Some good news on

Way way back in the history of PowerDNS, we bought the full suite of domain names for our new company:,, Alternate names for the company we considered at the time were ‘SuperDNS’ and ‘UltraDNS’. We later found out that SuperDNS was the internal name over at Verisign for what is now the Atlas software that powers the COM and NET servers. And UltraDNS eventually became a DNS company in its own right!

Over time we no longer used and eventually the domain lapsed by accident and was quickly picked up by folks that held it ransom for a decade or so, without ever using it. I (Bert) personally always had issues with paying up to get the domain back, and over the years some very unsavoury parties ended up owning

Recently we decided it was time to get the .org back anyhow and after negotiating for a few days we finally paid up, and shortly after that we were back in control of, at a cost of $1000.

This personally left me with a bad aftertaste since effectively we have paid a chain of people that specialise in taking over domains for ransom purposes.

To compensate for all this, we’ve decided to donate $1000 to the Doctors without Borders charity. On doing the currency conversion I felt bad about that too, so we turned it into a €1000 donation.

So welcome back and hopefully we’ve atoned for our mistake a decade ago!

OX Summit 2016: 13th-14th October, Frankfurt

Hi everybody,

Like last year, this year PowerDNS will again be part of the OX/Dovecot/PowerDNS summit. This time round we visit Frankfurt on the 13th and 14th of October. This is already in a few weeks!

All information is on:

Many users of Dovecot, PowerDNS and AppSuite will be there. Specifically for PowerDNS, on Friday we will be hosting a 90 minute long session on malware filtering and parental control with DNS, with per-user settings, opt-in, opt-out, all with a single set of nameserver IP addresses.

Attendance is free! Please register here. When you register, you can also sign up for our malware session, which might even allow you to sell this trip to your company as ‘work’. The summit also involves (free) lunch and drinks.

If you are a PowerDNS user, or want to be, we hope to meet you there!


PowerDNS Recursor 4.0.3 released

A new release for the PowerDNS Recursor with version 4.0.3 is available. This release has many fixes and improvements in the Policy Engine (RPZ) and the Lua bindings to it. Therefore, we recommend that users of RPZ upgrade to this release. We would like to thank Wim (42wim on github) for testing and reporting on the RPZ module.

The full changelog is as follows:

Bug fixes

  • #4350: Call gettag() for TCP queries
  • #4376: Fix the use of an uninitialized filtering policy
  • #4381: Parse query-local-address before lua-config-file
  • #4383: Fix accessing an empty policyCustom, policyName from Lua
  • #4387: ComboAddress: don’t allow invalid ports
  • #4388: Fix RPZ default policy not being applied over IXFR
  • #4391: DNSSEC: Actually follow RFC 7646 §2.1
  • #4396: Add boost context ldflags so freebsd builds can find the libs
  • #4402: Ignore NS records in a RPZ zone received over IXFR
  • #4403: Fix build with OpenSSL 1.1.0 final
  • #4404: Don’t validate when a Lua hook took the query
  • #4425: Fix a protobuf regression (requestor/responder mix-up)

Additions and Enhancements

  • #4394: Support Boost 1.61+ fcontext
  • #4402: Add Lua binding for DNSRecord::d_place

The source tarball (signature) can be downloaded from the downloads website. Packages for several distributions are available in our repositories.

Authoritative Server 3.4.10

Hi everybody,

We’re pleased to announce version 3.4.10 of our Authoritative Server.

This release fixes several bugs, decreases CPU usage and allows better interoperability with PowerDNS 4.0.X databases. It also adds a feature to limit AXFR sizes in response to CVE-2016-6172.

Tar.gz and packages are available on:

Warning: Version 3.4.10 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Find the downloads on our download page,

Changes since 3.4.9:

  • commit 1f8078c: Enable mbedtls threading abstraction layer (Kees Monshouwer)
  • commit 63a6800: Update polarssl 1.3.9 to mbedtls 1.3.17 (Kees Monshouwer)
  • commit dc73734: Report DHCID type (Kees Monshouwer)
  • commit 2c6e628: Fix TSIG for single thread distributor (Kees Monshouwer)
  • commit 09bdd9f: Don’t send covering nsec records for direct nsec queries (Kees Monshouwer)
  • commit da231a4: Ignore trailing dot in signer name (Kees Monshouwer)
  • commit a014f4c: Add limits to the size of received AXFR, in megabytes
  • commit 881b5b0: Reject qnames with wirelength > 255, chopOff() handle dot inside labels
  • commit 210fb15: Gmysql get-order-after-query was slow (Kees Monshouwer)
  • commit 7bab770: Sync boost.m4 with upstream (Kees Monshouwer)
  • commit 9740371: Fix shorter best matching names in getAuth() (Kees Monshouwer)
  • commit 991528c: change default for any-to-tcp to yes (Kees Monshouwer)

dnsdist 1.1.0 Beta 1 released

We are pleased to announce the availability of the first beta release of dnsdist 1.1.0. In addition to several bug fixes and improvements, a lot of new features have been added since dnsdist 1.0.0, including but not limited to:

  • TeeAction sends a copy of selected queries to a different nameserver
  • eBPF filtering allows in-kernel filtering based on the source or QName/QType
  • New rules have been added, allowing filtering on the opcode, records count and type, QName length and labels count, destination address and the presence of trailing data
  • Response rules are now supported and allow dropping or delaying a response
  • AXFR and IXFR awareness
  • Per-QName query counting (as contributed by Reinier Schoof of TransIP)
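The features above are easiest to understand as rules in a dnsdist configuration file. The following is an added example (not dnsdist's own configuration and not from the announcement) showing how several of them fit together in one `dnsdist.conf`: a TeeAction for shadow-testing a second resolver, an eBPF filter for in-kernel drops, query rules on opcode, record count, label count and trailing data, a response rule that delays NXDOMAIN answers, and per-QName counting. All addresses are constructed documentation values (RFC 5737), the thresholds are assumptions chosen for illustration, and rule, action and constant names follow the dnsdist 1.1.0 documentation.

```lua
-- Added example, not dnsdist's own configuration. Addresses are constructed
-- (RFC 5737 ranges); thresholds are illustrative assumptions.
setLocal("192.0.2.10:53")                        -- assumed listen address
newServer({address = "192.0.2.20:53"})           -- assumed production resolver

-- TeeAction: copy matching queries to a second server whose answers are
-- ignored. Lets a new resolver see real traffic without serving clients.
addAction("shadow-test.example.", TeeAction("192.0.2.30:53"))

-- eBPF: drop abusive sources and names in the kernel, before the packet is
-- copied to userspace. Needs a kernel with eBPF socket filters and CAP_SYS_ADMIN.
local bpf = newBPFFilter(1024, 1024, 1024)      -- capacity: v4 addrs, v6 addrs, qnames
setDefaultBPFFilter(bpf)
bpf:block(newCA("198.51.100.7"))                 -- constructed abusive source
bpf:blockQName(newDNSName("flood.example."), 255) -- 255 = match any qtype

-- New query rules. RecordsCountRule(section, min, max) matches when the section
-- holds fewer than min or more than max records; section 0 is the question.
addAction(OpcodeRule(DNSOpcode.Update), DropAction())   -- no dynamic updates expected here
addAction(RecordsCountRule(0, 1, 1), DropAction())      -- malformed: question count != 1
addAction(QNameLabelsCountRule(0, 20), DropAction())    -- more than 20 labels is not a real name
addAction(QNameWireLengthRule(0, 200), DropAction())    -- wire name longer than 200 bytes
addAction(TrailingDataRule(), DropAction())             -- garbage after the DNS message

-- Response rules: slow down NXDOMAIN answers (rcode 3) to blunt random-subdomain
-- floods without dropping legitimate negative answers. Delay in milliseconds.
addResponseAction(RCodeRule(3), DelayResponseAction(100))

-- Per-QName counting: keep counters per queried name; read them from the
-- console with getQueryCounters() to spot names that dominate the load.
setQueryCount(true)
```

Rules are evaluated in the order they are added, so the cheap drop rules sit before the TeeAction; the eBPF filter runs before any of them because it executes in the kernel.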

See the dnsdist website for the complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

PowerDNS Recursor 4.0.2 released

Today, PowerDNS Recursor version 4.0.2 is released. This version fixes several bugs, among which a regression in 4.x where CNAME records for DNSSEC-signed domains were not sorted before the final answers, leading to some clients (notably some versions of Chrome) being unable to extract the required answer from the packet. This happened exclusively for DNSSEC-signed domains, but it affected even clients that did not request DNSSEC validation.

This release also features several additions to the RPZ stack: most notably NSDNAME and NSIP triggers, Lua access to the policy decision in the existing hooks, and a new prerpz hook that is called before preresolve to allow disabling of RPZ lookups.

Source tarball is here (sig) and packages are available from our repositories.
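The prerpz hook and the Lua-visible policy decision are what make the per-user opt-in/opt-out filtering mentioned in the OX Summit post above possible on a single set of resolver addresses. The following added example (not PowerDNS's own code, and not from either post) is a `lua-dns-script` that uses a client's source address to skip all policies for one network, discard only the parental-control policy for clients that opted out, and log every policy hit for audit. The file path, the two policy names, the `rpzMaster` lines sketched in the comment and all addresses and networks are assumptions constructed for the example; hook and field names follow the Recursor 4.0.2 Lua documentation.

```lua
-- Added example, not PowerDNS's own code. Loaded via
-- lua-dns-script=/etc/powerdns/rpz-hooks.lua in recursor.conf (assumed path).
-- It assumes two feeds configured in lua-config-file, roughly:
--   rpzMaster("192.0.2.1", "malware.rpz.example.",  {defpol=Policy.NXDOMAIN, policyName="malware"})
--   rpzMaster("192.0.2.1", "parental.rpz.example.", {defpol=Policy.NXDOMAIN, policyName="parental"})
-- Addresses, zone names and networks below are constructed documentation values.

-- Constructed opt-out list: clients that asked not to receive parental control.
local parentalOptOut = newNMG()
parentalOptOut:addMask("10.0.5.0/24")

-- Constructed list of hosts that must never be filtered, e.g. an analysis
-- network that needs to see the real answers for blocked names.
local unfiltered = newNMG()
unfiltered:addMask("10.0.99.0/24")

-- prerpz runs before preresolve and before any policy is evaluated (4.0.2+).
-- Returning false tells the recursor to carry on with normal processing.
function prerpz(dq)
  if unfiltered:match(dq.remoteaddr) then
    dq.wantsRPZ = false                 -- skip every policy for this client
  elseif parentalOptOut:match(dq.remoteaddr) then
    dq:discardPolicy("parental")        -- keep "malware", drop only "parental"
  end
  return false
end

-- postresolve runs after the policy engine; dq.appliedPolicy records what it
-- decided. Logging hits makes the filtering auditable and false positives findable.
function postresolve(dq)
  local pol = dq.appliedPolicy
  if pol.policyKind ~= pdns.policykinds.NoAction then
    pdnslog("RPZ policy " .. pol.policyName .. " matched " .. dq.qname:toString() ..
            " for " .. dq.remoteaddr:toString() .. " (rcode " .. dq.rcode .. ")",
            pdns.loglevels.Notice)
  end
  return false
end
```

Because the decision is made per query on the client's source address, the same two resolver IPs serve filtered and unfiltered clients alike; the opt-out lists would in practice be filled from a subscriber database rather than hard-coded.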

The full changelog is as follows:

Bug fixes

  • #4264: Set dq.rcode before calling postresolve
  • #4294: Honor PIE flags.
  • #4310: Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
  • #4340: Don’t shuffle CNAME records. (thanks to Gert van Dijk for the extensive bug report!)
  • #4354: Fix delegation-only

Additions and enhancements

  • #4288: Respect the timeout when connecting to a protobuf server
  • #4300: allow newDN to take a DNSName in; document missing methods
  • #4301: expose SMN toString to lua
  • #4318: Anonymize the protobuf ECS value as well (thanks to Kai Storbeck of XS4All for finding this)
  • #4324: Allow Lua access to the result of the Policy Engine decision, skip RPZ, finish RPZ implementation
  • #4349: Remove unused DNSPacket::d_qlen
  • #4351: RPZ: Use query-local-address(6) by default (thanks to Oli Schacher of for the feature request)
  • #4357: Move the root DNSSEC data to a header file

PowerDNS Recursor 4.0.1 released

We’re happy to announce the release of the PowerDNS Recursor version 4.0.1.

This release has several improvements with regards to DNSSEC validation and it improves interoperability with DNSSEC clients that expect an AD-bit on validated data when they query with only the DO-bit set.

Bug fixes

  • #4119 Improve DNSSEC record skipping for non dnssec queries (Kees Monshouwer)
  • #4162 Don’t validate zones from the local auth store, go one level down while validating when there is a CNAME
  • #4187:
    ◦ Don’t go bogus on islands of security
    ◦ Check all possible chains for Insecures
    ◦ Don’t go Bogus on a CNAME at the apex
  • #4215 RPZ: default policy should also override local data RRs
  • #4243 Fix a crash when the next name in a chained query is empty and rec_control current-queries is invoked

Additions and enhancements

  • #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
  • #4140 Fix warnings with gcc on musl-libc (James Taylor)
  • #4160 Also validate on +DO
  • #4164 Fail to start when the lua-dns-script does not exist
  • #4168 Add more Netmask methods for Lua (Aki Tuomi)
  • #4210 Validate DNSSEC for security polling
  • #4217 Turn on root-nx-trust by default and log-common-errors=off
  • #4207 Allow for multiple trust anchors per zone
  • #4242 Fix compilation warning when building without Protobuf


The sources are on the downloads site (sig). Packages for several distributions are available from our repositories.