PowerDNS Recursor 4.0.2 released

Today, the PowerDNS Recursor version 4.0.2 is released. This version fixes several bugs, among which was a regression in 4.x where CNAME records for DNSSEC signed domains were not sorted before the final answers, leading to some clients (notably some versions of Chrome) not being able to extract the required answer from the packet. This happened exclusively for DNSSEC signed domains, but the problem happens even for clients not requesting DNSSEC validation.

This release also features several additions to the RPZ-stack. Most notably the addition of NSDNAME and NSIP triggers and Lua-based access to the policy-decision in the existing hooks, plus a new prerpz hook that is called before preresolve to allow disabling of RPZ lookups.

Source tarball is here(sig) and packages are available from our repositories.

The full changelog is as follows:

Bug fixes

  • #4264: Set dq.rcode before calling postresolve
  • #4294: Honor PIE flags.
  • #4310: Fix build with LibreSSL, for which OPENSSL_VERSION_NUMBER is irrelevant
  • #4340: Don’t shuffle CNAME records. (thanks to Gert van Dijk for the extensive bug report!)
  • #4354: Fix delegation-only

Additions and enhancements

  • #4288: Respect the timeout when connecting to a protobuf server
  • #4300: allow newDN to take a DNSName in; document missing methods
  • #4301: expose SMN toString to lua
  • #4318: Anonymize the protobuf ECS value as well (thanks to Kai Storbeck of XS4All for finding this)
  • #4324: Allow Lua access to the result of the Policy Engine decision, skip RPZ, finish RPZ implementation
  • #4349: Remove unused DNSPacket::d_qlen
  • #4351: RPZ: Use query-local-address(6) by default (thanks to Oli Schacher of switch.ch for the feature request)
  • #4357: Move the root DNSSEC data to a header file

PowerDNS Recursor 4.0.1 released

We’re happy to announce the release of the PowerDNS Recursor version 4.0.1.

This release has several improvements with regards to DNSSEC validation and it improves interoperability with DNSSEC clients that expect an AD-bit on validated data when they query with only the DO-bit set.

Bug fixes

  • #4119 Improve DNSSEC record skipping for non dnssec queries (Kees Monshouwer)
  • #4162 Don’t validate zones from the local auth store, go one level down while validating when there is a CNAME
  • #4187:
  • Don’t go bogus on islands of security
  • Check all possible chains for Insecures
  • Don’t go Bogus on a CNAME at the apex
  • #4215 RPZ: default policy should also override local data RRs
  • #4243 Fix a crash when the next name in a chained query is empty and rec_control current-queries is invoked


  • #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
  • #4140 Fix warnings with gcc on musl-libc (James Taylor)
  • #4160 Also validate on +DO
  • #4164 Fail to start when the lua-dns-script does not exist
  • #4168 Add more Netmask methods for Lua (Aki Tuomi)
  • #4210 Validate DNSSEC for security polling
  • #4217 Turn on root-nx-trust by default and log-common-errors=off
  • #4207 Allow for multiple trust anchors per zone
  • #4242 Fix compilation warning when building without Protobuf


The sources are on the downloads site(sig). Packages for several distributions are available from our repositories.

PowerDNS Authoritative Server 4.0.1 released

We’re happy to announce the release of the PowerDNS Authoritative Server 4.0.1. The first bugfix release for the 4.0 series.

This release fixes several small issues and adds a setting to limit AXFR and IXFR sizes, in response to CVE-2016-6172.

Bug fixes

  • #4126 Wait for the connection to the carbon server to be established
  • #4206 Don’t try to deallocate empty PG statements
  • #4245 Send the correct response when queried for an NSEC directly (Kees Monshouwer)
  • #4252 Don’t include bind files if length <= 2 or > sizeof(filename)
  • #4255 Catch runtime_error when parsing a broken MNAME


  • #4044 Make DNSPacket return a ComboAddredd for local and remote (Aki Tuomi)
  • #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
  • #4169 Fix typos in a logmessage and exception (Christian Hofsteadtler)
  • #4183 pdnsutil: Remove checking of ctime and always diff the changes (Hannu Ylitalo)
  • #4192 dnsreplay: Only add Client Subnet stamp when asked
  • #4250 Use toLogString() for ringAccount (Kees Monshouwer)


  • #4133 Add limits to the size of received {A,I}XFR
  • #4142 Add used filedescriptor statistic (Kees Monshouwer)

The sources are on the downloads site(sig). Packages for several distributions are available from our repositories.

PowerDNS Authoritative Server 4.0.0 released!

We are proud and happy to announce the release of the PowerDNS Authoritative Server version 4.0.0. This release has a great number of new features and improvements compared to PowerDNS Authoritative Server 3.4. More about the 4.0.0 releases can be found here.

Many of the changes are on the inside and were part of the great “spring cleaning“:

  • Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
  • Implemented dedicated infrastructure for dealing with DNS names that is fully “DNS Native” and needs less escaping and unescaping.
    • Due to this, the PowerDNS Authoritative Server can now serve DNSSEC-enabled root-zones.
  • All backends derived from the Generic SQL backend use prepared statements.
  • Both the server and pdns_control do the right thing when chroot‘ed.
  • Caches are now fully canonically ordered, which means entries can be wiped on suffix in all places

In addition to this cleanup, the following new and exciting features have been added:

  • A revived and supported ODBC backend (godbc).
  • A revived and supported LDAP backend (ldap).
  • Support for CDS/CDNSKEY and RFC 7344 key-rollovers.
  • Support for the ALIAS record.
  • The webserver and API are no longer experimental.
    • The API-path has moved to /api/v1
  • DNSUpdate is no longer experimental.
  • ECDSA (algorithm 13 and 14) supported without in-tree cryptographic libraries (provided by OpenSSL).
  • Experimental support for ed25519 DNSSEC signatures (when compiled with libsodium support).
  • Many new pdnsutil commands, e.g.
    • help command now produces the help
    • Warns if the configuration file cannot be read
    • Does not check disabled records with check-zone unless verbose mode is enabled
    • create-zone command creates a new zone
    • add-record command to add records
    • delete-rrset and replace-rrset commands to delete and add rrsets
    • edit-zone command that spawns $EDITOR with the zone contents in zonefile format regardless of the backend used (blogpost)
  • GeoIP backend has gained many features, and can now e.g. run based on explicit netmasks not present in the GeoIP databases

With new features come removals. The following backends have been dropped in 4.0.0:

  • LMDB.
  • Geo (use the improved GeoIP instead).

Other important changes and deprecations include:

  • pdnssec has been renamed to pdnsutil.
  • Support for the PolarSSL/MbedTLS, Crypto++ and Botan cryptographic libraries have been dropped in favor of the (faster) OpenSSL libcrypto (except for GOST, which is still provided by Botan).
  • ECDSA P256 SHA256 (algorithm 13) is now the default algorithm when securing zones.
  • The PowerDNS Authoritative Server now listens by default on all IPv6 addresses.
  • Several superfluous queries have been dropped from the Generic SQL backends, if you use a non-standard SQL schema, please review the new defaults
    • insert-ent-query, insert-empty-non-terminal-query, insert-ent-order-query have been replaced by one query named insert-empty-non-terminal-order-query
    • insert-record-order-query has been dropped, insert-record-query now sets the ordername (or NULL)
    • insert-slave-query has been dropped, insert-zone-query now sets the type of zone
  • The INCEPTION, INCEPTION-WEEK and EPOCH SOA-EDIT metadata values are marked as deprecated and will be removed in 4.1.0

We would like to thank everybody who contributed ideas, code, testing and comments during our journey toward 4.0.0. By name we like to thank (in no particular order):

Compared to RC2, the following bug fixes are included:

  • #4071 Abort on backend failures at startup and retry while running (Kees Monshouwer)
  • #4099 Don’t leak TCP connection descriptor if pthread_create() failed
  • #4137 gsqlite3: Check whether foreign keys should be turned on (Aki Tuomi)

And the following improvements were added:

  • #3051 Better error message for unfound new slave domains
  • #4123 check-zone: warn on mismatch between algo and NSEC mode

The tarball is here(sig), and packages for Debian Jessie, Ubuntu Trusty, Wily and Xenial, CentOS 6 and 7, SUSE Linux Enterprise 12.1 and Raspbian Jessie are available from our repositories.

PowerDNS Recursor 4.0.0 released!

We are pleased to announce the availability of the PowerDNS Recursor 4.0.0. As announced, the Recursor was part of the great PowerDNS 4.x Spring Cleaning. And it was indeed kind of grand. More about the 4.0.0 release process can be found here.

We changed many things internally to the nameserver:

  • Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
  • Implemented dedicated infrastructure for dealing with DNS names that is fully “DNS Native” and needs less escaping and unescaping.
  • Switched to binary storage of DNS records in all places.
  • Moved ACLs to a dedicated Netmask Tree.
  • Implemented a version of RCU for configuration changes
  • Instrumented our use of the memory allocator, reduced number of malloc calls substantially.
  • The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface. See the examples:

Due to these changes, PowerDNS Recursor 4.0.0 is almost an order of magnitude faster than the 3.7 branch.

  • DNSSEC processing: if you ask for DNSSEC records, you will get them.
  • DNSSEC validation: if so configured, PowerDNS perform DNSSEC validation of your answers.
  • Completely revamped Lua scripting API that is “DNSName” native and therefore far less error prone, and likely faster for most commonly used scenarios. Loads and indexes a 1 million domain custom policy list in a few seconds.
  • New asynchronous per-domain, per-ip address, query engine. This allows PowerDNS to consult an external service in realtime to determine client or domain status. This could for example mean looking up actual customer identity from a DHCP server based on IP address (option 82 for example).
  • RPZ (from file, over AXFR or IXFR) support. This loads the largest Spamhaus zone in 5 seconds on our hardware, containing around 2 million instructions.
  • All caches can now be wiped on suffixes, because of canonical ordering.
  • Many, many more relevant performance metrics, including upstream authoritative performance measurements (‘is it me or the network that is slow’).
  • EDNS Client Subnet support, including cache awareness of subnet-varying answers.


As stated in the features section above, the PowerDNS Recursor now has DNSSEC processing and experimental DNSSEC validation support.

DNSSEC processing means the nameserver will return RRSIG records when requested to do so by the client (by means of the DO-bit) and will always retrieve the RRSIGs even if the client does not ask for. It will perform validation and set the AD-bit in the response if the client requests validation.

In fullblown DNSSEC-mode, the PowerDNS Recursor will validate the answers and set the AD-bit in validated answers if the client requests it and will SERVFAIL on bogus answers to all clients.

The DNSSEC support is marked experimental, but functional at the moment, as it has 2 limitations:

  • Negative answers validated but the NSEC(3) proof is not fully checked.
  • Zones that have a CNAME at the apex (which is ‘wrong’ anyway) validate as Bogus.

If you run with DNSSEC enabled and notice broken domains, do file an issue.

Changes compared to Release Candidate 1

This release features the following fixes compared to rc1:

  • #3989 Fix usage of std::distance() in DNSName::isPartOf() (signed/unsigned comparisons)
  • #4017 Fix building without Lua. Add isTcp to dq.
  • #4023 Actually log on dnssec=log-fail
  • #4028 DNSSEC fixes (NSEC casing, send DO-bit over TCP, DNSSEC trace additions)
  • #4052 Don’t fail configure on missing fcontext.hpp
  • #4096 Don’t call commit() if we skipped all the records

It has the following improvements:

  • #3400 Enable building on OpenIndiana
  • #4016 Log protobuf messages for cache hits. Add policy tags in gettag()
  • #4040 Allow DNSSEC validation when chrooted
  • #4094 Sort included html files for improved reproducibility (Christian Hofstaedtler)

And these additions:

  • #3981 Import Javascript sources for libs shipped with Recursor (Christian Hofstaedtler)
  • #4012 add tags support to ProtobufLogger.py
  • #4032 Set the existing policy tags in dq for {pre,post}resolve
  • #4077 Add DNSSEC validation statistics
  • #4090 Allow reloading the lua-config-file at runtime
  • #4097 Allow logging DNSSEC bogus in any mode
  • #4125 Add protobuf fields for the query’s time in the response

Getting the Recursor

The tarball is here(sig), and packages for Debian Jessie, Ubuntu Trusty, Wily and Xenial, CentOS 6 and 7, SUSE Linux Enterprise 12.1 and Raspbian Jessie are available from our repositories.

We would like to thank everybody who helped with ideas, code and testing the Recursor.

Welcome to PowerDNS 4.0.0!

Today a rather epic journey ends. In this post, we describe how 4.0.0 came to be, what we did, what we added, but also answer the big question: should I deploy PowerDNS 4?  And enable DNSSEC validation? Finally.. to celebrate, we’ll be handing out vouchers for FREE PowerDNS 4.0.0 Coffee (or tea) mugs! 

But first, a round of thanks. PowerDNS Authoritative Server 4.0.0 and PowerDNS Recursor 4.0.0 are the biggest releases in our history. This would not have been possible without the help of a lot of people. The PowerDNS community continues to be the stuff of dreams.

We believe in being an open company and producing powerful technology as open source. We are extremely grateful to be part of such a wonderful community that enables us together to make the internet and our software even greater.  Thanks to you, this is the most powerful version of PowerDNS ever, and one we feel can be relied upon to serve your needs!

Secondly, we’d like to thank our supported users (customers) too. Through their efforts, we were able to cram even more features into PowerDNS 4.0.0 than originally anticipated. Specifically, RPZ, IXFR and DNSSEC validation have been fast-tracked and enabled by (sadly) anonymous but very large PowerDNS customers.

Additionally, a shout out to Spamhaus, Farsight and ThreatSTOP who all made their wonderful RPZ feeds freely available for interoperability testing.

Finally, we are grateful for your understanding. PowerDNS 4.0.0 was a major ‘spring cleaning‘ operation that took 16 months. It is rare for software projects to be granted the time to revisit and cleanup old code. We trust it was worth the wait!

The history

In February 2015 we announced our plans for the 4.x.x branch of PowerDNS. Late May of that year, we asked for your help determining the roadmap for 4.x.x, and we got a lot of feedback from that. Late June we published the outcome of that process.

At the end of 2015 we launched the 4.0.0 Technology Preview releases (including dnsdist), where we noted:

A few months into the development, various users and customers suddenly chimed in on absolutely mandatory features we had somehow missed. Because of that, 4.x both under- and over-delivers.

During the 4.0.0 release process, we have stayed in close touch with our users and customers. And although we would have liked to have stuck to our roadmap, inevitably, some absolutely mandatory requirements came up. We spent most of early 2016 working with large (future) deployments to ensure 4.0.0 delivered what they needed (and deployed!).

So what did we do? You can read the full details in the release notes (auth link, recursor link), but here in short:

Spring cleaning

Over time, most software projects keep adding features, but sadly also a lot of complexity and “cruft”. For us, 4.0.0 was a “spring cleaning” exercise. We removed a lot of ancient code, tons of workarounds, loads of no longer relevant optimisations, non-functional backends and otherwise outdated code. We switched to C++2011, which allowed us to benefit from its enhanced features to make our code briefer and better.

Things we added

  • Full DNSSEC in the PowerDNS Recursor (Authoritative had this since 3.0)
  • RPZ in Recursor, tested to work with Spamhaus, Farsight Security and ThreatSTOP.
  • IXFR slaving in Authoritative and Recursor (for RPZ)
  • ODBC (Microsoft SQL Server & Azure) and LDAP backends are fully supported again in Authoritative
  • Vastly improved Lua modules in Recursor, including the ability to asynchronously query reputation servers or databases (!)
  • EDNS Client Subnet support in Recursor (Authoritative supported this in 3.x.x too)
  • GEOIP backend enhanced, for example to support countries but also direct subnets for source dependent answers
  • All caches can now be wiped for whole subtrees
  • Powerful new metrics that point out performance and operational problems (fd usage, memory usage, network responsiveness, kernel dropped packets)
  • ALIAS records so you can “CNAME your domain”, including DNSSEC support (as used by search.whitehouse.gov!)
  • New pdnsutil commands like ‘pdnsutil edit-zone‘, create-zone, add-record, replace-rrset
  • Halved query load on most database backends

Should I deploy PowerDNS 4.0.0?

Definitely. PowerDNS Authoritative Server 4.x.x and PowerDNS Recursor pre-releases are already widely deployed. All of us over at PowerDNS rely fully on the 4.0.0 version, and in fact find 3.x.x somewhat painful to use in comparison. We trust the code in 4.0.0 more.

In terms of performance, both Authoritative and Recursor look to offer higher peak performance than 3.x.x. We have performed extensive benchmarking on the Recursor, and reliably achieve 400kqps on “actual customer traffic”. For Authoritative, we note that 4.0.0 halves the database backend query load in many circumstances.

Enabling DNSSEC processing in Recursor 4.0.0 (the default) means slightly higher CPU utilization than 3.x.x. Turning on validation roughly doubles the CPU load.

What about DNSSEC validation?

DNSSEC does not make DNS any easier. Many DNS and DNSSEC enabled domains are misconfigured. Our trials indicate PowerDNS Recursor 4.0.0 will successfully validate all correctly configured domains (that we have tested). The bad news is that many domains, some important ones even, are not correctly configured.

Our advice for now is: turn on DNSSEC validation if you are prepared to spend time monitoring the log files for validation failures. And even as we improve our resilience against badly configured domains and work out issues, this advice will remain in place. DNSSEC validation, regardless of software used for it, requires monitoring. A useful option at this time is ‘log-fail‘, which will do the validation but only log the failures, and not block the answers.

Enough of this, how do I get my hands on the glorious PowerDNS 4.0.0 release mug?

As a small token of our appreciation, we have teamed up with MugBug to ship free PowerDNS 4.0.0 release mugs to anyone who was in any way part of the process. Uniquely, this giveaway extends to anyone deploying PowerDNS Authoritative Server 4.0.0 or PowerDNS Recursor 4.0.0 in the coming months!

So, apply for a free mug or even a set of mugs (if you are in an office), if you:

  • Opened an issue relevant for PowerDNS 4.0.0 on GitHub
  • Contributed code or a pull request that ended up in 4.0.0
  • Supplied testing data (PCAPs) now or in the past
  • Deployed PowerDNS 4.0.0 betas, release candidates, alphas or the technology preview
  • Authored one of our dependencies
  • Feel in any other way that you contributed to 4.0.0!

If you are part of a team, feel free to apply for mugs for the whole team. There is no need to send us your address details (since MugBug will do the actual logistics), but we do need to know who you are and what you did to be part of the PowerDNS community! Please email to powerdns-4.0-contributors@powerdns.com with your details (which we absolutely promise not to use in any other way than to authorize MugBug to send you your mugs!).

We’ve allocated a generous budget for the free mug giveaway, but it is limited – but we expect to be able to ship hundreds of mugs.


Thank you for your interest in PowerDNS Authoritative Server 4.0.0 and Recursor 4.0.0! Other blog posts have the full details and download links for the Authoritative Server and the Recursor.


PowerDNS Authoritative Server 4.0.0 Release Candidate 2 released

We’re pleased to announce the release of the first Release Candidate for the PowerDNS Authoritative server.

This Release Candidate has the number 2. After rc1 was tagged in git, Kees Monshouwer discovered and corrected an issue where the server could terminate on a MySQL timeout.

This release features the addition of IXFR consumption and prepares SQL statements “lazily” to be more robust against database reconnections.

  • #3937 GSQL: use lazy prepared statements (Aki Tuomi)
  • #3949 Implement IXFR-based slaving for Authoritative, fix duplicate AXFRs
  • #4066 Don’t die on a mysql timeout (Kees Monshouwer)

Other improvements:

  • #4061 Various fixes, a MySQL-query fix that improves performance and one that allows shorter best matches in getAuth()
  • #3962 Fix OpenBSD support
  • #3972 API: change PATCH/PUT on zones to return 204 No Content instead of full zone (Christian Hofstaedtler)
  • #3917 Remotebackend: Add getAllDomains call (Aki Tuomi)

Bug fixes and changes:

  • #3998 remove gsql::isOurDomain for now (Kees Monshouwer)
  • #3989 Fix usage of std::distance() in DNSName::isPartOf()
  • #4001 re enable validDNSName() check (Kees Monshouwer)
  • #3930 Have pdns_control bind-add-zone check for zonefile
  • #3400 Fix building on OpenIndiana
  • #3961 Allow building on CentOS 6 i386
  • #3940 auth: Don’t build dnsbulktest and dnstcpbench if boost is too old, fixes building on CentOS 6
  • #3931 Rename notify to pdns_notify (Christian Hofstaedtler)

We believe this release is ready for production and encourage users to deploy it. The source code tarball(sig) can be downloaded from the downloads website and packages for several platforms are available from our repositories.