PowerDNS Authoritative 4.3.0

Hello!

We are proud to announce the release of PowerDNS Authoritative Server 4.3.0. A lot of internals have been reworked, with some visible changes for users. If you read the upgrade notes for a beta or RC, please read them again!

A notable new feature in 4.3 is support for hiding DNSSEC keys, which makes it possible to do algorithm rollovers. This feature was contributed by Robin Geuze of TransIP, thanks! Another interesting new feature is support for automatically publishing CDS/CDNSKEY records with a single pdns.conf setting.

Please note that 4.3.0 comes with a mandatory database schema upgrade.

Please see the changelog for an almost complete list of changes since the last 4.2.x release.

We want to thank everyone that contributed to this and earlier releases, and invite you to contribute to the testing of this release!

The tarball (signature) is available at downloads.powerdns.com; packages for CentOS 6, 7 and 8, Debian Stretch and Buster, and Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First alpha release of dnsdist 1.5.0

We are very happy to announce the 1.5.0 alpha 1 release of dnsdist. This version contains several new exciting features detailed below, but also a few breaking changes so please take the time to read the next section.

Your feedback will be much appreciated so we can deliver a stable 1.5.0 final release!

Important changes

We took the opportunity of this new release to clean up a few things that might require updating your existing configuration.

First, in systemd environments, dnsdist used to be started as root before dropping privileges and switching to an unprivileged user, which could lead to weird issues where files were readable during startup but not after, or the other way around. This is no longer the case, and dnsdist is now directly started as an unprivileged user. This might require updating the permissions on the files accessed during startup. It is therefore recommended to recursively chown directories used by dnsdist:

chown -R root:dnsdist /etc/dnsdist

Packages provided on the PowerDNS Repository will chown directories created by them accordingly in the post-installation steps.

We also updated the default behavior of our DNS over HTTPS implementation. DoH endpoints specified in the fourth parameter of addDOHLocal are now specified as exact paths instead of path prefixes.

For example,

addDOHLocal('2001:db8:1:f00::1', '/etc/ssl/certs/example.com.pem', '/etc/ssl/private/example.com.key', { "/dns-query" })

will now only accept queries for /dns-query and no longer for /dns-query/foo/bar.

The default endpoint also switched from / to /dns-query. That can be overridden through the fourth parameter of addDOHLocal().

Finally the default SSL/TLS library used for DNS over TLS was changed from GnuTLS to OpenSSL / LibreSSL, based on the feedback we received from our users.

Please see the upgrade guide for more information.

New features and improvements

The most exciting new feature is the implementation of the Proxy Protocol between dnsdist and its backends. Aimed to replace the use of EDNS Client Subnet and our own XPF, the Proxy Protocol is an existing standard where a small header is prepended to the query, passing not only the source and destination addresses and ports along to the backend, but also custom values. Support for parsing the Proxy Protocol is already available in the development tree of the PowerDNS Recursor.
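To make the "small header prepended to the query" concrete, here is an added example (not dnsdist's or the Recursor's code) that builds and parses a PROXY protocol version 2 header as the HAProxy specification lays it out: a fixed signature, a version/command byte, a family/transport byte, a 16-bit length, the source and destination addresses and ports, then optional TLVs carrying custom values. The sample addresses, the DNS bytes and the custom TLV value are constructed; the TLV type 0xE0 is assumed to be the start of the spec's custom range. The parsing side is written the way a backend should do it: every length is checked before it is used, and because the header lets the sender assert any client address, a backend should only honour it from the frontends it trusts.

```python
"""PROXY protocol v2 header: build and safely parse (added example, not dnsdist's code).

Layout (HAProxy PROXY protocol spec, version 2):
  12-byte signature | 1 byte version/command | 1 byte family/transport |
  2-byte big-endian length | address block | zero or more TLVs (type, 2-byte length, value)
The address block is src/dst address then src/dst port (12 bytes for IPv4, 36 for IPv6).
"""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_PROXY = 0x21   # high nibble 2 = version, low nibble 1 = PROXY command
PP2_CUSTOM_TLV_MIN = 0xE0  # assumed start of the custom TLV type range in the spec

# family/transport byte -> (socket family, address length in bytes)
_FAMILY = {
    0x11: (socket.AF_INET, 4),    # TCP over IPv4
    0x12: (socket.AF_INET, 4),    # UDP over IPv4
    0x21: (socket.AF_INET6, 16),  # TCP over IPv6
    0x22: (socket.AF_INET6, 16),  # UDP over IPv6
}


def build_header(src, dst, sport, dport, udp=True, tlvs=()):
    """Header carrying the client's addresses, ports and custom TLVs, to prepend to a query."""
    ipv6 = ":" in src
    fam = (0x20 if ipv6 else 0x10) | (0x02 if udp else 0x01)
    af = socket.AF_INET6 if ipv6 else socket.AF_INET
    body = socket.inet_pton(af, src) + socket.inet_pton(af, dst) + struct.pack("!HH", sport, dport)
    for tlv_type, value in tlvs:
        body += struct.pack("!BH", tlv_type, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VERSION_PROXY, fam, len(body)) + body


def parse_header(data):
    """Split a datagram or stream prefix into (header info, remaining payload).

    Every length is checked against the bytes actually present, so a short or
    crafted header raises ValueError instead of reading past the buffer.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("header length exceeds available bytes")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL command (e.g. a health check): no address block to read
        return {"command": "LOCAL", "tlvs": []}, payload
    if fam not in _FAMILY:
        raise ValueError("unsupported address family/transport 0x%02x" % fam)
    af, alen = _FAMILY[fam]
    if len(body) < 2 * alen + 4:
        raise ValueError("address block truncated")
    src, dst = socket.inet_ntop(af, body[:alen]), socket.inet_ntop(af, body[alen:2 * alen])
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    tlvs, pos = [], 2 * alen + 4
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("TLV header truncated")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + tlv_len > len(body):
            raise ValueError("TLV value truncated")
        tlvs.append((tlv_type, body[pos + 3:pos + 3 + tlv_len]))
        pos += 3 + tlv_len
    info = {"command": "PROXY", "udp": fam & 0x0F == 2, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "tlvs": tlvs}
    return info, payload


# Constructed sample: a frontend forwarding a client query with one custom TLV.
SAMPLE_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # constructed DNS header bytes
SAMPLE = build_header("192.0.2.10", "198.51.100.1", 53000, 53,
                      tlvs=[(PP2_CUSTOM_TLV_MIN, b"edge-pop-1")]) + SAMPLE_QUERY

if __name__ == "__main__":
    info, query = parse_header(SAMPLE)
    print(info, query == SAMPLE_QUERY)
```

Run the file to see the decoded addresses, ports and TLV, followed by the untouched DNS bytes that a backend would then hand to its normal query parser.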

We implemented a new spoofRawAction(), which makes it possible to spoof any kind of response from dnsdist, instead of the existing limitation to A, AAAA and CNAME records. This new action requires submitting the response in DNS wire-format.

While it has always been possible to write custom selectors and actions in Lua, there was a huge performance gap between built-in rules written in C++ and the Lua ones. This release adds the ability to use the Lua FFI interface available in LuaJIT to write high-performance selectors and rules, as well as load-balancing policies. With carefully written Lua, this delivers performances almost on par with the built-in C++ rules and actions, with greater flexibility.

Several very large-scale users reported that the load-balancing policies based on a hash of the qname could lack a bit of fairness when the traffic was heavily skewed toward a few names, leading to some backends receiving much more traffic than others. In order to address this shortcoming, we added the ability to set load bounds to the chashed and whashed policies so that queries will be dispatched to a different backend if the one selected based on the qname is already handling more queries than it should.
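The load-bound idea can be seen in a few lines. The following is an added illustration, not dnsdist's chashed or whashed implementation: backends are placed on a hash ring in proportion to their weight, a query starts at the position of hash(qname), and instead of always taking the first backend it walks on to the next one whenever the first is already handling the configured number of outstanding queries. The backend names, the BLAKE2b hash, the number of ring points per unit of weight and the bound are constructed values.

```python
"""Qname-hashed backend selection with a load bound (added illustration, not dnsdist's code).

Each backend gets weight * POINTS positions on a hash ring. A query walks the ring
from hash(qname) and takes the first backend whose outstanding-query count is below
the bound, so a "hot" name no longer pins all of its traffic to one backend.
"""
import bisect
import hashlib
from collections import Counter

POINTS = 64  # virtual nodes per unit of weight (constructed value)


def _h(text):
    return int.from_bytes(hashlib.blake2b(text.encode(), digest_size=8).digest(), "big")


class BoundedHashPolicy:
    def __init__(self, backends, load_bound):
        # backends: {name: weight}; load_bound: max outstanding queries per backend
        self.ring = sorted((_h(f"{name}#{i}"), name)
                           for name, weight in backends.items() for i in range(weight * POINTS))
        self.keys = [h for h, _ in self.ring]
        self.names = set(backends)
        self.load_bound = load_bound
        self.outstanding = Counter()

    def select(self, qname):
        """Backend for qname, or None when every backend is already at the bound."""
        start = bisect.bisect_left(self.keys, _h(qname.lower().rstrip(".")))
        seen = set()
        for k in range(len(self.ring)):
            name = self.ring[(start + k) % len(self.ring)][1]
            if self.outstanding[name] < self.load_bound:
                return name
            seen.add(name)
            if seen == self.names:  # walked past every backend: all overloaded
                return None
        return None

    def dispatch(self, qname):
        """Pick a backend and count the query as outstanding there."""
        name = self.select(qname)
        if name is not None:
            self.outstanding[name] += 1
        return name

    def complete(self, name):
        """Call when the backend answered (or the query timed out)."""
        self.outstanding[name] -= 1


def simulate(policy, queries):
    """Dispatch queries without completing any; returns the chosen backend per query."""
    return [policy.dispatch(q) for q in queries]


if __name__ == "__main__":
    p = BoundedHashPolicy({"ns1": 1, "ns2": 1, "ns3": 1}, load_bound=2)
    # A single hot name spills over to a second and third backend once the bound is hit.
    print(simulate(p, ["hot.example."] * 7))
```

With the bound in place the same name still maps to the same backend while that backend has capacity, so cache locality is preserved; only the overflow moves, and when every backend is at its bound the policy reports that there is nowhere to send the query rather than overloading one of them.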

Our DNS over HTTPS implementation received several improvements, including the ability to send cache-control headers, and to parse X-Forwarded-For headers sent by a frontend.

Users with a large number of backends will be happy to know that we refactored the handling of health checks so that they can now be performed in parallel instead of sequentially, leading to a huge performance improvement.

Finally our remote logging features using DNSTAP or our own protobuf saw several performance enhancements, a better handling of re-connection events, and the addition of the source and destination ports of the query whenever possible.

We want to once again thank everyone that contributed to the testing of the previous release candidates!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available in our repository. Please be aware that we have enabled a few additional features in our packages, like DNS over HTTPS, DNS over TLS and DNSTAP support, on distributions where the required dependencies were available.

PowerDNS Authoritative 4.3.0 first release candidate

Hello!

We are proud to announce the first, and hopefully last, release candidate of what should become PowerDNS Authoritative 4.3.0. So far this is mostly a maintenance release, but there are a few interesting changes. A lot of internals have been reworked, with some visible changes for users.

Due to a bug found in 4.3.0-beta2 right -after- we tagged RC1, this first release candidate, confusingly, is called RC2 in package versions.

If you read the upgrading notes for beta1, please see them again for an important change in NSEC(3) TTLs handling in beta2.

A notable new feature in 4.3 is support for hiding DNSSEC keys, which makes it possible to do algorithm rollovers. This feature was contributed by Robin Geuze of TransIP, thanks! Another interesting new feature is support for automatically publishing CDS/CDNSKEY records with a single pdns.conf setting.

Please note that 4.3.0 comes with a mandatory database schema upgrade.

Please see the changelog for an almost complete list of changes since the last 4.2.x release.

We want to thank everyone that contributed to this and earlier releases, and invite you to contribute to the testing of this beta release!

The tarball (signature) is available at downloads.powerdns.com; packages for CentOS 6, 7 and 8, Debian Stretch and Buster, and Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.3.0 Released

Hello!

We are proud to announce the release of PowerDNS Recursor 4.3.0.

Compared to the last release candidate, only two very minor issues were fixed.

Compared to the 4.2 release of PowerDNS Recursor, the most important features that were added are:

  • A relaxed form of QName Minimization as described in rfc7816bis-01. This feature is enabled by default. See the documentation for more details.
  • Dnstap support for outgoing queries to authoritative servers and the corresponding replies. See the documentation for more details.
  • The recursor now processes a number of requests incoming over a TCP connection simultaneously and will return results (potentially) out-of-order. See the documentation for more details on how to tune this feature.
  • Newly Observed Domain (NOD) functionality. See the documentation for information on how to make use of this feature.
  • When the recursor is started by systemd, the recursor will no longer run as the root user. Instead, it will start as the pdns-recursor user. Make sure directories and files needed by your specific recursor setup are readable by this user. For non-systemd and non-chroot cases, the default directory for the control socket and pid file has changed to /var/run/pdns-recursor. The upgrade guide contains more information.

As usual, there were also many other smaller enhancements and bugfixes. Please refer to the changelog for details.

We want to thank everyone that contributed to the testing of the release candidates.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

With this release, PowerDNS Recursor 4.0 will become End-of-Life and PowerDNS Recursor 4.1 will only receive critical security updates. For details, see our EOL statement.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative 4.3.0 Beta 2

Hello!

We are proud to announce the second, and hopefully last, beta release of what should become PowerDNS Authoritative 4.3.0. So far this is mostly a maintenance release, but there are a few interesting changes. A lot of internals have been reworked, with some visible changes for users.

If you read the upgrading notes for beta1, please see them again for an important change in NSEC(3) TTLs handling in beta2.

A notable new feature in 4.3 is support for hiding DNSSEC keys, which makes it possible to do algorithm rollovers. This feature was contributed by Robin Geuze of TransIP, thanks! Another interesting new feature is support for automatically publishing CDS/CDNSKEY records with a single pdns.conf setting.

Please note that 4.3.0 comes with a mandatory database schema upgrade.

Please see the changelog for an almost complete list of changes since the last 4.2.x release.

We want to thank everyone that contributed to this and earlier releases, and invite you to contribute to the testing of this beta release!

The tarball (signature) is available at downloads.powerdns.com; packages for CentOS 6, 7 and 8, Debian Stretch and Buster, and Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Second Release Candidate of PowerDNS Recursor 4.3.0

Hello!

We are proud to announce the second and hopefully last release candidate of what should become PowerDNS Recursor 4.3.0.

Compared to the first release candidate, this release candidate changes the way RPZ policies are processed: if the matched policy is passthru, policies with a higher priority are still considered later in the resolving process. Additionally, a bug in the validation of NSEC records was fixed.

Compared to the 4.2 release of PowerDNS Recursor, the most important features that were added are:

* A relaxed form of QName Minimization as described in rfc7816bis-01. This feature is enabled by default.
* Dnstap support for outgoing queries to authoritative servers and the corresponding replies.
* The recursor now processes a number of requests incoming over a TCP connection simultaneously and will return results (potentially) out-of-order.
* Newly Observed Domain (NOD) functionality.
* When the recursor is started by systemd, the recursor will no longer run as the root user. Instead, it will start as the pdns-recursor user. Make sure directories and files needed by your specific recursor setup are readable by this user. For non-systemd and non-chroot cases, the default directory for the control socket and pid file has changed to /var/run/pdns-recursor.

Please refer to the changelog for details.

We want to thank everyone that contributed to the testing of the previous release candidate, and invite you to contribute to the testing of this release candidate!

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First Release Candidate of PowerDNS Recursor 4.3.0

Hello!

We are proud to announce the first release candidate of what should become PowerDNS Recursor 4.3.0.

Compared to the second beta release, this release fixes a few RPZ related bugs. Additionally, a few other minor enhancements were made.

Compared to the 4.2 release of PowerDNS Recursor, the most important features that were added are:

* A relaxed form of QName Minimization as described in rfc7816bis-01. This feature is enabled by default.
* Dnstap support for outgoing queries to authoritative servers and the corresponding replies.
* The recursor now processes a number of requests incoming over a TCP connection simultaneously and will return results (potentially) out-of-order.
* Newly Observed Domain (NOD) functionality.
* When the recursor is started by systemd, the recursor will no longer run as the root user. Instead, it will start as the pdns-recursor user. Make sure directories and files needed by your specific recursor setup are readable by this user. For non-systemd and non-chroot cases, the default directory for the control socket and pid file has changed to /var/run/pdns-recursor.

Please refer to the changelog for details.

We want to thank everyone that contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.