First alpha release of PowerDNS Recursor 4.3.0

We’re proud to announce the first alpha release for the PowerDNS Recursor 4.3 release train. Two major features are introduced:

  • A relaxed form of QName Minimization as described in rfc7816bis-01 has been implemented. To test this feature, do not forget to enable qname-minimization in the settings file.
  • When the recursor is started by systemd, the recursor will no longer run as the root user. Instead, it will start as the pdns-recursor user. Make sure directories and files needed by your specific recursor setup are readable by this user. For non-systemd and non-chroot cases, the default location of the control socket and pid file has changed to /var/run/pdns-recursor.

Please see the changelog for details about other improvements and bug fixes and the documentation for more details about setting up the recursor.

We want to thank everyone that contributed to this and earlier releases, and invite you to contribute to the testing of this alpha release!

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Stretch and Buster and Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Second release candidate for dnsdist 1.4.0

We are very happy to announce the second release candidate of the 1.4.0 version of dnsdist.

This version adds one experimental feature, the ability to look into a Key-Value store like CDB or LMDB and to route a query based on the result of this lookup.

It also makes it possible to require a minimum TLS version for DNS over TLS and DNS over HTTPS, and to send custom HTTP responses even for queries received on the DoH port that are valid HTTP queries but not necessarily valid DoH queries.

Note that starting with 1.4.0-rc2, our packages are now built against the latest 2.2.6 version of libh2o, fixing several remote denial of service issues (CVE-2019-9512, CVE-2019-9514 and CVE-2019-9515).

We want to thank everyone that contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

PowerDNS Authoritative Server 4.2.0

Hello everybody!

We are very happy to announce the release of Authoritative Server 4.2.0. Besides a ton of bug fixes (please see the Changelog), this release also offers a nice collection of new features.

This release was made possible by the contributions of a huge number of people. Please refer to the alpha/beta/RC release announcements, and, of course, the Changelog, to find them all. Thank you all!

Lua records

An important new feature is the support for Lua Records, which make the following possible, from any backend (even BIND, and LMDB!):


@ IN LUA A "ifportup(443, {'52.48.64.3', '45.55.10.200'})"


This will poll the named IP addresses (in the background) and only serve up hosts that are available. Far more powerful constructs are possible, for example to pick servers from regional pools close to the user, except if all servers in that pool are down. It is also possible to do traffic engineering based on subnets or AS numbers. A simple example:


@ IN LUA A ( "ifportup(443, {'52.48.64.3', '45.55.10.200'}, {selector='closest'})" )


For more about this feature, please head to the documentation.

ixfrdist

A new tool ixfrdist transfers zones from an authoritative server and re-serves these zones over AXFR and IXFR. It checks the SOA serial for all configured domains and downloads new versions to disk. This makes it possible for hundreds of PowerDNS Recursors (or authoritative servers) to slave an (RPZ) zone from a single server, without overwhelming providers like our friends over at Spamhaus/Deteque and Farsight.

UDP fragmentation

In accordance with the preliminary plans for DNS Flag Day 2020, this release lowers the default for udp-truncation-threshold from 1680 to 1232. This avoids most cases of UDP fragmentation, leading to better performance and security.
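To show what the lowered udp-truncation-threshold does on the wire, here is an added Python example (not PowerDNS code): it builds an uncompressed response carrying 60 A records for a constructed name, which at 1649 bytes fits under the old 1680 default but exceeds 1232, and applies the truncation a server performs before answering over UDP (keep header and question, set TC, drop the record sections so the client retries over TCP). The 1232 figure is the largest DNS payload that fits an IPv6 minimum-MTU packet without fragmentation.

```python
import struct

# New default for udp-truncation-threshold in Authoritative 4.2.0 (old default: 1680).
# 1232 = 1280 (IPv6 minimum MTU) - 40 (IPv6 header) - 8 (UDP header).
UDP_TRUNCATION_THRESHOLD = 1232
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname, addresses, txid=0x1234):
    """Build an authoritative response with one A record per address (no name compression)."""
    flags = 0x8400  # QR=1 (response), AA=1 (authoritative answer)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # NAME, TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, RDATA
        answers += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    return header + question + answers


def apply_truncation(msg, threshold=UDP_TRUNCATION_THRESHOLD):
    """Return msg unchanged if it fits within threshold bytes; otherwise return a
    header-plus-question copy with TC set and all record sections emptied,
    which is what a server sends over UDP when the full answer would not fit."""
    if len(msg) <= threshold:
        return msg
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    # Walk the (single) question: length-prefixed labels, root byte, then QTYPE/QCLASS.
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    pos += 1 + 4
    question = msg[12:pos]
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qdcount, 0, 0, 0)
    return header + question


def is_truncated(msg):
    """True if the TC bit is set in the message header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)
```

A resolver that receives the truncated form retries the same question over TCP, which is how the lower threshold trades a second round trip for avoiding fragmented UDP datagrams.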

LMDB backend

Another new feature in 4.2.0 is the LMDB backend. As an in-process, memory mapped database, it should provide performance superior to most other backends. It supports master and slave operation and is fully DNSSEC capable. Sadly, just before 4.2.0, a fix for other backends somewhat broke the LMDB backend. Slaving zones works, and loading zones with pdnsutil works, but finer-grained tools like ‘pdnsutil edit-zone’ do not. We hope to fix this in an upcoming 4.2.x release soon!

If you want to try the LMDB backend, please review the two known bugs to avoid any surprises.

Deprecations

4.2 removes the poorly documented ‘autoserial’ feature. This decision was not taken lightly, but as noted, its removal allows us to fix other bugs; autoserial was holding us back. We realise it is no fun when a feature disappears, but Authoritative Server 4.1 is still around, and you can keep using that if you require ‘autoserial’.

In compliance with the new Algorithm Implementation Requirements and Usage Guidance for DNSSEC RFC, support for ECC-GOST signing and validation, and for GOST DS digests, has been removed.

Other developments

We always strive to deliver secure and performant software. As part of that policy, we joined OSS-Fuzz late last year. Please see that blog post for a nice overview of everything we do to deliver secure software to you, every release.

Release cycles

Starting with this release, we intend to move to 6 month release cycles. This means the next release of PowerDNS Authoritative (4.3) is scheduled for February 2020. We will support a release for two cycles (one year). After that, a release will only get security fixes for one more cycle and then move to end of life status. Recursor and dnsdist are adopting the same cycle.

Specific information can be found in the end of life statement.

Getting the new software

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First release candidate for dnsdist 1.4.0

We are proud to announce the first release candidate of the 1.4.0 version of dnsdist. Since the first alpha release, 1.4.0 has gained a much more scalable way of handling DNS over TCP and DNS over TLS connections. A major new feature since alpha2, and the marquee feature of 1.4.0 compared to 1.3.x, is the new DNS-over-HTTPS functionality.

Following a round of testing from several large scale users, this version fixes several issues, most of them related to DNS over HTTPS (7894, 7917, 7927, 8112), DNS over TCP (7974, 7979, 8003, 8030, 8067, 8078, 8079, 8113), or both (7915).

In addition to minor improvements, it also introduces several new features:

  • a new ContinueAction that allows rule processing to continue even after a normally terminal action, such as PoolAction, has been called (8117);
  • OCSP stapling for DNS over TLS and DNS over HTTPS (8141);
  • custom HTTP headers for DNS over HTTPS responses (contributed by Melissa Voegeli, 8148);
  • actions, rules and Lua bindings to interact with DNS over HTTPS queries and generate responses from dnsdist (8153).

We want to thank everyone that contributed to the testing of the beta release, and invite you to contribute to the testing of this release candidate!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

PowerDNS Authoritative Server 4.2.0 Release Candidate 3

Thanks to an overwhelming amount of testing by our fabulous user community, this release candidate contains a ton of bug fixes (and a few improvements) compared to the previous one. We hope this has shaken out all of the important bugs, so that we can release 4.2.0 soon!

This release, sadly, cripples the LMDB backend somewhat, due to transaction-related fixes for the SQL backends. We hope to fix this issue before 4.2.0, or otherwise, early in 4.2.x.

The changelog summary:

  • lots of bug fixes!

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.1.13 Released

The 4.1.12 release was skipped due to a packaging issue.

This is a bugfix release for high traffic setups using the pipebackend or remotebackend. It contains the following changes:

  • gpgsqlbackend: add missing schema file to Makefile (#8157)
  • stop using select() in places where FDs can be >1023 (#8162)

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Security Notice for PowerDNS+Postgres Users

Hello,

Last Tuesday we published PowerDNS Security Advisory 2019-06, which called for a schema update if you are using PostgreSQL with the Authoritative Server. We have now released updated packages for the 4.0.x and 4.1.x branches. These packages contain no software changes, they only contain the updated schema. Simply updating your packages will NOT correct your PostgreSQL schema.

Please also see the 4.0.9 and 4.1.11 changelogs for more details.

The 4.0.9 tarball (signature) and 4.1.11 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Xenial and Bionic (only for 4.1.11) are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.