PowerDNS Authoritative Server 4.0.4 released!

Today we are releasing version 4.0.4 of the PowerDNS Authoritative Server.

This release features a fix for the ed25519 signer. This signer hashed the message before signing, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.

The full changelog is as follows:

Bug fixes

  • #5423: Do not hash the message in the ed25519 signer (Kees Monshouwer)
  • #5445: Make URI integers 16 bits, fixes #5443
  • #5346: configure.ac: Corrects syntax error in test statement on existence of libcrypto_ecdsa (shinsterneck)
  • #5440: configure.ac: Fix quoting issue fixes #5401
  • #4824: configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA
  • #5016: configure.ac: Check if we can link against libatomic if needed
  • #5341: Fix typo in ldapbackend.cc from issue #5091 (shantikulkarni)
  • #5289: Sort NSEC record case insensitive (Kees Monshouwer)
  • #5378: Make sure NSEC ordernames are always lower case
  • #4781: API: correctly take TTL from first record even if we are at the last comment (Christian Hofstaedtler)
  • #4901: Fix AtomicCounter unit tests on 32-bit
  • #4911: Fix negative port detection for IPv6 addresses on 32-bit
  • #4508: Remove support for ‘right’ timezones, as this code turned out to be broken
  • #4961: Lowercase the TSIG algorithm name in hash computation
  • #5048: Handle exceptions raised by closesocket()
  • #5297: Don’t leak on signing errors during outgoing AXFR; signpipe stumbles over interrupted rrsets; fix memory leak in gmysql backend
  • #5450: TinyCDB backend: Don’t leak a CDB object in case of bogus data

Improvements

  • #5071: ODBC backend: Allow query logging
  • #5441: Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer (Kees Monshouwer)
  • #5325: YaHTTP: Sync with upstream changes
  • #5298: Send a notification to all slave servers after every dnsupdate (Kees Monshouwer)
  • #5317: Add option to set a global lua-axfr-script value (Kees Monshouwer)
  • #5130: dnsreplay: Add --source-ip and --source-port options
  • #5085: calidns: Use the correct socket family (IPv4 / IPv6)
  • #5170: Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer)
  • #4622: API: Make trailing dot handling consistent with pdnsutil (Tuxis Internet Engineering)
  • #4762: SuffixMatchNode: Fix insertion issue for an existing node
  • #4861: Do not resolve the NS-records for NOTIFY targets if the “only-notify” whitelist is empty, as a target will never match an empty whitelist.
  • #5378: Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in an unsigned zone
  • #5297: Create additional reuseport sockets before dropping privileges; remove transaction in pgpsql backend

Tarball (sig) is available on the downloads website. Packages for Debian Jessie and Stretch, CentOS 6 and 7 and Ubuntu 14.04, 16.04, 16.10 and 17.04 are uploaded to our repositories.

PowerDNS Authoritative 4.0.4 Release Candidate 1 released!

Because 4.0.3 was released 5 months ago, and a lot has happened since (see the long changelog below), we are doing a release candidate for release 4.0.4.

The full changelog looks like this:

Bug fixes

  • #5346: configure.ac: Corrects syntax error in test statement on existence of libcrypto_ecdsa (shinsterneck)
  • #5341: Fix typo in ldapbackend.cc from issue #5091 (shantikulkarni)
  • #5289: NSEC sorting (Kees Monshouwer)
  • #4824: Check in the detected OpenSSL/libcrypto for ECDSA
  • #4781: API: correctly take TTL from first record even if we are at the last comment (zeha)
  • #4901: Fix AtomicCounter unit tests on 32-bit
  • #4911: Fix negative port detection for IPv6 addresses on 32-bit
  • #4508: Remove support for ‘right’ timezones, as this code turned out to be broken
  • #4961: Lowercase the TSIG algorithm name in hash computation
  • #5048: Handle exceptions raised by closesocket()
  • #5378: Make sure NSEC ordernames are always lower case
  • #5297: Don’t leak on signing errors during outgoing AXFR; signpipe stumbles over interrupted rrsets; fix memory leak in gmysql backend

Improvements

  • #5325: YaHTTP: Sync with upstream changes
  • #5298: Notify dnsupdate backport (Kees Monshouwer)
  • #5317: add option to set a global lua-axfr-script value (Kees Monshouwer)
  • #5130: dnsreplay: Add --source-ip and --source-port options
  • #5085: calidns: Use the correct socket family (IPv4 / IPv6)
  • #5170: Backport: Add an option to allow AXFR of zones with a different (higher/lower) serial #5169 (Kees Monshouwer)
  • #5071: backport #5051: fix godbc query logging (cherry-pick of d2bc6b2)
  • #4622: API dot-inconsistencies
  • #4762: SuffixMatchNode: Fix insertion issue for an existing node
  • #5016: backport #4838: Check if we can link against libatomic if needed
  • #4861: Do not resolve the NS-records for NOTIFY targets if the “only-notify” whitelist is empty, as a target will never match an empty whitelist.
  • #5378: Improve the axfr dnssec freshness check; Ignore NSEC3PARAM metadata in an unsigned zone
  • #5297: Create additional reuseport sockets before dropping privileges; remove transaction in pgpsql backend

Tarballs (sig) and packages for different operating systems can be downloaded from the downloads website. The packages are versioned so that users of the 4.0.x repositories can download and install them (using dpkg -i or rpm -U) and when the final release of 4.0.5 is added to the repositories, the package will be upgraded to the version in the repository.

PowerDNS Recursor 4.0.5 Released!

Today we are releasing version 4.0.5 of the PowerDNS Recursor. The most important change is the addition of the KSK-2017, the new root key for DNSSEC, that will be used to sign the root starting October 11th 2017 (read more about the keyroll). If you do DNSSEC validation, upgrading is mandatory to continue to validate DNSSEC after October 11th 2017! Also on the DNSSEC front, Kees Monshouwer added support for validating ed25519 (algorithm 15) signatures when linked against libsodium. Packages supplied by us have this support enabled.

The RPZ module has also seen a steady number of improvements, like support for RPZ wildcard target names and several stability and performance improvements.

The full changelog looks like this:

Additions and Enhancements

  • commit 7705e1c: Add support for RPZ wildcarded target names. Fixes #5237
  • #5165: Speed up RPZ zone loading and add a zoneSizeHint parameter to rpzFile and rpzMaster for faster reloads
  • #4794: Make the RPZ summary consistent (Fixes #4342) and log additions/removals at debug level, not info
  • commit 1909556: Add the 2017 root key
  • commit abfe671 and commit 7abbb2c: Update Ed25519 algorithm number and mnemonic and hook up to the Recursor (Kees Monshouwer)
  • #5355: Add use-incoming-edns-subnet option to process and pass along ECS and fix some ECS bugs in the process
  • commit dff1a11: Refuse to start with chroot set in a systemd env (Fixes #4848)
  • commit 5a38a56: Handle exceptions raised by closesocket() to prevent process termination
  • #4619: Document missing top-pub-queries and top-pub-servfail-queries commands for rec_control (phonedph1)
  • commit 502a850: IPv6 address for g.root-servers.net added (Kevin Otte)
  • commit 7a2a645: Log outgoing queries / incoming responses via protobuf

Bug fixes

  • commit af76224: Correctly lowercase the TSIG algorithm name in hash computation, fixes #4942
  • commit 86c4ed0: Clear the RPZ NS IP table when clearing the policy, this prevents false positives
  • commit 5e660e9: Fix cache-only queries against a forward-zone, fixes #5211
  • commit 2875033: Only delegate if NSes are below apex in auth-zones, fixes #4771
  • commit e7c183d: Remove hardcoding of port 53 for TCP/IP forwarded zones in recursor, fixes #4799
  • commit 5bec36e: Make sure labelsToAdd is not empty in getZoneCuts()
  • commit 0f59e05: Wait until after daemonizing to start the outgoing protobuf thread, prevents hangs when the protobuf server is not available
  • commit 233e144: Ensure (re)priming the root never fails
  • commit 3642cb3: Don’t age the root, fixes a regression from 3.x
  • commit 83f9226: Fix exception when sending a protobuf message for an empty question
  • commit ffdd813: LuaWrapper: Allow embedded NULs in strings received from Lua
  • commit c5ffd90: Fix coredumps on illumos/SmartOS, fixes #4579 (Roman Dayneko)
  • commit 651c0e9: StateHolder: Allocate (and copy if needed) before taking the lock
  • commit 547d68f: SuffixMatchNode: Fix insertion issue for an existing node
  • commit 3ada4e2: Fix negative port detection for IPv6 addresses on 32-bit systems

Tarball (sig) is available on the downloads website. Packages for Debian Jessie and Stretch, CentOS 6 and 7 and Ubuntu 14.04, 16.04, 16.10 and 17.04 are uploaded to our repositories.

PowerDNS Recursor 4.0.5 Release Candidate 2 released!

One and a half weeks after the release of Release Candidate 1 comes the second release candidate for the PowerDNS Recursor version 4.0.5.

These are the two changes between RC1 and RC2:

  • Added the use-incoming-edns-subnet option to process and pass along ECS and fix some ECS bugs in the process
  • Correct a syntax error in test statement on existence of libcrypto_ecdsa during configure

The full changelog between 4.0.4 and 4.0.5 is available.

Tarballs (sig) and packages for different operating systems can be downloaded from the downloads website. The packages are versioned so that users of the 4.0.x repositories can download and install them (using dpkg -i or rpm -U) and when the final release of 4.0.5 is added to the repositories, the package will be upgraded to the version in the repository.

We ask you to test this release and provide feedback.

PowerDNS Recursor 4.0.5 Release Candidate 1 released!

Today we are releasing the first release candidate of version 4.0.5 of the PowerDNS Recursor. The most important change is the addition of the KSK-2017, the new root key for DNSSEC, that will be used to sign the root starting October 11th 2017 (read more about the keyroll). If you do DNSSEC validation, upgrading is mandatory to continue to validate DNSSEC after October 11th 2017! Also on the DNSSEC front, Kees Monshouwer added support for validating ed25519 (algorithm 15) signatures when linked against libsodium. Packages supplied by us have this support enabled.

The RPZ module has also seen a steady number of improvements, including support for RPZ wildcard target names and several stability and performance improvements.

The full changelog looks like this:

Bug fixes

Additions and Enhancements

Tarballs (sig) and packages for different operating systems can be downloaded from the downloads website. The packages are versioned so that users of the 4.0.x repositories can download and install them (using dpkg -i or rpm -U) and when the final release of 4.0.5 is added to the repositories, the package will be upgraded to the version in the repository.

Please test these packages and provide feedback.

PowerDNS Recursor 4.1 Development Plans

Hi everyone,

In this message, we ask you to look at our intended PowerDNS Recursor 4.1 development plan. The 4.0 release train has been very successful and reliable for a major ‘.0’ release and is seeing wide production use, including DNSSEC validation for millions of clients.

However, we have found some things that need improving for the 4.1 release. This is the focus for 4.1: general improvement of quality, rounding out of features, and adding a few specific new features.

We ask you to take a REALLY good look at what we intend to do. It is entirely possible that you are running into issues and challenges you are sure we know about already, when we in fact don’t. So if the PowerDNS Recursor is somehow not making you happy, and what ails you is not in the list below, we would LOVE to hear from you!

We are aiming for a June release of Recursor 4.1, but depending on developments this might be earlier or later, and possibly not with all features communicated below. This post is not a roadmap you can rely on. If you need to rely on certain features appearing by a certain time, please head to www.powerdns.com/contactform.html – for commercially supported customers we regularly commit to dates & features.

Already addressed since last 4.0 release, so no need to ask for this:

github.com/PowerDNS/pdns/issues/

  • #4988 – Add `use-incoming-edns-subnet` to process and pass along ECS
  • #4990 – Native SNMP support for Recursor
  • #5058 – Faster RPZ updates
  • #4873 – Ed25519 algorithm support
  • #4972 – 2017 root KSK added
  • #4924 – EDNS Client Subnet tuning & length configuration

All issues scheduled for 4.1 can be viewed on the rec-4.1.0 milestone on GitHub github.com/PowerDNS/pdns/milestone/7

Important highlights:

Improvements:

  • #5077 – DNSSEC validation is in need of a refactor (ongoing)
  • #4000 – And other tickets: more love & performance for RPZ

New features:

  • #5079 – EDNS Client Subnet port number
  • #5076 – RPZ persistency
  • #440 – DNS prefetching
  • #4662 – Continue serving expired cache data if all auths are down

If you want to help, please check out the full milestone listing github.com/PowerDNS/pdns/milestone/7 and see if (your) older issues might have been addressed by now.

Also, if you have an opinion on certain fixes, features or improvements, please add them to the GitHub issues so we learn about your concerns! You can also weigh in on our mailing lists.

Thanks!

PowerDNS Jobs, 4.1 roadmap, DNSSEC research

Hi everyone,

In this post, we want to mention a few things: PowerDNS Jobs, 4.1 plans & some DNSSEC research.

First, PowerDNS is growing rapidly as more and more large scale service providers replace closed DNS systems with PowerDNS, especially for security enhanced DNS and “parental control”. More on this PowerDNS Platform product can be found on the Open-Xchange website and here.

To support this growth, we have two job openings currently. Full details are here, brief descriptions:

Solution Engineer

Daily activities alternate between working on customer issues and actual Professional Services for customer implementations (both on-site and off-site). As Solution Engineer (with a focus on PowerDNS) you will work closely with the PowerDNS development team, as well as with other parts of Open-Xchange and Dovecot development, sales, and Product Management teams from within a European Services team.

We think Support & Implementation is a great step into a promising career. We are specifically looking for employees willing to learn quickly while delivering great support and service, while keeping an eye towards growing within the Global Services department or into different roles in the larger Open-Xchange organisation.

Versatile frontend developer with moderate middleware skills

We are looking for people with one or more of the following skills:

  • Modern web development (key words are AngularJS, JSON, RESTful, D3.js, Backbone and other frameworks that aren’t TOO hip)
  • Django
  • Ability to enhance middleware in Python
  • Ability to propose changes to core C++ code and make small additions
  • Automated UI testing

Full details and how to apply can be found here.

4.1 plans

We have started the process of 4.1 release planning. We have identified a number of areas that need to be addressed, but your input is most welcome. The 4.0 roadmap process was rather successful, but only because users vocally reminded us of what was missing.

So please let us know: what are we simply not talking about that you think is vital for PowerDNS. If we are not doing something, it is probably because we don’t know that you need it! So please let us know whatever you are missing on powerdns-ideas@powerdns.com.

DNSSEC research

We wrote some perhaps interesting stuff on DNSSEC here:
https://ds9a.nl/hypernsec3/

With this technique, we’ve been able to measure the DNSSEC penetration on all top level domains (including co.uk and com.br). The list is here: https://powerdns.org/dnssec-stats/, and here are the top domains:

[Screenshot: the top DNSSEC-signed domains from the list above]

All in all we have found there are around 7.4 million signed DNSSEC domains.

Given what we know of the zones involved (.se, .nl, .de, .be), it looks like the majority of these are signed and mostly served by PowerDNS.