Today a rather epic journey ends. In this post, we describe how 4.0.0 came to be, what we did, what we added, but also answer the big question: should I deploy PowerDNS 4? And enable DNSSEC validation? Finally.. to celebrate, we’ll be handing out vouchers for FREE PowerDNS 4.0.0 Coffee (or tea) mugs!
But first, a round of thanks. PowerDNS Authoritative Server 4.0.0 and PowerDNS Recursor 4.0.0 are the biggest releases in our history. This would not have been possible without the help of a lot of people. The PowerDNS community continues to be the stuff of dreams.
We believe in being an open company and producing powerful technology as open source. We are extremely grateful to be part of such a wonderful community that enables us together to make the internet and our software even greater. Thanks to you, this is the most powerful version of PowerDNS ever, and one we feel can be relied upon to serve your needs!
Secondly, we’d like to thank our supported users (customers) too. Through their efforts, we were able to cram even more features into PowerDNS 4.0.0 than originally anticipated. Specifically, RPZ, IXFR and DNSSEC validation have been fast-tracked and enabled by (sadly) anonymous but very large PowerDNS customers.
Additionally, a shout out to Spamhaus, Farsight and ThreatSTOP who all made their wonderful RPZ feeds freely available for interoperability testing.
Finally, we are grateful for your understanding. PowerDNS 4.0.0 was a major ‘spring cleaning‘ operation that took 16 months. It is rare for software projects to be granted the time to revisit and cleanup old code. We trust it was worth the wait!
In February 2015 we announced our plans for the 4.x.x branch of PowerDNS. Late May of that year, we asked for your help determining the roadmap for 4.x.x, and we got a lot of feedback from that. Late June we published the outcome of that process.
At the end of 2015 we launched the 4.0.0 Technology Preview releases (including dnsdist), where we noted:
A few months into the development, various users and customers suddenly chimed in on absolutely mandatory features we had somehow missed. Because of that, 4.x both under- and over-delivers.
During the 4.0.0 release process, we have stayed in close touch with our users and customers. And although we would have liked to have stuck to our roadmap, inevitably, some absolutely mandatory requirements came up. We spent most of early 2016 working with large (future) deployments to ensure 4.0.0 delivered what they needed (and deployed!).
So what did we do? You can read the full details in the release notes (auth link, recursor link), but here in short:
Over time, most software projects keep adding features, but sadly also a lot of complexity and “cruft”. For us, 4.0.0 was a “spring cleaning” exercise. We removed a lot of ancient code, tons of workarounds, loads of no longer relevant optimisations, non-functional backends and otherwise outdated code. We switched to C++2011, which allowed us to benefit from its enhanced features to make our code briefer and better.
Things we added
- Full DNSSEC in the PowerDNS Recursor (Authoritative had this since 3.0)
- RPZ in Recursor, tested to work with Spamhaus, Farsight Security and ThreatSTOP.
- IXFR slaving in Authoritative and Recursor (for RPZ)
- ODBC (Microsoft SQL Server & Azure) and LDAP backends are fully supported again in Authoritative
- Vastly improved Lua modules in Recursor, including the ability to asynchronously query reputation servers or databases (!)
- EDNS Client Subnet support in Recursor (Authoritative supported this in 3.x.x too)
- GEOIP backend enhanced, for example to support countries but also direct subnets for source dependent answers
- All caches can now be wiped for whole subtrees
- Powerful new metrics that point out performance and operational problems (fd usage, memory usage, network responsiveness, kernel dropped packets)
- ALIAS records so you can “CNAME your domain”, including DNSSEC support (as used by search.whitehouse.gov!)
- New pdnsutil commands like ‘pdnsutil edit-zone‘, create-zone, add-record, replace-rrset
- Halved query load on most database backends
Should I deploy PowerDNS 4.0.0?
Definitely. PowerDNS Authoritative Server 4.x.x and PowerDNS Recursor pre-releases are already widely deployed. All of us over at PowerDNS rely fully on the 4.0.0 version, and in fact find 3.x.x somewhat painful to use in comparison. We trust the code in 4.0.0 more.
In terms of performance, both Authoritative and Recursor look to offer higher peak performance than 3.x.x. We have performed extensive benchmarking on the Recursor, and reliably achieve 400kqps on “actual customer traffic”. For Authoritative, we note that 4.0.0 halves the database backend query load in many circumstances.
Enabling DNSSEC processing in Recursor 4.0.0 (the default) means slightly higher CPU utilization than 3.x.x. Turning on validation roughly doubles the CPU load.
What about DNSSEC validation?
DNSSEC does not make DNS any easier. Many DNS and DNSSEC enabled domains are misconfigured. Our trials indicate PowerDNS Recursor 4.0.0 will successfully validate all correctly configured domains (that we have tested). The bad news is that many domains, some important ones even, are not correctly configured.
Our advice for now is: turn on DNSSEC validation if you are prepared to spend time monitoring the log files for validation failures. And even as we improve our resilience against badly configured domains and work out issues, this advice will remain in place. DNSSEC validation, regardless of software used for it, requires monitoring. A useful option at this time is ‘log-fail‘, which will do the validation but only log the failures, and not block the answers.
Enough of this, how do I get my hands on the glorious PowerDNS 4.0.0 release mug?
As a small token of our appreciation, we have teamed up with MugBug to ship free PowerDNS 4.0.0 release mugs to anyone who was in any way part of the process. Uniquely, this giveaway extends to anyone deploying PowerDNS Authoritative Server 4.0.0 or PowerDNS Recursor 4.0.0 in the coming months!
So, apply for a free mug or even a set of mugs (if you are in an office), if you:
- Opened an issue relevant for PowerDNS 4.0.0 on GitHub
- Contributed code or a pull request that ended up in 4.0.0
- Supplied testing data (PCAPs) now or in the past
- Deployed PowerDNS 4.0.0 betas, release candidates, alphas or the technology preview
- Authored one of our dependencies
- Feel in any other way that you contributed to 4.0.0!
If you are part of a team, feel free to apply for mugs for the whole team. There is no need to send us your address details (since MugBug will do the actual logistics), but we do need to know who you are and what you did to be part of the PowerDNS community! Please email to firstname.lastname@example.org with your details (which we absolutely promise not to use in any other way than to authorize MugBug to send you your mugs!).
We’ve allocated a generous budget for the free mug giveaway, but it is limited – but we expect to be able to ship hundreds of mugs.
Thank you for your interest in PowerDNS Authoritative Server 4.0.0 and Recursor 4.0.0! Other blog posts have the full details and download links for the Authoritative Server and the Recursor.