PowerDNS Recursor 4.1.0 Release Candidate 1 Available

PowerDNS Recursor 4.1.0 RC1 is here!

The RC1 release features many fixes to the DNSSEC validation code, reported by different users. Other improvements include: logging, RPZ and the Remote Logger.

While not specifically mentioned in the ChangeLog, also thanks to Winfried Angele for bringing a documentation issue to our attention!

The full changelog looks like this:

Bug Fixes

  • #5569: Don’t fetch the DNSKEY of a zone to validate the DS of the same zone.
  • #5614: Improve DNSSEC debug logging,
  • #5672: Add NSEC records on nx-trust cache hits.
  • #5671: Handle NSEC wrap-around.
  • #5670: Fix erroneous check for section 4.1 of rfc6840.
  • #5715: Handle direct NSEC queries.
  • #5716: Detect zone cuts by asking for DS instead of NS.
  • #5738: Do not allow direct queries for RRSIG or NSEC3.
  • #5771: The target zone being insecure doesn’t mean that the denial of the DS is too, if the parent zone is Secure.
  • #5530: Add a missing header for PRId64 in the negative cache, required on EL5/EL6.
  • #5549: Prevent an infinite loop if we need auth and the best match is not.
  • #5570: Be more careful about the validation of negative answers.
  • #5599: Fix libatomic detection on ppc64. (Sander Hoentjen)
  • #5615: Fix sortlist in the presence of CNAME. (Benoit Perroud thanks for reporting this issue!)
  • #5515: Fix cache handling of ECS queries with a source length of 0.
  • #5328: Handle SNMP alarms so we can reconnect to the master.
  • #5662: Fix Recursor 4.1.0 alpha 1 compilation on FreeBSD. (@RvdE)
  • #5739: Remove pdns.PASS and pdns.TRUNCATE.
  • #5734: Fix a crash when getting a public GOST key if the private one is not set.
  • #5773: Don’t negcache entries for longer than their RRSIG validity.
  • #5792: Gracefully handle Socket::accept() returning a null pointer on EAGAIN.


  • #5756: Improve –quiet=false output to include DNSSEC and more timing details.
  • #5733: Add DNSSEC test vectors for RSA, ECDSA, ed25519 and GOST.
  • #5543: Wrap the webserver’s and Resolver::tryGetSOASerial objects into smart pointers (also thanks to Christian Hofstaedtler for reviewing!)
  • #5545: Add more unit tests for the NetmaskTree and ECS cache index.
  • #5588: Switch the default webserver’s ACL to, ::1.
  • #5598: Add help text on autodetecting systemd support. (Ruben Kerkhof thanks for reporting!)
  • #5622: Add log-rpz-changes to log RPZ additions and removals.
  • #5621: Log the policy type (QName, Client IP, NS IP…) over protobuf.
  • #5637: Remove unused SortList compare operator for ComboAddress.
  • #5620: Add support for dumping the in-memory RPZ zones to a file.
  • #5646: Support for identifying devices by id such as mac address.
  • #5699: Implement dynamic cache sizeing.
  • #5755: Improve dnsbulktest experience in Travis for more robustness.
  • #5772: Set TC=1 if we had to omit part of the AUTHORITY section.
  • #5764: autoconf: set –enable-libsodium to auto.

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Yakkety, Xenial and Zesty are available from repo.powerdns.com.

We invite you to test this release candidate and send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.1.0 Release Candidate 1 Released

PowerDNS Authoritative Server 4.1.0 RC1 is here!

This release marks The Return of the LDAP Backend. Also recursion has been removed from the authoritative server (see #4752 below) and a CryptoKey API endpoint is now available.

The full changelog looks like this:

New Features

  • #4624: Add TCP management options described in section 10 of RFC 7766.
  • #5137: Add TCP Fast Open support.
  • #5258, #5132: Hash the entire query in the packet cache, split caches. This makes the authoritative server pass the EDNS compliance test. Add cache hit/miss statistics (Kees Monshouwer).
  • #5190, #5271: Add an adjustable statistics interval (#phonedph1).
  • #5316: Add option to set a global lua-axfr-script (Kees Monshouwer).
  • #4964, #1701, #4965: Allow forwarding of NOTIFY messages using forward-notify (#DrRemorse).
  • #5038, #4093: Add API endpoints for Domain metadata (Christian Kröger).
  • #4106: Implement CryptoKey in the API (Wolfgang Studier, #MrM0nkey, Tudor Soroceanu, Benjamin Zengin).
  • #5339: calidns: add –increment and –want-recursion flags.
  • #4058: Allow the use of a Lua script to validate DNS Update requests (Aki Tuomi).
  • #5264, #5263, #5321: Send a notification to all slave servers after every dnsupdate (Kees Monshouwer, Florian Obser).
  • #5115: Support “native” zones in the BIND backend.
  • #4477: Many improvements and additions to the LDAP backend (Grégory Oestreicher).
  • #5270, #5266, #5269: Support 2-character country codes and the MaxMind cities database in the GeoIP backend (Aki Tuomi).
  • #5043: Add function to the MyDNS backend to allow backend-to-backend migrations (Aki Tuomi).
  • #5379: Support the SMIMEA RRType.

Removed Features


  • #4373: Revamp and clean label compression code. Speeds up large packet creation by ~40%.
  • #4332: Apply non-local-bind to query-local-address and query-local-address6 when possible.
  • #4492, #4467: A number of fixes and improvements that are difficult to untangle:
    • Remove the ASCII DNSResourceRecord from the hot path of packet assembly,
    • Hash the storage of records in the BindBackend,
    • Hash the packetcache,
    • Fix some bugs in the LDAP backend and in the MyDNS backend,
    • Make the randombackend go ‘native’ and directly supply records that can be sent to packets,
    • The performance benefit of this PR is measured in “factors” for being a root-server.
  • #4504: Improve cleaning, remove an unnecessary lock and improve performance of the packetcache (Kees Monshouwer).
  • #4485: Improve SOA records caching (Kees Monshouwer).
  • #4829: Make sure AXFR only deletes records from a SLAVE domain in a multi backend setup (Kees Monshouwer).
  • #4908: Tidy up UeberBackend (Christian Hofstaedtler).
  • #4944: Improve API performance by instantiating only one DNSSECKeeper per request.
  • #4953: Incremental backoff for failed slave checks.When a SOA record for a slave domain can’t be retrieved, use an increasing interval between checking the domain again. This prevents hammering down on already busy servers.
  • #4549: Remove d_place from DNSResourceRecord (Christian Hofstaedtler).
  • #5169: Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer).
  • #5112: Use the resolver setting for the stub resolver, use resolv.conf as fallback.
  • #5250: Re-implement the AXFR Filter with LuaContext (Aki Tuomi).
  • #5387: Allow control socket to listen on IPv6 (#Gibheer).
  • #5523: Fix typo in two log messages (Ruben Kerkhof).
  • #5542: Update YaHTTP (to fix a warning reported by Coverity).
  • #5541: Clarify how we check the return value of std::string::find() (reported by Coverity).
  • #5543: Wrap the webserver’s and Resolver::tryGetSOASerial objects into smart pointers.
  • #4692: SSql: Use unique_ptr for statements (Aki Tuomi).
  • #5599: Fix libatomic detection on ppc64 (Sander Hoentjen).
  • #5588: Switch the default webserver’s ACL to “, ::1”.
  • #5611: NOTIMP is only appropriate for an unsupported opcode (Kees Monshouwer).
  • #5641: Catch DNSName exception in the Zoneparser.
  • #5583: Listen on during regression tests (#tcely).
  • #4408: Enable the webserver when api is ‘yes’ (Christian Hofstaedtler).
  • #4751: Prevent sending nameservers list and zone-level NS in rrsets in the API (Christian Hofstaedtler).
  • #5389: Forbid mixing CNAMEs and other RRSets in the API (Christan Hofstaedtler).
  • #4195: Prevent duplicate records in single RRset (Christian Hofstaedtler).
  • #4007: Implement subcommand printing all KSK DS records in pdnsutil (Jonas Wielicki).
  • #4584: Allow setting the account of a zone via pdnsutil (Tuxis Internet Engineering).
  • #4719: Print “$ORIGIN .” on “pdnsutil list-zone”, so the output can be used in “pdnsutil load-zone” (Tuxis Internet Engineering).
  • #4478: pdnsutil: clarify error message when set-presigned fails with DNSSEC disabled (Peter Thomassen).
  • #3913: pdnsutil: Validate names with address records to be valid hostnames (Håkan Lindqvist).
  • #5118: Correct pdnsutil help output for add-zone-key.
  • #5062: Check for valid hostnames in SRV, NS and MX records.
  • #5182: Disable ALIAS expansion by default.
  • #5094: Make the zone parser adhere to RFC 2308 with regards to implicit TTLs. Existing zone files may now be interpreted differently. Specifically, where we previously used the SOA minimum field for the default TTL if none was set explictly, or no $TTL was set, we now use the TTL from the previous line.
  • #5605: mydnsbackend: Initialize d_query_stmt (Aki Tuomi).
  • #4711: Enable setting custom pgsql connection parameters, like TLS parameters (Tarjei Husøy).
  • #5121, #5221: Use pkg-config to detect PostgreSQL libraries.
  • #5426: Use BIGSERIAL for records.id in the gpgsql backend (Arsen Stasic).
  • #5509: Ship ldapbackend schema files in tarball (Christian Hofstaedtler).
  • #5548: Add ability to have service record for apex record and any other static record (Aki Tuomi).
  • #5116: Report query statistics as full numbers, not scientific notation in the webserver.
  • #5518: Schema changes for MySQL / MariaDB and PostgreSQL to for storage requirements of various versions (Kees Monshouwer).

Bug Fixes

  • #4424: Fix compilation on systems with Boost < 1.54
  • #4560, #4548: Fix possible variable shadowing (Kees Monshouwer, Christian Hofstaedtler).
  • #4855: Fix “getaddrinfo()” returning address in triplicate.
  • #5117: Turn exception in a qthread into an error instead of a crash.
  • #5249, #5212: Remove duplicate dns2_tolower() function and move ascii-related function to one file (Thiago Farina).
  • #5209: Make copying locks impossible.
  • #5320: Properly truncate trailing bits of EDNS Client Subnet masks.
  • #5161, #5083: Fix regressions in the AXFR rectification code (Kees Monshouwer, Arthur Gautier).
  • #5408: Zero the port when creating a netmask from a ComboAddress.
  • #5512: Drop (broken) support for packet-specific SOA replies from backends (Christian Hofstaedtler).
  • #5525: Fix validation at the exact RRSIG inception or expiration time
  • #5519: Lookups one level (or more) below apex did confuse getAuth() for qytpe DS (Kees Monshouwer).
  • #5633: First and last SOA in an AXFR must be identical (Kees Monshouwer).
  • #4526: Make the URL in zone info absolute (Christian Hofstaedtler).
  • #5516: Avoid creating fake DNSPacket objects just for calling getAuth() from API code (Christian Hofstaedtler).
  • #5589: Check if the API is read-only on crypto keys methods.
  • #5556: Fix getSOA() in luabackend (#zilopbg).
  • #4740: Avoid undefined behaviour in Clang vs. GCC when printing DS records in pdnsutil.
  • #5125: In “pdnsutil create-slave-zone”, actually add all slaves.
  • #5303: Fix off-by-one in dnsreplay –packet-limit.
  • #5610: Fix that pdnsutil edit-zone complains about auth=1 problems on all data.
  • #4650: Do not corrupt data supplied by other backends in getAllDomains (Christian Hofstaedtler).
  • #5245: Reconnect to the server if the My/Pg connection has been closed.
  • #4929: Make statement actually unique (Christian Hofstaedtler).
  • #5506: Add missing query for last key insert id in the goracle backend (Aki Tuomi).
  • #4922: Fix ldap-strict autoptr feature.
  • #5340: Fix an erroneous ‘.’ in “.ip6.arpa” (#shantikulkarni).
  • #5267: Apply weights consistently during GeoIP lookups (Aki Tuomi).
  • #4997: Fix two problems with remotebackend (Aki Tuomi):
    • list method used domain-id json parameter, when it was supposed to use domain_id
    • NULL ordername was not passed as empty string in POST parameters builder, instead it threw an exception
  • #5308: Don’t copy data around in the Remote Backend when sending and receiving in the Unix Connector.

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Yakkety, Xenial and Zesty are available from repo.powerdns.com.

We invite you to test this alpha and send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

dnsdist 1.2.0 released

We are very pleased to announce the availability of dnsdist 1.2.0, bringing a lot of new features and fixes since 1.1.0.

This release also addresses two security issues of low severity, CVE-2016-7069 and CVE-2017-7557. The first issue can lead to a denial of service on 32-bit if a backend sends crafted answers, and the second to an alteration of dnsdist’s ACL if the API is enabled, writable and an authenticated user is tricked into visiting a crafted website. More information can be found in our security advisories 2017-01 and 2017-02.

Highlights include:

  • applying rules on cache hits
  • addition of runtime changeable rules that matches IP address for a certain time: TimedIPSetRule
  • SNMP support, exporting statistics and sending traps
  • preventing the packet cache from ageing responses when deployed in front of authoritative servers
  • TTL alteration capabilities
  • consistent hash results over multiple deployments
  • exporting CNAME records over protobuf
  • tuning the size of the ringbuffers used to keep track of recent queries and responses
  • various DNSCrypt-related fixes and improvements, including automatic key rotation

Users upgrading from a previous version should be aware that:

  •  the truncateTC option is now off by default, to follow the principle of least astonishment
  • the signature of the addLocal() and setLocal() functions has been changed, to make it easier to add new parameters without breaking existing configurations
  • the packet cache does not cache answers without any TTL anymore, to prevent them from being cached forever
  • blockfilter has been removed, since it was completely redundant

This release also deprecates a number of functions, which will be removed in 1.3.0. Those functions had the drawback of making dnsdist’s configuration less consistent by hiding the fact that each rule is composed of a selector and an action. They are still supported in 1.2.0 but a warning is displayed whenever they are used, and a replacement suggested.

For the many other new features, improvements and bug fixes, please see the dnsdist website for the more complete changelog, the current documentation, and the upgrade guide.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

OX Summit & other conferences

Hi everyone,

As we are working on the 4.1 & 1.2 releases, please know you can also meet us in real life! We are just back from IETF in Prague, here is a list of other places where we will be present:

We hope to meet you there!

PowerDNS Recursor 4.1.0-alpha1 released

We’re happy to release the first alpha version of the PowerDNS Recursor 4.1.0.

This release features all the improvements made to the 4.0 branch of the PowerDNS Recursor, as well as an improved DNSSEC validator that reduces CPU load by caching the validation status.

The Lua scripting engine has several new features, such as the possibility to see whether a query came in over tcp in gettag, and allowing dq.data to be returned from that same function.

For those running RPZ, support for wildcarded target names has been added, as well as an option to limit the TTL from the RPZ. To top this off, several performance improvements have been added.

The full changelog is here. As you may notice, the documentation has been split from the original shared documentation that existed before.

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Yakkety, Xenial and Zesty are available from repo.powerdns.com.

We invite you to test this alpha and send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

Happy testing!

PowerDNS Recursor 4.0.6 released!

This release features a fix for the ed25519 verifier. This verifier hashed the message before verifying, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.

Besides that, this release features massive improvements to our edns-client-subnet handling, and some IXFR fixes. Note that this release changes use-incoming-edns-subnet to disabled by default.

The full changelog looks like this:

Bug fixes

  • commit c24288b87: Use the incoming ECS for cache lookup if use-incoming-edns-subnet is set
  • commit b91dc6e92: when making a netmask from a comboaddress, we neglected to zero the port. This could lead to a proliferation of netmasks.
  • commit 261591b6f: Don’t take the initial ECS source for a scope one if EDNS is off
  • commit 66f894b7a: also set d_requestor without Lua: the ECS logic needs it
  • commit c2086f265: Fix IXFR skipping the additions part of the last sequence
  • commit a5c9534d0: Treat requestor’s payload size lower than 512 as equal to 512
  • commit 61b1ea2f4: make URI integers 16 bits, fixes ticket #5443
  • commit 27f9da3c2: unbreak quoting; fixes ticket #5401


  • commit 2325010e6: with this, EDNS Client Subnet becomes compatible with the packet cache, using the existing variable answer facility.
  • commit 2ec8d8148: Remove just enough entries from the cache, not one more than asked
  • commit 71df15677: Move expired cache entries to the front so they are expunged
  • commit d84834c4c: changed IPv6 addr of b.root-servers.net (Arsen Stasic)
  • commit bcce047bc: e.root-servers.net has IPv6 now (phonedph1)
  • commit cef8ec7c2: hello decaf signers (ED25519 and ED448) Testing algorithm 15: ‘Decaf ED25519′ ->’Decaf ED25519’ -> ‘Decaf ED25519’ Signature & verify ok, signature 68usec, verify 93usec Testing algorithm 16: ‘Decaf ED448′ ->’Decaf ED448’ -> ‘Decaf ED448’ Signature & verify ok, signature 163usec, verify 252usec (Kees Monshouwer)
  • commit 68490a4b5: don’t use the libdecaf ed25519 signer when libsodium is enabled (Kees Monshouwer)
  • commit 5a88a8ed5: do not hash the message in the ed25519 signer (Kees Monshouwer)
  • commit 0e7893bf4: Disable use-incoming-edns-subnet by default

Tarball (sig) is available on the downloads website. Packages for Debian Jessie and Stretch, CentOS 6 and 7 and Ubuntu 14.04, 16.04, 16.10 and 17.04 are uploaded to our repositories.

PowerDNS Authoritative Server 4.0.4 released!

Today we are releasing version 4.0.4 of the PowerDNS Authoritative Server.

This release features a fix for the ed25519 signer. This signer hashed the message before signing, resulting in unverifiable signatures. Also on the Elliptic Curve front, support was added for ED448 (DNSSEC algorithm 16) by using libdecaf.

The full changelog is as follows:

Bug fixes

  • #5423: Do not hash the message in the ed25519 signer (Kees Monshouwer)
  • #5445: Make URI integers 16 bits, fixes #5443
  • #5346: configure.ac: Corrects syntax error in test statement on existance of libcrypto_ecdsa (shinsterneck)
  • #5440: configure.ac: Fix quoting issue fixes #5401
  • #4824: configure.ac: Check in the detected OpenSSL/libcrypto for ECDSA
  • #5016: configure.ac: Check if we can link against libatomic if needed
  • #5341: Fix typo in ldapbackend.cc from issue #5091 (shantikulkarni)
  • #5289: Sort NSEC record case insensitive (Kees Monshouwer)
  • #5378: Make sure NSEC ordernames are always lower case
  • #4781: API: correctly take TTL from first record even if we are at the last comment (Christian Hofstaedtler)
  • #4901: Fix AtomicCounter unit tests on 32-bit
  • #4911: Fix negative port detection for IPv6 addresses on 32-bit
  • #4508: Remove support for ‘right’ timezones, as this code turned out to be broken
  • #4961: Lowercase the TSIG algorithm name in hash computation
  • #5048: Handle exceptions raised by closesocket()
  • #5297: Don’t leak on signing errors during outgoing AXFR; signpipe stumbles over interrupted rrsets; fix memory leak in gmysql backend
  • #5450: TinyCDB backend: Don’t leak a CDB object in case of bogus data


  • #5071: ODBC backend: Allow query logging
  • #5441: Add ED25519 (algo 15) and ED448 (algo 16) support with libdecaf signer (Kees Monshouwer)
  • #5325: YaHTTP: Sync with upstream changes
  • #5298: Send a notification to all slave servers after every dnsupdate (Kees Monshouwer)
  • #5317: Add option to set a global lua-axfr-script value (Kees Monshouwer)
  • #5130: dnsreplay: Add --source-ip and --source-port options
  • #5085: calidns: Use the correct socket family (IPv4 / IPv6)
  • #5170: Add an option to allow AXFR of zones with a different (higher/lower) serial (Kees Monshouwer)
  • #4622: API: Make trailing dot handling consistent with pdnsutil (Tuxis Internet Engineering)
  • #4762: SuffixMatchNode: Fix insertion issue for an existing node
  • #4861: Do not resolve the NS-records for NOTIFY targets if the “only-notify” whitelist is empty, as a target will never match an empty whitelist.
  • #5378: Improve the AXFR DNSSEC freshness check; Ignore NSEC3PARAM metadata in an unsigned zone
  • #5297: Create additional reuseport sockets before dropping privileges; remove transaction in pgpsql backend

Tarball (sig) is available on the downloads website. Packages for Debian Jessie and Stretch, CentOS 6 and 7 and Ubuntu 14.04, 16.04, 16.10 and 17.04 are uploaded to our repositories.