PowerDNS Recursor 4.0.5 Release Candidate 1 released!

Today we are releasing the first release candidate of version 4.0.5 of the PowerDNS Recursor. The most important change is the addition of KSK-2017, the new root key for DNSSEC, which will be used to sign the root starting October 11th 2017 (read more about the keyroll). If you do DNSSEC validation, upgrading is mandatory to continue validating DNSSEC after October 11th 2017! Also on the DNSSEC front, Kees Monshouwer added support for validating ed25519 (algorithm 15) signatures when linked against libsodium. Packages supplied by us have this support enabled.
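A new root trust anchor is usually published as a DS-style record (key tag, algorithm, digest type, digest) and operators compare that against the DNSKEY they actually see in the root zone. The following added example (not PowerDNS code, and not the real KSK-2017 material) shows how those values are derived from a DNSKEY per RFC 4034: the key tag from appendix B and the DS digest over the owner name and RDATA. The DNSKEY used here is a constructed record with a placeholder public key field; substitute the real root DNSKEY to check an actual anchor.

```python
"""Derive a DS-style trust anchor (key tag, algorithm, digest) from a DNSKEY.

Added example, not part of the PowerDNS Recursor. The DNSKEY below is a
small constructed record with a placeholder key field, not the real KSK-2017.
"""
import hashlib
import struct

# Constructed DNSKEY RDATA fields: flags=257 (KSK, SEP bit set), protocol=3,
# algorithm=8 (RSASHA256), followed by a placeholder 4-byte public key field.
SAMPLE_FLAGS = 257
SAMPLE_ALGORITHM = 8
SAMPLE_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])  # constructed, not a real key


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag; valid for every algorithm except the
    obsolete RSA/MD5 (algorithm 1), which uses a different rule."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name; '.' is the root."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest over owner name || DNSKEY RDATA (RFC 4034 section 5.1.4).
    Digest type 1 is SHA-1, type 2 is SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def trust_anchor(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS-style trust anchor describing the given DNSKEY."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type),
    }


def matches_anchor(owner: str, rdata: bytes, anchor: dict) -> bool:
    """True if the observed DNSKEY is the key described by the configured anchor."""
    return trust_anchor(owner, rdata, anchor["digest_type"]) == anchor


if __name__ == "__main__":
    rdata = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    anchor = trust_anchor(".", rdata)
    print(f". IN DS {anchor['key_tag']} {anchor['algorithm']} "
          f"{anchor['digest_type']} {anchor['digest']}")
    # A key that differs in a single byte yields a different key tag and digest.
    other = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_ALGORITHM, bytes([0x01, 0x02, 0x03, 0x05]))
    print("matches:", matches_anchor(".", rdata, anchor), matches_anchor(".", other, anchor))
```

The comparison is done on the full anchor record rather than the key tag alone, because key tags are 16-bit checksums and can collide; the digest is what identifies the key.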

The RPZ module has also seen a steady number of improvements, one is support for RPZ wildcard target names and several stability and performance improvements.

The full changelog looks like this:

Bug fixes

Additions and Enhancements

Tarballs (sig) and packages for different operating systems can be downloaded from the downloads website. The packages are versioned so that users of the 4.0.x repositories can download and install them (using dpkg -i or rpm -U) and when the final release of 4.0.5 is added to the repositories, the package will be upgraded to the version in the repository.

Please test these packages and provide feedback.

PowerDNS Recursor 4.1 Development Plans

Hi everyone,

In this message, we ask you to look at our intended PowerDNS Recursor 4.1 development plan. The 4.0 release train has been very successful and reliable for a major ‘.0’ release and is seeing wide production use, including DNSSEC validation for millions of clients.

However, we have found some things that need improving for the 4.1 release. This is the focus for 4.1: general improvement of quality, rounding out of features, and adding a few specific new features.

We ask you to take a REAL good look at what we intend to do. It is entirely possible that you are running into issues and challenges you are sure we know about already, when we in fact don’t. So if the PowerDNS Recursor is somehow not making you happy, and what ails you is not in the list below, we would LOVE to hear from you!

We are aiming for a June release of Recursor 4.1, but depending on developments this might be earlier or later, and possibly not with all features communicated below. This post is not a roadmap you can rely on. If you need to rely on certain features appearing by a certain time, please head to www.powerdns.com/contactform.html – for commercially supported customers we regularly commit to dates & features.

Already addressed since last 4.0 release, so no need to ask for this:

github.com/PowerDNS/pdns/issues/

  • #4988 – Add `use-incoming-edns-subnet` to process and pass along ECS
  • #4990 – Native SNMP support for Recursor
  • #5058 – Faster RPZ updates
  • #4873 – Ed25519 algorithm support
  • #4972 – 2017 root KSK added
  • #4924 – EDNS Client Subnet tuning & length configuration

All issues scheduled for 4.1 can be viewed on the rec-4.1.0 milestone on GitHub github.com/PowerDNS/pdns/milestone/7

Important highlights:

Improvements:

  • #5077 – DNSSEC validation is in need of a refactor (ongoing)
  • #4000 – And other tickets: more love & performance for RPZ

New features:

  • #5079 – EDNS Client Subnet port number
  • #5076 – RPZ persistency
  • #440 – DNS prefetching
  • #4662 – Continue serving expired cache data if all auths are down

If you want to help, please check out the full milestone listing github.com/PowerDNS/pdns/milestone/7 and see if (your) older issues might have been addressed by now.

Also, if you have an opinion on certain fixes, features or improvements, please add them to the GitHub issues so we learn about your concerns! You can also weigh in on our mailing lists.

Thanks!

PowerDNS Jobs, 4.1 roadmap, DNSSEC research

Hi everyone,

In this post, we want to mention a few things: PowerDNS Jobs, 4.1 plans & some DNSSEC research.

First, PowerDNS is growing rapidly as more and more large scale service providers replace closed DNS systems with PowerDNS, especially for security enhanced DNS and “parental control”. More on this PowerDNS Platform product can be found on the Open-Xchange website and here.

To support this growth, we have two job openings currently. Full details are here, brief descriptions:

Solution Engineer

Daily activities alternate between working on customer issues and actual Professional Services for customer implementations (both on-site and off-site). As Solution Engineer (with a focus on PowerDNS) you will work closely with the PowerDNS development team, as well as with other parts of Open-Xchange and Dovecot development, sales, and Product Management teams from within a European Services team.

We think Support & Implementation is a great step into a promising career. We are specifically looking for employees willing to learn quickly while delivering great support and service, while keeping an eye towards growing within the Global Services department or into different roles in the larger Open-Xchange organisation.

Versatile frontend developer with moderate middleware skills

We are looking for people with one or more of the following skills:

  • Modern web development (key words are AngularJS, JSON, RESTful, D3.js, Backbone and other frameworks that aren’t TOO hip)
  • Django
  • Ability to enhance middleware in Python
  • Ability to propose changes to core C++ code and make small additions
  • Automated UI testing

Full details and how to apply can be found here.

4.1 plans

We have started the process of 4.1 release planning. We have identified a number of areas that need to be addressed, but your input is most welcome. The 4.0 roadmap process was rather successful, but only because users vocally reminded us of what was missing.

So please let us know: what are we simply not talking about that you think is vital for PowerDNS? If we are not doing something, it is probably because we don’t know that you need it! So please let us know whatever you are missing on powerdns-ideas@powerdns.com.

DNSSEC research

We wrote some perhaps interesting stuff on DNSSEC here:
https://ds9a.nl/hypernsec3/

With this technique, we’ve been able to measure the DNSSEC penetration on all top level domains (including co.uk and com.br). The list is here: https://powerdns.org/dnssec-stats/, and here are the top domains:

[Screenshot (2017-02-07): top domains by number of DNSSEC-signed names]

All in all we have found there are around 7.4 million signed DNSSEC domains.

Given what we know of the zones involved (.se, .nl, .de, .be), it looks like the majority of these are signed and mostly served by PowerDNS.


PowerDNS Authoritative Server 4.0.3 released!

Today we’ve released version 4.0.3 of the PowerDNS Authoritative Server. This release fixes an issue when using multiple backends, where one of the backends is the BIND backend. This regression was introduced in version 4.0.2.

This makes the changelog very short:

  • #4905: Revert “In `Bind2Backend::lookup()`, use the `zoneId` when we have it”

Users with multiple backends are encouraged to upgrade.

Tarballs (sig) can be downloaded from the releases page, and the packages in the repositories have been updated.

PowerDNS Authoritative Server 3.4.11 and Recursor 3.7.4 released!

Today, we are releasing version 3.4.11 of the PowerDNS Authoritative Server and version 3.7.4 of the PowerDNS Recursor. These releases fix several security issues that were reported to PowerDNS.

It concerns the following security advisories:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-03: Denial of service via the web server (Authoritative only)
  • 2016-04: Insufficient validation of TSIG signatures (Authoritative only)
  • 2016-05: Crafted zone record can cause a denial of service (Authoritative only)

For those who cannot update, minimal patches are available (2016-02, 2016-03, 2016-04, 2016-05).

A few other issues have been fixed as well, see the Authoritative Server 3.4.11 changelog and the Recursor 3.7.4 changelog.

We urge all users to upgrade to these new versions.

Source tarballs and packages are available on:

PowerDNS Recursor 4.0.4 released!

We are happy to announce the release of the PowerDNS Recursor version 4.0.4. This release fixes 2 security issues and adds several improvements to the DNSSEC validation code.

The following PowerDNS Security Advisories are fixed:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-04: Insufficient validation of TSIG signatures

Minimal patches are available for those unable to fully upgrade (2016-02, 2016-04).

The full changelog is available, highlights include:

  • Check TSIG signature on IXFR (Security Advisory 2016-04)
  • Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • Add `max-recursion-depth` to limit the number of internal recursions
  • Wait until after daemonizing to start the RPZ and protobuf threads
  • On RPZ customPolicy, follow the resulting CNAME
  • Make the negcache forwarded zones aware
  • Cache records for zones that were delegated to from a forwarded zone
  • DNSSEC: don’t go bogus on zero configured DSs
  • DNSSEC: NSEC3 optout and Bogus insecure forward fixes
  • DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones

We recommend all users of the Recursor to upgrade to this version. Tarballs with sources are available (signature).

Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories.

PowerDNS Authoritative Server 4.0.2 released!

We are pleased to announce the release of the PowerDNS Authoritative Server 4.0.2. This release fixes several security issues reported to us in the last few months, as well as a memory leak in the Postgresql backend.

The following security issues were fixed:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-03: Denial of service via the web server
  • 2016-04: Insufficient validation of TSIG signatures
  • 2016-05: Crafted zone record can cause a denial of service

For those who cannot update, minimal patches are available (2016-02, 2016-03, 2016-04, 2016-05).

The full changelog is available, highlights include:

  • Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • Don’t exit if the webserver can’t accept a connection (Security Advisory 2016-03)
  • Check TSIG signature on IXFR (Security Advisory 2016-04)
  • Correctly check unknown record content size (Security Advisory 2016-05)
  • ODBC backend: actually prepare statements
  • Improve root-zone performance
  • Plug memory leak in postgresql backend (Christian Hofstaedtler)
  • calidns: Don’t crash if we don’t have enough ‘unknown’ queries remaining
  • Improve PacketCache cleaning (Kees Monshouwer)
  • Bind backend: update status message on reload, keep the existing zone on failure
  • Fix TSIG for single thread distributor (Kees Monshouwer)
  • Change default for any-to-tcp to yes (Kees Monshouwer)
  • Don’t look up the packet cache for TSIG-enabled queries
  • Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
  • pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)

We highly recommend all users to update to the latest version.

Source tarball (signature) is available and packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories.