Auth 3.3 RC1 released

This is a stability, bugfix and conformity update to 3.2. It improves interoperability with various validators, either through bugfixes or by catering to their needs beyond the specifications.

New features and important changes since 3.2:

  • commit 04576ee, commit b0e15c8: Implement pdnssec increase-serial, thanks Ruben d’Arco.
  • commit cee857b: PowerDNS now sets additional groups while dropping privileges.
  • commit 7796a3b: Merge support for include-dir directive, thanks Aki Tuomi!
  • commit d725755: make pdns-static Conflict with pdns-server, closes ticket 640
  • commit c0d5504: pdnssec now emits ‘INSERT INTO domain ..’ queries when running without named.conf
  • commit a1d6b0c: Older versions of the BIND 9 validating recursor need a superfluous NSEC3 record on positive wildcard responses. We now send this extra NSEC3. Closes ticket 814.
  • commit 07bf35d: catch a lot more errors in pdnssec and report them. Fixes ticket 588.
  • commit 032e390: make pdnssec exit with 1 on some error conditions, closes ticket 677
  • commit 4af49b8, commit 4cec6ac: add ability to create an ‘active’ or inactive key using add-zone-key and import-zone-key, plus silenced some debugging. Fixes ticket 707.
  • commit fae4167: Compiling against Lua 5.2 (--with-lua=lua5.2) now disables some code used for regression testing, instead of breaking during compile. This means that Lua 5.2 can be used in production.
  • commit abc8f3f, commit 357f6a7: Implement the new any-to-tcp option that, when set, always replies with a truncated response (TC=1) to ANY queries, forcing them to use TCP.
  • commit 496073b: Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK and two ZSK, with one ZSK active. For most, if not almost all, users, this inactive ZSK is never used. We now no longer generate this useless ZSK. The resulting smaller DNSKEY RRset improves interoperability with certain validators. Closes ticket 824.
  • commit df55450: Non-DNSSEC ANY queries no longer get sent DNSSEC records. This improves interoperability with some old resolvers. Patch by Kees Monshouwer.
  • commit 04b4bf6: Merge support for not using opt-out with NSEC3. Many thanks to Kees Monshouwer.
  • commit 8db49a6: We now try not to NOTIFY ourselves. In convoluted cases involving REUSE_PORT and binding to 0.0.0.0 and ::, it might be possible that we guess wrong, in which case you can set prevent-self-notification to off.
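
The any-to-tcp behaviour listed above, sketched at the wire level as an added example (not PowerDNS code): a UDP ANY query gets back a header-only reply with TC=1 and the question echoed, which makes the client retry over TCP. The function names, the constructed sample query and the choice to copy only the ID, opcode and RD bit into the reply are assumptions of this sketch.

```python
import struct

QTYPE_ANY = 255
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
OPCODE_MASK = 0x7800


def question_end(packet):
    """Return (qtype, offset just past the question) for a one-question query."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("need a full header and exactly one question")
    off = 12
    while True:
        if off >= len(packet):
            raise ValueError("qname runs past end of packet")
        length = packet[off]
        off += 1
        if length == 0:          # root label terminates the qname
            break
        if length > 63:          # this sketch rejects pointers/extended labels
            raise ValueError("unexpected label type in question")
        off += length
    if off + 4 > len(packet):
        raise ValueError("question truncated")
    return struct.unpack("!H", packet[off:off + 2])[0], off + 4


def any_to_tcp(packet, over_tcp):
    """Return a TC=1 reply for a UDP ANY query, or None to answer normally."""
    qtype, qend = question_end(packet)
    if over_tcp or qtype != QTYPE_ANY:
        return None
    qid, flags = struct.unpack("!HH", packet[:4])
    # Response bit and TC set; opcode and RD copied; RCODE 0; no records.
    rflags = FLAG_QR | FLAG_TC | (flags & (OPCODE_MASK | FLAG_RD))
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + packet[12:qend]


def build_query(qid, name, qtype):
    """Construct a sample query (constructed test input, class IN, RD set)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return (struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", qtype, 1))
```
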

 

Important bug fixes:

  • commit 63e365d: don’t mess up encoding when copying qname from question to answer in packetcache. Based on reports & debugging by Jimmy Bergman (sigint), Daniel Norman (Loopia) and the fine people at ISC. This avoids most issues related to BIND 9 erroneously blacklisting PowerDNS for lack of EDNS support.
  • commit 3526186: fix backslash handling in TXT parser, includes test. Thanks Jan-Piet Mens.
  • commit 830281f, commit aef7330: Accept chars >127 (‘high ASCII’) in TXT records, closing ticket 541 and 723.
  • commit feef1ec: fix missing NSEC3 for secure delegation, thanks Kees Monshouwer, closes ticket 682
  • commit b61e407: around Thursday midnight, during signature rollovers, we would update the SOA serial too early. Fixed by reverting commit d90efbf, adding 7 days margin to inception. Fix by Kees Monshouwer.
  • commit ff64750: make sure mixed-case queries get a correct apex NSEC3 type bitmap
  • commit 4b153d8: always lowercase next name in NSEC to avoid interop troubles with validators, thanks Marco Davids & Matthijs Mekking.

 

Other changes:
