This is a stability, bugfix and conformity update to 3.2. It improves interoperability with various validators, either through bugfixes or by catering to their needs beyond the specifications.
Changes between RC2 and final:
- pdnssec rectify-zone now refuses to operate on presigned zones, as rectification already happens during incoming transfer. Patch by Kees Monshouwer in commit 9bd211e.
- We now handle zones with a mix of NSEC3 opt-out and non-opt-out ranges correctly during inbound and outbound AXFR. Many thanks to Kees Monshouwer. Code in commit 5aa7003 and commit d3e7b17.
- More remotebackend fixes (commit 32d4f44, commit 44c2ee8, commit 1fcc7b7, commit 0b1a3b2, commit 9a319b1), thanks Aki Tuomi.
- Some compiler warnings were squashed (commit ed554db), thanks Morten Stevens.
- Fix broken memory access in LOC parser (commit 4eec51b, commit bea513c), thanks Aki Tuomi.
- DNSSEC: DS queries at the apex of a zone for which we are not hosting the parent, would wrongly get an ‘unauth NOERROR’. Fixed by Kees Monshouwer in commit 34479a6.
Changes between RC1 and RC2:
- Added dnstcpbench tool, by popular demand.
- We always shipped a static tools RPM; we now have a similar Debian package. All packages have been cleaned up a bit, and the binary collections are now consistent between RPM and Deb. New: pass --enable-tools to configure to have the tools included in ‘make all’ and ‘make install’.
- commit 4d2e3f5: add selinux policy files
- We would sometimes send a single NULL byte, or nothing at all, instead of an OPT record. Fixed in commit bf7f822, commit 063076b, commit 90d361d.
- commit 2ee9ba2: expand any-to-tcp to direct RRSIG queries
- commit 5fff084, commit e38ef51: drop no-op flag strict-rfc-axfrs, thanks Jelte Jansen.
- commit f3d8902, commit 7c0b859, commit 5eea730: Implement MINFO qtype for better interaction when slaving zones from NSD (that contain MINFO). Thanks to Jelte Jansen.
- commit 8655a42, commit bf79c6a, commit 38c941b: SRV record can have a ‘.’ as final field, from which we would dutifully strip the trailing ., leaving void, confusing everything. We now remove the trailing . in the right place, and not if we are trying to serve ‘.’. Again thanks to Jelte & SIDN for catching this.
- commit 70d5a66: improve error message in ill formed unknown record type, thanks Jelte Jansen for reporting.
- commit 3640473: Built in webserver can now listen on IPv6, fixes ticket 843. Also silences some useless messages about timeouts.
- commit 7db735c, commit d72166c: CHANGES BEHAVIOUR: before we launch, check if we can connect to the controlsocket we are about to obliterate. If it works, abort. Fixes ticket 841 and changes standing behaviour. There might be circumstances where PowerDNS now refuses to start, where it previously would. However, starting and making our previous instance mute wasn’t good.
- commit 9130f9e: correctly refuse out-of-zone data in bindbackend, closes ticket 845
- commit 3363ef7: initialise server-id after all parsing is done, instead of half way through. Fixes situations where server-id was emptied explicitly. Reported by Wouter de Jong
- commit cd4f253: bump boost requirement, thanks Wouter de Jong
- commit 58cad74: Update pdns auth init script so it works on wheezy
- commit 8714c9c: clang fixes by Aki Tuomi, thanks!
- commit 146601d: stretch supermasters.ip for IPv6, thanks Dennis Krul
- commit 1a5c5f9: various remotebackend improvements by Aki Tuomi
- commit 6ab1a11: make sure systemd starts PowerDNS after relevant databases have been started, thanks Morten Stevens.
- commit 606018f, commit ee5e175, commit c76f6f4: check scopeMask of answer packet, not of query packet!
- commit 2b18bcf: Added warning if trailing dot is used, thanks Aki Tuomi.
- commit 16cf913: make superfluous ‘bind’ NSEC3 record optional
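The SRV trailing-dot problem fixed in commit 8655a42 (and the two follow-up commits), shown as an added example; this is illustrative Python, not PowerDNS code. It parses SRV rdata in presentation format, contrasts the old "always strip the final dot" behaviour with the fixed one, and serialises the record back without turning a root target into "..". The SRVRecord type and helper names are assumptions made for this example.

```python
# Added example (not PowerDNS code): SRV target handling before and after
# the RC2 fix. In presentation format a fully qualified target ends in ".",
# and the bare target "." (RFC 2782: service decidedly not available) is a
# complete name of its own. Stripping its dot must not yield "".
from dataclasses import dataclass


@dataclass
class SRVRecord:
    priority: int
    weight: int
    port: int
    target: str  # stored without the trailing dot; the root stays "."


def strip_trailing_dot_buggy(name: str) -> str:
    """Pre-fix behaviour: drop any final '.', so '.' collapses to ''."""
    return name[:-1] if name.endswith(".") else name


def strip_trailing_dot(name: str) -> str:
    """Fixed behaviour: only strip the dot when a label precedes it."""
    if name == ".":
        return name
    return name[:-1] if name.endswith(".") else name


def parse_srv(content: str, fixed: bool = True) -> SRVRecord:
    """Parse 'priority weight port target'; raise on malformed input."""
    fields = content.split()
    if len(fields) != 4:
        raise ValueError(f"SRV needs 4 fields, got {len(fields)}: {content!r}")
    priority, weight, port = (int(f) for f in fields[:3])
    for value in (priority, weight, port):
        if not 0 <= value <= 65535:
            raise ValueError("SRV numeric fields must fit in 16 bits")
    strip = strip_trailing_dot if fixed else strip_trailing_dot_buggy
    target = strip(fields[3])
    if not target:
        # This is exactly the 'leaving void' failure the changelog describes.
        raise ValueError("empty SRV target after trailing-dot handling")
    return SRVRecord(priority, weight, port, target)


def to_presentation(rec: SRVRecord) -> str:
    """Serialise back; a root target is already '.', so add no second dot."""
    target = rec.target if rec.target == "." else rec.target + "."
    return f"{rec.priority} {rec.weight} {rec.port} {target}"
```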
New features and important changes since 3.2 (these changes are in RC1 and up):
- commit 04576ee, commit b0e15c8: Implement pdnssec increase-serial, thanks Ruben d’Arco.
- commit cee857b: PowerDNS now sets additional groups while dropping privileges.
- commit 7796a3b: Merge support for include-dir directive, thanks Aki Tuomi!
- commit d725755: make pdns-static Conflict with pdns-server, closes ticket 640
- commit c0d5504: pdnssec now emits ‘INSERT INTO domain ..’ queries when running without named.conf, thanks Ruben d’Arco.
- commit a1d6b0c: Older versions of the BIND 9 validating recursor need a superfluous NSEC3 record on positive wildcard responses. We now send this extra NSEC3. Closes ticket 814.
- commit 07bf35d: catch a lot more errors in pdnssec and report them. Fixes ticket 588.
- commit 032e390: make pdnssec exit with 1 on some error conditions, closes ticket 677
- commit 4af49b8, commit 4cec6ac: add ability to create an ‘active’ or inactive key using add-zone-key and import-zone-key, plus silenced some debugging. Fixes ticket 707.
- commit fae4167: Compiling against Lua 5.2 (--with-lua=lua5.2) now disables some code used for regression testing, instead of breaking during compile. This means that Lua 5.2 can be used in production.
- commit abc8f3f, 357f6a7: Implement the new any-to-tcp option that, when set, always replies with a truncated response (TC=1) to ANY queries, forcing them to use TCP.
- commit 496073b: Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK and two ZSK, with one ZSK active. For most, if not almost all, users, this inactive ZSK is never used. We now no longer generate this useless ZSK. The resulting smaller DNSKEY RRset improves interoperability with certain validators. Closes ticket 824.
- commit df55450: Non-DNSSEC ANY queries no longer get sent DNSSEC records. This improves interoperability with some old resolvers. Patch by Kees Monshouwer.
- commit 04b4bf6: Merge support for not using opt-out with NSEC3. Many thanks to Kees Monshouwer.
- commit 8db49a6: We now try not to NOTIFY ourselves. In convoluted cases involving REUSE_PORT and binding to 0.0.0.0 and ::, it might be possible that we guess wrong, in which case you can set prevent-self-notification to off.
Important bug fixes:
- commit 63e365d: don’t mess up encoding when copying qname from question to answer in packetcache. Based on reports & debugging by Jimmy Bergman (sigint), Daniel Norman (Loopia) and the fine people at ISC. This avoids most issues related to BIND 9 erroneously blacklisting PowerDNS for lack of EDNS support.
- commit 3526186: fix backslash handling in TXT parser, includes test. Thanks Jan-Piet Mens.
- commit 830281f, aef7330: Accept chars >127 (‘high ASCII’) in TXT records, closing ticket 541 and 723.
- commit feef1ec: fix missing NSEC3 for secure delegation, thanks Kees Monshouwer, closes ticket 682
- commit b61e407: around Thursday midnight, during signature rollovers, we would update the SOA serial too early. Fixed by reverting commit d90efbf, adding 7 days margin to inception. Fix by Kees Monshouwer.
- commit ff64750: make sure mixed-case queries get a correct apex NSEC3 type bitmap
- commit 4b153d8: always lowercase next name in NSEC to avoid interop troubles with validators, thanks Marco Davids & Matthijs Mekking.
Other changes:
- commit 49977c6: fix bug in boost.m4 where it insists on setting -L, causing useless RPATH in our binaries. Closes ticket 728
- commit 62ac758: use PolarSSL for MD5 hashing instead of shipping our own copy of md5 hashing code, thanks Aki Tuomi.
- commit 775acd9: give a better error on trying to add nsec3 parameters to a weird zone like “1 0 1 ab” (which indicates that you forgot to specify a zone name on the command line). Fixes ticket 800.
- commit 315dd2e: Simplify socket listening code, and make sure we always set the nonblocking flag correctly. Patch by Mark Zealey, closes ticket 664.
- commit b35da1b: if_ether.h is in netinet/ not net/ on OpenBSD, thanks Florian Obser.
- commit 71301b6: Replicate gsql backend feature of having separate -auth queries for DNSSEC into oraclebackend. Also lets you disable dnssec if you are not ready for it. Closes ticket 527, patch by Aki Tuomi.
- commit 2125dac: drop unused ignore-rd-bit flag
- commit 8c1a6d6: NSECx optimizations, thanks Kees Monshouwer.
- commit 664716a: drop unused variables in lua backend (ticket 653)
- commit d8ec70f: fix db2 backend includes (ticket 653)
- commit 6477102: add goracle schema, thanks Aki Tuomi.
- commit 9118638: make goraclebackend “at least work”, closes ticket 729, thanks Aki Tuomi.
- commit e0ad7bb: add DS digest type 4 to show-zone output; add algorithm names. Based on a patch by Aki Tuomi, closes ticket 744
- commit 61a7fac: enable AM_SILENT_RULES, closing ticket 647
- commit 837f4b4: do a better job at escaping TXT, fixes ticket 795
- commit 6ca3fa7: add SOA-EDIT INCEPTION-INCREMENT mode, thanks stbuehler
- commit 6159c49: Add connection info to sql-connect message
- commit 9f62e34, commit 0fc965f, commit 2035112: Added EUI48 and EUI64 record types
- commit f9cf6d9: cut the number of database queries in half for AXFR-in, thanks Kees Monshouwer.
- commit c87f987: add default for SOA contact e-mail
- commit bb4a573: move random backend to modules, thanks Kees Monshouwer.
- commit 1071abd: restyle builtin webserver page, thanks Christian Hofstaedtler.
- commit cd5e158: correct bogus use of poll(2) related constants, improving non-Linux portability. Thanks Wouter de Jong.
- commit 27ff60a: make sure our NSEC(3)s for names with spaces in them are correct. Reported by Jimmy Bergman. Includes test.
- commit 116e28a: reduce log level of successful gpgsql/gsqlite3 connection to Info
- commit b23b90a: Metadata update is now in the same transaction as the AXFR. This improves slaving speed tremendously, especially for SQLite users. Patch by Kees Monshouwer.
- commit 4620e8a: Added zone2json, thanks Aki Tuomi.
- commit f0fa8b6: Fix remotebackend setdomainmetadata return value handling. Fix by Aki Tuomi, closes ticket 740.
- commit 80e82d6: log control listener abort even more explicitly.
- commit 7c0cb15, a718d74: support automake 1.12
- commit 3fe22eb, 6707cb1: update autoconf/automake preamble to non-deprecated variant, thanks Morten Stevens
- commit 6c4e531: disarm dead code that causes gcc crashes on ARM, thanks Morten Stevens.
- commit 36855b5: if we failed to make a new UDP socket, we’d report a confusing error about it.
- commit 1b8e5e6: autoconf support for oracle, thanks Aki Tuomi. Closes ticket 726.
- commit 8ac0c06: allow setting of some oracle env vars. Patch by Aki Tuomi, closes ticket 725.
- commit 45e845b: add example.rb sample script for remotebackend, thanks Aki Tuomi.
- commit 950bddd: add pdnssec generate-zone-key command, thanks Aki. Closes ticket 711.
- commit 2c03cde: Replace select with waitForData in remotebackend. Patch by Aki Tuomi, closes ticket 715.
- commit 450292c: accept ANY responses during recursive forwarding, thanks Jan-Piet Mens.
- commit d9dd76b: actually clean up unix domain sockets too after use.
- commit 36758d2: merge ticket 476 by Aki Tuomi, providing default-ksk/zsk-algorithms/size configuration parameters for pdnssec.
- commit 2f2b014: apply variant of code in ticket 714 so we can launch pipe backend scripts with parameters, plus add experimental code that if pipe-command is a unix domain socket, we use that.
- commit 9566683: merge patch from ticket 712 addressing memory leak in remotebackend, thanks Aki.
- commit fb6ed6f: explicitly set domain id during bindbackend superslave domain create, thanks Kees Monshouwer & Aki Tuomi.
- commit 69bae20: use private temp dir when running under systemd, thanks Morten Stevens & Ruben Kerkhof.
- commit b26a48a: fix rapidjson usage in remotebackend, patch by Aki Tuomi. Closes ticket 697.
- commit da8e6ae: also answer questions with : in them.
- commit ef1c4bf: also spot trailing dots on CNAME content, thanks Jan-Piet Mens and Ruben d’Arco.
- commit fb31631: only setCloseOnExec on valid sockets