![[Warning]](https://static.hsstatic.net/BlogImporterAssetsUI/ex/missing-image.png) |
Warning |
|---|---|
| Version 3.4.0 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to Section 6, “From PowerDNS Authoritative Server 3.3.1 to 3.4.0” and any relevant sections before it, before deploying this version. |
|
Note |
|---|---|
| RC1 released August 1st, 2014
Downloads: |
This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.
A list of changes since 3.3.1 follows.
DNSSEC changes:
- commit bba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures.
- commit 28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option.
- commit b50efd6: drop the ‘superfluous NSEC3’ option that old BIND validators need.
- The bindbackend ‘hybrid’ mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid.
- Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM.
- Direct RRSIG queries now return NOTIMP.
- commit fa37777: add secure-all-zones command to pdnssec
- Unrectified zones can now get rectified ‘on the fly’ during outgoing AXFR. This makes it possible to run a hidden signing master without rectification.
- commit 82fb538: AXFR in: don’t accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
- Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
- commit 0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage.
- commit b8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys.
- commit 52e0d78: answer direct NSEC queries without DO bit
- commit ca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled
- commit 83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
- commit ac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations
- commit ff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations
New features:
- DNAME support. Enable with experimental-dname-processing.
- PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval.
- commit 767da1a: Add list-zone capability to pdns_control
- commit 51f6bca: Add delete-zone to pdnssec.
- The gsql backends now support record comments, and disabling records.
- The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements.
- local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind.
- ‘AXFR-SOURCE’ in domainmetadata sets the source address for an AXFR retrieval.
- commit 451ba51: Implement pdnssec get-meta/set-meta
- Experimental RFC2136/DNS UPDATE support from Ruben d’Arco, with extensive testing by Kees Monshouwer.
- pdns_control bind-add-zone
- New option bind-ignore-broken-records ignores out-of-zone records while loading zone files.
- pdnssec now has commands for TSIG key management.
- We now support other algorithms than MD5 for TSIG.
- commit ba7244a: implement pdns_control qtypes
- Support for += syntax for options
Bugfixes:
- We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes.
- commit ff99a74: making *-threads settings empty now yields a default of one instead of zero.
- commit 9215e60: we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging!
- commit 9245fd9: don’t addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone
- commit 719f902: fix dual-stack superslave when multiple namservers share a ip
- commit 33966bf: avoid address truncation in doNotifications
- commit eac85b1: prevent duplicate slave notications caused by different ipv6 address formatting
- commit 3c8a711: make notification queue ipv6 compatible
- commit 0c13e45: make isMaster ip check more tolerant for different ipv6 notations
- Various fixes for possible issues reported by Coverity Scan (commit f17c93b, )
- commit 9083987: don’t rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
- Various users reported pdns_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone.
- Decreasing the webserver ringbuffer size could cause crashes.
- commit 4c89cce: nproxy: Add missing chdir(“/”) after chroot()
- commit 016a0ab: actually notice timeout during AXFR retrieve, thanks hkraal
REST API changes:
- The REST API was much improved and is nearing stability, thanks to Christian Hofstaedtler and others.
- Mark Schouten at Tuxis contributed a zone importer.
Other changes:
- Our tarballs and packages now include *.sql schema files for the SQL backends.
- The webserver (including API) now has an ACL (webserver-allow-from).
- Webserver (including API) is now powered by YaHTTP.
- Various autotools usage improvements from Ruben Kerkhof.
- The dist tarball is now bzip2-compressed instead of gzip.
- Various remotebackend updates, including replacing curl with (included) yahttp.
- Dynamic module loading is now allowed on Mac OS X.
- The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world.
- commit ba91c2f: remove unused gpgsql-socket option and document postgres socket usage
- Improved support for Lua 5.2.
- The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed.
- geobackend now has very limited edns-subnet support – it will use the ‘real’ remote if available.
- pipebackend ABI v4 adds the zone name to the AXFR command.
- We now avoid getaddrinfo() as much as possible.
- The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion.
- commit ff5ba4f: pdns_server –help no longer exits with 1.
- Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both!
- commit 81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes ticket 844.
- RCodes are now reported in text in various places, thanks Aki.
- Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them.
- Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi.
- Bundled PolarSSL has been upgraded to 1.3.2
- PolarSSL replaced previously bundled implementations of AES (commit e22d9b4) and SHA (commit 9101035)
- bindbackend is now a module
- commit 14a2e52: Use the inet data type for supermasters.ip on postgrsql.
- We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain.
- commit 3613a51: Show built-in features in –version output
- commit 4bd7d35: make domainmetadata queries case insensitive
- commit 088c334: output warning message when no to be notified NS’s are found
- commit 5631b44: gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
- commit d87ded3: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size – no matter what EDNS0 said. Plus document it.
- Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size – no matter what EDNS0 said.
- On shutdown, PowerDNS now attempts to stop all processes in its process group, especially useful for pipe/remotebackend users. Feature donated by Spotify.
- Removed settings related to fancy records, as we haven’t supported those since version 3.0
- Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in commit 801812e and commit 8403ade.
