Authoritative Server 3.4.0 Release Candidate 1

Aug 1, 2014
[Warning] Warning
Version 3.4.0 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to Section 6, “From PowerDNS Authoritative Server 3.3.1 to 3.4.0” and any relevant sections before it, before deploying this version.

This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.

A list of changes since 3.3.1 follows.

DNSSEC changes:

  • commit bba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures.
  • commit 28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option.
  • commit b50efd6: drop the ‘superfluous NSEC3’ option that old BIND validators need.
  • The bindbackend ‘hybrid’ mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid.
  • Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM.
  • Direct RRSIG queries now return NOTIMP.
  • commit fa37777: add secure-all-zones command to pdnssec
  • Unrectified zones can now get rectified ‘on the fly’ during outgoing AXFR. This makes it possible to run a hidden signing master without rectification.
  • commit 82fb538: AXFR in: don’t accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
  • Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
  • commit 0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage.
  • commit b8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys.
  • commit 52e0d78: answer direct NSEC queries without DO bit
  • commit ca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled
  • commit 83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
  • commit ac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations
  • commit ff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations

New features:

  • DNAME support. Enable with experimental-dname-processing.
  • PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval.
  • commit 767da1a: Add list-zone capability to pdns_control
  • commit 51f6bca: Add delete-zone to pdnssec.
  • The gsql backends now support record comments, and disabling records.
  • The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements.
  • local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind.
  • ‘AXFR-SOURCE’ in domainmetadata sets the source address for an AXFR retrieval.
  • commit 451ba51: Implement pdnssec get-meta/set-meta
  • Experimental RFC2136/DNS UPDATE support from Ruben d’Arco, with extensive testing by Kees Monshouwer.
  • pdns_control bind-add-zone
  • New option bind-ignore-broken-records ignores out-of-zone records while loading zone files.
  • pdnssec now has commands for TSIG key management.
  • We now support other algorithms than MD5 for TSIG.
  • commit ba7244a: implement pdns_control qtypes
  • Support for += syntax for options

Bugfixes:

  • We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes.
  • commit ff99a74: making *-threads settings empty now yields a default of one instead of zero.
  • commit 9215e60: we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging!
  • commit 9245fd9: don’t addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone
  • commit 719f902: fix dual-stack superslave when multiple namservers share a ip
  • commit 33966bf: avoid address truncation in doNotifications
  • commit eac85b1: prevent duplicate slave notications caused by different ipv6 address formatting
  • commit 3c8a711: make notification queue ipv6 compatible
  • commit 0c13e45: make isMaster ip check more tolerant for different ipv6 notations
  • Various fixes for possible issues reported by Coverity Scan (commit f17c93b, )
  • commit 9083987: don’t rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
  • Various users reported pdns_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone.
  • Decreasing the webserver ringbuffer size could cause crashes.
  • commit 4c89cce: nproxy: Add missing chdir(“/”) after chroot()
  • commit 016a0ab: actually notice timeout during AXFR retrieve, thanks hkraal

REST API changes:

  • The REST API was much improved and is nearing stability, thanks to Christian Hofstaedtler and others.
  • Mark Schouten at Tuxis contributed a zone importer.

Other changes:

  • Our tarballs and packages now include *.sql schema files for the SQL backends.
  • The webserver (including API) now has an ACL (webserver-allow-from).
  • Webserver (including API) is now powered by YaHTTP.
  • Various autotools usage improvements from Ruben Kerkhof.
  • The dist tarball is now bzip2-compressed instead of gzip.
  • Various remotebackend updates, including replacing curl with (included) yahttp.
  • Dynamic module loading is now allowed on Mac OS X.
  • The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world.
  • commit ba91c2f: remove unused gpgsql-socket option and document postgres socket usage
  • Improved support for Lua 5.2.
  • The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed.
  • geobackend now has very limited edns-subnet support – it will use the ‘real’ remote if available.
  • pipebackend ABI v4 adds the zone name to the AXFR command.
  • We now avoid getaddrinfo() as much as possible.
  • The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion.
  • commit ff5ba4f: pdns_server –help no longer exits with 1.
  • Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both!
  • commit 81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes ticket 844.
  • RCodes are now reported in text in various places, thanks Aki.
  • Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them.
  • Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi.
  • Bundled PolarSSL has been upgraded to 1.3.2
  • PolarSSL replaced previously bundled implementations of AES (commit e22d9b4) and SHA (commit 9101035)
  • bindbackend is now a module
  • commit 14a2e52: Use the inet data type for supermasters.ip on postgrsql.
  • We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain.
  • commit 3613a51: Show built-in features in –version output
  • commit 4bd7d35: make domainmetadata queries case insensitive
  • commit 088c334: output warning message when no to be notified NS’s are found
  • commit 5631b44: gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
  • commit d87ded3: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size – no matter what EDNS0 said. Plus document it.
  • Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size – no matter what EDNS0 said.
  • On shutdown, PowerDNS now attempts to stop all processes in its process group, especially useful for pipe/remotebackend users. Feature donated by Spotify.
  • Removed settings related to fancy records, as we haven’t supported those since version 3.0
  • Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in commit 801812e and commit 8403ade.

About the author

Peter van Dijk

Peter van Dijk

Senior Developer at PowerDNS

Related Articles

PowerDNS Recursor 5.1.0-beta1 Released

We are proud to announce the first beta release of PowerDNS Recursor 5.1.0!

Otto Moerbeek Jun 6, 2024

PowerDNS Recursor 5.0.6 Released

Today we have released PowerDNS Recursor 5.0.6. This release is a maintenance release. The most important change is that the...

Otto Moerbeek Jun 5, 2024

PowerDNS Authoritative Server 4.9.1

This is release 4.9.1 of the Authoritative Server. It contains a collection of small fixes. A detailed list of changes can...

Peter van Dijk May 28, 2024

PowerDNS Recursor 5.1.0-alpha1 Released

We are proud to announce the first alpha release of PowerDNS Recursor 5.1.0!

Otto Moerbeek May 15, 2024