Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.
Released February 3rd, 2015
Find the downloads on our download page.
This is a performance and bugfix update to 3.4.1 and any earlier version. For high traffic setups, including those using DNSSEC, upgrading to 3.4.2 may show tremendous performance increases. Please let us know!
We would like to thank Patrik Wallström of IIS, Kees Monshouwer and Fredrik Eriksson of Loopia for working with us on solving several issues that only became apparent on a 750000 domain (!) DNSSEC installation, the last of which we could eventually trace to memory fragmentation in the secure allocator of our cryptography library. This bug chase, which lasted for over a month, led to numerous other improvements, like better statistical metrics for plotting (actual CPU usage, uptime, key cache size, signatures/s) and the ‘sharding’ of our internal caches to better support multi-CPU operations.
A list of changes since 3.4.1 follows:
- commit 73004f1: implement CORS for the HTTP API
- commit 4d9c289: qtype is now case insensitive in API and database
- commit 13af5d8, commit 223373a, commit 1d5a68d, commit 705a73f, commit b418d52: Allow (optional) PIE hardening
- commit 2f86f20: json-api: remove priority from json
- commit cefcf9f: backport remotebackend fixes
- commit 920f987, commit dd8853c: Support Lua 5.3
- commit 003aae5: support single-type ZSK signing
- commit 1c57e1d: Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to load before we chroot. I can’t reproduce the bug on my local system, but this “should” help.
- commit 031ab21: update polarssl to 1.3.9
- commit 60b2b7c, commit d962fbc: refuse overly long labels in names
- commit a64fd6a: auth: limit long version strings to 63 characters and catch exceptions in secpoll
- commit fa52e02: pdnssec: fix ttl check for RRSIG records
- commit 0678b25: fix up latency reporting for sub-millisecond latencies (would clip to 0)
- commit d45c1f1: make sure we don’t throw an exception on “pdns_control show” of an unknown variable
- commit 63c8088: fix startup race condition with carbon thread already trying to broadcast uninitialized data
- commit 796321c: make qsize-q more robust
- commit 407867c: Kees Monshouwer discovered we count corrupt packets and EAGAIN situations as validly received packets, skewing the udp questions/answers graphs on auth.
- commit f06d069: make latency & qsize reporting ‘live’. Plus fix that we only reported the qsize of the first distributor.
- commit 2f3498e: fix up statbag for carbon protocol and function pointers
- commit 0f2f999: get priority from table in Lua axfrfilter; fixes ticket #1857
- commit 96963e2, commit bbcbbbe, commit d5c9c07: various backends: fix records pointing at root
- commit e94c2c4: remove additional layer of trailing . stripping, which broke MX records to the root in the BIND backend. Should close ticket #1243.
- commit 8f35ba2: api: use uncached results for getKeys()
- commit c574336: read ALLOW-AXFR-FROM from the backend with the metadata
- commit 1e39b4c: move manpages to section 1
- commit b3992d9: secpoll: Replace ~ with _
- commit 9799ef5: only zones with an active ksk are secure
- commit d02744f: api: show keys for zones without active ksk
- commit 1b97ba0: add signatures metric to auth, so we can plot signatures/second
- commit 92cef2d: pdns_control: make it posible to notify all zones at once
- commit f648752: JSON API: provide flush-cache, notify, axfr-receive
- commit 02653a7: add ‘bench-db’ to do very simple database backend performance benchmark
- commit a83257a: enable callback based metrics to statbas, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size
- commit a37fe8c: better key for packetcache
- commit e5217bb: don’t do time(0) under signature cache lock
- commit d061045, commit 135db51, commit 7d0f392: shard the packet cache, closing ticket #1910.
- commit d71a712: with thanks to Jack Lloyd, this works around the default Botan allocator slowing down for us during production use.