As recently announced, we have finished the great PowerDNS 4.x Spring Cleaning, and it was indeed kind of grand. We consciously set out to fix many things that had been waiting for years to be addressed, and we took the liberty of changing (and breaking) many things that we could not change within 3.x. It was breaking for the better, though.
As noted in our previous post, we are very grateful to our community, users, developers and customers that we were able to devote significant time to cleaning up past mistakes. This is very rare in the world of software. Additionally, as usual, a specific shout-out to Aki Tuomi (these days working for our sister company Dovecot), our certified consultants Kees Monshouwer, Christian Hofstaedtler and Jan-Piet Mens, our independent code contributors Ruben Kerkhof, Ruben d’Arco, Mark Zealey, Pavel Boldin, Mark Schouten and all the others who contributed ideas, code and GitHub issues.
With this message, we bring good news and bad news just in time for our holidays. We promised 4.0 releases of PowerDNS Recursor, PowerDNS Authoritative and even a 1.0 release of dnsdist, in “December 2015”. The bad news is that we did not make it. The good news however is that we do have a set of Technology Preview releases that contain everything that 4.0 will.
In other words: the features are done, but we can’t yet sign off on the quality. However! Since most people won’t be deploying x.0 releases in December anyhow, we felt it was worthwhile to launch the 4.x series now with a strong technology preview. This preview will allow you to test our features, both to see if they work and to see if they actually fit in with your needs. And please do test, since that will speed up the advent of the actual 4.x release date!
In terms of roadmap, we consulted PowerDNS customers, community and developers, and out came a plan for 4.x. A few months into the development, various users and customers suddenly chimed in on absolutely mandatory features we had somehow missed. Because of that, 4.x both under- and overdelivers.
In addition to the huge internal cleanup, here are the visible changes that did make it, per product.
dnsdist 1.0.0:
- Fully-featured load balancer with a number of DNS-relevant load balancing policies. The default policy favours servers with the fewest queries in flight and the fastest response times, which turns out to deliver tangible user experience improvements.
- Comes with a host of rules to block, change, or redirect traffic based on your needs. For example, use dnsdist to implement ‘views’, or what some closed-source resellers of open source have called ‘Advanced DNS Protection’.
- DNSCrypt support, and EDNS Client Subnet insertion so that a backend behind dnsdist still learns which client is asking (across CG-NAT, for example).
- Realtime insights via HTTP/JSON/RESTful API & built-in live graphing website
- For more about this new product, please see http://dnsdist.org/
PowerDNS Authoritative Server 4.0.0:
- GeoIP backend has gained many features, and can now also key on explicit netmasks that are not present in the GeoIP databases.
- Caches are now fully canonically ordered, which means entries can be wiped on suffix in all places
- Old geobackend has been deprecated and is no longer part of PowerDNS
- Newly revived ODBC backend for talking to Microsoft SQL Server & Azure, and with some tweaking, any other ODBC-database we do not support natively.
- The pdnssec tool does far more than DNSSEC, and has thus been renamed to ‘pdnsutil’.
- ECDSA signing is now supported without external dependencies, and a single combined ECDSA signing key is the new default for securing zones.
- Experimental ed25519 signing support based on draft-sury-dnskey-ed25519-03.
PowerDNS Recursor 4.0.0:
- DNSSEC processing: if you ask for DNSSEC records, you will get them.
- DNSSEC validation: if so configured, PowerDNS will attempt to perform DNSSEC validation of your answers
- Completely revamped Lua scripting API that is “DNSName” native (names reach your script as parsed DNSName objects rather than strings) and therefore far less error prone, and likely faster for most commonly used scenarios. Loads and indexes a 1 million domain custom policy list in a few seconds.
- New asynchronous per-domain, per-IP-address query engine. This allows PowerDNS to consult an external service in real time to determine client or domain status; for example, looking up the actual customer identity behind an IP address from a DHCP server (using option 82).
- RPZ (from file, over AXFR or IXFR) support. This loads the largest Spamhaus zone in 5 seconds on our hardware, containing around 2 million instructions.
- All caches can now be wiped on suffixes, because of canonical ordering
- Many many more relevant performance metrics, including upstream authoritative performance measurements (‘is it me or the network that is slow’)
- EDNS Client Subnet support, including cache awareness of subnet-varying answers
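To make the dnsdist bullets above concrete, here is a small dnsdist configuration written as an added example for this post; it is not taken from the announcement or from the dnsdist project, and it assumes the dnsdist 1.0 configuration API (setLocal, setACL, newServer, setServerPolicy, addPoolRule, addDomainBlock, addDomainSpoof, addAnyTCRule, addAction with MaxQPSIPRule and DropAction, webserver). All addresses, netmasks and domain names are placeholders. It ties together the default load balancing policy, a client-netmask ‘view’, a few block/change rules, EDNS Client Subnet insertion and the HTTP/JSON API:

```lua
-- dnsdist.conf (Lua). Added example, not from the post or the dnsdist project.
-- Addresses are RFC 5737 / RFC 1918 placeholders; domain names are hypothetical.

-- Listen for clients, and only accept queries from the ranges we serve.
setLocal("0.0.0.0:53")
setACL({"127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16"})

-- Backends. useClientSubnet=true makes dnsdist add an EDNS Client Subnet
-- option carrying the client's address, so the resolver behind dnsdist
-- still sees who is asking even when dnsdist sits behind NAT.
newServer({address="192.0.2.10", useClientSubnet=true})
newServer({address="192.0.2.11", useClientSubnet=true})
-- A separate pool that backs an internal "view".
newServer({address="10.0.0.53", pool="internal"})

-- Load balancing: pick the backend with the fewest queries in flight,
-- breaking ties on measured latency. leastOutstanding is already the
-- default; it is set explicitly here for clarity.
setServerPolicy(leastOutstanding)

-- "Views": clients from the internal netmask are steered to the internal
-- pool, everyone else stays on the default pool.
addPoolRule({"10.0.0.0/8"}, "internal")

-- Traffic rules: block, change, redirect.
addDomainBlock("blocked.example")               -- queries under this suffix are dropped
addDomainSpoof("captive.example", "192.0.2.1")  -- synthesize an A answer instead of forwarding
addAnyTCRule()                                  -- ANY over UDP gets TC=1: forces TCP, blunts amplification
addAction(MaxQPSIPRule(100), DropAction())      -- per client IP: drop anything above 100 qps

-- Realtime insight: JSON API and live graphs. Keep it on loopback and use a
-- real password; the API exposes query data and counters.
webserver("127.0.0.1:8083", "CHANGE-ME")
```

Rules are evaluated in the order they are added, so the pool rule is placed before the rate limit deliberately: internal clients are still subject to it. The order of the block/spoof rules matters the same way; put the cheapest and most specific ones first.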
More technical details are available in the changelog.
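For the Recursor scripting bullets, the following lua-dns-script is an added example (not from the post or the PowerDNS project) of the DNSName-native API in Recursor 4.0: it assumes newDS, newNMG, newDN, the dq object with qname, qtype, remoteaddr, rcode, variable and addAnswer, the pdns.* constants and pdnslog as they exist in the 4.0 scripting API. The domain names and client range are placeholders:

```lua
-- lua-dns-script for PowerDNS Recursor 4.0. Added example, not from the post.
-- Domain names and the client range below are hypothetical placeholders.

-- Policy data is parsed once, at load time, into indexed structures: a
-- DNSName suffix set (newDS) and a netmask group (newNMG). A one million
-- entry list would be added the same way, e.g. from a file with io.lines().
blocked = newDS()
blocked:add({"malware.example", "tracker.example"})

refused = newNMG()
refused:addMask("192.0.2.0/24")

function preresolve(dq)
  -- dq.remoteaddr is a ComboAddress; match() handles v4/v6 and ignores the port.
  if refused:match(dq.remoteaddr) then
    dq.rcode = pdns.REFUSED
    return true            -- true: this answer is final, no recursion happens
  end

  -- dq.qname is a DNSName, so "Malware.Example." and "malware.example"
  -- hit the same suffix entry. With the old string-based API every script
  -- had to lowercase and strip trailing dots itself, and many got it wrong.
  if blocked:check(dq.qname) then
    if dq.qtype == pdns.A then
      dq:addAnswer(pdns.A, "127.0.0.1")
    elseif dq.qtype == pdns.AAAA then
      dq:addAnswer(pdns.AAAA, "::1")
    end
    -- other types: no records and rcode 0, i.e. a NODATA answer
    dq.variable = true     -- depends on who asked: keep it out of the packet cache
    return true
  end

  return false             -- false: resolve normally
end

-- postresolve runs on answers that came back from the network; here it
-- only logs a subtree so an operator can see the hook firing.
function postresolve(dq)
  if dq.qname:isPartOf(newDN("audit.example")) then
    pdnslog("resolved " .. dq.qname:toString() .. " for " .. dq.remoteaddr:toString())
  end
  return false
end
```

Note that `dq.variable` is what keeps a client-dependent synthesized answer from being served to other clients out of the packet cache; forgetting it is the classic mistake in sinkhole scripts. RPZ zones, by contrast, are not loaded from this script but from the Recursor's lua-config-file (rpzFile and rpzMaster in 4.0), which keeps the hot per-query path in the script above free of policy loading.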
Finally – the big question is of course: when will the actual 4.0.0 releases (and 1.0 for dnsdist) happen. The answer is that all this depends on what you find out during testing. We may be closer or further from the goal. As of now we can’t tell. We will report back to you in January to let you know when we expect to be able to do a release that meets our standards. But the more you test, the sooner this will be!
You can download tarballs:
- pdns-4.0.0-alpha1.tar.bz2 (sig)
- pdns-recursor-4.0.0-alpha1.tar.bz2 (sig)
- dnsdist-1.0.0-alpha1.tar.bz2 (sig)
Packages for several distributions are available from our repositories.
Once again, thank you everyone for working with us on this release. Happy holidays and a splendid new year!