Skip to content

PowerDNS Recursor 4.0.0 released!

Jul 11, 2016 6:00:00 AM

We are pleased to announce the availability of the PowerDNS Recursor 4.0.0. As announced, the Recursor was part of the great PowerDNS 4.x Spring Cleaning. And it was indeed kind of grand. More about the 4.0.0 release process can be found here.

We changed many things internally to the nameserver:

  • Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
  • Implemented dedicated infrastructure for dealing with DNS names that is fully “DNS Native” and needs less escaping and unescaping.
  • Switched to binary storage of DNS records in all places.
  • Moved ACLs to a dedicated Netmask Tree.
  • Implemented a version of RCU for configuration changes
  • Instrumented our use of the memory allocator, reduced number of malloc calls substantially.
  • The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface. See the examples:

Due to these changes, PowerDNS Recursor 4.0.0 is almost an order of magnitude faster than the 3.7 branch.

  • DNSSEC processing: if you ask for DNSSEC records, you will get them.
  • DNSSEC validation: if so configured, PowerDNS perform DNSSEC validation of your answers.
  • Completely revamped Lua scripting API that is “DNSName” native and therefore far less error prone, and likely faster for most commonly used scenarios. Loads and indexes a 1 million domain custom policy list in a few seconds.
  • New asynchronous per-domain, per-ip address, query engine. This allows PowerDNS to consult an external service in realtime to determine client or domain status. This could for example mean looking up actual customer identity from a DHCP server based on IP address (option 82 for example).
  • RPZ (from file, over AXFR or IXFR) support. This loads the largest Spamhaus zone in 5 seconds on our hardware, containing around 2 million instructions.
  • All caches can now be wiped on suffixes, because of canonical ordering.
  • Many, many more relevant performance metrics, including upstream authoritative performance measurements (‘is it me or the network that is slow’).
  • EDNS Client Subnet support, including cache awareness of subnet-varying answers.

DNSSEC

As stated in the features section above, the PowerDNS Recursor now has DNSSEC processing and experimental DNSSEC validation support.

DNSSEC processing means the nameserver will return RRSIG records when requested to do so by the client (by means of the DO-bit) and will always retrieve the RRSIGs even if the client does not ask for. It will perform validation and set the AD-bit in the response if the client requests validation.

In fullblown DNSSEC-mode, the PowerDNS Recursor will validate the answers and set the AD-bit in validated answers if the client requests it and will SERVFAIL on bogus answers to all clients.

The DNSSEC support is marked experimental, but functional at the moment, as it has 2 limitations:

  • Negative answers validated but the NSEC(3) proof is not fully checked.
  • Zones that have a CNAME at the apex (which is ‘wrong’ anyway) validate as Bogus.

If you run with DNSSEC enabled and notice broken domains, do file an issue.

Changes compared to Release Candidate 1

This release features the following fixes compared to rc1:

  • #3989 Fix usage of std::distance() in DNSName::isPartOf() (signed/unsigned comparisons)
  • #4017 Fix building without Lua. Add isTcp to dq.
  • #4023 Actually log on dnssec=log-fail
  • #4028 DNSSEC fixes (NSEC casing, send DO-bit over TCP, DNSSEC trace additions)
  • #4052 Don’t fail configure on missing fcontext.hpp
  • #4096 Don’t call commit() if we skipped all the records

It has the following improvements:

  • #3400 Enable building on OpenIndiana
  • #4016 Log protobuf messages for cache hits. Add policy tags in gettag()
  • #4040 Allow DNSSEC validation when chrooted
  • #4094 Sort included html files for improved reproducibility (Christian Hofstaedtler)

And these additions:

  • #3981 Import Javascript sources for libs shipped with Recursor (Christian Hofstaedtler)
  • #4012 add tags support to ProtobufLogger.py
  • #4032 Set the existing policy tags in dq for {pre,post}resolve
  • #4077 Add DNSSEC validation statistics
  • #4090 Allow reloading the lua-config-file at runtime
  • #4097 Allow logging DNSSEC bogus in any mode
  • #4125 Add protobuf fields for the query’s time in the response

Getting the Recursor

The tarball is here(sig), and packages for Debian Jessie, Ubuntu Trusty, Wily and Xenial, CentOS 6 and 7, SUSE Linux Enterprise 12.1 and Raspbian Jessie are available from our repositories.

We would like to thank everybody who helped with ideas, code and testing the Recursor.

Back to overview

Related Articles