PowerDNS Authoritative Server 4.1.0 Release Candidate 2 Available

Now that the Release Candidate 1 has simmered for a while, we present PowerDNS Authoritative Server Release Candidate 2!

Thanks to everyone who tested RC1.

This release has several performance improvements, stability and correctness fixes.

Of course, this release also has corrected typos, improvements to the documentation and a lot of minor improvements of issues discovered by Jan-Piet Mens.

Thanks for fixing issues not mentioned below go out to: Kees Monshouwer.

Additional documentation improvements by: Anhad Jai Singh and Christian Hofstaedtler.

The full changelog looks like this:

New Features

  • #5779: Rectify zones via the API. (Nils Wisiol)
    • Move the pdnsutil rectification code to the DNSSECKeeper
    • Generate DNSSEC keys for a zone when “dnssec” is true in an API POST/PATCH for zones
    • Rectify DNSSEC zones after POST/PATCH when API-RECTIFY metadata is 1
    • Allow setting this metadata via the “api-rectify” param in a Zone object
    • Show “nsec3param” and “nsec3narrow” in Zone API responses
    • Add an “rrsets” request parameter for a zone to skip sending RRSets in the response
    • Add rectify endpoint in the API
  • #5665: Add PKCS#11 support to packages on Operating Systems that support it.


  • #5498: Add support for Botan 2.x and drop support for Botan 1.10 (the latter thanks to Kees Monshouwer).
  • #5810: Fix issues when b2b-migrating from the BIND backend to a database:
    • No masters were set in the target db (#5807)
    • Only the last master in the list of masters would be added to the target database
    • The BIND backend was not fully aware of native zones
  • #5584: Add support for new record types to the LDAP backend.
  • #5842: Add log-timestamp option. This option can be used to disable printing timestamps to stdout, this is useful when using systemd-journald or another supervisor that timestamps stdout by itself. As the logs will not have 2 timestamps.
  • #5838: Stop doing individual RRSIG queries during outbound AXFR. (Kees Monshouwer)

Bug Fixes

  • #5684: Improve trailing dot handling internally which lead to a segfault in pdnsutil before.
  • #5678: Treat requestor’s payload size lower than 512 as equal to 512. Before, we did not follow RFC 6891 section 6.2.3 correctly.
  • #5766: Correctly purge entries from the caches after a transfer. Since the QC/PC split up, we only removed entries for the AXFR’d domain from the packet cache, not the query cache. We also did not remove entries in case of IXFR.
  • #5791: When throwing because of bogus content in the tinydns database, report the offending name+type so the admin can find the offending record.
  • #5696: For zone PATCH requests, add new “X-PDNS-Old-Serial” and “X-PDNS-New-Serial” response headers with the zone serials before and after the changes.
  • #5704: Make default options singular and use defaults in Cryptokey API-endpoint
  • #5729: Remove printing of DS records from “pdnsutil export-zone-dnskey …”. This was not only inconsistent behaviour but also done incorrectly.
  • #5702: Make bindbackend startTransaction to return false when it has failed. (Aki Tuomi)
  • #5820: Log the needed size when a MySQL result was truncated.
  • #5710: Remove “” around secpoll result which fixes “pdns_control show security-status” not working.
  • #5722: Make the auth also publish CDS/CDNSKEY records for inactive keys, as this is needed to roll without double sigs.
  • #5734: Fix a crash when getting a public GOST key if the private one is not set.
  • #5815: Ignore SOA-EDIT for PRESIGNED zones.

The tarball is available on downloads.powerdns.com (signature) and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Yakkety, Xenial and Zesty are available from repo.powerdns.com. (The Raspbian packages will come later, possibly Monday, because they are still building.)

We invite you to test this release candidate and send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s