PowerDNS Blog

PowerDNS Authoritative Server 4.2.0 | PowerDNS Blog

Written by Peter van Dijk | Aug 30, 2019 4:00:00 AM

Hello everybody!

We are very happy to announce the release of Authoritative Server 4.2.0. Besides a ton of bug fixes (please see the Changelog), this release also offers a nice collection of new features.

This release was made possible by the contributions of a huge number of people. Please refer to alpha/beta/RC release announcements,  and, of course, the Changelog, to find them all. Thank you all!

Lua records

An important new feature is the support for Lua Records, which make the following possible, from any backend (even BIND, and LMDB!):

 

 
@ IN LUA A "ifportup(443, {'52.48.64.3', '45.55.10.200'})"

 

 
This will poll the named IP addresses (in the background) and only serve up hosts that are available. Far more powerful constructs are possible, for example to pick servers from regional pools close to the user, except if all servers in that pool are down. It is also possible to do traffic engineering based on subnets or AS numbers. A simple example:

 

 
@ IN LUA A ( "ifportup(443, {'52.48.64.3', '45.55.10.200'}, {selector='closest'})

 

 
For more about this feature, please head to the documentation.

ixfrdist

A new tool ixfrdist transfers zones from an authoritative server and re-serves these zones over AXFR and IXFR. It checks the SOA serial for all configured domains and downloads new versions to disk. This makes it possible for hundreds of PowerDNS Recursors (or authoritative servers) to slave an (RPZ) zone from a single server, without overwhelming providers like our friends over at Spamhaus/Deteque and Farsight.

UDP fragmentation

In accordance with the preliminary plans for DNS Flag Day 2020, this release lowers the default for udp-truncation-threshold from 1680 to 1232. This avoids most cases of UDP fragmentation, leading to better performance and security.

LMDB backend

Another new feature in 4.2.0 is the LMDB backend. As an in-process, memory mapped database, it should provide performance superior to most other backends. It supports master and slave operation and is fully DNSSEC capable. Sadly, just before 4.2.0, a fix for other backends somewhat broke the LMDB backend. Slaving zones works, and loading zones with pdnsutil works, but finer-grained tools like ‘pdnsutil edit-zone’ do not. We hope to fix this in an upcoming 4.2.x release soon!

If you want to try the LMDB backend, please review the two known bugs to avoid any surprises.

Deprecations

4.2 will see the removal of the poorly documented ‘autoserial’ feature. This removal decision was not taken lightly but as noted, its removal allows us to fix other bugs. Autoserial was holding us back. We realise it is no fun when a feature disappears, but since Authoritative Server 4.1 is still around, you can still use that if you require ‘autoserial’.
 
In compliance with the new Algorithm Implementation Requirements and Usage Guidance for DNSSEC RFC, support for ECC-GOST signing, validation, and support for GOST DS digests have all been removed.

Other developments

We always strive to deliver secure and performant software. As part of that policy, we joined OSS-Fuzz late last year. Please see that blog post for a nice overview of everything we do to deliver secure software to you, every release.

Release cycles

Starting with this release, we intend to move to 6 month release cycles. This means the next release of PowerDNS Authoritative (4.3) is scheduled for February 2020. We will support a release for two cycles (one year). After that, a release will only get security fixes for one more cycle and then move to end of life status. Recursor and dnsdist are adopting the same cycle.

Specific information can be found in the end of life statement.

Getting the new software

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.