Category: Uncategorized

PowerDNS Authoritative Server 4.5.0-beta1

Hello!

Today we released the first Beta version for Authoritative Server version 4.5.0.

Version 4.5.0 mostly brings small improvements and fixes, but there is one notable new feature: the zone cache.

The zone cache allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference.

In beta1, the zone cache is enabled by default.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.4.4 and 4.5.2 Released

We are proud to announce the release of PowerDNS Recursor 4.4.4. and 4.5.2. Both releases contain mostly smaller bug fixes. For the 4.5.2 release the default value of nsec3-max-iterations has  been lowered to 150, in accordance with new guidelines and in coordination with other vendors. Furthermore, an issue affecting the “refresh almost expired” function has been fixed.

Please refer to the change logs for the 4.4.4 and 4.5.2 release for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarballs (4.4.4, 4.5.2) and signatures (4.4.4, 4.5.2) are available from our download server and packages for several distributions are available from our repository.

With the previous 4.5.1 release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

PowerDNS Authoritative Server 4.5.0-alpha1

Hello!

Today we released the first Alpha version for Authoritative Server version 4.5.0.

Version 4.5.0 mostly brings small improvements and fixes, but there is one notable new feature: the zone cache.

The zone cache allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.5.1 Released

We are proud to announce the release of PowerDNS Recursor 4.5.1. Compared to the release candidate, this release contains two bug fixes. Note that 4.5.0 was never released publicly, since an issue was found during QA.

Compared to the previous major (4.4) release of PowerDNS Recursor, this release contains a rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% .

Another notable feature is the implementation of EDNS0 padding (RFC 7830) for answers sent to clients.

This 4.5.1 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that list nameservers that do not resolve and further mitigates the TsuNAME vulnerability.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.
  • The spoof-nearmiss-max setting‘s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
  • Incoming queries over TCP now also use the packet cache, providing another performance increase.
  • File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.
  • TCP FastOpen (RFC 7413) support for outgoing TCP connections to authoritative servers and forwarders.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With this 4.5.1 release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

TsuNAME vulnerability and PowerDNS Recursor

Recently, the TsuNAME vulnerability was published. It concerns DNS recursors endlessly querying authoritative nameservers if the nameservers listed in the domains form a loop.

The researchers contacted us before publication, and we established then that while a very old version of PowerDNS recursor was found to be looping, all version of PowerDNS Recursor since 4.0 are not affected. Note that PowerDNS Recursor versions prior to 4.2 are End Of Life. For details, consult our EOL policy page.

While not looping endlessly, PowerDNS does issue more queries than strictly necessary while encountering a nameserver loop, so we decided to implement a further mitigation of the issue. This mechanism, (the non-resolving nameserver cache) will be available and enabled by default in the upcoming PowerDNS Recursor 4.5 release.

Actions for system administrators running PowerDNS Recursor

Make sure you run a supported version of PowerDNS Recursor. Currently this means version 4.2.5, 4.3.7, 4.4.3 or newer. Note that some distributions ship unsupported versions of PowerDNS recursor. This is something out of our control, but for popular distributions you can install the latest supported version from our repository.

First Release Candidate of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the first release candidate of what should become PowerDNS Recursor 4.5.0. Compared to the last beta release, this release contains a few minor bug fixes and improvements.

Compared to the previous major (4.4) release of PowerDNS Recursor, this release contains a rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% . This is a rather substantial change and we would be very grateful for tests and feedback from the community.

Another notable feature is the implementation of EDNS0 padding (RFC 7830) for answers sent to clients.

The upcoming 4.5.0 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that have nameservers that do not resolve.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.
  • The spoof-nearmiss-max setting‘s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
  • Incoming queries over TCP now also use the packet cache, providing another performance increase.
  • File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.
  • TCP FastOpen (RFC 7413) support for outgoing TCP connections to authoritative servers and forwarders.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

Second Beta Release of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the second beta release of what should become PowerDNS Recursor 4.5.0. Compared to the first beta release, this release contains a few bug fixes and improvements, in particular a bugfix concerning zones with “Stranded DNSKEYSs”, zones that are signed but do not publish a DNSKEY.

This release contains a rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% . This is a rather substantial change and we would be very grateful for tests and feedback from the community.

Another notable feature is the implementation of EDNS0 padding (RFC 7830) for answers sent to clients.

The upcoming 4.5.0 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that have nameservers that do not resolve.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.
  • The spoof-nearmiss-max setting‘s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
  • Incoming queries over TCP now also use the packet cache, providing another performance increase.
  • File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.
  • TCP FastOpen (RFC 7413) support for outgoing TCP connections to authoritative servers and forwarders.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The new face of PowerDNS: GreenDNS

Hello!

Today, we of the PowerDNS team are ready to unveil our bold new product strategy: GreenDNS.

Admitting the following is quite painful, but to make a better world we must muster the courage to be brutally honest: DNS is dirty. In fact, it’s absolutely filthy. Too long have we been accomplices to the industry in covering up this fact. This is, in fact, one of the main drivers in the development of DNS-over-TLS and especially DNS-over-HTTPS. The reasoning was, if no one can see the DNS, nobody will notice how obscenely foul it really is.

No longer. No longer can we look at ourselves in the mirror while continuing to contribute to this squalor. For the sake of our children and their children, DNS must go GREEN.

And so, today, we make a promise. Like the high-profile tech giants, we will strive for carbon-neutrality, but without the privacy invasion. Specifically, to be the premier purveyor of premium, carbon-neutral DNS solutions by 2030.

In the spirit of our new-found transparency, we would like to share which solutions/technologies we will be exploring as part of this product initiative:

  • The blockchain, obviously. But only if it’s solar-powered.
  • Anti-phishing, as the world is obviously being over-phished.
  • Carbon-capture technologies that can be bolted on servers, as these suck in a lot of air.
  • No more CI/CD. The lights flicker in some cities when one of us pushes a branch. Our software quality might suffer a bit, but your children will thank you.
  • Just charging more for our software and buying carbon credits.

We know, the list is short, but to be honest after all the repentance we were a bit spent.

Anyway, when armageddon comes and the survivors are huddled around campfires in the empty wastelands, reflecting on how everything went so wrong, at least no one will say: “it was DNS.”

PowerDNS Recursor 4.4.3 Released

Hello!

Today we are releasing PowerDNS Recursor 4.4.3.

This release fixes a bug where corrupted Newly Discovered Domain files could crash the recursor on startup and a bug where the wrong TTL could be used when inserting records into the packet cache. Additionally, a few minor DNSSEC related issues were fixed.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.4.3 changelog  for details.

The 4.4.3 tarball (signature) is available at downloads.powerdns.com and packages for several distributions are available from repo.powerdns.com.

4.1 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Upcoming package removals

As you may know, PowerDNS hosts RPM and Debian packages in our package repositories. Packages are available in binary form as RPM and Debian packages for various distributions. Some of these distributions are coming up to their End Of Life dates and will therefore not be supported by PowerDNS anymore. This blogpost explains which distributions and packages will no longer be supported or available.

CentOS 6 / Red Hat Enterprise Linux 6

CentOS 6 became EOL in November 2020. New versions of PowerDNS products will no longer be built for CentOS 6. Some of the EL6 repositories have not yet been removed for contractual reasons, but will be removed at an unspecified future date. This removal will not be announced and we urge those with extended RHEL 6 support to mirror these packages themselves.

All CentOS 6 packages will be removed at an unspecified future moment, without warning.

Ubuntu 16.04 Xenial

Ubuntu 16.04 Xenial will be EOL in April 2021. Auth 4.4, Recursor 4.4 and dnsdist 1.5 are the last versions supported for Xenial. Canonical offers paid Extended Security Maintenance (ESM) on selected packages in Xenial until April 2024, however, PowerDNS does not offer this kind of support on the Xenial packages. Hence, we will remove all Xenial repositories when Xenial goes EOL at the end of April 2021.

We advise you to upgrade to Ubuntu Bionic or Focal. If upgrading is not possible, we suggest you mirror the existing packages to prevent business continuity problems, and build any upcoming versions with security fixes yourself.

All Ubuntu Xenial packages will be removed end of April 2021.

Debian 9 ‘Stretch’

Debian 9 “Stretch” became EOL in July 2020 and is now in (free, open source) Long Term Support mode until 2022. Its successor “Buster” came out in July 2019. Until now, we have been building packages for newer PowerDNS releases for Stretch. For the upcoming releases (Auth 4.5, Recursor 4.5, dnsdist 1.6), we have stopped doing this. The older releases will be supported on Debian Stretch until that next release (4.5 or 1.6) comes out.

All Debian Stretch packages for the Authoritative Server will be removed when Auth 4.5 is released.

All Debian Stretch packages for the Recursor will be removed when Recursor 4.5 is released.

All Debian Stretch packages for dnsdist will be removed when dnsdist 1.6 is released.

Raspbian/Raspberry Pi OS

To simplify time handling, we have recently decided to no longer support systems where time_t is 32 bits. This means that Auth/Rec 4.4 and dnsdist 1.5 are the last supported releases for (32-bit) Raspbian/Raspberry Pi OS. In addition to that, Raspbian deprecation follows our Debian deprecation roadmap.

We are working on ARM64 builds for various OSes, but no timeline has been decided yet.

All Raspbian Stretch packages for the Authoritative Server will be removed when Auth 4.5 is released.

All Raspbian Stretch packages for the Recursor will be removed when Recursor 4.5 is released.

All Raspbian Stretch packages for dnsdist will be removed when dnsdist 1.6 is released.

No Raspbian packages (any release) will be built for Auth 4.5 and up, Recursor 4.5, and dnsdist 1.6 and up.

Raspbian Buster will be supported in Auth 4.4, Rec 4.4 and dnsdist 1.5 until those versions go EOL.

PowerDNS open source support policy

Each PowerDNS product is supported for about 1.5 years from a x.y.0 release. (see the EOL policy). The first 6 months of this support includes bug and stability fixes. In the future, we will not even ship x.y.0 releases for distributions that will go EOL before the end of that initial 6 month period.