Category: Uncategorized

Second Beta Release of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the second beta release of what should become PowerDNS Recursor 4.5.0. Compared to the first beta release, this release contains a few bug fixes and improvements, in particular a bugfix concerning zones with “Stranded DNSKEYSs”, zones that are signed but do not publish a DNSKEY.

This release contains a rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% . This is a rather substantial change and we would be very grateful for tests and feedback from the community.

Another notable feature is the implementation of EDNS0 padding (RFC 7830) for answers sent to clients.

The upcoming 4.5.0 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that have nameservers that do not resolve.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.
  • The spoof-nearmiss-max setting‘s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
  • Incoming queries over TCP now also use the packet cache, providing another performance increase.
  • File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.
  • TCP FastOpen (RFC 7413) support for outgoing TCP connections to authoritative servers and forwarders.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

The new face of PowerDNS: GreenDNS

Hello!

Today, we of the PowerDNS team are ready to unveil our bold new product strategy: GreenDNS.

Admitting the following is quite painful, but to make a better world we must muster the courage to be brutally honest: DNS is dirty. In fact, it’s absolutely filthy. Too long have we been accomplices to the industry in covering up this fact. This is, in fact, one of the main drivers in the development of DNS-over-TLS and especially DNS-over-HTTPS. The reasoning was, if no one can see the DNS, nobody will notice how obscenely foul it really is.

No longer. No longer can we look at ourselves in the mirror while continuing to contribute to this squalor. For the sake of our children and their children, DNS must go GREEN.

And so, today, we make a promise. Like the high-profile tech giants, we will strive for carbon-neutrality, but without the privacy invasion. Specifically, to be the premier purveyor of premium, carbon-neutral DNS solutions by 2030.

In the spirit of our new-found transparency, we would like to share which solutions/technologies we will be exploring as part of this product initiative:

  • The blockchain, obviously. But only if it’s solar-powered.
  • Anti-phishing, as the world is obviously being over-phished.
  • Carbon-capture technologies that can be bolted on servers, as these suck in a lot of air.
  • No more CI/CD. The lights flicker in some cities when one of us pushes a branch. Our software quality might suffer a bit, but your children will thank you.
  • Just charging more for our software and buying carbon credits.

We know, the list is short, but to be honest after all the repentance we were a bit spent.

Anyway, when armageddon comes and the survivors are huddled around campfires in the empty wastelands, reflecting on how everything went so wrong, at least no one will say: “it was DNS.”

PowerDNS Recursor 4.4.3 Released

Hello!

Today we are releasing PowerDNS Recursor 4.4.3.

This release fixes a bug where corrupted Newly Discovered Domain files could crash the recursor on startup and a bug where the wrong TTL could be used when inserting records into the packet cache. Additionally, a few minor DNSSEC related issues were fixed.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.4.3 changelog  for details.

The 4.4.3 tarball (signature) is available at downloads.powerdns.com and packages for several distributions are available from repo.powerdns.com.

4.1 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Upcoming package removals

As you may know, PowerDNS hosts RPM and Debian packages in our package repositories. Packages are available in binary form as RPM and Debian packages for various distributions. Some of these distributions are coming up to their End Of Life dates and will therefore not be supported by PowerDNS anymore. This blogpost explains which distributions and packages will no longer be supported or available.

CentOS 6 / Red Hat Enterprise Linux 6

CentOS 6 became EOL in November 2020. New versions of PowerDNS products will no longer be built for CentOS 6. Some of the EL6 repositories have not yet been removed for contractual reasons, but will be removed at an unspecified future date. This removal will not be announced and we urge those with extended RHEL 6 support to mirror these packages themselves.

All CentOS 6 packages will be removed at an unspecified future moment, without warning.

Ubuntu 16.04 Xenial

Ubuntu 16.04 Xenial will be EOL in April 2021. Auth 4.4, Recursor 4.4 and dnsdist 1.5 are the last versions supported for Xenial. Canonical offers paid Extended Security Maintenance (ESM) on selected packages in Xenial until April 2024, however, PowerDNS does not offer this kind of support on the Xenial packages. Hence, we will remove all Xenial repositories when Xenial goes EOL at the end of April 2021.

We advise you to upgrade to Ubuntu Bionic or Focal. If upgrading is not possible, we suggest you mirror the existing packages to prevent business continuity problems, and build any upcoming versions with security fixes yourself.

All Ubuntu Xenial packages will be removed end of April 2021.

Debian 9 ‘Stretch’

Debian 9 “Stretch” became EOL in July 2020 and is now in (free, open source) Long Term Support mode until 2022. Its successor “Buster” came out in July 2019. Until now, we have been building packages for newer PowerDNS releases for Stretch. For the upcoming releases (Auth 4.5, Recursor 4.5, dnsdist 1.6), we have stopped doing this. The older releases will be supported on Debian Stretch until that next release (4.5 or 1.6) comes out.

All Debian Stretch packages for the Authoritative Server will be removed when Auth 4.5 is released.

All Debian Stretch packages for the Recursor will be removed when Recursor 4.5 is released.

All Debian Stretch packages for dnsdist will be removed when dnsdist 1.6 is released.

Raspbian/Raspberry Pi OS

To simplify time handling, we have recently decided to no longer support systems where time_t is 32 bits. This means that Auth/Rec 4.4 and dnsdist 1.5 are the last supported releases for (32-bit) Raspbian/Raspberry Pi OS. In addition to that, Raspbian deprecation follows our Debian deprecation roadmap.

We are working on ARM64 builds for various OSes, but no timeline has been decided yet.

All Raspbian Stretch packages for the Authoritative Server will be removed when Auth 4.5 is released.

All Raspbian Stretch packages for the Recursor will be removed when Recursor 4.5 is released.

All Raspbian Stretch packages for dnsdist will be removed when dnsdist 1.6 is released.

No Raspbian packages (any release) will be built for Auth 4.5 and up, Recursor 4.5, and dnsdist 1.6 and up.

Raspbian Buster will be supported in Auth 4.4, Rec 4.4 and dnsdist 1.5 until those versions go EOL.

PowerDNS open source support policy

Each PowerDNS product is supported for about 1.5 years from a x.y.0 release. (see the EOL policy). The first 6 months of this support includes bug and stability fixes. In the future, we will not even ship x.y.0 releases for distributions that will go EOL before the end of that initial 6 month period.

First Beta Release of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the first beta release of what should become PowerDNS Recursor 4.5.0. This release contains various bug fixes, improvements and new features.

This first beta contains a rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% . This is a rather substantial change and we would be very grateful for tests and feedback from the community.

Another notable feature is the implementation of EDNS0 padding (RFC 7830) for answers sent to clients.

The upcoming 4.5.0 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that have nameservers that do not resolve.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.
  • The spoof-nearmiss-max setting‘s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
  • Incoming queries over TCP now also use the packet cache, providing another performance increase.
  • File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.
  • TCP FastOpen (RFC 7413)  support for outgoing TCP connections to authoritative servers and forwarders.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

PowerDNS Recursor 4.3.7 Released

Hello!

Today we are releasing PowerDNS Recursor 4.3.7.

This release fixes a bug where the wrong TTL could be used when inserting records into the packet cache. Additionally, the recursor no longer resolves unneeded names when chasing CNAME records if QName Minimization is enabled.

Please refer to the 4.3.7 changelog  for details.

The 4.3.7 tarball (signature) is available at downloads.powerdns.com and packages for various Linux distributions are available from repo.powerdns.com.

4.1 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Authoritative Server 4.3.2

Hello,

We are happy to announce version 4.3.2 of the Authoritative Server.

This release fixes latency calculations to match the approach used in 4.4.0, to make comparisons between 4.3 and 4.4 more useful.

It also contains a few build-related improvements.

Please find a full list in the changelog.

The tarball (signature) is available at downloads.powerdns.com and packages for various Linux distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Third Alpha Release of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the third alpha release of what should become PowerDNS Recursor 4.5.0. This release contains various bug fixes, improvements and new features. The seond alpha was an internal release only and never went public.

The upcoming 4.5.0 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that have nameservers that do not resolve.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.
  • The spoof-nearmiss-max setting‘s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
  • Incoming queries over TCP now also use the packet cache, providing another performance increase.
  • File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x releases will go into critical security fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and features.

PowerDNS Authoritative Server 4.4.1

Hello!

We are proud to announce version 4.4.1 of the Authoritative Server. This releases fixes several small issues discovered since the release of 4.4.0.

Please find a full list in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Buster, Ubuntu Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First Alpha Release of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the first alpha release of what should become PowerDNS Recursor 4.5.0. This release contains various bug fixes, improvements and new features. 

The upcoming 4.5.0 release features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuffer and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x releases will go into critical security fixes only mode. Consult the EOL policy for more details.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and features.