PowerDNS Jobs, 4.1 roadmap, DNSSEC research

Hi everyone,

In this post, we want to mention a few things: PowerDNS Jobs, 4.1 plans & some DNSSEC research.

First, PowerDNS is growing rapidly as more and more large-scale service providers replace closed DNS systems with PowerDNS, especially for security-enhanced DNS and “parental control”. More on this PowerDNS Platform product can be found on the Open-Xchange website and here.

To support this growth, we have two job openings currently. Full details are here, brief descriptions:

Solution Engineer

Daily activities alternate between working on customer issues and actual Professional Services for customer implementations (both on-site and off-site). As Solution Engineer (with a focus on PowerDNS) you will work closely with the PowerDNS development team, as well as with other parts of Open-Xchange and Dovecot development, sales, and Product Management teams from within a European Services team.

We think Support & Implementation is a great step into a promising career. We are specifically looking for employees willing to learn quickly while delivering great support and service, while keeping an eye towards growing within the Global Services department or into different roles in the larger Open-Xchange organisation.

Versatile frontend developer with moderate middleware skills

We are looking for people with one or more of the following skills:

  • Modern web development (key words are AngularJS, JSON, RESTful, D3.js, Backbone and other frameworks that aren’t TOO hip)
  • Django
  • Ability to enhance middleware in Python
  • Ability to propose changes to core C++ code and make small additions
  • Automated UI testing

Full details and how to apply can be found here.

4.1 plans

We have started the process of 4.1 release planning. We have identified a number of areas that need to be addressed, but your input is most welcome. The 4.0 roadmap process was rather successful, but only because users vocally reminded us of what was missing.

So please let us know: what are we simply not talking about that you think is vital for PowerDNS. If we are not doing something, it is probably because we don’t know that you need it! So please let us know whatever you are missing on

DNSSEC research

We wrote some perhaps interesting stuff on DNSSEC here:

With this technique, we’ve been able to measure the DNSSEC penetration on all top level domains (including and The list is here:, and here are the top domains:


All in all we have found there are around 7.4 million signed DNSSEC domains.

Given what we know of the zones involved (.se, .nl, .de, .be), it looks like the majority of these are signed and mostly served by PowerDNS.


PowerDNS Authoritative Server 4.0.3 released!

Today we’ve released version 4.0.3 of the PowerDNS Authoritative Server. This release fixes an issue when using multiple backends, where one of the backends is the BIND backend. This regression was introduced in version 4.0.2.

This makes the changelog very short:

  • #4905: Revert “In `Bind2Backend::lookup()`, use the `zoneId` when we have it”

Users with multiple backends are encouraged to upgrade.

Tarballs (signature) can be downloaded from the releases page, and the packages in the repositories have been updated.

PowerDNS Authoritative Server 3.4.11 and Recursor 3.7.4 released!

Today, we are releasing version 3.4.11 of the PowerDNS Authoritative Server and version 3.7.4 of the PowerDNS Recursor. These releases fix several security issues that were reported to PowerDNS.

It concerns the following security advisories:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-03: Denial of service via the web server (Authoritative only)
  • 2016-04: Insufficient validation of TSIG signatures (Authoritative only)
  • 2016-05: Crafted zone record can cause a denial of service (Authoritative only)

For those who cannot update, minimal patches are available (2016-02, 2016-03, 2016-04, 2016-05).

A few other issues have been fixed as well, see the Authoritative Server 3.4.11 changelog and the Recursor 3.7.4 changelog.

We urge all users to upgrade to these new versions.

Source tarballs and packages are available on:

PowerDNS Recursor 4.0.4 released!

We are happy to announce the release of the PowerDNS Recursor version 4.0.4. This release fixes two security issues and adds several improvements to the DNSSEC validation code.

The following PowerDNS Security Advisories are fixed:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-04: Insufficient validation of TSIG signatures

Minimal patches are available for those unable to fully upgrade (2016-02, 2016-04).

The full changelog is available, highlights include:

  • Check TSIG signature on IXFR (Security Advisory 2016-04)
  • Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • Add `max-recursion-depth` to limit the depth of internal recursion
  • Wait until after daemonizing to start the RPZ and protobuf threads
  • On RPZ customPolicy, follow the resulting CNAME
  • Make the negative cache aware of forwarded zones
  • Cache records for zones that were delegated to from a forwarded zone
  • DNSSEC: don’t go bogus on zero configured DSs
  • DNSSEC: NSEC3 optout and Bogus insecure forward fixes
  • DNSSEC: Handle CNAMEs at the apex of secure zones to other secure zones

We recommend all users of the Recursor to upgrade to this version. Tarballs with sources are available (signature).

Packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories.

PowerDNS Authoritative Server 4.0.2 released!

We are pleased to announce the release of the PowerDNS Authoritative Server 4.0.2. This release fixes several security issues reported to us in the last few months, as well as a memory leak in the PostgreSQL backend.

The following security issues were fixed:

  • 2016-02: Crafted queries can cause abnormal CPU usage
  • 2016-03: Denial of service via the web server
  • 2016-04: Insufficient validation of TSIG signatures
  • 2016-05: Crafted zone record can cause a denial of service

For those who cannot update, minimal patches are available (2016-02, 2016-03, 2016-04, 2016-05).

The full changelog is available, highlights include:

  • Don’t parse spurious RRs in queries when we don’t need them (Security Advisory 2016-02)
  • Don’t exit if the webserver can’t accept a connection (Security Advisory 2016-03)
  • Check TSIG signature on IXFR (Security Advisory 2016-04)
  • Correctly check unknown record content size (Security Advisory 2016-05)
  • ODBC backend: actually prepare statements
  • Improve root-zone performance
  • Plug memory leak in PostgreSQL backend (Christian Hofstaedtler)
  • calidns: Don’t crash if we don’t have enough ‘unknown’ queries remaining
  • Improve PacketCache cleaning (Kees Monshouwer)
  • Bind backend: update status message on reload, keep the existing zone on failure
  • Fix TSIG for single thread distributor (Kees Monshouwer)
  • Change default for any-to-tcp to yes (Kees Monshouwer)
  • Don’t look up the packet cache for TSIG-enabled queries
  • Fix build with OpenSSL 1.1.0 final (Christian Hofstaedtler)
  • pdnsutil: create-slave-zone accept multiple masters (Hannu Ylitalo)
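The 2016-05 item above (“Correctly check unknown record content size”) concerns records of types the server has no specific parser for, which zone data carries in the RFC 3597 generic form `TYPEnnn \# <length> <hex>`. As an added example (not PowerDNS code, and not a description of the specific defect the advisory fixed), the following parser accepts that form only when the declared length matches the decoded hex payload and fits the 16-bit RDLENGTH field, and it takes RDLENGTH on the wire from the decoded payload rather than from the text, so a malformed record is rejected at load time instead of reaching the packet writer. The zone lines and the small type table are constructed for the demonstration.

```python
"""Parser for RFC 3597 generic ("unknown type") records with strict
length checking. Added example, not PowerDNS code; the zone lines and
the type table below are constructed for the demonstration."""
import re
import struct

MAX_RDLENGTH = 0xFFFF                      # RDLENGTH is a 16-bit wire field
HEX_RE = re.compile(r"[0-9A-Fa-f]*")
TYPE_RE = re.compile(r"TYPE(\d+)$", re.IGNORECASE)
KNOWN_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "TXT": 16, "AAAA": 28}   # constructed subset


def type_code(name: str) -> int:
    """Map 'A'/'AAAA'/... or the generic 'TYPEnnn' mnemonic to a type code."""
    m = TYPE_RE.match(name)
    if m:
        code = int(m.group(1))
        if code > 0xFFFF:
            raise ValueError(f"type code {code} out of range")
        return code
    if name.upper() in KNOWN_TYPES:
        return KNOWN_TYPES[name.upper()]
    raise ValueError(f"unknown type mnemonic {name!r}")


def parse_generic_rdata(tokens):
    """Tokens after the type field, e.g. ['\\#', '4', '0A00', '0001'].
    Returns the raw RDATA; raises ValueError on any size inconsistency."""
    if not tokens or tokens[0] != r"\#":
        raise ValueError("not RFC 3597 generic syntax")
    if len(tokens) < 2 or not tokens[1].isdigit():
        raise ValueError("missing or non-numeric length")
    declared = int(tokens[1])
    if declared > MAX_RDLENGTH:
        raise ValueError(f"declared length {declared} exceeds RDLENGTH")
    hexdata = "".join(tokens[2:])              # hex may be split into groups
    if len(hexdata) % 2 or not HEX_RE.fullmatch(hexdata):
        raise ValueError("malformed hex payload")
    rdata = bytes.fromhex(hexdata)
    if len(rdata) != declared:
        raise ValueError(f"declared {declared} bytes, payload has {len(rdata)}")
    return rdata


def parse_rr_line(line: str):
    """'owner TTL IN <type> \\# <len> <hex...>' -> (owner, ttl, type_code, rdata)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[2].upper() != "IN":
        raise ValueError("expected: owner TTL IN type rdata")
    owner, ttl, rtype = tokens[0], int(tokens[1]), type_code(tokens[3])
    return owner, ttl, rtype, parse_generic_rdata(tokens[4:])


def wire_name(name: str) -> bytes:
    """Uncompressed wire format of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def to_wire(owner: str, ttl: int, rtype: int, rdata: bytes) -> bytes:
    """Wire-format RR; RDLENGTH comes from the parsed payload, never from the text."""
    return wire_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def load_zone(lines):
    """Returns (accepted records, [(line, reason), ...] for rejected lines)."""
    accepted, rejected = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        try:
            accepted.append(parse_rr_line(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed zone lines: three well-formed records and three that must be refused.
SAMPLE_ZONE = [
    r"host.example.  3600 IN TYPE65280 \# 4 0A000001",
    r"host.example.  3600 IN A         \# 4 C000 0201",     # known type, generic syntax
    r"bad1.example.  3600 IN TYPE65281 \# 8 0A000001",      # declared 8, payload 4
    r"bad2.example.  3600 IN TYPE65282 \# 70000 00",        # exceeds 16-bit RDLENGTH
    r"bad3.example.  3600 IN TYPE65283 \# 2 ABC",           # odd number of hex digits
    r"empty.example. 3600 IN TYPE65284 \# 0",               # zero-length RDATA is legal
]

if __name__ == "__main__":
    ok, bad = load_zone(SAMPLE_ZONE)
    for owner, ttl, rtype, rdata in ok:
        print("accepted", owner, rtype, to_wire(owner, ttl, rtype, rdata).hex())
    for line, reason in bad:
        print("rejected", line.split()[0], reason)
```

The check that matters is the last one in `parse_generic_rdata`: the length token is input the loader must not trust, and the only safe RDLENGTH is the size of the bytes actually decoded.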

We highly recommend all users to update to the latest version.

Source tarball (signature) is available, and packages for Debian Stable, Ubuntu Trusty, Xenial and Wily and CentOS 6 and 7 are available from our repositories.

dnsdist 1.1.0 released

We are very pleased to announce the availability of dnsdist 1.1.0. There have been very few changes since 1.1.0-beta2, the most significant ones being that we now handle header-only responses, and that “Refused” responses are now handled by the cache in the same way as “ServFail” ones.

dnsdist 1.1.0 has seen a significant amount of development, mostly based on feedback from the many 1.0 deployments. The majority of the new features have already been taken into production by pre-release and beta users.

Highlights include:

  • TeeAction: send queries to a second nameserver, but ignore responses. Used to test new installations on existing traffic. Also used by the Yeti rootserver project.
  • Response rules which act on received responses
  • AXFR/IXFR support, including filtering options
  • Linux kernel based query type and query name filtering (eBPF), for very high speed packet rejection. Includes counters and statistics
  • Query counting infrastructure (contributed by TransIP’s Reinier Schoof)

For the many other new features, improvements and bug fixes, please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

PowerDNS: 2016 in review

Hi everyone,

As 2016 draws to a close, we’d like to share a few words on what has been achieved over the past year, our second year within Open-Xchange. This post will cover both our technical and commercial efforts, including the PowerDNS Platform which provides per-subscriber malware filtering & parental control. And, we are hiring!

At the end of 2015, we released ‘Technology Preview Releases’ of PowerDNS Authoritative Server 4, PowerDNS Recursor 4 and dnsdist 1.0. This was done to somewhat keep our promise of releasing those versions in 2015, but fell short of what we had hoped to achieve.

Now at the end of 2016 the news is a lot better. The actual 4.0 and 1.0 (dnsdist) releases have happened and are being deployed far faster than we’d been hoping for. This is probably due to some of the exciting new features:

  • RPZ for security & DNS filtering purposes (including IXFR)
  • dnsdist for reliability, flexibility and DoS protection
  • pdnsutil edit-zone for a pretty awesome way to edit DNS zones
  • DNSSEC validation in Recursor
  • Vastly more powerful Lua engines
  • ALIAS record type, which now powers the DNSSEC of many .GOV search engines (including the White House!)

A notable DNSSEC deployment is over at our friends of xs4all who not only sign domains with the PowerDNS Authoritative Server, but recently have also turned on validation on their PowerDNS Recursors for their large userbase.

4.0 and dnsdist were both part of a ‘spring cleaning’ exercise. It is good to realize how rare it is for a software project to go through such an exercise. 4.0 and dnsdist are based on a much cleaned up and improved codebase.

We are also very grateful for our community that stepped up to contribute to 4.x in the form of code, great bug reports, design ideas, documentation and actual bug fixes. Our meagre offering of ‘PowerDNS Crew’ mugs is the least we could do!

Some stats that bear out the community involvement: in 2016, our GitHub repository was forked over 100 times, yielding almost 1000 pull requests, most of which were merged, for a total of over 2500 new commits. These commits closed 1300 issue tickets.

As you may recall, since 2015 PowerDNS is part of OX, together with our cousins from Dovecot. When we announced the merger, some voiced fear about what this would mean for PowerDNS. We can now safely say that the state of the PowerDNS source in 2016 is way stronger than it was in 2015.

Besides finishing the spring cleaning of our open source products, 2016 also saw the release of the PowerDNS Platform which, unusually for us, is not fully open source. We explained this in our blog post as follows:

Putting it more strongly: we have learned that many organizations simply no longer have the time or desire to assemble all the technologies themselves around our Open Source products.

We will therefore be marketing the additional functionalities we have been delivering to our customers as a product tentatively called the “PowerDNS Platform”

The “PowerDNS Platform” as we ship it consists of our core unmodified Open Source products, plus loads of other open source technologies, combined with a management shell that is not an Open Source product that we’ll in fact sell.

The PowerDNS Platform is described here. Feedback on the move to supply the Platform has been good, both from our commercial users and from the PowerDNS development and wider DNS community, for which we are grateful.

Now at the end of 2016 we can report that the PowerDNS Platform has been selected to provide a malware & parental control enabled DNS solution for over 10 million Internet subscribers in Europe. We will be displacing a fully closed solution, which is a win for an open internet.

In addition, this commercial progress provides a healthy & sustainable basis on which to continue to develop the PowerDNS nameservers and dnsdist.

We have regained control over As outlined in our blogpost:

Recently we decided it was time to get the .org back anyhow and after negotiating for a few days we finally paid up, and shortly after that we were back in control of, at a cost of $1000.

This personally left me with a bad aftertaste since effectively we have paid a chain of people that specialise in taking over domains for ransom purposes.


To compensate for all this, we’ve decided to donate €1000 to the Doctors without Borders charity.


We have shipped close to 500 PowerDNS Release mugs to contributors, friends and conference visitors. If you missed out on our giveaway, you can order PowerDNS mugs online from our friends over at Mugbug, who have been an absolute joy to work with.

Root-server speedup

We also had a good time working with the fine people of the RIPE NCC. Anand Buddhdev there decided to do some benchmarking to determine the root-server suitability of a bunch of nameservers. And lo, during his testing, he found that PowerDNS 4.0 was not very suitable. After a good month of investigations & improvements, we managed to achieve a 400% speedup in the PowerDNS Authoritative Server which actually also helped the PowerDNS Recursor.

We shared our learnings on modern optimization in this Medium post which at >10k visits is the second best read post we have ever done. These speedups will be available in the 4.1 releases of our software.


PowerDNS grew this year! Open-Xchange gained a product manager (Alexander ter Haar) and we are also benefiting greatly from Nico Cartron (previously of EfficientIP) and Andrea Tosatto who are helping with automation, deployability and pre-sales work. In addition, we continue to work happily with members of the extended PowerDNS family who we contract with for development, training, documentation and professional services.

But it is not enough. We are still looking for two permanent positions, one in professional services, one in front-end development with a smattering of backend. For more details, please head to our careers page.


Thank you for being involved with PowerDNS, the software and the community. Reading this post to the end means you really care. 🙂

We wish you a great 2017!