Thanks to an overwhelming amount of testing by our fabulous user community, this release candidate contains a ton of bug fixes (and a few improvements) compared to the previous one. We hope this has shaken out all of the important bugs, so that we can release 4.2.0 soon!
The changelog summary:
- lots of bug fixes!
The 4.1.12 release was skipped due to a packaging issue.
This is a bugfix release for high traffic setups using the pipebackend or remotebackend. It contains the following changes:
- gpgsqlbackend: add missing schema file to Makefile (#8157)
- stop using select() in places where FDs can be >1023 (#8162)
Last Tuesday we published PowerDNS Security Advisory 2019-06, which called for a schema update if you are using PostgreSQL with the Authoritative Server. We have now released updated packages for the 4.0.x and 4.1.x branches. These packages contain no software changes, they only contain the updated schema. Simply updating your packages will NOT correct your PostgreSQL schema.
The 4.0.9 tarball (signature) and 4.1.11 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Xenial and Bionic (only for 4.1.11) are available from repo.powerdns.com.
We’re proud to announce version 4.2.0 for the PowerDNS Recursor 4.2 release train.
The 4.2.0 release of the PowerDNS Recursor brings a lot of small, incremental changes over the 4.1.x releases. We expect little operational impact when upgrading from 4.1.x. However, several new features have been implemented and some features have changed.
This release was made possible by contributions from: Gibheer, cclauss, Aki Tuomi, Ruben, Doug Freed, Richard Gibson, Peter Gervai, Oli, Josh Soref, Rens Houben, Kirill Ponomarev, Kees Monshouwer, Matt Nordhoff, OSSO B.V., phonedph1, Rafael Buchbinder, Ruben Kerkhof, spirillen, Tom Ivar Helbekkmo and Chris Hofstaedtler. Thanks!
DNS Flag Day
The 4.2.0 release of the PowerDNS Recursor removes several workarounds for authoritative servers that respond badly to EDNS(0) queries. This is part of a multi-vendor effort known as DNS flag day to move the DNS ecosystem forward by being less lenient on non-conforming implementations.
This release adds support for DNS X-Proxied-For (draft-bellis-dnsop-xpf-04).
This technique is roughly equivalent to HTTP’s X-Forwarded-For header,
it can communicate the IP address and port of the original requestor
from a loadbalancer/frontend (like dnsdist)
to the backend server. This can allow the backend server to make
decisions regarding that specific client. XPF is disabled by default and
can be enabled by setting the
xpf-allow-from setting to the source IP address of the front-end proxy and setting
xpf-rr-code to the code of the resource record used by the frontend.
EDNS Client Subnet Improvements
More granularity has been added for the users of EDNS Client Subnet. The new
ecs-add-for setting can be set to a list of netmasks for which the requestor’s IP address should be used as the EDNS Client Subnet for outgoing queries. For IP addresses not on this list, the PowerDNS Recursor will use the
ecs-scope-zero-address instead, which matches the behavior of 4.1.x. Valid incoming ECS values from use-incoming-edns-subnet are not replaced.
New and Updated Settings
Sites that process large numbers of queries per second (100k+), may benefit from the new
distributor-threads setting. This can be used in combination with
pdns-distributes-queries=yes to spawn multiple threads that will pick up incoming queries and distribute them over the worker threads.
For several statistics, the PowerDNS Recursor uses a public suffix list to group queries. Before, this list was built into the binary and only updated for every release. This release adds the
setting that allows operators to supply their own public suffix list.
This option is unset by default, which means the built-in list is used.
Over the last years it has become clear that many networks on the
internet lose large UDP packets, leading to authoritative servers being
seen as dead from the recursor’s perspective. To ensure return packets
from authoritative servers have a better chance of reaching the
setting’s default has changed from 1680 to 1232. 1232 was chosen
because it is the largest DNS response that can be carried on an IPv6
link with the IPv6 minimal MTU (1280). In tandem with this change, the
udp-truncation-threshold that decides when to truncate responses to clients has also been changed from 1680 to 1232.
Changes since release candidate 2
There have been some minor changes since release candidate 2:
- #8074: Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0
- #8052: Limit compression pointers to 14 bits
- #8009: Fix the export of only outgoing queries or incoming responses
- #8005: Clear CMSG_SPACE(sizeof(data)) in cmsghdr to appease valgrind
Please see the changelog for details.
Starting with this release, we intend to move to 6 month release cycles. This means the next release of PowerDNS recursor (4.3) is scheduled for January 2020. We will support a release for two cycles (one year). After that, a release will only get security fixes for one more cycle and then move to end of life status. Starting with the upcoming releases, our other two open source products dnsdist and the authoritative server will also move to a 6 month cycle with the same support periods.
Specific information can be found in the end of life statement.
The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com. We no longer build Debian Jessie and Ubuntu Trusty packages.
We would like to thank the PowerDNS community for continued support, feedback, bug fixes and submitted features.
We’re proud to announce Release Candidate 2 for the PowerDNS Recursor 4.2 release train.
There have been some minor changes since release candidate 1:
- #7955: Handle short reads from our random device
- #7953: Check if
-latomicis needed instead of hardcoding
- #7939: Compare the
CacheKeytype and place first then the name
- #7931: Don’t mix
gettimeofday()in our unit tests
Please see the changelog for details.
Please try this version. With some luck, RC2 can become 4.2.0 with no changes in just a week or two!
The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie, Stretch and Buster, Ubuntu Trusty, Xenial, Bionic and Cosmic are available from repo.powerdns.com.
These are security releases.
The 4.0.8 and 4.1.10 (together with 4.1.9) releases fix the following security advisories:
- PowerDNS Security Advisory 2019-04 (CVE-2019-10162)
- PowerDNS Security Advisory 2019-05 (CVE-2019-10163)
The 4.0.8 tarball (signature) and 4.1.10 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Xenial and Bionic (only for 4.1.10) are available from repo.powerdns.com.
This maintenance release of the PowerDNS Authoritative Server has the following changes:
- by popular demand, the option to disable superslave support has been backported from 4.2.0 to 4.1.9 (#7922)
pdnsutil b2b-migratewould lose NSEC3 settings. This has been corrected now. (#7921)