
First Alpha Release of PowerDNS Recursor 4.5.0

Hello!

We are proud to announce the first alpha release of what should become PowerDNS Recursor 4.5.0. This release contains various bug fixes, improvements and new features. 

The upcoming 4.5.0 release features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, which makes the Recursor send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and the extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.
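To make the refetch rule concrete, here is an added toy model of the mechanism (example code written for this page, not the Recursor's own C++ implementation). It assumes a single threshold percentage, here called refresh_pct, standing in for the "N percent" in the text, and it reports whether a lookup was served from cache, served from cache with a background refetch scheduled, or a miss:

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class CacheEntry:
    rdata: str
    original_ttl: int    # TTL as received from the authoritative server
    inserted_at: float   # timestamp (seconds) when the entry was stored

@dataclass
class LookupResult:
    rdata: Optional[str]
    source: str          # "cache", "cache+refetch" or "miss"

class RefetchCache:
    """Toy record cache modelling 'refresh almost expired records'.

    refresh_pct is an assumed parameter: when the remaining TTL is at or
    below this percentage of the original TTL, the cached answer is still
    served, but a background refetch is scheduled so the next query finds
    a fresh entry. Time is passed in explicitly to keep the model testable."""

    def __init__(self, refresh_pct: int = 10):
        self.refresh_pct = refresh_pct
        self.entries: Dict[str, CacheEntry] = {}
        self.pending_refetch: Set[str] = set()   # names being refreshed

    def insert(self, name: str, rdata: str, ttl: int, now: float) -> None:
        self.entries[name] = CacheEntry(rdata, ttl, now)

    def lookup(self, name: str, now: float) -> LookupResult:
        entry = self.entries.get(name)
        if entry is None:
            return LookupResult(None, "miss")
        remaining = entry.original_ttl - (now - entry.inserted_at)
        if remaining <= 0:
            # Fully expired: evict and let the caller resolve synchronously.
            del self.entries[name]
            self.pending_refetch.discard(name)
            return LookupResult(None, "miss")
        threshold = entry.original_ttl * self.refresh_pct / 100
        if remaining <= threshold and name not in self.pending_refetch:
            # Almost expired: serve the cached data and refetch in the background.
            self.pending_refetch.add(name)
            return LookupResult(entry.rdata, "cache+refetch")
        # Either plenty of TTL left, or a refetch is already in flight.
        return LookupResult(entry.rdata, "cache")

    def complete_refetch(self, name: str, rdata: str, ttl: int, now: float) -> None:
        # Called when the background query returns: replace the entry.
        self.pending_refetch.discard(name)
        self.insert(name, rdata, ttl, now)
```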

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have a much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x releases will go into critical security fixes only mode. Consult the EOL policy for more details.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and features.

PowerDNS Authoritative Server 4.4.0

Hello!

We are proud to announce version 4.4.0 of the Authoritative Server.

This release drops GSS/TSIG support; please see PowerDNS Security Advisory 2020-06.

As of now, versions 4.1.x and older are End Of Life.

Version 4.4.0 brings a bunch of exciting changes:

  • the LMDB backend now supports long record content, making it production ready for everybody
  • the SVCB and HTTPS record types are supported, with limited additional processing
  • transaction handling in the RFC 2136 (dynamic update) handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes
  • a new setting (consistent-backends) offers a roughly 30% speedup, subject to conditions
  • we finally emit Prometheus metrics!

Authoritative 4.3.x was the last release branch with support for CentOS/RHEL 6. Problems running Authoritative 4.4.x on CentOS/RHEL 6 will not be treated as bugs by us.

We want to specifically thank Robin Geuze, Kees Monshouwer, Mischan Toosarani-Hausberger, Chris Hofstaedtler, and Kevin Fleming for their contributions to this release. We are also grateful to all other reporters of bugs, issues, feature requests, and submitters of smaller fixes and features.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.4.2 Released

Hello!

Today we are releasing PowerDNS Recursor 4.4.2.

This release fixes a bug where the wrong type could be used while verifying DNSSEC signatures, causing domains to be incorrectly marked as Bogus. Additionally, the recursor no longer resolves unneeded names when chasing CNAME records if QName Minimization is enabled. The recursor now also logs more detailed information if a name is found to be Bogus during DNSSEC validation.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.4.2 changelog for details.

The 4.4.2 tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

4.1 and older releases are EOL; refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First Release Candidate for Authoritative 4.4.0

Hello!

This is the first Release Candidate for version 4.4.0 of the Authoritative Server.
If no trouble surfaces, we will release the actual 4.4.0 within a few weeks.

This release drops GSS/TSIG support; please see PowerDNS Security Advisory 2020-06.

Version 4.4.0 brings a bunch of exciting changes:

  • the LMDB backend now supports long record content, making it production ready for everybody
  • the SVCB and HTTPS record types are supported, with limited additional processing
  • transaction handling in the RFC 2136 (dynamic update) handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes
  • a new setting (consistent-backends) offers a roughly 30% speedup, subject to conditions
  • we finally emit Prometheus metrics!

Authoritative 4.3.x was the last release branch with support for CentOS/RHEL 6. Problems running Authoritative 4.4.x on CentOS/RHEL 6 will not be treated as bugs by us.

We want to specifically thank Robin Geuze, Kees Monshouwer, Mischan Toosarani-Hausberger, Chris Hofstaedtler, and Kevin Fleming for their contributions to this release. We are also grateful to all other reporters of bugs, issues, feature requests, and submitters of smaller fixes and features.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Goodbye DNS, Goodbye PowerDNS!

After over 20 years of DNS and PowerDNS, I am moving on. Separate from this page, I am releasing a series of three huge posts on the history of PowerDNS, so I won’t dwell too much on that here.

This is not an easy story to write. I don’t like to grandstand, but when the founder of a project decides to leave after two decades, people do expect some form of an explanation.

It is also customary to describe such an exit in upbeat terms, sometimes to the point that you wonder that if things were so great, why is this person leaving?

But the reality is, I got bored and wanted to do new things. PowerDNS and the wonderful people who I met along the way have taught me so much – software development, operations, marketing, sales, business development, community building, writing internet standards & much more. It has been a wonderful ride.

But now it appears DNS and I are somewhat at the end of our relationship (even though I will remain a minor PowerDNS shareholder). Formally I leave on December 31st.

Helping build PowerDNS into what it is today, a flourishing department of Open-Xchange, able to fund itself by delivering its software to paying users while maintaining good relations with the open source community, has been an incredible honour.

As I leave the company, management and software development have long been in the hands of people I am proud to call my successors. They are doing a better job than I ever did – the only claim I have on the current success is that I helped recruit this next generation. I don’t think there is much more to aspire to when you create a company than leaving it behind in good shape.

(Please do read on till the end of this post for the Oscar-speech round of thanks!)

Some observations

A few years ago, I became somewhat upset with DNS. This is not the main reason for quitting the profession, but now that I have your attention for one final time I do want to take one last stand on two important issues.

In 2018 I did a talk over at the IETF on the ever increasing size of the combined set of DNS specifications – I had looked through the upcoming work from the various standards groups. I plotted the amount of text involved, and also extended this to the historical beginnings of DNS. And it turned out that DNS was growing at one page every two days – without getting any better. I titled this talk “The DNS Camel”, and I wondered if just one more standard might break the back of the protocol.

Many listeners were sympathetic to this story, but also, nothing happened. The protocol just continued to grow. There was the legitimate question if I could please do more than complain. My main worry was that DNS would become even more inaccessible than it was already. I launched the ‘Hello DNS’ project to create a unified point to start learning about this protocol. I think that helped.

But I still fervently believe DNS is getting way, way too big. Not only does this make our software ever more complicated, it is also ever harder for new people to enter the field. You just don’t get all this *stuff* without half a decade of experience. This will lead to dangerous bugs but it also means we’ll miss out on younger talent that has not yet had the chance to incorporate the wisdom we’ve been imparting via the many RFCs we write each year.

And I think I am not alone in believing this – as I type this I am surrounded by no less than 4 (tiny) camels that people sent me as gifts (thanks!). 

DNS and the Cloud

Later, I saw that there was a push for “the cloud” to take over yet another part of our Internet. Encrypted DNS is great, we should all do far more of that. But I was (and am) tremendously unhappy that more and more of DNS is now set to move to (among others) Google and Cloudflare control – both of whom protest that they have nothing but the best intentions. But still I see yet more of the Internet getting centralised, and I worry where that will go.

I also worry that people somehow are not worrying about this – somehow we’ve made peace with the fact that companies far away get very detailed records on everything we do online, and that we just have to live with that.

Together with Open-Xchange we spent two years spreading the word on centralised DNS over HTTPS, and I do hope we have made people think about the wisdom of moving DNS to centralised third parties.

A round of thanks and appreciations

To end on a happier note – I want to thank the PowerDNS people for the tremendous job they are doing. Already more than a year ago I started removing myself from more and more discussions, and the way you are running the business fills me with pride.

I want to thank the many people who believed in PowerDNS, who believed in me and worked with our technology, sometimes long before it was ready for prime time. You truly helped shape the product. I am very grateful for the people that decided to work with and for us, even when we did not look like much of a normal company. And of course, so much of PowerDNS actually came from the open source community, including key and core components. I can’t thank the contributors enough. 

One area of special pride is how we enabled a number of PowerDNS contributors & consultants to grow their own business or to enhance their own career. It is wonderful to see how we’ve been able to help each other get ahead in life, while doing useful things.

I also want to thank Open-Xchange (the PowerDNS parent company) for taking such good care of the company. As noted in the PowerDNS history posts, OX took in PowerDNS at a time where business was good, but the future was highly uncertain. Rafael and crew believed in the story and acquired the company. 

Open-Xchange provided a powerful sales organization, but also a rock solid project department that helped actually close deals and to deliver working solutions over at complicated customers.

It is very rare for acquisitions to be truly successful, but PowerDNS and Open-Xchange really are better together. Using the skills from both companies, PowerDNS expanded into the PowerDNS Platform that delivers the solutions that large scale internet operators need and can use.

I wish everyone the best of luck, and I sincerely hope PowerDNS continues to be a place where people love to work and that it continues to be a force that helps improve the open internet!

Signing off – 

Bert Hubert – PowerDNS co-founder (a title no one will ever take away from me!)

PowerDNS Recursor 4.4.1 and 4.3.6 Released

Hello!

Today we are releasing PowerDNS Recursor 4.4.1 and 4.3.6.

These releases fix a bug where a reply from an authoritative server could get lost, causing timeouts or ServFail answers to clients. Additionally, an issue resolving CNAMEs of the form a.b.c CNAME x.a.b.c when QName Minimization is enabled was fixed.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.4.1 changelog and 4.3.6 changelog for details.

The 4.4.1 tarball (signature), 4.3.6 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

4.1 and older releases are EOL; refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Authoritative 4.4.0-beta1

Hello!

We are very happy to announce version 4.4.0-beta1 of the Authoritative Server.

This release drops GSS/TSIG support; please see PowerDNS Security Advisory 2020-06.

Version 4.4.0 brings a bunch of exciting changes:

  • the LMDB backend now supports long record content, making it production ready for everybody
  • the SVCB and HTTPS record types are supported, with limited additional processing
  • transaction handling in the RFC 2136 (dynamic update) handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes
  • a new setting (consistent-backends) offers a roughly 30% speedup, subject to conditions
  • we finally emit Prometheus metrics!

Authoritative 4.3.x was the last release branch with support for CentOS/RHEL 6. Problems running Authoritative 4.4.x on CentOS/RHEL 6 will not be treated as bugs by us.

We want to specifically thank Robin Geuze, Kees Monshouwer, Mischan Toosarani-Hausberger, Chris Hofstaedtler, and Kevin Fleming for their contributions to this release. We are also grateful to all other reporters of bugs, issues, feature requests, and submitters of smaller fixes and features.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor and the SAD DNS attack

Short version: the PowerDNS Recursor already implements mitigations to the SAD DNS attack. However, our users will likely be vulnerable to the most complex variant of the attack, which exploits kernel behaviour. Unfortunately that is outside our control.

Long version:

Last week, a group of researchers published a new vulnerability in DNS resolvers that they call ‘a revival of the classic DNS cache poisoning attack’. In short, they have found tricks to get around some of the mitigations that resolver software has put in place to prevent spoofing, especially after the ‘Kaminsky Attack’ in 2008. There is an excellent explanation of the attack on the Cloudflare blog. We strongly suggest reading it to understand the full scope and impact of the attack.

PowerDNS Recursor already implements mitigations against the attack described in the paper, including port and ID randomisation, the use of connected sockets, and a ‘spoof attempt detection’ that we call a ‘near miss counter’ (see the last paragraph behind this link). This means that the only remaining avenue for an attacker is the ‘ICMP rate limit side channel’, which is a kernel problem. For Linux, a kernel patch (also linked on the SAD DNS web page) is available. We suggest asking your OS vendor for a timeline for delivering a patched kernel to you. Until then, blocking outgoing ICMP Port Unreachable messages has been suggested as a mitigation. Please note that we generally recommend against such blanket filters.
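The mitigations named above (random ID, random source port, connected sockets, and the near-miss counter) can be shown together in a small model. This is an added, hypothetical illustration written for this page, not the Recursor's own code: the near-miss bookkeeping, the threshold value and the "retry over TCP" action are assumptions about how such a detector behaves, and the ephemeral port range is constructed rather than kernel-assigned.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
from typing import Dict

@dataclass(frozen=True)
class OutstandingQuery:
    qname: str
    txid: int       # random 16-bit transaction ID
    src_port: int   # random source port of the connected UDP socket
    remote: str     # authoritative server the query was sent to

@dataclass(frozen=True)
class Reply:
    src_addr: str   # address the datagram claims to come from
    dst_port: int   # local port it arrived on
    txid: int

def new_query(qname: str, remote: str) -> OutstandingQuery:
    # ID and port both come from a CSPRNG. The port range 32768-60999 is a
    # constructed stand-in for the kernel's ephemeral range.
    return OutstandingQuery(qname, secrets.randbelow(1 << 16),
                            32768 + secrets.randbelow(28232), remote)

class NearMissTracker:
    """Hypothetical spoof-attempt detector.

    A reply that reaches the right port from the expected server but carries
    the wrong ID is a 'near miss'. Once a query collects more than `threshold`
    of them, the caller is told to retry over TCP, where guessing the ID and
    port is no longer enough to inject an answer."""

    def __init__(self, threshold: int = 20):
        self.threshold = threshold
        self.outstanding: Dict[int, OutstandingQuery] = {}  # keyed by src_port
        self.near_misses: Dict[int, int] = {}

    def send(self, q: OutstandingQuery) -> None:
        self.outstanding[q.src_port] = q
        self.near_misses[q.src_port] = 0

    def _finish(self, port: int) -> None:
        del self.outstanding[port]
        del self.near_misses[port]

    def on_reply(self, r: Reply) -> str:
        q = self.outstanding.get(r.dst_port)
        if q is None:
            return "drop"            # no query waiting on that port
        if r.src_addr != q.remote:
            return "drop"            # a connected socket never delivers these
        if r.txid == q.txid:
            self._finish(r.dst_port)
            return "accept"          # right port, right server, right ID
        self.near_misses[r.dst_port] += 1
        if self.near_misses[r.dst_port] > self.threshold:
            self._finish(r.dst_port)
            return "retry_over_tcp"  # too many wrong-ID replies: suspect spoofing
        return "near_miss"
```

The counter is per outstanding query, so an unrelated burst of stray datagrams on a closed port is simply dropped and never counts against a live query.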

Authoritative 4.4.0-alpha3

Hello!

We are very happy to announce version 4.4.0-alpha3 of the Authoritative Server.

(A painful bug in the LMDB backend was found just as we started the Alpha 2 release process, so we decided to skip right on to Alpha 3, with that bug fixed).

This release drops GSS/TSIG support; please see PowerDNS Security Advisory 2020-06.

Version 4.4.0 brings a bunch of exciting changes:

  • the LMDB backend now supports long record content, making it production ready for everybody
  • the SVCB and HTTPS record types are supported, with limited additional processing
  • transaction handling in the RFC 2136 (dynamic update) handler and the HTTP API was again improved a lot, avoiding various spurious issues users may have noticed if they do a lot of changes
  • a new setting (consistent-backends) offers a roughly 30% speedup, subject to conditions
  • we finally emit Prometheus metrics!

Authoritative 4.3.x was the last release branch with support for CentOS/RHEL 6. Problems running Authoritative 4.4.x on CentOS/RHEL 6 will not be treated as bugs by us.

We want to specifically thank Robin Geuze, Kees Monshouwer, Mischan Toosarani-Hausberger, and Chris Hofstaedtler for their contributions to this release. We are also grateful to all other reporters of bugs, issues, feature requests, and submitters of smaller fixes and features.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release of PowerDNS Recursor 4.4.0

Hello!

We are proud to announce the release of PowerDNS Recursor 4.4.0.

Compared to the last release candidate, this release contains a fix for the cache pollution issue described in security advisory 2020-07. Please refer to the changelog for details.

Compared to the 4.3 release of PowerDNS Recursor, this release contains these major enhancements:

  • Native DNS64 support, without the need to use Lua.
  • The ability to add custom tags to RPZ hits.
  • Names encountered while resolving CNAMEs are now subject to RPZ processing.
  • More detailed information about RPZ handling is now available while tracing, in Lua and in the protobuf logging messages.
  • To allow more efficient use, the record cache is now shared between threads.
  • A routing tag can be added in Lua code. It is used as an additional record cache key instead of an EDNS subnet mask, which allows a simpler record cache structure and improves query processing where the EDNS subnet mask is relevant.
  • The Proxy Protocol version 2 has been implemented to allow for a structured exchange of information between a client (typically dnsdist) and the Recursor. See the documentation for details.

We are grateful to all reporters of bugs, issues, feature requests, and submitters of fixes and features. We would also like to thank everybody who tested the pre-releases.

Please note that with this release, the 4.1.x branch will be marked End of Life and the 4.2.x branch will go into critical security update mode only. See our release cycle document for more details. The upgrade notes contain information that helps with upgrades from previous versions.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Stretch and Buster, Ubuntu Xenial, Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.