PowerDNS Authoritative Server 4.1.9 Released

This maintenance release of the PowerDNS Authoritative Server has the following changes:

  • by popular demand, the option to disable superslave support has been backported from 4.2.0 to 4.1.9 (#7922)
  • pdnsutil b2b-migrate would lose NSEC3 settings. This has been corrected now. (#7921)

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.2.0 Release Candidate 2

We are pleased to announce the second Release Candidate for Authoritative Server version 4.2.0. Many of our users have given RC1 a spin, and we very much appreciate their feedback.

RC2 contains a host of minor robustness improvements, some performance increases, and other improvements. We’ll name a few here; for the rest, please see the changelog:

  • improved logging in gsqlbackend, and in the web server
  • no more path discovery on UDP; no more disabling of TCP
  • when truncating a response might strip out relevant glue, we instead truncate the whole packet now
  • the sdig tool can query DoH servers now
  • backend transactions (from either the API or pdnsutil) now use transactions correctly for most situations. This avoids funky ‘my record disappeared for 1 millisecond and now everybody has that cached’ situations.
  • LUA records can now be configured to reuse their Lua state between invocations, giving a 7x speedup!

Please try this version, especially if you had any problems with RC1. With some luck, RC2 can become 4.2.0 with no changes in just a week or two!

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Bionic, Trusty, Xenial and Cosmic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.1.14 Released

This is a maintenance release that adds two counters for the number of queries received with the AD and CD bit set. The counters are named dnssec-authentic-data-queries and dnssec-check-disabled-queries, respectively. Additionally, a Lua-related bug was fixed.

The changelog:

  • #7906: Add statistics counters for AD and CD queries.
  • #7912: Add missing getRegisteredName Lua function.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

dnsdist 1.4.0-beta1

We are very happy to announce the first beta release of the 1.4.0 version of dnsdist. This version fixes a crash in the DNS over HTTPS (DoH) implementation and adds a new rule to route queries based on the incoming TLS Server Name Indication (SNI) value. It also adds latency histograms to the Prometheus export, courtesy of Marlin Cremers.

As with the alpha releases, your feedback will be much appreciated so we can deliver a stable 1.4.0 final release!

Please see the dnsdist website for the more complete changelog and the current documentation.

Release tarballs are available on the downloads website.

Several packages are also available on our repository.

PowerDNS Recursor 4.2.0 Release Candidate 1

We’re proud to announce Release Candidate 1 for the PowerDNS Recursor 4.2 release train.

There have been some minor changes since the beta 1:

  • #7818: Use net-snmp-config --netsnmp-agent-libs instead of --agent-libs,
  • #7826: Fix the detection of snmp_select_info2(),
  • #7813: Ensure a valid range to string() in PacketReader::getUnquotedText().

Please see the changelog for details.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie, Stretch and Buster, Ubuntu Trusty, Xenial, Bionic and Cosmic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.1.13 Released

This is a maintenance release that adds an option to reduce the performance impact of memory-statistics collection and fixes the DNSSEC processing of wildcard records.

The changelog:

  • #7673: Add the disable-real-memory-usage setting to skip expensive collection of detailed memory usage info,
  • #7816: Fix DNSSEC validation of wildcards expanded onto themselves.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Trusty, Xenial and Bionic are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

How PowerDNS is Open Source & a successful business, or, why are we talking about 5G?

What does PowerDNS actually do?

This is a good question, one we can ask about any company. How do they stay alive, what services do they deliver, who do they sell them to?

For Open Source companies, the question is doubly interesting: if your software is so great, and you give it away for free (as in freedom), how do you survive?

In this post I want to explain how PowerDNS (and our parent Open-Xchange) have squared this circle. In many large countries, PowerDNS & Open-Xchange are now the DNS supplier to the largest telecommunications companies.

Below you will also read why we are all of a sudden talking about end-to-end monitoring, “the 5G transition”, DNS over HTTPS and (Network Function) Virtualization (NFV).

Products
Everything starts with products of course, and PowerDNS has four main ones. The Authoritative Server hosts domain names, and it dominates the mid-size market of hosters running up to 10 million domains. While there are other very good open source authoritative nameservers, PowerDNS has an edge because of its wide support for databases, its DNS-aware checking API and lately the new LUA records which deliver DNS based traffic-engineering, failover and load-balancing.

The PowerDNS Recursor meanwhile has picked an interesting niche among resolvers & caches, where again the open source landscape delivers outstandingly good software. The Recursor supports the big important features of course, like DNSSEC and shortly QName minimization, but our focus has been on providing servers that deliver great performance & rock-solid stability for high-capacity operators, while retaining the flexibility to do malware filtering, parental control and security analysis. Of specific note is our support for interoperating with CDNs like Akamai that require EDNS Client Subnet, while retaining top performance.

Our third product, dnsdist, for now appears to be unique – a scriptable high performance, DoS-aware load balancer & distributor of DNS queries. It protects installations from denial of service attacks, of which even small ones can burn up a lot of CPU. Dnsdist also delivers such modern encrypted variants of DNS as DNS over HTTPS and DNS over TLS. It has a built-in cache that delivers stellar performance even on top of a slow backend. Dnsdist is highly flexible and can redirect queries based on almost every aspect of a question. It frequently replaces dedicated load-balancer hardware. Although only a few years old, we were very pleased to learn dnsdist was part of the recent NATO Locked Shields cybersecurity exercise in Estonia.

These first three products are built in close cooperation with our lovely community. A community is far more than people supplying patches. It also consists of users vocally telling us what they need or pointing out that what we do is exactly what they don’t need. It consists of the heroes that test pre-releases and let us know if the quality or the features are where they should be. We are also super happy with users that point out where documentation is missing or wrong. Conversely, we truly enjoy helping our users improve their lives with open source, where we cooperate daily with other open source projects.

Finally there is the part that is not open source, the PowerDNS Platform that delivers the first three products in an integrated, automated, monitored and graphed solution, with a central graphical & scriptable control plane. In addition, with OX Protect, this platform provides for malware filtering & parental control.

What we actually sell
Who would buy a nameserver when there are so many good ones available to download for free? Asking the question almost answers it: operators that do not wish to deploy and assemble the raw goods they can find on the internet. While it is entirely possible to have teams and infrastructure in place to do just that, many modern telecommunications operators have decided to only deploy fully supported units of functionality.

While it is entirely possible to assemble similar functionality to our Platform with open source components, this is a lot of work and operators would have to learn how to scale, monitor and control such a system. There is value in getting this as a preassembled whole – even as we retain our open interfaces for integration into existing monitoring and graphing systems. But beyond that – assembling platforms by hand is a risky business.

This is a variant of the old story that no serious company would run software without a support contract in place. While this was not quite true, what we are seeing today is a step even beyond that. A support contract is a suitable solution if the operator decides to take full ownership of architecting, deploying, testing and running a project. The support is important for the rare cases where things do not go as planned – it is in fact a warranty.

Although we have a number of excellent customers where we provide such support as a service, in almost all cases our engagement these days goes far beyond answering email messages.

Delivering functionality
A large scale enterprise, like a telecommunication service provider, is a complex organization. For every project there are many stakeholders – there are product departments that want specific functionalities and performance for the subscribers. There are legal and compliance departments that make sure vendors have the right certifications and can be held liable for intellectual property violations. Service Level Agreements need to be spelled out in great detail, including penalty clauses. Whenever consumer communications are touched, GDPR compliance is of utmost importance.

Then there are network and infrastructure teams that each have their own requirements for hardware, virtualization specifications and capacity. On top of this, there are always existing software installations with sometimes custom features that need to be retained and migrated.

Of supreme importance is high-level sign-off. Senior management needs to be reassured that this is a vendor worth betting on. Or as a big PowerDNS customer once phrased it “you need to hire more golf players to grow”. We took this message on board. This is also why you will be seeing PowerDNS opine on 5G deployments, on Network Function Virtualization and End-to-End performance monitoring and reporting.

To round this off, a project of any serious size will be run through a procurement department, often at group level, sometimes even in a different company. Navigating an RFP is a skill in itself – especially when third party integrators or vendors are fronting the project.

In short, to deliver a working solution requires coordination among all these departments and the creation of an architecture, a training plan, a support structure, a hardware/software layout, a migration procedure, and all of this needs to be ‘sold’ through the procurement department.

So if a modern telecommunications company wants to deploy a new nameserver constellation, it will require not just the software but all of the above.

Deploying functionality
After a project has been specced up properly and the papers are signed, next up is the actual deployment and migration. When we launched PowerDNS in the late 1990s, it was clearly up to the operator to perform deployment and migrations. This made sense on one level: testing & deploying software (or hardware) is the best way to make sure operators fully understand what they bought and that they can support it themselves.

Conversely however, a vendor deploys and migrates its products all the time. Vendors therefore have developed tooling and procedures to make this happen swiftly. We can’t expect a service provider that does a hardware refresh once every 4 years to have performed many migrations itself with the existing staff – it simply does not happen that often.

These days, most customers ask us to be very or even completely hands-on during testing, rollout and migration. We do however vastly prefer to perform such operations in close cooperation with the intended operators – because it remains true that “doing” is the ultimate form of training.

Collaborative operations
Traditionally, vendors grudgingly provide support in case of proven malfunctions. It is now so hard to open tickets with major network vendors that at least one company we know of sells “opening network vendor tickets” as-a-service – allowing operators to focus on solving problems. This is not how we want our customers to work with us however!

To our large scale operators, we provide collaborative operations services. This means there is no need to ‘escalate’ something to make it an issue. Whenever there is a need for a configuration change, or there is a worry because of a graph that is going the wrong way, we are there to provide guidance, scripts or hands-on help.

What we have managed to do is retain our open source collaborative nature, but deliver it also to the largest of operators, wrapped in solid service level agreements.

Summing it up
“The secret to PowerDNS’s success” is that we are able to take excellent open source software, and deliver it to large scale telecommunications service providers, while continuing to be an open and accessible vendor. And it turns out that everything we provide on top of the raw open source software is worth good money to our customers.

As of 2019, PowerDNS is growing rapidly. And as the rollout of DNS over TLS/HTTPS, 5G transition, (Network Function) Virtualization at service providers continues, it appears we will be an ever larger part of the telecommunication landscape.

If you or your company are interested in working with us for your next DNS project, please do not hesitate to contact us! For more about PowerDNS, please head to https://powerdns.com or to https://open-xchange.com/.