Moving CentOS 8 builds to Oracle Linux 8

As you might be aware, CentOS 8 has reached End of Life on December 31st 2021. Furthermore, yesterday, CentOS 8 actually disappeared from the distribution mirrors. While we had made plans for this, we failed to execute those plans until now. This means we will need to switch build environments on some of our supported branches (Recursor and Authoritative 4.4/4.5/4.6, and dnsdist 1.5/1.6/1.7) mid release cycle. We are making those changes this week.

In mid-2021, we did extensive testing of building and running on the various CentOS alternatives, and came to one very clear conclusion – while the resulting binaries were not always bit for bit identical, the differences were uninteresting. Because of this, we believe users will not notice this change in our build environment at all and can continue to run our packages on their RHEL-derivative of choice.

However, just in case incompatible changes pop up, we are not switching the 7 build environment at this time.

Authoritative Server 4.6.0

Hello!

after a very useful beta/RC period in which we received some excellent bug reports, we released Authoritative Server version 4.6.0 today.

Version 4.6.0 mostly brings small improvements and fixes, but there are three notable new features:

  • support for incoming PROXY headers
  • support for EDNS cookies
  • autoprimary management via pdnsutil and the API

Support for PROXY headers allows you to put a load balancer (such as dnsdist) in front of the Authoritative Server, while still having the Auth see the actual IPs of clients talking to it.

EDNS Cookies allow resolvers that support it to have an extra layer of authentication on their communication with the Authoritative Server.

Compared to 4.6.0-alpha1, the major user visible change is the new NSEC3PARAM settings – check the upgrade docs below for more information. Besides that, various bugs have been fixed.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.5.3

Hello!

Today we published release 4.5.3 of the Authoritative Server. It contains several robustness fixes for the LMDB backend, and for the zone cache.

Please find a full list in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for various Linux distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

dnsdist 1.7.0 released

Hello!

We are proud to announce the release of dnsdist 1.7.0. This release contains several new exciting features since 1.6.1, as well as improvements and bug fixes. It contains one single change from the first release candidate, a fix for DynBlockRatioRule::warningRatioExceeded provided by Doug Freed.

In our view, the most exciting new feature of 1.7.0 is the support of outgoing DNS over TLS and DNS over HTTPS, as well as the ability to do “cross-protocol” queries, meaning a query received over a given protocol (UDP, TCP, DoT, DoH, …) can be forwarded over a different one. Now that dnsdist is capable of contacting its backend over an encrypted channel, full end-to-end encryption is possible, offering improved confidentiality and integrity.

Among the new features is the ability to add a custom EDNS option to a query before forwarding it to a backend, via SetEDNSOptionAction. phonedph1 also contributed a new rule making it possible to route a query based on the number of outstanding queries in a pool, PoolOutstandingRule.

Pierre Grié from Nameshield contributed an XDP program to reply to blocked UDP queries with a truncated response directly from the kernel, in a similar way to what we were already doing using eBPF socket filters. This version adds support for eBPF pinned maps, allowing dnsdist to populate the maps using our dynamic blocking mechanism, and letting the external XDP program do the actual blocking or response.

The packet cache has been improved so that one can now configure which EDNS options should be ignored, raising the cache hit ratio behind customer-premises equipment. The incoming and outgoing protocols have been added to the output of the grepq command for a better understanding of the recently processed traffic.

Dimitrios Mavrommatis improved the handling of AXFR and IXFR queries, making it possible to reuse a TCP connection used for a zone transfer much more efficiently.

We added support for generating the still experimental SVCB and HTTPS records directly from dnsdist, offering potential benefits to both performance and privacy.

Our LMDB code has gained the ability to do range-based lookups, and is now more performant even for simple lookups.

Extending the per-thread custom load-balancing policies introduced in 1.6.0, it is now possible to write blazing-fast, lock-less per-thread custom actions using the Lua foreign function interface.

Holger Hoffstätte also improved the reporting of an unavailable backend, making sure the existing metrics are no longer reported to prevent any confusion.

This release also reduces the memory footprint of dnsdist in several places, which makes it easier to use in resource-constrained environments.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With this release, the 1.4.x releases become be EOL and the 1.5.x and 1.6.x releases go into critical security fixes only mode.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release!

First Release Candidate for Authoritative Server 4.6.0

Hello!

Today we released the first Release Candidate for Authoritative Server version 4.6.0.

Version 4.6.0 mostly brings small improvements and fixes, but there are three notable new features:

  • support for incoming PROXY headers
  • support for EDNS cookies
  • autoprimary management via pdnsutil and the API

Support for PROXY headers allows you to put a load balancer (such as dnsdist) in front of the Authoritative Server, while still having the Auth see the actual IPs of clients talking to it.

EDNS Cookies allow resolvers that support it to have an extra layer of authentication on their communication with the Authoritative Server.

Compared to 4.6.0-alpha1, the major user visible change is the new NSEC3PARAM settings – check the upgrade docs below for more information. Besides that, various bugs have been fixed.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First release candidate of dnsdist 1.7.0

Hello!

We are happy to announce the first release candidate of what will become dnsdist 1.7.0, with only one fix and one improvement since the second beta.

We fixed a crash introduced in 1.7.0-alpha1 that could occur when a DoH query was forwarded to a backend over TCP, DoT or DoH and the response was dropped by a rule.

We also improved the health-checks queries done over DoT so that we could use any cached TLS ticket when connecting to the server, but also save new tickets so that they can be used for later connections. That reduces the CPU load and improves response time on devices dealing with a low number of queries per second.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.

With the future 1.7.0 final release, the 1.4.x releases will be EOL and the 1.5.x and 1.6.x releases will go into critical security fixes only mode.

PowerDNS Recursor 4.6.0 Released

We are proud to announce the release of PowerDNS Recursor 4.6.0.

Compared to the previous major (4.5) release of PowerDNS Recursor, this release contains several sets of changes:

  • The ability to flush records from the caches on a incoming notify requests. Many thanks to Kevin P. Fleming for this feature!
  • A rewrite of the outgoing TCP code, adding both re-use of connections and support for DoT to authoritative servers or forwarders.
  • Many improvements in the area of metrics: more metrics are collected and more metrics are now exported in a Prometheus friendly way.
  • A new Zone to Cache function that will retrieve a zone (using AXFR, HTTP, HTTPS or a local file) periodically and insert the contents into the record cache, allowing the cache to be always hot for a zone. This can be used for the root or any other zone.
  • An experimental Event Tracing function, providing insight into the time taken by the steps in the process of resolving a name.

Re-use of TCP/DoT connections is achieved by not closing connections, leaving them open for re-use. Previously, a TCP connection would be closed after a single query-reply exchange. The policy used to keep idle connections open is governed by various settings.

By default, if a forwarder is specified using port 853, DoT will be used to connect to that forwarder. It is also possible to list specific nameservers that should be contacted over DoT. Note that no certificate validation is done. After the standard committees define discovery of authoritative servers offering DoT, we will add functionality to allow automatic switching to DoT including validation of certificates.

As always, there are also many smaller bug fixes and improvements, please refer to the changelog for additional details. When upgrading do not forget to check the upgrade guide.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With this 4.6.0 release, the 4.3.x releases will be marked EOL and the 4.4.x and 4.5.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to mention that with the 4.5 release we stopped supporting systems using 32-bit time. This includes most 32-bit Linux platforms.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

PowerDNS and Log4J/Log4Shell

As you may have heard, a critical vulnerability in the Log4J library was published recently. We have received questions about our software’s vulnerability to these exploits.

None of our open source products use Java:

  • PowerDNS Authoritative Server
  • PowerDNS Recursor
  • dnsdist
  • metronome

Also, none of the commercial PowerDNS products use Java. If you are a customer and you have concerns, please contact us.

However, we do know that some of our users output various data streams (logs, dnstap, our own Protobuf logging, etc.) from our software. Those streams may end up in 3rd-party products like Elasticsearch, which is vulnerable (Elastic advisory on Log4J).

So, to judge if you, as a PowerDNS user, are affected by the Log4J vulnerability, please take into account what you do with your DNS data!

First Beta Release for Authoritative Server 4.6.0

Hello!

Today we released the first Beta version for Authoritative Server version 4.6.0.

Version 4.6.0 mostly brings small improvements and fixes, but there are two notable new features:

  • support for incoming PROXY headers
  • support for EDNS cookies

Support for PROXY headers allows you to put a load balancer (such as dnsdist) in front of the Authoritative Server, while still having the Auth see the actual IPs of clients talking to it.

EDNS Cookies allow resolvers that support it to have an extra layer of authentication on their communication with the Authoritative Server.

Compared to 4.6.0-alpha1, the major user visible change is the new NSEC3PARAM settings – check the upgrade docs below for more information. Besides that, various bugs have been fixed.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First release candidate of PowerDNS Recursor 4.6.0

We are proud to announce the first release candidate of PowerDNS Recursor 4.6.0.

Compared to the beta2 release, this release fixes an issue with incoming queries over TCP and with the systemd unit file for virtual hosting.

Compared to the previous major (4.5) release of PowerDNS Recursor, this release contains several sets of changes:

  • The ability to flush records from the caches on a incoming notify requests. Many thanks to Kevin P. Fleming for this feature!
  • A rewrite of the outgoing TCP code, adding both re-use of connections and support for DoT to authoritative servers or forwarders.
  • Many improvements in the area of metrics: more metrics are collected and more metrics are now exported in a Prometheus friendly way.
  • A new Zone to Cache function that will retrieve a zone (using AXFR, HTTP, HTTPS or a local file) periodically and insert the contents into the record cache, allowing the cache to be always hot for a zone. This can be used for the root or any other zone.
  • An experimental Event Tracing function, providing insight into the time taken by the steps in the process of resolving a name.

Re-use of TCP/DoT connections is achieved by not closing connections, leaving them open for re-use. Previously, a TCP connection would be closed after a single query-reply exchange. The policy used to keep idle connections open is governed by various settings.

By default, if a forwarder is specified using port 853, DoT will be used to connect to that forwarder. It is also possible to list specific nameservers that should be contacted over DoT. Note that no certificate validation is done. After the standard committees define discovery of authoritative servers offering DoT, we will add functionality to allow automatic switching to DoT including validation of certificates.

As always, there are also many smaller bug fixes and improvements, please refer to the changelog for additional details. When upgrading do not forget to check the upgrade guide.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the final 4.6 release, the 4.3.x releases will be marked EOL and the 4.4.x and 4.5.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to mention that with the 4.5 release we stopped supporting systems using 32-bit time. This includes most 32-bit Linux platforms.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.