Third Alpha Release of DNSDist 1.6.0

Hi everyone,

We are happy to announce the third alpha release of dnsdist 1.6.0. This release contains a few fixes for issues reported in the second alpha:

  • DNS over HTTPS queries with a non-zero ID were not properly handled. Very few DoH clients actually send an ID with a value different than 0 but it does happen and is allowed by RFC 8484. Many thanks to Frank Denis for reporting the issue !
  • The connect timeout was not used for outgoing TCP connections, and the write timeout was used instead.

In addition to these fixes, several improvements were made:

  • Reduced memory usage for idle DNS over HTTPS and DNS over TLS connections, saving roughly 35 kB per connection.
  • Smarter caching of outgoing TCP connections, ability to configure the number of concurrent incoming TCP connections per frontend, with more metrics.
  • Sharding has been enabled in the ring buffers and the packet cache by default, leading to better performance in the default configuration.
  • TLS renegotiation is now disabled by default, to prevent issues like CVE-2021-3449 in the future.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

Upcoming package removals

As you may know, PowerDNS hosts RPM and Debian packages in our package repositories. Packages are available in binary form as RPM and Debian packages for various distributions. Some of these distributions are coming up to their End Of Life dates and will therefore not be supported by PowerDNS anymore. This blogpost explains which distributions and packages will no longer be supported or available.

CentOS 6 / Red Hat Enterprise Linux 6

CentOS 6 became EOL in November 2020. New versions of PowerDNS products will no longer be built for CentOS 6. Some of the EL6 repositories have not yet been removed for contractual reasons, but will be removed at an unspecified future date. This removal will not be announced and we urge those with extended RHEL 6 support to mirror these packages themselves.

All CentOS 6 packages will be removed at an unspecified future moment, without warning.

Ubuntu 16.04 Xenial

Ubuntu 16.04 Xenial will be EOL in April 2021. Auth 4.4, Recursor 4.4 and dnsdist 1.5 are the last versions supported for Xenial. Canonical offers paid Extended Security Maintenance (ESM) on selected packages in Xenial until April 2024, however, PowerDNS does not offer this kind of support on the Xenial packages. Hence, we will remove all Xenial repositories when Xenial goes EOL at the end of April 2021.

We advise you to upgrade to Ubuntu Bionic or Focal. If upgrading is not possible, we suggest you mirror the existing packages to prevent business continuity problems, and build any upcoming versions with security fixes yourself.

All Ubuntu Xenial packages will be removed end of April 2021.

Debian 9 ‘Stretch’

Debian 9 “Stretch” became EOL in July 2020 and is now in (free, open source) Long Term Support mode until 2022. Its successor “Buster” came out in July 2019. Until now, we have been building packages for newer PowerDNS releases for Stretch. For the upcoming releases (Auth 4.5, Recursor 4.5, dnsdist 1.6), we have stopped doing this. The older releases will be supported on Debian Stretch until that next release (4.5 or 1.6) comes out.

All Debian Stretch packages for the Authoritative Server will be removed when Auth 4.5 is released.

All Debian Stretch packages for the Recursor will be removed when Recursor 4.5 is released.

All Debian Stretch packages for dnsdist will be removed when dnsdist 1.6 is released.

Raspbian/Raspberry Pi OS

To simplify time handling, we have recently decided to no longer support systems where time_t is 32 bits. This means that Auth/Rec 4.4 and dnsdist 1.5 are the last supported releases for (32-bit) Raspbian/Raspberry Pi OS. In addition to that, Raspbian deprecation follows our Debian deprecation roadmap.

We are working on ARM64 builds for various OSes, but no timeline has been decided yet.

All Raspbian Stretch packages for the Authoritative Server will be removed when Auth 4.5 is released.

All Raspbian Stretch packages for the Recursor will be removed when Recursor 4.5 is released.

All Raspbian Stretch packages for dnsdist will be removed when dnsdist 1.6 is released.

No Raspbian packages (any release) will be built for Auth 4.5 and up, Recursor 4.5, and dnsdist 1.6 and up.

Raspbian Buster will be supported in Auth 4.4, Rec 4.4 and dnsdist 1.5 until those versions go EOL.

PowerDNS open source support policy

Each PowerDNS product is supported for about 1.5 years from a x.y.0 release. (see the EOL policy). The first 6 months of this support includes bug and stability fixes. In the future, we will not even ship x.y.0 releases for distributions that will go EOL before the end of that initial 6 month period.

First Beta Release of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the first beta release of what should become PowerDNS Recursor 4.5.0. This release contains various bug fixes, improvements and new features.

This first beta contains a rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% . This is a rather substantial change and we would be very grateful for tests and feedback from the community.

Another notable feature is the implementation of EDNS0 padding (RFC 7830) for answers sent to clients.

The upcoming 4.5.0 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that have nameservers that do not resolve.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.
  • The spoof-nearmiss-max setting‘s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
  • Incoming queries over TCP now also use the packet cache, providing another performance increase.
  • File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.
  • TCP FastOpen (RFC 7413)  support for outgoing TCP connections to authoritative servers and forwarders.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

PowerDNS Recursor 4.3.7 Released

Hello!

Today we are releasing PowerDNS Recursor 4.3.7.

This release fixes a bug where the wrong TTL could be used when inserting records into the packet cache. Additionally, the recursor no longer resolves unneeded names when chasing CNAME records if QName Minimization is enabled.

Please refer to the 4.3.7 changelog  for details.

The 4.3.7 tarball (signature) is available at downloads.powerdns.com and packages for various Linux distributions are available from repo.powerdns.com.

4.1 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Authoritative Server 4.3.2

Hello,

We are happy to announce version 4.3.2 of the Authoritative Server.

This release fixes latency calculations to match the approach used in 4.4.0, to make comparisons between 4.3 and 4.4 more useful.

It also contains a few build-related improvements.

Please find a full list in the changelog.

The tarball (signature) is available at downloads.powerdns.com and packages for various Linux distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Third Alpha Release of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the third alpha release of what should become PowerDNS Recursor 4.5.0. This release contains various bug fixes, improvements and new features. The seond alpha was an internal release only and never went public.

The upcoming 4.5.0 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that have nameservers that do not resolve.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.
  • The spoof-nearmiss-max setting‘s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
  • Incoming queries over TCP now also use the packet cache, providing another performance increase.
  • File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x releases will go into critical security fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and features.

Second Alpha Release of DNSDist 1.6.0

Hi everyone,

We are happy to announce the second alpha release of dnsdist 1.6.0. This release contains mostly fixes for issues reported in the first release candidate:

  • A race condition was found to sometimes occur at startup, making it possible for the first TCP connection to happen before the creation of TCP workers and lead to a crash.
  • Stéphane Bortzmeyer reported many TCP timeouts with the first alpha that did not happen with 1.5.x. We unfortunately did not manage to reproduce these timeouts, but we spent quite some time expanding the coverage of our TCP code, uncovering several bugs in the process. Although we unfortunately cannot be sure that the issue experienced by Stéphane has been fixed, the resulting code has seen much more testing and we have received excellent feedback from other users in the meantime, leading to this second alpha candidate.
  • The cache cleaning algorithm did not properly remove expired entries from all shards, when more than one shard was used and setCacheCleaningPercentage set below 100%. This led to a drop in the cache efficiency in the long run.
  • A null pointer dereference has been found when accessing a dynamic BPF block (DynBPF) object in client mode.
  • A debug line was not properly removed in the web server code, logging a new line for every HTTP query.

In addition to these fixes, Sander Hoentjen contributed several improvements to allow spoofing answers with multiple records, and Aki Tuomi introduced automatic conversion to string for several objects in Lua. Many thanks to them!

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

PowerDNS Authoritative Server 4.4.1

Hello!

We are proud to announce version 4.4.1 of the Authoritative Server. This releases fixes several small issues discovered since the release of 4.4.0.

Please find a full list in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

The tarball (signature) is available at downloads.powerdns.com and packages for CentOS 7 and 8, Debian Buster, Ubuntu Bionic and Focal are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

First Alpha Release of DNSDist 1.6.0

Hello!

We are proud to announce the first alpha release of dnsdist 1.6.0. This release contains several new exciting features, as well as improvements and bug fixes.

In our view, the most exciting new feature is the support of out-of-order processing for TCP and DNS over TLS connections. Out-of-order processing makes it possible to have several concurrent queries on the same TCP connection, and to receive the answers to these queries as soon as they are ready. Along with connection reuse, this reduces the overhead of TCP by a huge factor. Starting with 1.6.0, dnsdist will accept up to 65536 concurrent queries on the same incoming TCP connection, and will pass all of these to the backend over a single connection as well, provided that the backend supports it. This feature is not enabled by default, and can be enabled via the maxInFlight parameter of the addLocal/addTLSLocal (client-side) and the newServer (backend-side) commands.

This new version also brings support for accepting a Proxy Protocol header on incoming connections, making it possible for a frontend to provide dnsdist with the initial source and destination ports and addresses, as well as custom values. dnsdist can then process, add and remove values before passing the information to the backend. Chaining two dnsdist instances has never been this easy!

Other new features include the ability to define custom web endpoints in Lua, to extend the existing API, as well as the ability to create blazing-fast, lock-less per-thread custom load-balancing policies using the Lua foreign function interface (FFI).

Among the many improvements, dnsdist’s packet cache no longer hashes EDNS Cookies by default, which means that two queries that are identical except for the content of their cookies will now be served the same answer. Note that it might necessary to restore the existing behaviour when dnsdist is in front of a backend actually using EDNS Cookies, which can be done via the cookieHashing parameter to newPacketCache.

Users of our own protocol buffer logging mechanism, or of dnstap, will be happy to learn that we replaced our implementation based on Google’s protocol buffer library by a tremendously faster one, based on the protozero library. This change results in much lower CPU utilization and increased scalability in a transparent way.

If you intend to test this alpha release, for which we would be very grateful, please be aware that a few actions and commands have been renamed to clear some ambiguities. Almost all actions that allow further processing of rules now start with ‘Set’, to prevent mistakes:

Some commands changing the order of the rules could have easily been confused with the ones providing insight into the current traffic, and have therefore also been renamed:

Please also note that the use of additional parameters on the webserver command has been deprecated in favor of using setWebserverConfig.

Regular users should not be impacted by this change, but packagers should be aware that since 1.6.0 dnsdist now uses the C++17 standard instead of the C++11 one it was previously using.

Please see the dnsdist website for the more complete changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

Release tarballs are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release, and in particular Stephane Bakhos, Georgeto, Matti Hiljanen, Nuitari, Sukhbir Singh and Mischan Toosarani-Hausberger!

First Alpha Release of PowerDNS Recursor 4.5.0

Hello!,

We are proud to announce the first alpha release of what should become PowerDNS Recursor 4.5.0. This release contains various bug fixes, improvements and new features. 

The upcoming 4.5.0 release features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

  • The complete protobuffer and dnstap logging code has been rewritten to have much smaller performance impact.
  • We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
  • The default minimum TTL override has been changed from 0 to 1.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository.

With the future 4.5.0 final release, the 4.2.x releases will be EOL and the 4.3.x releases will go into critical security fixes only mode. Consult the EOL policy for more details.

We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and features.