[Pdns-announce] PowerDNS Recursor 3.2 Available
bert.hubert at netherlabs.nl
Sun Mar 7 12:29:51 CET 2010
-----BEGIN PGP SIGNED MESSAGE-----
Please find below the release notes of the PowerDNS Recursor version 3.2!
Compared to RC1 and RC2 this version mostly contains compilation and
platform fixes (for Solaris and CentOS4/RHEL4), as well as improved
statistics, diagnostics and '--help' output, and assorted small useability
RC1 and RC2 are already deployed in a number of large places, and it appears
to be holding up well. In addition, a number of future users have performed
stringent testing and performance measurements, and it appears this version
It is also observed that this release candidate provides for vastly improved
performance compared to 3.1.7.*, even bringing us close to the very
impressive numbers measured by users of the Nominum Vantio and Nominum CNS
software. On modern hardware, the PowerDNS Recursor may in fact be faster,
and certainly better value for money. For more details, please see below.
The PowerDNS Recursor 3.2 releases is a highly recommended upgrade.
We are very interested in hearing your experiences, and if there are any
issues, please let us know.
These directories also contain PGP signatures.
Please note that the 'universal' RPMs are, in fact, too new for RHEL4 and
derived distributions. It is expected that in the coming week,
RHEL4-compatible RPMs will be announced.
(Nominum, Nominum CNS & Nominum Vantio are trademarks owned by
Version with clickable links:
Lua scripts from version 3.1.7.* are fully compatible with
version 3.2. However, scripts written for development snapshot
releases, are NOT. Please see Section 12.7 for details!
The 3.2 release is the first major release of the PowerDNS
Recursor in a long time. Partly this is because 3.1.7.*
functioned very well, and delivered satisfying performance,
partly this is because in order to really move forward, some
heavy lifting had to be done.
As always, we are grateful for the large PowerDNS community
that is actively involved in improving the quality of our
software, be it by submitting patches, by testing development
versions of our software or helping debug interesting issues.
We specifically want to thank Stefan Schmidt and Florian
Weimer, who both over the years have helped tremendously in
keeping PowerDNS fast, stable and secure.
This version of the PowerDNS Recursor contains a rather novel
form of lock-free multithreading, a situation that comes close
to the old '--fork' trick, but allows the Recursor to fully
utilize multiple CPUs, while delivering unified statistics and
In effect, this delivers the best of both worlds: near linear
scaling, with almost no administrative overhead.
Compared to 'regular multithreading', whereby threads cooperate
more closely, more memory is used, since each thread maintains
its own DNS cache. However, given the economics, and the
relatively limited total amount of memory needed for high
performance, this price is well worth it.
In practical numbers, over 40,000 queries/second sustained
performance has now been measured by a third party, with a
100.0% packet response rate. This means that the needs of
around 400,000 residential connections can now be met by a
single commodity server.
In addition to the above, the PowerDNS Recursor is now
providing resolver service for many more Internet users than
ever before. This has brought with it 24/7 Service Level
Agreements, and 24/7 operational monitoring by networking
personnel at some of the largest telecommunications companies
in the world.
In order to facilitate such operation, more statistics are now
provided that allow the visual verification of proper PowerDNS
Recursor operation. As an example of this there are now graphs
that plot how many queries were dropped by the operating system
because of a CPU overload, plus statistics that can be
monitored to determine if the PowerDNS deployment is under a
All in all, this is a large and important PowerDNS Release,
paving the way for further innovation.
This release removes support for the 'fork' multi-processor
option. In addition, the default is now to spawn two threads.
This has been done in such a way that total memory usage will
remain identical, so each thread will use half of the allocated
maximum number of cache entries.
Changes between RC2 and -release:
* 'Make install' when an existing configuration file
contained a 'fork' statement has been fixed. Spotted by
Darren Gamble, code in commit 1534.
* Reloading a non-existant allow-from-file caused the control
thread to stop working. Spotted by Imre Gergely, code in
* Parser got confused by reading en empty line in
auth-forward-zones. Spotted by Imre Gergely, code in commit
* David Gavarret discovered undocumented and not-working
settings to set the owner, group and access modes of the
control socket. Code by Aki Tuomi and documentation in
commit 1535. Fixup in commit 1536 for FreeBSD as found by
Ralf van der Enden.
* Tiny improvement possibly solving an issue on Solaris 10's
completion port event multiplexer (commit 1537).
Changes between RC1 and RC2:
* Compilation on Solaris 10 has been fixed (various
patchlevels had different issues), code in commit 1522.
* Compatibility with CentOS4/RHEL4 has been restored, the gcc
and glibc versions shipped with this distribution contain a
Thread Local Storage bug which we now work around. Thanks
to Darren Gamble and Imre Gergely for debugging this issue,
code in commit 1527.
* A failed setuid operation, because of misconfiguration,
would result in a crash instead of an error message. Fixed
in commit 1523.
* Imre Gergely discovered that PowerDNS was doing spurious
root repriming when invalidating nssets. Fixed in commit
* Imre Gergely discovered our rrd graphs had not been changed
for the new multithreaded world, and did not allow scaling
beyond 200% cpu use. In addition, CPU usage graphs did not
add up correctly. Implemented in commit 1524.
* Andreas Jakum discovered the description of
'max-packetcache-entries' and 'forward-zones-recurse' was
wrong in the output of '--help' and '--config'. In
addition, some stray backup files made it into the RC1
release. Addressed in commit 1529.
Full release notes follow, including some overlap with the
incremental release notes above. Improvements:
* Multithreading, allowing near linear scaling to multiple
CPUs or cores. Configured using 'threads=' (many commits).
This also deprecates the '--fork' option.
* Added ability to read a configuration item of a running
PowerDNS Recursor using 'rec_control get-parameter' (commit
1243), suggested by Wouter de Jong.
* Added ability to read all statistics in one go of a running
PowerDNS Recursor using 'rec_control get-all' (commit
1496), suggested by Michael Renner.
* Speedups in packet generation (Commits 1258, 1259, 1262)
* TCP deferred accept() filter is turned on again for slight
DoS protection. Code in commit 1414.
* PowerDNS Recursor can now do TCP/IP queries to remote IPv6
addresses (commit 1412).
* Solaris 9 '/dev/poll' support added, Solaris 8 now
deprecated. Changes in commit 1421, commit 1422, commit
1424, commit 1413.
* Lua functions can now also see the address _to_ which a
question was sent, using getlocaladdress(). Implemented in
commit 1309 and commit 1315.
* Maximum cache sizes now default to a sensible value.
Suggested by Roel van der Made, implemented in commit 1354.
* Domains can now be forwarded to IPv6 addresses too, using
either ::1 syntax or [::1]:25. Thanks to Wijnand Modderman
for discovering this issue, fixed in commit 1349.
* Lua scripts can now load libraries at runtime, for example
to calculate md5 hashes. Code by Winfried Angele in commit
* Periodic statistics output now includes average queries per
second, as well as packet cache numbers (commit 1493).
* New metrics are available for graphing, plus added to the
default graphs (commit 1495, commit 1498, commit 1503)
* Fix errors/crashes on more recent versions of Solaris 10,
where the ports functions could return ENOENT under some
circumstances. Reported and debugged by Jan Gyselinck,
fixed in commit 1372.
* Add pdnslog() function for Lua scripts, so errors or other
messages can be logged properly.
* New settings to set the owner, group and access modes of
the control socket (socket-owner, socket-group,
socket-mode). Code by Aki Tuomi and documentation in commit
1535. Fixup in commit 1536 for FreeBSD as found by Ralf van
* rec_control now accepts a --timeout parameter, which can be
useful when reloading huge Lua scripts. Implemented in
* Domains can now be forwarded with the 'recursion-desired'
bit on or off, using either forward-zones-recurse or by
prefixing the name of a zone with a '+' in
forward-zones-file. Feature suggested by Darren Gamble,
implemented in commit 1451.
* Access control lists can now be reloaded at runtime
(implemented in commit 1457).
* PowerDNS Recursor can now use a pool of
query-local-addresses to further increase resilience
against spoofing. Suggested by Ad Spelt, implemented in
* PowerDNS Recursor now also has a packet cache, greatly
speeding up operations. Implemented in commit 1426, commit
1433 and further.
* Cache can be limited in how long it maximally stores
records, for BIND compatibility (TTL limiting), by setting
max-cache-ttl.Idea by Winfried Angele, implemented in
* Cache cleaning turned out to be scanning more of the cache
than necessary for cache maintenance. In addition, far more
frequent but smaller cache cleanups improve responsiveness.
Thanks to Winfried Angele for discovering this issue.
(commits 1501, 1507)
* Performance graphs enhanced with separate CPU load and
cache effectiveness plots, plus display of various overload
situations (commits 1503)
Compiler/Operating system/Library updates:
* PowerDNS Recursor can now compile against newer versions of
Boost (verified up to and including 1.42.0). Reported &
fixed by Darix in commit 1274. Further fixes in commit
1275, commit 1276, commit 1277, commit 1283.
* Fix compatibility with newer versions of GCC (closes ticket
ticket 227, spotted by Ruben Kerkhof, code in commit 1345,
more fixes in commit 1394, 1416, 1440).
* Rrdtool update graph is now compatible with FreeBSD out of
the box. Thanks to Bryan Seitz (commit 1517).
* Fix up Makefile for older versions of Make (commit 1229).
* Solaris compilation improvements (out of the box, no
* Solaris 9 MTasker compilation fixes, as suggested by John
Levon. Changes in commit 1431.
* Under rare circumstances, the recursor could crash on 64
bit Linux systems running glibc 2.7, as found in Debian
Lenny. These circumstances became a lot less rare for the
3.2 release. Discovered by Andreas Jakum and debugged by
#powerdns, fix in commit 1519.
* Imre Gergely discovered that PowerDNS was doing spurious
root repriming when invalidating nssets. Fixed in commit
* Configuration parser is now resistant against trailing tabs
and other whitespace (commit 1242)
* Fix typo in a Lua error message. Close ticket 210, as
reported by Stefan Schmidt (commit 1319).
* Profiled-build instructions were broken, discovered & fixes
suggested by Stefan Schmidt. ticket 239, fix in commit
* Fix up duplicate SOA from a remote authoritative server
from showing up in our output (commit 1475).
* All security fixes from 126.96.36.199 are included.
* Under highly exceptional circumstances on FreeBSD the
PowerDNS Recursor could crash because of a TCP/IP error.
Reported and fixed by Andrei Poelov in ticket 192, fixed in
* PowerDNS Recursor can be a root-server again. Error spotted
by the ever vigilant Darren Gamble (t229), fix in commit
* Rare TCP/IP errors no longer lead to PowerDNS Recursor
logging errors or becoming confused. Debugged by Josh Berry
of Plusnet PLC. Code in commit 1457.
* Do not hammer parent servers in case child zones are
misconfigured, requery at most once every 10 seconds.
Reported & investigated by Stefan Schmidt and Andreas
Jakum, fixed in commit 1265.
* Properly process answers from remote authoritative servers
that send error answers without including the original
question (commit 1329, commit 1327).
* No longer spontaneously turn on 'export-etc-hosts' after
reloading zones. Discovered by Paul Cairney, reported in
ticket 225, addressed in commit 1348.
* Very abrupt server failure of large numbers of high-volume
authoritative servers could trigger an out of memory
situation. Addressed in commit 1505.
* Make timeouts for queries to remote authoritative servers
configurable with millisecond granularity. In addition, the
old code turned out to consider the timeout expired when
the integral number of seconds since 1970 increased by 1 -
which *on average* is after 500ms. This might have caused
spurious timeouts! New default timeout is 1500ms. See
network-timeout setting for more details. Code in commit
- - ends -
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Pdns-announce