From peter.van.dijk at netherlabs.nl  Fri Jun 20 12:17:40 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Fri, 20 Jun 2014 12:17:40 +0200
Subject: [Pdns-dev] Recursor 3.6.0 released
Message-ID: <45608F0D-D8BE-40F5-975F-0D80AF36AD63@netherlabs.nl>

Hi everybody,

version 3.6.0 of the PowerDNS Recursor is now available from
https://www.powerdns.com/downloads.html

Kees Monshouwer provides native RHEL5/6 packages at
http://www.monshouwer.eu/download/3rd_party/pdns-recursor/

Full release notes, with clickable links, are available from:
http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.6.0

3.6.0 is the best version of the PowerDNS Recursor currently available, and we recommend upgrading to it.

Here is a text-only version:

This is a performance, feature and bugfix update to 3.5/3.5.3. It contains important fixes for slightly broken domain names, which your users expect to work anyhow. It also brings robust resilience against certain classes of attacks.

Changes between RC1 and release:

* g30b13ef: do not apply some of our filters to root and gtlds, plus remove some useless {}
* gcc81d90: fix yahttp copy in dist-recursor for BSD cp
* gb798618: define __APPLE_USE_RFC_3542 during recursor build on Darwin, fixes t1449
* g1d7f863: Merge pull request t1443 from zeha/recursor-nostrip
* g5cdeede: remove (non-working) [aaaa-]additional-processing flags from the recursor. Closes t1448
* g984d747: Support building recursor on kFreeBSD and Hurd
* g79240f1: Allow not stripping of binaries in recursor's make install
* ge9c2ad3: document pdns.DROP for recursor, add policy-drops metric for it

New features:

* gaadceba: Implement minimum-ttl-override config setting, plus runtime configurability via 'rec_control set-minimum-ttl'.
* Lots of work on the JSON API, which is exposed via Aki Tuomi's 'yahttp'. Massive thanks to Christian Hofstaedtler for delivering this exciting new functionality. Documentation & demo forthcoming, but code to use it is available on GitHub.
* Lua modules can now use 'pdnslog(INFO..'), as described in t1074, implemented in g674a305
* Adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes t836, g56b4d21 and ge661a20.
* g2c78bd5: implement built-in statistics dumper using the 'carbon' protocol, which is also understood by metronome (our mini-graphite). Use 'carbon-server', 'carbon-ourname' and 'carbon-interval' settings.
* New setting 'udp-truncation-threshold' to configure from how many bytes we should truncate. ga09a8ce.
* Proper support for CHaos class for CHAOS TXT queries. gc86e1f2, addition for lua in gf94c53d, some warnings in g438db54 however.
* Added support for Lua scripts to drop queries w/o further processing. g0478c54.
* Kevin Holly added qtype statistics to recursor and rec_control (get-qtypelist) (g79332bf)
* Add support for include-files in configuration, also reload ACLs and zones defined in them (g829849d, g242b90e, g302df81).
* Paulo Anes contributed server-down-max-fails which helps combat Recursive DNS based amplification attacks. Described in this post. Also comes with new metric 'failed-host-entries' in g406f46f.
* g21e7976: Implement "followCNAMERecords" feature in the Lua hooks.

Improvements:

* g06ea901: make pdns-distributes-queries use a hash so related queries get sent to the same thread. Original idea by Winfried Angele. Astoundingly effective, approximately halves CPU usage!
* gb13e737: --help now writes to stdout instead of stderr. Thanks Winfried Angele.
* To aid in limiting DoS attacks, when truncating a response, we actually truncate all the way so only the question remains. Suggested in t1092, code in gadd935a.
* No longer experimental, the switch 'pdns-distributes-queries' can improve multi-threaded performance on Linux (various cleanup commits).
* Update to embedded PolarSSL, plus remove previous AES implementation and shift to PolarSSL (ge22d9b4, g990ad9a)
* g92c0733 moves various Lua magic constants into an enum namespace.
* set group and supplementary groups before chroot (g6ee50ce, t1198).
* g4e9a20e: raise our socket buffer setting so it no longer generates a warning about lowering it.
* g4e9a20e: warn about Linux suboptimal IPv6 settings if we detect them.
* SIGUSR2 turns on a 'trace' of all DNS traffic, a second SIGUSR2 now turns it off again. g4f217ce.
* Various fixes for Lua 5.2.
* g81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and 'sid3windr' for insight & debugging. Closes t844.
* gb1a2d6c: now, I'm not one to get OCD over things, but that log message about stats based on 1801 seconds got to me. 1800 now.

Fixes:

* 0c9de4fc: stay away from getaddrinfo unless we really can't help it for ascii ipv6 conversions to binary
* g08f3f63: fix average latency calculation, closing t424.
* g75ba907: Some of our counters were still 32 bits, now 64.
* g2f22827: Fix statistics and stability when running with pdns-distributes-queries.
* g6196f90: avoid merging old and new additional data, fixes an issue caused by weird (but probably legal) Akamai behaviour
* g3a8a4d6: make sure we don't exceed the number of available filedescriptors for mthreads. Raises performance in case of DoS. See this post for further details.
* g7313fe6: implement indexed packet cache wiping for recursor, orders of magnitude faster. Important when reloading all zones, which causes massive cache cleaning.
* rec_control get-all would include 'cache-bytes' and 'packetcache-bytes', which were expensive operations, too expensive for frequent polling. Removed in g8e42d27.
* All old workarounds for supporting Windows of the XP era have been removed.
* Fix issues on S390X based systems which have unsigned characters (g916a0fd)
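
The "truncate all the way so only the question remains" item under Improvements, shown at the DNS wire level as an added example (not PowerDNS code and not part of the original announcement): a response larger than a threshold is reduced to its header and question with the TC bit set, so the UDP reply is no bigger than the query that triggered it. The 512-byte threshold, the function names and the sample response are assumptions constructed for illustration.

```python
import struct

TC_BIT = 0x0200  # "truncated" flag in the DNS header flags word

def question_end(msg: bytes) -> int:
    """Offset just past the first question (QNAME + QTYPE + QCLASS)."""
    pos = 12  # the DNS header is always 12 bytes
    while True:
        if pos >= len(msg):
            raise ValueError("question name runs past end of message")
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer or reserved label in question")
        pos += 1 + length
        if length == 0:  # root label terminates the name
            break
    if pos + 4 > len(msg):
        raise ValueError("QTYPE/QCLASS missing")
    return pos + 4

def truncate_to_question(response: bytes, threshold: int = 512) -> bytes:
    """Return response unchanged if it fits, else header + question with TC set.

    threshold=512 is an assumed value for this example.
    """
    if len(response) <= threshold:
        return response
    if len(response) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qdcount = struct.unpack("!3H", response[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    end = question_end(response)
    # Zero ANCOUNT/NSCOUNT/ARCOUNT so the counts match the stripped body.
    header = struct.pack("!6H", ident, flags | TC_BIT, 1, 0, 0, 0)
    return header + response[12:end]

def build_sample(answers: int = 30) -> bytes:
    """Constructed sample: example.com TXT response with many answers."""
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 16, 1)
    rdata = b"\x28" + b"x" * 40
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 16, 1, 300, len(rdata)) + rdata
    header = struct.pack("!6H", 0x1234, 0x8180, 1, answers, 0, 0)
    return header + question + rr * answers

if __name__ == "__main__":
    big = build_sample()
    small = truncate_to_question(big)
    print(len(big), "->", len(small), "bytes;", small.hex())
```

A client that receives the stripped reply sees TC set and retries over TCP, which a spoofed source address cannot complete.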