[Pdns-announce] PowerDNS version 2.9.18 released!
bert hubert
bert.hubert at netherlabs.nl
Sat Jul 16 12:08:12 UTC 2005
This release is available on http://www.powerdns.com/downloads
Or more specifically:
http://downloads.powerdns.com/releases/pdns-2.9.18.tar.gz
http://downloads.powerdns.com/releases/deb/stable/pdns-static_2.9.18-1_i386.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-2.9.18-1.i386.rpm
Release notes with clickable links:
http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-18
Latest upgrades: http://wiki.powerdns.com
Pay attention if you run with the LDAP backend, or provide recursion to a
limited IP range, you need to upgrade!
Release notes:
The '8 million domains' release, which also marks the battle
readiness of the PowerDNS Recursor. The latest improvements
have been made possible by financial support and contributions
by Register.com and XS4ALL. Thanks!
This release brings a number of new features (vastly improved
recursor, Generic Oracle Support, DNS analysis and replay
tools, and more) but also has a new build dependency, the
Boost library (version 1.31 or higher).
Currently several big ISPs are evaluating the PowerDNS
recursor for their resolving needs, some of them have switched
already. In the course of testing, over 350 million actual
queries have been recorded and replayed, the answers turn out
to be satisfactory.
This testing has verified that the pdns recursor, as shipped
in this release, can stand up to heavy duty ISP loads (over
20000 queries/second) and in fact does so better than major
other nameservers, giving more complete answers and being
faster to boot.
We invite ISPs who note recursor problems to record their
problematic traffic and replay it using the tools described in
Chapter 19 to discover if PowerDNS does a better job, and to
let us know the results.
Additionally, the bind2backend is almost ready to replace the
stock bind backend. If you run with Bind zones, you are
cordially invited to substitute 'launch=bind2' for
'launch=bind'. This will happen automatically in 2.9.19!
In other news, the entire Wikipedia constellation now runs on
PowerDNS using the Geo Backend! Thanks to Mark Bergsma for
keeping us updated.
There are two bugs with security implications, which only
apply to installations running with the LDAP backend, or
installations providing recursion to a limited range of IP
addresses. If any of these apply to you, an upgrade is highly
advised:
* The LDAP backend did not properly escape all queries,
allowing it to fail and not answer questions. We have not
investigated further risks involved, but we advise LDAP
users to update as quickly as possible (Norbert Sendetzky,
Jan de Groot)
* Questions from clients denied recursion could blank out
answers to clients who are allowed recursion services,
temporarily. Reported by Wilco Baan. This would've made it
possible for outsiders to blank out a domain temporarily
to your users. Luckily PowerDNS would send out SERVFAIL or
Refused, and not a denial of a domain's existence.
General bugs fixed:
* TCP authoritative server would not relaunch a backend
after failure (reported by Norbert Sendetzky)
* Fix backend restarting logic (reported, and fix suggested
by Norbert Sendetzky)
* Launching identical backends multiple times, with
different settings, did not work. Reported by Mario Manno.
* Master/slave queries did not honour the
query-local-address setting. Spotted by David Levy of
Register.com. The fix also randomises the local port used,
slightly improving security.
Compilation fixes:
* Fix compile on Solaris, they define 'PC' for some reason.
Reported by Eric Yiu.
* PowerDNS recursor would not compile on FreeBSD due to
Linux specific defines, as reported in cvstrac ticket 26
(Ralf van der Enden)
* Several 64 bits issues have been fixed, especially in the
Logging subsystem.
* SSQLite would fail to compile on recent Debian systems
(Matthijs Mohlmann)
* Generic MySQL would not compile on 64-bit platforms.
Improvements:
* PowerDNS now reports stray command line arguments, like
when running '--local-port 5300' instead of
'--local-port=5300'. Reported by Christian Welzel.
* We now warn against erroneous logging-facility
specification, ie specifying an unknown facility.
* --version now outputs gcc version used, so we can tell
people 2.95 is no longer supported.
* Extended regression tests, moved them to the new 'sdig'
tool (see below).
* Bind2backend is now blazingly fast, and highly memory
efficient to boot. As a special bonus it can read gzipped
zones directly. The '.NET' zone is hosted using 401MB of
memory, the same size as the zone on disk.
* The Pipe Backend has been improved such that it can send
out different answers based on the IP address the question
was received ON. See Section A.1.1 for how this changed
the Pipe Backend protocol. Note that you need to set
pipebackend-abi-version to benefit from this change,
existing clients are not affected. Change and
documentation contributed by Marc Jauvin of Register4Less.
* LDAP backend has been updated (Norbert Sendetzky).
Recursor improvements and fixes. See Chapter 11 for details.
The changes below mean that all of the caveats listed for the
recursor have now been addressed.
* After half an hour of uptime, the entire cache would be
pruned for each packet, which is a tad slow. It now
appears the pdns recursor is among the faststest around.
* Under high loads, or when unlucky, some query mthreads
would get 'stuck', and show up in the statistics as
eternally running queries.
* Lots of redundant gettimeofday() and time() calls were
removed, which has resulted in a measurable speedup.
* pdns_recursor can now listen on several addresses
simultaneously.
* Now supports setuid and setgid operation to allow running
as a less privileged user (Bram Vandoren)
* Return code of pdns_recursor binary did not make sense
(Matthijs Mohlmann and Thomas Hood)
* Timeouts and errors are now split out in statistics.
* Many people reported broken statistics, it turned out that
no statistics were being reported if there had been no
questions to base them on. We now log a message to that
effect.
* Add query-local-address support, which allows the recursor
to send questions from a specific IP address. Useful for
anycast setups.
* Add outgoing TCP query support and proper truncated answer
support. Needed for Worldnic Denial of Service protection,
which sends out truncated packets to force clients to
connect over TCP, which prevents spoofing.
* Properly truncate our own answers.
* Improve our TCP answers by using writev, which is slightly
friendlier to the network.
* On FreeBSD, TCP errors could cause the recursor to exit
suddenly due to a SIGPIPE signal.
* Maximum number of simultaneous client TCP connections can
now be limited with the max-tcp-clients setting.
* Add agressive timeouts for TCP clients to make sure
resources are not wasted. Defaults to two seconds, can be
configured with the client-tcp-timeout setting.
Backend fixes:
* SQLite backend would not slave properly (Darron Broad)
* Generic MySQL would not compile on 64-bit platforms.
New technology:
* Added the new DNS parser logic, called MOADNSParser.
Completely modular, every memory access checked.
* 'sdig', a simple dig workalike with 'canonical' output,
which is used for the regression tests. Based on the new
DNS parser logic.
* dnswasher, dnsreplay and dnsscope, all DNS analysis tools.
See Chapter 19 for more details.
* Generic Oracle Backend, sponsored by Register.COM. See
Section A.5.3.
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
More information about the Pdns-announce
mailing list