[Pdns-announce] PowerDNS version 2.9.18 released!

bert hubert bert.hubert at netherlabs.nl
Sat Jul 16 12:08:12 UTC 2005

This release is available on http://www.powerdns.com/downloads 
Or more specifically:

Release notes with clickable links: 
Latest upgrades: http://wiki.powerdns.com

Pay attention if you run with the LDAP backend, or provide recursion to a
limited IP range, you need to upgrade!

Release notes:
   The '8 million domains' release, which also marks the battle
   readiness of the PowerDNS Recursor. The latest improvements
   have been made possible by financial support and contributions
   by Register.com and XS4ALL. Thanks!

   This release brings a number of new features (vastly improved
   recursor, Generic Oracle Support, DNS analysis and replay
   tools, and more) but also has a new build dependency, the
   Boost library (version 1.31 or higher).

   Currently several big ISPs are evaluating the PowerDNS
   recursor for their resolving needs, some of them have switched
   already. In the course of testing, over 350 million actual
   queries have been recorded and replayed, the answers turn out
   to be satisfactory.

   This testing has verified that the pdns recursor, as shipped
   in this release, can stand up to heavy duty ISP loads (over
   20000 queries/second) and in fact does so better than major
   other nameservers, giving more complete answers and being
   faster to boot.

   We invite ISPs who note recursor problems to record their
   problematic traffic and replay it using the tools described in
   Chapter 19 to discover if PowerDNS does a better job, and to
   let us know the results.

   Additionally, the bind2backend is almost ready to replace the
   stock bind backend. If you run with Bind zones, you are
   cordially invited to substitute 'launch=bind2' for
   'launch=bind'. This will happen automatically in 2.9.19!

   In other news, the entire Wikipedia constellation now runs on
   PowerDNS using the Geo Backend! Thanks to Mark Bergsma for
   keeping us updated.

   There are two bugs with security implications, which only
   apply to installations running with the LDAP backend, or
   installations providing recursion to a limited range of IP
   addresses. If any of these apply to you, an upgrade is highly

     * The LDAP backend did not properly escape all queries,
       allowing it to fail and not answer questions. We have not
       investigated further risks involved, but we advise LDAP
       users to update as quickly as possible (Norbert Sendetzky,
       Jan de Groot)
     * Questions from clients denied recursion could blank out
       answers to clients who are allowed recursion services,
       temporarily. Reported by Wilco Baan. This would've made it
       possible for outsiders to blank out a domain temporarily
       to your users. Luckily PowerDNS would send out SERVFAIL or
       Refused, and not a denial of a domain's existence.

   General bugs fixed:

     * TCP authoritative server would not relaunch a backend
       after failure (reported by Norbert Sendetzky)
     * Fix backend restarting logic (reported, and fix suggested
       by Norbert Sendetzky)
     * Launching identical backends multiple times, with
       different settings, did not work. Reported by Mario Manno.
     * Master/slave queries did not honour the
       query-local-address setting. Spotted by David Levy of
       Register.com. The fix also randomises the local port used,
       slightly improving security.

   Compilation fixes:

     * Fix compile on Solaris, they define 'PC' for some reason.
       Reported by Eric Yiu.
     * PowerDNS recursor would not compile on FreeBSD due to
       Linux specific defines, as reported in cvstrac ticket 26
       (Ralf van der Enden)
     * Several 64 bits issues have been fixed, especially in the
       Logging subsystem.
     * SQLite would fail to compile on recent Debian systems
       (Matthijs Mohlmann)
     * Generic MySQL would not compile on 64-bit platforms.


     * PowerDNS now reports stray command line arguments, like
       when running '--local-port 5300' instead of
       '--local-port=5300'. Reported by Christian Welzel.
     * We now warn against erroneous logging-facility
       specification, i.e. specifying an unknown facility.
     * --version now outputs gcc version used, so we can tell
       people 2.95 is no longer supported.
     * Extended regression tests, moved them to the new 'sdig'
       tool (see below).
     * Bind2backend is now blazingly fast, and highly memory
       efficient to boot. As a special bonus it can read gzipped
       zones directly. The '.NET' zone is hosted using 401MB of
       memory, the same size as the zone on disk.
     * The Pipe Backend has been improved such that it can send
       out different answers based on the IP address the question
       was received ON. See Section A.1.1 for how this changed
       the Pipe Backend protocol. Note that you need to set
       pipebackend-abi-version to benefit from this change,
       existing clients are not affected. Change and
       documentation contributed by Marc Jauvin of Register4Less.
     * LDAP backend has been updated (Norbert Sendetzky).

   Recursor improvements and fixes. See Chapter 11 for details.
   The changes below mean that all of the caveats listed for the
   recursor have now been addressed.

     * After half an hour of uptime, the entire cache would be
       pruned for each packet, which is a tad slow. It now
       appears the pdns recursor is among the fastest around.
     * Under high loads, or when unlucky, some query mthreads
       would get 'stuck', and show up in the statistics as
       eternally running queries.
     * Lots of redundant gettimeofday() and time() calls were
       removed, which has resulted in a measurable speedup.
     * pdns_recursor can now listen on several addresses
     * Now supports setuid and setgid operation to allow running
       as a less privileged user (Bram Vandoren)
     * Return code of pdns_recursor binary did not make sense
       (Matthijs Mohlmann and Thomas Hood)
     * Timeouts and errors are now split out in statistics.
     * Many people reported broken statistics, it turned out that
       no statistics were being reported if there had been no
       questions to base them on. We now log a message to that
     * Add query-local-address support, which allows the recursor
       to send questions from a specific IP address. Useful for
       anycast setups.
     * Add outgoing TCP query support and proper truncated answer
       support. Needed for Worldnic Denial of Service protection,
       which sends out truncated packets to force clients to
       connect over TCP, which prevents spoofing.
     * Properly truncate our own answers.
     * Improve our TCP answers by using writev, which is slightly
       friendlier to the network.
     * On FreeBSD, TCP errors could cause the recursor to exit
       suddenly due to a SIGPIPE signal.
     * Maximum number of simultaneous client TCP connections can
       now be limited with the max-tcp-clients setting.
     * Add aggressive timeouts for TCP clients to make sure
       resources are not wasted. Defaults to two seconds, can be
       configured with the client-tcp-timeout setting.

   Backend fixes:

     * SQLite backend would not slave properly (Darron Broad)
     * Generic MySQL would not compile on 64-bit platforms.

   New technology:

     * Added the new DNS parser logic, called MOADNSParser.
       Completely modular, every memory access checked.
     * 'sdig', a simple dig workalike with 'canonical' output,
       which is used for the regression tests. Based on the new
       DNS parser logic.
     * dnswasher, dnsreplay and dnsscope, all DNS analysis tools.
       See Chapter 19 for more details.
     * Generic Oracle Backend, sponsored by Register.COM. See
       Section A.5.3.

http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
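
Added example, not part of the original announcement and not PowerDNS code: the LDAP backend fix in the release notes concerns escaping query data before it is placed into an LDAP search filter, and the C++ sketch below shows RFC 4515 filter-value escaping applied to a query name. The function names, the associatedDomain filter and the sample query name are assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>

// Escape a value for use inside an LDAP search filter. RFC 4515 requires
// '*', '(', ')', '\' and NUL to be written as \XX; this also escapes control
// and non-ASCII bytes, which the RFC permits.
std::string ldapEscapeFilterValue(const std::string& raw)
{
  static const char hex[] = "0123456789abcdef";
  std::string out;
  out.reserve(raw.size());
  for (unsigned char c : raw) {
    if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20 || c > 0x7e) {
      out += '\\';
      out += hex[c >> 4];
      out += hex[c & 0x0f];
    }
    else {
      out += static_cast<char>(c);
    }
  }
  return out;
}

// Hypothetical lookup filter; the attribute name is an assumption.
std::string buildFilter(const std::string& qname, bool escape)
{
  return "(associatedDomain=" + (escape ? ldapEscapeFilterValue(qname) : qname) + ")";
}

// True when the unescaped parentheses in a filter are balanced, i.e. the
// directory server would not reject it as malformed on that account.
bool parenthesesBalanced(const std::string& filter)
{
  int depth = 0;
  for (size_t i = 0; i < filter.size(); ++i) {
    if (filter[i] == '\\') { i += 2; continue; }  // skip the two hex digits of \XX
    if (filter[i] == '(') ++depth;
    else if (filter[i] == ')' && --depth < 0) return false;
  }
  return depth == 0;
}

int main()
{
  const std::string qname = "www(x.example.org";  // constructed sample query name
  std::printf("%s\n%s\n", buildFilter(qname, false).c_str(), buildFilter(qname, true).c_str());
  return 0;
}
```

DNS labels can carry arbitrary bytes on the wire, so the escaping has to be applied to every value taken from a query, not only to names that look unusual.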
