[Pdns-announce] PowerDNS Authoritative Server 3.0 Release Candidate 2 available

bert hubert bert.hubert at netherlabs.nl
Tue Apr 19 12:05:54 UTC 2011


Hi everybody,

Release Candidate 2 of the PowerDNS Authoritative Server 3.0 is available from:

http://downloads.powerdns.com/releases/pdns-3.0-rc2.tar.gz
http://downloads.powerdns.com/releases/deb/pdns-static_3.0-rc2-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-static_3.0-rc2-1_amd64.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-3.0rc2-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-static-3.0rc2-1.x86_64.rpm

RC1 received thorough testing by the community, for which we are very
grateful! Issues addressed between RC1 and RC2:

  * Zone2sql sent out the wrong 'COMMIT' statement in sqlite mode. In addition,
    in this mode, zone2sql would not emit statements to update the domains
    table unless the 'slave' setting was chosen. Code in commit 2167.

  * We dropped the Authoritative Answer flag on an out-of-bailiwick CNAME
    referral, which was unneccessary. Code in commit 2170.

  * Kees Monshouwer discovered that we failed to detect the location of
    PostgreSQL on RHEL/CentOS. Fix in commit 2144. In addition, commit 2162
    eases detection of MySQL on RHEL/CentOS 64 bits systems.

  * Marc Laros re-reported an old bug in the internally used 'pdns' backend
    where details of the SOA record were not filled out correctly. Resolved in
    commit 2145.

  * Jan-Piet Mens found that our TSIG signed SOA zone fresheness check was
    signed incorrectly. Fixed in commit 2147. Improved error messages that
    helped debug this issue in commit 2148, commit 2149.

  * Jan-Piet Mens helped debug an issue where some servers were "almost always"
    unable to transfer a TSIG signed zone correctly. Turns out that the TSIG
    signing code used an internal timestamp and not the remote timestamp.
    Because of good NTP synchronization this quite often was not a problem. Fix
    in commit 2159.

  * Thor Spruyt of Telenet discovered that the PowerDNS code would try to emit
    DNS answers over TCP of over 65535 bytes long, which failed. We now
    truncate such answers properly. Code in commit 2150.

  * The Slave engine now reuses an existing database connection, removing the
    need to create a new database connection every minute (and worse, log about
    it). Code in commit 2153.

  * Fix a potential Year 2106 bug in the TSIG signing code. Because we care 
    (commit 2156).

Two new features:

  * Added experimental support for the 'DANE' TLSA record which is used to
    authenticate SSL certificates via DNSSEC. commit 2161.

  * Added experimental support for the MongoDB 'NoSQL' backend, contributed by
    fredrik danerklint in commit 2162.

You are cordially invited to (carefully) test this Release Candidate for
correct behaviour. Please study 
http://doc.powerdns.com/upgrades.html#from2.9to3.0 for guidance.

Full release notes, with clickable links, are available from:
http://doc.powerdns.com/changelog.html#changelog-auth-3-0

Here is a text-only version:

Warning
          Version 3.0 of the PowerDNS Authoritative Server is a major upgrade.
          Please refer to Section 1, “From PowerDNS Authoritative Server 2.9.x
          to 3.0” for important information on correct and stable operation, as
          well as notes on performance and memory use.

          Known issues as of RC2 include:

            * Not all new features are documented yet

            * Queries for 'empty non-terminals' may give confusing results

            * We are not 100% convinced all corner cases of NSEC3/NXDOMAIN give
              correct responses. Common cases function well

            * DNSSEC has only been benchmarked up to 2000 queries/second but
              not beyond

            * A lot more database connections are made and released

Version 3.0 of the PowerDNS Authoritative Server brings a number of important
features, as well as over two years of accumulated bug fixing.

The largest news in 3.0 is of course the advent of DNSSEC. Not only does
PowerDNS now (finally) support DNSSEC, we think that our support of this
important protocol is among the easiest to use available. In addition, all
important algorithms are supported.

Complete detail can be found in Chapter 12, Serving authoritative DNSSEC data.
The goal of 'PowerDNSSEC' is to allow existing PowerDNS installations to start
serving DNSSEC with as little hassle as possible, while maintaining performance
and achieving high levels of security.

Tutorials and examples of how to use DNSSEC in PowerDNS can be found linked
from http://powerdnssec.org.

This release has received exceptional levels of community support, and we'd
like to thank the following people in addition to those mentioned explicitly
below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards
(NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Leen Besselink,
Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion
Ventures), Roy Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer
(AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose
Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk
(Surfnet), Paul Bakker (Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer
(Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and
Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, Jack Lloyd,
Frank Altpeter, frederik danerklint, Vasiliy G Tolstov, Brielle Bruns, Evan
Hunt, Ralf van der Enden, Marc Laros.

On to the release notes. Next to DNSSEC, other major new features include:

  * TSIG for authorizing and authenticating AXFR requests & incoming zone
    transfers (Code in 2024, 2025, 2033, 2034). This allows for retrieving TSIG
    protected content, as well as serving it.

  * Per zone also-notify.

  * Added experimental support for the 'DANE' TLSA record which is used to
    authenticate SSL certificates via DNSSEC. commit 2161.

  * Added experimental support for the MongoDB 'NoSQL' backend, contributed by
    fredrik danerklint in commit 2162.

  * MyDNS compatible backend, allowing for 'instantaneous' migration from this
    authoritative nameserver. Code in commit 1418, contributed by Jonathan
    Oddy.

  * PowerDNS can now slave zones over IPv6 and notify IPv6 remotes of updates.
    Already. Code in commit 2009 and beyond.

  * Lua based incoming zone editing, allowing masters or signing slaves to add
    information to the zone they will (re-)serve. Implemented in commit 2065.
    To enable, use LUA-AXFR-SCRIPT zone metadata setting.

  * Native Oracle backend with full DNSSEC support. Contributed by Maik
    Zumstrull, then at the Steinbuch Centre for Computing at the Karlsruhe
    Institute of Technology.

  * "Also-notify" support, implemented by Aki Tuomi in commit 1400. Support for
    Generic SQL backends and for the BIND backend. Further code in commit 1360.

  * Support for binding to thousands of IP addresses, code in commit 1443.

  * Generic MySQL backend now supports stored procedures. Implemented in commit
    2084, closing ticket 231.

  * Generic ODBC backend compiles again, and is reported to work for some users
    that need it. Code contributed in ticket 309, author unknown.

  * Massively parallel slaving infrastructure, able to check the freshness of
    thousands of remote zones per second, plus perform many incoming zone
    transfers simultaneously. Sponsored by Tyler Hall, code in 1449, 1500, 1859

  * Core DNS logic replaced completely to deal with the brave new world of
    DNSSEC.

Bugs fixed:

  * sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL
    errors in some cases. Discovered by Sten Spans. Fixed in commit 1342.

  * Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek.
    Fixed in commit 1342.

  * PowerDNS would refuse to serve domain names with spaces in them, or
    otherwise non-printable characters. Addressed in commit 2081.

  * PowerDNS can now serve escaped labels, as described by RFC 4343. Data
    should be present in backends in that escaped form. Code in commit 2089.

  * In some cases, we would include duplicate CNAMEs. In addition, we would
    hand out a full root-referral when not configured to in some cases (ticket
    ticket 223). Discovered by Andreas Jakum, fixed in commit 1344.

  * Shane Kerr discovered we would corrupt DNS transaction IDs from the packet
    cache on big endian systems. Fix in commit 1346, closing ticket 222.

  * PowerDNS did not use RFC 1982 serial arithmetic, leading to a SOA serial
    number of 1 to be regarded as older than 4400000000, when in fact it is
    'newer'. Issue (re-)discovered by Jan-Piet Mens.

  * BIND backend got confused of a zone's filename changed after a
    configuration reload. Fix in commit 1347, closing ticket 228.

  * When restarted by the Guardian, PowerDNS will perform a full multi-threaded
    cache cleanup, which took a long time and could crash. Fix in commit 1364.

  * Under artificial circumstances, PowerDNS would never clean its packet
    cache. Found by Marcus Goller, fix in commit 1399 and commit 1408. This
    update also retunes the cleanup frequency.

  * Packetcache would cache things it should not have been caching. Fixes in
    commits 1407, 1488, 1869, 1880

  * When processing incoming notifications, the BIND backend was
    case-sensitive, and would disregard notifications in the wrong case.
    Discovered by 'Dolphin', fix in commit 1420.

  * The init.d script did not mention the 'reload' command. Code in commit 1463
    , closes ticket 233.

  * Generic SQL Backends would sometimes emit obscure error messages. Fix in
    commit 2049.

  * PowerDNS would be confused by embedded NULs in domain names, and would also
    mess up the escaping of some characters. Fix in commit 1468, commit 1469,
    commit 1478, commit 1480,

  * SOA queries for the name of a delegation point were not referred. Fix in
    commit 1466, closing ticket 224. In addition, queries for AAAA for a CNAMEd
    record pointing to a name with no AAAA would deliver a direct SOA, without
    the CNAME in between. Fix in commit 1542, commit 1607. Also, wildcard
    CNAMEs pointing to a record without the type requested suffered from the
    same issue, fix in commit 1543.

  * On processing an incoming AXFR, once an MX or SRV record had been seen, all
    future fields got a 'priority' entry as well. This had no operational
    impact, but looked messy. Fixed in commit 1437.

  * Aki Tuomi discovered that the BIND zonefile parser would misrepresent
    'something IN MX 15 @'. Fix in commit 1621.

  * Marco Davids discovered the BIND zonefile parser would trip over really
    long lines. Fix in commit 1624, commit 1625.

  * Thomas Mieslinger discovered that our webserver would only be started after
    dropping privileges, which could cause problems. Fix in commit 1629.

  * Zone2sql did quite often not do exactly what was required, which users
    fixed by editing the SQL output. Revamped in commit 2032.

  * An Ubuntu user discovered in Launchpad bug 600479 that restarting database
    threads cost a lot of memory. Normally this is rare, except in case of
    problems. Addressed in commit 1676.

  * BIND backend could crash under (very) high load with very large numbers of
    zones (hundreds of thousands). Fixed in commit 1690.

  * Miek Gieben and Marco Davids spotted that PowerDNS would answer the
    version.bind query in the IN class too. Bug reported via twitter! Fix in
    commit 1709.

  * Marcus Lauer and the OpenDNSSEC project discovered that outgoing
    notifications did not carry the 'aa' flag. Fixed in commit 1746.

  * Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by
    Anders Kaseorg in commit 1747.

  * Fixed a bug that could cause crashes on launching thousands of backend
    connections. Never observed to occur, but who knows. Fix in commit 1792.

  * Under some circumstances, large answers could be truncated in mid-record.
    While technically legal, this upset a number of resolver implementations
    (including the PowerDNS Recursor!). Fixed in commit 1830, re-closes ticket
    200.

  * Jan Piet Mens and Florian Weimer discovered we had problems dealing with
    escaped labels and escaped TXT fields. Fixed in commit 2000.

  * After 2.2 billion queries, statistics would wrap oddly. Fix in commit 2019,
    closing ticket 327.

Improvements:

  * Long TXT records are now split into 255-byte components automatically.
    Implemented in commit 1340, reported by Darren Gamble in ticket 188.

  * When receiving large numbers of notifications, PowerDNS would check these
    synchronously, leading to a slowdown for other services. Fixed in commit
    2058, problem diagnosed by Richard Poole of Heart Internet.

  * Fixed compilation on newer compilers and newer versions of Boost. Changes
    in 1345 (closes ticket 227), 1391, 1394, 1425, 1427, 1428, 1429, 1440, 1653
    , thanks to Ruben Kerkhof and others.

  * Moved Generic PostgreSQL backend over to the newer E'' style escapes.
    commit 2094.

  * Compilation fixes for Mac OS X 10.5.7 in commit 1389, thanks to Tobias
    Markmann.

  * We can now bind to scoped IPv6 addresses, lack spotted by Darren Gamble.
    Part of the fix is in commit 2018.

  * Built-in query cache can now also cache queries which lead to multiple
    answers. Code in commit 2069.

  * Prodded on by Jan Piet Mens, we now support 'unknown types' (which look
    like TYPE65534).

  * Add 'slave-renotify' to retransmit notifies for slaved zones, which is
    helpful when acting as a 'signing slave' for a hidden master. Code in
    commit 1950.

  * No longer let zone2sql and zone2ldap import BIND 'hint' zones. commit 1998.

  * Allow for timestamps to explicitly be specified in (s)econds. Code in
    commit 1398, closing ticket 250.

  * Zones with URL and MBOXFW records can be transferred over AXFR, code in
    commit 1464.

  * Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d
    script to read /etc/default/pdns. Code in commit 1601, commit 1602.

  * Generic SQL backends now support multiple masters in the domains table.
    Code in commit 1857. Additionally, masters can also have :port numbers.
    Code in commit 1858.




More information about the Pdns-announce mailing list