[Pdns-announce] PowerDNS Authoritative Server 3.2-RC3 released!
bert.hubert at netherlabs.nl
Sun Dec 23 12:04:34 UTC 2012
Release Candidate 3 of the PowerDNS Authoritative Server 3.2 is available from:
You are cordially invited to (carefully) test this Release Candidate for
This version fixes one small important bug for high-load users, and we
sincerely hope we can do the real 3.2 release early in 2013. PowerDNS itself
already runs this RC in production.
Full release notes, with clickable links, are available from:
This is a stability and conformity update to 3.1. It mostly makes our DNSSEC
implementation more robust, and improves interoperability with various
validators. 3.2 has received very extensive testing on a lot of edge cases,
verifying output both against common validators and compared against other
In addition to all the changes below, we now auto-build semi-static packages.
Relevant changes to make that possible are in commit 2849, commit 2853, commit
2858, commit 2859, commit 2860.
Changes between 3.2-RC3 and 3.2-RC2:
* Michael Scheffler noticed that the lazy-recursion setting had no effect at
all. Setting removed in commit 3003.
* Mark Zealey found that an earlier performance improvement could cause
crashes under high load, with lots of IPs configured in local-address and
receiver-threads higher than 1. Fixed in commit 3005.
Changes between 3.2-RC1 and 3.2-RC2:
* The udp-queries metric would only count on the first thread launched,
instead of on all threads. Additionally, it was initialised at MAXINT at
startup, instead of at 0. Both issues fixed by Kees Monshouwer in commit
2999, closing ticket 491 and ticket 582.
* Aki Tuomi contributed zone2json, a great way for programmers to benefit
from our zone file parser. Code in commit 2997, closes ticket 509.
* Our DNS TXT parser is not 8-bit safe, but our DNS TXT writer assumes the
reader is! Reported by Jan-Piet Mens in ticket 541, commit 2993 fixes our
writer but not yet our parser.
* Ruben d'Arco did some improvements to the MyDNS backend, and provided a
full test suite for it, that we now run after every commit. Code in commit
* Some exceptions from backends would lose their meaning while bubbling up.
Fixed by Aki Tuomi in commit 2985, closing ticket 639.
* The packet-cache honours max reply length while matching cached packets
against queries, but not EDNS status. This would mean that EDNS-enabled
replies with a 512 reply len could be returned on non-EDNS queries. Spotted
while investigating a report from Winfried Angele, patched by Ruben d'Arco
in commit 2982, closing ticket 630.
* Errors involving creating, deletion or changing permissions on the control
socket were unclear. Ruben d'Arco improved this in commit 2981.
* pipe-timeout was always documented to be in milliseconds, but it turns out
it was in seconds! commit 2971 changes them to actually be in ms, and
'increases' the default from 1000 seconds to 2000 milliseconds.
* Some exceptions would get dropped during inbound AXFR, yielding a log file
that says 'transaction started' and nothing after that, making AXFR fail
silently. commit 2976 and commit 2977 improve this somewhat.
* We now error out on empty labels inside of names (www..example.com) instead
of generating bogus reply packets. Code in commit 2972, reported by several
* Doing chmod before chown, instead of the other way around, apparently
avoids requiring a whole SELinux capability. Reported by Sander Hoentjen,
fixed in r2965.
* Christian Hofstaedtler fixed a bug in our Debian init.d script. Code in
* Superslave errors ('Unable to find backend willing to host ..') now include
the NSset found at the master, to aid debugging. Code in commit 2887.
* commit 2874 in RC1 broke compilation without SQLite3 and made query logging
unreliable. Fixed in commit 2888, commit 2889.
* The dnsreplay tool now processes single packet pcaps. Fix in commit 2895.
* PowerDNS always derives NSEC/NSEC3 from the actual zone content. To
accommodate this, zone2sql now drops NSEC/NSEC3 records, as those should
never be in a PowerDNS backend directly (commit 2915), bindbackend ignores
NSEC/NSEC3 while reading zonefiles (commit 2917) and pdnssec reports NSEC/
NSEC3 in the database as an error condition (commit 2918).
* The bindbackend now ignores NSEC/NSEC3 records while reading zonefiles.
Change in commit 2917.
* An EXPERIMENTAL feature ('direct-dnskey') for reading ZSKs from the records
table/your BIND zonefile was added in commit 2920, commit 2921, commit 2922
* While fully optional, PowerDNS supports direct RRSIG queries. Kees
Monshouwer improved on our behaviour for those queries in commit 2927.
* IPv6 glue situations require AAAA records for the receiving end of a
delegation in the ADDITIONAL section of a referral. This was supported
('do-ipv6-additional-processing') but not enabled by default. commit 2929
enables it by default.
* pdnssec check-zone now warns for CNAME-and-other data at names in your
zones. Code by Ruben d'Arco in commit 2930.
* Positive ANY-responses would include a spurious NSEC3. Corrected in commit
2932 and commit 2933, cleaned up by Kees Monshouwer in commit 2935.
* The ldapbackend now allows overriding the base dn for AXFR subtree search.
Fixed in commit 2934, closing ticket 536.
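To make the packet-cache item above concrete (the cache matching on maximum reply length but not on EDNS status), here is an added toy model in Python; it is not PowerDNS code, and the Query, Reply and PacketCache names are invented for the illustration. With key_on_edns=False a reply built for an EDNS client is handed to a plain client; with the EDNS flag in the key it is not:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Query:
    qname: str
    qtype: str
    has_edns: bool       # query carried an OPT record
    max_reply_len: int   # 512 for plain DNS, else the size advertised in OPT

@dataclass(frozen=True)
class Reply:
    payload: bytes
    has_opt: bool        # reply carries an OPT record (only valid for EDNS clients)

class PacketCache:
    """Toy model (not PowerDNS code) of a reply cache keyed on the query."""
    def __init__(self, key_on_edns: bool) -> None:
        self.key_on_edns = key_on_edns
        self._store: Dict[Tuple, Reply] = {}

    def _key(self, q: Query) -> Tuple:
        # Pre-fix behaviour: name, type and maximum reply length only.
        key = (q.qname.lower(), q.qtype, q.max_reply_len)
        # Fixed behaviour: the EDNS status of the query is part of the key.
        return key + (q.has_edns,) if self.key_on_edns else key

    def insert(self, q: Query, r: Reply) -> None:
        self._store[self._key(q)] = r

    def lookup(self, q: Query) -> Optional[Reply]:
        return self._store.get(self._key(q))

def leaks_opt_to_plain_client(key_on_edns: bool) -> bool:
    """True if a non-EDNS query is handed a cached reply that carries OPT."""
    cache = PacketCache(key_on_edns)
    # Constructed sample: an EDNS client advertising only a 512-byte buffer,
    # so its max reply length equals that of a plain DNS client.
    edns_q = Query("www.example.com", "A", True, 512)
    cache.insert(edns_q, Reply(b"\x00" * 100, has_opt=True))
    plain_q = Query("www.example.com", "A", False, 512)
    hit = cache.lookup(plain_q)
    return hit is not None and hit.has_opt
```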
Changes below are in 3.2-RC1 but not RC2 and up.
DNSSEC changes in 3.2:
* Kees Monshouwer did a tremendous amount of work to improve and perfect our
DNSSEC implementation, mostly in the NSEC3 area. Code in commit 2687,
commit 2689, commit 2691, fixing ticket 486, ticket 537, ticket 540. He
also implemented support for Empty Non-Terminals, code in commit 2721,
commit 2732, commit 2745, fixing ticket 127 and ticket 558.
* Presigned wildcard operation was improved with the help of many parties
(see commit message for commit 2676). Presigned operation was also changed
to be more consistent with master/live-signing operation. Code and a full
test suite in commit 2709, which also improves TTL behaviour for various
situations. Fixes ticket 460, ticket 533, ticket 559.
* Depending on database & locale settings, names starting with underscore
would sometimes cause broken records. commit 2710 contains schema and code
changes for the gpgsql and gmysql backends to sort this (no pun intended)
definitively, closing ticket 550. In addition, a pdnssec test-schema
command was added (experimental and incomplete). It can be used to verify
underscore sorting and a few other parameters of the database. Code in
* We now always include an EDNS section in responses to queries that also had
an EDNS section. This was thought to improve BIND interoperability, but
this turned out to be false. In any case, this change improves standards
compliance. Spotted by Mats Dufberg, code in commit 2649.
* It turns out we were storing Botan keys the wrong way. Botan did not care
but Polar did, causing interoperability problems. Fixed in commit 2720,
with the kind help of Paul Bakker of PolarSSL. Fixes ticket 492 as reported
by Florian Obser via Debian.
* pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already
did. Code in commit 2692.
* pdns_control purge now also purges DNSSEC-related caches (keys and
metadata). Code in commit 2694, by Ruben d'Arco. Fixes ticket 530.
* The signer thread would die in specific situations, leaving you with a
non-working but very busy system. Fixed in commit 2668, commit 2670,
closing ticket 517.
* pdnssec secure-zone now warns when you just signed a slave zone. Suggested
by Mark Scholten, code in commit 2795, closes ticket 592.
* pdnssec check-zone now warns about out-of-zone data. Patch by Kees
Monshouwer in commit 2826, closing ticket 604.
* pdnssec now honours --no-config. Patch by Kees Monshouwer in commit 2810.
* Various fixes for bindbackend presigned operation, mostly by Kees
Monshouwer. Code in commit 2815, closing ticket 600.
* Bindbackend could get confused about domain metadata, sometimes even
causing hangs. Fixes by Kees Monshouwer in commit 2819 and commit 2834,
closing ticket 600 and ticket 603.
* SQL queries in gsql backends that reference the domain_id column have been
made explicit about from what table they want this column. This makes it
easier to operate custom schemas without changing the queries. Fix by Nicky
Gerritsen in commit 2821.
* In various situations involving CNAMEs and wildcards, and for ANY queries
involving CNAMEs, we would sometimes return bogus results. Fixed in commit
2825 by Kees Monshouwer.
* rectify-zone accidentally set auth=1 on NS records of secure delegations.
Reported by George Notaras, fixed by Kees Monshouwer in r2831, closing
* The DNSSEC signature cache now actually gets cleaned up, avoiding lasting
spikes in memory usage every Thursday. Code in commit 2836 and commit 2843,
closing ticket 594.
* Signatures used to roll at midnight on Thursday. We now roll them one hour
after midnight, with inception still set to midnight, to allow for some
variations in clock quality on resolvers. Code in commit 2857.
* Duplicate records (same name/type/content/priority) would sometimes get
broken RRSIGs during outgoing AXFR. Fixed in commit 2856.
* A root zone (name="") with DNSSEC would cause crashes in some situations.
Reported by Luuk Hendriks. Fixed in commit 2867, commit 2868, closing
* Direct RRSIG queries for zones with auto-completed SOA records would cause
trouble. Reported by Kees Monshouwer and fixed by him in r2869.
* When a name is matched only by a wildcard, but the type in the query is not
present, we would be lacking one NSEC(3) record to prove the existence of
the wildcard. Fixed by Kees Monshouwer in r2872 and r2873.
* Luuk Hendriks spotted that our PolarSSL RSA key generation code was using
inferior entropy. This can be important on virtual machines with badly
implemented clocks. Fixed in commit 2876, closing ticket 615.
Non-DNSSEC improvements/changes in 3.2:
* Bindbackend would sometimes crash on startup, due to a sync_with_stdio
call. This call has been moved to pdns_server proper to occur before any
threads are spawned, avoiding race conditions in this call. Note that this
crash has only been observed twice in thousands of regression test runs and
has never been reported in the real world. Change in commit 2882.
* Leen Besselink submitted query logging support for the SQLite3 parts in the
bindbackend. Code in commit 2874.
* Multi-backend operation would sometimes cause garbage domain IDs to be
passed to backends. Reported by Kees Monshouwer and fixed by him in r2871.
* Bindbackend would sometimes crash during reloads/rediscovers. The changes
in commit 2837 get rid of the crash, at the cost of returning SERVFAIL
during reloads. Closes ticket 564.
* Our label decompression code was naive, causing troubles for slaving of
very specifically formatted zones. Fix in ticket 2822, closes ticket 599.
* Bindbackend slaves would choke on unknown RR types and do silly things with
RP and SRV records. Fixed in commit 2811 and commit 2812.
* The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint
in commit 2794, additional luabackend compile fixes in commit 2854.
* A new backend, the 'Remote backend' (Section 16, “Remote Backend”), was
submitted by Aki Tuomi. It aims to replace the pipebackend with a better
protocol and support for more connection methods, including HTTP. Code in
commit 2755, commit 2756, commit 2757, commit 2758, commit 2759, commit
2824, closing ticket 529, ticket 597.
* The gsqlite (SQLite 2) backend was removed. We were not aware of any users
and it was not actually working anyway. Changes in commits 2773-2777,
closing ticket 565.
* Various tinydnsbackend improvements: ignore-bogus-records option; TAI
offset updated; strip dots on names where suitable; various internal
improvements. Code in commit 2762.
* gpgsql no longer logs the database password in connection errors. Code in
commit 2609, commit 2612, closing ticket 459.
* You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6
without getting replies from the wrong address. This much-requested feature
is implemented in commit 2763, commit 2766, commit 2779 and commit 2781.
Tested on Linux, FreeBSD and Mac OS X.
* 3.2 can be reliably built with or without Lua. This and many other
configure/compile-related fixes in commit 2610, commit 2611 / ticket 461,
commit 2666, commit 2671, commit 2672 / ticket 522, commit 2673 / ticket
522, commit 2696 / ticket 555, commit 2697 / ticket 457, commit 2698,
commit 2708, commit 2742 / ticket 462, commit 2752 / ticket 437, commit
2764, commit 2809, commit 2844, commit 2845, commit 2846, commit 2881.
* Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in
* Initscripts now have exit codes, submitted by Sander Hoentjen. Code in
commit 2728. Guardian now returns 0 instead of 1 when receiving SIGTERM,
requested by Morten Stevens of Fedora. Code in commit 2717.
* Mark Zealey submitted various performance improvement patches and
suggestions. Accepted as commit 2729 / ticket 579, commit 2730 / ticket 584,
commit 2731 / ticket 583, commit 2768 / ticket 578. Please see commit
messages for more details.
* pdnssec check-all-zones now reuses database connections, avoiding a socket
exhaustion issue in some situations. Code in commit 2749, closes ticket 519
* Ruben d'Arco submitted various improvements regarding trailing dots.
Additional lookups now try harder, pdnssec errors about trailing dots in
names, pdnssec warns about trailing dots in names inside content fields,
AXFR now strips the dot from SRV hostnames. Code in commit 2748, fixes
* Pre-3.0, backends would get cycled if they threw the right error. 3.2
reinstates this behaviour, as it is more robust. Change in commit 2734
(reverting commit 2100), fixes ticket 386.
* PowerDNS auth does not use the select() kernel/library call anymore. This
means fd-numbers over 1023 (and, in general, more than 1024 sockets,
including more than 1024 listening sockets) should now work reliably. Code
in commit 2739, commit 2740, fixes ticket 408.
* gmysql users can now specify the 'group' we connect as, using the
gmysql-group setting. Submitted by Kees Monshouwer, code in commit 2770,
commit 2771, commit 2778, commit 2780, closing ticket 463.
* The Linux-only traceback handler is now optional (use traceback-handler=off
to disable it). Suggested by Marc Haber. Change in commit 2798, closes
* We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent
behaviour between different operating systems. Change in commit 2799.
* MySQL connections are now logged at a higher loglevel, reducing log
clutter. Change in commit 2800.
* We now ship a systemd unit file in contrib/. Added in commit 2847 and
commit 2848, submitted by Morten Stevens.
* If a slave domain is removed while a transfer for it is queued, we no
longer try the transfer. This also avoids a rare crash in similar
circumstances. Code in commit 2802, closes ticket 596.
* When using pdnssec with gsql backends, sometimes an SSqlException would pop
up without any useful information. This no longer happens and errors are
now in general more meaningful. Fix in commit 2803.
* zone2sql now uses correct string syntax for PostgreSQL. This is needed for
importing with the changed default settings in PostgreSQL 9.2 and up. Code
in commit 2797, closes ticket 471.
* We no longer send v6 notifications if v6 is not available. Same for IPv4.
Code in commit 2772, fixes ticket 515.
* We would sometimes serve stale data after an incoming AXFR. Reported by
Martin Draschl, fixed by Ruben d'Arco in commit 2699, closing ticket 525.
* Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same
domain name into a database twice. Fixed in commit 2703, closing ticket 453
* pdnssec show-zone now works on a zone that has any number of keys, instead
of requiring active keys. Reported by Jeroen Tushuizen of myH2Oservers,
code in commit 2769, closes ticket 586.
* pdns-control notify-host now accepts v6 literals. Reported by Christof
Meerwald, fixed in commit 2704.
* The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code
in commit 2622.
* *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code
in commit 2645, closing ticket 472.
* We would sometimes leave the opcode of an outgoing packet uninitialized.
Fixed in commit 2680, closing ticket 532.
* nproxy can now listen on a configurable port. Code in commit 2684, fixes
* Improve mydnsbackend for SOA queries. Code in commit 2751, fixes ticket 439,
by Ruben d'Arco.
* Various non-functional fixes that make Valgrind happy (note that Valgrind
was right to complain in all of these situations), in commit 2715, commit
2716, commit 2718.
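The label decompression item above is the kind of parsing that needs bounds and pointer-loop checks. The decoder below is an added example, not PowerDNS's parser, of reading a compressed wire-format name (RFC 1035 section 4.1.4) defensively: it rejects pointers that do not go backwards, truncated data, and over-long labels or names. The read_name and is_malformed names are chosen here.

```python
from typing import List, Tuple

MAX_NAME_LEN = 255   # octets, including the terminating root label
MAX_LABEL_LEN = 63

def read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Added example, not PowerDNS code: return (name, offset past it)."""
    labels: List[str] = []
    pos, end_pos, total = offset, None, 0
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if pos + 1 >= len(packet):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | packet[pos + 1]
            # RFC 1035 pointers refer to a *prior* occurrence; insisting on a
            # strictly earlier offset makes pointer loops impossible.
            if target >= pos:
                raise ValueError("pointer does not point backwards")
            if end_pos is None:                    # caller resumes after 1st pointer
                end_pos = pos + 2
            pos = target
            continue
        if length & 0xC0:                          # 0x40/0x80: unknown label types
            raise ValueError("unsupported label type")
        if length == 0:                            # root label ends the name
            break
        if length > MAX_LABEL_LEN:
            raise ValueError("label longer than 63 octets")
        if pos + 1 + length > len(packet):
            raise ValueError("label runs past end of packet")
        total += 1 + length
        if total + 1 > MAX_NAME_LEN:               # +1 for the root label
            raise ValueError("name longer than 255 octets")
        labels.append(packet[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length
    if end_pos is None:
        end_pos = pos + 1
    return ".".join(labels) + ".", end_pos

def is_malformed(packet: bytes, offset: int = 0) -> bool:
    """True if the decoder rejects the name; handy for regression checks."""
    try:
        read_name(packet, offset)
        return False
    except ValueError:
        return True
```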
PowerDNS Website: http://www.powerdns.com/
PowerDNS Community Website: http://wiki.powerdns.com/
PowerDNS is supported and developed by Netherlabs: http://www.netherlabs.nl