[Pdns-announce] PowerDNS Authoritative Server 3.2-RC3 released!

bert hubert bert.hubert at netherlabs.nl
Sun Dec 23 12:04:34 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everybody,

Release Candidate 3 of the PowerDNS Authoritative Server 3.2 is available from:

http://powerdnssec.org/downloads/pdns-3.2-rc3.tar.gz
http://powerdnssec.org/downloads/packages/pdns-static-3.2rc3-1.i386.rpm
http://powerdnssec.org/downloads/packages/pdns-static-3.2rc3-1.x86_64.rpm
http://powerdnssec.org/downloads/packages/pdns-static_3.2-rc3-1_amd64.deb
http://powerdnssec.org/downloads/packages/pdns-static_3.2-rc3-1_i386.deb

You are cordially invited to (carefully) test this Release Candidate for
correct behaviour.

This version fixes one small important bug for high-load users, and we
sincerely hope we can do the real 3.2 release early in 2013. PowerDNS itself
already runs this RC in production.

Full release notes, with clickable links, are available from:
http://doc.powerdns.com/changelog.html#changelog-auth-3-2

This is a stability and confirmity update to 3.1. It mostly makes our DNSSEC
implementation more robust, and improves interoperability with various
validators. 3.2 has received very extensive testing on a lot of edge cases,
verifying output both against common validators and compared against other
authoritative servers.

In addition to all the changes below, we now auto-build semi-static packages.
Relevant changes to make that possible are in commit 2849, commit 2853, 2858,
commit 2859, commit 2860.

Changes between 3.2-RC3 and 3.2-RC2:

  * Michael Scheffler noticed that the lazy-recursion setting had no effect at
    all. Setting removed in commit 3003.

  * Mark Zealey found that an earlier performance improvement could cause
    crashes under high load, with lots of IPs configured in local-address and
    receiver-threads higher than 1. Fixed in commit 3005.

Changes between 3.2-RC1 and 3.2-RC2:

  * The udp-queries metric would only count on the first thread launched,
    instead of on all threads. Additionally, it was initialised at MAXINT at
    startup, instead of at 0. Both issues fixed by Kees Monshouwer in commit
    2999, closing ticket 491 and ticket 582.

  * Aki Tuomi contributed zone2json, a great way for programmers to benefit
    from our zone file parser. Code in commit 2997, closes ticket 509.

  * Our DNS TXT parser is not 8-bit safe, but our DNS TXT writer assumes the
    reader is! Reported by Jan-Piet Mens in ticket 541, commit 2993 fixes our
    writer but not yet our parser.

  * Ruben d'Arco did some improvements to the MyDNS backend, and provided a
    full test suite for it, that we now run after every commit. Code in commit
    2988.

  * Some exceptions from backends would lose their meaning while bubbling up.
    Fixed by Aki Tuomi in commit 2985, closing ticket 639.

  * The packet-cache honours max reply length while matching cached packets
    against queries, but not EDNS status. This would mean that EDNS-enabled
    replies with a 512 reply len could be returned on non-EDNS queries. Spotted
    while investigating a report from Winfried Angele, patched by Ruben d'Arco
    in commit 2982, closing ticket 630.

  * Errors involving creating, deletion or changing permissions on the control
    socket were unclear. Ruben d'Arco improved this in commit 2981.

  * pipe-timeout was always documented to be in milliseconds, but it turns out
    it was in seconds! commit 2971 changes them to actually be in ms, and
    'increases' the default from 1000 seconds to 2000 milliseconds.

  * Some exceptions would get dropped during inbound AXFR, yielding a log file
    that says 'transaction started' and nothing after that, making AXFR fail
    silently. commit 2976 and commit 2977 improve this somewhat.

  * We now error out on empty labels inside of names (www..example.com) instead
    of generating bogus reply packets. Code in commit 2972, reported by several
    users.

  * Doing chmod before chown, instead of the other way around, apparently
    avoids requiring a whole SELinux capability. Reported by Sander Hoentjen,
    fixed in r2965.

  * Christian Hofstaedtler fixed a bug in our Debian init.d script. Code in
    commit 2963.

  * Superslave errors ('Unable to find backend willing to host ..') now include
    the NSset found at the master, to aid debugging. Code in commit 2887.

  * commit 2874 in RC1 broke compilation without SQLite3 and made query logging
    unreliable. Fixed in commit 2888, commit 2889.

  * The dnsreplay tool now processes single packet pcaps. Fix in commit 2895.

  * PowerDNS always derives NSEC/NSEC3 from the actual zone content. To
    accomodate this, zone2sql now drops NSEC/NSEC3 records, as those should
    never be in a PowerDNS backend directly (commit 2915), bindbackend ignores
    NSEC/NSEC3 while reading zonefiles (commit 2917) and pdnssec reports NSEC/
    NSEC3 in the database as an error condition (commit 2918).

  * The bindbackend now ignores NSEC/NSEC3 records while reading zonefiles.
    Change in commit 2917.

  * An EXPERIMENTAL feature ('direct-dnskey') for reading ZSKs from the records
    table/your BIND zonefile was added in commit 2920, commit 2921, commit 2922
    .

  * While fully optional, PowerDNS supports direct RRSIG queries. Kees
    Monshouwer improved on our behaviour for those queries in commit 2927.

  * IPv6 glue situations require AAAA records for the receiving end of a
    delegation in the ADDITIONAL section of a referral. This was supported
    ('do-ipv6-additional-processing') but not enabled by default. commit 2929
    enables it by default.

  * pdnssec check-zone now warns for CNAME-and-other data at names in your
    zones. Code by Ruben d'Arco in commit 2930.

  * Positive ANY-responses would include a spurious NSEC3. Corrected in commit
    2932 and commit 2933, cleaned up by Kees Monshouwer in commit 2935.

  * The ldapbackend now allows overriding the base dn for AXFR subtree search.
    Fixed in commit 2934, closing ticket 536.

Changes below are in 3.2-RC1 but not RC2 and up.

DNSSEC changes in 3.2:

  * Kees Monshouwer did a tremendous amount of work to improve and perfect our
    DNSSEC implementation, mostly in the NSEC3 area. Code in commit 2687,
    commit 2689, commit 2691, fixing ticket 486, ticket 537, ticket 540. He
    also implemented support for Empty Non-Terminals, code in commit 2721,
    commit 2732, commit 2745, fixing ticket 127 and ticket 558.

  * Presigned wildcard operation was improved with the help of many parties
    (see commit message for commit 2676). Presigned operation was also changed
    to be more consistent with master/live-signing operation. Code and a full
    test suite in commit 2709, which also improves TTL behaviour for various
    situations. Fixes ticket 460, ticket 533, ticket 559.

  * Depending on database & locale settings, names starting with underscore
    would sometimes cause broken records. commit 2710 contains schema and code
    changes for the gpgsql and gmysql backends to sort this (no pun intended)
    definitively, closing ticket 550. In addition, a pdnssec test-schema
    command was added (experimental and incomplete). It can be used to verify
    underscore sorting and a few other parameters of the database. Code in
    commit 2714.

  * We now always include an EDNS section in responses to queries that also had
    an EDNS section. This was thought to improve BIND interoperability, but
    this turned out to be false. In any case, this change improves standards
    compliance. Spotted by Mats Dufberg, code in commit 2649.

  * It turns out we were storing Botan keys the wrong way. Botan did not care
    but Polar did, causing interoperability problems. Fixed in commit 2720,
    with the kind help of Paul Bakker of PolarSSL. Fixes ticket 492 as reported
    by Florian Obser via Debian.

  * pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already
    did. Code in commit 2692.

  * pdns_control purge now also purges DNSSEC-related caches (keys and
    metadata). Code in commit 2694, by Ruben d'Arco. Fixes ticket 530.

  * The signer thread would die in specific situations, leaving you with a
    non-working but very busy system. Fixed in commit 2668, commit 2670,
    closing ticket 517.

  * pdnssec secure-zone now warns when you just signed a slave zone. Suggested
    by Mark Scholten, code in commit 2795, closes ticket 592.

  * pdnssec check-zone now warns about out-of-zone data. Patch by Kees
    Monshouwer in commit 2826, closing ticket 604.

  * pdnssec now honours --no-config. Patch by Kees Monshouwer in commit 2810.

  * Various fixes for bindbackend presigned operation, mostly by Kees
    Monshouwer. Code in commit 2815, closing ticket 600.

  * Bindbackend could get confused about domain metadata, sometimes even
    causing hangs. Fixes by Kees Monshouwer in commit 2819 and commit 2834,
    closing ticket 600 and ticket 603.

  * SQL queries in gsql backends that reference the domain_id column have been
    made explicit about from what table they want this column. This makes it
    easier to operate custom schemas without changing the queries. Fix by Nicky
    Gerritsen in commit 2821.

  * In various situations involving CNAMEs and wildcards, and for ANY queries
    involving CNAMEs, we would sometimes return bogus results. Fixed in commit
    2825 by Kees Monshouwer.

  * rectify-zone accidentally set auth=1 on NS records of secure delegations.
    Reported by George Notaras, fixed by Kees Monshouwer in r2831, closing
    ticket 605.

  * The DNSSEC signature cache now actually gets cleaned up, avoiding lasting
    spikes in memory usage every thursday. Code in commit 2836 and commit 2843,
    closing ticket 594.

  * Signatures used to roll at midnight on thursday. We now roll them one hour
    after midnight, with inception still set to midnight, to allow for some
    variations in clock quality on resolvers. Code in commit 2857.

  * Duplicate records (same name/type/content/priority) would sometimes get
    broken RRSIGs during outgoing AXFR. Fixed in commit 2856.

  * A root zone (name="") with DNSSEC would cause crashes in some situations.
    Reported by Luuk Hendriks. Fixed in commit 2867, commit 2868, closing
    ticket 614.

  * Direct RRSIG queries for zones with auto-completed SOA records would cause
    trouble. Reported by Kees Monshouwer and fixed by him in r2869.

  * When a name is matched only by a wildcard, but the type in the query is not
    present, we would be lacking one NSEC(3) record to prove the existence of
    the wildcard. Fixed by Kees Monshouwer in r2872 and r2873.

  * Luuk Hendriks spotted that our PolarSSL RSA key generation code was using
    inferior entropy. This can be important on virtual machines with badly
    implemented clocks. Fixed in commit 2876, closing ticket 615.

Non-DNSSEC improvements/changes in 3.2:

  * Bindbackend would sometimes crash on startup, due to a sync_with_stdio
    call. This call has been moved to pdns_server proper to occur before any
    threads are spawned, avoiding race conditions in this call. Note that this
    crash has only been observed twice in thousands of regression test runs and
    has never been reported in the real world. Change in commit 2882.

  * Leen Besselink submitted query logging support for the SQLite3 parts in the
    bindbackend. Code in commit 2874.

  * Multi-backend operation would sometimes cause garbage domain IDs to be
    passed to backends. Reported by Kees Monshouwer and fixed by him in r2871.

  * Bindbackend would sometimes crash during reloads/rediscovers. The changes
    in commit 2837 get rid of the crash, at the cost of returning SERVFAIL
    during reloads. Closes ticket 564.

  * Our label decompression code was naive, causing troubles for slaving of
    very specifically formatted zones. Fix in ticket 2822, closes ticket 599.

  * Bindbackend slaves would choke on unknown RR types and do silly things with
    RP and SRV records. Fixed in commit 2811 and commit 2812.

  * The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint
    in commit 2794, additional luabackend compile fixes in commit 2854.

  * A new backend, the 'Remote backend' Section 16, “Remote Backend” was
    submitted by Aki Tuomi. It aims to replace the pipebackend with a better
    protocol and support for more connection methods, including HTTP. Code in
    commit 2755, commit 2756, commit 2757, commit 2758, commit 2759, commit
    2824, closing ticket 529, ticket 597.

  * The gsqlite (SQLite 2) backend was removed. We were not aware of any users
    and it was not actually working anyway. Changes in commits 2773-2777,
    closing ticket 565.

  * Various tinydnsbackend improvements: ignore-bogus-records option; TAI
    offset updated; strip dots on names where suitable; various internal
    improvements. Code in commit 2762.

  * gpgsql no longer logs the database password in connection errors. Code in
    commit 2609, commit 2612, closing ticket 459.

  * You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6
    without getting replies from the wrong address. This much-requested feature
    is implemented in commit 2763, commit 2766, commit 2779 and commit 2781.
    Tested on Linux, FreeBSD and Mac OS X.

  * 3.2 can be reliably built with or without Lua. This and many other
    configure/compile-related fixes in commit 2610, commit 2611 / ticket 461,
    commit 2666, commit 2671, commit 2672 / ticket 522, commit 2673 / ticket
    522, commit 2696 / ticket 555, commit 2697 / ticket 457, commit 2698,
    commit 2708, commit 2742 / ticket 462), commit 2752 / ticket 437, commit
    2764, commit 2809, commit 2844, commit 2845, commit 2846, commit 2881.

  * Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in
    commit 2616.

  * Initscripts now have exit codes, submitted by Sander Hoentjen. Code in
    commit 2728. Guardian now returns 0 instead of 1 when receiving SIGTERM,
    requested by Morten Stevens of Fedora. Code in commit 2717.

  * Mark Zealey submitted various performance improvement patches and
    suggestions. Accepted as commit 2729 / ticket 579, commit 2730 / ticket 584
    ), commit 2731 / ticket 583), commit 2768 / ticket 578). Please see commit
    messages for more details.

  * pdnssec check-all-zones now reuses database connections, avoiding a socket
    exhaustion issue in some situations. Code in commit 2749, closes ticket 519
    .

  * Ruben d'Arco submitted various improvements regarding trailing dots.
    Additional lookups now try harder, pdnssec errors about trailing dots in
    names, pdnssec warns about trailing dots in names inside content fields,
    AXFR now strips the dot from SRV hostnames. Code in commit 2748, fixes
    ticket 289.

  * Pre-3.0, backends would get cycled if they threw the right error. 3.2
    reinstates this behaviour, as it is more robust. Change in commit 2734
    (reverting commit 2100), fixes ticket 386.

  * PowerDNS auth does not use the select() kernel/library call anymore. This
    means fd-numbers over 1023 (and, in general, more than 1024 sockets,
    including more than 1024 listening sockets) should now work reliably. Code
    in commit 2739, commit 2740, fixes ticket 408.

  * gmysql users can now specify the 'group' we connect as, using the
    gmysql-group setting. Submitted by Kees Monshouwer, code in commit 2770,
    commit 2771, commit 2778, commit 2780, closing ticket 463.

  * The Linux-only traceback handler is now optional (use traceback-handler=off
    to disable it). Suggested by Marc Haber. Change in commit 2798, closes
    ticket 497.

  * We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent
    behaviour between different operating systems. Change in commit 2799.

  * MySQL connections are now logged at a higher loglevel, reducing log
    clutter. Change in commit 2800.

  * We now ship a systemd unit file in contrib/. Added in commit 2847 and
    commit 2848, submitted by Morten Stevens.

Assorted bugfixes:

  * If a slave domain is removed while a transfer for it is queued, we no
    longer try the transfer. This also avoids a rare crash in similar
    circumstances. Code in commit 2802, closes ticket 596.

  * When using pdnssec with gsql backends, sometimes an SSqlException would pop
    up without any useful information. This no longer happens and errors are
    now in general more meaningful. Fix in commit 2803.

  * zone2sql now uses correct string syntax for PostgreSQL. This is needed for
    importing with the changed default settings in PostgreSQL 9.2 and up. Code
    in commit 2797, closes ticket 471.

  * We no longer send v6 notifications if v6 is not available. Same for IPv4.
    Code in commit 2772, fixes ticket 515.

  * We would sometimes serve stale data after an incoming AXFR. Reported by
    Martin Draschl, fixed by Ruben d'Arco in commit 2699, closing ticket 525.

  * Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same
    domain name into a database twice. Fixed in commit 2703, closing ticket 453
    .

  * pdnssec show-zone now works on a zone that has any number of keys, instead
    of requiring active keys. Reported by Jeroen Tushuizen of myH2Oservers,
    code in commit 2769, closes ticket 586.

  * pdns-control notify-host now accepts v6 literals. Reported by Christof
    Meerwald, fixed in commit 2704.

  * The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code
    in commit 2622.

  * *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code
    in commit 2645, closing ticket 472.

  * We would sometimes leave the opcode of an outgoing packet uninitialized.
    Fixed in commit 2680, closing ticket 532.

  * nproxy can now listen on a configurable port. Code in commit 2684, fixes
    ticket 534.

  * Improve mydnsbackend for SOA queries. Code in commit 2751, fixes ticket 439
    , by Ruben d'Arco.

  * Various non-functional fixes that make Valgrind happy (note that Valgrind
    was right to complain in all of these situations), in commit 2715, commit
    2716, commit 2718.

- -- 
PowerDNS Website: http://www.powerdns.com/
PowerDNS Community Website: http://wiki.powerdns.com/
PowerDNS is supported and developed by Netherlabs: http://www.netherlabs.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlDW81IACgkQHF7pkNLnFXVOZQCfVwMybNNk8PQw2KfwyMKitt71
7kgAn0AFD5MUmU4Hhroc6zh2rUVrXgTR
=K845
-----END PGP SIGNATURE-----



More information about the Pdns-announce mailing list