[Pdns-announce] PowerDNS Authoritative Server 3.4.2 Released

bert hubert bert.hubert at powerdns.com
Tue Feb 3 10:34:42 UTC 2015

Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a major
upgrade if you are coming from 2.9.x.  Additionally, if you are coming from
any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. 
Please refer to the Upgrade documentation for important information on
correct and stable operation, as well as notes on performance and memory

Find the downloads on our download page, https://www.powerdns.com/downloads.html

This is a performance and bugfix update to 3.4.1 and any earlier version.
For high traffic setups, including those using DNSSEC, upgrading to 3.4.2
may show tremendous performance increases. Please let us know.

We would like to thank Patrik Wallström of IIS, Kees Monshouwer and Fredrik
Eriksson of Loopia for working with us on solving several issues that only
became apparent on a 750000 domain (!) DNSSEC installation, the last of
which we could eventually trace to memory fragmentation in the secure
allocator of our cryptography library.  This bug chase, which lasted for
over a month, led to numerous other improvements, like better statistical
metrics for plotting (actual CPU usage, uptime, key cache size,
signatures/s) and the 'sharding' of our internal caches to better support
multi-CPU operations.

A list of changes since 3.4.1 follows. Please see the full clickable changelog at 


* implement CORS for the HTTP API
* qtype is now case insensitive in API and database
* Allow (optional) PIE hardening
* json-api: remove priority from json
* backport remotebackend fixes
* Support Lua 5.3
* support single-type ZSK signing
* Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to
  load before we chroot.  I can't reproduce the bug on my local system, but
  this "should" help. 
* update polarssl to 1.3.9

Bug fixes:

* refuse overly long labels in names

* auth: limit long version strings to 63 characters and catch exceptions in

* pdnssec: fix ttl check for RRSIG records
* fix up latency reporting for sub-millisecond latencies (would clip to 0)
* make sure we don't throw an exception on "pdns_control show" of an unknown 
* fix startup race condition with carbon thread already trying to broadcast 
  uninitialized data
* make qsize-q more robust
* Kees Monshouwer discovered we count corrupt packets and EAGAIN situations as 
  validly received packets, skewing the udp questions/answers graphs on auth.
* make latency & qsize reporting 'live'. Plus fix that we only reported the qsize
  of the first distributor.
* fix up statbag for carbon protocol and function pointers
* get priority from table in Lua axfrfilter; fixes ticket #1857
* various backends: fix records pointing at root
* remove additional layer of trailing . stripping, which broke MX records to the 
  root in the BIND backend. Should close ticket #1243.
* api: use uncached results for getKeys()
* read ALLOW-AXFR-FROM from the backend with the metadata

Minor changes:

* move manpages to section 1
* secpoll: Replace ~ with _
* only zones with an active ksk are secure
* api: show keys for zones without active ksk

New features:

* add signatures metric to auth, so we can plot signatures/second
* pdns_control: make it possible to notify all zones at once
* JSON API: provide flush-cache, notify, axfr-receive
* add 'bench-db' to do very simple database backend performance benchmark
* enable callback based metrics to statbags, and add 5 such metrics: uptime, 
  sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size

Performance improvements:

* better key for packetcache
* don't do time(0) under signature cache lock
* shard the packet cache, closing ticket #1910.
* with thanks to Jack Lloyd, this works around the default Botan allocator 
  slowing down for us during production use.
