[Pdns-announce] Introducing 3.7.0 blogpost + PowerDNS Recursor 3.7.0-RC2 available

bert hubert bert.hubert at powerdns.com
Wed Feb 4 11:22:04 UTC 2015

Hi everybody,

We're pleased to announce the second release candidate for 3.7.0. RC1 has
seen a lot of production use already, which uncovered a small number of
issues which have been addressed in RC2. We are very grateful to the people
who test our RCs; it really helps us deliver very reliable and robust
formal releases. Thanks!

More information about 3.7.0 can be found in our blogpost:


3.7.0 offers significant performance improvements when using IPv6 for
outgoing queries, which is only on if query-local-address6 is set to
something.  Secondly, we spent a lot of time with very large PowerDNS
deployments to preemptively improve our resilience against difficult or
malicious traffic.  To further enhance our resilience, the Lua module has
been enhanced with new (bulk & automated) filtering abilities.

This version of the Recursor can also publish live performance graphs and
a realtime overview of (attack) traffic per domain name.  A demo of this can
be seen on https://xs.powerdns.com/tmp/powerdns-recursor-live.gif .  This is
an early development, but to try this out, consult

Tar.gz and packages are available on:

 * https://downloads.powerdns.com/testing/ 
 * Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/rc2/   
   (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).

The changelog with clickable links can also be found on 

Changes new to RC2 are marked as such.

This version contains a mix of speedups and improvements, the combined
effect of which is vastly improved resilience against traffic spikes and
malicious query overloads.

Minor changes:

 * Removal of dead code here and there 04dc6d618
 * Per-qtype response counters are now 64 bit 297bb6acf on 64 bit systems
 * Add IPv6 addresses for b and c.root-servers.net hints efc259542
 * Add IP address to logging about terminated queries 37aa9904d
 * Improve qtype name logging fab3ed345 (Aki Tuomi)
 * Redefine 'BAD_NETS' for dont-query based on newer IANA guidance 12cd44ee0
   (lochiiconnectivity)
 * Add documentation links to systemd unit eb154adfd (Ruben Kerkhof)


 * Upgrade embedded PolarSSL to 1.3.9: d330a2ea1
 * yahttp upgrade c29097577 c65a57e88 (Aki Tuomi)
 * Replace . in hostnames by - for Carbon so as not to confuse Metronome
 * Manpages got a lot of love and are now built from Markdown (Pieter Lexis)
 * Move to PolarSSL base64 488360551 (Kees Monshouwer)
 * The quiet=no query logging is now more informative 461df9d20
 * We can finally bind to and :: and guarantee answers from the correct
   source b71b60ee7
 * We use per-packet timestamps to drop ancient traffic in case of overload
 * Builtin webserver can be queried with the API key in the URL again c89f8cd02
 * Ringbuffers are now available via API c89f8cd02
 * Lua 5.3 compatibility 59c6fc3e3 (Kees Monshouwer)
 * No longer leave a stale UNIX domain socket around from rec_control if the
   recursor was down 524e4f4d8, ticket #2061 (RC2)
 * Running with 'quiet=no' would strangely actually prevent debug messages from
   being logged f48d7b657 (RC2)
 * Webserver now implements CORS for the API ea89a97e8 (RC2), fixing ticket
 * Housekeeping thread would sometimes run multiple times simultaneously, which
   worked, but was odd cc59bce67 (RC2)
 * Tweaked the DoS timeouts somewhat compared to RC1 c59501468 based on
   feedback (RC2)

New features:

 * Lua preoutquery filter 3457a2a0e
 * Lua IP-based filter (ipfilter) before parsing packets 4ea949413
 * iputils class for Lua, to quickly process IP addresses and netmasks in their
   native format
 * Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes,


 * Remove unneeded malloc traffic 93d4a8909 8682c32bc a903b39cf
 * Our nameserver-loop detection carried around a lot of baggage for complex
   domain names, plus did not differentiate IPv4 and IPv6 well enough 891fbf888
 * Prioritize new queries over nameserver responses, improving latency under
   query bursts bf3b0cec3
 * Remove escaping in case there was nothing to escape 83b746fd1
 * Our logging infrastructure had a lot of locking d1449e4d0
 * Reduce logging level of certain common messages, which locked up
   synchronously logging systems 854d44e31
 * Add limit on total wall-clock time spent on a query 9de3e0340
 * Packet cache is now case-insensitive, which increases hitrate 90974597a

Security relevant:

 * Check for PIE, RELRO and stack protector during configure 8d0354b18 (Aki
 * Testing for support of PIE etc was improved in b2053c28c and beyond, fixes
   #2125 (Ruben Kerkhof)
 * Max query-per-query limit (max-qperq) is now configurable 173d790ea

Bugs fixed:

 * IPv6 outgoing queries had a disproportionate effect on our query load. Fixed
   in 76f190f2a and beyond.
 * rec_control gave incorrect output on a timeout 12997e9d8
 * When using the webserver AND having an error in the Lua script, recursor
   could crash during startup 62f0ae629
 * Hugely long version strings would trip up security polling 18b733382 (Kees
 * The 'remotes' ringbuffer was sized incorrectly f8f243b01 (RC2)
 * Cache sizes had an off-by-one scaling problem, with the wrong number of
   entries allocated per thread f8f243b01 (RC2)
 * Our automatic file descriptor limit raising was attempted after setuid,
   which made it a lot less effective. Found and fixed by Aki Tuomi a6414fdce
 * Timestamps used for dropping packets were occasionally wrong 183eb8774 and
   4c4765c10 (RC2) with thanks to Winfried for debugging.
 * In RC1, our new DoS protection measures would crash the Recursor if too many
   root servers were unreachable. 6a6fb05ad. Debugging and testing by Fusl.

Various other documentation changes by Christian Hofstaedtler and Ruben
Kerkhof. Lots of improvements all over the place by Kees Monshouwer.
