[Pdns-announce] Recursor 3.7.1 released

Peter van Dijk peter.van.dijk at powerdns.com
Thu Feb 12 12:17:08 UTC 2015

Hi everybody,

We're pleased to announce the final release for 3.7.1. RC1 and RC2 have
seen a lot of production use already, which uncovered a small number of
issues which have been addressed in this release. We are very grateful for the people
that test our RCs, it really helps us deliver very reliable and robust
formal releases. Thanks!

As noted in a separate announcement earlier today (http://blog.powerdns.com/2015/02/12/new-powerdns-employee-the-importance-of-testing-rcs-skipping-3-7-0-world-hosting-days-2015/),
3.7.0 has been skipped and we are now releasing 3.7.1 instead.

More information about 3.7.1 can be found in our blogpost:


3.7.1 offers significant performance improvements when using IPv6 for
outgoing queries, which is only on if query-local-address6 is set to
something.  Secondly, we spent a lot of time with very large PowerDNS
deployments to preemptively improve our resilience against difficult or
malicious traffic.  To further enhance our resilience, the Lua module has
been enhanced with new (bulk & automated) filtering abilities.

This version of the Recursor can also publish live performance graphs & and
a realtime overview of (attack) traffic per domain name.  A demo of this can
be seen on https://xs.powerdns.com/tmp/powerdns-recursor-live.gif .  This is
an early development, but to try this out, consult

Tar.gz and packages are available on:

* https://downloads.powerdns.com/releases/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/
   (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).

The changelog with clickable links can also be found on

This version contains a mix of speedups and improvements, the combined
effect of which is vastly improved resilience against traffic spikes and
malicious query overloads.

PowerDNS Recursor 3.7.1

   Released February 12th, 2015.

   This version contains a mix of speedups and improvements, the combined
   effect of which is vastly improved resilience against traffic spikes
   and malicious query overloads.

   Of further note is the massive community contribution, mostly over
   Christmas. Especially Ruben Kerkhof, Pieter Lexis, Kees Monshouwer and
   Aki Tuomi delivered a lot of love. Thanks!

   Minor changes:
     * Removal of dead code here and there [399]04dc6d618
     * Per-qtype response counters are now 64 bit [400]297bb6acf on 64 bit
     * Add IPv6 addresses for b and c.root-servers.net hints
     * Add IP address to logging about terminated queries [402]37aa9904d
     * Improve qtype name logging [403]fab3ed345 (Aki Tuomi)
     * Redefine 'BAD_NETS' for dont-query based on newer IANA guidance
       [404]12cd44ee0 (lochiiconnectivity)
     * Add documentation links to systemd unit [405]eb154adfd (Ruben

     * Upgrade embedded PolarSSL to 1.3.9: [406]d330a2ea1
     * yahttp upgrade [407]c29097577 [408]c65a57e88 (Aki Tuomi)
     * Replace . in hostnames by - for Carbon so as not to confuse
       Metronome [409]46541751e
     * Manpages got a lot of love and are now built from Markdown (Pieter
     * Move to PolarSSL base64 [410]488360551 (Kees Monshouwer)
     * The quiet=no query logging is now more informative [411]461df9d20
     * We can finally bind to and :: and guarantee answers from
       the correct source [412]b71b60ee7
     * We use per-packet timestamps to drop ancient traffic in case of
       overload [413]b71b60ee7, non-Linux portability in [414]d63f0d836
     * Builtin webserver can be queried with the API key in the URL again
     * Ringbuffers are now available via API [416]c89f8cd02
     * Lua 5.3 compatibility [417]59c6fc3e3 (Kees Monshouwer)
     * No longer leave a stale UNIX domain socket around from rec_control
       if the recursor was down [418]524e4f4d8, ticket #2061
     * Running with 'quiet=no' would strangely actually prevent debug
       messages from being logged [419]f48d7b657
     * Webserver now implements CORS for the API [420]ea89a97e8, fixing
       ticket #1984
     * Houskeeping thread would sometimes run multiple times
       simultaneously, which worked, but was odd [421]cc59bce67

   New features:
     * New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses
       from the root-servers [422]01402d568
     * getregisteredname() for Lua, which turns 'www.bbc.co.uk' into
       'bbc.co.uk' [423]8cd4851be
     * Lua preoutquery filter [424]3457a2a0e
     * Lua IP-based filter (ipfilter) before parsing packets
     * iputils class for Lua, to quickly process IP addresses and netmasks
       in their native format
     * getregisteredname function for Lua, to find the registered domain
       for a given name
     * Various new ringbuffers: top-servfail-remotes,
       top-largeanswer-remotes, top-servfail-queries

     * Remove unneeded malloc traffic [426]93d4a8909 [427]8682c32bc
     * Our nameserver-loop detection carried around a lot of baggage for
       complex domain names, plus did not differentiate IPv4 and IPv6 well
       enough [429]891fbf888
     * Prioritize new queries over nameserver responses, improving latency
       under query bursts [430]bf3b0cec3
     * Remove escaping in case there was nothing to escape [431]83b746fd1
     * Our logging infrastructure had a lot of locking [432]d1449e4d0
     * Reduce logging level of certain common messages, which locked up
       synchronously logging systems [433]854d44e31
     * Add limit on total wall-clock time spent on a query [434]9de3e0340
     * Packet cache is now case-insensitive, which increases hitrate

   Security relevant:
     * Check for PIE, RELRO and stack protector during configure
       [436]8d0354b18 (Aki Tuomi)
     * Testing for support of PIE etc was improved in [437]b2053c28c and
       beyond, fixes #2125 (Ruben Kerkhof)
     * Max query-per-query limit (max-qperq) is now configurable

   Bugs fixed:
     * IPv6 outgoing queries had a disproportionate effect on our query
       load. Fixed in [439]76f190f2a and beyond.
     * rec_control gave incorrect output on a timeout [440]12997e9d8
     * When using the webserver AND having an error in the Lua script,
       recursor could crash during startup [441]62f0ae629
     * Hugely long version strings would trip up security polling
       [442]18b733382 (Kees Monshouwer)
     * The 'remotes' ringbuffer was sized incorrectly [443]f8f243b01
     * Cache sizes had an off-by-one scaling problem, with the wrong
       number of entries allocated per thread [444]f8f243b01
     * Our automatic file descriptor limit raising was attempted after
       setuid, which made it a lot less effective. Found and fixed by Aki
       Tuomi [445]a6414fdce
     * Timestamps used for dropping packets were occasionaly wrong
       [446]183eb8774 and [447]4c4765c10 (RC2) with thanks to Winfried for
     * In RC1, our new DoS protection measures would crash the Recursor if
       too many root sersvers were unreachable. [448]6a6fb05ad. Debugging
       and testing by Fusl.

   Various other documentation changes by Christian Hofstaedtler and Ruben
   Kerkhof. Lots of improvements all over the place by Kees Monshouwer.

More information about the Pdns-announce mailing list