[Pdns-announce] Recursor 3.7.1 released
Peter van Dijk
peter.van.dijk at powerdns.com
Thu Feb 12 12:17:08 UTC 2015
Hi everybody,
We're pleased to announce the final release for 3.7.1. RC1 and RC2 have
seen a lot of production use already, which uncovered a small number of
issues which have been addressed in this release. We are very grateful to the
people who test our RCs; it really helps us deliver very reliable and robust
formal releases. Thanks!
As noted in a separate announcement earlier today (http://blog.powerdns.com/2015/02/12/new-powerdns-employee-the-importance-of-testing-rcs-skipping-3-7-0-world-hosting-days-2015/),
3.7.0 has been skipped and we are now releasing 3.7.1 instead.
More information about 3.7.1 can be found in our blogpost:
http://blog.powerdns.com/2015/01/22/an-introduction-to-powerdns-recursor-3-7-0/
3.7.1 offers significant performance improvements when using IPv6 for
outgoing queries, which is only on if query-local-address6 is set to
something. Secondly, we spent a lot of time with very large PowerDNS
deployments to preemptively improve our resilience against difficult or
malicious traffic. To further enhance our resilience, the Lua module has
been enhanced with new (bulk & automated) filtering abilities.
This version of the Recursor can also publish live performance graphs and
a realtime overview of (attack) traffic per domain name. A demo of this can
be seen on https://xs.powerdns.com/tmp/powerdns-recursor-live.gif . This is
an early development, but to try this out, consult
https://github.com/ahupowerdns/recuweb
Tar.gz and packages are available on:
* https://downloads.powerdns.com/releases/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/
  (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).
The changelog with clickable links can also be found on
https://doc.powerdns.com/md/changelog/#powerdns-recursor-371
PowerDNS Recursor 3.7.1
Released February 12th, 2015.
This version contains a mix of speedups and improvements, the combined
effect of which is vastly improved resilience against traffic spikes
and malicious query overloads.
Of further note is the massive community contribution, mostly over
Christmas. Especially Ruben Kerkhof, Pieter Lexis, Kees Monshouwer and
Aki Tuomi delivered a lot of love. Thanks!
Minor changes:
* Removal of dead code here and there 04dc6d618
* Per-qtype response counters are now 64 bit 297bb6acf on 64 bit
  systems
* Add IPv6 addresses for b and c.root-servers.net hints efc259542
* Add IP address to logging about terminated queries 37aa9904d
* Improve qtype name logging fab3ed345 (Aki Tuomi)
* Redefine 'BAD_NETS' for dont-query based on newer IANA guidance
  12cd44ee0 (lochiiconnectivity)
* Add documentation links to systemd unit eb154adfd (Ruben Kerkhof)
Improvements:
* Upgrade embedded PolarSSL to 1.3.9: d330a2ea1
* yahttp upgrade c29097577 c65a57e88 (Aki Tuomi)
* Replace . in hostnames by - for Carbon so as not to confuse
  Metronome 46541751e
* Manpages got a lot of love and are now built from Markdown (Pieter
  Lexis)
* Move to PolarSSL base64 488360551 (Kees Monshouwer)
* The quiet=no query logging is now more informative 461df9d20
* We can finally bind to 0.0.0.0 and :: and guarantee answers from
  the correct source b71b60ee7
* We use per-packet timestamps to drop ancient traffic in case of
  overload b71b60ee7, non-Linux portability in d63f0d836
* Builtin webserver can be queried with the API key in the URL again
  c89f8cd02
* Ringbuffers are now available via API c89f8cd02
* Lua 5.3 compatibility 59c6fc3e3 (Kees Monshouwer)
* No longer leave a stale UNIX domain socket around from rec_control
  if the recursor was down 524e4f4d8, ticket #2061
* Running with 'quiet=no' would strangely actually prevent debug
  messages from being logged f48d7b657
* Webserver now implements CORS for the API ea89a97e8, fixing
  ticket #1984
* Housekeeping thread would sometimes run multiple times
  simultaneously, which worked, but was odd cc59bce67
New features:
* New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses
  from the root-servers 01402d568
* getregisteredname() for Lua, which turns 'www.bbc.co.uk' into
  'bbc.co.uk' 8cd4851be
* Lua preoutquery filter 3457a2a0e
* Lua IP-based filter (ipfilter) before parsing packets 4ea949413
* iputils class for Lua, to quickly process IP addresses and netmasks
  in their native format
* getregisteredname function for Lua, to find the registered domain
  for a given name
* Various new ringbuffers: top-servfail-remotes,
  top-largeanswer-remotes, top-servfail-queries
Speedups:
* Remove unneeded malloc traffic 93d4a8909 8682c32bc a903b39cf
* Our nameserver-loop detection carried around a lot of baggage for
  complex domain names, plus did not differentiate IPv4 and IPv6 well
  enough 891fbf888
* Prioritize new queries over nameserver responses, improving latency
  under query bursts bf3b0cec3
* Remove escaping in case there was nothing to escape 83b746fd1
* Our logging infrastructure had a lot of locking d1449e4d0
* Reduce logging level of certain common messages, which locked up
  synchronously logging systems 854d44e31
* Add limit on total wall-clock time spent on a query 9de3e0340
* Packet cache is now case-insensitive, which increases hitrate
  90974597a
Security relevant:
* Check for PIE, RELRO and stack protector during configure
  8d0354b18 (Aki Tuomi)
* Testing for support of PIE etc was improved in b2053c28c and
  beyond, fixes #2125 (Ruben Kerkhof)
* Max query-per-query limit (max-qperq) is now configurable
  173d790ea
Bugs fixed:
* IPv6 outgoing queries had a disproportionate effect on our query
  load. Fixed in 76f190f2a and beyond.
* rec_control gave incorrect output on a timeout 12997e9d8
* When using the webserver AND having an error in the Lua script,
  recursor could crash during startup 62f0ae629
* Hugely long version strings would trip up security polling
  18b733382 (Kees Monshouwer)
* The 'remotes' ringbuffer was sized incorrectly f8f243b01
* Cache sizes had an off-by-one scaling problem, with the wrong
  number of entries allocated per thread f8f243b01
* Our automatic file descriptor limit raising was attempted after
  setuid, which made it a lot less effective. Found and fixed by Aki
  Tuomi a6414fdce
* Timestamps used for dropping packets were occasionally wrong
  183eb8774 and 4c4765c10 (RC2) with thanks to Winfried for
  debugging.
* In RC1, our new DoS protection measures would crash the Recursor if
  too many root servers were unreachable. 6a6fb05ad. Debugging
  and testing by Fusl.
Various other documentation changes by Christian Hofstaedtler and Ruben
Kerkhof. Lots of improvements all over the place by Kees Monshouwer.