From erik.winkels at open-xchange.com Fri Feb 1 13:34:22 2019
From: erik.winkels at open-xchange.com (Erik Winkels)
Date: Fri, 1 Feb 2019 14:34:22 +0100 (CET)
Subject: [Pdns-announce] PowerDNS Recursor 4.1.11 Released
Message-ID: <1439436480.3588.1549028063003@appsuite-guard.open-xchange.com>

Hi,

We just released PowerDNS Recursor 4.1.11.

Since Spectre / Meltdown, system calls have become more expensive. In addition, relevant versions of glibc turn out to implement `pthread_cond_wait` and `pthread_cond_signal` in such a way that they always use multiple system calls. There is an optimization in glibc to improve this, but it is disabled.

This new setup changes our protobuf logging so it amortizes system calls, so we perform far less than one call per message.

Note that our previous `RemoteLogger` was configured in terms of how many messages it would buffer. Our new code is configured in terms of how many bytes. I have multiplied the configured numbers by 100 elsewhere (recursor config, dnsdist config) to sort of maintain parity.

In addition, the old `RemoteLogger` would buffer messages while there was no connection available. We no longer do this.

Finally, also new: every `reconnectTimeout` seconds we will flush our buffers opportunistically to not keep people waiting.

The changelog[1]:

- #7434: Add an option to export only responses over protobuf
- #7430: Reduce system call usage in protobuf logging

The tarball[2] (signature[3]) is available at https://downloads.powerdns.com/releases/ and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Bionic, Trusty and Xenial are available from https://repo.powerdns.com/ .

Please send us all feedback and issues you might have via the mailing list[4], or in case of a bug, via GitHub[5].
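The buffering scheme described above (a buffer sized in bytes rather than messages, messages dropped rather than buffered while no connection is available, and an opportunistic flush once `reconnectTimeout` seconds have passed) can be illustrated with the following added example. This is not PowerDNS code; the class and method names, the two-byte length-prefix framing, the integer-seconds clock and the `Sink` callback standing in for the socket write are all assumptions made for the illustration.

```cpp
// Added illustration of a byte-bounded, time-bounded log buffer that
// amortizes write() calls. Not PowerDNS code; names and framing are assumed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <utility>

class ByteBufferedLogger {
public:
  // Stands in for one write() on the logging socket (assumption).
  using Sink = std::function<void(const std::string&)>;

  ByteBufferedLogger(size_t maxBytes, uint64_t reconnectTimeout, Sink sink)
    : d_maxBytes(maxBytes), d_reconnectTimeout(reconnectTimeout), d_sink(std::move(sink)) {}

  void setConnected(bool up) { d_connected = up; }

  // Queue one serialized message at time `now` (seconds, monotonic, assumed).
  // Returns false when the message is dropped because no connection is up:
  // nothing is buffered while disconnected.
  bool queueData(const std::string& message, uint64_t now) {
    if (!d_connected) { ++d_dropped; return false; }
    // Two-byte big-endian length prefix so the receiver can re-frame the batch
    // (assumed framing for this example).
    const uint16_t len = static_cast<uint16_t>(message.size());
    d_buffer.push_back(static_cast<char>(len >> 8));
    d_buffer.push_back(static_cast<char>(len & 0xff));
    d_buffer.append(message);
    // The buffer is bounded in bytes, not in messages: one write() per batch.
    if (d_buffer.size() >= d_maxBytes) flush(now);
    return true;
  }

  // Opportunistic flush, called periodically: once reconnectTimeout seconds
  // have elapsed since the last flush, push out whatever is buffered.
  void flushIfStale(uint64_t now) {
    if (!d_buffer.empty() && now - d_lastFlush >= d_reconnectTimeout) flush(now);
  }

  size_t bufferedBytes() const { return d_buffer.size(); }
  size_t writeCalls() const { return d_writeCalls; }
  size_t dropped() const { return d_dropped; }

private:
  void flush(uint64_t now) {
    d_sink(d_buffer);  // a single write() for the whole batch
    ++d_writeCalls;
    d_buffer.clear();
    d_lastFlush = now;
  }

  size_t d_maxBytes;
  uint64_t d_reconnectTimeout;
  Sink d_sink;
  std::string d_buffer;
  uint64_t d_lastFlush{0};
  size_t d_writeCalls{0};
  size_t d_dropped{0};
  bool d_connected{false};
};

struct ScenarioResult { size_t writes; size_t bytes; size_t dropped; size_t buffered; };

// Constructed scenario: 101 messages of 50 bytes each (48 payload + 2 prefix)
// through a 1000-byte buffer with a 5-second reconnectTimeout.
ScenarioResult runScenario() {
  ScenarioResult r{0, 0, 0, 0};
  ByteBufferedLogger logger(1000, 5, [&r](const std::string& batch) {
    ++r.writes;
    r.bytes += batch.size();
  });
  logger.setConnected(true);
  const std::string msg(48, 'x');                            // constructed sample payload
  for (int i = 0; i < 100; ++i) logger.queueData(msg, 0);    // 20 messages fill 1000 bytes: 5 flushes
  logger.queueData(msg, 1);                                  // one more message stays buffered
  logger.flushIfStale(3);                                    // only 3 s since last flush: no write
  logger.flushIfStale(5);                                    // reconnectTimeout reached: flushed
  logger.setConnected(false);
  logger.queueData(msg, 6);                                  // no connection: dropped, not buffered
  r.dropped = logger.dropped();
  r.buffered = logger.bufferedBytes();
  return r;
}

int main() {
  const ScenarioResult r = runScenario();
  std::printf("101 messages queued: %zu write() calls, %zu bytes, %zu dropped, %zu still buffered\n",
              r.writes, r.bytes, r.dropped, r.buffered);
  return 0;
}
```

The scenario ends with six write calls for a hundred delivered messages; the same traffic through a one-call-per-message logger would cost a hundred. The byte bound is also why a message-count setting had to be rescaled when migrating: the two units only line up for one particular message size.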
[1] https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.11
[2] https://downloads.powerdns.com/releases/pdns-recursor-4.1.11.tar.bz2
[3] https://downloads.powerdns.com/releases/pdns-recursor-4.1.11.tar.bz2.sig
[4] https://mailman.powerdns.com/mailman/listinfo/pdns-users
[5] https://github.com/PowerDNS/pdns/issues/new

--
Erik Winkels
PowerDNS.COM BV -- https://www.powerdns.com

From erik.winkels at open-xchange.com Fri Feb 1 15:52:25 2019
From: erik.winkels at open-xchange.com (Erik Winkels)
Date: Fri, 1 Feb 2019 16:52:25 +0100 (CET)
Subject: [Pdns-announce] PowerDNS Recursor v4.2.0-alpha1 Available!
Message-ID: <1308526155.3690.1549036345699@appsuite-guard.open-xchange.com>

(From: https://blog.powerdns.com/2019/02/01/changes-in-the-powerdns-recursor-4-2-0/ )

The 4.2.0 release of the PowerDNS Recursor brings a lot of small, incremental changes over the 4.1.x releases. We expect little operational impact when upgrading from 4.1.x. However, several new features have been implemented and some features have changed.

This release was made possible by contributions from: Gibheer, cclauss, Aki Tuomi, Ruben, Doug Freed, Richard Gibson, Peter Gervai, Oli, Josh Soref, Rens Houben, Kirill Ponomarev, Kees Monshouwer, Matt Nordhoff, OSSO B.V., phonedph1, Rafael Buchbinder, Ruben Kerkhof, spirillen, Tom Ivar Helbekkmo and Chris Hofstaedtler. Thanks!

DNS FLAG DAY

The 4.2.0 release of the PowerDNS Recursor removes several workarounds for authoritative servers that respond badly to EDNS(0) queries. This is part of a multi-vendor[1] effort known as DNS Flag Day[2] to move the DNS ecosystem forward by being less lenient on non-conforming implementations.

XPF SUPPORT

This release adds support for DNS `X-Proxied-For` (draft-bellis-dnsop-xpf-04[3]). This technique is roughly equivalent to HTTP's `X-Forwarded-For` header: it can communicate the IP address and port of the original requestor from a load balancer / frontend (like dnsdist) to the backend server. This can allow the backend server to make decisions regarding that specific client.

XPF is disabled by default and can be enabled by setting the `xpf-allow-from` setting to the source IP address of the front-end proxy and setting `xpf-rr-code` to the code of the resource record used by the frontend.

EDNS CLIENT SUBNET IMPROVEMENTS

More granularity has been added for the users of EDNS Client Subnet[4]. The new `ecs-add-for` setting can be set to a list of netmasks for which the requestor’s IP address should be used as the EDNS Client Subnet for outgoing queries. For IP addresses not on this list, the PowerDNS Recursor will use the `ecs-scope-zero-address` instead, which matches the behavior of 4.1.x. Valid incoming ECS values from `use-incoming-edns-subnet` are not replaced.

NEW AND UPDATED SETTINGS

Sites that process large numbers of queries per second (100k+) may benefit from the new `distributor-threads` setting. This can be used in combination with `pdns-distributes-queries=yes` to spawn multiple threads that will pick up incoming queries and distribute them over the worker threads.

For several statistics, the PowerDNS Recursor uses a public suffix list[5] to group queries. Before, this list was built into the binary and only updated for every release. This release adds the `public-suffix-list-file` setting that allows operators to supply their own public suffix list. This option is unset by default, which means the built-in list is used.

Over the last years it has become clear that many networks on the internet lose large UDP packets, leading to authoritative servers being seen as dead from the recursor’s perspective. To ensure return packets from authoritative servers have a better chance of reaching the recursor, the `edns-outgoing-bufsize` setting’s default has changed from 1680 to 1232. 1232 was chosen because it is the largest DNS response that can be carried on an IPv6 link with the IPv6 minimal MTU (1280). In tandem with this change, the `udp-truncation-threshold` that decides when to truncate responses to clients has also been changed from 1680 to 1232.

LOOKING FORWARD

After the release of 4.2.0, the regular bugfix and improvement processes will happen. At the same time, we will be working on the next major release of the PowerDNS Recursor (probably numbered 5.0) for which we are planning several new and exciting features aimed at moving the DNS ecosystem to a more privacy-centric and secure place. To do this, we would like to implement QNAME Minimisation[6] and support for (long-lived) TLS connections to authoritatives[7]. Another improvement we’d like to implement is an experimental feature where the cache is shared between the worker threads.

If you have any ideas that should be in the PowerDNS Recursor in the future, you’re welcome to open a feature request on GitHub[8]. And if you would want to help write these features, we are still looking for people! Have a look at our careers page[9] or send your CV and motivation to powerdns.careers at powerdns.com.

[1] https://blog.powerdns.com/2018/03/22/removing-edns-workarounds/
[2] https://dnsflagday.net/
[3] https://tools.ietf.org/html/draft-bellis-dnsop-xpf-04
[4] https://tools.ietf.org/html/rfc7871.html
[5] https://publicsuffix.org/
[6] https://datatracker.ietf.org/doc/rfc7816/
[7] https://code.fb.com/security/dns-over-tls/
[8] https://github.com/PowerDNS/pdns/issues
[9] https://www.powerdns.com/careers.html

--
Erik Winkels
PowerDNS.COM BV -- https://www.powerdns.com