[Pdns-announce] PowerDNS Recursor Alpha3 Released

Otto Moerbeek otto.moerbeek at open-xchange.com
Tue Mar 9 10:15:15 UTC 2021


   We are proud to announce the third alpha release of what should
   become PowerDNS Recursor 4.5.0. This release contains various bug
   fixes, improvements and new features. The second alpha was an
   internal release only and never went public.

   The upcoming 4.5.0 release includes an important addition: the
   implementation of RFC 8198: Aggressive use of DNSSEC-Validated
   Cache.  This enables the Recursor to answer queries for
   non-existing names with less effort in many cases. This feature
   uses both NSEC and NSEC3 records. Additionally the DNSSEC default
   mode[1] is now "process", while it was "process-no-validate"
   before. This means that clients asking for it will get DNSSEC
   validated answers by default.

   We also added a cache of non-resolving nameservers. This enhances
   performance when the Recursor encounters domains that have
   nameservers that do not resolve.

   This release also features a re-worked negative cache that is
   shared between threads, allowing more efficient use of the cache
   and reduced memory consumption.

   Support for Extended DNS Errors (RFC 8914[2]) has been added. These
   can be enabled by setting the extended-resolution-errors[3] setting
   to 'yes', this will send DNSSEC and resolution related errors to
   clients.  Extended Errors are also hooked up to the Lua scripting
   engine[4], allowing fine-grained setting of both the error code and
   extra information in the response.

   A "refresh almost expired records" (also called "refetch")
   mechanism[5] has been introduced to keep the record cache warm. In
   short, if a query comes in and the cached record's TTL is almost
   expired (within N percent of its original value) the cached record
   is served to the client and the record queried for in the
   background, ensuring that new queries for that record are fresh and
   served from the cache.

   Other new features and improvements are:

     * The complete protobuf and dnstap logging code has been
       rewritten to have much smaller performance impact.
     * We have introduced non-offensive synonyms for words used in
       settings. See the upgrade[6] guide.
     * The default minimum TTL[7] override has been changed from 0 to
     * The spoof-nearmiss-max setting[8]'s default has been changed to 1.
       This has the consequence that the Recursor will switch to
       do TCP queries to authoritative nameservers sooner as an
       effective measure against many spoofing attacks.
     * Incoming queries over TCP now also use the packet cache,
       providing another performance increase.
     * File written to by the rec_control command are new opened by
       the command itself. It is also possible to write the content to
       the standard output stream by using a hyphen as file name.

   Please refer to the changelog[9] for additional details.

   Please send us all feedback and issues you might have via the
   mailing list[10], or in case of a bug, via GitHub[11].

   The tarball[12] (signature[13]) is available from our download
   server[14] and packages for CentOS 7 and 8, Debian Buster and
   Ubuntu Bionic and Focal are available from our repository[15].

   With the future 4.5.0 final release, the 4.2.x releases will be EOL
   and the 4.3.x releases will go into critical security fixes only
   mode.  Consult the EOL policy[16] for more details.

   We would also like to announce that with this release we will stop
   supporting systems using 32-bit time. This includes 32-bit Linux
   platforms like arm and i386 before kernel version 5.1.

   We are grateful to the PowerDNS community for the reporting of
   bugs, issues, feature requests, and especially to the submitters of
   fixes and features.

 -Otto and the PowerDNS Team.


   1. https://docs.powerdns.com/recursor/settings.html#dnssec
   2. https://tools.ietf.org/html/rfc8914.html
   3. https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   4. https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.extendedErrorCode
   5. https://docs.powerdns.com/recursor/settings.html#refresh-on-ttl-perc
   6. https://docs.powerdns.com/recursor/upgrade.html#x-to-4-5-0-or-master
   7. https://docs.powerdns.com/recursor/settings.html#minimum-ttl-override
   8. https://docs.powerdns.com/recursor/settings.html#spoof-nearmiss-max
   9. https://doc.powerdns.com/recursor/changelog/4.5.html#change-4.5.0-alpha3
  10. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  11. https://github.com/PowerDNS/pdns/issues/new/choose
  12. https://downloads.powerdns.com/releases/pdns-recursor-4.5.0-alpha3.tar.bz2
  13. https://downloads.powerdns.com/releases/pdns-recursor-4.5.0-alpha3.tar.bz2.sig
  14. https://downloads.powerdns.com/releases/
  15. https://repo.powerdns.com/
  16. https://docs.powerdns.com/recursor/appendices/EOL.html


kind regards,
Otto Moerbeek
PowerDNS Developer

Email: otto.moerbeek at open-xchange.com

Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Carsten Dirks, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Carsten Dirks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-announce/attachments/20210309/b2b31f09/attachment.sig>

More information about the Pdns-announce mailing list