[Pdns-announce] PowerDNS DNSdist 1.9.0-alpha3 released
Remi Gacogne
remi.gacogne at powerdns.com
Fri Oct 20 08:29:33 UTC 2023
Hello!
We are thrilled to release the third alpha release of what will become
PowerDNS DNSdist 1.9.0!
Let's first address the elephant in the room: the second alpha was never
released due to a last-minute issue discovered in RPM packaging after
the tag was pushed, so we went to alpha3 right away.
The most exciting new feature in this third alpha is support for DNS
over QUIC [1], which combines the confidentiality and integrity
capabilities of DNS over TLS and DNS over HTTPS without the overhead of
TCP connections.
Our implementation is based on Cloudflare's Quiche [2], which has
already been battle-tested by being used on their edge network and in
Android's DNS resolver. We first selected Quiche as the building block
for QUIC because the API is both simple and powerful, but also because
it is written in Rust. Rust is a memory-safe language and significantly
reduces the risk of security issues.
One annoying drawback is that Quiche has not yet been packaged in most
Linux distributions. This is not an issue if you are using our packages,
because we ship the latest release of Quiche along DNSdist, but it might
make building DNSdist with DNS over QUIC support a bit harder if you are
doing it on your own, as you will need to first compile Quiche. We hope
that distributions will adopt Quiche in the near future.
In addition to DNS over QUIC, we also added a few new features:
- the ability to parse Extended DNS Errors present in responses and
export them via protobuf
- Denis Machard added Lua bindings to look at the selected backend from
Lua rules and actions
We also fixed a few issues:
- phonedph1 fixed a typo on the metric name for TCP client timeouts
- contrary to what we announced, h2o support was not available anymore
in our packages in the first alpha
- incoming DoH connections were not using the proper timeout value when
handled by nghttp2
- cosmetic issues in eBPF dynamic block reporting
- invalid subnet masks coming from a string were not properly normalized
- DNS header might have been misaligned in some cases, causing issues on
some architectures
- some log messages were not recorded at the proper level
Please also note that, as we did for stable releases, we switched to our
own fork of libh2o [3] in order to mitigate CVE-2023-44487 [4], also
known as HTTP/2 rapid reset [5].
We still have a few surprises left for 1.9.0 final, but more on that later!
Please see the DNSdist website [6] for the more complete changelog [7]
and the current documentation. The upgrade guide is also available there
[8].
Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub [9].
We are immensely grateful to the PowerDNS community for the reporting of
bugs, issues, feature requests, and especially to the submitters of
fixes and implementations of features.
The release tarball [10] and its signature [11] are available on the
downloads website, and packages for several distributions are available
from our repository [12].
[1]: https://www.rfc-editor.org/rfc/rfc9250.html
[2]: https://github.com/cloudflare/quiche
[3]: https://github.com/PowerDNS/h2o/tree/v2.2.6%2Bpdns
[4]: https://www.cve.org/CVERecord?id=CVE-2023-44487
[5]:
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
[6]: https://dnsdist.org
[7]: https://dnsdist.org/changelog.html#change-1.9.0-alpha3
[8]: https://dnsdist.org/upgrade_guide.html#x-to-1-9-0-alpha3
[9]: https://github.com/PowerDNS/pdns/issues/new/choose
[10]:
https://downloads.powerdns.com/releases/dnsdist-1.9.0-alpha3.tar.bz2
[11]:
https://downloads.powerdns.com/releases/dnsdist-1.9.0-alpha3.tar.bz2.sig
[12]: https://repo.powerdns.com
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-announce/attachments/20231020/69f334da/attachment.sig>
More information about the Pdns-announce
mailing list