[Pdns-announce] PowerDNS DNSdist 1.9.0-alpha3 released

Remi Gacogne remi.gacogne at powerdns.com
Fri Oct 20 08:29:33 UTC 2023


Hello!

We are thrilled to release the third alpha release of what will become 
PowerDNS DNSdist 1.9.0!

Let's first address the elephant in the room: the second alpha was never 
released due to a last-minute issue discovered in RPM packaging after 
the tag was pushed, so we went to alpha3 right away.

The most exciting new feature in this third alpha is support for DNS 
over QUIC [1], which combines the confidentiality and integrity 
capabilities of DNS over TLS and DNS over HTTPS without the overhead of 
TCP connections.
Our implementation is based on Cloudflare's Quiche [2], which has 
already been battle-tested by being used on their edge network and in 
Android's DNS resolver. We first selected Quiche as the building block 
for QUIC because the API is both simple and powerful, but also because 
it is written in Rust. Rust is a memory-safe language and significantly 
reduces the risk of security issues.
One annoying drawback is that Quiche has not yet been packaged in most 
Linux distributions. This is not an issue if you are using our packages, 
because we ship the latest release of Quiche along DNSdist, but it might 
make building DNSdist with DNS over QUIC support a bit harder if you are 
doing it on your own, as you will need to first compile Quiche. We hope 
that distributions will adopt Quiche in the near future.

In addition to DNS over QUIC, we also added a few new features:
- the ability to parse Extended DNS Errors present in responses and 
export them via protobuf
- Denis Machard added Lua bindings to look at the selected backend from 
Lua rules and actions

We also fixed a few issues:
- phonedph1 fixed a typo on the metric name for TCP client timeouts
- contrary to what we announced, h2o support was not available anymore 
in our packages in the first alpha
- incoming DoH connections were not using the proper timeout value when 
handled by nghttp2
- cosmetic issues in eBPF dynamic block reporting
- invalid subnet masks coming from a string were not properly normalized
- DNS header might have been misaligned in some cases, causing issues on 
some architectures
- some log messages were not recorded at the proper level

Please also note that, as we did for stable releases, we switched to our 
own fork of libh2o [3] in order to mitigate CVE-2023-44487 [4], also 
known as HTTP/2 rapid reset [5].

We still have a few surprises left for 1.9.0 final, but more on that later!

Please see the DNSdist website [6] for the more complete changelog [7] 
and the current documentation. The upgrade guide is also available there 
[8].

Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [9].

We are immensely grateful to the PowerDNS community for the reporting of 
bugs, issues, feature requests, and especially to the submitters of 
fixes and implementations of features.

The release tarball [10] and its signature [11] are available on the 
downloads website, and packages for several distributions are available 
from our repository [12].

[1]: https://www.rfc-editor.org/rfc/rfc9250.html
[2]: https://github.com/cloudflare/quiche
[3]: https://github.com/PowerDNS/h2o/tree/v2.2.6%2Bpdns
[4]: https://www.cve.org/CVERecord?id=CVE-2023-44487
[5]: 
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
[6]: https://dnsdist.org
[7]: https://dnsdist.org/changelog.html#change-1.9.0-alpha3
[8]: https://dnsdist.org/upgrade_guide.html#x-to-1-9-0-alpha3
[9]: https://github.com/PowerDNS/pdns/issues/new/choose
[10]:
https://downloads.powerdns.com/releases/dnsdist-1.9.0-alpha3.tar.bz2
[11]:
https://downloads.powerdns.com/releases/dnsdist-1.9.0-alpha3.tar.bz2.sig
[12]: https://repo.powerdns.com

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-announce/attachments/20231020/69f334da/attachment.sig>


More information about the Pdns-announce mailing list