[Pdns-dev] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes
bert.hubert at netherlabs.nl
Thu Jan 27 23:37:01 CET 2011
(the short version, there is a snapshot worth looking at, packages on
http://powerdnssec.org/downloads - documentation on http://powerdnssec.org )
Since our previous 'PowerDNSSEC' announcement, a lot has happened.
PowerDNSSEC now offers support for almost all DNSSEC algorithms standardised
(RSASHA1, RSASHA256, RSASHA512, GOST), and even for some that aren't yet
In addition, we've added support for pre-signed zones, so you can now slave
signed zones from non-PowerDNS installations, and serve them. The other way
around works too: you can slave unsigned zones and serve them with DNSSEC
added to them, as a front-proxy.
Finally, there is now a lot of documentation, a good place to start reading
is still http://powerdnssec.org.
Today, we've released snapshot 20110127.1921 which is in reasonably wide
production. It powers every single access to the PowerDNS Wiki and the
PowerDNS Subversion repository.
Packages for 32 bit and 64 bit Linux distributions, plus source, can be
found on http://powerdnssec.org/downloads
We urge everybody with an interest in DNSSEC to give this snapshot and its
associated documentation a go, if only to find out if it would 'work for
Release notes follow:
Version 3.0 of the PowerDNS Authoritative Server brings a number of important
features, as well as over two years of accumulated bug fixing.
The largest news in 3.0 is of course the advent of DNSSEC. Not only does
PowerDNS now (finally) support DNSSEC, we think that our support of this
important protocol is among the best available.
Complete detail can be found in Chapter 11, Serving authoritative DNSSEC data.
The goal of 'PowerDNSSEC' is to allow existing PowerDNS installations to start
serving DNSSEC with as little hassle as possible, while maintaining performance
and achieving high levels of security.
This release has received exceptional levels of community support, and we'd
like to thank the following people in addition to those mentioned explicitly
below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards
(NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Antoin Verschuren
(SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy
Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael
Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose Arthur Benetasso
Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker
(Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer (Austrian World4You
GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen
On to the release notes. A hyperlinked version is available on
Next to DNSSEC, other major new features include:
● Long TXT records are now split into 255-byte components automatically.
Implemented in commit 1340, reported by Darren Gamble in ticket 188.
● Per zone AXFR ACLs, implemented in commit 1360.
● "Also-notify" support, implemented by Aki Tuomi in commit 1400. Support for
Generic SQL backends and for the BIND backend.
● Support for binding to thousands of IP addresses, code in commit 1443.
● Massively parallel slaving infrastructure, able to check the freshness of
thousands of remote zones per second, plus perform many incoming zone
transfers simultaneously. Sponsored by Tyler Hall, code in 1449, 1500, 1859
● Core DNS logic replaced completely to deal with the brave new world of
● sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL
errors in some cases. Discovered by Sten Spans. Fixed in commit 1342.
● Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek.
Fixed in commit 1342.
● In some cases, we would include duplicate CNAMEs. In addition, we would
hand out a full root-referral when not configured to in some cases (t223).
Discovered by Andreas Jakum, fixed in commit 1344.
● Shane Kerr discovered we would corrupt DNS transaction IDs from the packet
cache on big endian systems. Fix in commit 1346, closing ticket 222.
● BIND backend got confused if a zone's filename changed after a
configuration reload. Fix in commit 1347, closing ticket 228.
● When restarted by the Guardian, PowerDNS will perform a full multi-threaded
cache cleanup, which took a long time and could crash. Fix in commit 1364.
● Under artificial circumstances, PowerDNS would never clean its packet
cache. Found by Marcus Goller, fix in commit 1399 and commit 1408. This
update also retunes the cleanup frequency.
● Packetcache would cache things it should not have been caching. Fixes in
commits 1407, 1488, 1869, 1880
● When processing incoming notifications, the BIND backend was
case-sensitive, and would disregard notifications in the wrong case.
Discovered by 'Dolphin', fix in commit 1420.
● The init.d script did not mention the 'reload' command. Code in commit 1463,
closes ticket 233.
● PowerDNS would be confused by embedded NULs in domain names, and would also
mess up the escaping of some characters. Fix in commit 1468, commit 1469,
commit 1478, commit 1480,
● SOA queries for the name of a delegation point were not referred. Fix in
commit 1466, closing ticket 224. In addition, queries for AAAA for a CNAMEd
record pointing to a name with no AAAA would deliver a direct SOA, without
the CNAME in between. Fix in commit 1542, commit 1607. Also, wildcard
CNAMEs pointing to a record without the type requested suffered from the
same issue, fix in commit 1543.
● On processing an incoming AXFR, once an MX or SRV record had been seen, all
future fields got a 'priority' entry as well. This had no operational
impact, but looked messy. Fixed in commit 1437.
● Aki Tuomi discovered that the BIND zonefile parser would misrepresent
'something IN MX 15 @'. Fix in commit 1621.
● Marco Davids discovered the BIND zonefile parser would trip over really
long lines. Fix in commit 1624, commit 1625.
● Thomas Mieslinger discovered that our webserver would only be started after
dropping privileges, which could cause problems. Fix in commit 1629.
● An Ubuntu user discovered in Launchpad bug 600479 that restarting database
threads cost a lot of memory. Normally this is rare, except in case of
problems. Addressed in commit 1676.
● BIND backend could crash under (very) high load with very large numbers of
zones (hundreds of thousands). Fixed in commit 1690.
● Miek Gieben and Marco Davids spotted that PowerDNS would answer the
version.bind query in the IN class too. Bug reported via twitter! Fix in
● Marcus Lauer and the OpenDNSSEC project discovered that outgoing
notifications did not carry the 'aa' flag. Fixed in commit 1746.
● Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by
Anders Kaseorg in commit 1747.
● Fixed a bug that could cause crashes on launching thousands of backend
connections. Never observed to occur, but who knows. Fix in commit 1792.
● Under some circumstances, large answers could be truncated in mid-record.
While technically legal, this upset a number of resolver implementations
(including the PowerDNS Recursor!). Fixed in commit 1830, re-closes ticket
● Fixed compilation on newer compilers and newer versions of Boost. Changes
in 1345 (t227), 1391, 1394, 1425, 1427, 1428, 1429, 1440, 1653, thanks to
Ruben Kerkhof and others.
● Compilation fixes for Mac OS X 10.5.7 in commit 1389, thanks to Tobias
● Allow for timestamps to explicitly be specified in (s)econds. Code in
commit 1398, closing ticket 250.
● Internal support for TSIG, not yet hooked up. Commits 1417, 1485 and
● Zones with URL and MBOXFW records can be transferred over AXFR, code in
● Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d
script to read /etc/default/pdns. Code in commit 1601, commit 1602.
● Generic SQL backends now support multiple masters in the domains table.
Code in commit 1857. Additionally, masters can also have :port numbers.
Code in commit 1858.
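Two of the items above concern DNS wire-format details that are easy to get wrong: TXT RDATA is a sequence of <character-string>s, each prefixed by a single length octet and therefore at most 255 bytes long, so longer text has to be split before encoding (the "long TXT records" feature); and a response that exceeds the size limit must drop whole records and set the TC bit rather than being cut mid-record (the truncation bug). The Python below is an added illustration written for this page; it is not PowerDNS's code and does not mirror how PowerDNS implements either fix. The record type numbers and flag bits are the RFC 1035 values; the sample DKIM-style TXT string, the owner names and the 192.0.2.x addresses are constructed input.

```python
"""Added example (not PowerDNS code): splitting long TXT data into <=255-byte
character-strings, and assembling a response that truncates only at record
boundaries (setting TC) instead of cutting an RR in half."""
import struct

MAX_CHARSTRING = 255   # RFC 1035 3.3: <character-string> has a one-octet length prefix


def split_txt(data: bytes) -> list:
    """Split raw TXT data into chunks of at most 255 bytes. The split is
    byte-wise: TXT is opaque bytes, so a multi-byte UTF-8 sequence may
    straddle two chunks, which is legal on the wire."""
    if not data:
        return [b""]
    return [data[i:i + MAX_CHARSTRING] for i in range(0, len(data), MAX_CHARSTRING)]


def encode_txt_rdata(chunks) -> bytes:
    """Wire-format TXT RDATA: length octet followed by the bytes, repeated."""
    out = bytearray()
    for c in chunks:
        if len(c) > MAX_CHARSTRING:
            raise ValueError("character-string longer than 255 bytes")
        out.append(len(c))
        out += c
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> list:
    """Inverse of encode_txt_rdata; rejects RDATA whose last length octet
    promises more bytes than are present."""
    chunks, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("truncated character-string in TXT RDATA")
        chunks.append(rdata[i:i + n])
        i += n
    return chunks


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (labels are <= 63 bytes)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            b = label.encode("ascii")
            if len(b) > 63:
                raise ValueError("label longer than 63 bytes")
            out.append(len(b))
            out += b
    out.append(0)
    return bytes(out)


def encode_rr(name: str, rtype: int, ttl: int, rdata: bytes, rclass: int = 1) -> bytes:
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_response(txid: int, qname: str, qtype: int, answers, max_size: int = 512) -> bytes:
    """Assemble a QR/AA response. Records are appended whole; at the first
    one that would push the message past max_size we stop and set TC, so the
    packet never ends in the middle of an RR (the failure the notes describe)."""
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = bytearray(question)
    included = 0
    for rr in answers:
        if 12 + len(body) + len(rr) > max_size:      # 12 = fixed header size
            break
        body += rr
        included += 1
    flags = 0x8400                                    # QR=1, AA=1
    if included < len(answers):
        flags |= 0x0200                               # TC=1: client retries over TCP
    header = struct.pack("!HHHHHH", txid, flags, 1, included, 0, 0)
    return header + bytes(body)


def tc_set(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)


def ancount(msg: bytes) -> int:
    return struct.unpack("!H", msg[6:8])[0]


# Constructed sample input (not from the original post): a DKIM-style TXT
# record longer than 255 bytes, and 20 A records under one owner name.
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + "A" * 380
TXT_RR = encode_rr("mail._domainkey.example.org.", 16, 3600,
                   encode_txt_rdata(split_txt(SAMPLE_TXT.encode())))
A_RRS = [encode_rr("example.org.", 1, 300, bytes([192, 0, 2, i])) for i in range(1, 21)]

if __name__ == "__main__":
    small = build_response(0x1234, "example.org.", 1, A_RRS, max_size=512)
    print(len(TXT_RR), len(small), ancount(small), tc_set(small))
```

With the constructed input, the 398-byte DKIM string becomes two character-strings (255 and 143 bytes) and the 20-record A answer does not fit in 512 bytes: the builder keeps the first 17 records, sets TC, and reports ANCOUNT=17 so the header agrees with the records actually present. Stopping at the first record that does not fit, rather than skipping it and trying later ones, keeps the answer section a prefix of the RRset; a stricter implementation would drop the whole RRset when any of it is cut, as RFC 2181 recommends.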