[Pdns-dev] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes

bert hubert bert.hubert at netherlabs.nl
Thu Jan 27 23:37:01 CET 2011

Hi everybody,

(the short version, there is a snapshot worth looking at, packages on
http://powerdnssec.org/downloads - documentation on http://powerdnssec.org )

Since our previous 'PowerDNSSEC' announcement, a lot has happened. 
PowerDNSSEC now offers support for almost all DNSSEC algorithms standardised
(RSASHA1, RSASHA256, RSASHA512, GOST), and even for some that aren't yet

In addition, we've added support for pre-signed zones, so you can now slave
signed zones from non-PowerDNS installations, and serve them. The other way
around works too, you can slave unsigned zones and serve them with DNSSEC
added to it, as a front-proxy.

Finally, there is now a lot of documentation, a good place to start reading
is still http://powerdnssec.org.

Today, we've released snapshot 20110127.1921 which is in reasonably wide
production. It powers every single access to the PowerDNS Wiki and the
PowerDNS Subversion repository. 

Packages for 32 bit and 64 bit Linux distributions, plus source, can be
found on http://powerdnssec.org/downloads

We urge everybody with an interest in DNSSEC to give this snapshot and its
associated documentation a go, if only to find out if it would 'work for

Releases notes follow:

Version 3.0 of the PowerDNS Authoritative Server brings a number of important
features, as well as over two years of accumulated bug fixing.

The largest news in 3.0 is of course the advent of DNSSEC. Not only does
PowerDNS now (finally) support DNSSEC, we think that our support of this
important protocol is among the best available.

Complete detail can be found in Chapter 11, Serving authoritative DNSSEC data.
The goal of 'PowerDNSSEC' is to allow existing PowerDNS installations to start
serving DNSSEC with as little hassle as possible, while maintaining performance
and achieving high levels of security.

This release has received exceptional levels of community support, and we'd
like to thank the following people in addition to those mentioned explicitly
below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards
(NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Antoin Verschuren
(SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy
Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael
Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose Arthur Benetasso
Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker
(Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer (Austrian World4You
GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen

On to the release notes. A hyperlinked version is available on 

Next to DNSSEC, other major new features include:

  ● Long TXT records are now split into 255-byte components automatically.
    Implemented in commit 1340, reported by Darren Gamble in ticket 188.

  ● Per zone AXFR ACLs, implemented in commit 1360.

  ● "Also-notify" support, implemented by Aki Tuomi in commit 1400. Support for
    Generic SQL backends and for the BIND backend.

  ● Support for binding to thousands of IP addresses, code in commit 1443.

  ● Massively parallel slaving infrastructure, able to check the freshness of
    thousands of remote zones per second, plus perform many incoming zone
    transfers simultaneously. Sponsored by Tyler Hall, code in 1449, 1500, 1859

  ● Core DNS logic replaced completely to deal with the brave new world of

Bugs fixed:

  ● sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL
    errors in some cases. Discovered by Sten Spans. Fixed in commit 1342.

  ● Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek.
    Fixed in commit 1342.

  ● In some cases, we would include duplicate CNAMEs. In addition, we would
    hand out a full root-referral when not configured to in some cases (t223).
    Discovered by Andreas Jakum, fixed in commit 1344.

  ● Shane Kerr discovered we would corrupt DNS transaction IDs from the packet
    cache on big endian systems. Fix in commit 1346, closing ticket 222.

  ● BIND backend got confused of a zone's filename changed after a
    configuration reload. Fix in commit 1347, closing ticket 228.

  ● When restarted by the Guardian, PowerDNS will perform a full multi-threaded
    cache cleanup, which took a long time and could crash. Fix in commit 1364.

  ● Under artificial circumstances, PowerDNS would never clean its packet
    cache. Found by Marcus Goller, fix in commit 1399 and commit 1408. This
    update also retunes the cleanup frequency.

  ● Packetcache would cache things it should not have been caching. Fixes in
    commits 1407, 1488, 1869, 1880

  ● When processing incoming notifications, the BIND backend was
    case-sensitive, and would disregard notifications in the wrong case.
    Discovered by 'Dolphin', fix in commit 1420.

  ● The init.d script did not mention the 'reload' command. Code in commit 1463
    , closes ticket 233.

  ● PowerDNS would be confused by embedded NULs in domain names, and would also
    mess up the escaping of some characters. Fix in commit 1468, commit 1469,
    commit 1478, commit 1480,

  ● SOA queries for the name of a delegation point were not referred. Fix in
    commit 1466, closing ticket 224. In addition, queries for AAAA for a CNAMEd
    record pointing to a name with no AAAA would deliver a direct SOA, without
    the CNAME in between. Fix in commit 1542, commit 1607. Also, wildcard
    CNAMEs pointing to a record without the type requested suffered from the
    same issue, fix in commit 1543.

  ● On processing an incoming AXFR, once an MX or SRV record had been seen, all
    future fields got a 'priority' entry as well. This had no operational
    impact, but looked messy. Fixed in commit 1437.

  ● Aki Tuomi discovered that the BIND zonefile parser would misrepresent
    'something IN MX 15 @'. Fix in commit 1621.

  ● Marco Davids discovered the BIND zonefile parser would trip over really
    long lines. Fix in commit 1624, commit 1625.

  ● Thomas Mieslinger discovered that our webserver would only be started after
    dropping privileges, which could cause problems. Fix in commit 1629.

  ● An Ubuntu user discovered in Launchpad bug 600479 that restarting database
    threads cost a lot of memory. Normally this is rare, except in case of
    problems. Addressed in commit 1676.

  ● BIND backend could crash under (very) high load with very large numbers of
    zones (hundreds of thousands). Fixed in commit 1690.

  ● Miek Gieben and Marco Davids spotted that PowerDNS would answer the
    version.bind query in the IN class too. Bug reported via twitter! Fix in
    commit 1709.

  ● Marcus Lauer and the OpenDNSSEC project discovered that outgoing
    notifications did not carry the 'aa' flag. Fixed in commit 1746.

  ● Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by
    Anders Kaseorg in commit 1747.

  ● Fixed a bug that could cause crashes on launching thousands of backend
    connections. Never observed to occur, but who knows. Fix in commit 1792.

  ● Under some circumstances, large answers could be truncated in mid-record.
    While technically legal, this upset a number of resolver implementations
    (including the PowerDNS Recursor!). Fixed in commit 1830, re-closes ticket


  ● Fixed compilation on newer compilers and newer versions of Boost. Changes
    in 1345 (t227), 1391, 1394, 1425, 1427, 1428, 1429, 1440, 1653, thanks to
    Ruben Kerkhof and others.

  ● Compilation fixes for Mac OS X 10.5.7 in commit 1389, thanks to Tobias

  ● Allow for timestamps to explicitly be specified in (s)econds. Code in
    commit 1398, closing ticket 250.

  ● Internal support for TSIG, not yet hooked up. Commits 1417, 1485 and

  ● Zones with URL and MBOXFW records can be transferred over AXFR, code in
    commit 1464.

  ● Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d
    script to read /etc/default/pdns. Code in commit 1601, commit 1602.

  ● Generic SQL backends now support multiple masters in the domains table.
    Code in commit 1857. Additionally, masters can also have :port numbers.
    Code in commit 1858.

More information about the Pdns-dev mailing list