[Pdns-dev] PowerDNS Authoritative Server 3.0 has been released
bert hubert
bert.hubert at netherlabs.nl
Fri Jul 22 14:07:12 CEST 2011
PowerDNS Authoritative Server 3.0 has been released!
Version 3.0 of the PowerDNS Authoritative Server brings a number of
important features (like DNSSEC), as well as over two years of accumulated
bug fixing.
Available from:
* http://downloads.powerdns.com/releases/pdns-3.0.tar.gz
* http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.x86_64.rpm
* http://downloads.powerdns.com/releases/deb/pdns-static_3.0-1_amd64.deb
* http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
* http://downloads.powerdns.com/releases/deb/pdns-static_3.0-1_i386.deb
These files also come with GPG signatures (append .sig).
RHEL/CentOS "native" RPMs are usually contributed by Kees Monshouwer
(thanks!) pretty quickly after a release on:
http://www.monshouwer.eu/download/3th_party/pdns-server/
The release notes are also available, with clickable links, on
http://doc.powerdns.com/changelog.html#changelog-auth-3-0
Warning: Version 3.0 of the PowerDNS Authoritative Server is a major upgrade.
Please refer to Section 1, “From PowerDNS Authoritative Server 2.9.x
to 3.0” for important information on correct and stable operation, as
well as notes on performance and memory use.
Known issues as of RC3 include:
* Not all new features are fully documented yet
Note: Released on the 22nd of July 2011
The largest news in 3.0 is of course the advent of DNSSEC. Not only does
PowerDNS now (finally) support DNSSEC, we think that our support of this
important protocol is among the easiest to use available. In addition, all
important algorithms are supported.
Complete detail can be found in Chapter 12, Serving authoritative DNSSEC data.
The goal of 'PowerDNSSEC' is to allow existing PowerDNS installations to start
serving DNSSEC with as little hassle as possible, while maintaining performance
and achieving high levels of security.
Tutorials and examples of how to use DNSSEC in PowerDNS can be found linked
from http://powerdnssec.org.
PowerDNS Authoritative Server 3.0 development has been made possible by the
financial and moral support of:
* AFNIC, the French registry
* IPCom's RcodeZero Anycast DNS, a subsidiary of NIC.AT, the Austrian
registry
* SIDN, the Dutch registry
This release has received exceptional levels of community support, and we'd
like to thank the following people in addition to those mentioned explicitly
below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards
(NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Leen Besselink,
Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion
Ventures), Roy Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer
(AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose
Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk
(Surfnet), Paul Bakker (Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer
(Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and
Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, Jack Lloyd,
Frank Altpeter, frederik danerklint, Vasiliy G Tolstov, Brielle Bruns, Evan
Hunt, Ralf van der Enden, Marc Laros, Serge Belyshev, Christian Hofstaedtler,
Charlie Smurthwaite, Nikolaos Milas, ...
Changes between RC3 and final:
* Slight tweak to the pipebackend to ease DNSSEC operations (commit 2239,
commit 2247). Also fix pipebackend support in pdnssec tool (commit 2244).
* Upgrade the experimental native Lua backend to the latest version from
Frederik Danerklint (commit 2240) and include this backend in the .deb
packages (commit 2242)
* Remove IPv6 dependency, it was only possible to run master/slave operations
on a server with at least one IPv6 address. Some very old virtualized
setups turned out to have no IPv6 at all. Fix in commit 2246.
Changes between RC2 and RC3:
* PowerDNS Authoritative Server could not be configured to use an IPv6 based
resolving backend. Solved in commit 2191.
* LDAP backend reconfigured the timezone (TZ) setting of the daemon, leading
to confusing logfile entries. Fixed by Christian Hofstaedtler in commit
2913, closing ticket 313.
* Non-DNSSEC capable backends could crash on DNSSEC queries. Fixed in commit
2194 and commit 2196 (thanks to Charlie Smurthwaite) closing ticket 360.
* Errors looking up a UID or GID were reported confusingly ('Success'), fixed
in commit 2195, closing ticket 359.
* Fix compilation against older MySQL, client libraries (commit 2198, commit
2199, commit 2204), especially for older RHEL/CentOS. Also addresses the
failure to look in lib64 directory for PostgreSQL.
* Sqlite3 needs write access not just to its database file, but also to the
directory it is in. If this wasn't the case, no useful error message was
provided. Improvement in commit 2202.
* Update of MongoDB backend (commit 2203, commit 2212).
* 'pdnssec hash-zone-record' emitted an inverted warning about narrow NSEC3
hashes. Spotted by Jan-Piet Mens, fix in commit 2205.
* PowerDNS can fill out default fields for SOA records, but neglected to do
so if the SOA record was matched by an incoming ANY question. Spotted by
Marc Laros & others. Fixes ticket 357, code in commit 2206.
* PowerDNS would mistreat binary data in TXT records. Fix in commit 2207.
Again spotted by Jan-Piet Mens. Closes ticket 356.
* Add experimental Lua backend by our star contributor Fredrik Danerklint.
commit 2208.
* Christoph Meerwald discovered our RRSIG freshness checking checked more
than the intended RRSIG (on the SOA record). Fix in commit 2209.
* Christoph Meerwald discovered we got confused by TSIG signed EDNS-adorned
queries, since we expected the EDNS OPT pseudorecord to be the very last
record. Fix in commit 2214.
* Christoph Meerwald discovered that when using SOA outgoing editing we would
sign and THEN edit. This was not productive. Fixed in commit 2215.
* Add missing-but-documented pdnssec command 'disable-dnssec'. Spotted by
Craig Whitmore. Plus fixed misleading --help output. Code in commit 2216.
* By popular demand, a tweak which makes an overloaded database no longer
restart PowerDNS but instead drop queries until the database is available again.
Code in commit 2217, lightly tested. Enable by setting
'overload-queue-length=100' (for example).
* By suggestion of Miek Gieben of SIDN, add SOA-EDIT mode 'EPOCH' which sets
the SOA serial number to the 'UNIX time'. Implemented in commit 2218.
* Added some US export control & ECCN to documentation, needed because of
DNSSEC content. Update in commit 2219.
* Fix up various spelling mistakes and badly formatted messages (commit 2220
and commit 2221) by Maik Zumstrull and 'anonymous'.
* After a lot of thought, we now handle CNAMEs to names outside our knowledge
('bailiwick') exactly as in BIND 9.8.0, even though our way was standards
compliant too. It confused things. Update in commit 2222 and commit 2224.
* Tweak sqlite3 library location detection for newer Ubuntu versions. Change
in commit 2223.
* DNSSEC SQL schema improvements allowing for the use of constraints and
foreign keys in commit 2225, by Gerald Gruenberg, closing ticket 371.
* Add support for EDNS option 'edns-subnet', based on
draft-vandergaast-edns-client-subnet (commit 2226, commit 2228, commit 2229,
commit 2230, commit 2231, commit 2233).
* Silence SIGCHLD warning from Perl when used to power 'pipe' backends
(commit 2232).
* Add experimental support, off by default, for draft-edns-subnet. See commit
2233 and commit 2239 for details how to use this feature.
* PostgreSQL and LDAP backends can now deal with a restart of their
respective servers. Many thanks to Peter van Dijk for debugging and
Nikolaos Milas for supplying a reproduction path of the problem (& much
nagging). Fixes in commit 2233 and commit 2235.
* Jan-Piet Mens discovered that records inserted by Lua on zone retrieval did
not get correct 'ordername' and 'auth' fields for DNSSEC. Fixed in commit
2174.
* Silenced various relevant and less relevant compilation warnings (commit
2175). Thanks to Serge Belyshev for pointing out the error in our ways.
* Steve Bauer discovered we would cache empty recursive answers in some
cases. Addressed in commit 2176.
* James Cloos reported that 'pdnssec check-zone' tripped over SRV records.
Fixed this, and added check-zone to the regression tests. Code in commit
2177.
* DNSSEC regression tests were added in commits 2178, 2179, 2182, 2186. We
test against the fine tools from NLNetLabs.
* Secure DNSSEC delegations to ourselves picked the wrong zone to serve the DS
record from. Fixed in commit 2180, commit 2181, commit 2183. Reported by
Niek Willems of InterNLnet.
* Stef Van Dessel suggested we made our RPMs state explicitly that they need
glibc 2.4 on Linux. Code in commit 2184.
* John Leach discovered our MySQL based backends would wait for ages on a
failing MySQL server. The patch merged in commit 2189 reduces the timeout
significantly, which is especially useful with haproxy and mysqlproxy.
* commit 2190 fixes a crash reported by Marc Laros when using a non-DNSSEC
capable backend. Should also improve non-DNSSEC performance.
Changes between RC1 and RC2:
* Zone2sql sent out the wrong 'COMMIT' statement in sqlite mode. In addition,
in this mode, zone2sql would not emit statements to update the domains
table unless the 'slave' setting was chosen. Code in commit 2167.
* We dropped the Authoritative Answer flag on an out-of-bailiwick CNAME
referral, which was unnecessary. Code in commit 2170.
* Kees Monshouwer discovered that we failed to detect the location of
PostgreSQL on RHEL/CentOS. Fix in commit 2144. In addition, commit 2162
eases detection of MySQL on RHEL/CentOS 64 bits systems.
* Marc Laros re-reported an old bug in the internally used 'pdns' backend
where details of the SOA record were not filled out correctly. Resolved in
commit 2145.
* Jan-Piet Mens found that our TSIG signed SOA zone freshness check was
signed incorrectly. Fixed in commit 2147. Improved error messages that
helped debug this issue in commit 2148, commit 2149.
* Jan-Piet Mens helped debug an issue where some servers were "almost always"
unable to transfer a TSIG signed zone correctly. Turns out that the TSIG
signing code used an internal timestamp and not the remote timestamp.
Because of good NTP synchronization this quite often was not a problem. Fix
in commit 2159.
* Thor Spruyt of Telenet discovered that the PowerDNS code would try to emit
DNS answers over TCP of over 65535 bytes long, which failed. We now
truncate such answers properly. Code in commit 2150.
* The Slave engine now reuses an existing database connection, removing the
need to create a new database connection every minute (and worse, log about
it). Code in commit 2153.
* Fix a potential Year 2106 bug in the TSIG signing code. Because we care
(commit 2156).
* Added experimental support for the 'DANE' TLSA record which is used to
authenticate SSL certificates via DNSSEC. commit 2161.
* Added experimental support for the MongoDB 'NoSQL' backend, contributed by
fredrik danerklint in commit 2162.
On to the release notes. Next to DNSSEC, other major new features include:
* TSIG for authorizing and authenticating AXFR requests & incoming zone
transfers (Code in 2024, 2025, 2033, 2034). This allows for retrieving TSIG
protected content, as well as serving it.
* Per zone also-notify.
* MyDNS compatible backend, allowing for 'instantaneous' migration from this
authoritative nameserver. Code in commit 1418, contributed by Jonathan
Oddy.
* PowerDNS can now slave zones over IPv6 and notify IPv6 remotes of updates.
Already. Code in commit 2009 and beyond.
* Lua based incoming zone editing, allowing masters or signing slaves to add
information to the zone they will (re-)serve. Implemented in commit 2065.
To enable, use LUA-AXFR-SCRIPT zone metadata setting.
* Native Oracle backend with full DNSSEC support. Contributed by Maik
Zumstrull, then at the Steinbuch Centre for Computing at the Karlsruhe
Institute of Technology.
* "Also-notify" support, implemented by Aki Tuomi in commit 1400. Support for
Generic SQL backends and for the BIND backend. Further code in commit 1360.
* Support for binding to thousands of IP as of remote zones per second, plus perform many incoming zone
transfers simultaneously. Sponsored by Tyler Hall, code in 1449, 1500, 1859
* Core DNS logic replaced completely to deal with the brave new world of
DNSSEC.
Bugs fixed:
* sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL
errors in some cases. Discovered by Sten Spans. Fixed in commit 1342.
* Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek.
Fixed in commit 1342.
* PowerDNS would refuse to serve domain names with spaces in them, or
otherwise non-printable characters. Addressed in commit 2081.
* PowerDNS can now serve escaped labels, as described by RFC 4343. Data
should be present in backends in that escaped form. Code in commit 2089.
* In some cases, we would include duplicate CNAMEs. In addition, we would
hand out a full root-referral when not configured to in some cases (ticket
223). Discovered by Andreas Jakum, fixed in commit 1344.
* Shane Kerr discovered we would corrupt DNS transaction IDs from the packet
cache on big endian systems. Fix in commit 1346, closing ticket 222.
* PowerDNS did not use RFC 1982 serial arithmetic, leading to a SOA serial
number of 1 to be regarded as older than 4400000000, when in fact it is
'newer'. Issue (re-)discovered by Jan-Piet Mens.
* BIND backend got confused if a zone's filename changed after a
configuration reload. Fix in commit 1347, closing ticket 228.
* When restarted by the Guardian, PowerDNS will perform a full multi-threaded
cache cleanup, which took a long time and could crash. Fix in commit 1364.
* Under artificial circumstances, PowerDNS would never clean its packet
cache. Found by Marcus Goller, fix in commit 1399 and commit 1408. This
update also retunes the cleanup frequency.
* Packetcache would cache things it should not have been caching. Fixes in
commits 1407, 1488, 1869, 1880
* When processing incoming notifications, the BIND backend was
case-sensitive, and would disregard notifications in the wrong case.
Discovered by 'Dolphin', fix in commit 1420.
* The init.d script did not mention the 'reload' command. Code in commit 1463,
closes ticket 233.
* Generic SQL Backends would sometimes emit obscure error messages. Fix in
commit 2049.
* PowerDNS would be confused by embedded NULs in domain names, and would also
mess up the escaping of some characters. Fix in commit 1468, commit 1469,
commit 1478, commit 1480.
* SOA queries for the name of a delegation point were not referred. Fix in
commit 1466, closing ticket 224. In addition, queries for AAAA for a CNAMEd
record pointing to a name with no AAAA would deliver a direct SOA, without
the CNAME in between. Fix in commit 1542, commit 1607. Also, wildcard
CNAMEs pointing to a record without the type requested suffered from the
same issue, fix in commit 1543.
* On processing an incoming AXFR, once an MX or SRV record had been seen, all
future fields got a 'priority' entry as well. This had no operational
impact, but looked messy. Fixed in commit 1437.
* Aki Tuomi discovered that the BIND zonefile parser would misrepresent
'something IN MX 15 @'. Fix in commit 1621.
* Marco Davids discovered the BIND zonefile parser would trip over really
long lines. Fix in commit 1624, commit 1625.
* Thomas Mieslinger discovered that our webserver would only be started after
dropping privileges, which could cause problems. Fix in commit 1629.
* Zone2sql did quite often not do exactly what was required, which users
fixed by editing the SQL output. Revamped in commit 2032.
* An Ubuntu user discovered in Launchpad bug 600479 that restarting database
threads cost a lot of memory. Normally this is rare, except in case of
problems. Addressed in commit 1676.
* BIND backend could crash under (very) high load with very large numbers of
zones (hundreds of thousands). Fixed into a slowdown for other services. Fixed in commit
2058, problem diagnosed by Richard Poole of Heart Internet.
* Fixed compilation on newer compilers and newer versions of Boost. Changes
in 1345 (closes ticket 227), 1391, 1394, 1425, 1427, 1428, 1429, 1440, 1653,
thanks to Ruben Kerkhof and others.
* Moved Generic PostgreSQL backend over to the newer E'' style escapes.
commit 2094.
* Compilation fixes for Mac OS X 10.5.7 in commit 1389, thanks to Tobias
Markmann.
* We can now bind to scoped IPv6 addresses, lack spotted by Darren Gamble.
Part of the fix is in commit 2018.
* Built-in query cache can now also cache queries which lead to multiple
answers. Code in commit 2069.
* Prodded on by Jan Piet Mens, we now support 'unknown types' (which look
like TYPE65534).
* Add 'slave-renotify' to retransmit notifies for slaved zones, which is
helpful when acting as a 'signing slave' for a hidden master. Code in
commit 1950.
* No longer let zone2sql and zone2ldap import BIND 'hint' zones. commit 1998.
* Allow for timestamps to explicitly be specified in (s)econds. Code in
commit 1398, closing ticket 250.
* Zones with URL and MBOXFW records can be transferred over AXFR, code in
commit 1464.
* Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d
script to read /etc/default/pdns. Code in commit 1601, commit 1602.
* Generic SQL backends now support multiple masters in the domains table.
Code in commit 1857. Additionally, masters can also have :port numbers.
Code in commit 1858.
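The RFC 1982 serial arithmetic bug listed above is easy to reproduce: a plain integer comparison says serial 1 is older than a serial near the 32-bit wrap point, while RFC 1982 says it is newer. This is an added illustration in C++, not PowerDNS code; the serial values are constructed 32-bit examples, and the undefined case (distance of exactly 2^31) is treated as "not newer", which is the conservative choice for a slave deciding whether to transfer.

```cpp
// RFC 1982 serial number arithmetic for 32-bit SOA serials (added example).
#include <cstdint>
#include <cstdio>

constexpr uint32_t HALF = 1u << 31;  // 2^(SERIAL_BITS - 1), SERIAL_BITS = 32

enum class SerialOrder { Equal, Less, Greater, Undefined };

// RFC 1982 section 3.2: i1 < i2 when (i1 < i2 and i2 - i1 < 2^31)
// or (i1 > i2 and i1 - i2 > 2^31). Both cases reduce to the modular
// difference (i2 - i1) mod 2^32 being below 2^31; exactly 2^31 is undefined.
SerialOrder serial_compare(uint32_t i1, uint32_t i2) {
    if (i1 == i2) return SerialOrder::Equal;
    uint32_t diff = i2 - i1;  // unsigned subtraction wraps modulo 2^32
    if (diff == HALF) return SerialOrder::Undefined;
    return diff < HALF ? SerialOrder::Less : SerialOrder::Greater;
}

// RFC 1982 section 3.1: addition wraps modulo 2^32 and the addend must be
// below 2^31. Returns false (and leaves out untouched) for an invalid addend.
bool serial_add(uint32_t s, uint32_t n, uint32_t& out) {
    if (n >= HALF) return false;
    out = s + n;
    return true;
}

// The buggy behaviour the bullet describes: a plain integer comparison.
bool naive_is_newer(uint32_t candidate, uint32_t current) {
    return candidate > current;
}

// The corrected check: "newer" means strictly greater in serial space.
// An undefined ordering is reported as not newer, so no transfer is triggered.
bool rfc1982_is_newer(uint32_t candidate, uint32_t current) {
    return serial_compare(candidate, current) == SerialOrder::Greater;
}

int main() {
    const uint32_t current = 4294967295u;  // constructed: top of the 32-bit range
    const uint32_t candidate = 1u;         // constructed: serial after wrapping
    std::printf("naive:   1 newer than 4294967295? %s\n",
                naive_is_newer(candidate, current) ? "yes" : "no");
    std::printf("RFC1982: 1 newer than 4294967295? %s\n",
                rfc1982_is_newer(candidate, current) ? "yes" : "no");
    uint32_t next = 0;
    if (serial_add(current, 2, next))
        std::printf("4294967295 + 2 wraps to %u\n", next);
    return 0;
}
```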