[Pdns-dev] PowerDNS Authoritative Server 3.4.0 released
Peter van Dijk
peter.van.dijk at netherlabs.nl
Tue Sep 30 12:41:27 CEST 2014
PowerDNS Authoritative Server 3.4.0 is now available!
3.4.0 is the best version of the PowerDNS Authoritative Server currently
available, and we recommend upgrading to it. Please read
http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however!
Please see http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 for full
release notes and all download links.
You can get PowerDNS 3.4.0 from:
These files also come with GPG signatures (append .sig).
Additionally, Kees Monshouwer has kindly provided native builds for RHEL and CentOS
This is a performance, feature, bugfix and conformity update to
3.3.1 and any earlier version. It contains a huge amount of
work by various contributors, to whom we are very grateful.
A list of changes since 3.3.1 follows.
Changes between RC2 and 3.4.0:
* gad189c9, g445d93c: also distribute the dnsdist manual page
* gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all
backends actually work as dynamic modules
* g14b11c4: raise log level on dlerror(), fixes t1734, thanks
* g016d810: improve postgresql detection during ./configure
* gdce1e90: DNAME: don't sign the synthesised CNAME
* g25e7af3: send empty SERVFAIL after a backend throws a
DBException, instead of including useless content
Changes between RC1 and RC2:
* gbb6e54f: document udp6-queries, udp4-queries, add
rd-queries, recursion-unanswered metrics & document. Closes
* g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init
script: ensure socket dir exists
* gdd930ed: don't import supermaster ips from other accounts
* ged3afdf: fall back to central bind if reuseport bind
fails; improves t1715
* g709ca59: GeoIP backend implementation. This is a new
backend, still experimental!
* gbf5a484: support EVERY future version of OS X, fixes t1702
* g4dbaec6: Check for __FreeBSD_kernel__ as per
fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but
empty on systems with FreeBSD kernels, breaking compile.
* g882ca9d: revert setpgrp changes
* g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker
to avoid abort
* g0ffd51d: improve error reporting on malformed labels
* gc48dec7: Fix forwarded TSIG message issue
* gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not
have it (like FreeBSD); fixes t1658
* gc7287b6: should fix t1662, reloading while checking for
domains that need to be notified in BIND, causing lock
* g3e67ea8: allow OPT pseudo record type in IXFR query
* ga1caa8b: webserver: htmlescape VERSION and config name
* gdf9d980: Remove "log-failed-updates" leftover
* ga1fe72a: Remove unused "soa-serial-offset" option
Changes between 3.3.1 and 3.4.0-RC1 follow.
* gbba8413: add option (max-signature-cache-entries) to limit
the maximum number of cached signatures.
* g28b66a9: limit the number of NSEC3 iterations (see RFC5155
10.3), with the max-nsec3-iterations option.
* gb50efd6: drop the 'superfluous NSEC3' option that old BIND
* The bindbackend 'hybrid' mode was reintroduced by Kees
Monshouwer. Enable it with bind-hybrid.
* Aki Tuomi contributed experimental PKCS#11 support for
DNSSEC key management with a (Soft)HSM.
* Direct RRSIG queries now return NOTIMP.
* gfa37777: add secure-all-zones command to pdnssec
* Unrectified zones can now get rectified 'on the fly' during
outgoing AXFR. This makes it possible to run a hidden
signing master without rectification.
* g82fb538: AXFR in: don't accept zones with a mixture of
Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
* Various minor bugfixes, mostly from the unstoppable Kees
* g0c4c552: set non-zero exit status in pdnssec if an
exception was thrown, for easier automatic usage.
* gb8bd119: pdnssec -v show-zone: Print all keys instead of
just entry point keys.
* g52e0d78: answer direct NSEC queries without DO bit
* gca2eb01: output ZSK DNSKEY records if
experimental-direct-dnskey support is enabled
* g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
* gac4a2f1: AXFR-out can handle secure and insecure NSEC3
* gff47302: AXFR-in can handle secure and insecure NSEC3
* DNAME support. Enable with experimental-dname-processing.
* PowerDNS can now send stats directly to Carbon servers.
Enable with carbon-server, tweak with carbon-ourname and
* g767da1a: Add list-zone capability to pdns_control
* g51f6bca: Add delete-zone to pdnssec.
* The gsql backends now support record comments, and
* The new reuseport config option allows setting
SO_REUSEPORT, which allows for some performance
* local-address-nonexist-fail and local-ipv6-nonexist-fail
allow pdns to start up even if some addresses fail to bind.
* 'AXFR-SOURCE' in domainmetadata sets the source address for
an AXFR retrieval.
* g451ba51: Implement pdnssec get-meta/set-meta
* Experimental RFC2136/DNS UPDATE support from Ruben d'Arco,
with extensive testing by Kees Monshouwer.
* pdns_control bind-add-zone
* New option bind-ignore-broken-records ignores out-of-zone
records while loading zone files.
* pdnssec now has commands for TSIG key management.
* We now support other algorithms than MD5 for TSIG.
* gba7244a: implement pdns_control qtypes
* Support for += syntax for options
* We verify the algorithm used for TSIG queries, and use the
right algorithm in signing if there is possible confusion.
Plus a few minor TSIG-related fixes.
* gff99a74: making *-threads settings empty now yields a
default of one instead of zero.
* g9215e60: we had a deadly embrace in getUpdatedMasters in
bindbackend reimplementation, thanks to Winfried for
* g9245fd9: don't addSuckRequest after supermaster zone
creation to avoid one cause of simultaneous AXFR for the
* g719f902: fix dual-stack superslave when multiple
nameservers share an ip
* g33966bf: avoid address truncation in doNotifications
* geac85b1: prevent duplicate slave notifications caused by
different ipv6 address formatting
* g3c8a711: make notification queue ipv6 compatible
* g0c13e45: make isMaster ip check more tolerant for
different ipv6 notations
* Various fixes for possible issues reported by Coverity Scan
* g9083987: don't rely on included polarssl header files when
using system polarssl. Spotted by Oden Eriksson of
* Various users reported pdns_control hangs, especially when
using the guardian. We are confident that all causes of
these hangs are now gone.
* Decreasing the webserver ringbuffer size could cause
* g4c89cce: nproxy: Add missing chdir("/") after chroot()
* g016a0ab: actually notice timeout during AXFR retrieve,
REST API changes:
* The REST API was much improved and is nearing stability,
thanks to Christian Hofstaedtler and others.
* Mark Schouten at Tuxis contributed a zone importer.
* Our tarballs and packages now include *.sql schema files
for the SQL backends.
* The webserver (including API) now has an ACL
* Webserver (including API) is now powered by YaHTTP.
* Various autotools usage improvements from Ruben Kerkhof.
* The dist tarball is now bzip2-compressed instead of gzip.
* Various remotebackend updates, including replacing curl
with (included) yahttp.
* Dynamic module loading is now allowed on Mac OS X.
* The AXFR ACL (allow-axfr-ips) now defaults to
127.0.0.0/8,::1 instead of the whole world.
* gba91c2f: remove unused gpgsql-socket option and document
postgres socket usage
* Improved support for Lua 5.2.
* The edns-subnet option code is now fixed at 8, and the
edns-subnet-option-numbers option has been removed.
* geobackend now has very limited edns-subnet support - it
will use the 'real' remote if available.
* pipebackend ABI v4 adds the zone name to the AXFR command.
* We now avoid getaddrinfo() as much as possible.
* The packet cache now handles (forwarded) recursive answers
better, including TTL aging and respecting allow-recursion.
* gff5ba4f: pdns_server --help no longer exits with 1.
* Mark Zealey contributed an experimental LMDB backend. Kees
Monshouwer added experimental DNSSEC support to it. Thanks,
* g81859ba: No longer attempt to answer questions coming in
from port 0, reply would not reach them anyhow. Thanks to
Niels Bakker and sid3windr for insight & debugging. Closes
* RCodes are now reported in text in various places, thanks
* Kees Monshouwer set up automatic testing for the oracle and
goracle backends, and fixed various issues in them.
* Leftovers of previous support for Windows have been
removed, thanks to Kees Monshouwer, Aki Tuomi.
* Bundled PolarSSL has been upgraded to 1.3.2
* PolarSSL replaced previously bundled implementations of AES
(ge22d9b4) and SHA (g9101035)
* bindbackend is now a module
* g14a2e52: Use the inet data type for supermasters.ip on
* We now send an empty SERVFAIL when a CNAME chain is too
long, instead of including the partial chain.
* g3613a51: Show built-in features in --version output
* g4bd7d35: make domainmetadata queries case insensitive
* g088c334: output warning message when no to be notified
NS's are found
* g5631b44: gpsqlbackend: use empty defaults for dbname and
user; libpq will use the current user name for both by
* gd87ded3: implement udp-truncation-threshold to override
the previous 1680 byte maximum response datagram size - no
matter what EDNS0 said. Plus document it.
* On shutdown, PowerDNS now attempts to stop all processes in
its process group, especially useful for pipe/remotebackend
users. Feature donated by Spotify.
* Removed settings related to fancy records, as we haven't
supported those since version 3.0
* Based on earlier work by Mark Zealey, Kees Monshouwer
increased our packet cache performance between 200% and
500% depending on the situation, by simplifying some code
in g801812e and g8403ade.