PowerDNS Authoritative Server 3.4.0 is now available!

3.4.0 is the best version of the PowerDNS Authoritative Server currently
available, and we recommend upgrading to it. Please read 
http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however!

Please see http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 for full
release notes and all download links.

You can get PowerDNS 3.4.0 from:


These files also come with GPG signatures (append .sig).

Additionally, Kees Monshouwer has kindly provided native builds for RHEL and CentOS
at https://www.monshouwer.eu/download/3rd_party/pdns/

This is a performance, feature, bugfix and conformity update to
3.3.1 and any earlier version. It contains a huge amount of
work by various contributors, to whom we are very grateful.

A list of changes since 3.3.1 follows.

Changes between RC2 and 3.4.0:
 * gad189c9, g445d93c: also distribute the dnsdist manual page
 * gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all
   backends actually work as dynamic modules
 * g14b11c4: raise log level on dlerror(), fixes t1734, thanks
 * g016d810: improve postgresql detection during ./configure
 * gdce1e90: DNAME: don't sign the synthesised CNAME
 * g25e7af3: send empty SERVFAIL after a backend throws a
   DBException, instead of including useless content

Changes between RC1 and RC2:
 * gbb6e54f: document udp6-queries, udp4-queries, add
   rd-queries, recursion-unanswered metrics & document. Closes
 * g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init
   script: ensure socket dir exists
 * gdd930ed: don't import supermaster ips from other accounts
 * ged3afdf: fall back to central bind if reuseport bind
   fails; improves t1715
 * g709ca59: GeoIP backend implementation. This is a new
   backend, still experimental!
 * gbf5a484: support EVERY future version of OS X, fixes t1702
 * g4dbaec6: Check for __FreeBSD_kernel__ as per
   fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but
   empty on systems with FreeBSD kernels, breaking compile.
   Thanks pawal
 * g882ca9d: revert setpgrp changes
 * g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker
   to avoid abort
 * g0ffd51d: improve error reporting on malformed labels
 * gc48dec7: Fix forwarded TSIG message issue
 * gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not
   have it (like FreeBSD); fixes t1658
 * gc7287b6: should fix t1662, reloading while checking for
   domains that need to be notified in BIND, causing lock
 * g3e67ea8: allow OPT pseudo record type in IXFR query
 * ga1caa8b: webserver: htmlescape VERSION and config name
 * gdf9d980: Remove "log-failed-updates" leftover
 * ga1fe72a: Remove unused "soa-serial-offset" option

Changes between 3.3.1 and 3.4.0-RC1 follow.

DNSSEC changes:
 * gbba8413: add option (max-signature-cache-entries) to limit
   the maximum number of cached signatures.
 * g28b66a9: limit the number of NSEC3 iterations (see RFC5155
   10.3), with the max-nsec3-iterations option.
 * gb50efd6: drop the 'superfluous NSEC3' option that old BIND
   validators need.
 * The bindbackend 'hybrid' mode was reintroduced by Kees
   Monshouwer. Enable it with bind-hybrid.
 * Aki Tuomi contributed experimental PKCS#11 support for
   DNSSEC key management with a (Soft)HSM.
 * Direct RRSIG queries now return NOTIMP.
 * gfa37777: add secure-all-zones command to pdnssec
 * Unrectified zones can now get rectified 'on the fly' during
   outgoing AXFR. This makes it possible to run a hidden
   signing master without rectification.
 * g82fb538: AXFR in: don't accept zones with a mixture of
   Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
 * Various minor bugfixes, mostly from the unstoppable Kees
 * g0c4c552: set non-zero exit status in pdnssec if an
   exception was thrown, for easier automatic usage.
 * gb8bd119: pdnssec -v show-zone: Print all keys instead of
   just entry point keys.
 * g52e0d78: answer direct NSEC queries without DO bit
 * gca2eb01: output ZSK DNSKEY records if
   experimental-direct-dnskey support is enabled
 * g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
 * gac4a2f1: AXFR-out can handle secure and insecure NSEC3
   optout delegations
 * gff47302: AXFR-in can handle secure and insecure NSEC3
   optout delegations

New features:
 * DNAME support. Enable with experimental-dname-processing.
 * PowerDNS can now send stats directly to Carbon servers.
   Enable with carbon-server, tweak with carbon-ourname and
 * g767da1a: Add list-zone capability to pdns_control
 * g51f6bca: Add delete-zone to pdnssec.
 * The gsql backends now support record comments, and
   disabling records.
 * The new reuseport config option allows setting
   SO_REUSEPORT, which allows for some performance
 * local-address-nonexist-fail and local-ipv6-nonexist-fail
   allow pdns to start up even if some addresses fail to bind.
 * 'AXFR-SOURCE' in domainmetadata sets the source address for
   an AXFR retrieval.
 * g451ba51: Implement pdnssec get-meta/set-meta
 * Experimental RFC2136/DNS UPDATE support from Ruben d'Arco,
   with extensive testing by Kees Monshouwer.
 * pdns_control bind-add-zone
 * New option bind-ignore-broken-records ignores out-of-zone
   records while loading zone files.
 * pdnssec now has commands for TSIG key management.
 * We now support other algorithms than MD5 for TSIG.
 * gba7244a: implement pdns_control qtypes
 * Support for += syntax for options

 * We verify the algorithm used for TSIG queries, and use the
   right algorithm in signing if there is possible confusion.
   Plus a few minor TSIG-related fixes.
 * gff99a74: making *-threads settings empty now yields a
   default of one instead of zero.
 * g9215e60: we had a deadly embrace in getUpdatedMasters in
   bindbackend reimplementation, thanks to Winfried for
   detailed debugging!
 * g9245fd9: don't addSuckRequest after supermaster zone
   creation to avoid one cause of simultaneous AXFR for the
   same zone
 * g719f902: fix dual-stack superslave when multiple
   nameservers share an IP
 * g33966bf: avoid address truncation in doNotifications
 * geac85b1: prevent duplicate slave notifications caused by
   different ipv6 address formatting
 * g3c8a711: make notification queue ipv6 compatible
 * g0c13e45: make isMaster ip check more tolerant for
   different ipv6 notations
 * Various fixes for possible issues reported by Coverity Scan
   (gf17c93b, )
 * g9083987: don't rely on included polarssl header files when
   using system polarssl. Spotted by Oden Eriksson of
   Mandriva, thanks!
 * Various users reported pdns_control hangs, especially when
   using the guardian. We are confident that all causes of
   these hangs are now gone.
 * Decreasing the webserver ringbuffer size could cause
 * g4c89cce: nproxy: Add missing chdir("/") after chroot()
 * g016a0ab: actually notice timeout during AXFR retrieve,
   thanks hkraal

REST API changes:
 * The REST API was much improved and is nearing stability,
   thanks to Christian Hofstaedtler and others.
 * Mark Schouten at Tuxis contributed a zone importer.

Other changes:
 * Our tarballs and packages now include *.sql schema files
   for the SQL backends.
 * The webserver (including API) now has an ACL
 * Webserver (including API) is now powered by YaHTTP.
 * Various autotools usage improvements from Ruben Kerkhof.
 * The dist tarball is now bzip2-compressed instead of gzip.
 * Various remotebackend updates, including replacing curl
   with (included) yahttp.
 * Dynamic module loading is now allowed on Mac OS X.
 * The AXFR ACL (allow-axfr-ips) now defaults to,::1 instead of the whole world.
 * gba91c2f: remove unused gpgsql-socket option and document
   postgres socket usage
 * Improved support for Lua 5.2.
 * The edns-subnet option code is now fixed at 8, and the
   edns-subnet-option-numbers option has been removed.
 * geobackend now has very limited edns-subnet support - it
   will use the 'real' remote if available.
 * pipebackend ABI v4 adds the zone name to the AXFR command.
 * We now avoid getaddrinfo() as much as possible.
 * The packet cache now handles (forwarded) recursive answers
   better, including TTL aging and respecting allow-recursion.
 * gff5ba4f: pdns_server --help no longer exits with 1.
 * Mark Zealey contributed an experimental LMDB backend. Kees
   Monshouwer added experimental DNSSEC support to it. Thanks,
 * g81859ba: No longer attempt to answer questions coming in
   from port 0, reply would not reach them anyhow. Thanks to
   Niels Bakker and sid3windr for insight & debugging. Closes
 * RCodes are now reported in text in various places, thanks
 * Kees Monshouwer set up automatic testing for the oracle and
   goracle backends, and fixed various issues in them.
 * Leftovers of previous support for Windows have been
   removed, thanks to Kees Monshouwer, Aki Tuomi.
 * Bundled PolarSSL has been upgraded to 1.3.2
 * PolarSSL replaced previously bundled implementations of AES
   (ge22d9b4) and SHA (g9101035)
 * bindbackend is now a module
 * g14a2e52: Use the inet data type for supermasters.ip on
 * We now send an empty SERVFAIL when a CNAME chain is too
   long, instead of including the partial chain.
 * g3613a51: Show built-in features in --version output
 * g4bd7d35: make domainmetadata queries case insensitive
 * g088c334: output a warning message when no NSes to be
   notified are found
 * g5631b44: gpsqlbackend: use empty defaults for dbname and
   user; libpq will use the current user name for both by
 * gd87ded3: implement udp-truncation-threshold to override
   the previous 1680 byte maximum response datagram size - no
   matter what EDNS0 said. Plus document it.
 * On shutdown, PowerDNS now attempts to stop all processes in
   its process group, especially useful for pipe/remotebackend
   users. Feature donated by Spotify.
 * Removed settings related to fancy records, as we haven't
   supported those since version 3.0
 * Based on earlier work by Mark Zealey, Kees Monshouwer
   increased our packet cache performance between 200% and
   500% depending on the situation, by simplifying some code
   in g801812e and g8403ade.

