[Pdns-dev] [Pdns-users] PowerDNS Authoritative Server 3.4.0 released
bert.hubert at netherlabs.nl
Tue Sep 30 13:12:06 CEST 2014
As an aside to these giant & impressive release notes, I would like to thank
the PowerDNS open source community for the tremendous amount of work
invested in 3.4.0. It is astounding.
For a small overview, check for example:
Thank you very much everybody for your efforts in coding, packaging,
testing, suggesting and sometimes even documenting ;-)
On Tue, Sep 30, 2014 at 12:41:27PM +0200, Peter van Dijk wrote:
> Hi everybody,
> PowerDNS Authoritative Server 3.4.0 is now available!
> 3.4.0 is the best version of the PowerDNS Authoritative Server currently
> available, and we recommend upgrading to it. Please read
> http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however!
> Please see http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 for full
> release notes and all download links.
> You can get PowerDNS 3.4.0 from:
> These files also come with GPG signatures (append .sig).
> Additionally, Kees Monshouwer has kindly provided native builds for RHEL and CentOS
> at https://www.monshouwer.eu/download/3rd_party/pdns/
> This is a performance, feature, bugfix and conformity update to
> 3.3.1 and any earlier version. It contains a huge amount of
> work by various contributors, to whom we are very grateful.
> A list of changes since 3.3.1 follows.
> Changes between RC2 and 3.4.0:
> * gad189c9, g445d93c: also distribute the dnsdist manual page
> * gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all
> backends actually work as dynamic modules
> * g14b11c4: raise log level on dlerror(), fixes t1734, thanks
> * g016d810: improve postgresql detection during ./configure
> * gdce1e90: DNAME: don't sign the synthesised CNAME
> * g25e7af3: send empty SERVFAIL after a backend throws a
> DBException, instead of including useless content
> Changes between RC1 and RC2:
> * gbb6e54f: document udp6-queries, udp4-queries, add
> rd-queries, recursion-unanswered metrics & document. Closes
> * g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init
> script: ensure socket dir exists
> * gdd930ed: don't import supermaster ips from other accounts
> * ged3afdf: fall back to central bind if reuseport bind
> fails; improves t1715
> * g709ca59: GeoIP backend implementation. This is a new
> backend, still experimental!
> * gbf5a484: support EVERY future version of OS X, fixes t1702
> * g4dbaec6: Check for __FreeBSD_kernel__ as per
> fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but
> empty on systems with FreeBSD kernels, breaking compile.
> Thanks pawal
> * g882ca9d: revert setpgrp changes
> * g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker
> to avoid abort
> * g0ffd51d: improve error reporting on malformed labels
> * gc48dec7: Fix forwarded TSIG message issue
> * gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not
> have it (like FreeBSD); fixes t1658
> * gc7287b6: should fix t1662, reloading while checking for
> domains that need to be notified in BIND, causing lock
> * g3e67ea8: allow OPT pseudo record type in IXFR query
> * ga1caa8b: webserver: htmlescape VERSION and config name
> * gdf9d980: Remove "log-failed-updates" leftover
> * ga1fe72a: Remove unused "soa-serial-offset" option
> Changes between 3.3.1 and 3.4.0-RC1 follow.
> DNSSEC changes:
> * gbba8413: add option (max-signature-cache-entries) to limit
> the maximum number of cached signatures.
> * g28b66a9: limit the number of NSEC3 iterations (see RFC5155
> 10.3), with the max-nsec3-iterations option.
> * gb50efd6: drop the 'superfluous NSEC3' option that old BIND
> validators need.
> * The bindbackend 'hybrid' mode was reintroduced by Kees
> Monshouwer. Enable it with bind-hybrid.
> * Aki Tuomi contributed experimental PKCS#11 support for
> DNSSEC key management with a (Soft)HSM.
> * Direct RRSIG queries now return NOTIMP.
> * gfa37777: add secure-all-zones command to pdnssec
> * Unrectified zones can now get rectified 'on the fly' during
> outgoing AXFR. This makes it possible to run a hidden
> signing master without rectification.
> * g82fb538: AXFR in: don't accept zones with a mixture of
> Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
> * Various minor bugfixes, mostly from the unstoppable Kees
> * g0c4c552: set non-zero exit status in pdnssec if an
> exception was thrown, for easier automatic usage.
> * gb8bd119: pdnssec -v show-zone: Print all keys instead of
> just entry point keys.
> * g52e0d78: answer direct NSEC queries without DO bit
> * gca2eb01: output ZSK DNSKEY records if
> experimental-direct-dnskey support is enabled
> * g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
> * gac4a2f1: AXFR-out can handle secure and insecure NSEC3
> optout delegations
> * gff47302: AXFR-in can handle secure and insecure NSEC3
> optout delegations
> New features:
> * DNAME support. Enable with experimental-dname-processing.
> * PowerDNS can now send stats directly to Carbon servers.
> Enable with carbon-server, tweak with carbon-ourname and
> * g767da1a: Add list-zone capability to pdns_control
> * g51f6bca: Add delete-zone to pdnssec.
> * The gsql backends now support record comments, and
> disabling records.
> * The new reuseport config option allows setting
> SO_REUSEPORT, which allows for some performance
> * local-address-nonexist-fail and local-ipv6-nonexist-fail
> allow pdns to start up even if some addresses fail to bind.
> * 'AXFR-SOURCE' in domainmetadata sets the source address for
> an AXFR retrieval.
> * g451ba51: Implement pdnssec get-meta/set-meta
> * Experimental RFC2136/DNS UPDATE support from Ruben d'Arco,
> with extensive testing by Kees Monshouwer.
> * pdns_control bind-add-zone
> * New option bind-ignore-broken-records ignores out-of-zone
> records while loading zone files.
> * pdnssec now has commands for TSIG key management.
> * We now support other algorithms than MD5 for TSIG.
> * gba7244a: implement pdns_control qtypes
> * Support for += syntax for options
> * We verify the algorithm used for TSIG queries, and use the
> right algorithm in signing if there is possible confusion.
> Plus a few minor TSIG-related fixes.
> * gff99a74: making *-threads settings empty now yields a
> default of one instead of zero.
> * g9215e60: we had a deadly embrace in getUpdatedMasters in
> bindbackend reimplementation, thanks to Winfried for
> detailed debugging!
> * g9245fd9: don't addSuckRequest after supermaster zone
> creation to avoid one cause of simultaneous AXFR for the
> same zone
> * g719f902: fix dual-stack superslave when multiple
> nameservers share an ip
> * g33966bf: avoid address truncation in doNotifications
> * geac85b1: prevent duplicate slave notifications caused by
> different ipv6 address formatting
> * g3c8a711: make notification queue ipv6 compatible
> * g0c13e45: make isMaster ip check more tolerant for
> different ipv6 notations
> * Various fixes for possible issues reported by Coverity Scan
> (gf17c93b, )
> * g9083987: don't rely on included polarssl header files when
> using system polarssl. Spotted by Oden Eriksson of
> Mandriva, thanks!
> * Various users reported pdns_control hangs, especially when
> using the guardian. We are confident that all causes of
> these hangs are now gone.
> * Decreasing the webserver ringbuffer size could cause
> * g4c89cce: nproxy: Add missing chdir("/") after chroot()
> * g016a0ab: actually notice timeout during AXFR retrieve,
> thanks hkraal
> REST API changes:
> * The REST API was much improved and is nearing stability,
> thanks to Christian Hofstaedtler and others.
> * Mark Schouten at Tuxis contributed a zone importer.
> Other changes:
> * Our tarballs and packages now include *.sql schema files
> for the SQL backends.
> * The webserver (including API) now has an ACL
> * Webserver (including API) is now powered by YaHTTP.
> * Various autotools usage improvements from Ruben Kerkhof.
> * The dist tarball is now bzip2-compressed instead of gzip.
> * Various remotebackend updates, including replacing curl
> with (included) yahttp.
> * Dynamic module loading is now allowed on Mac OS X.
> * The AXFR ACL (allow-axfr-ips) now defaults to
> 127.0.0.0/8,::1 instead of the whole world.
> * gba91c2f: remove unused gpgsql-socket option and document
> postgres socket usage
> * Improved support for Lua 5.2.
> * The edns-subnet option code is now fixed at 8, and the
> edns-subnet-option-numbers option has been removed.
> * geobackend now has very limited edns-subnet support - it
> will use the 'real' remote if available.
> * pipebackend ABI v4 adds the zone name to the AXFR command.
> * We now avoid getaddrinfo() as much as possible.
> * The packet cache now handles (forwarded) recursive answers
> better, including TTL aging and respecting allow-recursion.
> * gff5ba4f: pdns_server --help no longer exits with 1.
> * Mark Zealey contributed an experimental LMDB backend. Kees
> Monshouwer added experimental DNSSEC support to it. Thanks,
> * g81859ba: No longer attempt to answer questions coming in
> from port 0, reply would not reach them anyhow. Thanks to
> Niels Bakker and sid3windr for insight & debugging. Closes
> * RCodes are now reported in text in various places, thanks
> * Kees Monshouwer set up automatic testing for the oracle and
> goracle backends, and fixed various issues in them.
> * Leftovers of previous support for Windows have been
> removed, thanks to Kees Monshouwer, Aki Tuomi.
> * Bundled PolarSSL has been upgraded to 1.3.2
> * PolarSSL replaced previously bundled implementations of AES
> (ge22d9b4) and SHA (g9101035)
> * bindbackend is now a module
> * g14a2e52: Use the inet data type for supermasters.ip on
> * We now send an empty SERVFAIL when a CNAME chain is too
> long, instead of including the partial chain.
> * g3613a51: Show built-in features in --version output
> * g4bd7d35: make domainmetadata queries case insensitive
> * g088c334: output warning message when no to be notified
> NS's are found
> * g5631b44: gpsqlbackend: use empty defaults for dbname and
> user; libpq will use the current user name for both by
> * gd87ded3: implement udp-truncation-threshold to override
> the previous 1680 byte maximum response datagram size - no
> matter what EDNS0 said. Plus document it.
> * Implement udp-truncation-threshold to override the previous
> 1680 byte maximum response datagram size - no matter what
> EDNS0 said.
> * On shutdown, PowerDNS now attempts to stop all processes in
> its process group, especially useful for pipe/remotebackend
> users. Feature donated by Spotify.
> * Removed settings related to fancy records, as we haven't
> supported those since version 3.0
> * Based on earlier work by Mark Zealey, Kees Monshouwer
> increased our packet cache performance between 200% and
> 500% depending on the situation, by simplifying some code
> in g801812e and g8403ade.