[Pdns-dev] PowerDNS Recursor 4.2.0 Released

Otto Moerbeek otto.moerbeek at open-xchange.com
Mon Jul 15 14:01:36 UTC 2019

July 15, 2019

PowerDNS Recursor 4.2.0 Released

We’re proud to announce version 4.2.0 for the PowerDNS Recursor 4.2
release train.

The 4.2.0 release of the PowerDNS Recursor brings a lot of small,
incremental changes over the 4.1.x releases. We expect little
operational impact when upgrading from 4.1.x. However, several new
features have been implemented and some features have changed.

This release was made possible by contributions from: Gibheer, cclauss,
Aki Tuomi, Ruben, Doug Freed, Richard Gibson, Peter Gervai, Oli, Josh
Soref, Rens Houben, Kirill Ponomarev, Kees Monshouwer, Matt Nordhoff,
OSSO B.V., phonedph1, Rafael Buchbinder, Ruben Kerkhof, spirillen, Tom
Ivar Helbekkmo and Chris Hofstaedtler.  Thanks!

DNS Flag Day

The 4.2.0 release of the PowerDNS Recursor removes several workarounds
for authoritative servers that respond badly to EDNS(0) queries. This is
part of a multi-vendor effort known as DNS flag day to move the DNS
ecosystem forward by being less lenient on non-conforming implementations.

XPF Support

This release adds support for DNS X-Proxied-For
(draft-bellis-dnsop-xpf-04). This technique is roughly equivalent to
HTTP’s X-Forwarded-For header: it can communicate the IP address and
port of the original requestor from a loadbalancer/frontend (like
dnsdist) to the backend server. This can allow the backend server to
make decisions regarding that specific client. XPF is disabled by
default and can be enabled by setting the xpf-allow-from setting to the
source IP address of the front-end proxy and setting xpf-rr-code to the
code of the resource record used by the frontend.

EDNS Client Subnet Improvements

More granularity has been added for the users of EDNS Client Subnet. The
new ecs-add-for setting can be set to a list of netmasks for which the
requestor’s IP address should be used as the EDNS Client Subnet for
outgoing queries. For IP addresses not on this list, the PowerDNS
Recursor will use the ecs-scope-zero-address instead, which matches the
behavior of 4.1.x. Valid incoming ECS values from
use-incoming-edns-subnet are not replaced.

New and Updated Settings

Sites that process large numbers of queries per second (100k+) may
benefit from the new distributor-threads setting. This can be used in
combination with pdns-distributes-queries=yes to spawn multiple threads
that will pick up incoming queries and distribute them over the worker

For several statistics, the PowerDNS Recursor uses a public suffix list
to group queries. Before, this list was built into the binary and only
updated for every release. This release adds the public-suffix-list-file
setting that allows operators to supply their own public suffix list.
This option is unset by default, which means the built-in list is used.

Over the last years it has become clear that many networks on the
internet lose large UDP packets, leading to authoritative servers being
seen as dead from the recursor’s perspective. To ensure return packets
from authoritative servers have a better chance of reaching the
recursor, the edns-outgoing-bufsize setting’s default has changed from
1680 to 1232. 1232 was chosen because it is the largest DNS response
that can be carried on an IPv6 link with the IPv6 minimal MTU (1280). In
tandem with this change, the udp-truncation-threshold that decides when
to truncate responses to clients has also been changed from 1680 to 1232.

Changes since release candidate 2

There have been some minor changes since release candidate 2:

    #8074: Make sure we always compile with BOOST_CB_ENABLE_DEBUG set to 0
    #8052: Limit compression pointers to 14 bits
    #8009: Fix the export of only outgoing queries or incoming responses
    #8005: Clear CMSG_SPACE(sizeof(data)) in cmsghdr to appease valgrind

Please see the changelog[1] for details.

Release cycles

Starting with this release, we intend to move to 6 month release cycles.
This means the next release of PowerDNS recursor (4.3) is scheduled for
January 2020. We will support a release for two cycles (one year). After
that, a release will only get security fixes for one more cycle and then
move to end of life status. Starting with the upcoming releases, our
other two open source products dnsdist and the authoritative server will
also move to a 6 month cycle with the same support periods.

Specific information can be found in the end of life statement.


The tarball[2] (signature[3]) is available at downloads.powerdns.com and
packages for CentOS 6 and 7, Debian Stretch and Buster, Ubuntu Xenial
and Bionic are available from repo.powerdns.com. We no longer build
Debian Jessie and Trusty packages.

We would like to thank the PowerDNS community for continued support,
feedback, bug fixes and submitted features.

Please send us all feedback and issues you might have via the mailing
list[4], or in case of a bug, via GitHub[5].

[1] https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.0
[2] https://downloads.powerdns.com/releases/pdns-recursor-4.2.0.tar.bz2
[3] https://downloads.powerdns.com/releases/pdns-recursor-4.2.0.tar.bz2.sig
[4] https://mailman.powerdns.com/mailman/listinfo/pdns-users
[5] https://github.com/PowerDNS/pdns/issues/new

kind regards,
Otto Moerbeek
PowerDNS -- https://www.powerdns.com
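
Added example (not part of the original announcement and not PowerDNS code): a sketch of the trust decision behind the xpf-allow-from and xpf-rr-code settings described under "XPF Support". An XPF record is honoured only when the packet arrives from the configured front-end; otherwise the socket peer is used. The RDATA layout is assumed from draft-bellis-dnsop-xpf-04, and the addresses, the type code 65280 and the function names are hypothetical.

```python
import ipaddress
import struct

# Hypothetical deployment values, not taken from the announcement.
XPF_ALLOW_FROM = [ipaddress.ip_network("192.0.2.53/32")]  # the front-end proxy
XPF_RR_CODE = 65280  # private-use RR type; must match the code the frontend uses

def parse_xpf_rdata(rdata):
    """Decode XPF RDATA (layout assumed from draft-bellis-dnsop-xpf-04):
    unused(4 bits) | IP version(4 bits), protocol, src addr, dst addr, src port, dst port."""
    if len(rdata) < 2:
        raise ValueError("XPF RDATA too short")
    version, proto = rdata[0] & 0x0F, rdata[1]  # high nibble is unused
    alen = {4: 4, 6: 16}.get(version)
    if alen is None:
        raise ValueError("unknown IP version")
    if len(rdata) != 2 + 2 * alen + 4:
        raise ValueError("length does not match IP version")
    src = ipaddress.ip_address(rdata[2:2 + alen])
    dst = ipaddress.ip_address(rdata[2 + alen:2 + 2 * alen])
    sport, dport = struct.unpack("!HH", rdata[2 + 2 * alen:])
    return {"proto": proto, "src": (str(src), sport), "dst": (str(dst), dport)}

def effective_client(peer, additional_rrs):
    """Return the (ip, port) that ACLs and per-client policy should see.
    peer: (ip, port) of the socket peer; additional_rrs: list of (rrtype, rdata)."""
    peer_ip = ipaddress.ip_address(peer[0])
    trusted = any(peer_ip in net for net in XPF_ALLOW_FROM)
    for rrtype, rdata in additional_rrs:
        if rrtype != XPF_RR_CODE or not trusted:
            continue  # XPF from anyone but the proxy is ignored
        try:
            return parse_xpf_rdata(rdata)["src"]
        except ValueError:
            break  # malformed record: fall back to the socket peer
    return (str(peer_ip), peer[1])

# Constructed sample: UDP (17) query from 203.0.113.7:40000 to 192.0.2.53:53.
SAMPLE_RDATA = (bytes([4, 17])
                + ipaddress.ip_address("203.0.113.7").packed
                + ipaddress.ip_address("192.0.2.53").packed
                + struct.pack("!HH", 40000, 53))

if __name__ == "__main__":
    print(effective_client(("192.0.2.53", 5300), [(XPF_RR_CODE, SAMPLE_RDATA)]))
    print(effective_client(("198.51.100.9", 1234), [(XPF_RR_CODE, SAMPLE_RDATA)]))
```

The second call shows why xpf-allow-from should list only the proxy: a record sent directly by a client would otherwise let it claim any source address.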
