From remi.gacogne at powerdns.com Tue May 4 09:20:21 2021 From: remi.gacogne at powerdns.com (Remi Gacogne) Date: Tue, 4 May 2021 11:20:21 +0200 Subject: [Pdns-dev] Second release candidate for dnsdist 1.6.0 Message-ID: <20210504112021.5f5c7dbd@dark.coredump.fr> Hi everyone, We are happy to announce the second release candidate of what should become dnsdist 1.6.0. This release contains very few changes since the first release candidate, and thanks to the great feedback we received on previous versions we expect to be able to release 1.6.0 final very soon. The changed bits since -rc1 are: - Only use eBPF for ?drop? actions, and clean up the eBPF rules more often - Fix missing locks in DNSCrypt certificates management - Make the backend queryLoad and dropRate values atomic Please see the dnsdist website [1] for the more complete changelog [2] and the current documentation. Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub [3]. We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features. The release tarball [4] and its signature [5] are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository [6]. With the future 1.6.0 final release, the 1.3.x releases will be EOL and the 1.4.x releases will go into critical security fixes only mode. We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1. [1]: https://dnsdist.org [2]: https://dnsdist.org/changelog.html#change-1.6.0-rc2 [3]: https://github.com/PowerDNS/pdns/issues/new/choose [4]: https://downloads.powerdns.com/releases/dnsdist-1.6.0-rc2.tar.bz2 [5]: https://downloads.powerdns.com/releases/dnsdist-1.6.0-rc2.tar.bz2.sig [6]: https://repo.powerdns.com Best regards, -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From remi.gacogne at powerdns.com Mon May 10 12:15:15 2021 From: remi.gacogne at powerdns.com (Remi Gacogne) Date: Mon, 10 May 2021 14:15:15 +0200 Subject: [Pdns-dev] dnsdist 1.5.2 released Message-ID: <20210510141515.000b205e@dark.coredump.fr> Hi everyone! We are happy to release dnsdist 1.5.2 today, a maintenance release fixing a few bugs reported since 1.5.1: - A typo in prometheus metrics dnsdist_frontend_tlshandshakefailures (AppliedPrivacy) - A hang when removing a server with more than one socket - SNI availability on resumed sessions, by acknowledging the name sent by the client - A crash when a DoH responses map is updated at runtime - Dynamic Block RCode rules messing up the queries count - EDNS in ServFail generated when no server is available - A crash with DynBPF objects in client mode - Add missing getEDNSOptions and getDO bindings for DNSResponse As usual there were also other smaller enhancements and fixes, please see the dnsdist website [1] for the more complete changelog [2] and the current documentation. Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub [3]. We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features. The release tarball [4] (signature [5]) is available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository [6]. [1]: https://dnsdist.org [2]: https://dnsdist.org/changelog.html#change-1.5.2 [3]: https://github.com/PowerDNS/pdns/issues/new/choose [4]: https://downloads.powerdns.com/releases/dnsdist-1.5.2.tar.bz2 [5]: https://downloads.powerdns.com/releases/dnsdist-1.5.2.tar.bz2.sig [6]: https://repo.powerdns.com Best regards, -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From remi.gacogne at powerdns.com Tue May 11 08:34:01 2021 From: remi.gacogne at powerdns.com (Remi Gacogne) Date: Tue, 11 May 2021 10:34:01 +0200 Subject: [Pdns-dev] dnsdist 1.6.0 released Message-ID: <20210511103401.16a0332b@dark.coredump.fr> Hello! We are proud to announce the final release of dnsdist 1.6.0, with no changes since the second release candidate. Compared to 1.5.x, this release contains several new exciting features, as well as improvements and bug fixes. In our view, the most exciting new feature is the support of out-of-order processing for TCP and DNS over TLS connections. Out-of-order processing makes it possible to have several concurrent queries on the same TCP connection, and to receive the answers to these queries as soon as they are ready. Along with connection reuse, this reduces the overhead of TCP by a huge factor. Starting with 1.6.0, dnsdist will accept up to 65536 concurrent queries on the same incoming TCP connection, and will pass all of these to the backend over a single connection as well, provided that the backend supports it. This feature is not enabled by default, and can be enabled via the maxInFlight parameter of the addLocal/addTLSLocal (client-side) and the newServer (backend-side) commands. This new version also brings support for accepting a Proxy Protocol header on incoming connections, making it possible for a frontend to provide dnsdist with the initial source and destination ports and addresses, as well as custom values. dnsdist can then process, add and remove values before passing the information to the backend. Chaining two dnsdist instances has never been this easy! Other new features include the ability to define custom web endpoints in Lua, to extend the existing API, as well as the ability to create blazing-fast, lock-less per-thread custom load-balancing policies using the Lua foreign function interface (FFI). Among the many improvements, dnsdist?s packet cache no longer hashes EDNS Cookies by default, which means that two queries that are identical except for the content of their cookies will now be served the same answer. Note that it might be necessary to restore the existing behaviour when dnsdist is in front of a backend actually using EDNS Cookies, which can be done via the cookieHashing parameter to newPacketCache. Users of our own protocol buffer logging mechanism, or of dnstap, will be happy to learn that we replaced our implementation based on Google?s protocol buffer library by a tremendously faster one, based on the protozero library. This change results in much lower CPU utilization and increased scalability in a transparent way. The memory usage of idle DNS over HTTPS and DNS over TLS connections has also been significantly reduced when the OpenSSL provider is used. If you are upgrading from a previous version, please be aware that a few actions and commands have been renamed to clear some ambiguities. Almost all actions that allow further processing of rules now start with ?Set?, to prevent mistakes: - "DisableECSAction" to "SetDisableECSAction" - "DisableValidationAction" to "SetDisableValidationAction" - "ECSOverrideAction" to "SetECSOverrideAction" - "ECSPrefixLengthAction" to "SetECSPrefixLengthAction" - "MacAddrAction" to "SetMacAddrAction" - "NoRecurseAction" to "SetNoRecurseAction" - "SkipCacheAction" to "SetSkipCacheAction" - "TagAction" to "SetTagAction" - "TagResponseAction" to "SetTagResponseAction" - "TempFailureCacheTTLAction" to "SetAdditionalProxyProtocolValueAction" - "SetNegativeAndSOAAction" to "NegativeAndSOAAction" Some commands changing the order of the rules could have easily been confused with the ones providing insight into the current traffic, and have therefore also been renamed: - "topCacheHitResponseRule" to "mvCacheHitResponseRuleToTop" - "topResponseRule" to "mvResponseRuleToTop" - "topRule" to "mvRuleToTop" - "topSelfAnsweredResponseRule" to "mvSelfAnsweredResponseRuleToTop" Please also note that the use of additional parameters on the webserver command has been deprecated in favor of using setWebserverConfig. Regular users should not be impacted by this change, but packagers should be aware that since 1.6.0 dnsdist now uses the C++17 standard instead of the C++11 one it was previously using. Please see the dnsdist website [1] for the more complete changelog [2] and the current documentation. Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub [3]. The release tarball [4] and its signature [5] are available on the downloads website, and packages for CentOS 7 and 8, Debian Buster and Ubuntu Bionic and Focal are available from our repository [6]. With this release, the 1.3.x releases are EOL and the 1.4.x releases go into critical security fixes only mode. We would also like to take this opportunity to announce that we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm and i386 before kernel version 5.1. Finally, we would like to thank the PowerDNS community and all external contributors for their great work in this release, and in particular Stephane Bakhos, St?phane Bortzmeyer, Georgeto, Matti Hiljanen, Avatar Andreas Jakum, Nuitari, Oli Schacher, Sukhbir Singh, Thibmac and Mischan Toosarani-Hausberger! [1]: https://dnsdist.org [2]: https://dnsdist.org/changelog.html#change-1.6.0 [3]: https://github.com/PowerDNS/pdns/issues/new/choose [4]: https://downloads.powerdns.com/releases/dnsdist-1.6.0.tar.bz2 [5]: https://downloads.powerdns.com/releases/dnsdist-1.6.0.tar.bz2.sig [6]: https://repo.powerdns.com Best regards, -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From otto.moerbeek at open-xchange.com Tue May 11 09:49:26 2021 From: otto.moerbeek at open-xchange.com (Otto Moerbeek) Date: Tue, 11 May 2021 11:49:26 +0200 (CEST) Subject: [Pdns-dev] PowerDNS Recursor 4.5.1 Released Message-ID: <1854276580.24751.1620726566280@appsuite-guard.open-xchange.com> Hello! We are proud to announce the release of PowerDNS Recursor 4.5.1. Compared to the release candidate, this release contains two bug fixes. Note that 4.5.0 was never released publicly, since an issue was found during QA. Compared to the previous major (4.4) release of PowerDNS Recursor, this release contains a rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% . Another notable feature is the implementation of EDNS0 padding (RFC 7830[1]) for answers sent to clients. This 4.5.1 release includes an important addition: the implementation of RFC 8198[2]: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode[3] is now "process", while it was "process-no-validate" before. This means that clients asking for it will get DNSSEC validated answers by default. We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that list nameservers that do not resolve and further mitigates the TsuNAME[4] vulnerability. This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption. Support for Extended DNS Errors (RFC 8914[5]) has been added. These can be enabled by setting the extended-resolution-errors[6] setting to 'yes', this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine[7], allowing fine-grained setting of both the error code and extra information in the response. A "refresh almost expired records" (also called "refetch") mechanism[8] has been introduced to keep the record cache warm. In short, if a query comes in and the cached record's TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache. Other new features and improvements are: * The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact. * We have introduced non-offensive synonyms for words used in settings. See the upgrade[9] guide. * The default minimum TTL[10] override has been changed from 0 to 1. * The spoof-nearmiss-max setting[11]'s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks. * Incoming queries over TCP now also use the packet cache, providing another performance increase. * File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name. * TCP FastOpen (RFC 7413[12]) support for outgoing TCP connections to authoritative servers and forwarders. Please refer to the changelog[13] for additional details. Please send us all feedback and issues you might have via the mailing list[14], or in case of a bug, via GitHub[15]. The tarball[16] (signature[17]) is available from our download server[18] and packages for several distributions are available from our repository[19]. With this 4.5.1 release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy[20] for more details. We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386. We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features. -Otto and the PowerDNS Team References 1. https://tools.ietf.org/html/rfc7830.html 2. https://tools.ietf.org/html/rfc8198 3. https://docs.powerdns.com/recursor/settings.html#dnssec 4. https://blog.powerdns.com/2021/05/10/tsuname-vulnerability-and-powerdns-recursor/ 5. https://tools.ietf.org/html/rfc8914.html 6. https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors 7. https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.extendedErrorCode 8. https://docs.powerdns.com/recursor/settings.html#refresh-on-ttl-perc 9. https://docs.powerdns.com/recursor/upgrade.html#x-to-4-5-0-or-master 10. https://docs.powerdns.com/recursor/settings.html#minimum-ttl-override 11. https://docs.powerdns.com/recursor/settings.html#spoof-nearmiss-max 12. https://tools.ietf.org/html/rfc7413.html 13. https://doc.powerdns.com/recursor/changelog/4.5.html#change-4.5.1 14. https://mailman.powerdns.com/mailman/listinfo/pdns-users 15. https://github.com/PowerDNS/pdns/issues/new/choose 16. https://downloads.powerdns.com/releases/pdns-recursor-4.5.1.tar.bz2 17. https://downloads.powerdns.com/releases/pdns-recursor-4.5.1.tar.bz2.sig 18. https://downloads.powerdns.com/releases/ 19. https://repo.powerdns.com/ 20. https://docs.powerdns.com/recursor/appendices/EOL.html -- kind regards, Otto Moerbeek PowerDNS Developer Email: otto.moerbeek at open-xchange.com ------------------------------------------------------------------------------------- Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366 Managing Board: Andreas Gauger, Carsten Dirks, Dirk Valbert, Frank Hoberg, Stephan Martin Chairman of the Board: Richard Seibt PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands Managing Director: Robert Brandt, Carsten Dirks ------------------------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 475 bytes Desc: not available URL: From peter.van.dijk at powerdns.com Thu May 27 10:10:16 2021 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Thu, 27 May 2021 12:10:16 +0200 Subject: [Pdns-dev] PowerDNS Authoritative Server 4.5.0-alpha1 Message-ID: <557493fbf0258e9ca470d1bce8596797eff1bc4b.camel@powerdns.com> Hello! Today we released the first Alpha version for Authoritative Server version 4.5.0. Version 4.5.0 mostly brings small improvements and fixes, but there is one notable new feature: the zone cache. The zone cache allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference. A full list of changes can be found in the [1]changelog. Please make sure to read the [2]Upgrade Notes before upgrading. With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS. The [3]tarball ([4]signature) is available at [5]downloads.powerdns.com. Packages for various distributions are available from [6]repo.powerdns.com. Please send us all feedback and issues you might have via the [7]mailing list, or in case of a bug, via [8]GitHub. 1. https://doc.powerdns.com/authoritative/changelog/4.5.html#change-4.5.0-alpha1 2. https://doc.powerdns.com/authoritative/upgrading.html 3. https://downloads.powerdns.com/releases/pdns-4.5.0-alpha1.tar.bz2 4. https://downloads.powerdns.com/releases/pdns-4.5.0-alpha1.tar.bz2.sig 5. https://downloads.powerdns.com/releases/ 6. https://repo.powerdns.com/ 7. https://mailman.powerdns.com/mailman/listinfo/pdns-users 8. https://github.com/PowerDNS/pdns/issues/new/choose Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 914 bytes Desc: This is a digitally signed message part URL: