[Pdns-dev] dnsdist 1.6.0 released

Remi Gacogne remi.gacogne at powerdns.com
Tue May 11 08:34:01 UTC 2021


We are proud to announce the final release of dnsdist 1.6.0, with no
changes since the second release candidate. Compared to 1.5.x, this
release contains several new exciting features, as well as improvements
and bug fixes.

In our view, the most exciting new feature is the support of
out-of-order processing for TCP and DNS over TLS connections.
Out-of-order processing makes it possible to have several concurrent
queries on the same TCP connection, and to receive the answers to these
queries as soon as they are ready. Along with connection reuse, this
reduces the overhead of TCP by a huge factor. Starting with 1.6.0,
dnsdist will accept up to 65536 concurrent queries on the same incoming
TCP connection, and will pass all of these to the backend over a single
connection as well, provided that the backend supports it. This feature
is not enabled by default, and can be enabled via the maxInFlight
parameter of the addLocal/addTLSLocal (client-side) and the newServer
(backend-side) commands.

This new version also brings support for accepting a Proxy Protocol
header on incoming connections, making it possible for a frontend to
provide dnsdist with the initial source and destination ports and
addresses, as well as custom values. dnsdist can then process, add and
remove values before passing the information to the backend. Chaining
two dnsdist instances has never been this easy!

Other new features include the ability to define custom web endpoints
in Lua, to extend the existing API, as well as the ability to create
blazing-fast, lock-less per-thread custom load-balancing policies using
the Lua foreign function interface (FFI).

Among the many improvements, dnsdist’s packet cache no longer hashes
EDNS Cookies by default, which means that two queries that are
identical except for the content of their cookies will now be served
the same answer. Note that it might be necessary to restore the
existing behaviour when dnsdist is in front of a backend actually using
EDNS Cookies, which can be done via the cookieHashing parameter to

Users of our own protocol buffer logging mechanism, or of dnstap, will
be happy to learn that we replaced our implementation based on Google’s
protocol buffer library by a tremendously faster one, based on the
protozero library. This change results in much lower CPU utilization
and increased scalability in a transparent way.

The memory usage of idle DNS over HTTPS and DNS over TLS connections
has also been significantly reduced when the OpenSSL provider is used.

If you are upgrading from a previous version, please be aware that a
few actions and commands have been renamed to clear some ambiguities.
Almost all actions that allow further processing of rules now start
with ‘Set’, to prevent mistakes:

- "DisableECSAction" to "SetDisableECSAction"
- "DisableValidationAction" to "SetDisableValidationAction"
- "ECSOverrideAction" to "SetECSOverrideAction"
- "ECSPrefixLengthAction" to "SetECSPrefixLengthAction"
- "MacAddrAction" to "SetMacAddrAction"
- "NoRecurseAction" to "SetNoRecurseAction"
- "SkipCacheAction" to "SetSkipCacheAction"
- "TagAction" to "SetTagAction"
- "TagResponseAction" to "SetTagResponseAction"
- "TempFailureCacheTTLAction" to "SetAdditionalProxyProtocolValueAction"
- "SetNegativeAndSOAAction" to "NegativeAndSOAAction"

Some commands changing the order of the rules could have easily been
confused with the ones providing insight into the current traffic, and
have therefore also been renamed:

- "topCacheHitResponseRule" to "mvCacheHitResponseRuleToTop"
- "topResponseRule" to "mvResponseRuleToTop"
- "topRule" to "mvRuleToTop"
- "topSelfAnsweredResponseRule" to "mvSelfAnsweredResponseRuleToTop"

Please also note that the use of additional parameters on the webserver
command has been deprecated in favor of using setWebserverConfig.

Regular users should not be impacted by this change, but packagers
should be aware that since 1.6.0 dnsdist now uses the C++17 standard
instead of the C++11 one it was previously using.

Please see the dnsdist website [1] for the more complete changelog [2]
and the current documentation.

Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub [3].

The release tarball [4] and its signature [5] are available on the
downloads website, and packages for CentOS 7 and 8, Debian Buster
and Ubuntu Bionic and Focal are available from our repository [6].

With this release, the 1.3.x releases are EOL and the 1.4.x releases go
into critical security fixes only mode.

We would also like to take this opportunity to announce that we will
stop supporting systems using 32-bit time. This includes 32-bit Linux
platforms like arm and i386 before kernel version 5.1.

Finally, we would like to thank the PowerDNS community and all external
contributors for their great work in this release, and in particular
Stephane Bakhos, Stéphane Bortzmeyer, Georgeto, Matti Hiljanen, Avatar
Andreas Jakum, Nuitari, Oli Schacher, Sukhbir Singh, Thibmac and
Mischan Toosarani-Hausberger!

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.6.0
[3]: https://github.com/PowerDNS/pdns/issues/new/choose
[6]: https://repo.powerdns.com

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20210511/a44c5f87/attachment.sig>

More information about the Pdns-dev mailing list