[Pdns-users] PowerDNS Recursor 3.1 released!
bert.hubert at netherlabs.nl
Tue May 23 15:55:13 UTC 2006
Many thanks are due to the operators of some of the largest internet access
providers of the world, each having many millions of customers, who have
tested the various 3.1 pre-releases for suitability.
They have uncovered and helped fix bugs that could impact us all, but are
only (quickly) noticeable with such vast amounts of DNS traffic.
Download it here:
Red Hat & Derived:
The release notes, with clickable links, can be found here:
As text below:
After version 3.0.1 has proved to hold up very well under tremendous
loads, 3.1 adds important new features.
* Ability to serve authoritative data from 'BIND' style zone files
(using auth-zones statement).
* Ability to forward domains so configured to external servers (using
* Possibility of 'serving' the contents of /etc/hosts over DNS, which is
very well suited to simple domestic router/DNS setups. Enabled using
* As recommended by recent standards documents, the PowerDNS recursor is
now authoritative for RFC-1918 private IP space zones by default
(suggested by Paul Vixie).
* Full outgoing IPv6 support (off by default) with IPv6 servers getting
equal treatment with IPv4, nameserver addresses are chosen based on
average response speed, irrespective of protocol.
* Initial Windows support, including running as a service ('NET START
"POWERDNS RECURSOR"'). rec_channel is still missing, the rest should
work. Performance appears to be below that of the UNIX versions, this
situation is expected to improve.
* No longer send out SRV and MX record priorities as zero on big-endian
platforms (UltraSPARC). Discovered by Eric Sproul, fixed in commit
* SRV records need additional processing, especially in an Active
Directory setting. Reported by Kenneth Marshall, fixed in commit 774.
* The root-records were not being refreshed, which could lead to
problems under inconceivable conditions. Fixed in commit 780.
* Fix resolving domain names for nameservers with multiple IP addresses,
with one of these addresses being lame. Other nameserver
implementations were also unable to resolve these domains, so not a
big bug. Fixed in commit 780.
* For a period of 5 minutes after expiring a negative cache entry, the
domain would not be re-cached negatively, leading to a lot of
duplicate outgoing queries for this short period. This fix has raised
the average cache hit rate of the recursor by a few percent. Fixed in
* Query throttling was not aggressive enough and not all sorts of
queries were throttled. Implemented in commit 786.
* Fix possible crash during startup when parsing empty configuration
lines (commit 807).
* Fix possible crash when the first query after wiping a cache entry was
for the just deleted entry. Rare in production servers. Fixed in
* Recursor would send out differing TTLs when receiving a misconfigured,
standards violating, RRSET with different TTLs. Implement fix as
mandated by RFC 2181, paragraph 5.2. Reported by Stephen Harker
* The top-remotes would list remotes duplicately, once per source port.
Discovered by Jorn Ekkelenkamp, fixed in commit 827, which is post
* Default allow-from allowed queries from fe80::/16, corrected to
fe80::/10. Spotted by Niels Bakker, fixed in commit 829, which is post
* While PowerDNS blocks failing queries quickly, multiple packets could
briefly be in flight for the same domain and nameserver. This
situation is now explicitly detected and queries are chained to
identical queries already in flight. Fixed in commit 833 and commit
834, post 3.1-pre1.
* ANY queries are now implemented as in other nameserver
implementations, leading to a decrease in outgoing queries. The RFCs
are not very clear on desired behaviour, what is implemented now saves
bandwidth and CPU and brings us in line with existing practice.
Previously ANY queries were not cached by the PowerDNS recursor.
Implemented in commit 784.
* rec_control was very sparse in its error reporting, and user
unfriendly as well. Reported by Erik Bos, fixed in commit 818 and
* IPv6 addresses were printed in a non-standard way, fixed in commit
* TTLs of records are now capped at two weeks, commit 820.
* allow-from IPv4 netmasks now automatically work for IPv4-to-IPv6 mapped
IPv4 addresses, which appear when running on the wildcard :: IPv6
address. Lack of feature noted by Marcus 'darix' Rueckert. Fixed in
commit 826, which is post 3.1-pre1.
* Errors before daemonizing are now also sent to syslog. Suggested by
Marcus 'darix' Rueckert. Fixed in commit 825, which is post 3.1-pre1.
* When launching without any form of configured network connectivity,
all root-servers would be cached as 'down' for some time. Detect this
special case and treat it as a resource-constraint, which is not
accounted against specific nameservers. Spotted by Seth Arnold, fixed
in commit 835, which is post 3.1-pre1.
* The recursor now does not allow authoritative servers to keep
supplying their own NS records into perpetuity, which causes problems
when a domain is redelegated but the old authoritative servers are not
updated to this effect. Noticed and explained at length by Darren
Gamble of Shaw Communications, addressed by commit 837, which is post
* Some operators may want to follow RFC 2181 paragraph 5.2 and 5.4. This
harms performance and does not solve any real problem, but does make
PowerDNS more compliant. If you want this, enable auth-can-lower-ttl.
Implemented in commit 838, which is post 3.1-pre2.
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
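
Two of the allow-from changes in the release notes above (the fe80::/16 to fe80::/10 correction, and IPv4 netmasks matching IPv4-mapped addresses seen on a wildcard :: socket), as an added Python sketch. It is not PowerDNS code; the ACL lists and function names are constructed for illustration.

```python
import ipaddress

# Constructed ACLs for illustration; not the recursor's shipped defaults.
OLD_ACL = ["127.0.0.0/8", "192.168.0.0/16", "::1/128", "fe80::/16"]
NEW_ACL = ["127.0.0.0/8", "192.168.0.0/16", "::1/128", "fe80::/10"]


def parse_acl(entries):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def normalize(addr):
    """Unwrap ::ffff:a.b.c.d to plain IPv4, as a socket bound to :: reports it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def allowed(addr, acl_entries, unwrap_mapped=True):
    """Return True if the client address falls inside any ACL network."""
    ip = normalize(addr) if unwrap_mapped else ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net
               for net in parse_acl(acl_entries))


def compare(addr):
    """(old ACL without unwrapping, new ACL with unwrapping) for one client."""
    return (allowed(addr, OLD_ACL, unwrap_mapped=False),
            allowed(addr, NEW_ACL, unwrap_mapped=True))


if __name__ == "__main__":
    # Constructed client addresses.
    for client in ["fe80::1", "febf::1", "fec0::1",
                   "::ffff:192.168.1.5", "::ffff:10.0.0.1"]:
        print(client, compare(client))
```

The link-local range fe80::/10 runs up to febf:ffff:..., so a /16 entry silently excludes part of it, while unwrapping mapped addresses only admits clients whose IPv4 address was already covered by an IPv4 netmask.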