[Pdns-users] PowerDNS Recursor 3.1 released!

bert hubert bert.hubert at netherlabs.nl
Tue May 23 15:55:13 UTC 2006

Many thanks are due to the operators of some of the largest internet access
providers of the world, each having many millions of customers, who have
tested the various 3.1 pre-releases for suitability. 

They have uncovered and helped fix bugs that could impact us all, but are
only (quickly) noticeable with such vast amounts of DNS traffic.

Download it here:


Red Hat & Derived:

The release notes, with clickable links, can be found here:

As text below:

 After version 3.0.1 has proved to hold up very well under tremendous
 loads, 3.1 adds important new features.

 * Ability to serve authoritative data from 'BIND' style zone files
   (using auth-zones statement).

 * Ability to forward domains so configured to external servers (using

 * Possibility of 'serving' the contents of /etc/hosts over DNS, which is
   very well suited to simple domestic router/DNS setups. Enabled using

 * As recommended by recent standards documents, the PowerDNS recursor is
   now authoritative for RFC-1918 private IP space zones by default
   (suggested by Paul Vixie).

 * Full outgoing IPv6 support (off by default) with IPv6 servers getting
   equal treatment with IPv4, nameserver addresses are chosen based on
   average response speed, irrespective of protocol.

 * Initial Windows support, including running as a service ('NET START
   "POWERDNS RECURSOR"'). rec_channel is still missing, the rest should
   work. Performance appears to be below that of the UNIX versions, this
   situation is expected to improve.

Bug fixes:

 * No longer send out SRV and MX record priorities as zero on big-endian
   platforms (UltraSPARC). Discovered by Eric Sproul, fixed in commit

 * SRV records need additional processing, especially in an Active
   Directory setting. Reported by Kenneth Marshall, fixed in commit 774.

 * The root-records were not being refreshed, which could lead to
   problems under inconceivable conditions. Fixed in commit 780.

 * Fix resolving domain names for nameservers with multiple IP addresses,
   with one of these addresses being lame. Other nameserver
   implementations were also unable to resolve these domains, so not a
   big bug. Fixed in commit 780.

 * For a period of 5 minutes after expiring a negative cache entry, the
   domain would not be re-cached negatively, leading to a lot of
   duplicate outgoing queries for this short period. This fix has raised
   the average cache hit rate of the recursor by a few percent. Fixed in
   commit 783.

 * Query throttling was not aggressive enough and not all sorts of
   queries were throttled. Implemented in commit 786.

 * Fix possible crash during startup when parsing empty configuration
   lines (commit 807).

 * Fix possible crash when the first query after wiping a cache entry was
   for the just deleted entry. Rare in production servers. Fixed in
   commit 820.

 * Recursor would send out differing TTLs when receiving a misconfigured,
   standards violating, RRSET with different TTLs. Implement fix as
   mandated by RFC 2181, paragraph 5.2. Reported by Stephen Harker
   (commit 819).

 * The top-remotes would list remotes duplicately, once per source port.
   Discovered by Jorn Ekkelenkamp, fixed in commit 827, which is post

 * Default allow-from allowed queries from fe80::/16, corrected to
   fe80::/10. Spotted by Niels Bakker, fixed in commit 829, which is post

 * While PowerDNS blocks failing queries quickly, multiple packets could
   briefly be in flight for the same domain and nameserver. This
   situation is now explicitly detected and queries are chained to
   identical queries already in flight. Fixed in commit 833 and commit
   834, post 3.1-pre1.


 * ANY queries are now implemented as in other nameserver
   implementations, leading to a decrease in outgoing queries. The RFCs
   are not very clear on desired behaviour, what is implemented now saves
   bandwidth and CPU and brings us in line with existing practice.
   Previously ANY queries were not cached by the PowerDNS recursor.
   Implemented in commit 784.

 * rec_control was very sparse in its error reporting, and user
   unfriendly as well. Reported by Erik Bos, fixed in commit 818 and
   commit 820.

 * IPv6 addresses were printed in a non-standard way, fixed in commit

 * TTLs of records are now capped at two weeks, commit 820.

 * allow-from IPv4 netmasks now automatically work for IP4-to-IPv6 mapper
   IPv4 addresses, which appear when running on the wildcard :: IPv6
   address. Lack of feature noted by Marcus 'darix' Rueckert. Fixed in
   commit 826, which is post 3.1-pre1.

 * Errors before daemonizing are now also sent to syslog. Suggested by
   Marcus 'darix' Rueckert. Fixed in commit 825, which is post 3.1-pre1.

 * When launching without any form of configured network connectivity,
   all root-servers would be cached as 'down' for some time. Detect this
   special case and treat it as a resource-constraint, which is not
   accounted against specific nameservers. Spotted by Seth Arnold, fixed
   in commit 835, which is post 3.1-pre1.

 * The recursor now does not allow authoritative servers to keep
   supplying its own NS records into perpetuity, which causes problems
   when a domain is redelegated but the old authorative servers are not
   updated to this effect. Noticed and explained at length by Darren
   Gamble of Shaw Communications, addressed by commit 837, which is post

 * Some operators may want to follow RFC 2181 paragraph 5.2 and 5.4. This
   harms performance and does not solve any real problem, but does make
   PowerDNS more compliant. If you want this, enable auth-can-lower-ttl.
   Implemented in commit 838, which is post 3.1-pre2.

http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

More information about the Pdns-users mailing list