[Pdns-users] PowerDNS Authoritative Server 3.1 Release Candidate 1 available
Peter van Dijk
peter.van.dijk at netherlabs.nl
Fri Mar 23 12:29:32 UTC 2012
Release Candidate 1 of the PowerDNS Authoritative Server 3.1 is available from:
You are cordially invited to (carefully) test this Release Candidate for
Full release notes, with clickable links, are available from:
Here is a text-only version:
Version 3.1 of the PowerDNS Authoritative Server represents the 'coming of
age' of our DNSSEC implementation. In addition, 3.1 solves a lot of '.0'
issues typically associated with a major new release.
As usual, we are very grateful for the involvement of the PowerDNS
community. The uptake of 3.0 was rapid, and many users were very helpful
in shaking out the bugs, and willing to test the fixes we provided or, in
many cases, provided the fixes themselves.
Version 3.1 of the PowerDNS Authoritative Server contains a number of major fixes
in the DNSSEC department, and a few new features.
Of specific note is the giant PowerDNS DNSSEC deployment in Sweden by Atomia
and Binero. PowerDNS 3.0 now powers over 150000 DNSSEC domains in Sweden,
around 95% of all DNSSEC domains, in a country where most internet service
providers actually validate all .SE domains.
Finally, this release has benefited a lot from Peter van Dijk joining us, as he
has merged a tremendous amount of patches, cleaned up years of accumulated dust
in the code, and massively improved our regression testing into a full blown
continuous integration setup with full DNSSEC tests!
Please find the full release notes below.
DNSSEC related fixes:
* When slaving zones, PowerDNS now automatically detects that a zone is
presigned. Code in commit 2502, closing ticket 369, ticket 392.
* The bindbackend can now manage its own SQLite3 database to store key data,
removing the need to run it with a gsql backend. Code in commit 2448,
commit 2449, commit 2450, commit 2451, commit 2452, commit 2453, commit
2455, commit 2482, commit 2496, commit 2499.
* NSEC/NSEC3 logic for picking 'boundary' names was tricky, and got it wrong
in some cases. Fixes in commit 2289, commit 2429, commit 2435 and commit
* The subtle differences between 'what records get NSEC', 'what records get
NSEC3' and 'what records should get signed' did not translate well to the
SQL auth column. We now use 'ordername IS NULL' to map the whole spectrum.
Code in commit 2477, commit 2480, commit 2492.
* Pre-signed AXFR output, although correct, was different from our query
responses. Rectified in commit 2477.
* Spotted & fixed by Jimmy Bergman of Atomia, CNAMEs and RRSIGs could have
bad interactions. Fix in commit 2314, further refined in commit 2318.
Closes ticket 411.
* Spotted & fixed by Jimmy Bergman of Atomia, we now allow direct RRSIG
queries even when do=0.
* Spotted by Mark Scholten and Marco Davids, we would sometimes generate
duplicate (and wrong) RRSIGs when signing an ANY answer because of record
jumbling. Fix in commit 2381.
* Several fixes to handling of DS queries, in commit 2420, commit 2510,
* We now lowercase the signer name in an RRSIG. This is not mandated by
DNSSEC specification but it improves compatibility with some validators.
Fix in commit 2426.
* Winfried Angele discovered we would open an additional backend connection
per zone in the BIND backend. This only impacted users with multiple
simultaneous backends. Fix in commit 2253, closing ticket 383.
* All versions of max-cache-entries setting had confusing behaviour when set
to 0. Now clarified to mean that 0 truly means 0, and not 'infinite'.
Change in commit 2328.
* Wildcards in the presence of delegations were broken. Reported by a cast of
thousands. Fix & regression test in commit 2368. Closes ticket 389.
* Internal caches used an order of magnitude more memory than expected and
some were not purged properly, which hindered real life deployments.
Spotted by Winfried Angele and others. Fixed in commit 2287 and commit 2328
* Christof Meerwald discovered our .tar file missed a file of the Lua
backend. Change in commit 2257.
* Paul Xek found out that the edns-subnet support did not work for subnets
tinier than a /25 or /121. Fix in commit 2258.
* edns-subnet aware PIPE scripts received bogus remote information on AXFR
requests. Fixed in commit 2284.
* Fix compilation against older versions of MySQL that do not have
MYSQL_OPT_RECONNECT. commit 2264, closing ticket 378.
* D. Stussy of Snarked.net discovered that PowerDNS could not parse a DNS
packet with a trailing blob of unknown length. Fixed in commit 2267.
* 'pdnssec' did not work for records with NULL ttls. Fixed in commit 2266,
closing ticket 432.
* Pipe backend had issues parsing IPv6 records in ABI version 3. Fixed in
* We truncated the altitude in LOC records! I hope no one got lost. Fix in
* Xander Soldaat discovered that even if the web server was not configured,
we'd still listen on the port. Fix in commit 2269, closes ticket 402.
* The PIPE backend issues frequent fork()s, leading to potential fd leaks if
these are not marked as 'close on exec'. Solved in commit 2273, closing
* Robert van der Meulen found that we messed up the interaction between
wildcards and CNAMES. Fixed in commit 2276, which also adds a regression
test to prevent this issue from recurring.
* Fred Wittekind discovered that our notification proxy 'nproxy' no longer
built from source. Fixed in commit 2278.
* Grant Keller found that we were inconsistent with spaces in labels, thus
breaking DNS-SD. Fix in commit 2305.
* Winfried Angele fixed our autoconf script for Lua detection in commit 2308.
* BIND backend would leak an fd when including a configuration file from
named.conf. Spotted by Hannu Ylitalo of Nebula Oy in commit 2359.
* GSQLite3 backend could crash on a network error at the wrong moment,
leading to a restart by the guardian. Fix in commit 2336.
* './configure --enable-verbose-logging' was broken, fixed in commit 2312.
* PowerDNS would serve up old SOA data immediately after sending out a
notification. Complicated bug documented perfectly in ticket 427, which
also came with not one but with two different patches to fix the problem.
Thanks to Keith Buck. Code in commit 2408.
* Flag '--start-id' in zone2sql was not functional. Removed for now in commit
2387, closing ticket 332.
* Our distribution tarball did not have the SQL schemas. Fixed in commit 2459
and commit 2460.
* "Empty" MX records would confuse one of our parsers. Fixed in commit 2468,
closing Debian bug 533023.
* The pdns.conf 'wildcards'-setting did not do anything in 3.0, so it was
removed. Change in commit 2508, commit 2509.
* Additional processing based on records loaded by the BIND backend might
fail because of a trailing dot mismatch. Fix in commit 2398.
* Per-zone AXFR ACLs, based on the allow-axfr-ips zone metadata item. Code in
commit 2274. Also, remove some remains of our previous approach to
supporting this in commit 2326.
* Alberto Donato and Zsolt Dollenstein implemented autoserial support for the
Generic SQL backends. Code in commit 2290, commit 2294, commit 2296, commit
2299, commit 2300, commit 2303. Closes ticket 52, ticket 299, ticket 301,
* New SOA Serial Tweak mode INCEPTION-EPOCH for when operating as a 'signing
slave', contributed by Jimmy Bergman. Code and documentation in commit 2320
* Newlines in the 'content' field of backends are now allowed, restoring some
DKIM setups to working condition. Update in commit 2394, closing ticket 395
* Depending on the encoding used, MySQL could take issue with our 'tsigkeys'
table which contained very large rows. Trimmed in commit 2400, closing
* Various build/configure-related fixes in commit 2319, commit 2373, commit
2386, closing ticket 380, ticket 405, ticket 420.
* We now show the SOA serial after zone transfers. Code in commit 2385,
closing ticket 416.
* Ruben d'Arco submitted a full rework of our slave-side AXFR TSIG handling,
closing ticket 393 and ticket 400 in the process. Code in commit 2506.
Additional improvement in commit 2513.
* The records.name-column in the gpgsql schema is now constrained to
lowercase, as PowerDNS would be unable to find other entries anyway. Fix in
commit 2503, closing ticket 426.
* The gsql-backends can now handle huge records, thanks to a patch by Ruben
d'Arco. Code in commit 2476, closing ticket 407. Additional changes in
commit 2292, commit 2487, commit 2489. Closes ticket 218, ticket 316.
* Some of PowerDNS' internal classes would work with uninitialized data when
repurposed outside of the PowerDNS core logic. Fix in commit 2469,
* pdnssec now has 'check-all-zones' and 'rectify-all-zones' commands.
Submitted by Ruben d'Arco, code in commit 2467.
* 'restart' in our init.d-script would not start pdns if it was down before.
Fixed in commit 2462.
* 'pdnssec rectify-zone' now honours --verbose and is rather quiet without
it. Code in commit 2443.
* Improved error messages for systems without IPv6. Changes in commit 2425.
* The packet- and querycache now honour TTLs from backend data. Code in
* 'pdns_control help' now shows useful usage information. Code in commit 2410
and commit 2465.
* Jasper Spaans improved our init.d script for compliance with Debian
Squeeze. Patch in commit 2251. Further improvement with 'set -e' to
initscript contributed by Marc Haber in commit 2301.
* Klaus Darilion discovered our configuration file template and --help output
explained the various cache TTLs wrongly, and he also added documentation
for some missing parameters. commit 2271 and commit 2272.
* Add support for building against Botan 1.10 (stable) and drop support for
1.9 (development). Changes in commit 2334. This fixes several bugs when
building against 1.9.
* Upgrade internal PolarSSL library to their version 1.1.1. Change in commit
2389 and beyond.
* Compilation of several backends failed for Boost in non-standard locations.
Fixes in commit 2316.
* We now do additional processing for SRV records too. Code in commit 2388,
closing ticket 423 (which also contained the patch). Regression test
updates that flow from this in commit 2390.
* Fix compilation on OSX. commit 2316.
* Fix pdnssec crash when asked to do DNSSEC without a DNSSEC capable backend.
Code in commit 2369.
* If PowerDNS was not configured to operate as a DNS master, it would still
accept 'pdns_control notify' commands, but then not do it. Spotted by David
Gavarret, patch by Jose Arthur Benetasso Villanova in commit 2379.
* In various places we would only accept UPPERCASE DNS typenames. Fixed in
commit 2370, closing ticket 390.
* We would not always drop supplemental groups correctly. Reported by David
* Our regression tests have been strengthened a lot, and now cover way more
features. Commits in 2280, 2281, 2282, 2317, 2348, 2349, 2350, 2351 and
* Update to support the latest draft of DANE/TLSA. Spotted by James Cloos
(commit 2338). Further improvements by Pieter Lexis in commit 2347, commit
* Compilation on OpenBSD was eased by patches from Brad Smith, which can be
found in commit 2288 and commit 2291, closing ticket 95.
* 'make check' failed on the internal PolarSSL. Spotted by Daniel Briley, fix
in commit 2283.
* The default SQL schemas were expanded to contain far longer content fields.
commit 2292, commit 2293.
* Documentation typos, Jake Spencer (commit 2304), Jose Arthur Benetasso
Villanova (commit 2337). Code typos in commit 2324 (closes ticket 296).
* Manpage updates from Debian, provided by Matthijs Möhlmann. Content in
* pdnssec rectify-zone can now accept multiple zones at the same time. Code
in commit 2383.
* As suggested in ticket 416, we now log the SOA serial number after
committing an AXFRed zone to the backend. Code in commit 2385.
* Pick up location of sqlite3 libraries using pkg-config. Implemented using a
variation of the patch found in the, now closed, ticket 380. Code in commit
* Documented 'pdnssec --verbose' flag is now accepted. Code in commit 2384,
closing ticket 404.
* 'pdnssec --help' now lists all supported signing algorithms. Suggested by
Jose Arthur Benetasso Villanova.
* PIPE backend example script with edns-subnet support was improved to
actually use edns-subnet field. Plus update PIPE backend documentation.
Code in commit 2285, more documentation regarding MX and SRV in commit 2313
* edns-subnet fields now also output in logfile when available (commit 2321).
* When running with virtualized configuration files, we now allow dashes in
the configuration name. Suggested by Marc Haber, code in commit 2295.
Further fixes by Brielle Bruns in commit 2327.
* Compilation fixes for GNU/Hurd in commit 2307 via Matthijs Möhlmann.
* Marc Haber improved our Debian packaging scripts for smoother upgrades.
Code in commit 2315.
* When failing to bind to an IP address, report to which one it failed.
* Supermaster checks were performed synchronously, leading to the
possibilities of slowdowns. Fixed in commit 2402.
* Removed the deprecated non-generic mysqlbackend, in commit 2488, commit
2514, commit 2515.
* Removed the deprecated 'pdnsbackend', in commit 2490, commit 2516.
* Removed GRANT statements from the gpgsql schema, as we can't assume they
will work for everyone. Change in commit 2493.
Tickets closed but not associated with a commit:
* ticket 125: "PowerDNS offers wild card info. when it is not queried for."
* ticket 219: "Accept NOTIFY from masters on non-standard port"
* ticket 247: "pdns caching weirdness with recursion-desired flag"
* ticket 253: "bind backend crashes on long comment line in included file"
* ticket 271: "PowerDNS Server responding with out-of-zone authority section
in case there is a cname"
* ticket 304: "also-notify option for pdns, also gives also-notify for
* ticket 311: "PowerDNSSEC responding with SERVFAIL upon IN A query for a
* ticket 325: "CNAME working strange!"
* ticket 376: "Unable to create long TXT records"
* ticket 412: "--without-lua doesn't disable lua"
* ticket 415: "Signing thread died during AXFR of signed domain"
* ticket 422: "ecdsa256 keys bug"