[Pdns-users] PowerDNS Authoritative Server 3.1 has been released

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri May 4 11:35:37 UTC 2012

Hi everybody,

PowerDNS Authoritative Server 3.1 is now available!

3.1 is the best version of the PowerDNS Authoritative Server currently
available, and we recommend upgrading to it. Please read 
http://doc.powerdns.com/from3.0to3.1.html before you do, however!

If you are coming from 2.9.x, please read
http://doc.powerdns.com/upgrades.html#from2.9to3.0 in addition to the 3.0->3.1

Please see http://doc.powerdns.com/changelog.html#changelog-auth-3-1 for full
release notes and all download links.

You can get PowerDNS 3.1 from:


These files also come with GPG signatures (append .sig).

Additionally, Kees Monshouwer has kindly provided native builds for RHEL/CentOS
5 and 6 at http://www.monshouwer.eu/download/3rd_party/pdns-server/

Please see http://doc.powerdns.com/changelog.html#changelog-auth-3-1 for full
release notes and additional download links.

Full list of changes since 3.0:

  * pdnssec now honours the default-soa-name setting. Reported by Kees
    Monshouwer, fixed in commit 2600.

  * The hidden test-algorithms command for pdnssec now has a little brother
    'test-algorithm X'. Code in commit 2596, by Aki Tuomi.

  * PolarSSL upgraded to 1.1.2 due to weak RSA key generation (commit 2586). If
    you created RSA keys with RC1 or RC2 using PolarSSL, please replace them!
    This upgrade introduced a slowdown; speedup patch in commit 2593.

  * It turns out we were using libmysqlclient in a thread-unsafe manner. This
    issue was reported and painstakingly debugged by Marc Haber. Presumably
    fixed in commit 2591.

  * Updated a bunch of internal counters to be threadsafe. Code in commit 2579.

  * NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael
    Braunoeder, patch by Aki Tuomi in commit 2590.

  * pdnssec check-zone now reports MBOXFW and URL records (as those are
    unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch by
    Ruben d'Arco. Closes ticket 446.

  * The odbcbackend was removed. It only runs on Windows and Windows is
    unsupported since 3.0. Removal in commit 2576.

  * We used to send the chunk length and the actual chunk in two separate
    writes (often resulting in two separate TCP packets) during outbound AXFR.
    This confused MSDNS. We now combine those writes. Code in commit 2575.

  * The bindbackend can now run without SQLite3, as previously intended. Fix in
    commit 2574.

  * Some high-concurrency master setups would crash under load. Fixed in commit

  * We imported the TinyDNS backend by Ruben d'Arco. Code mostly in commit
    2559. See Section 15, “TinyDNS Backend”.

  * Overriding C(XX)FLAGS is easier now. Problem pointed out by Jose Arthur
    Benetasso Villanova and others, fix suggested by Sten Spans. Patch in
    commit 2533.

  * TSIG fixes: skip embedded spaces in keys (commit 2536), compute signatures
    correctly (by Ruben d'Arco in commit 2547),

  * nproxy, dnsscan and dnsdemog did not compile at all. Fixes in commit 2538,
    commit 2554.

  * We now allow unescaped tabs in TXT records. Fix in commit 2539.

  * SOA records no longer disappear during incoming transfers. Fix by Ruben
    d'Arco in commit 2540.

  * PowerDNS compiles on OS X (and other platforms that support our auth server
    but not the recursor) again, fix in commit 2566.

  * Cleanups related to warnings from gcc and valgrind in commit 2561, commit
    2562, commit 2565.

  * Solaris compatibility fixes by Ruben d'Arco, Juraj Lutter and others in
    commit 2548, commit 2552, commit 2553, commit 2560. Fixes for *BSD in
    commit 2546.

  * pdns_control help would report 'version' twice, reported by Gerwin, fix in
    commit 2549.

DNSSEC related fixes:

  * When slaving zones, PowerDNS now automatically detects that a zone is
    presigned. Code in commit 2502, closing ticket 369, ticket 392.

  * The bindbackend can now manage its own SQLite3 database to store key data,
    removing the need to run it with a gsql backend. Code in commit 2448,
    commit 2449, commit 2450, commit 2451, commit 2452, commit 2453, commit
    2455, commit 2482, commit 2496, commit 2499.

  * NSEC/NSEC3 logic for picking 'boundary' names was tricky, and got it wrong
    in some cases. Fixes in commit 2289, commit 2429, commit 2435 and commit

  * The subtle differences between 'what records get NSEC', 'what records get
    NSEC3' and 'what records should get signed' did not translate well to the
    SQL auth column. We now use 'ordername IS NULL' to map the whole spectrum.
    Code in commit 2477, commit 2480, commit 2492.

  * Pre-signed AXFR output, although correct, was different from our query
    responses. Rectified in commit 2477.

  * Spotted & fixed by Jimmy Bergman of Atomia, CNAMEs and RRSIGs could have
    bad interactions. Fix in commit 2314, further refined in commit 2318.
    Closes ticket 411.

  * Spotted & fixed by Jimmy Bergman of Atomia, we now allow direct RRSIG
    queries even when do=0.

  * Spotted by Mark Scholten and Marco Davids, we would sometimes generate
    duplicate (and wrong) RRSIGs when signing an ANY answer because of record
    jumbling. Fix in commit 2381.

  * Several fixes to handling of DS queries, in commit 2420, commit 2510,
    commit 2512.

  * We now lowercase the signer name in an RRSIG. This is not mandated by
    DNSSEC specification but it improves compatibility with some validators.
    Fix in commit 2426.

Bug fixes:

  * Winfried Angele discovered we would open an additional backend connection
    per zone in the BIND backend. This only impacted users with multiple
    simultaneous backends. Fix in commit 2253, closing ticket 383.

  * All versions of max-cache-entries setting had confusing behaviour when set
    to 0. Now clarified to mean that 0 truly means 0, and not 'infinite'.
    Change in commit 2328.

  * Wildcards in the presence of delegations were broken. Reported by a cast of
    thousands. Fix & regression test in commit 2368. Closes ticket 389.

  * Internal caches used an order of magnitude more memory than expected and
    some were not purged properly, which hindered real life deployments.
    Spotted by Winfried Angele and others. Fixed in commit 2287 and commit 2328

  * Christof Meerwald discovered our .tar file missed a file of the Lua
    backend. Change in commit 2257.

  * Paul Xek found out that the edns-subnet support did not work for subnets
    tinier than a /25 or /121. Fix in commit 2258.

  * edns-subnet aware PIPE scripts received bogus remote information on AXFR
    requests. Fixed in commit 2284.

  * Fix compilation against older versions of MySQL that do not have
    MYSQL_OPT_RECONNECT. commit 2264, closing ticket 378.

  * D. Stussy of Snarked.net discovered that PowerDNS could not parse a DNS
    packet with a trailing blob of unknown length. Fixed in commit 2267.

  * 'pdnssec' did not work for records with NULL ttls. Fixed in commit 2266,
    closing ticket 432.

  * Pipe backend had issues parsing IPv6 records in ABI version 3. Fixed in
    commit 2260.

  * We truncated the altitude in LOC records! I hope no one got lost. Fix in
    commit 2268.

  * Xander Soldaat discovered that even if the web server was not configured,
    we'd still listen on the port. Fix in commit 2269, closes ticket 402.

  * The PIPE backend issues frequent fork()s, leading to potential fd leaks if
    these are not marked as 'close on exec'. Solved in commit 2273, closing
    ticket 194.

  * Robert van der Meulen found that we messed up the interaction between
    wildcards and CNAMEs. Fixed in commit 2276, which also adds a regression
    test to prevent this issue from recurring.

  * Fred Wittekind discovered that our notification proxy 'nproxy' no longer
    built from source. Fixed in commit 2278.

  * Grant Keller found that we were inconsistent with spaces in labels, thus
    breaking DNS-SD. Fix in commit 2305.

  * Winfried Angele fixed our autoconf script for Lua detection in commit 2308.

  * BIND backend would leak an fd when including a configuration file from
    named.conf. Spotted by Hannu Ylitalo of Nebula Oy in commit 2359.

  * GSQLite3 backend could crash on a network error at the wrong moment,
    leading to a restart by the guardian. Fix in commit 2336.

  * './configure --enable-verbose-logging' was broken, fixed in commit 2312.

  * PowerDNS would serve up old SOA data immediately after sending out a
    notification. Complicated bug documented perfectly in ticket 427, which
    also came with not one but with two different patches to fix the problem.
    Thanks to Keith Buck. Code in commit 2408.

  * Flag '--start-id' in zone2sql was not functional. Removed for now in commit
    2387, closing ticket 332.

  * Our distribution tarball did not have the SQL schemas. Fixed in commit 2459
    and commit 2460.

  * "Empty" MX records would confuse one of our parsers. Fixed in commit 2468,
    closing Debian bug 533023.

  * The pdns.conf 'wildcards'-setting did not do anything in 3.0, so it was
    removed. Change in commit 2508, commit 2509.

  * Additional processing based on records loaded by the BIND backend might
    fail because of a trailing dot mismatch. Fix in commit 2398.

New features:

  * Per-zone AXFR ACLs, based on the allow-axfr-ips zone metadata item. Code in
    commit 2274. Also, remove some remains of our previous approach to
    supporting this in commit 2326.

  * Alberto Donato and Zsolt Dollenstein implemented autoserial support for the
    Generic SQL backends. Code in commit 2290, commit 2294, commit 2296, commit
    2299, commit 2300, commit 2303. Closes ticket 52, ticket 299, ticket 301,
    ticket 336.

  * New SOA Serial Tweak mode INCEPTION-EPOCH for when operating as a 'signing
    slave', contributed by Jimmy Bergman. Code and documentation in commit 2320

  * Newlines in the 'content' field of backends are now allowed, restoring some
    DKIM setups to working condition. Update in commit 2394, closing ticket 395


  * Depending on the encoding used, MySQL could take issue with our 'tsigkeys'
    table which contained very large rows. Trimmed in commit 2400, closing
    ticket 410.

  * Various build/configure-related fixes in commit 2319, commit 2373, commit
    2386, closing ticket 380, ticket 405, ticket 420.

  * We now show the SOA serial after zone transfers. Code in commit 2385,
    closing ticket 416.

  * Ruben d'Arco submitted a full rework of our slave-side AXFR TSIG handling,
    closing ticket 393 and ticket 400 in the process. Code in commit 2506.
    Additional improvement in commit 2513.

  * The records.name-column in the gpgsql schema is now constrained to
    lowercase, as PowerDNS would be unable to find other entries anyway. Fix in
    commit 2503, closing ticket 426.

  * The gsql-backends can now handle huge records, thanks to a patch by Ruben
    d'Arco. Code in commit 2476, closing ticket 407. Additional changes in
    commit 2292, commit 2487, commit 2489. Closes ticket 218, ticket 316.

  * Some of PowerDNS' internal classes would work with uninitialized data when
    repurposed outside of the PowerDNS core logic. Fix in commit 2469,

  * pdnssec now has 'check-all-zones' and 'rectify-all-zones' commands.
    Submitted by Ruben d'Arco, code in commit 2467.

  * 'restart' in our init.d-script would not start pdns if it was down before.
    Fixed in commit 2462.

  * 'pdnssec rectify-zone' now honours --verbose and is rather quiet without
    it. Code in commit 2443.

  * Improved error messages for systems without IPv6. Changes in commit 2425.

  * The packet- and querycache now honour TTLs from backend data. Code in
    commit 2414.

  * 'pdns_control help' now shows useful usage information. Code in commit 2410
    and commit 2465.

  * Jasper Spaans improved our init.d script for compliance with Debian
    Squeeze. Patch in commit 2251. Further improvement with 'set -e' to
    initscript contributed by Marc Haber in commit 2301.

  * Klaus Darilion discovered our configuration file template and --help output
    explained the various cache TTLs wrongly, and he also added documentation
    for some missing parameters. commit 2271 and commit 2272.

  * Add support for building against Botan 1.10 (stable) and drop support for
    1.9 (development). Changes in commit 2334. This fixes several bugs when
    building against 1.9.

  * Upgrade internal PolarSSL library to their version 1.1.1. Change in commit
    2389 and beyond.

  * Compilation of several backends failed for Boost in non-standard locations.
    Fixes in commit 2316.

  * We now do additional processing for SRV records too. Code in commit 2388,
    closing ticket 423 (which also contained the patch). Regression test
    updates that flow from this in commit 2390.

  * Fix compilation on OSX. commit 2316.

  * Fix pdnssec crash when asked to do DNSSEC without a DNSSEC capable backend.
    Code in commit 2369.

  * If PowerDNS was not configured to operate as a DNS master, it would still
    accept 'pdns_control notify' commands, but then not do it. Spotted by David
    Gavarret, patch by Jose Arthur Benetasso Villanova in commit 2379.

  * In various places we would only accept UPPERCASE DNS typenames. Fixed in
    commit 2370, closing ticket 390.

  * We would not always drop supplemental groups correctly. Reported by David
    Black of Atlassian.

  * Our regression tests have been strengthened a lot, and now cover way more
    features. Commits in 2280, 2281, 2282, 2317, 2348, 2349, 2350, 2351 and

  * Update to support the latest draft of DANE/TLSA. Spotted by James Cloos
    (commit 2338). Further improvements by Pieter Lexis in commit 2347, commit

  * Compilation on OpenBSD was eased by patches from Brad Smith, which can be
    found in commit 2288 and commit 2291, closing ticket 95.

  * 'make check' failed on the internal PolarSSL. Spotted by Daniel Briley, fix
    in commit 2283.

  * The default SQL schemas were expanded to contain far longer content fields.
    commit 2292, commit 2293.

  * Documentation typos, Jake Spencer (commit 2304), Jose Arthur Benetasso
    Villanova (commit 2337). Code typos in commit 2324 (closes ticket 296).

  * Manpage updates from Debian, provided by Matthijs Möhlmann. Content in
    commit 2306.

  * pdnssec rectify-zone can now accept multiple zones at the same time. Code
    in commit 2383.

  * As suggested in ticket 416, we now log the SOA serial number after
    committing an AXFRed zone to the backend. Code in commit 2385.

  * Pick up location of sqlite3 libraries using pkg-config. Implemented using a
    variation of the patch found in the, now closed, ticket 380. Code in commit

  * Documented 'pdnssec --verbose' flag is now accepted. Code in commit 2384,
    closing ticket 404.

  * 'pdnssec --help' now lists all supported signing algorithms. Suggested by
    Jose Arthur Benetasso Villanova.

  * PIPE backend example script with edns-subnet support was improved to
    actually use edns-subnet field. Plus update PIPE backend documentation.
    Code in commit 2285, more documentation regarding MX and SRV in commit 2313

  * edns-subnet fields now also output in logfile when available (commit 2321).

  * When running with virtualized configuration files, we now allow dashes in
    the configuration name. Suggested by Marc Haber, code in commit 2295.
    Further fixes by Brielle Bruns in commit 2327.

  * Compilation fixes for GNU/Hurd in commit 2307 via Matthijs Möhlmann.

  * Marc Haber improved our Debian packaging scripts for smoother upgrades.
    Code in commit 2315.

  * When failing to bind to an IP address, report to which one it failed.
    commit 2325.

  * Supermaster checks were performed synchronously, leading to the
    possibilities of slowdowns. Fixed in commit 2402.

Other changes:

  * Removed the deprecated non-generic mysqlbackend, in commit 2488, commit
    2514, commit 2515.

  * Removed the deprecated 'pdnsbackend', in commit 2490, commit 2516.

  * Removed GRANT statements from the gpgsql schema, as we can't assume they
    will work for everyone. Change in commit 2493.

Tickets closed but not associated with a commit:

  * ticket 125: "PowerDNS offers wild card info. when it is not queried for."

  * ticket 219: "Accept NOTIFY from masters on non-standard port"

  * ticket 247: "pdns caching weirdness with recursion-desired flag"

  * ticket 253: "bind backend crashes on long comment line in included file"

  * ticket 271: "PowerDNS Server responding with out-of-zone authority section
    in case there is a cname"

  * ticket 304: "also-notify option for pdns, also gives also-notify for

  * ticket 311: "PowerDNSSEC responding with SERVFAIL upon IN A query for a

  * ticket 325: "CNAME working strange!"

  * ticket 376: "Unable to create long TXT records"

  * ticket 412: "--without-lua doesn't disable lua"

  * ticket 415: "Signing thread died during AXFR of signed domain"

  * ticket 422: "ecdsa256 keys bug"

Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV
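
Added illustration, not part of the original announcement and not PowerDNS code: the PIPE backend item above mentions descriptors leaking across fork() when they are not marked 'close on exec'. This C sketch opens /dev/null as a stand-in for a backend connection and asks a spawned /bin/sh (an assumption about the host) whether it inherited the descriptor; the function name is hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a descriptor, optionally mark it FD_CLOEXEC, then fork()+exec() a
 * helper as a coprocess-style backend would. Returns 1 if the helper can
 * still use the descriptor (leak), 0 if it cannot, -1 on error.
 * On modern systems open(..., O_CLOEXEC) sets the flag atomically, which
 * avoids a race with fork() in another thread. */
int fd_leaks_to_child(int cloexec)
{
    char cmd[64];
    int status, flags;
    pid_t pid;
    int fd = open("/dev/null", O_RDONLY);

    if (fd < 0)
        return -1;
    if (fd > 9) {               /* keep to one digit for portable sh syntax */
        close(fd);
        return -1;
    }
    if (cloexec) {
        flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }
    /* ": <&N" succeeds only if descriptor N survived the exec. */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", fd);

    pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);             /* exec itself failed */
    }
    close(fd);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}
```

Without the flag the helper process holds a copy of every descriptor the server had open at fork time, so long-running helpers keep sockets and database connections alive after the parent closes them.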
