[Pdns-users] PowerDNS Authoritative Server 3.1 has been released
Peter van Dijk
peter.van.dijk at netherlabs.nl
Fri May 4 11:35:37 UTC 2012
PowerDNS Authoritative Server 3.1 is now available!
3.1 is the best version of the PowerDNS Authoritative Server currently
available, and we recommend upgrading to it. Please read
http://doc.powerdns.com/from3.0to3.1.html before you do, however!
If you are coming from 2.9.x, please read
http://doc.powerdns.com/upgrades.html#from2.9to3.0 in addition to the 3.0->3.1
Please see http://doc.powerdns.com/changelog.html#changelog-auth-3-1 for full
release notes and all download links.
You can get PowerDNS 3.1 from:
These files also come with GPG signatures (append .sig).
Additionally, Kees Monshouwer has kindly provided native builds for RHEL/CentOS
5 and 6 at http://www.monshouwer.eu/download/3rd_party/pdns-server/
Please see http://doc.powerdns.com/changelog.html#changelog-auth-3-1 for full
release notes and additional download links.
Full list of changes since 3.0:
* pdnssec now honours the default-soa-name setting. Reported by Kees
Monshouwer, fixed in commit 2600.
* The hidden test-algorithms command for pdnssec now has a little brother
'test-algorithm X'. Code in commit 2596, by Aki Tuomi.
* PolarSSL upgraded to 1.1.2 due to weak RSA key generation (commit 2586). If
you created RSA keys with RC1 or RC2 using PolarSSL, please replace them!
This upgrade introduced a slowdown; speedup patch in commit 2593.
* It turns out we were using libmysqlclient in a thread-unsafe manner. This
issue was reported and painstakingly debugged by Marc Haber. Presumably
fixed in commit 2591.
* Updated a bunch of internal counters to be threadsafe. Code in commit 2579.
* NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael
Braunoeder, patch by Aki Tuomi in commit 2590.
* pdnssec check-zone now reports MBOXFW and URL records (as those are
unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch by
Ruben d'Arco. Closes ticket 446.
* The odbcbackend was removed. It only runs on Windows and Windows is
unsupported since 3.0. Removal in commit 2576.
* We used to send the chunk length and the actual chunk in two separate
writes (often resulting in two separate TCP packets) during outbound AXFR.
This confused MSDNS. We now combine those writes. Code in commit 2575.
* The bindbackend can now run without SQLite3, as previously intended. Fix in
* Some high-concurrency master setups would crash under load. Fixed in commit
* We imported the TinyDNS backend by Ruben d'Arco. Code mostly in commit 2559.
See Section 15, "TinyDNS Backend".
* Overriding C(XX)FLAGS is easier now. Problem pointed out by Jose Arthur
Benetasso Villanova and others, fix suggested by Sten Spans. Patch in
* TSIG fixes: skip embedded spaces in keys (commit 2536), compute signatures
correctly (by Ruben d'Arco in commit 2547),
* nproxy, dnsscan and dnsdemog did not compile at all. Fixes in commit 2538,
* We now allow unescaped tabs in TXT records. Fix in commit 2539.
* SOA records no longer disappear during incoming transfers. Fix by Ruben
d'Arco in commit 2540.
* PowerDNS compiles on OS X (and other platforms that support our auth server
but not the recursor) again, fix in commit 2566.
* Cleanups related to warnings from gcc and valgrind in commit 2561, commit
2562, commit 2565.
* Solaris compatibility fixes by Ruben d'Arco, Juraj Lutter and others in
commit 2548, commit 2552, commit 2553, commit 2560. Fixes for *BSD in
* pdns_control help would report 'version' twice, reported by Gerwin, fix in
DNSSEC related fixes:
* When slaving zones, PowerDNS now automatically detects that a zone is
presigned. Code in commit 2502, closing ticket 369, ticket 392.
* The bindbackend can now manage its own SQLite3 database to store key data,
removing the need to run it with a gsql backend. Code in commit 2448,
commit 2449, commit 2450, commit 2451, commit 2452, commit 2453, commit
2455, commit 2482, commit 2496, commit 2499.
* NSEC/NSEC3 logic for picking 'boundary' names was tricky, and got it wrong
in some cases. Fixes in commit 2289, commit 2429, commit 2435 and commit
* The subtle differences between 'what records get NSEC', 'what records get
NSEC3' and 'what records should get signed' did not translate well to the
SQL auth column. We now use 'ordername IS NULL' to map the whole spectrum.
Code in commit 2477, commit 2480, commit 2492.
* Pre-signed AXFR output, although correct, was different from our query
responses. Rectified in commit 2477.
* Spotted & fixed by Jimmy Bergman of Atomia, CNAMEs and RRSIGs could have
bad interactions. Fix in commit 2314, further refined in commit 2318.
Closes ticket 411.
* Spotted & fixed by Jimmy Bergman of Atomia, we now allow direct RRSIG
queries even when do=0.
* Spotted by Mark Scholten and Marco Davids, we would sometimes generate
duplicate (and wrong) RRSIGs when signing an ANY answer because of record
jumbling. Fix in commit 2381.
* Several fixes to handling of DS queries, in commit 2420, commit 2510,
* We now lowercase the signer name in an RRSIG. This is not mandated by
DNSSEC specification but it improves compatibility with some validators.
Fix in commit 2426.
* Winfried Angele discovered we would open an additional backend connection
per zone in the BIND backend. This only impacted users with multiple
simultaneous backends. Fix in commit 2253, closing ticket 383.
* All versions of max-cache-entries setting had confusing behaviour when set
to 0. Now clarified to mean that 0 truly means 0, and not 'infinite'.
Change in commit 2328.
* Wildcards in the presence of delegations were broken. Reported by a cast of
thousands. Fix & regression test in commit 2368. Closes ticket 389.
* Internal caches used an order of magnitude more memory than expected and
some were not purged properly, which hindered real life deployments.
Spotted by Winfried Angele and others. Fixed in commit 2287 and commit 2328
* Christof Meerwald discovered our .tar file missed a file of the Lua
backend. Change in commit 2257.
* Paul Xek found out that the edns-subnet support did not work for subnets
tinier than a /25 or /121. Fix in commit 2258.
* edns-subnet aware PIPE scripts received bogus remote information on AXFR
requests. Fixed in commit 2284.
* Fix compilation against older versions of MySQL that do not have
MYSQL_OPT_RECONNECT. commit 2264, closing ticket 378.
* D. Stussy of Snarked.net discovered that PowerDNS could not parse a DNS
packet with a trailing blob of unknown length. Fixed in commit 2267.
* 'pdnssec' did not work for records with NULL ttls. Fixed in commit 2266,
closing ticket 432.
* Pipe backend had issues parsing IPv6 records in ABI version 3. Fixed in
* We truncated the altitude in LOC records! I hope no one got lost. Fix in
* Xander Soldaat discovered that even if the web server was not configured,
we'd still listen on the port. Fix in commit 2269, closes ticket 402.
* The PIPE backend issues frequent fork()s, leading to potential fd leaks if
these are not marked as 'close on exec'. Solved in commit 2273, closing
* Robert van der Meulen found that we messed up the interaction between
wildcards and CNAMEs. Fixed in commit 2276, which also adds a regression
test to prevent this issue from recurring.
* Fred Wittekind discovered that our notification proxy 'nproxy' no longer
built from source. Fixed in commit 2278.
* Grant Keller found that we were inconsistent with spaces in labels, thus
breaking DNS-SD. Fix in commit 2305.
* Winfried Angele fixed our autoconf script for Lua detection in commit 2308.
* BIND backend would leak an fd when including a configuration file from
named.conf. Spotted by Hannu Ylitalo of Nebula Oy in commit 2359.
* GSQLite3 backend could crash on a network error at the wrong moment,
leading to a restart by the guardian. Fix in commit 2336.
* './configure --enable-verbose-logging' was broken, fixed in commit 2312.
* PowerDNS would serve up old SOA data immediately after sending out a
notification. Complicated bug documented perfectly in ticket 427, which
also came with not one but with two different patches to fix the problem.
Thanks to Keith Buck. Code in commit 2408.
* Flag '--start-id' in zone2sql was not functional. Removed for now in commit
2387, closing ticket 332.
* Our distribution tarball did not have the SQL schemas. Fixed in commit 2459
and commit 2460.
* "Empty" MX records would confuse one of our parsers. Fixed in commit 2468,
closing Debian bug 533023.
* The pdns.conf 'wildcards'-setting did not do anything in 3.0, so it was
removed. Change in commit 2508, commit 2509.
* Additional processing based on records loaded by the BIND backend might
fail because of a trailing dot mismatch. Fix in commit 2398.
* Per-zone AXFR ACLs, based on the allow-axfr-ips zone metadata item. Code in
commit 2274. Also, remove some remains of our previous approach to
supporting this in commit 2326.
* Alberto Donato and Zsolt Dollenstein implemented autoserial support for the
Generic SQL backends. Code in commit 2290, commit 2294, commit 2296, commit
2299, commit 2300, commit 2303. Closes ticket 52, ticket 299, ticket 301,
* New SOA Serial Tweak mode INCEPTION-EPOCH for when operating as a 'signing
slave', contributed by Jimmy Bergman. Code and documentation in commit 2320
* Newlines in the 'content' field of backends are now allowed, restoring some
DKIM setups to working condition. Update in commit 2394, closing ticket 395
* Depending on the encoding used, MySQL could take issue with our 'tsigkeys'
table which contained very large rows. Trimmed in commit 2400, closing
* Various build/configure-related fixes in commit 2319, commit 2373, commit
2386, closing ticket 380, ticket 405, ticket 420.
* We now show the SOA serial after zone transfers. Code in commit 2385,
closing ticket 416.
* Ruben d'Arco submitted a full rework of our slave-side AXFR TSIG handling,
closing ticket 393 and ticket 400 in the process. Code in commit 2506.
Additional improvement in commit 2513.
* The records.name-column in the gpgsql schema is now constrained to
lowercase, as PowerDNS would be unable to find other entries anyway. Fix in
commit 2503, closing ticket 426.
* The gsql-backends can now handle huge records, thanks to a patch by Ruben
d'Arco. Code in commit 2476, closing ticket 407. Additional changes in
commit 2292, commit 2487, commit 2489. Closes ticket 218, ticket 316.
* Some of PowerDNS' internal classes would work with uninitialized data when
repurposed outside of the PowerDNS core logic. Fix in commit 2469,
* pdnssec now has 'check-all-zones' and 'rectify-all-zones' commands.
Submitted by Ruben d'Arco, code in commit 2467.
* 'restart' in our init.d-script would not start pdns if it was down before.
Fixed in commit 2462.
* 'pdnssec rectify-zone' now honours --verbose and is rather quiet without
it. Code in commit 2443.
* Improved error messages for systems without IPv6. Changes in commit 2425.
* The packet- and querycache now honour TTLs from backend data. Code in
* 'pdns_control help' now shows useful usage information. Code in commit 2410
and commit 2465.
* Jasper Spaans improved our init.d script for compliance with Debian
Squeeze. Patch in commit 2251. Further improvement with 'set -e' to
initscript contributed by Marc Haber in commit 2301.
* Klaus Darilion discovered our configuration file template and --help output
explained the various cache TTLs wrongly, and he also added documentation
for some missing parameters. commit 2271 and commit 2272.
* Add support for building against Botan 1.10 (stable) and drop support for
1.9 (development). Changes in commit 2334. This fixes several bugs when
building against 1.9.
* Upgrade internal PolarSSL library to their version 1.1.1. Change in commit
2389 and beyond.
* Compilation of several backends failed for Boost in non-standard locations.
Fixes in commit 2316.
* We now do additional processing for SRV records too. Code in commit 2388,
closing ticket 423 (which also contained the patch). Regression test
updates that flow from this in commit 2390.
* Fix compilation on OSX. commit 2316.
* Fix pdnssec crash when asked to do DNSSEC without a DNSSEC capable backend.
Code in commit 2369.
* If PowerDNS was not configured to operate as a DNS master, it would still
accept 'pdns_control notify' commands, but then not do it. Spotted by David
Gavarret, patch by Jose Arthur Benetasso Villanova in commit 2379.
* In various places we would only accept UPPERCASE DNS typenames. Fixed in
commit 2370, closing ticket 390.
* We would not always drop supplemental groups correctly. Reported by David
Black of Atlassian.
* Our regression tests have been strengthened a lot, and now cover way more
features. Commits in 2280, 2281, 2282, 2317, 2348, 2349, 2350, 2351 and
* Update to support the latest draft of DANE/TLSA. Spotted by James Cloos (
commit 2338). Further improvements by Pieter Lexis in commit 2347, commit
* Compilation on OpenBSD was eased by patches from Brad Smith, which can be
found in commit 2288 and commit 2291, closing ticket 95.
* 'make check' failed on the internal PolarSSL. Spotted by Daniel Briley, fix
in commit 2283.
* The default SQL schemas were expanded to contain far longer content fields.
commit 2292, commit 2293.
* Documentation typos, Jake Spencer (commit 2304), Jose Arthur Benetasso
Villanova (commit 2337). Code typos in commit 2324 (closes ticket 296).
* Manpage updates from Debian, provided by Matthijs Möhlmann. Content in
* pdnssec rectify-zone can now accept multiple zones at the same time. Code
in commit 2383.
* As suggested in ticket 416, we now log the SOA serial number after
committing an AXFRed zone to the backend. Code in commit 2385.
* Pick up location of sqlite3 libraries using pkg-config. Implemented using a
variation of the patch found in the, now closed, ticket 380. Code in commit
* Documented 'pdnssec --verbose' flag is now accepted. Code in commit 2384,
closing ticket 404.
* 'pdnssec --help' now lists all supported signing algorithms. Suggested by
Jose Arthur Benetasso Villanova.
* PIPE backend example script with edns-subnet support was improved to
actually use edns-subnet field. Plus update PIPE backend documentation.
Code in commit 2285, more documentation regarding MX and SRV in commit 2313
* edns-subnet fields now also output in logfile when available (commit 2321).
* When running with virtualized configuration files, we now allow dashes in
the configuration name. Suggested by Marc Haber, code in commit 2295.
Further fixes by Brielle Bruns in commit 2327.
* Compilation fixes for GNU/Hurd in commit 2307 via Matthijs Möhlmann.
* Marc Haber improved our Debian packaging scripts for smoother upgrades.
Code in commit 2315.
* When failing to bind to an IP address, report to which one it failed.
* Supermaster checks were performed synchronously, leading to the
possibilities of slowdowns. Fixed in commit 2402.
* Removed the deprecated non-generic mysqlbackend, in commit 2488, commit
2514, commit 2515.
* Removed the deprecated 'pdnsbackend', in commit 2490, commit 2516.
* Removed GRANT statements from the gpgsql schema, as we can't assume they
will work for everyone. Change in commit 2493.
Tickets closed but not associated with a commit:
* ticket 125: "PowerDNS offers wild card info. when it is not queried for."
* ticket 219: "Accept NOTIFY from masters on non-standard port"
* ticket 247: "pdns caching weirdness with recursion-desired flag"
* ticket 253: "bind backend crashes on long comment line in included file"
* ticket 271: "PowerDNS Server responding with out-of-zone authority section
in case there is a cname"
* ticket 304: "also-notify option for pdns, also gives also-notify for
* ticket 311: "PowerDNSSEC responding with SERVFAIL upon IN A query for a
* ticket 325: "CNAME working strange!"
* ticket 376: "Unable to create long TXT records"
* ticket 412: "--without-lua doesn't disable lua"
* ticket 415: "Signing thread died during AXFR of signed domain"
* ticket 422: "ecdsa256 keys bug"
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
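
The PIPE backend item in the list above mentions fd leaks across fork() when descriptors are not marked 'close on exec'. As an added illustration (not PowerDNS code, and not the contents of commit 2273), this C sketch audits a process for descriptors that an exec'd helper would inherit and marks them; `SCAN_LIMIT` and all function names are assumptions made for the example.

```c
/* Added example: audit and fix descriptors that a fork()+exec() helper
 * (such as a pipe-backend coprocess) would inherit from its parent. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define SCAN_LIMIT 4096   /* assumption: cap the scan, OPEN_MAX can be huge */

/* Exclusive upper bound of the descriptor range to scan. */
static int scan_end(void) {
    long max = sysconf(_SC_OPEN_MAX);
    return (max < 0 || max > SCAN_LIMIT) ? SCAN_LIMIT : (int)max;
}

/* Set FD_CLOEXEC on fd, preserving other descriptor flags. 0 on success. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) ? -1 : 0;
}

/* Count open descriptors >= from that would survive an exec(). */
int count_inheritable(int from) {
    int n = 0;
    for (int fd = from, end = scan_end(); fd < end; fd++) {
        int flags = fcntl(fd, F_GETFD);   /* -1 means fd is not open */
        if (flags != -1 && !(flags & FD_CLOEXEC)) n++;
    }
    return n;
}

/* Mark every open descriptor >= from close-on-exec; returns how many changed. */
int mark_all_cloexec(int from) {
    int changed = 0;
    for (int fd = from, end = scan_end(); fd < end; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags != -1 && !(flags & FD_CLOEXEC) && set_cloexec(fd) == 0)
            changed++;
    }
    return changed;
}

int main(void) {
    int p[2];                      /* constructed stand-in for a backend socket */
    if (pipe(p) == -1) return 1;   /* plain pipe(): both ends are inheritable */
    printf("inheritable before: %d\n", count_inheritable(3));
    printf("marked:             %d\n", mark_all_cloexec(3));
    printf("inheritable after:  %d\n", count_inheritable(3));
    return 0;
}
```

In multi-threaded servers, creating descriptors with `O_CLOEXEC` at open time avoids the window between creation and the `fcntl()` call in which another thread could fork.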