[Pdns-users] PowerDNS Authoritative Server 3.1 Release Candidate 1 available
Peter van Dijk
peter.van.dijk at netherlabs.nl
Mon Nov 12 13:51:46 UTC 2012
Release Candidate 1 of the PowerDNS Authoritative Server 3.2 is available from:
You are cordially invited to (carefully) test this Release Candidate for
Full release notes, with clickable links, are available from:
Here is a text-only version:
This is a stability and conformity update to 3.1. It mostly makes our DNSSEC
implementation more robust, and improves interoperability with various
validators. 3.2 has received very extensive testing on a lot of edge cases,
verifying output both against common validators and compared against other
In addition to all the changes below, we now auto-build semi-static packages.
Relevant changes to make that possible are in commit 2849, commit 2853, 2858,
commit 2859, commit 2860.
DNSSEC changes in 3.2:
* Kees Monshouwer did a tremendous amount of work to improve and perfect our
DNSSEC implementation, mostly in the NSEC3 area. Code in commit 2687,
commit 2689, commit 2691, fixing ticket 486, ticket 537, ticket 540. He
also implemented support for Empty Non-Terminals, code in commit 2721,
commit 2732, commit 2745, fixing ticket 127 and ticket 558.
* Presigned wildcard operation was improved with the help of many parties
(see commit message for commit 2676). Presigned operation was also changed
to be more consistent with master/live-signing operation. Code and a full
test suite in commit 2709, which also improves TTL behaviour for various
situations. Fixes ticket 460, ticket 533, ticket 559.
* Depending on database & locale settings, names starting with underscore
would sometimes cause broken records. commit 2710 contains schema and code
changes for the gpgsql and gmysql backends to sort this (no pun intended)
definitively, closing ticket 550. In addition, a pdnssec test-schema
command was added (experimental and incomplete). It can be used to verify
underscore sorting and a few other parameters of the database. Code in
* We now always include an EDNS section in responses to queries that also had
an EDNS section. This was thought to improve BIND interoperability, but
this turned out to be false. In any case, this change improves standards
compliance. Spotted by Mats Dufberg, code in commit 2649.
* It turns out we were storing Botan keys the wrong way. Botan did not care
but Polar did, causing interoperability problems. Fixed in commit 2720,
with the kind help of Paul Bakker of PolarSSL. Fixes ticket 492 as reported
by Florian Obser via Debian.
* pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already
did. Code in commit 2692.
* pdns_control purge now also purges DNSSEC-related caches (keys and
metadata). Code in commit 2694, by Ruben d'Arco. Fixes ticket 530.
* The signer thread would die in specific situations, leaving you with a
non-working but very busy system. Fixed in commit 2668, commit 2670,
closing ticket 517.
* pdnssec secure-zone now warns when you just signed a slave zone. Suggested
by Mark Scholten, code in commit 2795, closes ticket 592.
* pdnssec check-zone now warns about out-of-zone data. Patch by Kees
Monshouwer in commit 2826, closing ticket 604.
* pdnssec now honours --no-config. Patch by Kees Monshouwer in commit 2810.
* Various fixes for bindbackend presigned operation, mostly by Kees
Monshouwer. Code in commit 2815, closing ticket 600.
* Bindbackend could get confused about domain metadata, sometimes even
causing hangs. Fixes by Kees Monshouwer in commit 2819 and commit 2834,
closing ticket 600 and ticket 603.
* SQL queries in gsql backends that reference the domain_id column have been
made explicit about from what table they want this column. This makes it
easier to operate custom schemas without changing the queries. Fix by Nicky
Gerritsen in commit 2821.
* In various situations involving CNAMEs and wildcards, and for ANY queries
involving CNAMEs, we would sometimes return bogus results. Fixed in commit
2825 by Kees Monshouwer.
* rectify-zone accidentally set auth=1 on NS records of secure delegations.
Reported by George Notaras, fixed by Kees Monshouwer in r2831, closing
* The DNSSEC signature cache now actually gets cleaned up, avoiding lasting
spikes in memory usage every Thursday. Code in commit 2836 and commit 2843,
closing ticket 594.
* Signatures roll at midnight on Thursday. We now set their inception to be
one hour before midnight, to allow for some variations in clock quality on
resolvers. Code in commit 2857.
* Duplicate records (same name/type/content/priority) would sometimes get
broken RRSIGs during outgoing AXFR. Fixed in commit 2856.
* A root zone (name="") with DNSSEC would cause crashes in some situations.
Reported by Luuk Hendriks. Fixed in commit 2867, commit 2868, closing
* Direct RRSIG queries for zones with auto-completed SOA records would cause
trouble. Reported by Kees Monshouwer and fixed by him in r2869.
* When a name is matched only by a wildcard, but the type in the query is not
present, we would be lacking one NSEC(3) record to prove the existence of
the wildcard. Fixed by Kees Monshouwer in r2872 and r2873.
* Luuk Hendriks spotted that our PolarSSL RSA key generation code was using
inferior entropy. This can be important on virtual machines with badly
implemented clocks. Fixed in commit 2876, closing ticket 615.
Non-DNSSEC improvements/changes in 3.2:
* Bindbackend would sometimes crash on startup, due to a sync_with_stdio
call. This call has been moved to pdns_server proper to occur before any
threads are spawned, avoiding race conditions in this call. Note that this
crash has only been observed twice in thousands of regression test runs and
has never been reported in the real world. Change in commit 2882.
* Leen Besselink submitted query logging support for the SQLite3 parts in the
bindbackend. Code in commit 2874.
* Multi-backend operation would sometimes cause garbage domain IDs to be
passed to backends. Reported by Kees Monshouwer and fixed by him in r2871.
* Bindbackend would sometimes crash during reloads/rediscovers. The changes
in commit 2837 get rid of the crash, at the cost of returning SERVFAIL
during reloads. Closes ticket 564.
* Our label decompression code was naive, causing troubles for slaving of
very specifically formatted zones. Fix in ticket 2822, closes ticket 599.
* Bindbackend slaves would choke on unknown RR types and do silly things with
RP and SRV records. Fixed in commit 2811 and commit 2812.
* The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint
in commit 2794, additional luabackend compile fixes in commit 2854.
* A new backend, the 'Remote backend' (Section 16, "Remote Backend") was
submitted by Aki Tuomi. It aims to replace the pipebackend with a better
protocol and support for more connection methods, including HTTP. Code in
commit 2755, commit 2756, commit 2757, commit 2758, commit 2759, commit
2824, closing ticket 529, ticket 597.
* The gsqlite (SQLite 2) backend was removed. We were not aware of any users
and it was not actually working anyway. Changes in commits 2773-2777,
closing ticket 565.
* Various tinydnsbackend improvements: ignore-bogus-records option; TAI
offset updated; strip dots on names where suitable; various internal
improvements. Code in commit 2762.
* gpgsql no longer logs the database password in connection errors. Code in
commit 2609, commit 2612, closing ticket 459.
* You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6
without getting replies from the wrong address. This much-requested feature
is implemented in commit 2763, commit 2766, commit 2779 and commit 2781.
Tested on Linux, FreeBSD and Mac OS X.
* 3.2 can be reliably built with or without Lua. This and many other
configure/compile-related fixes in commit 2610, commit 2611 / ticket 461,
commit 2666, commit 2671, commit 2672 / ticket 522, commit 2673 / ticket
522, commit 2696 / ticket 555, commit 2697 / ticket 457, commit 2698,
commit 2708, commit 2742 / ticket 462, commit 2752 / ticket 437, commit
2764, commit 2809, commit 2844, commit 2845, commit 2846, commit 2881.
* Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in
* Initscripts now have exit codes, submitted by Sander Hoentjes. Code in
commit 2728. Guardian now returns 0 instead of 1 when receiving SIGTERM,
requested by Morten Stevens of Fedora. Code in commit 2717.
* Mark Zealey submitted various performance improvement patches and
suggestions. Accepted as commit 2729 / ticket 579, commit 2730 / ticket 584,
commit 2731 / ticket 583, commit 2768 / ticket 578. Please see commit
messages for more details.
* pdnssec check-all-zones now reuses database connections, avoiding a socket
exhaustion issue in some situations. Code in commit 2749, closes ticket 519.
* Ruben d'Arco submitted various improvements regarding trailing dots.
Additional lookups now try harder, pdnssec errors about trailing dots in
names, pdnssec warns about trailing dots in names inside content fields,
AXFR now strips the dot from SRV hostnames. Code in commit 2748, fixes
* Pre-3.0, backends would get cycled if they threw the right error. 3.2
reinstates this behaviour, as it is more robust. Change in commit 2734
(reverting commit 2100), fixes ticket 386.
* PowerDNS auth does not use the select() kernel/library call anymore. This
means fd-numbers over 1023 (and, in general, more than 1024 sockets,
including more than 1024 listening sockets) should now work reliably. Code
in commit 2739, commit 2740, fixes ticket 408.
* gmysql users can now specify the 'group' we connect as, using the
gmysql-group setting. Submitted by Kees Monshouwer, code in commit 2770,
commit 2771, commit 2778, commit 2780, closing ticket 463.
* The Linux-only traceback handler is now optional (use traceback-handler=off
to disable it). Suggested by Marc Haber. Change in commit 2798, closes
* We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent
behaviour between different operating systems. Change in commit 2799.
* MySQL connections are now logged at a higher loglevel, reducing log
clutter. Change in commit 2800.
* We now ship a systemd unit file in contrib/. Added in commit 2847 and
commit 2848, submitted by Morten Stevens.
* If a slave domain is removed while a transfer for it is queued, we no
longer try the transfer. This also avoids a rare crash in similar
circumstances. Code in commit 2802, closes ticket 596.
* When using pdnssec with gsql backends, sometimes an SSqlException would pop
up without any useful information. This no longer happens and errors are
now in general more meaningful. Fix in commit 2803.
* zone2sql now uses correct string syntax for PostgreSQL. This is needed for
importing with the changed default settings in PostgreSQL 9.2 and up. Code
in commit 2797, closes ticket 471.
* We no longer send v6 notifications if v6 is not available. Same for IPv4.
Code in commit 2772, fixes ticket 515.
* We would sometimes serve stale data after an incoming AXFR. Reported by
Martin Draschl, fixed by Ruben d'Arco in commit 2699, closing ticket 525.
* Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same
domain name into a database twice. Fixed in commit 2703, closing ticket 453.
* pdnssec show-zone now works on a zone that has any number of keys, instead
of requiring active keys. Reported by Jeroen Tushuizen of myH2Oservers,
code in commit 2769, closes ticket 586.
* pdns-control notify-host now accepts v6 literals. Reported by Christof
Meerwald, fixed in commit 2704.
* The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code
in commit 2622.
* *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code
in commit 2645, closing ticket 472.
* We would sometimes leave the opcode of an outgoing packet uninitialized.
Fixed in commit 2680, closing ticket 532.
* nproxy can now listen on a configurable port. Code in commit 2684, fixes
* Improve mydnsbackend for SOA queries. Code in commit 2751, fixes ticket 439,
by Ruben d'Arco.
* Various non-functional fixes that make Valgrind happy (note that Valgrind
was right to complain in all of these situations), in commit 2715, commit
2716, commit 2718.
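The release note about no longer using select() comes down to how descriptors are passed to the kernel. This is an added example, not part of the original message and not PowerDNS code: it shows poll() waiting on a descriptor numbered at or above FD_SETSIZE, which an fd_set cannot represent. The helper names (fitsInFdSet, waitReadable, highFdPipe) are hypothetical.

```cpp
// Added example, not PowerDNS code: poll() on a descriptor that select() cannot hold.
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>
#include <cstdio>

// select() keeps descriptors in fd_set, a fixed bitmap of FD_SETSIZE bits
// (commonly 1024). FD_SET() with fd >= FD_SETSIZE writes outside that bitmap.
bool fitsInFdSet(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

// poll() takes an array of descriptors, so the numeric value of fd is no limit.
// Returns 1 when readable, 0 on timeout, -1 on error.
int waitReadable(int fd, int timeoutMs) {
  struct pollfd p;
  p.fd = fd; p.events = POLLIN; p.revents = 0;
  int rc = poll(&p, 1, timeoutMs);
  if (rc <= 0) return rc;
  return (p.revents & (POLLIN | POLLHUP)) ? 1 : -1;
}

// Hypothetical helper: makes a pipe and moves its read end to a descriptor
// number >= FD_SETSIZE, raising the soft RLIMIT_NOFILE when the hard limit
// allows. If it does not, the low-numbered read end is returned unchanged.
int highFdPipe(int* writeEnd) {
  struct rlimit rl;
  const rlim_t want = FD_SETSIZE + 64;
  if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < want) {
    rl.rlim_cur = (rl.rlim_max < want) ? rl.rlim_max : want;
    setrlimit(RLIMIT_NOFILE, &rl);
  }
  int fds[2];
  if (pipe(fds) != 0) return -1;
  int high = fcntl(fds[0], F_DUPFD, FD_SETSIZE);  // lowest free fd >= FD_SETSIZE
  if (high >= 0) close(fds[0]); else high = fds[0];
  *writeEnd = fds[1];
  return high;
}

int main() {
  int w = -1, r = highFdPipe(&w);
  if (r < 0) return 1;
  std::printf("fd=%d fits in fd_set: %d, before write: %d\n", r, fitsInFdSet(r), waitReadable(r, 0));
  if (write(w, "x", 1) != 1) return 1;
  std::printf("after write: %d\n", waitReadable(r, 1000));
  return 0;
}
```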
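The gpgsql item above concerns a database password reaching the log through a connection error. This is an added example, not part of the original message and not the code from commit 2609 or commit 2612: one way to make a connection string safe to log, assuming the keyword/value format that libpq accepts. The function name redactConninfo, the marker text and the sample host and credentials are constructed for illustration.

```cpp
// Added example, not PowerDNS code: make a libpq-style connection string loggable.
#include <cctype>
#include <iostream>
#include <string>

static bool isSpace(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }

// Copies "keyword=value ..." pairs, replacing the value of `password` with a
// marker. Values may be bare or single-quoted; a backslash escapes the next
// character in both forms. Spacing around '=' is normalised away.
std::string redactConninfo(const std::string& in) {
  std::string out;
  size_t i = 0, n = in.size();
  while (i < n) {
    while (i < n && isSpace(in[i])) out += in[i++];          // separators
    size_t ks = i;
    while (i < n && in[i] != '=' && !isSpace(in[i])) i++;     // keyword
    std::string key = in.substr(ks, i - ks);
    size_t j = i;
    while (j < n && isSpace(in[j])) j++;
    if (j >= n || in[j] != '=') { out += key; continue; }     // no value: copy as-is
    j++;
    while (j < n && isSpace(in[j])) j++;
    size_t vs = j;
    bool quoted = j < n && in[j] == '\'';
    if (quoted) j++;
    while (j < n && (quoted ? in[j] != '\'' : !isSpace(in[j]))) {
      if (in[j] == '\\' && j + 1 < n) j++;                    // skip escaped char
      j++;
    }
    if (quoted && j < n) j++;                                 // closing quote
    out += key + "=" + (key == "password" ? "<redacted>" : in.substr(vs, j - vs));
    i = j;
  }
  return out;
}

int main() {
  // Constructed sample: the quoted password contains a space and an escaped quote.
  std::string conninfo = "host=db.example.net user=pdns password='s3 cr\\'et' dbname=pdns";
  std::cout << "connect failed, parameters: " << redactConninfo(conninfo) << "\n";
}
```

A pattern that stops at the first space would leave the tail of the quoted password in the log, which is why the value is parsed rather than matched. Connection URIs are not handled here.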