[Pdns-users] 3.2-RC1! Re: PowerDNS Authoritative Server 3.1 Release Candidate 1 available

Peter van Dijk peter.van.dijk at netherlabs.nl
Mon Nov 12 14:20:27 UTC 2012


Of course, this should have said 3.2-RC1. Thanks to Aki Tuomi for pointing that out. Brown paper bag engaged!

On Nov 12, 2012, at 14:51 , Peter van Dijk wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi everybody,
> 
> Release Candidate 1 of the PowerDNS Authoritative Server 3.2 is available from:
> 
> http://powerdnssec.org/downloads/pdns-3.2-rc1.tar.gz
> http://powerdnssec.org/downloads/packages/pdns-static-3.2rc1-1.i386.rpm
> http://powerdnssec.org/downloads/packages/pdns-static-3.2rc1-1.x86_64.rpm
> http://powerdnssec.org/downloads/packages/pdns-static_3.2-rc1-1_amd64.deb
> http://powerdnssec.org/downloads/packages/pdns-static_3.2-rc1-1_i386.deb
> 
> You are cordially invited to (carefully) test this Release Candidate for
> correct behaviour.
> 
> Full release notes, with clickable links, are available from:
> http://doc.powerdns.com/changelog.html#changelog-auth-3-2
> 
> Here is a text-only version:
> 
> This is a stability and conformity update to 3.1. It mostly makes our DNSSEC
> implementation more robust, and improves interoperability with various
> validators. 3.2 has received very extensive testing on a lot of edge cases,
> verifying output both against common validators and compared against other
> authoritative servers.
> 
> In addition to all the changes below, we now auto-build semi-static packages.
> Relevant changes to make that possible are in commit 2849, commit 2853, 2858,
> commit 2859, commit 2860.
> 
> DNSSEC changes in 3.2:
> 
>  * Kees Monshouwer did a tremendous amount of work to improve and perfect our
>    DNSSEC implementation, mostly in the NSEC3 area. Code in commit 2687,
>    commit 2689, commit 2691, fixing ticket 486, ticket 537, ticket 540. He
>    also implemented support for Empty Non-Terminals, code in commit 2721,
>    commit 2732, commit 2745, fixing ticket 127 and ticket 558.
> 
>  * Presigned wildcard operation was improved with the help of many parties
>    (see commit message for commit 2676). Presigned operation was also changed
>    to be more consistent with master/live-signing operation. Code and a full
>    test suite in commit 2709, which also improves TTL behaviour for various
>    situations. Fixes ticket 460, ticket 533, ticket 559.
> 
>  * Depending on database & locale settings, names starting with underscore
>    would sometimes cause broken records. commit 2710 contains schema and code
>    changes for the gpgsql and gmysql backends to sort this (no pun intended)
>    definitively, closing ticket 550. In addition, a pdnssec test-schema
>    command was added (experimental and incomplete). It can be used to verify
>    underscore sorting and a few other parameters of the database. Code in
>    commit 2714.
> 
>  * We now always include an EDNS section in responses to queries that also had
>    an EDNS section. This was thought to improve BIND interoperability, but
>    this turned out to be false. In any case, this change improves standards
>    compliance. Spotted by Mats Dufberg, code in commit 2649.
> 
>  * It turns out we were storing Botan keys the wrong way. Botan did not care
>    but Polar did, causing interoperability problems. Fixed in commit 2720,
>    with the kind help of Paul Bakker of PolarSSL. Fixes ticket 492 as reported
>    by Florian Obser via Debian.
> 
>  * pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already
>    did. Code in commit 2692.
> 
>  * pdns_control purge now also purges DNSSEC-related caches (keys and
>    metadata). Code in commit 2694, by Ruben d'Arco. Fixes ticket 530.
> 
>  * The signer thread would die in specific situations, leaving you with a
>    non-working but very busy system. Fixed in commit 2668, commit 2670,
>    closing ticket 517.
> 
>  * pdnssec secure-zone now warns when you just signed a slave zone. Suggested
>    by Mark Scholten, code in commit 2795, closes ticket 592.
> 
>  * pdnssec check-zone now warns about out-of-zone data. Patch by Kees
>    Monshouwer in commit 2826, closing ticket 604.
> 
>  * pdnssec now honours --no-config. Patch by Kees Monshouwer in commit 2810.
> 
>  * Various fixes for bindbackend presigned operation, mostly by Kees
>    Monshouwer. Code in commit 2815, closing ticket 600.
> 
>  * Bindbackend could get confused about domain metadata, sometimes even
>    causing hangs. Fixes by Kees Monshouwer in commit 2819 and commit 2834,
>    closing ticket 600 and ticket 603.
> 
>  * SQL queries in gsql backends that reference the domain_id column have been
>    made explicit about from what table they want this column. This makes it
>    easier to operate custom schemas without changing the queries. Fix by Nicky
>    Gerritsen in commit 2821.
> 
>  * In various situations involving CNAMEs and wildcards, and for ANY queries
>    involving CNAMEs, we would sometimes return bogus results. Fixed in commit
>    2825 by Kees Monshouwer.
> 
>  * rectify-zone accidentally set auth=1 on NS records of secure delegations.
>    Reported by George Notaras, fixed by Kees Monshouwer in r2831, closing
>    ticket 605.
> 
>  * The DNSSEC signature cache now actually gets cleaned up, avoiding lasting
>    spikes in memory usage every Thursday. Code in commit 2836 and commit 2843,
>    closing ticket 594.
> 
>  * Signatures roll at midnight on Thursday. We now set their inception to be
>    one hour before midnight, to allow for some variations in clock quality on
>    resolvers. Code in commit 2857.
> 
>  * Duplicate records (same name/type/content/priority) would sometimes get
>    broken RRSIGs during outgoing AXFR. Fixed in commit 2856.
> 
>  * A root zone (name="") with DNSSEC would cause crashes in some situations.
>    Reported by Luuk Hendriks. Fixed in commit 2867, commit 2868, closing
>    ticket 614.
> 
>  * Direct RRSIG queries for zones with auto-completed SOA records would cause
>    trouble. Reported by Kees Monshouwer and fixed by him in r2869.
> 
>  * When a name is matched only by a wildcard, but the type in the query is not
>    present, we would be lacking one NSEC(3) record to prove the existence of
>    the wildcard. Fixed by Kees Monshouwer in r2872 and r2873.
> 
>  * Luuk Hendriks spotted that our PolarSSL RSA key generation code was using
>    inferior entropy. This can be important on virtual machines with badly
>    implemented clocks. Fixed in commit 2876, closing ticket 615.
> 
> Non-DNSSEC improvements/changes in 3.2:
> 
>  * Bindbackend would sometimes crash on startup, due to a sync_with_stdio
>    call. This call has been moved to pdns_server proper to occur before any
>    threads are spawned, avoiding race conditions in this call. Note that this
>    crash has only been observed twice in thousands of regression test runs and
>    has never been reported in the real world. Change in commit 2882.
> 
>  * Leen Besselink submitted query logging support for the SQLite3 parts in the
>    bindbackend. Code in commit 2874.
> 
>  * Multi-backend operation would sometimes cause garbage domain IDs to be
>    passed to backends. Reported by Kees Monshouwer and fixed by him in r2871.
> 
>  * Bindbackend would sometimes crash during reloads/rediscovers. The changes
>    in commit 2837 get rid of the crash, at the cost of returning SERVFAIL
>    during reloads. Closes ticket 564.
> 
>  * Our label decompression code was naive, causing troubles for slaving of
>    very specifically formatted zones. Fix in ticket 2822, closes ticket 599.
> 
>  * Bindbackend slaves would choke on unknown RR types and do silly things with
>    RP and SRV records. Fixed in commit 2811 and commit 2812.
> 
>  * The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint
>    in commit 2794, additional luabackend compile fixes in commit 2854.
> 
>  * A new backend, the 'Remote backend' (Section 16, “Remote Backend”), was
>    submitted by Aki Tuomi. It aims to replace the pipebackend with a better
>    protocol and support for more connection methods, including HTTP. Code in
>    commit 2755, commit 2756, commit 2757, commit 2758, commit 2759, commit
>    2824, closing ticket 529, ticket 597.
> 
>  * The gsqlite (SQLite 2) backend was removed. We were not aware of any users
>    and it was not actually working anyway. Changes in commits 2773-2777,
>    closing ticket 565.
> 
>  * Various tinydnsbackend improvements: ignore-bogus-records option; TAI
>    offset updated; strip dots on names where suitable; various internal
>    improvements. Code in commit 2762.
> 
>  * gpgsql no longer logs the database password in connection errors. Code in
>    commit 2609, commit 2612, closing ticket 459.
> 
>  * You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6
>    without getting replies from the wrong address. This much-requested feature
>    is implemented in commit 2763, commit 2766, commit 2779 and commit 2781.
>    Tested on Linux, FreeBSD and Mac OS X.
> 
>  * 3.2 can be reliably built with or without Lua. This and many other
>    configure/compile-related fixes in commit 2610, commit 2611 / ticket 461,
>    commit 2666, commit 2671, commit 2672 / ticket 522, commit 2673 / ticket
>    522, commit 2696 / ticket 555, commit 2697 / ticket 457, commit 2698,
>    commit 2708, commit 2742 / ticket 462, commit 2752 / ticket 437, commit
>    2764, commit 2809, commit 2844, commit 2845, commit 2846, commit 2881.
> 
>  * Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in
>    commit 2616.
> 
>  * Initscripts now have exit codes, submitted by Sander Hoentjes. Code in
>    commit 2728. Guardian now returns 0 instead of 1 when receiving SIGTERM,
>    requested by Morten Stevens of Fedora. Code in commit 2717.
> 
>  * Mark Zealey submitted various performance improvement patches and
>    suggestions. Accepted as commit 2729 / ticket 579, commit 2730 / ticket 584,
>    commit 2731 / ticket 583, commit 2768 / ticket 578. Please see commit
>    messages for more details.
> 
>  * pdnssec check-all-zones now reuses database connections, avoiding a socket
>    exhaustion issue in some situations. Code in commit 2749, closes ticket 519.
> 
>  * Ruben d'Arco submitted various improvements regarding trailing dots.
>    Additional lookups now try harder, pdnssec errors about trailing dots in
>    names, pdnssec warns about trailing dots in names inside content fields,
>    AXFR now strips the dot from SRV hostnames. Code in commit 2748, fixes
>    ticket 289.
> 
>  * Pre-3.0, backends would get cycled if they threw the right error. 3.2
>    reinstates this behaviour, as it is more robust. Change in commit 2734
>    (reverting commit 2100), fixes ticket 386.
> 
>  * PowerDNS auth does not use the select() kernel/library call anymore. This
>    means fd-numbers over 1023 (and, in general, more than 1024 sockets,
>    including more than 1024 listening sockets) should now work reliably. Code
>    in commit 2739, commit 2740, fixes ticket 408.
> 
>  * gmysql users can now specify the 'group' we connect as, using the
>    gmysql-group setting. Submitted by Kees Monshouwer, code in commit 2770,
>    commit 2771, commit 2778, commit 2780, closing ticket 463.
> 
>  * The Linux-only traceback handler is now optional (use traceback-handler=off
>    to disable it). Suggested by Marc Haber. Change in commit 2798, closes
>    ticket 497.
> 
>  * We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent
>    behaviour between different operating systems. Change in commit 2799.
> 
>  * MySQL connections are now logged at a higher loglevel, reducing log
>    clutter. Change in commit 2800.
> 
>  * We now ship a systemd unit file in contrib/. Added in commit 2847 and
>    commit 2848, submitted by Morten Stevens.
> 
> Assorted bugfixes:
> 
>  * If a slave domain is removed while a transfer for it is queued, we no
>    longer try the transfer. This also avoids a rare crash in similar
>    circumstances. Code in commit 2802, closes ticket 596.
> 
>  * When using pdnssec with gsql backends, sometimes an SSqlException would pop
>    up without any useful information. This no longer happens and errors are
>    now in general more meaningful. Fix in commit 2803.
> 
>  * zone2sql now uses correct string syntax for PostgreSQL. This is needed for
>    importing with the changed default settings in PostgreSQL 9.2 and up. Code
>    in commit 2797, closes ticket 471.
> 
>  * We no longer send v6 notifications if v6 is not available. Same for IPv4.
>    Code in commit 2772, fixes ticket 515.
> 
>  * We would sometimes serve stale data after an incoming AXFR. Reported by
>    Martin Draschl, fixed by Ruben d'Arco in commit 2699, closing ticket 525.
> 
>  * Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same
>    domain name into a database twice. Fixed in commit 2703, closing ticket 453.
> 
>  * pdnssec show-zone now works on a zone that has any number of keys, instead
>    of requiring active keys. Reported by Jeroen Tushuizen of myH2Oservers,
>    code in commit 2769, closes ticket 586.
> 
>  * pdns-control notify-host now accepts v6 literals. Reported by Christof
>    Meerwald, fixed in commit 2704.
> 
>  * The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code
>    in commit 2622.
> 
>  * *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code
>    in commit 2645, closing ticket 472.
> 
>  * We would sometimes leave the opcode of an outgoing packet uninitialized.
>    Fixed in commit 2680, closing ticket 532.
> 
>  * nproxy can now listen on a configurable port. Code in commit 2684, fixes
>    ticket 534.
> 
>  * Improve mydnsbackend for SOA queries. Code in commit 2751, fixes ticket 439,
>    by Ruben d'Arco.
> 
>  * Various non-functional fixes that make Valgrind happy (note that Valgrind
>    was right to complain in all of these situations), in commit 2715, commit
>    2716, commit 2718.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> 
> -----END PGP SIGNATURE-----

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
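
The changelog item about setting RRSIG inception one hour before the Thursday midnight roll can be illustrated as follows. This is an added example, not PowerDNS code and not part of the original message: the function names, the three-week validity value and the sample clock lags are assumptions constructed for the illustration.

```python
"""Added illustration: back-dated RRSIG inception versus validators with slow clocks."""
from datetime import datetime, timezone

HOUR = 3600
WEEK = 7 * 24 * HOUR


def roll_time(now: int) -> int:
    """Most recent Thursday 00:00 UTC at or before `now`.

    The Unix epoch (1970-01-01 00:00 UTC) fell on a Thursday, so weeks
    counted from the epoch begin at Thursday midnight UTC.
    """
    return now - now % WEEK


def inception(now: int, backdate: int) -> int:
    """Signature inception: the roll time minus a safety margin in seconds."""
    return roll_time(now) - backdate


def validator_accepts(sig_inception: int, sig_expiration: int, clock: int) -> bool:
    """Time check from RFC 4035 section 5.3.1: the validator's own clock
    must lie between inception and expiration, inclusive."""
    return sig_inception <= clock <= sig_expiration


def rejected_lags(now: int, backdate: int, lags, validity: int = 3 * WEEK):
    """Return the clock lags (seconds behind true time) whose validators
    would treat a freshly rolled signature as not yet valid.

    `validity` is an assumed value for this example, not taken from the page.
    """
    inc = inception(now, backdate)
    exp = roll_time(now) + validity
    return [lag for lag in lags if not validator_accepts(inc, exp, now - lag)]


# Constructed sample: five minutes after the roll on Thursday 2012-11-15.
SAMPLE_NOW = int(datetime(2012, 11, 15, 0, 5, tzinfo=timezone.utc).timestamp())
# Constructed sample: validators running 0 s to 70 min behind true time.
LAGS = [0, 120, 600, 3000, 4200]

if __name__ == "__main__":
    print("no margin:    rejected lags", rejected_lags(SAMPLE_NOW, 0, LAGS))
    print("1 hour margin: rejected lags", rejected_lags(SAMPLE_NOW, HOUR, LAGS))
```

With no margin, any validator whose clock is still before midnight sees an inception time in the future and fails validation; the one-hour margin moves that cutoff to clocks more than an hour behind the roll.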