[Pdns-users] 3.2-RC1! Re: PowerDNS Authoritative Server 3.1 Release Candidate 1 available
Peter van Dijk
peter.van.dijk at netherlabs.nl
Mon Nov 12 14:20:27 UTC 2012
Of course, this should have said 3.2-RC1. Thanks to Aki Tuomi for pointing that out. Brown paper bag engaged!
On Nov 12, 2012, at 14:51 , Peter van Dijk wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi everybody,
> Release Candidate 1 of the PowerDNS Authoritative Server 3.2 is available from:
> You are cordially invited to (carefully) test this Release Candidate for
> correct behaviour.
> Full release notes, with clickable links, are available from:
> Here is a text-only version:
> This is a stability and conformity update to 3.1. It mostly makes our DNSSEC
> implementation more robust, and improves interoperability with various
> validators. 3.2 has received very extensive testing on a lot of edge cases,
> verifying output both against common validators and compared against other
> authoritative servers.
> In addition to all the changes below, we now auto-build semi-static packages.
> Relevant changes to make that possible are in commit 2849, commit 2853, 2858,
> commit 2859, commit 2860.
> DNSSEC changes in 3.2:
> * Kees Monshouwer did a tremendous amount of work to improve and perfect our
> DNSSEC implementation, mostly in the NSEC3 area. Code in commit 2687,
> commit 2689, commit 2691, fixing ticket 486, ticket 537, ticket 540. He
> also implemented support for Empty Non-Terminals, code in commit 2721,
> commit 2732, commit 2745, fixing ticket 127 and ticket 558.
> * Presigned wildcard operation was improved with the help of many parties
> (see commit message for commit 2676). Presigned operation was also changed
> to be more consistent with master/live-signing operation. Code and a full
> test suite in commit 2709, which also improves TTL behaviour for various
> situations. Fixes ticket 460, ticket 533, ticket 559.
> * Depending on database & locale settings, names starting with underscore
> would sometimes cause broken records. commit 2710 contains schema and code
> changes for the gpgsql and gmysql backends to sort this (no pun intended)
> definitively, closing ticket 550. In addition, a pdnssec test-schema
> command was added (experimental and incomplete). It can be used to verify
> underscore sorting and a few other parameters of the database. Code in
> commit 2714.
> * We now always include an EDNS section in responses to queries that also had
> an EDNS section. This was thought to improve BIND interoperability, but
> this turned out to be false. In any case, this change improves standards
> compliance. Spotted by Mats Dufberg, code in commit 2649.
> * It turns out we were storing Botan keys the wrong way. Botan did not care
> but Polar did, causing interoperability problems. Fixed in commit 2720,
> with the kind help of Paul Bakker of PolarSSL. Fixes ticket 492 as reported
> by Florian Obser via Debian.
> * pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already
> did. Code in commit 2692.
> * pdns_control purge now also purges DNSSEC-related caches (keys and
> metadata). Code in commit 2694, by Ruben d'Arco. Fixes ticket 530.
> * The signer thread would die in specific situations, leaving you with a
> non-working but very busy system. Fixed in commit 2668, commit 2670,
> closing ticket 517.
> * pdnssec secure-zone now warns when you just signed a slave zone. Suggested
> by Mark Scholten, code in commit 2795, closes ticket 592.
> * pdnssec check-zone now warns about out-of-zone data. Patch by Kees
> Monshouwer in commit 2826, closing ticket 604.
> * pdnssec now honours --no-config. Patch by Kees Monshouwer in commit 2810.
> * Various fixes for bindbackend presigned operation, mostly by Kees
> Monshouwer. Code in commit 2815, closing ticket 600.
> * Bindbackend could get confused about domain metadata, sometimes even
> causing hangs. Fixes by Kees Monshouwer in commit 2819 and commit 2834,
> closing ticket 600 and ticket 603.
> * SQL queries in gsql backends that reference the domain_id column have been
> made explicit about from what table they want this column. This makes it
> easier to operate custom schemas without changing the queries. Fix by Nicky
> Gerritsen in commit 2821.
> * In various situations involving CNAMEs and wildcards, and for ANY queries
> involving CNAMEs, we would sometimes return bogus results. Fixed in commit
> 2825 by Kees Monshouwer.
> * rectify-zone accidentally set auth=1 on NS records of secure delegations.
> Reported by George Notaras, fixed by Kees Monshouwer in r2831, closing
> ticket 605.
> * The DNSSEC signature cache now actually gets cleaned up, avoiding lasting
> spikes in memory usage every Thursday. Code in commit 2836 and commit 2843,
> closing ticket 594.
> * Signatures roll at midnight on Thursday. We now set their inception to be
> one hour before midnight, to allow for some variations in clock quality on
> resolvers. Code in commit 2857.
> * Duplicate records (same name/type/content/priority) would sometimes get
> broken RRSIGs during outgoing AXFR. Fixed in commit 2856.
> * A root zone (name="") with DNSSEC would cause crashes in some situations.
> Reported by Luuk Hendriks. Fixed in commit 2867, commit 2868, closing
> ticket 614.
> * Direct RRSIG queries for zones with auto-completed SOA records would cause
> trouble. Reported by Kees Monshouwer and fixed by him in r2869.
> * When a name is matched only by a wildcard, but the type in the query is not
> present, we would be lacking one NSEC(3) record to prove the existence of
> the wildcard. Fixed by Kees Monshouwer in r2872 and r2873.
> * Luuk Hendriks spotted that our PolarSSL RSA key generation code was using
> inferior entropy. This can be important on virtual machines with badly
> implemented clocks. Fixed in commit 2876, closing ticket 615.
> Non-DNSSEC improvements/changes in 3.2:
> * Bindbackend would sometimes crash on startup, due to a sync_with_stdio
> call. This call has been moved to pdns_server proper to occur before any
> threads are spawned, avoiding race conditions in this call. Note that this
> crash has only been observed twice in thousands of regression test runs and
> has never been reported in the real world. Change in commit 2882.
> * Leen Besselink submitted query logging support for the SQLite3 parts in the
> bindbackend. Code in commit 2874.
> * Multi-backend operation would sometimes cause garbage domain IDs to be
> passed to backends. Reported by Kees Monshouwer and fixed by him in r2871.
> * Bindbackend would sometimes crash during reloads/rediscovers. The changes
> in commit 2837 get rid of the crash, at the cost of returning SERVFAIL
> during reloads. Closes ticket 564.
> * Our label decompression code was naive, causing troubles for slaving of
> very specifically formatted zones. Fix in ticket 2822, closes ticket 599.
> * Bindbackend slaves would choke on unknown RR types and do silly things with
> RP and SRV records. Fixed in commit 2811 and commit 2812.
> * The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint
> in commit 2794, additional luabackend compile fixes in commit 2854.
> * A new backend, the 'Remote backend' Section 16, “Remote Backend” was
> submitted by Aki Tuomi. It aims to replace the pipebackend with a better
> protocol and support for more connection methods, including HTTP. Code in
> commit 2755, commit 2756, commit 2757, commit 2758, commit 2759, commit
> 2824, closing ticket 529, ticket 597.
> * The gsqlite (SQLite 2) backend was removed. We were not aware of any users
> and it was not actually working anyway. Changes in commits 2773-2777,
> closing ticket 565.
> * Various tinydnsbackend improvements: ignore-bogus-records option; TAI
> offset updated; strip dots on names where suitable; various internal
> improvements. Code in commit 2762.
> * gpgsql no longer logs the database password in connection errors. Code in
> commit 2609, commit 2612, closing ticket 459.
> * You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6
> without getting replies from the wrong address. This much-requested feature
> is implemented in commit 2763, commit 2766, commit 2779 and commit 2781.
> Tested on Linux, FreeBSD and Mac OS X.
> * 3.2 can be reliably built with or without Lua. This and many other
> configure/compile-related fixes in commit 2610, commit 2611 / ticket 461,
> commit 2666, commit 2671, commit 2672 / ticket 522, commit 2673 / ticket
> 522, commit 2696 / ticket 555, commit 2697 / ticket 457, commit 2698,
> commit 2708, commit 2742 / ticket 462, commit 2752 / ticket 437, commit
> 2764, commit 2809, commit 2844, commit 2845, commit 2846, commit 2881.
> * Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in
> commit 2616.
> * Initscripts now have exit codes, submitted by Sander Hoentjes. Code in
> commit 2728. Guardian now returns 0 instead of 1 when receiving SIGTERM,
> requested by Morten Stevens of Fedora. Code in commit 2717.
> * Mark Zealey submitted various performance improvement patches and
> suggestions. Accepted as commit 2729 / ticket 579, commit 2730 / ticket 584,
> commit 2731 / ticket 583, commit 2768 / ticket 578. Please see commit
> messages for more details.
> * pdnssec check-all-zones now reuses database connections, avoiding a socket
> exhaustion issue in some situations. Code in commit 2749, closes ticket 519.
> * Ruben d'Arco submitted various improvements regarding trailing dots.
> Additional lookups now try harder, pdnssec errors about trailing dots in
> names, pdnssec warns about trailing dots in names inside content fields,
> AXFR now strips the dot from SRV hostnames. Code in commit 2748, fixes
> ticket 289.
> * Pre-3.0, backends would get cycled if they threw the right error. 3.2
> reinstates this behaviour, as it is more robust. Change in commit 2734
> (reverting commit 2100), fixes ticket 386.
> * PowerDNS auth does not use the select() kernel/library call anymore. This
> means fd-numbers over 1023 (and, in general, more than 1024 sockets,
> including more than 1024 listening sockets) should now work reliably. Code
> in commit 2739, commit 2740, fixes ticket 408.
> * gmysql users can now specify the 'group' we connect as, using the
> gmysql-group setting. Submitted by Kees Monshouwer, code in commit 2770,
> commit 2771, commit 2778, commit 2780, closing ticket 463.
> * The Linux-only traceback handler is now optional (use traceback-handler=off
> to disable it). Suggested by Marc Haber. Change in commit 2798, closes
> ticket 497.
> * We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent
> behaviour between different operating systems. Change in commit 2799.
> * MySQL connections are now logged at a higher loglevel, reducing log
> clutter. Change in commit 2800.
> * We now ship a systemd unit file in contrib/. Added in commit 2847 and
> commit 2848, submitted by Morten Stevens.
> Assorted bugfixes:
> * If a slave domain is removed while a transfer for it is queued, we no
> longer try the transfer. This also avoids a rare crash in similar
> circumstances. Code in commit 2802, closes ticket 596.
> * When using pdnssec with gsql backends, sometimes an SSqlException would pop
> up without any useful information. This no longer happens and errors are
> now in general more meaningful. Fix in commit 2803.
> * zone2sql now uses correct string syntax for PostgreSQL. This is needed for
> importing with the changed default settings in PostgreSQL 9.2 and up. Code
> in commit 2797, closes ticket 471.
> * We no longer send v6 notifications if v6 is not available. Same for IPv4.
> Code in commit 2772, fixes ticket 515.
> * We would sometimes serve stale data after an incoming AXFR. Reported by
> Martin Draschl, fixed by Ruben d'Arco in commit 2699, closing ticket 525.
> * Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same
> domain name into a database twice. Fixed in commit 2703, closing ticket 453.
> * pdnssec show-zone now works on a zone that has any number of keys, instead
> of requiring active keys. Reported by Jeroen Tushuizen of myH2Oservers,
> code in commit 2769, closes ticket 586.
> * pdns-control notify-host now accepts v6 literals. Reported by Christof
> Meerwald, fixed in commit 2704.
> * The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code
> in commit 2622.
> * *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code
> in commit 2645, closing ticket 472.
> * We would sometimes leave the opcode of an outgoing packet uninitialized.
> Fixed in commit 2680, closing ticket 532.
> * nproxy can now listen on a configurable port. Code in commit 2684, fixes
> ticket 534.
> * Improve mydnsbackend for SOA queries. Code in commit 2751, fixes ticket 439,
> by Ruben d'Arco.
> * Various non-functional fixes that make Valgrind happy (note that Valgrind
> was right to complain in all of these situations), in commit 2715, commit
> 2716, commit 2718.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> -----END PGP SIGNATURE-----
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
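
The release notes above say that dropping `select()` makes fd numbers over 1023 work reliably; that limit comes from `fd_set` being a fixed-size bitmap. The C program below is an added example, not PowerDNS code: the notes do not name the replacement call, so `poll()` is an assumption here, and the function names `select_can_watch`, `poll_readable` and `demo_high_fd` are hypothetical.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* select() keeps descriptors in a bitmap of FD_SETSIZE bits (typically 1024);
   FD_SET() on a larger fd writes outside that bitmap, so guard before using it. */
int select_can_watch(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* poll() takes the descriptor as a plain int, so it has no such ceiling.
   Returns 1 if fd is readable, 0 on timeout, -1 on error. */
int poll_readable(int fd, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int n = poll(&p, 1, timeout_ms);
    if (n < 0) return -1;
    return (n == 1 && (p.revents & POLLIN)) ? 1 : 0;
}

/* Duplicate the read end of a pipe onto a descriptor >= FD_SETSIZE and wait
   on it with poll(). Returns poll_readable()'s result, or -2 when the open
   file limit of this process does not allow such a descriptor. */
int demo_high_fd(void) {
    struct rlimit rl;
    rlim_t want = (rlim_t)FD_SETSIZE + 64;
    int fds[2], high, r = -1;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -2;
    if (rl.rlim_cur < want) {            /* raise the soft limit if permitted */
        if (rl.rlim_max < want) return -2;
        rl.rlim_cur = want;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return -2;
    }
    if (pipe(fds) != 0) return -2;
    high = fcntl(fds[0], F_DUPFD, FD_SETSIZE);  /* lowest free fd >= FD_SETSIZE */
    if (high < 0) { close(fds[0]); close(fds[1]); return -2; }
    if (!select_can_watch(high) && write(fds[1], "x", 1) == 1)
        r = poll_readable(high, 1000);   /* works although select() could not */
    close(high); close(fds[0]); close(fds[1]);
    return r;
}

int main(void) {
    printf("FD_SETSIZE=%d, poll() on fd >= FD_SETSIZE returned %d\n",
           FD_SETSIZE, demo_high_fd());
    return 0;
}
```

Code that must keep `select()` should reject any descriptor for which `select_can_watch()` is false instead of passing it to `FD_SET()`.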