[Pdns-users] PowerDNS Authoritative Server 3.4.0 released
Peter van Dijk
peter.van.dijk at netherlabs.nl
Tue Sep 30 10:41:27 UTC 2014
Hi everybody,
PowerDNS Authoritative Server 3.4.0 is now available!
3.4.0 is the best version of the PowerDNS Authoritative Server currently
available, and we recommend upgrading to it. Please read
http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however!
Please see http://doc.powerdns.com/changelog.html#changelog-auth-3.4.0 for full
release notes and all download links.
You can get PowerDNS 3.4.0 from:
http://downloads.powerdns.com/releases/pdns-3.4.0.tar.bz2
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.0-1_amd64.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.0-1.x86_64.rpm
These files also come with GPG signatures (append .sig).
Additionally, Kees Monshouwer has kindly provided native builds for RHEL and CentOS
at https://www.monshouwer.eu/download/3rd_party/pdns/
This is a performance, feature, bugfix and conformity update to
3.3.1 and any earlier version. It contains a huge amount of
work by various contributors, to whom we are very grateful.
A list of changes since 3.3.1 follows.
Changes between RC2 and 3.4.0:
* gad189c9, g445d93c: also distribute the dnsdist manual page
* gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all
backends actually work as dynamic modules
* g14b11c4: raise log level on dlerror(), fixes t1734, thanks
@James-TR
* g016d810: improve postgresql detection during ./configure
* gdce1e90: DNAME: don't sign the synthesised CNAME
* g25e7af3: send empty SERVFAIL after a backend throws a
DBException, instead of including useless content
Changes between RC1 and RC2:
* gbb6e54f: document udp6-queries, udp4-queries, add
rd-queries, recursion-unanswered metrics & document. Closes
t1400.
* g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init
script: ensure socket dir exists
* gdd930ed: don't import supermaster ips from other accounts
* ged3afdf: fall back to central bind if reuseport bind
fails; improves t1715
* g709ca59: GeoIP backend implementation. This is a new
backend, still experimental!
* gbf5a484: support EVERY future version of OS X, fixes t1702
* g4dbaec6: Check for __FreeBSD_kernel__ as per
https://lists.debian.org/debian-bsd/2006/03/msg00127.html,
fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but
empty on systems with FreeBSD kernels, breaking compile.
Thanks pawal
* g882ca9d: revert setpgrp changes
* g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker
to avoid abort
* g0ffd51d: improve error reporting on malformed labels
* gc48dec7: Fix forwarded TSIG message issue
* gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not
have it (like FreeBSD); fixes t1658
* gc7287b6: should fix t1662, reloading while checking for
domains that need to be notified in BIND, causing lock
* g3e67ea8: allow OPT pseudo record type in IXFR query
* ga1caa8b: webserver: htmlescape VERSION and config name
* gdf9d980: Remove "log-failed-updates" leftover
* ga1fe72a: Remove unused "soa-serial-offset" option
Changes between 3.3.1 and 3.4.0-RC1 follow.
DNSSEC changes:
* gbba8413: add option (max-signature-cache-entries) to limit
the maximum number of cached signatures.
* g28b66a9: limit the number of NSEC3 iterations (see RFC5155
10.3), with the max-nsec3-iterations option.
* gb50efd6: drop the 'superfluous NSEC3' option that old BIND
validators need.
* The bindbackend 'hybrid' mode was reintroduced by Kees
Monshouwer. Enable it with bind-hybrid.
* Aki Tuomi contributed experimental PKCS#11 support for
DNSSEC key management with a (Soft)HSM.
* Direct RRSIG queries now return NOTIMP.
* gfa37777: add secure-all-zones command to pdnssec
* Unrectified zones can now get rectified 'on the fly' during
outgoing AXFR. This makes it possible to run a hidden
signing master without rectification.
* g82fb538: AXFR in: don't accept zones with a mixture of
Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
* Various minor bugfixes, mostly from the unstoppable Kees
Monshouwer.
* g0c4c552: set non-zero exit status in pdnssec if an
exception was thrown, for easier automatic usage.
* gb8bd119: pdnssec -v show-zone: Print all keys instead of
just entry point keys.
* g52e0d78: answer direct NSEC queries without DO bit
* gca2eb01: output ZSK DNSKEY records if
experimental-direct-dnskey support is enabled
* g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
* gac4a2f1: AXFR-out can handle secure and insecure NSEC3
optout delegations
* gff47302: AXFR-in can handle secure and insecure NSEC3
optout delegations
New features:
* DNAME support. Enable with experimental-dname-processing.
* PowerDNS can now send stats directly to Carbon servers.
Enable with carbon-server, tweak with carbon-ourname and
carbon-interval.
* g767da1a: Add list-zone capability to pdns_control
* g51f6bca: Add delete-zone to pdnssec.
* The gsql backends now support record comments, and
disabling records.
* The new reuseport config option allows setting
SO_REUSEPORT, which allows for some performance
improvements.
* local-address-nonexist-fail and local-ipv6-nonexist-fail
allow pdns to start up even if some addresses fail to bind.
* 'AXFR-SOURCE' in domainmetadata sets the source address for
an AXFR retrieval.
* g451ba51: Implement pdnssec get-meta/set-meta
* Experimental RFC2136/DNS UPDATE support from Ruben d'Arco,
with extensive testing by Kees Monshouwer.
* pdns_control bind-add-zone
* New option bind-ignore-broken-records ignores out-of-zone
records while loading zone files.
* pdnssec now has commands for TSIG key management.
* We now support other algorithms than MD5 for TSIG.
* gba7244a: implement pdns_control qtypes
* Support for += syntax for options
Bugfixes:
* We verify the algorithm used for TSIG queries, and use the
right algorithm in signing if there is possible confusion.
Plus a few minor TSIG-related fixes.
* gff99a74: making *-threads settings empty now yields a
default of one instead of zero.
* g9215e60: we had a deadly embrace in getUpdatedMasters in
bindbackend reimplementation, thanks to Winfried for
detailed debugging!
* g9245fd9: don't addSuckRequest after supermaster zone
creation to avoid one cause of simultaneous AXFR for the
same zone
* g719f902: fix dual-stack superslave when multiple
namservers share a ip
* g33966bf: avoid address truncation in doNotifications
* geac85b1: prevent duplicate slave notications caused by
different ipv6 address formatting
* g3c8a711: make notification queue ipv6 compatible
* g0c13e45: make isMaster ip check more tolerant for
different ipv6 notations
* Various fixes for possible issues reported by Coverity Scan
(gf17c93b, )
* g9083987: don't rely on included polarssl header files when
using system polarssl. Spotted by Oden Eriksson of
Mandriva, thanks!
* Various users reported pdns_control hangs, especially when
using the guardian. We are confident that all causes of
these hangs are now gone.
* Decreasing the webserver ringbuffer size could cause
crashes.
* g4c89cce: nproxy: Add missing chdir("/") after chroot()
* g016a0ab: actually notice timeout during AXFR retrieve,
thanks hkraal
REST API changes:
* The REST API was much improved and is nearing stability,
thanks to Christian Hofstaedtler and others.
* Mark Schouten at Tuxis contributed a zone importer.
Other changes:
* Our tarballs and packages now include *.sql schema files
for the SQL backends.
* The webserver (including API) now has an ACL
(webserver-allow-from).
* Webserver (including API) is now powered by YaHTTP.
* Various autotools usage improvements from Ruben Kerkhof.
* The dist tarball is now bzip2-compressed instead of gzip.
* Various remotebackend updates, including replacing curl
with (included) yahttp.
* Dynamic module loading is now allowed on Mac OS X.
* The AXFR ACL (allow-axfr-ips) now defaults to
127.0.0.0/8,::1 instead of the whole world.
* gba91c2f: remove unused gpgsql-socket option and document
postgres socket usage
* Improved support for Lua 5.2.
* The edns-subnet option code is now fixed at 8, and the
edns-subnet-option-numbers option has been removed.
* geobackend now has very limited edns-subnet support - it
will use the 'real' remote if available.
* pipebackend ABI v4 adds the zone name to the AXFR command.
* We now avoid getaddrinfo() as much as possible.
* The packet cache now handles (forwarded) recursive answers
better, including TTL aging and respecting allow-recursion.
* gff5ba4f: pdns_server --help no longer exits with 1.
* Mark Zealey contributed an experimental LMDB backend. Kees
Monshouwer added experimental DNSSEC support to it. Thanks,
both!
* g81859ba: No longer attempt to answer questions coming in
from port 0, reply would not reach them anyhow. Thanks to
Niels Bakker and sid3windr for insight & debugging. Closes
t844.
* RCodes are now reported in text in various places, thanks
Aki.
* Kees Monshouwer set up automatic testing for the oracle and
goracle backends, and fixed various issues in them.
* Leftovers of previous support for Windows have been
removed, thanks to Kees Monshouwer, Aki Tuomi.
* Bundled PolarSSL has been upgraded to 1.3.2
* PolarSSL replaced previously bundled implementations of AES
(ge22d9b4) and SHA (g9101035)
* bindbackend is now a module
* g14a2e52: Use the inet data type for supermasters.ip on
postgrsql.
* We now send an empty SERVFAIL when a CNAME chain is too
long, instead of including the partial chain.
* g3613a51: Show built-in features in --version output
* g4bd7d35: make domainmetadata queries case insensitive
* g088c334: output warning message when no to be notified
NS's are found
* g5631b44: gpsqlbackend: use empty defaults for dbname and
user; libpq will use the current user name for both by
default
* gd87ded3: implement udp-truncation-threshold to override
the previous 1680 byte maximum response datagram size - no
matter what EDNS0 said. Plus document it.
* Implement udp-truncation-threshold to override the previous
1680 byte maximum response datagram size - no matter what
EDNS0 said.
* On shutdown, PowerDNS now attempts to stop all processes in
its process group, especially useful for pipe/remotebackend
users. Feature donated by Spotify.
* Removed settings related to fancy records, as we haven't
supported those since version 3.0
* Based on earlier work by Mark Zealey, Kees Monshouwer
increased our packet cache performance between 200% and
500% depending on the situation, by simplifying some code
in g801812e and g8403ade.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20140930/2d2816f7/attachment.sig>
More information about the Pdns-users
mailing list