[Pdns-users] PowerDNS Authoritative Server 3.4.2 Released
bert.hubert at powerdns.com
Tue Feb 3 10:34:42 UTC 2015
Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a major
upgrade if you are coming from 2.9.x. Additionally, if you are coming from
any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade.
Please refer to the Upgrade documentation for important information on
correct and stable operation, as well as notes on performance and memory

Find the downloads on our download page, https://www.powerdns.com/downloads.html

This is a performance and bugfix update to 3.4.1 and any earlier version.
For high traffic setups, including those using DNSSEC, upgrading to 3.4.2
may show tremendous performance increases. Please let us know.

We would like to thank Patrik Wallström of IIS, Kees Monshouwer and Fredrik
Eriksson of Loopia for working with us on solving several issues that only
became apparent on a 750000 domain (!) DNSSEC installation, the last of
which we could eventually trace to memory fragmentation in the secure
allocator of our cryptography library. This bug chase, which lasted for
over a month, led to numerous other improvements, like better statistical
metrics for plotting (actual CPU usage, uptime, key cache size,
signatures/s) and the 'sharding' of our internal caches to better support

A list of changes since 3.4.1 follows. Please see the full clickable changelog at
* implement CORS for the HTTP API
* qtype is now case insensitive in API and database
* Allow (optional) PIE hardening
* json-api: remove priority from json
* backport remotebackend fixes
* Support Lua 5.3
* support single-type ZSK signing
* Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to
load before we chroot. I can't reproduce the bug on my local system, but
this "should" help.
* update polarssl to 1.3.9
* refuse overly long labels in names
* auth: limit long version strings to 63 characters and catch exceptions in
* pdnssec: fix ttl check for RRSIG records
* fix up latency reporting for sub-millisecond latencies (would clip to 0)
* make sure we don't throw an exception on "pdns_control show" of an unknown
* fix startup race condition with carbon thread already trying to broadcast
* make qsize-q more robust
* Kees Monshouwer discovered we count corrupt packets and EAGAIN situations as
validly received packets, skewing the udp questions/answers graphs on auth.
* make latency & qsize reporting 'live'. Plus fix that we only reported the qsize
of the first distributor.
* fix up statbag for carbon protocol and function pointers
* get priority from table in Lua axfrfilter; fixes ticket #1857
* various backends: fix records pointing at root
* remove additional layer of trailing . stripping, which broke MX records to the
root in the BIND backend. Should close ticket #1243.
* api: use uncached results for getKeys()
* read ALLOW-AXFR-FROM from the backend with the metadata
* move manpages to section 1
* secpoll: Replace ~ with _
* only zones with an active ksk are secure
* api: show keys for zones without active ksk
* add signatures metric to auth, so we can plot signatures/second
* pdns_control: make it possible to notify all zones at once
* JSON API: provide flush-cache, notify, axfr-receive
* add 'bench-db' to do very simple database backend performance benchmark
* enable callback based metrics to statbags, and add 5 such metrics: uptime,
sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size
* better key for packetcache
* don't do time(0) under signature cache lock
* shard the packet cache, closing ticket #1910.
* with thanks to Jack Lloyd, this works around the default Botan allocator
slowing down for us during production use.