[Pdns-users] PowerDNS Recursor v4.2.0-alpha1 Available!

Erik Winkels erik.winkels at open-xchange.com
Fri Feb 1 15:52:25 UTC 2019


(From: https://blog.powerdns.com/2019/02/01/changes-in-the-powerdns-recursor-4-2-0/ )

The 4.2.0 release of the PowerDNS Recursor brings a lot of small, incremental changes over the 4.1.x releases. We expect little operational impact when upgrading from 4.1.x. However, several new features have been implemented and some features have changed.

This release was made possible by contributions from: Gibheer, cclauss, Aki Tuomi, Ruben, Doug Freed, Richard Gibson, Peter Gervai, Oli, Josh Soref, Rens Houben, Kirill Ponomarev, Kees Monshouwer, Matt Nordhoff, OSSO B.V., phonedph1, Rafael Buchbinder, Ruben Kerkhof, spirillen, Tom Ivar Helbekkmo and Chris Hofstaedtler.  Thanks!

DNS FLAG DAY

The 4.2.0 release of the PowerDNS Recursor removes several workarounds for authoritative servers that respond badly to EDNS(0) queries. This is part of a multi-vendor[1] effort known as DNS Flag Day[2] to move the DNS ecosystem forward by being less lenient on non-conforming implementations.

XPF SUPPORT

This release adds support for DNS `X-Proxied-For` (draft-bellis-dnsop-xpf-04[3]). This technique is roughly equivalent to HTTP's `X-Forwarded-For header`, it can communicate the IP address and port of the original requestor from a loadbalancer / frontend (like dnsdist) to the backend server. This can allow the backend server to make decisions regarding that specific client. XPF is disabled by default and can be enabled by setting the `xpf-allow-from` setting to the source IP address of the front-end proxy and setting `xpf-rr-code` to the code of the resource record used by the frontend.

EDNS CLIENT SUBNET IMPROVEMENTS

More granularity has been added for the users of EDNS Client Subnet[4]. The new `ecs-add-for` setting can be set to a list of netmasks for which the requestor’s IP address should be used as the EDNS Client Subnet for outgoing queries. For IP addresses not on this list, the PowerDNS Recursor will use the `ecs-scope-zero-address` instead, which matches the behavior of 4.1.x. Valid incoming ECS values from `use-incoming-edns-subnet` are not replaced.

NEW AND UPDATED SETTINGS

Sites that process large numbers of queries per second (100k+), may benefit from the new `distributor-threads` setting. This can be used in combination with `pdns-distributes-queries=yes` to spawn multiple threads that will pick up incoming queries and distribute them over the worker threads.

For several statistics, the PowerDNS Recursor uses a public suffix list[5] to group queries. Before, this list was built into the binary and only updated for every release. This release adds the `public-suffix-list-file` setting that allows operators to supply their own public suffix list. This option is unset by default, which means the built-in list is used.

Over the last years it has become clear that many networks on the internet lose large UDP packets, leading to authoritative servers being seen as dead from the recursor’s perspective. To ensure return packets from authoritative servers have a better chance of reaching the recursor, the `edns-outgoing-bufsize` setting’s default has changed from 1680 to 1232. 1232 was chosen because it is the largest DNS response that can be carried on an IPv6 link with the IPv6 minimal MTU (1280). In tandem with this change, the `udp-truncation-threshold` that decides when to truncate responses to clients has also been changed from 1680 to 1232.

LOOKING FORWARD

After the release of 4.2.0, the regular bugfix and improvement processes will happen.

At the same time, we will be working on the next major release of the PowerDNS Recursor (probably numbered 5.0) for which we are planning several new and exciting features aimed at moving the DNS ecosystem to a more privacy-centric and secure place. To do this, we would like to implement QNAME Minimisation[6] and support for (longlived) TLS connections to authoritatives[7].

Other improvements we’d like to implement is an experimental feature where the cache is shared between the worker threads.

If you have any ideas that should be in the PowerDNS Recursor in the future, you’re welcome to open a feature request on GitHub[8]. And if you would want to help write these features, we are still looking for people! Have a look at our careers page[9] or send you CV and motivation to powerdns.careers at powerdns.com.

[1] https://blog.powerdns.com/2018/03/22/removing-edns-workarounds/
[2] https://dnsflagday.net/
[3] https://tools.ietf.org/html/draft-bellis-dnsop-xpf-04
[4] https://tools.ietf.org/html/rfc7871.html
[5] https://publicsuffix.org/
[6] https://datatracker.ietf.org/doc/rfc7816/
[7] https://code.fb.com/security/dns-over-tls/
[8] https://github.com/PowerDNS/pdns/issues
[9] https://www.powerdns.com/careers.html
-- 
Erik Winkels
PowerDNS.COM BV -- https://www.powerdns.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190201/fb160100/attachment.sig>


More information about the Pdns-users mailing list