[Pdns-users] PowerDNS Recursor 4.5.1 Released

Otto Moerbeek otto.moerbeek at open-xchange.com
Tue May 11 09:49:26 UTC 2021 

 Hello!

   We are proud to announce the release of PowerDNS Recursor 4.5.1.
   Compared to the release candidate, this release contains two bug fixes.
   Note that 4.5.0 was never released publicly, since an issue was found
   during QA.

   Compared to the previous major (4.4) release of PowerDNS Recursor, this
   release contains a rewrite of the way zone cuts are determined,
   reducing the number of outgoing queries by up to 17% when doing DNSSEC
   validation while reducing the CPU usage more than 20% .

   Another notable feature is the implementation of EDNS0 padding (RFC
   7830[1]) for answers sent to clients.

   This 4.5.1 release includes an important addition: the implementation
   of RFC 8198[2]: Aggressive use of DNSSEC-Validated Cache. This enables
   the Recursor to answer queries for non-existing names with less effort
   in many cases. This feature uses both NSEC and NSEC3 records.
   Additionally the DNSSEC default mode[3] is now "process", while it was
   "process-no-validate" before. This means that clients asking for it
   will get DNSSEC validated answers by default.

   We also added a cache of non-resolving nameservers. This enhances
   performance when the Recursor encounters domains that list nameservers
   that do not resolve and further mitigates the TsuNAME[4] vulnerability.

   This release also features a re-worked negative cache that is shared
   between threads, allowing more efficient use of the cache and reduced
   memory consumption.

   Support for Extended DNS Errors (RFC 8914[5]) has been added. These can
   be enabled by setting the extended-resolution-errors[6] setting to
   'yes', this will send DNSSEC and resolution related errors to clients.
   Extended Errors are also hooked up to the Lua scripting engine[7],
   allowing fine-grained setting of both the error code and extra
   information in the response.

   A "refresh almost expired records" (also called "refetch") mechanism[8]
   has been introduced to keep the record cache warm. In short, if a query
   comes in and the cached record's TTL is almost expired (within N
   percent of its original value) the cached record is served to the
   client and the record queried for in the background, ensuring that new
   queries for that record are fresh and served from the cache.

   Other new features and improvements are:
     * The complete protobuf and dnstap logging code has been rewritten to
       have much smaller performance impact.
     * We have introduced non-offensive synonyms for words used in
       settings. See the upgrade[9] guide.
     * The default minimum TTL[10] override has been changed from 0 to 1.
     * The spoof-nearmiss-max setting[11]'s default has been changed to 1.
       This has the consequence that the Recursor will switch to do TCP
       queries to authoritative nameservers sooner as an effective measure
       against many spoofing attacks.
     * Incoming queries over TCP now also use the packet cache, providing
       another performance increase.
     * File written to by the rec_control command are new opened by the
       command itself. It is also possible to write the content to the
       standard output stream by using a hyphen as file name.
     * TCP FastOpen (RFC 7413[12]) support for outgoing TCP connections to
       authoritative servers and forwarders.

   Please refer to the changelog[13] for additional details.

   Please send us all feedback and issues you might have via the mailing
   list[14], or in case of a bug, via GitHub[15].

   The tarball[16] (signature[17]) is available from our download
   server[18] and packages for several distributions are available from
   our repository[19].

   With this 4.5.1 release, the 4.2.x releases will be EOL and the 4.3.x
   and 4.4.x releases will go into critical fixes only mode. Consult the
   EOL policy[20] for more details.

   We would also like to announce that with this release we will stop
   supporting systems using 32-bit time. This includes 32-bit Linux
   platforms like arm6, arm7, and i386.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

-Otto and the PowerDNS Team

References

   1. https://tools.ietf.org/html/rfc7830.html
   2. https://tools.ietf.org/html/rfc8198
   3. https://docs.powerdns.com/recursor/settings.html#dnssec
   4. https://blog.powerdns.com/2021/05/10/tsuname-vulnerability-and-powerdns-recursor/
   5. https://tools.ietf.org/html/rfc8914.html
   6. https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   7. https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.extendedErrorCode
   8. https://docs.powerdns.com/recursor/settings.html#refresh-on-ttl-perc
   9. https://docs.powerdns.com/recursor/upgrade.html#x-to-4-5-0-or-master
  10. https://docs.powerdns.com/recursor/settings.html#minimum-ttl-override
  11. https://docs.powerdns.com/recursor/settings.html#spoof-nearmiss-max
  12. https://tools.ietf.org/html/rfc7413.html
  13. https://doc.powerdns.com/recursor/changelog/4.5.html#change-4.5.1
  14. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  15. https://github.com/PowerDNS/pdns/issues/new/choose
  16. https://downloads.powerdns.com/releases/pdns-recursor-4.5.1.tar.bz2
  17. https://downloads.powerdns.com/releases/pdns-recursor-4.5.1.tar.bz2.sig
  18. https://downloads.powerdns.com/releases/
  19. https://repo.powerdns.com/
  20. https://docs.powerdns.com/recursor/appendices/EOL.html


--
kind regards,
Otto Moerbeek
PowerDNS Developer


Email: otto.moerbeek at open-xchange.com

-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Carsten Dirks, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Carsten Dirks
-------------------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20210511/1ab01940/attachment.sig>

More information about the Pdns-users mailing list