Het programma PowerDNS is een DNS server met een database als back-end waardoor het beheer van een groot aantal DNS entries op een gemakkelijke manier kan plaats vinden. De ontwikkelaars hebben eind april van 2006 besloten om de twee delen waaruit PowerDNS bestaat, namelijk een recursor en een authoritative nameserver, apart uit te geven. Hierdoor kan men sneller een nieuwe versie uitbrengen, aldus de ontwikkelaars. De ontwikkelaars hebben afgelopen weekend versie 2.9.21 van de PowerDNS Authoritative Server uitgebracht en voorzien van de volgende aankondigingen:
PowerDNS Authoritative Server 2.9.21 released
This release would not have been possible without large amounts of help and support from the PowerDNS Community. We specifically want to thank Massimo Bandinelli of Italy's Register.it, Dave Aaldering of Aaldering ICT, True BV, XS4ALL, Daniel Bilik of Neosystem, EasyDNS, Heinrich Ruthensteiner of Siemens, Augie Schwer, Mark Bergsma, Marco Davids, Marcus Rueckert of OpenSUSE, Andre Muraro of Locaweb, Antony Lesuisse, Norbert Sendetzky, Marco Chiavacci, Christoph Haas, Ralf van der Enden and Ruben Kerkhof.
This is the first release the PowerDNS Authoritative Server since the Recursor was split off to a separate product, and also marks the transfer of the new technology developed specifically for the recursor, back to the authoritative server.
This move has reduced the amount of code of the Authoritative server by over 2000 lines, while improving the quality of the program enormously.
However, since so much has been changed, care should be taken when deploying 2.9.21. It should be noted that 2.9.21 prereleases already power over a million domains.
To signify the magnitude of the underlying improvements, the next release of the PowerDNS Authoritative Server will be called 3.0.
Warning! The 'bind1' legacy version of our BIND backend has been dropped! There should be no need to rely on this old version anymore, as the main BIND backend has been very well tested recently.
- The previous packet parsing and generating code contained no known bugs, but was however very lengthy and overly complex, and might have had security problems. The new code is 'inherently safe' because it relies on bounds-checking C++ constructs. Therefore, a move to 2.9.21 is highly recommended.
- Pre-2.9.21, communication between master and server nameservers was not checked as rigidly as possible, possibly allowing third parties to disrupt but not modify such communications.
- Multi-part TXT records weren't supported. This has been fixed, and regression tests have been added. Code in commits 1016, 996, 994.
- Email addresses with embedded dots in SOA records were not parsed correctly, nor were other embedded dots. Noted by 'Bastiaan', fixed in commit 1026.
- BIND backend treated the 'm' TTL modifier as 'months' and not 'minutes'. Closes Debian bug 406462. Addressed in commit 1026.
- Our snapshots were built against a static version of PosgreSQL that was incompatible with many Linux distributions, leading to instant crashes on startup. Fixed in 1022 and 1023.
- CNAME referrals to child zones gave improper responses. Noted by Augie Schwer in ticket 123, fixed in commit 992.
- When passing a port number with the recursor setting, this would sometimes generate errors during additional processing. Switched off overly helpful additional processing for recursive queries to remove this problem. Implemented in commit 1031, spotted by Ralf van der Enden.
- NS to a nameserver with the name of the zone itself generated problems. Spotted by Augie Schwer, fixed in commit 947.
- Multi-line records in the BIND backend were not always parsed correctly. Fixed in commit 1014.
- The LOC-record had problems operating outside of the eastern hemisphere of the northern part of the world! Fixed in commit 1011.
- Backends were compiled without multithreading preprocessor flags. As far as we can determine, this would only cause problems for the BIND backend, but we cannot rule out this caused instability in other backends. Fixed in commit 1001.
- The BIND backend was highly unstable under reloads, and leaked memory and file descriptors. Thanks to Mark Bergsma and Massimo Bandinelli for respectively pointing this out to us and testing large amounts of patches to fix the problem. The fixes have resulted in better performance, less code, and a remarkable simplification of this backend. Commits 1039, 1034, 1035, 1006, 999, 905 and previous.
- BIND backend gave convincing NXDOMAINS on unloaded zones in some cases. Spotted and fixed by Daniel Bilik in commit 984.
- SOA records in zone transfers sometimes contained the wrong SOA TTL. Spotted by Christian Kuehn, fixed in commit 902.
- PowerDNS could get confused by very high SOA serial numbers. Spotted and fixed by Dan Billik, fixed in commit 626.
- Some versions of FreeBSD perform very strict checks on socket address sizes passed to 'connect', which could lead to problems retrieving zones over AXFR. Fixed in commit 891.
- Some versions of FreeBSD perform very strict checks on IPv6 socket addresses, leading to problems. Discovered by Sten Spans, fixed in commit 885 and commit 886.
- IXFR requests were not logged properly. Noted by Ralf van der Enden, fixed in commit 990.
- Some NAPTR records needed an additional space character to encode correctly. Spotted by Heinrich Ruthensteiner, fixed in commit 1029.
- Many bugs in the TCP nameserver, leading to a PowerDNS process that did not respond to TCP queries over time. Many fixes provided by Dan Bilik, other problems were fixed by rewriting our TCP handling code. Commits 982 and 980, 950, 924, 889, 874, 869, 685, 684.
- Fix crashes on the ARM processor due to alignment errors. Thanks to Sjoerd Simons. Closes Debian bug 397031.
- Missing data in generic SQL backends would sometimes lead to faked SOA serial data. Spotted by Leander Lakkas from True. Fix in commit 866.
- When receiving two quick notifications in succession, the packet cache would sometimes "process" the second one, leading PowerDNS to ignore it. Spotted by Dan Bilik, fixed in commit 686.
- Geobackend (by Mark Bergsma) did not properly override the getSOA method, breaking non-overlay operation of this fine backend. The geobackend now also skips '.hidden' configuration files, and now properly disregards empty configuration files. Additionally, the overlapping abilities were improved. Details available in commit 876, by Mark.
- Thanks to EasyDNS, PowerDNS now supports multiple masters per domain. For configuration details, see Section 13.2. Implemented in commit 1018, commit 1017.
- Thanks to EasyDNS, PowerDNS now supports the KEY record type, as well the SPF record. In commit 976.
- Added support for CERT, SSHFP, DNSKEY, DS, NSEC, RRSIG record types, as part of the move to the new DNS parsing/generating code.
- Support for the AFSDB record type, as requested by 'Bastian'. Implemented in commit 978, closing ticket 129.
- Support for the MR record type. Implemented in commit 941 and commit 1019.
- Gsqlite3 backend was added by Antony Lesuisse in commit 942;
- Added the ability to send out light-weight root-referrals that save bandwidth yet still placate mediocre resolver implementations. Implemented in commit 912, enable with 'root-referral=lean'.
- Miscellaneous OpenDBX and LDAP backend improvements by Norbert Sendetzky. Applied in commit 977 and commit 1040.
- SGML source of the documentation was cleaned up by Ruben Kerkhof in commit 936.
- Speedups in core DNS label processing code. Implemented in commit 928, commit 654, commit 1020.
- When communicating with master servers and encountering errors, more useful details are logged. Reported by Stefan Arentz in ticket 137, closed by commit 1015.
- Database errors are now logged with more details. Addressed in commit 1004.
- pdns_control problems are now logged more verbosely. Change in commit 910.
- Erroneous address configuration was logged unclearly. Spotted by River Tarnell, fixed in commit 888.
- Example configuration shipped with PoAMEs pointing out of our bailiwick. Fixed in commit 983 and expedited by Locaweb.com.br.
- Built-in webserver logs errors more verbosely. Closes ticket 82, gixed in commit 991.
- Queries containing '@' no longer flood the logs. Addressed in commit 1014.
- The build process now looks for PostgreSQL in more places. Implemented in commit 998, closes ticket 90.
- Speedups in the BIND backend now mean large installations enjoy startup times up to 30 times faster than with the original BIND nameserver. Many thanks to Massimo Bandinelli.
- BIND backend now offers full support for query logging, implemented in commit 1026, commit 1029.
- BIND backend named.conf parsing is now fully case-insensitive for domain names. This closes Debian bug 406461, fixed in commit 1027.
- IPv6 and IPv4 address parsing routines have been replaced, which should result in prettier output in some cases. commit 962, commit 1012 and others.
- 5 new regression tests have been added to insure old bugs do not return.
- Fix small issues with very modern compilers and BOOST snapshots. Noted by Marcus Rueckert, addressed in commit 954, commit 964 commit 965, commit 1003.
Warning regarding stricter zone parsing in 2.9.21: query overload
While most users report good results with PowerDNS Authoritative Server 2.9.21, there are some important things you need to watch out for.
PowerDNS 2.9.20 and lower were very lenient with parsing malformed IP addresses, which could not be translated into valid DNS packets. These would be served as '255.255.255.255'.
PowerDNS 2.9.21 is very strict, and drops the question (or more precisely, the answer) once it finds it can't correctly parse the information from the database. This leads to rapid retransmits from your client nameservers, possibly overloading your database! So if your database is suddenly overloaded, verify that all your database records are correct.
A quick way of doing is is trying to AXFR all your zones, and see which ones fail. For MySQL, a trick is to try:
SELECT * FROM records WHERE (type='A' AND INET_ATON(content) IS NULL);
Possibly followed by:
DELETE FROM records WHERE (type='A' AND INET_ATON(content) IS NULL);
Depending on your mood of the day.
Other interesting queries are:
SELECT * FROM records WHERE content LIKE ' %';
So keep this in mind if your servers are suddenly overloaded after upgrading all of them to 2.9.21!