PowerDNS is a DNS server whose authoritative component uses a database as its back-end, which makes managing a large number of DNS entries straightforward. At the end of April this year the developers decided to release the two parts PowerDNS consists of, a recursor and an authoritative nameserver, separately. According to the developers, this lets them ship a new version more quickly. Version 3.1.1 of the PowerDNS recursor is now available; it has picked up the following release notes since its birth roughly a month ago:
3.1.1 is identical to 3.1 except for a bug in the packet chaining code which would mainly manifest itself for IPv6 enabled Konqueror users with very fast connections to their PowerDNS installation. However, all 3.1 users are urged to upgrade to 3.1.1. Many thanks to Alessandro Bono for his quick aid in solving this problem.
Many thanks are due to the operators of some of the largest internet access providers in the world, each having many millions of customers, who have tested the various 3.1 pre-releases for suitability. They have uncovered and helped fix bugs that could impact us all, but are only (quickly) noticeable with such vast amounts of DNS traffic.
After version 3.0.1 has proved to hold up very well under tremendous loads, 3.1 adds important new features:
- Ability to serve authoritative data from 'BIND' style zone files (using auth-zones statement).
- Ability to forward domains so configured to external servers (using forward-zones).
- Possibility of 'serving' the contents of /etc/hosts over DNS, which is very well suited to simple domestic router/DNS setups. Enabled using export-etc-hosts.
- As recommended by recent standards documents, the PowerDNS recursor is now authoritative for RFC-1918 private IP space zones by default (suggested by Paul Vixie).
- Full outgoing IPv6 support (off by default) with IPv6 servers getting equal treatment with IPv4; nameserver addresses are chosen based on average response speed, irrespective of protocol.
- Initial Windows support, including running as a service ('NET START "POWERDNS RECURSOR"'). rec_channel is still missing, the rest should work. Performance appears to be below that of the UNIX versions, this situation is expected to improve.
- No longer send out SRV and MX record priorities as zero on big-endian platforms (UltraSPARC). Discovered by Eric Sproul.
- SRV records need additional processing, especially in an Active Directory setting. Reported by Kenneth Marshall.
- The root-records were not being refreshed, which could lead to problems under inconceivable conditions.
- Fix resolving domain names for nameservers with multiple IP addresses, with one of these addresses being lame. Other nameserver implementations were also unable to resolve these domains, so not a big bug.
- For a period of 5 minutes after expiring a negative cache entry, the domain would not be re-cached negatively, leading to a lot of duplicate outgoing queries for this short period. This fix has raised the average cache hit rate of the recursor by a few percent.
- Query throttling was not aggressive enough and not all sorts of queries were throttled.
- Fix possible crash during startup when parsing empty configuration lines.
- Fix possible crash when the first query after wiping a cache entry was for the just deleted entry. Rare in production servers.
- Recursor would send out differing TTLs when receiving a misconfigured, standards violating, RRSET with different TTLs. Implement fix as mandated by RFC 2181, paragraph 5.2. Reported by Stephen Harker.
- The top-remotes would list remotes more than once, once per source port. Discovered by Jorn Ekkelenkamp.
- Default allow-from allowed queries from fe80::/16, corrected to fe80::/10. Spotted by Niels Bakker.
- While PowerDNS blocks failing queries quickly, multiple packets could briefly be in flight for the same domain and nameserver. This situation is now explicitly detected and queries are chained to identical queries already in flight.
- ANY queries are now implemented as in other nameserver implementations, leading to a decrease in outgoing queries. The RFCs are not very clear on desired behaviour, what is implemented now saves bandwidth and CPU and brings us in line with existing practice. Previously ANY queries were not cached by the PowerDNS recursor.
- rec_control was very sparse in its error reporting, and user unfriendly as well. Reported by Erik Bos.
- IPv6 addresses were printed in a non-standard way.
- TTLs of records are now capped at two weeks.
- allow-from IPv4 netmasks now automatically work for IPv4-mapped IPv6 addresses, which appear when running on the wildcard :: IPv6 address. Lack of feature noted by Marcus 'darix' Rueckert.
- Errors before daemonizing are now also sent to syslog. Suggested by Marcus 'darix' Rueckert.
- When launching without any form of configured network connectivity, all root-servers would be cached as 'down' for some time. Detect this special case and treat it as a resource-constraint, which is not accounted against specific nameservers. Spotted by Seth Arnold.
- The recursor now does not allow authoritative servers to keep supplying its own NS records into perpetuity, which causes problems when a domain is redelegated but the old authoritative servers are not updated to this effect. Noticed and explained at length by Darren Gamble of Shaw Communications.
- Some operators may want to follow RFC 2181 paragraph 5.2 and 5.4. This harms performance and does not solve any real problem, but does make PowerDNS more compliant. If you want this, enable auth-can-lower-ttl.
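Two of the fixes in the list above, the corrected fe80::/10 link-local prefix and the matching of IPv4 netmasks against the IPv4-mapped IPv6 client addresses that a wildcard :: listener hands over, both come down to how an allow-from list is matched against a client address. The following is an added example in Python written for this article; it is not PowerDNS code (the recursor's own matching is C++ and not shown here), and the allow-from entries and client addresses are constructed for illustration.

```python
import ipaddress

# Constructed allow-from list in the spirit of the recursor's default of
# loopback, private space and link-local. fe80::/10 is the correct link-local
# prefix; the 3.1 notes fix an earlier, too narrow fe80::/16.
ALLOW_FROM = ["127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "::1/128", "fe80::/10"]


def parse_allow_from(entries):
    """Parse allow-from style entries into network objects. Host bits are
    masked off (strict=False), so '192.168.1.1/24' means 192.168.1.0/24."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def normalise_client(addr):
    """A socket bound to the wildcard :: address reports IPv4 clients as
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d). Unwrap those so that the
    operator's IPv4 netmasks apply to them instead of silently never matching."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(addr, acl):
    """True when the normalised client address falls inside any ACL entry.
    Membership is always False across address families, so an IPv4 entry can
    never match an IPv6 client or vice versa."""
    ip = normalise_client(addr)
    return any(ip in net for net in acl)


if __name__ == "__main__":
    acl = parse_allow_from(ALLOW_FROM)
    for client in ["192.168.7.9", "::ffff:192.168.7.9", "::ffff:203.0.113.5",
                   "fe9f::1", "2001:db8::1"]:
        print(f"{client:>22} -> {'allowed' if is_allowed(client, acl) else 'refused'}")
    # The old fe80::/16 entry misses most of link-local space:
    narrow = parse_allow_from(["fe80::/16"])
    print("fe9f::1 under fe80::/16:", is_allowed("fe9f::1", narrow))
```

The unwrap step is the whole point of the second fix: without it an operator who lists 192.168.0.0/16 and binds the recursor to :: sees every IPv4 client arrive as ::ffff:192.168.x.y and refused, because an IPv4 netmask never matches an IPv6 address.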
This release consists of nothing but tiny fixes to 3.0, including one with security implications. An upgrade is highly recommended.
- Compilation used both cc and gcc, leading to the possibility of compiling with different compiler versions.
- rec_control would leave files named lsockXXXXXX around in the configured socket-dir. Operators may wish to remove these files from their socket-dir (often /var/run); quite a few might have accumulated already.
- Certain malformed packets could crash the recursor. As far as we can determine these packets could only lead to a crash, but as always, there are no guarantees. A quick upgrade is highly recommended. Reported by David Gavarret.
- Recursor would not distinguish between NXDOMAIN and NXRRSET. Reported and debugged by Jorn Ekkelenkamp.
- Some error messages and trace logging statements were improved.
- stderr was closed during daemonizing, but not dupped to /dev/null, leading to a slight chance of odd behaviour on reporting errors.
Operating system specific fixes:
- The stock Debian sarge Linux kernel, 2.6.8, claims to support epoll but fails at runtime. The epoll self-testing code has been improved, and PowerDNS will fall back to a select based multiplexer if needed. Reported by Michiel van Es.
- Solaris 8 compilation and runtime issues were addressed. Reported by Juergen Georgi and Kenneth Marshall.
- Solaris 10 x86_64 compilation issues were addressed. Reported and debugged by Eric Sproul.
This is the first separate release of the PowerDNS Recursor. There are many reasons for this, one of the most important ones is that previously we could only do a release when both the recursor and the authoritative nameserver were fully tested and in good shape. The split allows us to release new versions when each part is ready.
Now for the real news. This version of the PowerDNS recursor powers the network access of over two million internet connections. Two large access providers have been running pre-releases of 3.0 for the past few weeks and results are good. Furthermore, the various pre-releases have been tested nearly non-stop with DNS traffic replayed at 3000 queries/second. As expected, the 2 million households shook out some very rare bugs. But even a rare bug happens once in a while when there are this many users.
We consider this version of the PowerDNS recursor to be the most advanced resolver publicly available. Given current levels of spam, phishing and other forms of internet crime we think no recursor should offer less than the best in spoofing protection. We urge all operators of resolvers without proper spoofing countermeasures to consider PowerDNS, as it is a Better Internet Nameserver Daemon.
Important new features of the PowerDNS recursor 3.0:
- Best spoofing protection and detection we know of. Not only is spoofing made harder by using a new network address for each query, PowerDNS detects when an attempt is made to spoof it, and temporarily ignores the data.
- First nameserver to benefit from epoll/kqueue/Solaris completion ports event reporting framework, for stellar performance.
- Best statistics of any recursing nameserver we know of.
- Least-recently-used based cache cleanup algorithm, keeping the 'best' records in memory.
- First class Solaris support, built on a 'try and buy' Sun CoolThreads T 2000.
- Full IPv6 support, implemented natively.
- Access filtering, both for IPv4 and IPv6.
- Experimental SMP support for nearly double performance.
Many people helped package and test this release. Jorn Ekkelenkamp of ISP-Services helped find the '8000 SOAs' bug and spotted many other oddities and XS4ALL internet funded a lot of the recent development. Joaquín M López Muñoz of the boost::multi_index_container was again of great help.
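The spoofing protection in the first 3.0 feature above (a fresh source port per query plus detection of replies that do not match anything in flight), together with the RFC 2181 section 5.2 TTL handling and the two-week TTL cap from the 3.1 notes, can be illustrated with a toy outstanding-query table. This is an added example written for this article, not PowerDNS code: the server address, names and the (ttl, rdata) RRset shape are constructed, the 60-second cool-down SPOOF_IGNORE_SECONDS is an assumed value, and the policy that a mismatching reply also makes the genuine reply for that question be discarded is this example's own simplification of "temporarily ignores the data".

```python
import secrets

TWO_WEEKS = 14 * 24 * 3600        # the TTL cap from the 3.1 notes
SPOOF_IGNORE_SECONDS = 60         # assumed cool-down; not a PowerDNS value


def normalise_ttls(rrset):
    """rrset is a list of (ttl, rdata). RFC 2181 section 5.2: differing TTLs
    within one RRset are a sender error, so every record gets the lowest TTL;
    the result is then capped at two weeks."""
    if not rrset:
        return []
    ttl = min(min(ttl for ttl, _ in rrset), TWO_WEEKS)
    return [(ttl, rdata) for _, rdata in rrset]


class Resolver:
    """Toy outstanding-query table: random source port and id per query,
    mismatch detection, and a temporary refusal of data for a question that
    has just been the target of a mismatching reply."""

    def __init__(self):
        self.pending = {}        # (server, src_port, qid) -> (qname, qtype)
        self.suspect_until = {}  # (qname, qtype) -> time until replies are ignored

    def send(self, server, qname, qtype):
        # A fresh ephemeral port and transaction id for every query: a blind
        # attacker has to hit both (roughly 2^16 * 2^16 combinations) rather
        # than only the 16-bit id that a fixed-port resolver exposes.
        while True:
            port = 1024 + secrets.randbelow(64512)   # 1024..65535
            qid = secrets.randbelow(65536)
            key = (server, port, qid)
            if key not in self.pending:
                break
        self.pending[key] = (qname.lower(), qtype)
        return key

    def receive(self, server, dst_port, qid, qname, qtype, rrset, now):
        """Return the accepted, TTL-normalised RRset, or None when the reply is
        dropped: unmatched (stray or forged), or for a question under attack."""
        question = (qname.lower(), qtype)
        key = (server, dst_port, qid)
        if self.pending.get(key) != question:
            # Nothing we sent matches this reply. Treat the question as a
            # spoofing target: refuse its data for a while, even from the
            # genuine reply, since the attacker may have guessed that one too.
            self.suspect_until[question] = now + SPOOF_IGNORE_SECONDS
            return None
        del self.pending[key]
        if self.suspect_until.get(question, 0) > now:
            return None
        return normalise_ttls(rrset)


if __name__ == "__main__":
    r = Resolver()
    server, port, qid = r.send("198.51.100.53", "www.example.com", "A")
    # A forgery that guessed the port but not the id is dropped and marks the question.
    print(r.receive(server, port, (qid + 1) % 65536, "www.example.com", "A",
                    [(3600, "203.0.113.66")], now=0))
    # The genuine reply arriving right after is ignored as well; we re-query later.
    print(r.receive(server, port, qid, "www.example.com", "A",
                    [(3600, "192.0.2.1")], now=1))
    server, port, qid = r.send("198.51.100.53", "www.example.com", "A")
    print(r.receive(server, port, qid, "WWW.example.com", "A",
                    [(3600, "192.0.2.1"), (30 * 86400, "192.0.2.2")],
                    now=SPOOF_IGNORE_SECONDS + 1))
```

The matching key deliberately includes the server address, the destination port, the id and the question: a reply that gets any one of them wrong is not "a wrong answer" but evidence that somebody is guessing, which is why the example refuses data for that question for a while instead of just taking the next reply that does match.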