Software-update: PowerDNS Authoritative Server 3.1

PowerDNS is een dns-server met een database als back-end, waardoor het beheer van een groot aantal dns-entries op een gemakkelijke manier kan plaatsvinden. De ontwikkelaars hebben in april 2006 besloten om de twee delen waaruit PowerDNS bestaat, een recursor en een authoritative nameserver, apart uit te geven. Hierdoor kunnen sneller nieuwe versies worden uitgebracht, aldus de ontwikkelaars. De ontwikkelaars hebben enkele dagen geleden versie 3.1 van PowerDNS Authoritative Server 3.0 uitgebracht. De bijbehorende aankondiging en de lijst met aanpassingen zien er als volgt uit:

Hi everybody,

PowerDNS Authoritative Server 3.1 is now available! 3.1 is the best version of the PowerDNS Authoratitive Server currently available, and we recommend upgrading to it. Please read before you do, however!

If you are coming from 2.9.x, please read in addition to the 3.0->3.1 notes.

Please see for full release notes and all download links.

You can get PowerDNS 3.1 from:

These files also come with GPG signatures (append .sig).

Additionaly, Kees Monshouwer has kindly provided native builds for RHEL/CentOS 5 and 6 at

Please see for full release notes and additional download links.

Full list of changes since 3.0:
  • pdnssec now honours the default-soa-name setting. Reported by Kees Monshouder, fixed in commit 2600.
  • The hidden test-algorithms command for pdnssec now has a little brother 'test-algorithm X'. Code in commit 2596, by Aki Tuomi.
  • PolarSSL upgraded to 1.1.2 due to weak RSA key generation (commit 2586). If you created RSA keys with RC1 or RC2 using PolarSSL, please replace them! This upgrade introduced a slowdown; speedup patch in commit 2593.
  • It turns out we were using libmysqlclient in a thread-unsafe manner. This issue was reported and painstakingly debugged by Marc Haber. Presumably fixed in commit 2591.
  • Updated a bunch of internal counters to be threadsafe. Code in commit 2579.
  • NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael Braunoeder, patch by Aki Tuomi in commit 2590.
  • pdnssec check-zone now reports MBOXFW and URL records (as those are unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch by Ruben d'Arco. Closes ticket 446.
  • The odbcbackend was removed. It only runs on Windows and Windows is unsupported since 3.0. Removal in commit 2576.
  • We used to send the chunk length and the actual chunk in two separate writes (often resulting in two separate TCP packets) during outbound AXFR. This confused MSDNS. We now combine those writes. Code in commit 2575.
  • The bindbackend can now run without SQLite3, as previously intended. Fix in commit 2574.
  • Some high-concurrency master setups would crash under load. Fixed in commit 2571.
  • We imported the TinyDNS backend by Ruben d'Arco. Code mostly in commit 2559 . See Section 15, “TinyDNS Backend”.
  • Overriding C(XX)FLAGS is easier now. Problem pointed out by Jose Arthur Benetasso Villanova and others, fix suggested by Sten Spans. Patch in commit 2533.
  • TSIG fixes: skip embedded spaces in keys (commit 2536), compute signatures correctly (by Ruben d'Arco in commit 2547),
  • nproxy, dnsscan and dnsdemog did not compile at all. Fixes in commit 2538, commit 2554.
  • We now allow unescaped tabs in TXT records. Fix in commit 2539.
  • SOA records no longer disappear during incoming transfers. Fix by Ruben d'Arco in commit 2540.
  • PowerDNS compiles on OS X (and other platforms that support our auth server but not the recursor) again, fix in commit 2566.
  • Cleanups related to warnings from gcc and valgrind in commit 2561, commit 2562, commit 2565.
  • Solaris compatibility fixes by Ruben d'Arco, Juraj Lutter and others in commit 2548, commit 2552, commit 2553, commit 2560. Fixes for *BSD in commit 2546.
  • pdns_control help would report 'version' twice, reported by Gerwin, fix in commit 2549.
DNSSEC related fixes:
  • When slaving zones, PowerDNS now automatically detects that a zone is presigned. Code in commit 2502, closing ticket 369, ticket 392.
  • The bindbackend can now manage its own SQLite3 database to store key data, removing the need to run it with a gsql backend. Code in commit 2448, commit 2449, commit 2450, commit 2451, commit 2452, commit 2453, commit 2455, commit 2482, commit 2496, commit 2499.
  • NSEC/NSEC3 logic for picking 'boundary' names was tricky, and got it wrong in some cases. Fixes in commit 2289, commit 2429, commit 2435 and commit 2473.
  • The subtle differences between 'what records get NSEC', 'what records get NSEC3' and 'what records should get signed' did not translate well to the SQL auth column. We now use 'ordername IS NULL' to map the whole spectrum. Code in commit 2477, commit 2480, commit 2492.
  • Pre-signed AXFR output, although correct, was different from our query responses. Rectified in commit 2477.
  • Spotted & fixed by Jimmy Bergman of Atomia, CNAMEs and RRSIGs could have bad interactions. Fix in commit 2314, further refined in commit 2318. Closes ticket 411.
  • Spotted & fixed by Jimmy Bergman of Atomia, we now allow direct RRSIG queries even when do=0.
  • Spotted by Mark Scholten and Marco Davids, we would sometimes generate duplicate (and wrong) RRSIGs when signing an ANY answer because of record jumbling. Fix in commit 2381.
  • Several fixes to handling of DS queries, in commit 2420, commit 2510, commit 2512.
  • We now lowercase the signer name in an RRSIG. This is not mandated by DNSSEC specification but it improves compatibility with some validators. Fix in commit 2426.
Bug fixes:
  • Winfried Angele discovered we would open an additional backend connection per zone in the BIND backend. This only impacted users with multiple simultaneous backends. Fix in commit 2253, closing ticket 383.
  • All versions of max-cache-entries setting had confusing behaviour when set to 0. Now clarified to mean that 0 truly means 0, and not 'infinite'. Change in commit 2328.
  • Wildcards in the presence of delegations were broken. Reported by a cast of thousands. Fix & regression test in commit 2368. Closes ticket 389.
  • Internal caches used an order of magnitude more memory than expected and some were not purged properly, which hindered real life deployments. Spotted by Winfried Angele and others. Fixed in commit 2287 and commit 2328.
  • Christof Meerwald discovered our .tar file missed a file of the Lua backend. Change in commit 2257.
  • Paul Xek found out that the edns-subnet support did not work for subnets tinier than a /25 or /121. Fix in commit 2258.
  • edns-subnet aware PIPE scripts received bogus remote information on AXFR requests. Fixed in commit 2284.
  • Fix compilation against older versions of MySQL that do not have MYSQL_OPT_RECONNECT. commit 2264, closing ticket 378.
  • D. Stussy of discovered that PowerDNS could not parse a DNS packet with a trailing blob of unknown length. Fixed in commit 2267.
  • 'pdnssec' did not work for records with NULL ttls. Fixed in commit 2266, closing ticket 432.
  • Pipe backend had issues parsing IPv6 records in ABI version 3. Fixed in commit 2260.
  • We truncated the altitude in LOC records! I hope no one got lost. Fix in commit 2268.
  • Xander Soldaat discovered that even if the web server was not configured, we'd still listen on the port. Fix in commit 2269, closes ticket 402.
  • The PIPE backend issues frequent fork()s, leading to potential fd leaks if these are not marked as 'close on exec'. Solved in commit 2273, closing ticket 194.
  • Robert van der Meulen found that we messed up the interaction between wildcards and CNAMEs. Fixed in commit 2276, which also adds a regression test to prevent this issue from recurring.
  • Fred Wittekind discovered that our notification proxy 'nproxy' no longer built from source. Fixed in commit 2278.
  • Grant Keller found that we were inconsistent with spaces in labels, thus breaking DNS-SD. Fix in commit 2305.
  • Winfried Angele fixed our autoconf script for Lua detection in commit 2308.
  • BIND backend would leak an fd when including a configuration file from named.conf. Spotted by Hannu Ylitalo of Nebula Oy in commit 2359.
  • GSQLite3 backend could crash on a network error at the wrong moment, leading to a restart by the guardian. Fix in commit 2336.
  • './configure --enable-verbose-logging' was broken, fixed in commit 2312.
  • PowerDNS would serve up old SOA data immediately after sending out a notification. Complicated bug documented perfectly in ticket 427, which also came with not one but with two different patches to fix the problem. Thanks to Keith Buck. Code in commit 2408.
  • Flag '--start-id' in zone2sql was not functional. Removed for now in commit 2387, closing ticket 332.
  • Our distribution tarball did not have the SQL schemas. Fixed in commit 2459 and commit 2460.
  • "Empty" MX records would confuse one of our parsers. Fixed in commit 2468, closing Debian bug 533023.
  • The pdns.conf 'wildcards'-setting did not do anything in 3.0, so it was removed. Change in commit 2508, commit 2509.
  • Additional processing based on records loaded by the BIND backend might fail because of a trailing dot mismatch. Fix in commit 2398.
New features:
  • Per-zone AXFR ACLs, based on the allow-axfr-ips zone metadata item. Code in commit 2274. Also, remove some remains of our previous approach to supporting this in commit 2326.
  • Alberto Donato and Zsolt Dollenstein implemented autoserial support for the Generic SQL backends. Code in commit 2290, commit 2294, commit 2296, commit 2299, commit 2300, commit 2303. Closes ticket 52, ticket 299, ticket 301, ticket 336.
  • New SOA Serial Tweak mode INCEPTION-EPOCH for when operating as a 'signing slave', contributed by Jimmy Bergman. Code and documentation in commit 2320.
  • Newlines in the 'content' field of backends are now allowed, restoring some DKIM setups to working condition. Update in commit 2394, closing ticket 395.
  • Depending on the encoding used, MySQL could take issue with our 'tsigkeys' table which contained very large rows. Trimmed in commit 2400, closing ticket 410.
  • Various build/configure-related fixes in commit 2319, commit 2373, commit 2386, closing ticket 380, ticket 405, ticket 420.
  • We now show the SOA serial after zone transfers. Code in commit 2385, closing ticket 416.
  • Ruben d'Arco submitted a full rework of our slave-side AXFR TSIG handling, closing ticket 393 and ticket 400 in the process. Code in commit 2506. Additional improvement in commit 2513.
  • The in the gpgsql schema is now constrained to lowercase, as PowerDNS would be unable to find other entries anyway. Fix in commit 2503, closing ticket 426.
  • The gsql-backends can now handle huge records, thanks to a patch by Ruben d'Arco. Code in commit 2476, closing ticket 407. Additional changes in commit 2292, commit 2487, commit 2489. Closes ticket 218, ticket 316.
  • Some of PowerDNS' internal classes would work with uninitialized data when repurposed outside of the PowerDNS core logic. Fix in commit 2469,
  • pdnssec now has 'check-all-zones' and 'rectify-all-zones' commands. Submitted by Ruben d'Arco, code in commit 2467.
  • 'restart' in our init.d-script would not start pdns if it was down before. Fixed in commit 2462.
  • 'pdnssec rectify-zone' now honours --verbose and is rather quiet without it. Code in commit 2443.
  • Improved error messages for systems without IPv6. Changes in commit 2425.
  • The packet- and querycache now honour TTLs from backend data. Code in commit 2414.
  • 'pdns_control help' now shows useful usage information. Code in commit 2410 and commit 2465.
  • Jasper Spaans improved our init.d script for compliance with Debian Squeeze. Patch in commit 2251. Further improvement with 'set -e' to initscript contributed by Marc Haber in commit 2301.
  • Klaus Darilion discovered our configuration file template and --help output explained the various cache TTLs wrongly, and he also added documentation for some missing parameters. commit 2271 and commit 2272.
  • Add support for building against Botan 1.10 (stable) and drop support for 1.9 (development). Changes in commit 2334. This fixes several bugs when building against 1.9.
  • Upgrade internal PolarSSL library to their version 1.1.1. Change in commit 2389 and beyond.
  • Compilation of several backends failed for Boost in non-standard locations. Fixes in commit 2316..
  • We now do additional processing for SRV records too. Code in commit 2388, closing ticket 423 (which also contained the patch). Regression test updates that flow from this in commit 2390.
  • Fix compilation on OSX. commit 2316.
  • Fix pdnssec crash when asked to do DNSSEC without a DNSSEC capable backend. Code in commit 2369.
  • If PowerDNS was not configured to operate as a DNS master, it would still accept 'pdns_control notify' commands, but then not do it. Spotted by David Gavarret, patch by Jose Arthur Benetasso Villanova in commit 2379.
  • In various places we would only accept UPPERCASE DNS typenames. Fixed in commit 2370, closing ticket 390.
  • We would not always drop supplemental groups correctly. Reported by David Black of Atlassian.
  • Our regression tests have been strengthened a lot, and now cover way more features. Commits in 2280, 2281, 2282, 2317, 2348, 2349, 2350, 2351 and beyond.
  • Update to support the latest draft of DANE/TLSA. Spotted by James Cloos (commit 2338). Further improvements by Pieter Lexis in commit 2347, commit 2358.
  • Compilation on OpenBSD was eased by patches from Brad Smith, which can be found in commit 2288 and commit 2291, closing ticket 95.
  • 'make check' failed on the internal PolarSSL. Spotted by Daniel Briley, fix in commit 2283.
  • The default SQL schemas were expanded to contain far longer content fields. commit 2292, commit 2293.
  • Documentation typos, Jake Spencer (commit 2304), Jose Arthur Benetasso Villanova (commit 2337). Code typos in commit 2324 (closes ticket 296).
  • Manpage updates from Debian, provided by Matthijs Möhlmann. Content in commit 2306.
  • pdnssec rectify-zone can now accept multiple zones at the same time. Code in commit 2383.
  • As suggested in ticket 416, we now log the SOA serial number after committing an AXFRed zone to the backend. Code in commit 2385.
  • Pick up location of sqlite3 libraries using pkg-config. Implemented using a variation of the patch found in the, now closed, ticket 380. Code in commit 2386.
  • Documented 'pdnssec --verbose' flag is now accepted. Code in commit 2384, closing ticket 404.
  • 'pdnssec --help' now lists all supported signing algorithms. Suggested by Jose Arthur Benetasso Villanova.
  • PIPE backend example script with edns-subnet support was improved to actually use edns-subnet field. Plus update PIPE backend documentation. Code in commit 2285, more documentation regarding MX and SRV in commit 2313.
  • edns-subnet fields now also output in logfile when available (commit 2321).
  • When running with virtualized configuration files, we now allow dashes in the configuration name. Suggested by Marc Haber, code in commit 2295. Further fixes by Brielle Bruns in commit 2327.
  • Compilation fixes for GNU/Hurd in commit 2307 via Matthijs Möhlmann.
  • Marc Haber improved our Debian packaging scripts for smoother upgrades. Code in commit 2315.
  • When failing to bind to an IP address, report to which one it failed. commit 2325.
  • Supermaster checks were performed synchronously, leading to the possibilities of slowdowns. Fixed in commit 2402.
Other changes:
  • Removed the deprecated non-generic mysqlbackend, in commit 2488, commit 2514, commit 2515.
  • Removed the deprecated 'pdnsbackend', in commit 2490, commit 2516.
  • Removed GRANT statements from the gpgsql schema, as we can't assume they will work for everyone. Change in commit 2493.
Tickets closed but not associated with a commit:
  • ticket 125: "PowerDNS offers wild card info. when it is not queried for."
  • ticket 219: "Accept NOTIFY from masters on non-standard port"
  • ticket 247: "pdns caching weirdness with recursion-desired flag"
  • ticket 253: "bind backend crashes on long comment line in included file"
  • ticket 271: "PowerDNS Server responding with out-of-zone authority section in case there is a cname"
  • ticket 304: "also-notify option for pdns, also gives also-notify for bindbackend."
  • ticket 311: "PowerDNSSEC responding with SERVFAIL upon IN A query for a CNAME"
  • ticket 325: "CNAME working strange!"
  • ticket 376: "Unable to create long TXT records"
  • ticket 412: "--without-lua doesn't disable lua"
  • ticket 415: "Signing thread died during AXFR of signed domain"
  • ticket 422: "ecdsa256 keys bug"
Kind regards,
- --
Peter van Dijk
Netherlabs Computer Consulting BV -
Versienummer 3.1
Releasestatus Final
Besturingssystemen Linux, BSD, Solaris, UNIX
Website PowerDNS
Licentietype GPL

Reacties (2)

Wijzig sortering
Gweldige database dit dmv zijn Mysql backend.
Wat ik tijdens een projectje op werk heb gedaan (data center), is onze huidige database tabellen gefilterd op server-namen en hun bijbehorende IP dmv van SQL-views, deze views werden aangevuld met gegevens die PowerDNS verwacht in zijn tabelformaat -- et voila. Nu zonder gekke hacks of redundante informatie in de database kan ik nu servers benaderen via hun servercode (natuurlijk alleen voor intern gebruik aangezien een TLD mist).
Hierdoor kunnen sneller nieuwe versies worden uitgebracht, aldus de ontwikkelaars.
* DeTeraarist kijkt naar de updategeschiedenis
Het kan wel, maar het hoeft niet!

Kies score Let op: Beoordeel reacties objectief. De kwaliteit van de argumentatie is leidend voor de beoordeling van een reactie, niet of een mening overeenkomt met die van jou.

Een uitgebreider overzicht van de werking van het moderatiesysteem vind je in de Moderatie FAQ

Rapporteer misbruik van moderaties in Frontpagemoderatie.

Op dit item kan niet meer gereageerd worden.

Nintendo Switch (OLED model) Apple iPhone SE (2022) LG G1 Google Pixel 6 Call of Duty: Vanguard Samsung Galaxy S22 Garmin fēnix 7 Nintendo Switch Lite

Tweakers vormt samen met Hardware Info, AutoTrack,, Nationale Vacaturebank, Intermediair en Independer DPG Online Services B.V.
Alle rechten voorbehouden © 1998 - 2022 Hosting door True

Tweakers maakt gebruik van cookies

Tweakers plaatst functionele en analytische cookies voor het functioneren van de website en het verbeteren van de website-ervaring. Deze cookies zijn noodzakelijk. Om op Tweakers relevantere advertenties te tonen en om ingesloten content van derden te tonen (bijvoorbeeld video's), vragen we je toestemming. Via ingesloten content kunnen derde partijen diensten leveren en verbeteren, bezoekersstatistieken bijhouden, gepersonaliseerde content tonen, gerichte advertenties tonen en gebruikersprofielen opbouwen. Hiervoor worden apparaatgegevens, IP-adres, geolocatie en surfgedrag vastgelegd.

Meer informatie vind je in ons cookiebeleid.


Toestemming beheren

Hieronder kun je per doeleinde of partij toestemming geven of intrekken. Meer informatie vind je in ons cookiebeleid.

Functioneel en analytisch

Deze cookies zijn noodzakelijk voor het functioneren van de website en het verbeteren van de website-ervaring. Klik op het informatie-icoon voor meer informatie. Meer details


    Relevantere advertenties

    Dit beperkt het aantal keer dat dezelfde advertentie getoond wordt (frequency capping) en maakt het mogelijk om binnen Tweakers contextuele advertenties te tonen op basis van pagina's die je hebt bezocht. Meer details

    Tweakers genereert een willekeurige unieke code als identifier. Deze data wordt niet gedeeld met adverteerders of andere derde partijen en je kunt niet buiten Tweakers gevolgd worden. Indien je bent ingelogd, wordt deze identifier gekoppeld aan je account. Indien je niet bent ingelogd, wordt deze identifier gekoppeld aan je sessie die maximaal 4 maanden actief blijft. Je kunt deze toestemming te allen tijde intrekken.

    Ingesloten content van derden

    Deze cookies kunnen door derde partijen geplaatst worden via ingesloten content. Klik op het informatie-icoon voor meer informatie over de verwerkingsdoeleinden. Meer details