PowerDNS is a DNS server with a database as its back-end, which makes managing a large number of DNS entries straightforward. In April 2006 the developers decided to release the two parts that make up PowerDNS, a recursor and an authoritative nameserver, separately; according to the developers, this allows new versions to be released faster. Earlier this month the developers released version 3.2 of PowerDNS Authoritative Server. The accompanying announcement and the list of changes are as follows:
PowerDNS Authoritative Server 3.2 is now available!
3.2 is the best version of the PowerDNS Authoritative Server currently available, and we recommend upgrading to it. Please read http://doc.powerdns.com/from3.1to3.2.html before you do, however!
Please see http://doc.powerdns.com/changelog.html#changelog-auth-3-2 for full release notes and all download links.
You can get PowerDNS 3.2 from:
These files also come with GPG signatures (append .sig).
Additionally, Kees Monshouwer has kindly provided native builds for RHEL/CentOS 5 and 6 at http://www.monshouwer.eu/download/3rd_party/pdns-server/
This is a stability and conformity update to 3.1. It mostly makes our DNSSEC implementation more robust, and improves interoperability with various validators. 3.2 has received very extensive testing on a lot of edge cases, verifying output both against common validators and compared against other authoritative servers.
In addition to all the changes below, we now auto-build semi-static packages. Relevant changes to make that possible are in commit 2849, commit 2853, commit 2858, commit 2859, commit 2860.
Changes between 3.2-RC4 and the final 3.2 release:
Changes between 3.2-RC3 and 3.2-RC4:
- Aki Tuomi contributed a bunch of fixes to our crypto drivers. Code in commit 3036 and commit 3055/commit 3057.
- The ksk|zsk argument for pdnssec import-zone-key was required while it should be optional. Fixed in r3051.
Changes between 3.2-RC2 and 3.2-RC3:
- The experimental undocumented bindbackend superslave mode would break the first added domain until a restart. Fixed by Kees Monshouwer in commit 3013.
- Sander Hoentjen reported an issue with our choice of ports for outgoing TCP connections. Investigating it turned up that we were randomizing TCP connections on purpose while leaving UDP port choice to the kernel, which should be the other way around. Fixed in commit 3014, closing ticket 643 and ticket 644.
- Aki Tuomi contributed some autoconf code to use mysql_config if it is available. Code in commit 3015 and commit 3019, closing ticket 458.
- The Mongo backend was removed at the author's request, as it does not work with any current libmongo versions. Change in commit 3017.
- Mark Zealey discovered we were retrieving the ascii powerdns version string for each packet, not just for version string queries. Fixed in commit 3018, closing ticket 651.
- Our new json code would not compile on solaris 9 and 10 due to lack of strcasestr. Juraj Lutter contributed a portable version in commit 3020.
- Mark Zealey noted that RRs with low TTLs could lower our query-cache-ttl persistently. Fixed in commit 3023, closing ticket 662.
- pdnssec now honours module-dir, patch by Fredrik Danerklint in commit 3026.
Changes between 3.2-RC1 and 3.2-RC2:
- Michael Scheffler noticed that the lazy-recursion setting had no effect at all. Setting removed in commit 3003.
- Mark Zealey found that an earlier performance improvement could cause crashes under high load, with lots of IPs configured in local-address and receiver-threads higher than 1. Fixed in commit 3005.
Changes below are in 3.2-RC1 and up.
- The udp-queries metric would only count on the first thread launched, instead of on all threads. Additionally, it was initialised at MAXINT at startup, instead of at 0. Both issues fixed by Kees Monshouwer in commit 2999, closing ticket 491 and ticket 582.
- Aki Tuomi contributed zone2json, a great way for programmers to benefit from our zone file parser. Code in commit 2997, closes ticket 509.
- Our DNS TXT parser is not 8-bit safe, but our DNS TXT writer assumes the reader is! Reported by Jan-Piet Mens in ticket 541, commit 2993 fixes our writer but not yet our parser.
- Ruben d'Arco did some improvements to the MyDNS backend, and provided a full test suite for it, that we now run after every commit. Code in commit 2988.
- Some exceptions from backends would lose their meaning while bubbling up. Fixed by Aki Tuomi in commit 2985, closing ticket 639.
- The packet-cache honours max reply length while matching cached packets against queries, but not EDNS status. This would mean that EDNS-enabled replies with a 512 reply len could be returned on non-EDNS queries. Spotted while investigating a report from Winfried Angele, patched by Ruben d'Arco in commit 2982, closing ticket 630.
- Errors involving creating, deletion or changing permissions on the control socket were unclear. Ruben d'Arco improved this in commit 2981.
- pipe-timeout was always documented to be in milliseconds, but it turns out it was in seconds! commit 2971 changes them to actually be in ms, and 'increases' the default from 1000 seconds to 2000 milliseconds.
- Some exceptions would get dropped during inbound AXFR, yielding a log file that says 'transaction started' and nothing after that, making AXFR fail silently. commit 2976 and commit 2977 improve this somewhat.
- We now error out on empty labels inside of names (www..example.com) instead of generating bogus reply packets. Code in commit 2972, reported by several users.
- Doing chmod before chown, instead of the other way around, apparently avoids requiring a whole SELinux capability. Reported by Sander Hoentjen, fixed in r2965.
- Christian Hofstaedtler fixed a bug in our Debian init.d script. Code in commit 2963.
- Superslave errors ('Unable to find backend willing to host ..') now include the NSset found at the master, to aid debugging. Code in commit 2887.
- commit 2874 in RC1 broke compilation without SQLite3 and made query logging unreliable. Fixed in commit 2888, commit 2889.
- The dnsreplay tool now processes single packet pcaps. Fix in commit 2895.
- PowerDNS always derives NSEC/NSEC3 from the actual zone content. To accommodate this, zone2sql now drops NSEC/NSEC3 records, as those should never be in a PowerDNS backend directly (commit 2915), bindbackend ignores NSEC/NSEC3 while reading zonefiles (commit 2917) and pdnssec reports NSEC/NSEC3 in the database as an error condition (commit 2918).
- The bindbackend now ignores NSEC/NSEC3 records while reading zonefiles. Change in commit 2917.
- An EXPERIMENTAL feature ('direct-dnskey') for reading ZSKs from the records table/your BIND zonefile was added in commit 2920, commit 2921, commit 2922.
- While fully optional, PowerDNS supports direct RRSIG queries. Kees Monshouwer improved on our behaviour for those queries in commit 2927.
- IPv6 glue situations require AAAA records for the receiving end of a delegation in the ADDITIONAL section of a referral. This was supported ('do-ipv6-additional-processing') but not enabled by default. commit 2929 enables it by default.
- pdnssec check-zone now warns for CNAME-and-other data at names in your zones. Code by Ruben d'Arco in commit 2930.
- Positive ANY-responses would include a spurious NSEC3. Corrected in commit 2932 and commit 2933, cleaned up by Kees Monshouwer in commit 2935.
- The ldapbackend now allows overriding the base dn for AXFR subtree search. Fixed in commit 2934, closing ticket 536.
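Two items in the list above concern the reply cache: the packet cache matching an EDNS-sized cached reply against a non-EDNS query (commit 2982), and a record with a low TTL lowering query-cache-ttl persistently (commit 3023). The following is an added example, not PowerDNS code, of a cache whose key includes EDNS status and the client's maximum reply length and whose TTL clamp is applied per entry; the class names, the 20-second default and the constructed replies are assumptions for this example.

```python
"""Toy reply cache for an authoritative DNS server (constructed example, not
PowerDNS code).  A cached reply is only reused for a query with the same EDNS
status and maximum reply length, and a short record TTL shortens only its own
entry rather than the server-wide query-cache-ttl setting.  Names and the
default TTL are assumptions; the 512-octet limit is RFC 1035's."""
from dataclasses import dataclass

QUERY_CACHE_TTL = 20      # stand-in for the query-cache-ttl setting; never mutated
CLASSIC_UDP_LIMIT = 512   # largest UDP reply a client without an OPT record can take


@dataclass(frozen=True)
class CacheKey:
    qname: str
    qtype: str
    has_edns: bool
    max_reply_len: int


@dataclass
class CacheEntry:
    reply: bytes
    expires_at: float


class ReplyCache:
    def __init__(self, default_ttl=QUERY_CACHE_TTL):
        self.default_ttl = default_ttl
        self._entries = {}
        self.hits = 0
        self.misses = 0

    @staticmethod
    def make_key(qname, qtype, has_edns, udp_payload_size=CLASSIC_UDP_LIMIT):
        # EDNS status and the client's buffer size are part of the key, so a
        # 900-octet EDNS reply is never handed to a client that sent no OPT.
        max_len = udp_payload_size if has_edns else CLASSIC_UDP_LIMIT
        return CacheKey(qname.lower().rstrip(".") + ".", qtype.upper(), has_edns, max_len)

    def insert(self, key, reply, rr_ttls, now):
        if len(reply) > key.max_reply_len:
            raise ValueError("reply does not fit the client's buffer; it needs TC=1, not caching")
        # Per-entry clamp: min(setting, lowest RR TTL).  The setting itself is
        # left alone, so the next entry gets the full default again.
        ttl = min([self.default_ttl, *rr_ttls])
        self._entries[key] = CacheEntry(reply, now + ttl)

    def lookup(self, key, now):
        entry = self._entries.get(key)
        if entry is None or entry.expires_at <= now:
            self._entries.pop(key, None)
            self.misses += 1
            return None
        self.hits += 1
        return entry.reply


def demo():
    """Walk through both fixes with constructed replies; returns a result dict."""
    cache = ReplyCache()
    edns_key = cache.make_key("example.com", "TXT", has_edns=True, udp_payload_size=4096)
    plain_key = cache.make_key("example.com", "TXT", has_edns=False)
    big_reply = b"\x00" * 900          # constructed 900-octet EDNS-sized reply
    cache.insert(edns_key, big_reply, rr_ttls=[3600], now=0.0)

    low_key = cache.make_key("short.example.com", "A", has_edns=False)
    cache.insert(low_key, b"\x00" * 100, rr_ttls=[5], now=0.0)        # 5-second TTL record
    other_key = cache.make_key("other.example.com", "A", has_edns=False)
    cache.insert(other_key, b"\x00" * 100, rr_ttls=[300], now=0.0)    # ordinary record

    return {
        "edns_hit": cache.lookup(edns_key, now=1.0) is big_reply,
        "plain_miss": cache.lookup(plain_key, now=1.0) is None,
        "low_ttl_expired": cache.lookup(low_key, now=6.0) is None,
        "default_ttl_intact": cache.default_ttl == QUERY_CACHE_TTL
        and cache.lookup(other_key, now=15.0) is not None,
        "hits": cache.hits,
        "misses": cache.misses,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key normalises case and the trailing dot so that `Example.COM.` and `example.com` share an entry, while the EDNS flag and buffer size keep a 900-octet reply away from a client that can only accept 512 octets; the TTL clamp lives in `insert`, so the server-wide default is read but never written.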
DNSSEC changes in 3.2:
- Kees Monshouwer did a tremendous amount of work to improve and perfect our DNSSEC implementation, mostly in the NSEC3 area. Code in commit 2687, commit 2689, commit 2691, fixing ticket 486, ticket 537, ticket 540. He also implemented support for Empty Non-Terminals, code in commit 2721, commit 2732, commit 2745, fixing ticket 127 and ticket 558.
- Presigned wildcard operation was improved with the help of many parties (see commit message for commit 2676). Presigned operation was also changed to be more consistent with master/live-signing operation. Code and a full test suite in commit 2709, which also improves TTL behaviour for various situations. Fixes ticket 460, ticket 533, ticket 559.
- Depending on database & locale settings, names starting with underscore would sometimes cause broken records. commit 2710 contains schema and code changes for the gpgsql and gmysql backends to sort this (no pun intended) definitively, closing ticket 550. In addition, a pdnssec test-schema command was added (experimental and incomplete). It can be used to verify underscore sorting and a few other parameters of the database. Code in commit 2714.
- We now always include an EDNS section in responses to queries that also had an EDNS section. This was thought to improve BIND interoperability, but this turned out to be false. In any case, this change improves standards compliance. Spotted by Mats Dufberg, code in commit 2649.
- It turns out we were storing Botan keys the wrong way. Botan did not care but Polar did, causing interoperability problems. Fixed in commit 2720, with the kind help of Paul Bakker of PolarSSL. Fixes ticket 492 as reported by Florian Obser via Debian.
- pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already did. Code in commit 2692.
- pdns_control purge now also purges DNSSEC-related caches (keys and metadata). Code in commit 2694, by Ruben d'Arco. Fixes ticket 530.
- The signer thread would die in specific situations, leaving you with a non-working but very busy system. Fixed in commit 2668, commit 2670, closing ticket 517.
- pdnssec secure-zone now warns when you just signed a slave zone. Suggested by Mark Scholten, code in commit 2795, closes ticket 592.
- pdnssec check-zone now warns about out-of-zone data. Patch by Kees Monshouwer in commit 2826, closing ticket 604.
- pdnssec now honours --no-config. Patch by Kees Monshouwer in commit 2810.
- Various fixes for bindbackend presigned operation, mostly by Kees Monshouwer. Code in commit 2815, closing ticket 600.
- Bindbackend could get confused about domain metadata, sometimes even causing hangs. Fixes by Kees Monshouwer in commit 2819 and commit 2834, closing ticket 600 and ticket 603.
- SQL queries in gsql backends that reference the domain_id column have been made explicit about from what table they want this column. This makes it easier to operate custom schemas without changing the queries. Fix by Nicky Gerritsen in commit 2821.
- In various situations involving CNAMEs and wildcards, and for ANY queries involving CNAMEs, we would sometimes return bogus results. Fixed in commit 2825 by Kees Monshouwer.
- rectify-zone accidentally set auth=1 on NS records of secure delegations. Reported by George Notaras, fixed by Kees Monshouwer in r2831, closing ticket 605.
- The DNSSEC signature cache now actually gets cleaned up, avoiding lasting spikes in memory usage every Thursday. Code in commit 2836 and commit 2843, closing ticket 594.
- Signatures used to roll at midnight on Thursday. We now roll them one hour after midnight, with inception still set to midnight, to allow for some variations in clock quality on resolvers. Code in commit 2857.
- Duplicate records (same name/type/content/priority) would sometimes get broken RRSIGs during outgoing AXFR. Fixed in commit 2856.
- A root zone (name="") with DNSSEC would cause crashes in some situations. Reported by Luuk Hendriks. Fixed in commit 2867, commit 2868, closing ticket 614.
- Direct RRSIG queries for zones with auto-completed SOA records would cause trouble. Reported by Kees Monshouwer and fixed by him in r2869.
- When a name is matched only by a wildcard, but the type in the query is not present, we would be lacking one NSEC(3) record to prove the existence of the wildcard. Fixed by Kees Monshouwer in r2872 and r2873.
- Luuk Hendriks spotted that our PolarSSL RSA key generation code was using inferior entropy. This can be important on virtual machines with badly implemented clocks. Fixed in commit 2876, closing ticket 615.
- Bindbackend would sometimes crash on startup, due to a sync_with_stdio call. This call has been moved to pdns_server proper to occur before any threads are spawned, avoiding race conditions in this call. Note that this crash has only been observed twice in thousands of regression test runs and has never been reported in the real world. Change in commit 2882.
- Leen Besselink submitted query logging support for the SQLite3 parts in the bindbackend. Code in commit 2874.
- Multi-backend operation would sometimes cause garbage domain IDs to be passed to backends. Reported by Kees Monshouwer and fixed by him in r2871.
Non-DNSSEC improvements/changes in 3.2:
- Bindbackend would sometimes crash during reloads/rediscovers. The changes in commit 2837 get rid of the crash, at the cost of returning SERVFAIL during reloads. Closes ticket 564.
- Our label decompression code was naive, causing troubles for slaving of very specifically formatted zones. Fix in commit 2822, closes ticket 599.
- Bindbackend slaves would choke on unknown RR types and do silly things with RP and SRV records. Fixed in commit 2811 and commit 2812.
- The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint in commit 2794, additional luabackend compile fixes in commit 2854.
- A new backend, the 'Remote backend', was submitted by Aki Tuomi. It aims to replace the pipebackend with a better protocol and support for more connection methods, including HTTP. Code in commit 2755, commit 2756, commit 2757, commit 2758, commit 2759, commit 2824, closing ticket 529, ticket 597.
- The gsqlite (SQLite 2) backend was removed. We were not aware of any users and it was not actually working anyway. Changes in commits 2773-2777, closing ticket 565.
- Various tinydnsbackend improvements: ignore-bogus-records option; TAI offset updated; strip dots on names where suitable; various internal improvements. Code in commit 2762.
- gpgsql no longer logs the database password in connection errors. Code in commit 2609, commit 2612, closing ticket 459.
- You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6 without getting replies from the wrong address. This much-requested feature is implemented in commit 2763, commit 2766, commit 2779 and commit 2781. Tested on Linux, FreeBSD and Mac OS X.
- 3.2 can be reliably built with or without Lua. This and many other configure/compile-related fixes in commit 2610, commit 2611 / ticket 461, commit 2666, commit 2671, commit 2672 / ticket 522, commit 2673 / ticket 522, commit 2696 / ticket 555, commit 2697 / ticket 457, commit 2698, commit 2708, commit 2742 / ticket 462, commit 2752 / ticket 437, commit 2764, commit 2809, commit 2844, commit 2845, commit 2846, commit 2881.
- Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in commit 2616.
- Initscripts now have exit codes, submitted by Sander Hoentjen. Code in commit 2728. Guardian now returns 0 instead of 1 when receiving SIGTERM, requested by Morten Stevens of Fedora. Code in commit 2717.
- Mark Zealey submitted various performance improvement patches and suggestions. Accepted as commit 2729 / ticket 579, commit 2730 / ticket 584, commit 2731 / ticket 583, commit 2768 / ticket 578. Please see commit messages for more details.
- pdnssec check-all-zones now reuses database connections, avoiding a socket exhaustion issue in some situations. Code in commit 2749, closes ticket 519.
- Ruben d'Arco submitted various improvements regarding trailing dots. Additional lookups now try harder, pdnssec errors about trailing dots in names, pdnssec warns about trailing dots in names inside content fields, AXFR now strips the dot from SRV hostnames. Code in commit 2748, fixes ticket 289.
- Pre-3.0, backends would get cycled if they threw the right error. 3.2 reinstates this behaviour, as it is more robust. Change in commit 2734 (reverting commit 2100), fixes ticket 386.
- PowerDNS auth does not use the select() kernel/library call anymore. This means fd-numbers over 1023 (and, in general, more than 1024 sockets, including more than 1024 listening sockets) should now work reliably. Code in commit 2739, commit 2740, fixes ticket 408.
- gmysql users can now specify the 'group' we connect as, using the gmysql-group setting. Submitted by Kees Monshouwer, code in commit 2770, commit 2771, commit 2778, commit 2780, closing ticket 463.
- The Linux-only traceback handler is now optional (use traceback-handler=off to disable it). Suggested by Marc Haber. Change in commit 2798, closes ticket 497.
- We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent behaviour between different operating systems. Change in commit 2799.
- MySQL connections are now logged at a higher loglevel, reducing log clutter. Change in commit 2800.
- We now ship a systemd unit file in contrib/. Added in commit 2847 and commit 2848, submitted by Morten Stevens.
- If a slave domain is removed while a transfer for it is queued, we no longer try the transfer. This also avoids a rare crash in similar circumstances. Code in commit 2802, closes ticket 596.
- When using pdnssec with gsql backends, sometimes an SSqlException would pop up without any useful information. This no longer happens and errors are now in general more meaningful. Fix in commit 2803.
- zone2sql now uses correct string syntax for PostgreSQL. This is needed for importing with the changed default settings in PostgreSQL 9.2 and up. Code in commit 2797, closes ticket 471.
- We no longer send v6 notifications if v6 is not available. Same for IPv4. Code in commit 2772, fixes ticket 515.
- We would sometimes serve stale data after an incoming AXFR. Reported by Martin Draschl, fixed by Ruben d'Arco in commit 2699, closing ticket 525.
- Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same domain name into a database twice. Fixed in commit 2703, closing ticket 453.
- pdnssec show-zone now works on a zone that has any number of keys, instead of requiring active keys. Code in commit 2769, closes ticket 586.
- pdns-control notify-host now accepts v6 literals. Reported by Christof Meerwald, fixed in commit 2704.
- The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code in commit 2622.
- *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code in commit 2645, closing ticket 472.
- We would sometimes leave the opcode of an outgoing packet uninitialized. Fixed in commit 2680, closing ticket 532.
- nproxy can now listen on a configurable port. Code in commit 2684, fixes ticket 534.
- Improve mydnsbackend for SOA queries. Code in commit 2751, fixes ticket 439, by Ruben d'Arco.
- Various non-functional fixes that make Valgrind happy (note that Valgrind was right to complain in all of these situations), in commit 2715, commit 2716, commit 2718.
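Several items in the two lists above concern name hygiene: empty labels inside names such as www..example.com are now rejected instead of producing bogus reply packets (commit 2972), pdnssec errors on trailing dots in database names and warns about trailing dots in content fields while AXFR strips the dot from SRV hostnames (commit 2748), and the root zone is stored with name="". The validator below is an added example, not PowerDNS code, of those checks applied before a record enters a zone database; the function names and the SRV handling are this example's own, and the length limits are the RFC 1035 ones.

```python
"""Name checks for records going into a zone database (constructed example,
not PowerDNS code).  An empty label inside a name (www..example.com) is an
error, a trailing dot on a database name is an error, and a trailing dot on a
hostname inside a content field (here the SRV target) is reported and
stripped.  Limits are RFC 1035's: 63 octets per label, 255 on the wire."""

MAX_LABEL_LEN = 63
MAX_WIRE_LEN = 255


class InvalidName(ValueError):
    """Raised for a name that must not enter the database."""


def validate_owner_name(name):
    """Return the normalised owner name, or raise InvalidName.

    The root is stored as "" (the name="" convention used for a root zone),
    so an empty string is valid and a trailing dot is not.
    """
    if name.endswith("."):
        raise InvalidName(f"{name!r}: trailing dot is not allowed in a database name")
    labels = [] if name == "" else name.split(".")
    for label in labels:
        if label == "":
            # Catches both www..example.com and a leading dot (.example.com).
            raise InvalidName(f"{name!r}: empty label")
        if len(label) > MAX_LABEL_LEN:
            raise InvalidName(f"{name!r}: label longer than {MAX_LABEL_LEN} octets")
    # Wire form: one length octet per label plus the terminating zero octet.
    wire_len = sum(len(label) + 1 for label in labels) + 1
    if wire_len > MAX_WIRE_LEN:
        raise InvalidName(f"{name!r}: {wire_len} octets on the wire, limit is {MAX_WIRE_LEN}")
    return name.lower()


def is_valid_owner_name(name):
    """Boolean wrapper around validate_owner_name for callers that only need yes/no."""
    try:
        validate_owner_name(name)
        return True
    except InvalidName:
        return False


def check_content_hostname(hostname):
    """Check a hostname inside a content field (SRV target, MX exchange, CNAME).

    Returns (normalised_hostname, warnings).  A trailing dot is not fatal here
    but is stripped and reported, as the AXFR fix for SRV targets does.
    """
    warnings = []
    if hostname == ".":            # a lone dot means "no target", stored as root
        return "", warnings
    if hostname.endswith("."):
        warnings.append(f"{hostname!r}: trailing dot in content hostname, stripped")
        hostname = hostname[:-1]
    return validate_owner_name(hostname), warnings


def normalise_srv_content(content):
    """SRV content is 'priority weight port target'; only the target is a name."""
    fields = content.split()
    if len(fields) != 4:
        raise InvalidName(f"{content!r}: SRV content needs exactly four fields")
    for numeric in fields[:3]:
        if not numeric.isdigit() or int(numeric) > 65535:
            raise InvalidName(f"{content!r}: {numeric!r} is not a 16-bit number")
    target, warnings = check_content_hostname(fields[3])
    return " ".join(fields[:3] + [target]), warnings


if __name__ == "__main__":
    for candidate in ["www.example.com", "www..example.com", "example.com.", ""]:
        print(f"{candidate!r:22} valid={is_valid_owner_name(candidate)}")
    print(normalise_srv_content("10 20 5060 sip.example.com."))
```

Owner names and content hostnames are deliberately treated differently: a trailing dot on an owner name is an error because the database convention has none, while in content it is a warning plus normalisation, so that zone data pulled in over AXFR is accepted but still flagged.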