PowerDNS is een dns-server met een database als back-end, waardoor het beheer van een groot aantal dns-entries op een gemakkelijke manier kan plaatsvinden. De ontwikkelaars hebben eerder besloten om de twee delen waaruit PowerDNS bestaat, een recursor en een authoritative nameserver, apart uit te geven, zodat ze sneller en gerichter een nieuwe versie kunnen uitbrengen, aldus de ontwikkelaars. De authoritative nameserver zal alleen antwoorden op een dns-look-up als hij betrekking heeft op de domeinen waarvoor hij verantwoordelijk is. De ontwikkelaars hebben PowerDNS Authoritative Server 4.1.0 en 4.0.5 uitgebracht. De veranderingen van deze uitgaven zien er als volgt uit:
PowerDNS Authoritative Server 4.1.0
Version 4.1 is a major upgrade for the Authoritative Server, delivering improvements and speedups developed and tested over the past 12 months. Many large scale deployments have already migrated to this release because even unreleased, it was a better nameserver than 4.0.x (although the recently released 4.0.5 has fixed a number of relevant issues).
This release features prominent contributions from our community. We’d like to highlight the tireless work of Kees Monshouwer in improving the Authoritative Server based on his huge experience scaling PowerDNS to millions of DNSSEC production zones. Christian Hofstaedtler and Jan-Piet Mens contributed massively as well in many different places. Also a round of thanks to Grégory Oestreicher for revamping and reviving the LDAP backend. Wolfgang Studier, “#MrM0nkey”, Tudor Soroceanu and Benjamin Zengin delivered the DNSSEC management API, as part of their studies at TU Berlin.
We have tried to list everyone else in the full changelog, and we are very grateful for all the work and testing PowerDNS has received from the community!
Improved performance: 4x speedup in some scenarios
More than a year ago, the RIPE NCC benchmarked several nameserver implementations, and found PowerDNS was not a performant root-server. Although PowerDNS is great at serving millions of zones, we’d like to be fast on smaller zones as well. Results of this optimization spree are described here, and also in this longer article “Optimizing optimizing: some insights that led to a 400% speedup of PowerDNS”. Kees Monshouwer’s cache (re)work has been vital to attaining this performance improvement.
Crypto API: DNSSEC fully configurable via RESTful API
Our RESTful HTTP API has gained support for DNSSEC & key management. This API is “richer than most” since it is aware of DNSSEC semantics, and therefore allows you to manipulate zones without having to think about DNSSEC details. The API will do the right thing. This work was contributed by Wolfgang Studier, #MrM0nkey, Tudor Soroceanu and Benjamin Zengin as part of their work over at TU Berlin.
Database related: reconnection and 64 bit id fields
Database servers sometimes disconnect after shorter or longer idle periods. This could confuse both PowerDNS and database client libraries under some quiet conditions. 4.1 contains enhanced reconnection logic that we believe solves all associated problems. In a pleasing development, one PowerDNS user has a database so large they exceeded a 32 bit id counter, which has now been made 64 bit.
Our Pieter Lexis invested a ton of time improving not only the contents but also the appearance and search of our documentation. Take a look at https://doc.powerdns.com/authoritative/ and know you can easily edit our documentation via GitHub’s built in editor.
Recursor passthrough removal
This will impact many installations, and we realize this may be painful, but it is necessary. Previously, the PowerDNS Authoritative Server contained a facility for sending recursion desired queries to a resolving backend, possibly after first consulting its local cache. This feature (‘recursor=’) was frequently confusing and also delivered inconsistent results, for example when a query ended up referring to a CNAME that was outside of the Authoritative Server’s knowledge. To migrate from a 3.0 or 4.0 era PowerDNS Authoritative Server with a ‘recursor’ statement in the configuration file, please see Migrating from using recursion on the Authoritative Server to using a Recursor.
Support was added for TCP Fast Open. Non-local bind is now supported. pdnsutil check-zone will now warn about more errors or unlikely configurations. Our packages now ship with PKCS #11 support (which previously required a recompilation). Improved integration with systemd logging (timestamp removal).
The tarball is available on downloads.powerdns.com and packages for CentOS 6 and 7, Debian Jessie and Stretch, Ubuntu Artful, Trusty, Xenial and Zesty are available from repo.powerdns.com.
Please send us all feedback and issues you might have via the mailinglist, or in case of a bug, via GitHub.
PowerDNS Authoritative Server 4.0.5
This release fixes PowerDNS Security Advisory 2017-04: Missing check on API operations (CVE-2017-15091).
- #4650: Bindbackend: do not corrupt data supplied by other backends in getAllDomains
- #4751: API: prevent sending nameservers list and zone-level NS in rrsets
- #4929: gpgsql: make statement names actually unique
- #4997: Fix remotebackend params
- #5051: Fix godbc query logging
- #5125: For create-slave-zone, actually add all slaves, and not only first n times
- #5161: Fix a regression in axfr-rectify + test
- #5408: When making a netmask from a comboaddress, we neglected to zero the port
- #5599: Fix libatomic detection on ppc64
- #5641: Catch DNSName exception in the Zoneparser
- #5722: Publish inactive KSK/CSK as CDNSKEY/CDS
- #5730: Handle AFSDB record separately due to record structure. Fixes #4703
- #5678: Treat requestor’s payload size lower than 512 as equal to 512
- #5766: Correctly purge entries from the caches after a transfer
- #5777: Handle a signing pipe worker dying with work still pending
- #5815: Ignore SOA-EDIT for PRESIGNED zones. Fixes #5814
- #5933: Check return value for all getTSIGKey calls. Fixes #5931
- #5996: Deny cache flush, zone retrieve and notify if the API is RO (Security Advisory 2017-04)
- #4922: Fix ldap-strict autoptr feature, including a test
- #5043: mydnsbackend: Add getAllDomains
- #5112: Stubresolver: Use only recursor setting if given
- #5147: LuaWrapper: Allow embedded NULs in strings received from Lua
- #5277: sdig: Clarify that the ednssubnet option takes “subnet/mask”
- #5309: Tests: Ensure all required tools are available
- #5320: PowerDNS sdig does not truncate trailing bits of EDNS Client Subnet mask
- #5349: LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
- #5498: Add support for Botan 2.x
- #5509: Ship ldapbackend schema files in tarball
- #5518: Collection of schema changes
- #5523: Fix typo in two log messages
- #5598: Add help text on autodetecting systemd support
- #5723: Use a unique pointer for bind backend’s d_of
- #5826: Fix some of the issues found by @jpmens