Changelogs for 3.x and older

These changelogs are included for historical purposes. Broken links may exist.

PowerDNS Authoritative Server 3.4.9

Released 17th of May 2016

This is a minor bugfix and performance release. Two contributions by Kees Monshouwer make 3.4.9 fully compatible with the new single key ECDSA default that is coming in version 4.0.0.

Changes since 3.4.8:

PowerDNS Authoritative Server 3.4.8

Released 3rd of February 2016

This is a small bugfix release. Additionally, the deb/RPM packages on downloads.powerdns.com (those with -static in the name) for 3.4.8 have been built against Botan 1.10.11 instead of Botan 1.10.3 like previous packages. Please see the Botan Security page for more information on the fixes in Botan 1.10.11. As a PowerDNS user, these issues only affect you if you ran our -static packages and allowed your users to upload private keys to your configuration.

Changes since 3.4.7:

  • commit edfa60a: Use AC_SEARCH_LIBS (Ruben Kerkhof)
  • commit 7b7a3af: Check for inet_aton in libresolv (Ruben Kerkhof)
  • commit 9322aee: Remove hardcoded -lresolv, -lnsl and -lsocket (Ruben Kerkhof)
  • commit 23d26d8: pdnssec: don’t check disabled records (Pieter Lexis)
  • commit ce92ff1: pdnssec: check all records (including disabled ones) only in verbose mode (Kees Monshouwer)
  • commit f745312: trailing dot in DNAME content (Kees Monshouwer)
  • commit ed02761: Fix luabackend compilation on FreeBSD i386 (RvdE)
  • commit 07ea6ac: silence g++ 6.0 warnings and error (Kees Monshouwer)
  • commit c6077b1: add gcc 5.3 and 6.0 support to boost.m4 (Kees Monshouwer)

PowerDNS Authoritative Server 3.4.7

Released 3rd of November 2015

This is a security release fixing Security Advisory 2015-03.

Bug fixes:

Improvements:

New features:

PowerDNS Authoritative Server 3.4.6

Released 28th of August 2015

This is a security release fixing Security Advisory 2015-02.

Bug fixes:

  • commits c849701 and 8c91e2c: Avoid superfluous backend recycling
  • commits 463fcff, 0fc08e8, 0fbe69c, 1a6af1c and 07f69d3: Removal of dnsdist from the authoritative server distribution (Kees Monshouwer among others).
  • commits 5cfea4c and ef011d9: Add EDNS unknown version handling and tests EDNS unknown version handling (Aki Tuomi)

Improvements:

  • commits 88dd8a7 and dc6c63d: Update YaHTTP to v0.1.7 (Aki Tuomi)
  • commit 0a344bc: Make trailing/leading spaces stand out in pdnssec check_zone
  • commits 2e982ad and 09bec1f: GCC 5.2 support and sync boost.m4 macro with upstream (Kees Monshouwer among others)
  • commit 1ad4e44: Log answer packets only if log-dns-details is enabled (Kees Monshouwer)

PowerDNS Authoritative Server 3.3.3

Released 9th of June 2015

This is a security release fixing Security Advisory 2015-01.

Bug fixes:

PowerDNS Authoritative Server 3.4.5

Released 9th of June 2015

This is a security release fixing Security Advisory 2015-01.

Bug fixes:

  • commit ffaae2b: be careful reading empty lines in our config parser and prevent integer overflow.
  • commit 8e30209: prevent crash after --list-modules (Ruben Kerkhof)
  • commit 6cf71cf: Limit the maximum length of a qname

Improvements:

PowerDNS Authoritative Server 3.3.2

Released 1st of May, 2015

Among other bug fixes and improvements (as listed below), this release incorporates a fix for CVE-2015-1868, as detailed in PowerDNS Security Advisory 2015-01.

If you are running DNSSEC with version 3.3.1 or below, and you cannot currently upgrade to 3.4.4, please consider upgrading to 3.3.2; it has a lot of improvements and bug fixes and tremendously increases compliance.

We want to explicitly thank Kees Monshouwer for digging up all the DNSSEC improvements and porting them back to this release.

When upgrading, please run pdnssec rectify-all-zones and trigger an AXFR for all DNSSEC zones to make sure you benefit from all the compliance improvements present in this version.

Security fixes:

  • commit 9df4944: import CVE-2015-1868 patch (Peter van Dijk)
  • commit dbedfc5: kill some further mallocs and add note to remind us not to add them back (bert hubert)

Improvements:

Bug fixes:

  • commit 88c52fe: make makeRelative() case-insensitive (Kees Monshouwer)

DNSSEC improvements:

  • commit b3dec9c: change default for add-superfluous-nsec3-for-old-bind config option (Kees Monshouwer)
  • commit 017a78b: limit the number of NSEC3 iterations RFC5155 10.3 (Kees Monshouwer)
  • commit d768d7f: NSEC3 and related RRSIGS are not part of the dnstree (Kees Monshouwer)
  • commit 3a36a1c: import bindbackend rectify code from master (Kees Monshouwer)
  • commit 1ee7e22: limit mode 0 closest provable encloser to optout (Kees Monshouwer)
  • commit bbc0bc5: fix for errata 3441 of RFC5155 (Kees Monshouwer)
  • commit e8bfa7b: allow covering NSEC3 record in NODATA response (Kees Monshouwer)
  • commit f0b3b24: return NOTIMP for direct RRSIG request (Kees Monshouwer)
  • commit c79addc: import pdnssec checkZone() from master (Kees Monshouwer)
  • commit 2f1fec7: import pdnssec rectifyZone() from master (Kees Monshouwer)

PowerDNS Authoritative Server 3.4.4

Released 23rd of April, 2015

Warning: Version 3.4.4 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Among other bug fixes and improvements (as listed below), this release incorporates a fix for CVE-2015-1868, as detailed in PowerDNS Security Advisory 2015-01.

Bug fixes:

New Features:

Improvements:

  • commit e4f48ab: allow “pdnssec set-nsec3 ZONE” for insecure zones; this saves on one rectify when securing a NSEC3 zone
  • commits cce95b9, e2e9243 and e82da97: Improvements to the config-file parsing (Aki Tuomi)
  • commit 2180e21: postgresql check should not touch LDFLAGS (Ruben Kerkhof)
  • commit 0481021: Log error when remote cannot do AXFR (Aki Tuomi)
  • commit 1ecc3a5: Speed improvements when AXFR is disabled (Chris Hofstaedtler)
  • commits 1f7334e and b17799a: NSEC3 and related RRSIGS are not part of the dnstree (Kees Monshouwer)
  • commits dd943dd and 58c4834: Change ifdef to check for __GLIBC__ instead of __linux__ to prevent errors with other libc’s (James Taylor)
  • commit c929d50: Try to raise open files before dropping privileges (Aki Tuomi)
  • commit 69fd3dc: Add newline to carbon error message on auth (Aki Tuomi)
  • commit 3064f80: Make sure we send servfail on error (Aki Tuomi)
  • commit b004529: Ship lmdb-example.pl in tarball (Ruben Kerkhof)
  • commit 9e6b24f: Allocate TCP buffer dynamically, decreasing stack usage
  • commit 267fdde: throw if getSOA gets non-SOA record

PowerDNS Authoritative Server 3.4.3

Warning: Version 3.4.3 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Released March 2nd, 2015

Find the downloads on our download page.

Bug fixes:

  • commit ceb49ce: pdns_control: exit 1 on unknown command (Ruben Kerkhof)
  • commit 1406891: evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
  • commit 3ca050f: always set di.notified_serial in getAllDomains (Kees Monshouwer)
  • commit d9d09e1: pdns_control: don’t open socket in /tmp (Ruben Kerkhof)

New features:

  • commit 2f67952: Limit who can send us AXFR notify queries (Ruben Kerkhof)

Improvements:

  • commit d7bec64: respond REFUSED instead of NOERROR for “unknown zone” situations
  • commit ebeb9d7: Check for Lua 5.3 (Ruben Kerkhof)
  • commit d09931d: Check compiler for relro support instead of linker (Ruben Kerkhof)
  • commit c4b0d0c: Replace PacketHandler with UeberBackend where possible (Christian Hofstaedtler)
  • commit 5a85152: PacketHandler: Share UeberBackend with DNSSECKeeper (Christian Hofstaedtler)
  • commit 97bd444: fix building with GCC 5

Experimental API changes (Chris Hofstaedtler):

PowerDNS Authoritative Server 3.4.2

Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Released February 3rd, 2015

Find the downloads on our download page.

This is a performance and bugfix update to 3.4.1 and any earlier version. For high traffic setups, including those using DNSSEC, upgrading to 3.4.2 may show tremendous performance increases.

A list of changes since 3.4.1 follows.

Improvements:

Bug fixes:

Minor changes:

New features:

  • commit 1b97ba0: add signatures metric to auth, so we can plot signatures/second
  • commit 92cef2d: pdns_control: make it possible to notify all zones at once
  • commit f648752: JSON API: provide flush-cache, notify, axfr-retrieve
  • commit 02653a7: add ‘bench-db’ to do very simple database backend performance benchmark
  • commit a83257a: enable callback based metrics to statbag, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size

Performance improvements:

PowerDNS Authoritative Server 3.4.1

Warning: Version 3.4.1 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Released October 30th, 2014

Find the downloads on our download page.

This is a bugfix update to 3.4.0 and any earlier version.

A list of changes since 3.4.0 follows.

PowerDNS Authoritative Server 3.4.0

Released September 30th, 2014

This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.

Warning: Version 3.4.0 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Downloads

Find the downloads on our download page.

A list of changes since 3.3.1 follows.

Changes between RC2 and 3.4.0:

Changes between RC1 and RC2:

Changes between 3.3.1 and 3.4.0-RC1 follow.

DNSSEC changes

  • commit bba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures.
  • commit 28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option.
  • commit b50efd6: drop the ‘superfluous NSEC3’ option that old BIND validators need.
  • The bindbackend ‘hybrid’ mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid.
  • Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM.
  • Direct RRSIG queries now return NOTIMP.
  • commit fa37777: add secure-all-zones command to pdnssec
  • Unrectified zones can now get rectified ‘on the fly’ during outgoing AXFR. This makes it possible to run a hidden signing master without rectification.
  • commit 82fb538: AXFR in: don’t accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs
  • Various minor bugfixes, mostly from the unstoppable Kees Monshouwer.
  • commit 0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage.
  • commit b8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys.
  • commit 52e0d78: answer direct NSEC queries without DO bit
  • commit ca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled
  • commit 83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling
  • commit ac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations
  • commit ff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations

New features

  • DNAME support. Enable with experimental-dname-processing.
  • PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval.
  • commit 767da1a: Add list-zone capability to pdns_control
  • commit 51f6bca: Add delete-zone to pdnssec.
  • The gsql backends now support record comments, and disabling records.
  • The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements.
  • local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind.
  • ‘AXFR-SOURCE’ in domainmetadata sets the source address for an AXFR retrieval.
  • commit 451ba51: Implement pdnssec get-meta/set-meta
  • Experimental RFC2136/DNS UPDATE support from Ruben d’Arco, with extensive testing by Kees Monshouwer.
  • pdns_control bind-add-zone
  • New option bind-ignore-broken-records ignores out-of-zone records while loading zone files.
  • pdnssec now has commands for TSIG key management.
  • We now support other algorithms than MD5 for TSIG.
  • commit ba7244a: implement pdns_control qtypes
  • Support for += syntax for options

Bugfixes

  • We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes.
  • commit ff99a74: making *-threads settings empty now yields a default of one instead of zero.
  • commit 9215e60: we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging!
  • commit 9245fd9: don’t addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone
  • commit 719f902: fix dual-stack superslave when multiple nameservers share an ip
  • commit 33966bf: avoid address truncation in doNotifications
  • commit eac85b1: prevent duplicate slave notifications caused by different ipv6 address formatting
  • commit 3c8a711: make notification queue ipv6 compatible
  • commit 0c13e45: make isMaster ip check more tolerant for different ipv6 notations
  • Various fixes for possible issues reported by Coverity Scan (commit f17c93b, )
  • commit 9083987: don’t rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks!
  • Various users reported pdns_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone.
  • Decreasing the webserver ringbuffer size could cause crashes.
  • commit 4c89cce: nproxy: Add missing chdir("/") after chroot()
  • commit 016a0ab: actually notice timeout during AXFR retrieve, thanks hkraal

REST API changes

  • The REST API was much improved and is nearing stability, thanks to Chris Hofstaedtler and others.
  • Mark Schouten at Tuxis contributed a zone importer.

Other changes

  • Our tarballs and packages now include *.sql schema files for the SQL backends.
  • The webserver (including API) now has an ACL (webserver-allow-from).
  • Webserver (including API) is now powered by YaHTTP.
  • Various autotools usage improvements from Ruben Kerkhof.
  • The dist tarball is now bzip2-compressed instead of gzip.
  • Various remotebackend updates, including replacing curl with (included) yahttp.
  • Dynamic module loading is now allowed on Mac OS X.
  • The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world.
  • commit ba91c2f: remove unused gpgsql-socket option and document postgres socket usage
  • Improved support for Lua 5.2.
  • The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed.
  • geobackend now has very limited edns-subnet support - it will use the ‘real’ remote if available.
  • pipebackend ABI v4 adds the zone name to the AXFR command.
  • We now avoid getaddrinfo() as much as possible.
  • The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion.
  • commit ff5ba4f: pdns_server --help no longer exits with 1.
  • Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both!
  • commit 81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes ticket 844.
  • RCodes are now reported in text in various places, thanks Aki.
  • Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them.
  • Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi.
  • Bundled PolarSSL has been upgraded to 1.3.2
  • PolarSSL replaced previously bundled implementations of AES (commit e22d9b4) and SHA (commit 9101035)
  • bindbackend is now a module
  • commit 14a2e52: Use the inet data type for supermasters.ip on postgresql.
  • We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain.
  • commit 3613a51: Show built-in features in --version output
  • commit 4bd7d35: make domainmetadata queries case-insensitive
  • commit 088c334: output warning message when no to be notified NS’s are found
  • commit 5631b44: gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
  • commit d87ded3: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
  • Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said.
  • Removed settings related to fancy records, as we haven’t supported those since version 3.0
  • Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in commit 801812e and commit 8403ade.

PowerDNS Authoritative Server version 3.3.1

Released December 17th, 2013

This is a bugfix update to 3.3.

Changes since 3.3

PowerDNS Authoritative Server version 3.3

Released on July 5th 2013

This is a stability, bugfix and conformity update to 3.2. It improves interoperability with various validators, either through bugfixes or by catering to their needs beyond the specifications.

Warning: Version 3.3 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0, 3.1 or 3.2. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Changes between RC2 and final

Changes between RC1 and RC2

  • Added dnstcpbench tool, by popular demand.
  • We always shipped a static tools RPM; we now have a similar Debian package. All packages have been cleaned up a bit, and the binary collections are now consistent between RPM and Deb. New: pass --enable-tools to configure to have the tools included in ‘make all’ and ‘make install’.
  • commit 4d2e3f5: add selinux policy files
  • We would sometimes send a single NULL byte, or nothing at all, instead of an OPT record. Fixed in commit bf7f822, commit 063076b, commit 90d361d.
  • commit 2ee9ba2: expand any-to-tcp to direct RRSIG queries
  • commit 5fff084, commit e38ef51: drop no-op flag strict-rfc-axfrs, thanks Jelte Jansen.
  • commit f3d8902, commit 7c0b859, commit 5eea730: Implement MINFO qtype for better interaction when slaving zones from NSD (that contain MINFO). Thanks to Jelte Jansen.
  • commit 8655a42, commit bf79c6a, commit 38c941b: SRV record can have a ‘.’ as final field, from which we would dutifully strip the trailing ., leaving void, confusing everything. We now remove the trailing . in the right place, and not if we are trying to serve ‘.’. Again thanks to Jelte & SIDN for catching this.
  • commit 70d5a66: improve error message in ill formed unknown record type, thanks Jelte Jansen for reporting.
  • commit 3640473: Built in webserver can now listen on IPv6, fixes ticket 843. Also silences some useless messages about timeouts.
  • commit 7db735c, commit d72166c: CHANGES BEHAVIOUR: before we launch, check if we can connect to the controlsocket we are about to obliterate. If it works, abort. Fixes ticket 841 and changes standing behaviour. There might be circumstances where PowerDNS now refuses to start, where it previously would. However, starting and making our previous instance mute wasn’t good.
  • commit 9130f9e: correctly refuse out-of-zone data in bindbackend, closes ticket 845
  • commit 3363ef7: initialise server-id after all parsing is done, instead of half way through. Fixes situations where server-id was emptied explicitly. Reported by Wouter de Jong
  • commit cd4f253: bump boost requirement, thanks Wouter de Jong
  • commit 58cad74: Update pdns auth init script so it works on wheezy
  • commit 8714c9c: clang fixes by Aki Tuomi, thanks!
  • commit 146601d: stretch supermasters.ip for IPv6, thanks Dennis Krul
  • commit 1a5c5f9: various remotebackend improvements by Aki Tuomi
  • commit 6ab1a11: make sure systemd starts PowerDNS after relevant databases have been started, thanks Morten Stevens.
  • commit 606018f, commit ee5e175, commit c76f6f4: check scopeMask of answer packet, not of query packet!
  • commit 2b18bcf: Added warning if trailing dot is used, thanks Aki Tuomi.
  • commit 16cf913: make superfluous ‘bind’ NSEC3 record optional

New features and important changes since 3.2 (these changes are in RC1 and up)

  • commit 04576ee, commit b0e15c8: Implement pdnssec increase-serial, thanks Ruben d’Arco.
  • commit cee857b: PowerDNS now sets additional groups while dropping privileges.
  • commit 7796a3b: Merge support for include-dir directive, thanks Aki Tuomi!
  • commit d725755: make pdns-static Conflict with pdns-server, closes ticket 640
  • commit c0d5504: pdnssec now emits ‘INSERT INTO domain ..’ queries when running without named.conf, thanks Ruben d’Arco.
  • commit a1d6b0c: Older versions of the BIND 9 validating recursor need a superfluous NSEC3 record on positive wildcard responses. We now send this extra NSEC3. Closes ticket 814.
  • commit 07bf35d: catch a lot more errors in pdnssec and report them. Fixes ticket 588.
  • commit 032e390: make pdnssec exit with 1 on some error conditions, closes ticket 677
  • commit 4af49b8, commit 4cec6ac: add ability to create an ‘active’ or inactive key using add-zone-key and import-zone-key, plus silenced some debugging. Fixes ticket 707.
  • commit fae4167: Compiling against Lua 5.2 (--with-lua=lua5.2) now disables some code used for regression testing, instead of breaking during compile. This means that Lua 5.2 can be used in production.
  • commit abc8f3f, 357f6a7: Implement the new any-to-tcp option that, when set, always replies with a truncated response (TC=1) to ANY queries, forcing them to use TCP.
  • commit 496073b: Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK and two ZSK, with one ZSK active. For most, if not almost all, users, this inactive ZSK is never used. We now no longer generate this useless ZSK. The resulting smaller DNSKEY RRset improves interoperability with certain validators. Closes ticket 824.
  • commit df55450: Non-DNSSEC ANY queries no longer get sent DNSSEC records. This improves interoperability with some old resolvers. Patch by Kees Monshouwer.
  • commit 04b4bf6: Merge support for not using opt-out with NSEC3. Many thanks to Kees Monshouwer.
  • commit 8db49a6: We now try not to NOTIFY ourselves. In convoluted cases involving REUSE_PORT and binding to 0.0.0.0 and ::, it might be possible that we guess wrong, in which case you can set prevent-self-notification to off.

Important bug fixes

  • commit 63e365d: don’t mess up encoding when copying qname from question to answer in packetcache. Based on reports & debugging by Jimmy Bergman (sigint), Daniel Norman (Loopia) and the fine people at ISC. This avoids most issues related to BIND 9 erroneously blacklisting PowerDNS for lack of EDNS support.
  • commit 3526186: fix backslash handling in TXT parser, includes test. Thanks Jan-Piet Mens.
  • commit 830281f, aef7330: Accept chars >127 (‘high ASCII’) in TXT records, closing ticket 541 and 723.
  • commit feef1ec: fix missing NSEC3 for secure delegation, thanks Kees Monshouwer, closes ticket 682
  • commit b61e407: around Thursday midnight, during signature rollovers, we would update the SOA serial too early. Fixed by reverting commit d90efbf, adding 7 days margin to inception. Fix by Kees Monshouwer.
  • commit ff64750: make sure mixed-case queries get a correct apex NSEC3 type bitmap
  • commit 4b153d8: always lowercase next name in NSEC to avoid interop troubles with validators, thanks Marco Davids & Matthijs Mekking.

Other changes

  • commit 49977c6: fix bug in boost.m4 where it insists on setting -L, causing useless RPATH in our binaries. Closes ticket 728
  • commit 62ac758: use PolarSSL for MD5 hashing instead of shipping our own copy of md5 hashing code, thanks Aki Tuomi.
  • commit 775acd9: give a better error on trying to add nsec3 parameters to a weird zone like “1 0 1 ab” (which indicates that you forgot to specify a zone name on the command line). Fixes ticket 800.
  • commit 315dd2e: Simplify socket listening code, and make sure we always set the nonblocking flag correctly. Patch by Mark Zealey, closes ticket 664.
  • commit b35da1b: if_ether.h is in netinet/ not net/ on OpenBSD, thanks Florian Obser.
  • commit 71301b6: Replicate gsql backend feature of having separate -auth queries for DNSSEC into oraclebackend. Also lets you disable dnssec if you are not ready for it. Closes ticket 527, patch by Aki Tuomi.
  • commit 2125dac: drop unused ignore-rd-bit flag
  • commit 8c1a6d6: NSECx optimizations, thanks Kees Monshouwer.
  • commit 664716a: drop unused variables in lua backend (ticket 653)
  • commit d8ec70f: fix db2 backend includes (ticket 653)
  • commit 6477102: add goracle schema, thanks Aki Tuomi.
  • commit 9118638: make goraclebackend “at least work”, closes ticket 729, thanks Aki Tuomi.
  • commit e0ad7bb: add DS digest type 4 to show-zone output; add algorithm names. Based on a patch by Aki Tuomi, closes ticket 744
  • commit 61a7fac: enable AM_SILENT_RULES, closing ticket 647
  • commit 837f4b4: do a better job at escaping TXT, fixes ticket 795
  • commit 6ca3fa7: add SOA-EDIT INCEPTION-INCREMENT mode, thanks stbuehler
  • commit 6159c49: Add connection info to sql-connect message
  • commit 9f62e34, commit 0fc965f, commit 2035112: Added EUI48 and EUI64 record types
  • commit f9cf6d9: cut the number of database queries in half for AXFR-in, thanks Kees Monshouwer.
  • commit c87f987: add default for SOA contact e-mail
  • commit bb4a573: move random backend to modules, thanks Kees Monshouwer.
  • commit 1071abd: restyle builtin webserver page, thanks Chris Hofstaedtler.
  • commit cd5e158: correct bogus use of poll(2) related constants, improving non-Linux portability. Thanks Wouter de Jong.
  • commit 27ff60a: make sure our NSEC(3)s for names with spaces in them are correct. Reported by Jimmy Bergman. Includes test.
  • commit 116e28a: reduce log level of successful gpgsql/gsqlite3 connection to Info
  • commit b23b90a: Metadata update is now in the same transaction as the AXFR. This improves slaving speed tremendously, especially for SQLite users. Patch by Kees Monshouwer.
  • commit 4620e8a: Added zone2json, thanks Aki Tuomi.
  • commit f0fa8b6: Fix remotebackend setdomainmetadata return value handling. Fix by Aki Tuomi, closes ticket 740.
  • commit 80e82d6: log control listener abort even more explicitly.
  • commit 7c0cb15, a718d74: support automake 1.12
  • commit 3fe22eb, 6707cb1: update autoconf/automake preamble to non-deprecated variant, thanks Morten Stevens
  • commit 6c4e531: disarm dead code that causes gcc crashes on ARM, thanks Morten Stevens.
  • commit 36855b5: if we failed to make a new UDP socket, we’d report a confusing error about it.
  • commit 1b8e5e6: autoconf support for oracle, thanks Aki Tuomi. Closes ticket 726.
  • commit 8ac0c06: allow setting of some oracle env vars. Patch by Aki Tuomi, closes ticket 725.
  • commit 45e845b: add example.rb sample script for remotebackend, thanks Aki Tuomi.
  • commit 950bddd: add pdnssec generate-zone-key command, thanks Aki. Closes ticket 711.
  • commit 2c03cde: Replace select with waitForData in remotebackend. Patch by Aki Tuomi, closes ticket 715.
  • commit 450292c: accept ANY responses during recursive forwarding, thanks Jan-Piet Mens.
  • commit d9dd76b: actually clean up unix domain sockets too after use.
  • commit 36758d2: merge ticket 476 by Aki Tuomi, providing default-ksk/zsk-algorithms/size configuration parameters for pdnssec.
  • commit 2f2b014: apply variant of code in ticket 714 so we can launch pipe backend scripts with parameters, plus add experimental code that if pipe-command is a unix domain socket, we use that.
  • commit 9566683: merge patch from ticket 712 addressing memory leak in remotebackend, thanks Aki.
  • commit fb6ed6f: explicitly set domain id during bindbackend superslave domain create, thanks Kees Monshouwer & Aki Tuomi.
  • commit 69bae20: use private temp dir when running under systemd, thanks Morten Stevens & Ruben Kerkhof.
  • commit b26a48a: fix rapidjson usage in remotebackend, patch by Aki Tuomi. Closes ticket 697.
  • commit da8e6ae: also answer questions with : in them.
  • commit ef1c4bf: also spot trailing dots on CNAME content, thanks Jan-Piet Mens and Ruben d’Arco.
  • commit fb31631: only setCloseOnExec on valid sockets

PowerDNS Authoritative Server 3.2

Released January 17th, 2013

This is a stability and conformity update to 3.1. It mostly makes our DNSSEC implementation more robust, and improves interoperability with various validators. 3.2 has received very extensive testing on a lot of edge cases, verifying output both against common validators and compared against other authoritative servers.

Warning: Version 3.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0 or 3.1. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Changes between 3.2-RC4 and the final 3.2 release

Changes between 3.2-RC3 and 3.2-RC4

Changes between 3.2-RC2 and 3.2-RC3

Changes between 3.2-RC1 and 3.2-RC2

Changes below are in 3.2-RC1 and up.

DNSSEC changes in 3.2

Non-DNSSEC improvements/changes

Assorted bugfixes

PowerDNS Authoritative Server 3.1

Released on the 4th of May 2012. RC3 released on the 30th of April 2012. RC2 released on the 14th of April 2012. RC1 released on the 23rd of March 2012.

Warning: Version 3.1 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Version 3.1 of the PowerDNS Authoritative Server represents the ‘coming of age’ of our DNSSEC implementation. In addition, 3.1 solves a lot of ‘.0’ issues typically associated with a major new release.

As usual, we are very grateful for the involvement of the PowerDNS community. The uptake of 3.0 was rapid, and many users were very helpful in shaking out the bugs, and willing to test the fixes we provided or, in many cases, provided the fixes themselves.

Of specific note is the giant PowerDNS DNSSEC deployment in Sweden by Atomia and Binero. PowerDNS 3.0 now powers over 150000 DNSSEC domains in Sweden, around 95% of all DNSSEC domains, in a country where most internet service providers actually validate all .SE domains.

Finally, this release has benefited a lot from Peter van Dijk joining us, as he has merged a tremendous amount of patches, cleaned up years of accumulated dust in the code, and massively improved our regression testing into a full blown continuous integration setup with full DNSSEC tests!

Additionally, we would like to thank Ruben d’Arco, Jose Arthur Benetasso Villanova, Marc Haber, Jimmy Bergman, Aki Tuomi and everyone else who helped us out!

Downloads

Changes between RC3 and final

Changes between RC2 and RC3

Changes between RC1 and RC2

Bug fixes

New features

Improvements

Other changes

Authoritative Server version 2.9.22.6

Warning: The 2.9.22.x series of releases is end-of-life and unsupported. It contains many issues and potential security problems. We urge you to upgrade to a recent version of PowerDNS!

The improvements to the master/slave engine in 2.9.22.5 contained one serious bug that can cause crashes on busy setups. 2.9.22.6 fixes this crash.

Authoritative Server version 2.9.22.5

Warning: The 2.9.22.x series of releases is end-of-life and unsupported. It contains many issues and potential security problems. We urge you to upgrade to a recent version of PowerDNS!

2.9.22.5 is an interim release for those not yet ready to make the jump to 3.0, but do need a more recent version of the Authoritative Server. It also contains the patch from PowerDNS Security Advisory 2012-01.

PowerDNS Authoritative Server 3.0.1

Warning: The DNSSEC implementation of PowerDNS Authoritative Server 3.0 and 3.0.1 contains many issues regarding CNAMES, wildcards and (in)secure delegations. If you use any of these, and you use DNSSEC you MUST upgrade to 3.1 or beyond!

3.0.1 consists of 3.0, plus the patch from PowerDNS Security Advisory 2012-01

PowerDNS Authoritative Server 3.0

Released on the 22nd of July 2011. RC1 released on the 4th of April 2011, RC2 released on the 19th of April 2011, RC3 released on the 19th of July 2011.

Warning: Version 3.0 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Warning: The DNSSEC implementation of PowerDNS Authoritative Server 3.0 and 3.0.1 contains many issues regarding CNAMES, wildcards and (in)secure delegations. If you use any of these, and you use DNSSEC you MUST upgrade to 3.1 or beyond!

Version 3.0 of the PowerDNS Authoritative Server brings a number of important features, as well as over two years of accumulated bug fixing.

The largest news in 3.0 is of course the advent of DNSSEC. Not only does PowerDNS now (finally) support DNSSEC, we think that our support of this important protocol is among the easiest to use available. In addition, all important algorithms are supported.

Complete detail can be found in Serving authoritative DNSSEC data. The goal of PowerDNS’s DNSSEC support is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.

PowerDNS Authoritative Server 3.0 development has been made possible by the financial and moral support of

This release has received exceptional levels of community support, and we’d like to thank the following people in addition to those mentioned explicitly below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Leen Besselink, Antoin Verschuren (SIDN), Olafur Guðmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, Jack Lloyd, Frank Altpeter, Fredrik Danerklint, Vasiliy G Tolstov, Brielle Bruns, Evan Hunt, Ralf van der Enden, Marc Laros, Serge Belyshev, Chris Hofstaedtler, Charlie Smurthwaite, Nikolaos Milas, ..

Known issues as of RC3

  • Not all new features are fully documented yet

Changes between RC3 and final

Changes between RC2 and RC3

Other major new features

Bugs fixed

Improvements

Authoritative Server version 2.9.22

Warning: The 2.9.22.x series of releases is end-of-life and unsupported. It contains many issues and potential security problems. We urge you to upgrade to a recent version of PowerDNS!

Released on the 27th of January 2009.

This is a huge release, spanning almost 20 months of development. Besides fixing a lot of bugs, of note is the addition of the so called ‘Notification Proxy’, which allows PowerDNS to function as a master server behind a firewall, plus the huge performance improvement of the internal caches.

This work has been made possible by UPC Broadband and Directi, respectively.

Finally, the release candidates of this version have been tested & improved by Jorn Ekkelenkamp, Ton van Rosmalen, Jeff Sipek, Tyler Hall, Christof Meerwald and Stefan Schmidt.

Fixed between rc1 and rc2, but not an issue in 2.9.21.

New features

Performance

Bugs fixed

Improvements

Authoritative Server version 2.9.21.2

Released on the 18th of November 2008.

This release consists of a single patch to PowerDNS Authoritative Server version 2.9.21.1. In some configurations, notably with configuration option ‘distributor-threads=1’, the PowerDNS Authoritative Server crashes easily in some error conditions.

All users are urged to upgrade. Even though PowerDNS restarts itself on encountering such error conditions, and even though most PowerDNS configurations do not run in single threaded mode, an upgrade is recommended.

More detail can be found in PowerDNS Security Advisory 2008-02.

Authoritative Server version 2.9.21.1

Released on the 6th of August 2008.

This release consists of a single patch to PowerDNS Authoritative Server version 2.9.21. Brian J. Dowling of Simplicity Communications has discovered a security implication of the previous PowerDNS behaviour to drop queries it considers malformed. We are grateful that Brian notified us quickly about this problem.

This issue has been assigned CVE-2008-3337. The single patch is in commit 8b1ed874b009aeda37843f71e6b4ec25e75485fb. More detail can be found in PowerDNS Security Advisory 2008-02.

The implication is that while the PowerDNS Authoritative server itself does not face a security risk because of dropping these malformed queries, other resolving nameservers run a higher risk of accepting spoofed answers for domains being hosted by PowerDNS Authoritative Servers before 2.9.21.1.

While the dropping of queries does not aid sophisticated spoofing attempts, it does facilitate simpler attacks.

It may be good to know that several large sites already run with this patch applied, as it has been in the public code base for some weeks already.

PowerDNS Authoritative Server version 2.9.21

Released the 21st of April 2007.

This is the first release of the PowerDNS Authoritative Server since the Recursor was split off to a separate product, and also marks the transfer of the new technology developed specifically for the recursor, back to the authoritative server.

This move has reduced the amount of code of the Authoritative server by over 2000 lines, while improving the quality of the program enormously.

However, since so much has been changed, care should be taken when deploying 2.9.21.

To signify the magnitude of the underlying improvements, the next release of the PowerDNS Authoritative Server will be called 3.0.

This release would not have been possible without large amounts of help and support from the PowerDNS Community. We specifically want to thank Massimo Bandinelli of Italy’s Register.it, Dave Aaldering of Aaldering ICT, True BV, XS4ALL, Daniel Bilik of Neosystem, EasyDNS, Heinrich Ruthensteiner of Siemens, Augie Schwer, Mark Bergsma, Marco Davids, Marcus Rueckert of OpenSUSE, Andre Muraro of Locaweb, Antony Lesuisse, Norbert Sendetzky, Marco Chiavacci, Christoph Haas, Ralf van der Enden and Ruben Kerkhof.

Security issues

  • The previous packet parsing and generating code contained no known bugs, but was however very lengthy and overly complex, and might have had security problems. The new code is ‘inherently safe’ because it relies on bounds-checking C++ constructs. Therefore, a move to 2.9.21 is highly recommended.
  • Pre-2.9.21, communication between master and server nameservers was not checked as rigidly as possible, possibly allowing third parties to disrupt but not modify such communications.

Warning: The ‘bind1’ legacy version of our BIND backend has been dropped! There should be no need to rely on this old version anymore, as the main BIND backend has been very well tested recently.

Bugs

Features

Improvements

Version 2.9.20

Released the 15th of March 2006

Besides adding OpenDBX, this release is mostly about fixing problems and speeding up the recursor. This release has been made possible by XS4ALL and True. Thanks!

Furthermore, we are very grateful for the help of Andrew Pinski, who hacks on gcc, and of Joaquín M López Muñoz, the author of boost::multi_index_container. Without their near-realtime help this release would’ve been delayed a lot. Thanks!

Bugs fixed in the recursor

Improvements to the recursor

Bugs fixed in the authoritative nameserver

Improvements to the authoritative nameserver

Miscellaneous

Version 2.9.19

Released 29th of October 2005.

As with other recent releases, the usage of PowerDNS appears to have skyrocketed. Informal, though strict, measurements show that PowerDNS now powers around 50% of all German domains, and somewhere in the order of 10-15% of the rest of the world. Furthermore, DNS is set to take a central role in connecting Voice over IP providers, with PowerDNS offering a very good feature set for these ENUM deployments. PowerDNS is already powering the E164.info ENUM zone and also acts as the backend for a major VoIP provisioning platform.

Included in this release is the now complete packet parsing/generating, record parsing/generating infrastructure. Furthermore, this framework is used by the recursor, hopefully making it very fast, memory efficient and robust. Many records are now processed using a single line of code. This has made the recursor a lot stricter in packet parsing, you will see some error messages which did not appear before. Rest assured however that these only happen for queries which have no valid answer in any case.

Furthermore, support for DNSSEC records is available in the new infrastructure, although it should be emphasised that there is more to DNSSEC than parsing records. There is no real support for DNSSEC (yet).

Additionally, the BIND Backend has been replaced by what was up to now known as the ‘Bind2Backend’. Initial benchmarking appears to show that this backend is faster, uses less memory and has shorter startup times. The code is also shorter.

This release fixes a number of embarrassing bugs and is a recommended upgrade.

Thanks are due to XS4ALL who are supporting continuing development of PowerDNS, the fruits of which can be found in this release already. Furthermore, a remarkable number of people have helped report bugs, validate solutions or have submitted entire patches. Many thanks!

Improvements

  • dnsreplay now has a help message and has received further massive updates, making the code substantially faster. It turns out that dnsreplay is often ‘heavier’ than the PowerDNS process being benchmarked.
  • PowerDNS recursor no longer prints out its queries by default as most recursor deployments have too much traffic for this to be useful.
  • PowerDNS recursor is now able to read its root-hints from disk, which is useful to operate with alternate roots, like the Open Root Server Network. See PowerDNS Recursor.
  • PowerDNS can now send out old-fashioned root-referrals when queried for domains for which it is not authoritative. Wastes some bandwidth but may solve incoming query floods if domains are delegated to you for which you are not authoritative, but which are queried by broken recursors.
  • PowerDNS now prints out a warning when running with legacy LinuxThreads implementation instead of the high performance NPTL library. commit 2b4d0a490fd39a1018135f42a669f35559f858d8.
  • A lot of superfluous calls to gettimeofday() have been removed, making PowerDNS and especially the recursor faster. Suggested by Kai.
  • SPF records are now supported natively. commit dd10362105be43185aa0e6c959d27e3eccc1e60d, closing ticket 22.
  • Improved IPv6 ‘bound to’ messages. Thanks to Niels Bakker, Wichert Akkerman and Gerty de Wolf for suggestions.
  • Separate graphs can now be made of IPv6 queries and answers. commit bd852e59a9606389b5ed355bdc19c4b042eccd58.
  • Out of zone additional processing is now on by default to better comply with standards. commit 9054d8a46ff923ec9c6dd0ae2831704136987baf.
  • Regression tests have been expanded to deal with more record types (SRV, NAPTR, TXT, duplicate SRV).
  • Improved query-logging in Bindbackend, which can be used for debugging purposes.
  • Dropped libpcap dependency, making compilation easier
  • pdns_control now has a help message.
  • Add RRSIG, DNSKEY, DS and NSEC records for DNSSEC-bis to new parser infrastructure.
  • Recursor now honours EDNS0 allowing it to send out larger answers.

Bugs fixed

Version 2.9.18

Released on the 16th of July 2005.

The ‘8 million domains’ release, which also marks the battle readiness of the PowerDNS Recursor. The latest improvements have been made possible by financial support and contributions by Register.com and XS4ALL. Thanks!

This release brings a number of new features (vastly improved recursor, Generic Oracle Support, DNS analysis and replay tools, and more) but also has a new build dependency, the Boost library (version 1.31 or higher).

Currently several big ISPs are evaluating the PowerDNS recursor for their resolving needs, some of them have switched already. In the course of testing, over 350 million actual queries have been recorded and replayed, the answers turn out to be satisfactory.

This testing has verified that the pdns recursor, as shipped in this release, can stand up to heavy duty ISP loads (over 20000 queries/second) and in fact does so better than major other nameservers, giving more complete answers and being faster to boot.

We invited ISPs who noted recursor problems to record their problematic traffic and replay it using the tools described in “Tools to analyse DNS traffic” to discover if PowerDNS did a better job, and to let us know the results.

Additionally, the bind2backend is almost ready to replace the stock bind backend. If you run with Bind zones, you are cordially invited to substitute launch=bind2 for launch=bind. This will happen automatically in 2.9.19!

In other news, the entire Wikipedia constellation now runs on PowerDNS using the Geo Backend! Thanks to Mark Bergsma for keeping us updated.

There are two bugs with security implications, which only apply to installations running with the LDAP backend, or installations providing recursion to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised.

  • The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)
  • Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. This would’ve made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and not a denial of a domain’s existence.

General bugs fixed

  • TCP authoritative server would not relaunch a backend after failure (reported by Norbert Sendetzky)
  • Fix backend restarting logic (reported, and fix suggested by Norbert Sendetzky)
  • Launching identical backends multiple times, with different settings, did not work. Reported by Mario Manno.
  • Master/slave queries did not honour the query-local-address setting. Spotted by David Levy of Register.com. The fix also randomises the local port used, slightly improving security.

Compilation fixes

  • Fix compile on Solaris, they define ‘PC’ for some reason. Reported by Eric Yiu.
  • PowerDNS recursor would not compile on FreeBSD due to Linux specific defines, as reported in cvstrac ticket 26 (Ralf van der Enden)
  • Several 64 bits issues have been fixed, especially in the Logging subsystem.
  • SQLite would fail to compile on recent Debian systems (Matthijs Möhlmann)
  • Generic MySQL would not compile on 64-bit platforms.

Improvements

  • PowerDNS now reports stray command line arguments, like when running ‘--local-port 5300’ instead of ‘--local-port=5300’. Reported by Christian Welzel.
  • We now warn against erroneous logging-facility specification, ie specifying an unknown facility.
  • --version now outputs gcc version used, so we can tell people 2.95 is no longer supported.
  • Extended regression tests, moved them to the new ‘sdig’ tool (see below).
  • Bind2backend is now blazingly fast, and highly memory efficient to boot. As a special bonus it can read gzipped zones directly. The ‘.NET’ zone is hosted using 401MB of memory, the same size as the zone on disk.
  • The Pipe Backend has been improved such that it can send out different answers based on the IP address the question was received ON. See PipeBackend protocol for how this changed the Pipe Backend protocol. Note that you need to set pipebackend-abi-version to benefit from this change, existing clients are not affected. Change and documentation contributed by Marc Jauvin of Register4Less.
  • LDAP backend has been updated (Norbert Sendetzky).

Recursor improvements and fixes.

See Recursion for details. The changes below mean that all of the caveats listed for the recursor have now been addressed.

  • After half an hour of uptime, the entire cache would be pruned for each packet, which is a tad slow. It now appears the pdns recursor is among the fastest around.
  • Under high loads, or when unlucky, some query mthreads would get ‘stuck’, and show up in the statistics as eternally running queries.
  • Lots of redundant gettimeofday() and time() calls were removed, which has resulted in a measurable speedup.
  • pdns_recursor can now listen on several addresses simultaneously.
  • Now supports setuid and setgid operation to allow running as a less privileged user (Bram Vandoren).
  • Return code of pdns_recursor binary did not make sense (Matthijs Möhlmann and Thomas Hood)
  • Timeouts and errors are now split out in statistics.
  • Many people reported broken statistics, it turned out that no statistics were being reported if there had been no questions to base them on. We now log a message to that effect.
  • Add query-local-address support, which allows the recursor to send questions from a specific IP address. Useful for anycast setups.
  • Add outgoing TCP query support and proper truncated answer support. Needed for Worldnic Denial of Service protection, which sends out truncated packets to force clients to connect over TCP, which prevents spoofing.
  • Properly truncate our own answers.
  • Improve our TCP answers by using writev, which is slightly friendlier to the network.
  • On FreeBSD, TCP errors could cause the recursor to exit suddenly due to a SIGPIPE signal.
  • Maximum number of simultaneous client TCP connections can now be limited with the max-tcp-clients setting.
  • Add aggressive timeouts for TCP clients to make sure resources are not wasted. Defaults to two seconds, can be configured with the client-tcp-timeout setting.

Backend fixes

  • SQLite backend would not slave properly (Darron Broad)
  • Generic MySQL would not compile on 64-bit platforms.

New technology

  • Added the new DNS parser logic, called MOADNSParser. Completely modular, every memory access checked.
  • ‘sdig’, a simple dig work-alike with ‘canonical’ output, which is used for the regression tests. Based on the new DNS parser logic.
  • dnswasher, dnsreplay and dnsscope, all DNS analysis tools.
  • Generic Oracle Backend, sponsored by Register.COM.

Version 2.9.17

See the new timeline for progress reports.

The ‘million domains’ release - PowerDNS has now firmly established itself as a major player with the unofficial count (ie, guesswork) now at over two million PowerDNS domains! Also, the GeoBackend has been tested by a big website and may soon see wider deployment. Thanks to Mark Bergsma for spreading the word!

It is also a release with lots of changes and fixes. Take care when deploying!

Security issues

  • PowerDNS could be temporarily DoSed using a random stream of bytes. Reported cause of this has been fixed.

Enhancements

  • Reported version can be changed, or removed - see the “version-string” setting.
  • Duplicate MX records are now no longer considered duplicate if their priorities differ. Some people need this feature for spam filtering.

Bug fixes

  • NAPTR records can now be slaved, patch by Lorens Kockum.
  • GMySQL now works on Solaris
  • PowerDNS could be confused by questions with a %-sign in them - fixing cvstrac ticket #16 (reported by dilinger at voxel.net)
  • An authentication bug in the webserver was possibly fixed, please report if you were suffering from this. Being unable to authenticate to the webserver was what you would’ve noticed.
  • Fix for cvstrac ticket #2, PowerDNS could lose sync when sending out a very large number of notifications. Excellent bug report by Martin Hoffman, who also improved our original bugfix.
  • Fix the oldest PowerDNS bug in existence - under some circumstances, PowerDNS would log to syslog one character at a time. This was cvstrac ticket #4
  • HINFO records can now be slaved, fixing cvstrac ticket #8.
  • pdns_recursor could block under some circumstances, especially in case of corrupt UDP packets. Reported by Wichert Akkerman. Fix by Christopher Meer. This was cvstrac ticket #13.
  • Large SOA serial numbers would sometimes be logged as a signed integer, leading to negative numbers in the log.
  • PowerDNS now fully supports 32 bit SOA serial numbers (thanks to Mark Bergsma), closing cvstrac ticket #5.
  • pdns_recursor --local-address help text was wrong.
  • Very devious bug - PowerDNS did not clear its cache before sending out update notifications, leading slaves to conclude there was no update to AXFR. Excellent debugging by mkuchar at wproduction.cz.
  • Probably fixed cvstrac ticket #26, which caused pdns_recursor to fail on recent FreeBSD 5.3 systems. Please check, I have no such system to test on.
  • Geobackend did not get built for Debian.

Version 2.9.16

The ‘it must still be Friday somewhere’ release. Massive number of fixes, portability improvements and the new Geobackend by Mark Bergsma & friends.

New

  • The Geobackend which makes it possible to send different answers to different IP ranges. Initial documentation can be found in pdns/modules/geobackend/README.
  • qgen query generation tool. Nearly completely undocumented and hard to build too, it requires Boost. But very spiffy. Use cd pdns; make qgen to build it.

Bugfixes

  • The most reported bug ever was fixed. Zone2sql required the inclusion of unistd.h, except on Debian unstable.
  • PowerDNS tried to listen on its control “pipe” which does not work. Probably harmless, but might have caused some oddities.
  • The Packet Cache did not always set its TTL immediately, causing some packets to be inserted, even when running with the cache disabled (Mark Bergsma).
  • Valgrind found some uninitialized reads, causing bogus values in the priority field when it was not needed.
  • Valgrind found a bug in MTasker where we used delete instead of delete[].
  • SOA serials and other parameters are unsigned. This means that very large SOA serial numbers would be messed up (Michel Stol, Stefano Straus)
  • PowerDNS left its controlsocket around after exit and reported confusing errors if a socket was already in use.
  • The recursor proxy did not work on big endian systems like SPARC and some MIPS processors (Remco Post)
  • We no longer dump core on processing LOC records on UltraSPARC (Andrew Mulholland supplied a testing machine)

Improvements

  • MySQL can now connect to a specified port again (Chris Anderton).
  • When running chroot()ed and with master or slave support active, PowerDNS needs to resolve domain names to find slaves. This in turn may require access to certain libraries. Previously, these needed to be available in the chroot directory but by forcing an initial lookup, these libraries are now loaded before the chrooting.
  • pdns_recursor was very slow after having done a larger number of queries because of the checks to see if a query should be throttled. This is now done using a set which is a lot faster than the previous full sequential scan.
  • The throttling code may not have throttled as much as was configured.
  • Yet another big LDAP update. The LDAP backend now load balances connections over several hosts (Norbert Sendetzky)
  • Updated b.root-servers.net address in the recursor

Version 2.9.15

This release fixes up some of the shortcomings in 2.9.14, and adds some new features too.

Bugfixes

  • allow-recursion-override was on by default, it was meant to be off.
  • Logging was still off in daemon mode, fixed.
  • debian/rules forgot to build an sqlite package
  • Recursor accidentally linked in MySQL - this was the result of an experiment with a persistent recursor cache.
  • The PowerDNS recursor had stability problems. It now sorts nameservers (roughly) by responsiveness. The ‘roughly’ part upset the sorting algorithm used, the speeds being sorted on changed during sorting.
  • The recursor now outputs the nameserver average response times in trace mode
  • LDAP compiles again.

Improvements

  • zone2sql can now accept - as a file name which causes it to read stdin. This allows the following to work: dig axfr example.org | zone2sql --gmysql --zone=- | mysql pdns, which is a nice way to import a zone.
  • zone2sql now ignores duplicate SOA records which are identical - which also makes the above possible.
  • Remove libpqpp dependencies - since we now use the native C API for PostgreSQL

Version 2.9.14

Big release with the fix for the all important 2^30 seconds problem and a lot of other news.

  • errno problems would cause compilation problems when using LDAP (Norbert Sendetzky)
  • The Generic SQL backend could cause crashes on PostgreSQL when using pdns_control notify (Georg Bauer)
  • Debian compatible init.d script (Wichert Akkerman)
  • If using the master or slave features, pdns had the notion of eternity ending in 2038, except that due to a thinko, eternity ended out to be the 10th of January 2004. This caused a loop to timeout immediately. Many thanks to Jasper Spaans for spotting the bug within five minutes.
  • Parts of the SOA field were not canonicalized.
  • The loglevel could in fact cause nothing to be logged (Norbert Sendetzky)

Improvements

  • The recursor now chooses the fastest nameserver, which causes a big speedup!
  • LDAP now has different lookup models
  • Cleanups, better load distribution, better exception handling, zone2ldap improvements
  • The recursor was somewhat chatty about TCP connections
  • PostgreSQL now only depends on the C API and not on the deprecated C++ one
  • PowerDNS can now fully overrule external zones when doing recursion. See Recursion.

Version 2.9.13

Big news! Windows is back! Our great friend Michel Stol found the time to update the PowerDNS code so it works again under windows.

Furthermore, big thanks go out to Dell who quickly repaired my trusty laptop.

His changes

  • Generic SQLite support added
  • Removed the ODBC backend, replaced it by the Generic ODBC Backend, which has all the cool configurability of the Generic MySQL and PostgreSQL backends.
  • The PowerDNS Recursor now runs as a Service. It defaults to running on port 5300, PowerDNS itself is configured to expect the Recursor on port 5300 now.
  • The PowerDNS Service is now known as ‘PowerDNS’ to Windows.
  • The Installer was redone, this time with NSIS2.
  • General updates and fixes.

Other news

Note: There appears to be a problem with PowerDNS on Red Hat 7.3 with GCC 2.96 and self-compiled binaries. The symptoms are that PowerDNS works on the foreground but fails as a daemon. We’re working on it.

If you do note problems, let the list know, if you don’t, please do so as well. Tell us if you use the RPM or compiled yourself.

It is known that not compiling in MySQL support helps solve the problem, but then you don’t have MySQL.

There have been a number of reports on MySQL connections being dropped on FreeBSD 4.x, which sometimes causes PowerDNS to give up and reload itself. To combat this, MySQL error messages have been improved in some places in hopes of figuring out what is up. The initial indication is that MySQL itself sometimes terminates the connection and, amazingly, that switching to a Unix domain socket instead of TCP solves the problem.

Bug fixes

  • allow-axfr-ips did not work for individual IP addresses (bug & fix by Norbert Sendetzky)

Improvements

  • Opteron support! Thanks to Jeff Davey for providing a shell on an Opteron. The fixes should also help PowerDNS on other platforms with a 64 bit userspace.

    Btw, the PowerDNS team has a strong desire for an Opteron :-)

  • pdns_recursor jumbles answers now. This means that you can do poor man’s round robin by supplying multiple A, MX or AAAA records for a service, and get a random one on top each time. Interestingly, this feature appeared out of nowhere, this change was made to the authoritative code but due to the wonders of code-reuse had an effect on pdns_recursor too.

  • Big LDAP cleanup. Support for TLS was added. Zone2LDAP also gained the ability to generate ldif files containing a tree or a list of entries. (Norbert Sendetzky)

  • Zone2sql is now somewhat clearer when reporting malformed line errors - it did not always include the name of the file causing a problem, especially for big installations. Problem noted by Thom May.

  • pdns_recursor now survives the expiration of all its root records, most often caused by prolonged disconnection from the net.

Version 2.9.12

Release rich in features. Work on Verisign oddities, addition of SQLite backend, pdns_recursor maturity.

New features

  • --version command (requested by Mike Benoit)
  • delegation-only, a Verisign special.
  • Generic SQLite support, by Michel ‘Who da man?’ Stol. See Generic SQLite backend.
  • init.d script for pdns_recursor
  • Recursor now actually purges its cache, saving memory.
  • Slave configuration now no longer falls over when presented with a NULL master
  • Bindbackend2 now has supermaster support (Mark Bergsma, untested)
  • Answers are now shuffled! It turns out a few recursors don’t do shuffling (pdns_recursor, djbdns), so we do it now. Requested by Jorn Ekkelenkamp of ISP-Services. This means that if you have multiple IP addresses for one host, they will be returned in differing order every once in a while.

Bugs

  • 0.0.0.0/0 didn’t use to work (Norbert Sendetzky)
  • pdns_recursor would try to resolve the IP address to bind to, potentially causing a chicken/egg problem
  • gpgsql no longer reports as gmysql (Sherwin Daganoto)
  • SRV would not be parsed right from disk (Christof Meerwald)
  • An AXFR from a zone hosted on the LDAP backend no longer transmits all the reverse entries too (Norbert Sendetzky)
  • PostgreSQL backend now does error checking. It would be a bit too trusting before.

Improvements, cleanups

  • PowerDNS now reports the numerical IP addresses it binds to instead of the, possibly, alphanumeric names the operator passed.
  • Removed only-soa hackery (noticed by Norbert Sendetzky)
  • Debian packaging fixes (Wichert Akkerman)
  • Some parameter descriptions were improved.
  • Cleanups by Norbert: getAuth moved to chopOff, arguments::contains massive cleanup, more.

Version 2.9.11

Yet another iteration, hopefully this will be the last silly release.

Warning: There has been a change in behaviour whereby disable-axfr does what it means now! From now on, setting allow-axfr-ips automatically disables AXFR from unmentioned subnets.

This release enables AXFR again, disable-axfr did the opposite of what it claimed. Furthermore, the pdns_recursor now cleans its cache, which should save some memory in the long run. Norbert contributed some small LDAP work which should come in useful in the future.

Version 2.9.10

Small bugfixes, LDAP update. Released 3rd of July 2003. Apologies for the long delay, real life keeps interfering.

Warning: Do not use or try to use 2.9.9, it was a botched release!

Warning: There has been a change in behaviour whereby disable-axfr does what it means now! From now on, setting allow-axfr-ips automatically disables AXFR from unmentioned subnets.

  • 2.9.8 was prone to crash on adding additional records. Thanks to excellent debugging by PowerDNS users worldwide, the bug was found quickly and is in fact present in all earlier PowerDNS releases, but for some reason doesn’t cause crashes there.
  • Notifications now jump in front of the queue of domains that need to be checked for changes, giving much greater perceived performance. This is needed if you have tens of thousands of slave domains and your master server is on a high latency link. Thanks to Mark Jeftovic of EasyDNS for suggesting this change and testing it on their platform.
  • Dean Mills reported that PowerDNS does confusing logging about changing GIDs and UIDs, fixed. Cosmetic only.
  • pdns_recursor may have logged empty lines for some users, fixed. Solution suggested by Norbert Sendetzky.
  • LDAP: DNS TTLs were random values (Norbert Sendetzky, Stefan Pfetzing). New ldap-default-ttl option.
  • LDAP: Now works with OpenLDAP 2.1 (Norbert Sendetzky)
  • LDAP: error handling for invalid MX records implemented (Norbert Sendetzky)
  • LDAP: better exception handling (Norbert Sendetzky)
  • LDAP: code cleanup of lookup() (Norbert Sendetzky)
  • LDAP: added support for scoped searches (Norbert Sendetzky)

Version 2.9.8

Queen’s day release! 30th of April 2003.

Added support for AIX, fixed negative SOA caching. Some other cleanups. Not a major release but enough reasons to upgrade.

Bugs fixed

  • Recursor had problems expiring negatively cached entries, which wasted memory and also led to the continued non-existence of hosts that since had come into existence.
  • The Generic SQL backends did not lowercase the names of records, which led to new records not being found by case-sensitive databases (notably PostgreSQL). Found by Volker Goetz.
  • NS queries for zones for which we did not carry authority, but only had delegation information, had their NS records in the wrong section. Minor detail, but a standards violation nonetheless. Spotted by Stephane Bortzmeyer.

Improvements

  • Removed crypt.h dependency from powerldap.hh, which was a problem on some platforms (Richard Arends)
  • PowerDNS can’t parse so called binary labels which we now detect and ignore, after printing a warning.
  • Specifying allow-axfr-ips now automatically disables AXFR for all non-mentioned addresses.
  • A Solaris ready init.d script is now part of the tar.gz (contributed, but I lost by whom).
  • Added some fixes so PowerDNS can work on AIX (spotted by Markus Heimhilcher).
  • Norbert Sendetzky contributed zone2ldap.
  • Everybody’s favorite compiler warning from zone2sql.cc was removed!
  • Recursor now listens on TCP!

Version 2.9.7

Released on 2003-03-20.

This is a sweeping release in the sense of cleanup. There are some new features but mostly a lot of cleanup going on. Hiding inside is the bind2backend, the next generation of the bind backend. A work in progress. Those of you with overlapping zones, as mentioned in the changelog of 2.9.6, are invited to check it out by replacing launch=bind by launch=bind2 and renaming all bind- parameters to bind2-. Be aware that if you run with many small zones, this backend is faster, but if you run with a few large ones, it is slower. This will improve.

Features

  • Mark Bergsma contributed query-local-address which allows the operator to select which source address to use. This is useful on servers with multiple source addresses and the operating system selecting an unintended one, leading to remotes denying access.
  • PowerDNS can now perform AAAA additional processing optionally, turned on by setting do-ipv6-additional-processing. Thanks to Stephane Bortzmeyer for pointing out the need.
  • Bind2backend, which is almost in compliance with the new IETF AXFR-clarify (some would say ‘redefinition’) draft. This backend is not ready for primetime but you may want to try it if you currently have overlapping zones and note problems. An overlapping zone would be having “ipv6.powerdns.com” and “powerdns.com” zones on one server.

Improvements

  • Zone2sql would happily try to read from a directory and not give a useful error about this.
  • PowerDNS now reports the case where it can’t figure out any IP address of slave nameservers for a zone
  • Removed receiver-threads setting which was experimental and in fact only made things worse.
  • LDAP backend updates from its author Norbert Sendetzky. Reverse lookups should work now too.
  • An error message about unparsable packets did not include the originating IP address (fixed by Mark Bergsma)
  • PowerDNS can now be started via path resolution while running with a guardian. Suggested by Maurice Nonnekes.
  • pdns_recursor moved to sbin (reported by Norbert Sendetzky)
  • Retuned some logger errorlevels, a lot of master/slave chatter was logged as ‘Error’. Reported by Willem de Groot.

Bugs fixed

  • zone2sql did not remove trailing dots in SOA records.
  • ldapbackend did not include utility.hh which caused compilation problems on Solaris (reported by Remco Post)
  • pdns_control could leave behind remnants in case PowerDNS was not running (reported by dG)
  • Incoming AXFR did not work on Solaris and other big-endian systems (Willem de Groot helped debugging this long-standing problem).
  • Recursor could crash on convoluted CNAME loops. Thanks to Dan Faerch for delivering core dumps.
  • Silly ‘wuh’ debugging output in zone2sql and bindbackend removed (spotted by Ivo van der Wijk).
  • Recursor neglected to differentiate between negative cache of NXDOMAIN and NOERROR, leading to problems with IPv6 enabled Windows clients. Thanks to Stuart Walsh for reporting this and testing the fix.
  • PowerDNS set the ‘aa’ bit on serving NS records in a zone for which it was authoritative. Most implementations drop the ‘aa’ bit in this case and Stephane Bortzmeyer informed us of this. PowerDNS now also drops the ‘aa’ bit in this case.
  • The webserver tended to fail after prolonged operation on FreeBSD, this was due to an uninitialised timeout, other platforms were lucky. Thanks to G.P. de Boer for helping debug this.
  • getAnswers() in dnspacket.cc could be forced to read bytes beyond the end of the packet, leading to crashes in the PowerDNS recursor. This is an ongoing project that needs more work. Reported by Dan Faerch, with a core dump proving the problem.

Version 2.9.6

Two new backends - Generic ODBC (windows only) and LDAP. Furthermore, a few important bugs have been fixed which may have hampered sites seeing a lot of outgoing zone transfers. Additionally, the pdns recursor now has ‘query throttling’ which is pretty cool. In short this makes sure that PowerDNS does not send out heaps of queries if a nameserver is unable to provide an answer. Many operators of authoritative setups are all too aware of recursing nameservers that hammer them for zones they don’t have, PowerDNS won’t do that anymore now, no matter what clients request of it.

Warning: There is an unresolved issue with the BIND backend and ‘overlapping’ slave zones. So if you have ‘example.com’ and also have a separate slave zone called ‘external.example.com’, things may go wrong badly. Thanks to Christian Laursen for working with us a lot in finding this issue. We hope to resolve it soon.

  • BIND Backend now honours notifies, code to support this was accidentally left out. Thanks to Christian Laursen for noticing this.
  • Massive speedup for those of you using the slightly deprecated MBOXFW records. Thanks to Jorn of ISP Services for helping and testing this improvement.
  • $GENERATE had an off-by-one bug where it would omit the last record to be generated (Christian Laursen)
  • Simultaneous AXFRs may have been problematic on some backends. Thanks to Jorn of ISP-Services again for helping us resolve this issue.
  • Added LDAP backend by Norbert Sendetzky, see LDAP Backend.
  • Added Generic ODBC backend for Windows by Michel Stol.
  • Simplified ‘out of zone data’ detection in incoming AXFR support, hopefully removing a case sensitivity bug there. Thanks again to Christian Laursen for reporting this issue.
  • $include in-zonefile was broken under some circumstances, losing the last character of a file name. Thanks to Joris Vandalon for noticing this.
  • The zone parser was more case-sensitive than BIND, refusing to accept ‘in’ as well as ‘IN’. Thanks to Joris Vandalon for noticing this.

Version 2.9.5

Released on 2002-02-03.

This version is almost entirely about recursion with major changes to both the pdns recursor, which is renamed to ‘pdns_recursor’ and to the main PowerDNS binary to make it interact better with the recursing component.

Sadly, due to technical reasons, compiling the pdns recursor and pdns authoritative nameserver into one binary is not immediately possible. During the release of 2.9.4 we stated that the recursing nameserver would be integrated in the next release - this won’t happen now.

However, this turns out to not be that bad at all. The recursor can now be restarted without having to restart the rest of the nameserver, for example. Cooperation between both halves of PowerDNS is also almost seamless. As a result, ‘non-lazy recursion’ has been dropped. See Recursion for more details.

Furthermore, the recursor only works on Linux, Windows and Solaris (not entirely). FreeBSD does not support the required functions. If you know any important FreeBSD people, plead with them to support set/get/swapcontext! Alternatively, FreeBSD coders could read the solution presented here in figure 5.

The ‘Contributor of the Month’ award goes to Mark Bergsma who has responded to our plea for help with the label compressor and contributed a wonderfully simple and right fix that allows PowerDNS to compress just as well as other nameservers out there. An honorary mention goes to Ueli Heuer who, despite having no C++ experience, submitted an excellent SRV record implementation.

Excellent work was also performed by Michel Stol, the Windows guy, in fixing all our non-portable stuff again. Christof Meerwald has also done wonderful work in porting MTasker to Windows, which was then used by Michel to get the recursor functioning on Windows.

Other changes

  • dnspacket.cc was cleaned up by factoring out common operations
  • Heaps of work on the recursing nameserver. Has now achieved days of uptime!
  • Recursor renamed from syncres to pdns_recursor
  • PowerDNS can now serve records it does not know about. To benefit from this slightly undocumented feature, add 1024 to the numerical type of a record and include the record in binary form in your database. Used internally by the recursing nameserver but you can use it too.
  • PowerDNS now knows about SIG and KEY record names. It does not support them yet but can at least report so now.
  • HINFO records can now be transferred from a master to PowerDNS (thanks to Ueli Heuer for noticing it didn’t work).
  • Yet more UltraSPARC alignment issues fixed (Chris Andrews).
  • Dropped non-lazy recursion, nobody was using it. Lazy recursion became even more lazy after Dan Bernstein pointed out that additional processing is not vital, so PowerDNS does its best to do additional processing on recursive queries, but does not scream murder if it does not succeed. Due to caching, the next identical query will be successfully additionally processed.
  • Label compression was improved so we can now fit all . records in 436 bytes, this used to be 460! (Code & formal proof of correctness by Mark Bergsma).
  • SRV support (incoming and outgoing), submitted by Ueli Heuer.
  • Generic backends do not support SOA serial autocalculation, it appears. Could lead to random SOA serials in case of a serial of 0 in the database. Fixed so that 0 stays zero in that case. Don’t set the SOA serial to 0 when using Generic MySQL or Generic PostgreSQL!
  • J root-server address was updated to its new location.
  • SIGUSR1 now forces the recursor to print out statistics to the log.
  • Meaning of recursor logging was changed a bit - a cache hit is now a question that was answered with 0 outgoing packets needed. Used to be a weighted average of internal cache hits.
  • MySQL compilation did not include -lz which causes problems on some platforms. Thanks to James H. Cloos Jr for reporting this.
  • After a suggestion by Daniel Meyer and Florus Both, the built in webserver now reports the configuration name when multiple PowerDNS instances are active.
  • Brad Knowles noticed that zone2sql had problems with the root.zone, fixed. This also closes some other zone2sql annoyances with converting single zones.

Version 2.9.4

Yet another grand release. Big news is the addition of a recursing nameserver which has sprung into existence over the past week. It is in use on several computers already but it is not ready for prime time. Complete integration with PowerDNS is expected around 2.9.5, for now the recursor is a separate program.

In preliminary tests, the recursor appears to be four times faster than BIND 9 on a naive benchmark starting from a cold cache. BIND 9 managed to get through to some slower nameservers however, which were given up on by PowerDNS. We will continue to tune the recursor. See PowerDNS Recursor for further details.

The BIND Backend has also been tested (see the bind-domain-status item below) rather heavily by several parties. After some discussion online, one of the BIND authors ventured that the newsgroup comp.protocols.dns.bind may now in fact be an appropriate venue for discussing PowerDNS. Since this discussion, traffic to the PowerDNS pages has increased sixfold and shows no signs of slowing down.

From this, it is apparent that far more people are interested in PowerDNS than yet know about it. So spread the word!

In other news, we now have a security page at Security. Furthermore, Maurice Nonnekes contributed an OpenBSD port! See his page for more details!

New features and improvements

  • All SQL queries in the generic backends are now available for configuration. (Martin Klebermass, Bert Hubert). See Generic SQL backends.
  • A recursing nameserver! See PowerDNS Recursor.
  • An incoming AXFR now only starts a backend zone replacement transaction after the first record arrived successfully, thus making sure no work is done when a remote nameserver is unable/unwilling to AXFR a zone to us.
  • Zone parser error messages were improved slightly (thanks to Stef van Dessel for spotting this shortcoming)
  • XS4ALL’s Erik Bos checked how PowerDNS reacted to a BIND installation with almost 60.000 domains, some of which with >100.000 records, and he discovered the pdns_control bind-domain-status command became very slow with larger numbers of domains. Fixed, 60.000 domains are now listed in under one second.
  • If a remote nameserver disconnects during an incoming AXFR, the update is now rolled back, unless the AXFR was properly terminated.
  • The migration chapter mentioned the use of deprecated backends.

A tremendous number of bugs were discovered and fixed

  • Zone parser would only accept $include and not $INCLUDE
  • Zone parser had problems with $lines with comments on the end
  • Wildcard ANY queries were broken (thanks Colemarcus for spotting this)
  • A connection failure with the Generic backends would lead to a powerdns reload (cast of many)
  • Generic backends had some semantic problems with slave support. Symptoms were oft-repeated notifications and transfers (thanks to Mark Bergsma for helping resolve this).
  • Solaris version compiles again. Thanks to Mohamed Lrhazi for reporting that it didn’t.
  • Some UltraSPARC alignment fixes. Thanks to Mohamed Lrhazi for being helpful in spotting these. One problem is still outstanding, Mohamed sent a core dump that tells us where the problem is. Expect the fix to be in 2.9.5. Volunteers can grep the source for ‘UltraSPARC’ to find where the problem is.
  • Our support of IPv6 on FreeBSD had phase of moon dependent bugs, fixed by Peter van Dijk.
  • Some crashes of and by pdns_control were fixed, thanks to Mark Bergsma for helping resolve these.
  • Outgoing AXFR in pdns installations with multiple loaded backends was broken (thanks to Stuart Walsh for reporting this).
  • A failed BIND Backend incoming AXFR would block the zone until it succeeded again.
  • Generic PostgreSQL backend wouldn’t compile with newer libpq++, fixed by Julien Lemoine/SpeedBlue.
  • Potential bug (not observed) when listening on multiple interfaces fixed.
  • Some typos in manpages fixed (reported by Marco Davids).

Version 2.9.3a

Note: 2.9.3a is identical to 2.9.3 except that zone2sql does work

Broad range of huge improvements. We now have an all-static .rpm and .deb for Linux users and a link to an OpenBSD port. Major news is that work on the Bind backend has progressed to the point that we’ve just retired our last Bind server and replaced it with PowerDNS in Bind mode! This server is operating a number of master and slave setups so it should stress the Bind backend somewhat.

This version is rapidly approaching the point where it is a better-Bind-than-Bind and nearly a drop-in replacement for authoritative setups. PowerDNS is now equipped with a powerful master/slave apparatus that offers a lot of insight and control to the user, even when operating from Bind zone files and a Bind configuration. Observe.

After the SOA of example.org was raised

pdns[17495]: All slave domains are fresh
pdns[17495]: 1 domain for which we are master needs notifications
pdns[17495]: Queued notification of domain 'example.org' to 195.193.163.3
pdns[17495]: Queued notification of domain 'example.org' to 213.156.2.1
pdns[17520]: AXFR of domain 'example.org' initiated by 195.193.163.3
pdns[17520]: AXFR of domain 'example.org' to 195.193.163.3 finished
pdns[17521]: AXFR of domain 'example.org' initiated by 213.156.2.1
pdns[17521]: AXFR of domain 'example.org' to 213.156.2.1 finished
pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged)
pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged)
pdns[17495]: No master domains need notifications

If however our slaves would ignore us, as some are prone to do, we can send some additional notifications

$ sudo pdns_control notify example.org
Added to queue
pdns[17492]: Notification request for domain 'example.org' received
pdns[17492]: Queued notification of domain 'example.org' to 195.193.163.3
pdns[17492]: Queued notification of domain 'example.org' to 213.156.2.1
pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged)
pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged)

Conversely, if PowerDNS needs to be reminded to retrieve a zone from a master, a command is provided

$ sudo pdns_control retrieve forfun.net
Added retrieval request for 'forfun.net' from master 212.187.98.67
pdns[17495]: AXFR started for 'forfun.net', transaction started
pdns[17495]: Zone 'forfun.net' (/var/cache/bind/forfun.net) reloaded
pdns[17495]: AXFR done for 'forfun.net', zone committed

Also, you can force PowerDNS to reload a zone from disk immediately with pdns_control bind-reload-now. All this happens ‘live’, per your instructions. Without instructions, the right things also happen, but the operator is in charge.

For more about all this coolness, see “pdns_control” and “pdns_control commands”.

Warning: Again some changes in compilation instructions. The hybrid pgmysql backend has been split up into ‘gmysql’ and ‘gpgsql’, sharing a common base within the PowerDNS server itself. This means that you can no longer compile --with-modules="pgmysql" --enable-mysql --enable-pgsql but that you should now use: --with-modules="gmysql gpgsql". The old launch-names remain available.

If you launch the Generic PostgreSQL backend as gpgsql2, all parameters will have gpgsql2 as a prefix, for example gpgsql2-dbname. If launched as gpgsql, the regular names are in effect.

Warning: The pdns_control protocol was changed which means that older pdns_controls cannot talk to 2.9.3. The other way around is broken too. This may lead to problems with automatic upgrade scripts, so pay attention if your daemon is truly restarted.

Also make sure no old pdns_control command is around to confuse things.

Improvements

  • Bind backend can now deal with missing files and try to find them later.
  • Bind backend is now explicitly master capable and triggers the sending of notifications.
  • General robustness improvements in Bind backend - many errors are now non-fatal.
  • Accessibility, Serviceability. New pdns_server commands like bind-list-rejects (lists zones that could not be loaded, and the reason why), bind-reload-now (reload a zone from disk NOW), rediscover (reread named.conf NOW). More is coming up.
  • Added support for retrieving RP (Responsible Person) records from remote masters. Serving them was already possible.
  • Added support for LOC records, which encode the geographical location of a host, both serving and retrieving (thanks to Marco Davids using them on our last Bind server, forcing us to implement this silly record).
  • Configuration file parser now strips leading spaces too, allowing “chroot= /tmp” to work, as well as “chroot=/tmp” (Thanks to Hub Dohmen for reporting this for months on end).
  • Added bind-domain-status command that shows the status of all domains (when/if they were parsed, any errors encountered while parsing them).
  • Added bind-reload-now command that tries to reload a zone from disk NOW, and reports back errors to the operator immediately.
  • Added retrieve command that queues a request to retrieve a zone from its master.
  • Zones retrieved from masters are now stored way smaller on disk because the domain is stripped from records, which is derived from the configuration file. Retrieved zones are now prefixed with some information on where they came from.

Changes

  • gpgsql and gmysql backends split out of the hybrid pgmysqlbackend. This again changed compilation instructions!
  • pdns_control now uses the rarely seen SOCK_STREAM Unix Domain socket variety so it can transport large amounts of text, which is needed for the bind-domain-status command, for which see Pdns_control commands. This breaks compatibility with older pdns_control and pdns_server binaries!
  • Bind backend now ignores ‘hint’ and ‘forward’ and other unsupported zone types.
  • AXFRs are now logged more heavily by default. An AXFR is a heavy operation anyhow, some more logging does not further increase the load materially. Does help in clearing up what slaves are doing.
  • A lot of master/slave chatter has been silenced, making output more relevant. No more repetitive ‘No master domains need notifications’ etc, only changes are reported now.

Bugfixes

  • Windows version did not compile without minor changes.
  • Confusing error reporting on Windows 98 (which does not support PowerDNS) fixed
  • Potential crashes with shortened packets addressed. An upgrade is advised!
  • notify (which was already there, just badly documented) no longer prints out debugging garbage.
  • pgmysql backend had problems launching when not compiled in but available as a module. Workaround for 2.9.2 is ‘load-modules=pgmysql’, but even then gpgsql would not work! gmysql would then, however. These modules are now split out, removing such issues.

Version 2.9.2

Bugfixes galore. Solaris porting created some issues on all platforms. Great news is that PowerDNS is now in Debian ‘sid’ (unstable). The 2.9.1 packages in there currently aren’t very good but the 2.9.2 ones will be. Many thanks to Wichert Akkerman, our ‘downstream’ for making this possible.

Warning: The Generic MySQL backend, part of the Generic MySQL & PostgreSQL backend, is now the DEFAULT! The previous default, the ‘mysql’ backend (note the lack of ‘g’) is now DEPRECATED. This was the source of much confusion. The ‘mysql’ backend does not support MASTER or SLAVE operation. The Generic backends do.

To get back the mysql backend, add --with-modules="mysql" or --with-dynmodules="mysql" if you prefer to load your modules at runtime.

Bugs fixed

  • Silly debugging output removed from the webserver (found by Paul Wouters)
  • SEVERE: due to Solaris portability fixes, qtypes<127 were broken. These include NAPTR, ANY and AXFR. The upshot is that powerdns wasn’t performing outgoing AXFRs nor ANY queries. These were the ‘question for type -1’ warnings in the log
  • incoming AXFR could theoretically miss some trailing records (not observed, but could happen)
  • incoming AXFR did not support TXT records (spotted by Paul Wouters)
  • with some remotes, an incoming AXFR would not terminate until a timeout occurred (observed by Paul Wouters)
  • Documentation bug, pgmysql != mypgsql

Documentation

Features

  • pdns init.d script is now +x by default
  • OpenBSD is on its way of becoming a supported platform! As of 2.9.2, PowerDNS compiles on OpenBSD but swiftly crashes. Help is welcome.
  • ODBC backend (for Windows only) was missing from the distribution, now added.
  • xdb backend added. Designed for use by root-server operators.
  • Dynamic modules are back, which is good news for distributors who want to make a pdns package that does not depend on every database under the sun.

Version 2.9.1

Thanks to the great enthusiasm from around the world, powerdns is now available for Solaris and FreeBSD users again! Furthermore, the Windows build is back. We are very grateful for the help of

  • Michel Stol
  • Wichert Akkerman
  • Edvard Tuinder
  • Koos van den Hout
  • Niels Bakker
  • Erik Bos
  • Alex Bleker
  • Steven Stillaway
  • Roel van der Made
  • Steven Van Steen

We are happy to have been able to work with the open source community to improve PowerDNS!

Changes

  • The monitor command set no longer allows the changing of nonexistent variables.
  • IBM Universal Database DB2 backend now included in source distribution (untested!)
  • Oracle backend now included in source distribution (slightly tested!)
  • configure script now searches for postgresql and mysql includes
  • Bind parser now no longer dies on records with a ‘ in them (Erik Bos)
  • The pipebackend was accidentally left out of 2.9
  • FreeBSD fixes (with help from Erik Bos, Alex Bleeker, Niels Bakker)
  • Heap of Solaris work (with help from Edvard Tuinder, Stefan Van Steen, Koos van den Hout, Roel van der Made and especially Mark Bakker). Now compiles in 2.7 and 2.8, haven’t tried 2.9. May be a bit dysfunctional on 2.7 though - it won’t do IPv6 and it won’t serve AAAA. Patches welcome!
  • Windows 32 build is back! Michel Stol updated his earlier work to the current version.
  • S/Linux (Linux on Sparc) build works now (with help from Steven Stillaway).
  • Silly debugging message (‘sd.ttl from cache’) removed
  • .deb files are back, hopefully in ‘sid’ soon! (Wichert Akkerman)
  • Removal of bzero and other less portable constructs. Discovered that recent Linux glibc’s need -D_GNU_SOURCE (Wichert Akkerman).

Version 2.9

Open source release. Do not deploy unless you know what you are doing. Stability is expected to return with 2.9.1, as are the binary builds.

  • License changed to the GNU General Public License version 2.
  • Cleanups by Erik Bos @ xs4all.
  • Build improvements by Wichert Akkerman
  • Lots of work on the build system, entirely revamped. By PowerDNS.

Version 2.8

From this release onwards, we’ll concentrate on stabilising for the 3.0 release. So if you have any must-have features, let us know soonest. The 2.8 release fixes a bunch of small stability issues and adds two new features. In the spirit of the move to stability, this release has already been running 24 hours on our servers before release.

  • pipe backend gains the ability to restrict its invocation to a limited number of requests. This allows a very busy nameserver to still serve packets from a slow perl backend.
  • pipe backend now honors query-logging, which also documents which queries were blocked by the regex.
  • pipe backend now has its own backend chapter.
  • An incoming AXFR timeout at the wrong moment had the ability to crash the binary, forcing a reload. Thanks to our bug spotting champions Mike Benoit and Simon Kirby of NetNation for reporting this.

Version 2.7 and 2.7.1

This version fixes some very long-standing issues and adds a few new features. If you are still running 2.6, upgrade yesterday. If you were running 2.6.1, an upgrade is still strongly advised.

Features

  • The controlsocket is now readable and writable by the ‘setgid’ user. This allows for non-root access to PowerDNS which is nice for mrtg or cricket graphs.
  • MySQL backend (the non-generic one) gains the ability to read from a different table using the mysql-table setting.
  • pipe backend now has a configurable timeout using the pipe-timeout setting. Thanks to Steve Bromwich for pointing out the need for this.
  • Experimental backtraces. If PowerDNS crashes, it will log a lot of numbers and sometimes more to the syslog. If you see these, please report them to us. Only available under Linux.

Bugs

  • 2.7 briefly broke the mysql backend, so don’t use it if you use that. 2.7.1 fixes this.
  • SOA records could sometimes have the wrong TTL. Thanks to Jonas Daugaard for reporting this.
  • An ANY query might lead to duplicate SOA records being returned under exceptional circumstances. Thanks to Jonas Daugaard for reporting this.
  • Underlying the above bug, packet compression could sometimes suddenly be turned off, leading to overly large responses and non-removal of duplicate records.
  • The allow-axfr-ips setting did not accept IP ranges (192.0.2.0/24) which the documentation claimed it did (thanks to Florus Both of Ascio technologies for being sufficiently persistent in reporting this).
  • Killed backends were not being respawned, leading to suboptimal behaviour on intermittent database errors. Thanks to Steve Bromwich for reporting this.
  • Corrupt packets during an incoming AXFR when acting as a slave would cause a PowerDNS reload instead of just failing that AXFR. Thanks to Mike Benoit and Simon Kirby of NetNation for reporting this.
  • Label compression in incoming AXFR had problems with large offsets, causing the above mentioned errors. Thanks to Mike Benoit and Simon Kirby of NetNation for reporting this.

Version 2.6.1

Quick fix release for a big cache problem.

Version 2.6

Performance release. A lot of work has been done to raise PowerDNS performance to staggering levels in order to take part in benchmarketing efforts. Together with our as yet unnamed partner, PowerDNS has been benchmarked at 60.000 mostly cached queries/second on off the shelf PC hardware. Uncached performance was 17.000 uncached DNS queries/second on the .ORG domain.

Performance has been increased by both making PowerDNS itself quicker but also by lowering the number of backend queries typically needed. Operators will typically see PowerDNS taking less CPU and the backend seeing less load.

Furthermore, some real bugs were fixed. A couple of undocumented performance switches may appear in --help output but you are advised to stay away from these.

Developers: this version needs the pdns-2.5.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Backend writers’ guide.

Performance

  • A big error in latency calculations - cached packets were weighed 50 times less, leading to inflated latency reporting. Latency calculations are now correct and way lower - often in the microseconds range.
  • It is now possible to run with 0 second cache TTLs. This used to cause very frequent cache cleanups, leading to performance degradation.
  • Many tiny performance improvements, removing duplicate cache key calculations, etc. The cache itself has also been reworked to be more efficient.
  • First ‘CNAME’ backend query replaced by an ‘ANY’ query, which most of the time returns the actual record, preventing the need for a separate CNAME lookup, halving query load.
  • Much of the same for same-level-NS records on queries needing delegation.

Bugs fixed

  • Incidentally, the cache count would show ‘unknown’ packets, which was harmless but confusing. Thanks to Mike and Simon of NetNation for reporting this.
  • SOA hostmaster with a . in the local-part would be cached wrongly, leading to a stray backslash in case of multiple successive SOA queries. Thanks to Ascio Technologies for spotting this bug.
  • zone2sql did not parse Verisign zone files correctly as these contained a $TTL statement in mid-record.
  • Sometimes packets would not be accounted, leading to ‘udp-queries’ and ‘udp-answers’ divergence.

Features

  • ‘cricket’ command added to init.d scripts that provides unadorned output for parsing by ‘Cricket’.

Version 2.5.1

Brown paper bag release fixing a huge memory leak in the new Query Cache.

Developers: this version needs the new pdns-2.5.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Backend writers’ guide.

And some small changes

  • Added support for RFC 2308 compliant negative-answer caching. This allows remotes to cache the fact that a domain does not exist and will not exist for a while. Thanks to Chris Thompson for pointing out how tiny our minds are. This feature may cause a noticeable reduction in query load.
  • Small speedup to non-packet-cached queries, incidentally fixing the huge memory leak.
  • pdns_control ccounts command outputs statistics on what is in the cache, which is useful to help optimize your caching strategy.

Version 2.5

An important release which has seen quite a lot of trial and error testing. As a result, PowerDNS can now run with a huge cache and concurrent invalidations. This is useful when running off a slower database or under high traffic load with a fast database.

Furthermore, the gpgsql2 backend has been validated for use and will soon supplant the gpgsql backend entirely. This also bodes well for the gmysql backend which is the same code.

Also, a large amount of issues biting large scale slave operators were addressed. Most of these issues would only show up after prolonged uptime.

New features

  • Query cache. The old Packet Cache only cached entire questions and their answers. This is very CPU efficient but does not lead to maximum hitrate. Two packets both needing to resolve smtp.you.com internally would not benefit from any caching. Furthermore, many different DNS queries lead to the same backend queries, like ‘SOA for .COM?’.

    PowerDNS now also caches backend queries, but only those having no answer (the majority) and those having one answer (almost the rest).

    In tests, these additional caches appear to halve the database backend load numerically and perhaps even more in terms of CPU load. Often, queries with no answer are more expensive than those having one.

    The default TTLs for the query-cache and negquery-cache are set to safe values (20 and 60 seconds respectively); you should be seeing an improvement in behaviour without sacrificing a lot in terms of quick updates.

    The webserver also displays the efficiency of the new Query Cache.

    The old Packet Cache is still there (and useful) but see Authoritative Server Performance for more details.

  • There is now the ability to shut off some logging at a very early stage. High performance sites doing thousands of queries/second may in fact spend most of their CPU time on attempting to write out logging, even though it is ignored by syslog. The new flag log-dns-details, on by default, allows the operator to kill most informative-only logging before it takes any cpu.

  • Flags which can be switched ‘on’ and ‘off’ can now also be set to ‘off’ instead of only to ‘no’ to turn them off.

Enhancements

  • Packet Cache is now case-insensitive, leading to a higher hitrate because identical queries only differing in case now both match. Care is taken to restore the proper case in the answer sent out.

  • Packet Cache stores packets more efficiently now, savings are estimated at 50%.

  • The Packet Cache is now asynchronous which means that PowerDNS continues to answer questions while the cache is busy being purged or queried. Incidentally this will mean a cache miss where previously the question would wait until the cache became available again.

    The upshot of this is that operators can call pdns_control purge as often as desired without fearing performance loss. Especially the full, non-specific, purge was sped up tremendously.

    This optimization is of little merit for small sites but is very important when running with a large packetcache, such as when using recursion under high load.

  • AXFR log messages now all contain the word ‘AXFR’ to ease grepping.

  • Linux static version now compiled with gcc 3.2 which is known to output better and faster code than the previously used 3.0.4.

Bugs fixed

  • Packetcache would sometimes send packets back with slightly modified flags if these differed from the flags of the cached copy.
  • Resolver code did bad things with file descriptors leading to fd exhaustion after prolonged uptimes and many slave SOA currency checks.
  • Resolver code failed to properly log some errors, leading to operator uncertainty regarding AXFR problems with remote masters.
  • After prolonged uptime, slave code would try to use privileged ports for originating queries, leading to bad replication efficiency.
  • Masters sending back answers in differing case from questions would lead to bogus ‘Master tried to sneak in out-of-zone data’ errors and failing AXFRs.
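The last fix above concerns the out-of-zone check that slaves apply to incoming transfers (added in 1.99.9): the check has to compare names per label and without regard to case, or legitimate records are rejected. The following is an added example, not PowerDNS code; the function names and the sample records are constructed for illustration, and names are assumed to be in presentation format without escaped dots.

```python
"""Added example: bailiwick check for records received in an incoming AXFR."""


def labels(name):
    """Split a presentation-format DNS name into lowercased labels.

    Assumption: no escaped dots inside labels; a trailing dot is optional.
    The root name '.' yields an empty list.
    """
    name = name.rstrip(".")
    return [] if not name else [label.lower() for label in name.split(".")]


def in_zone(owner, zone):
    """Return True if owner is the zone apex or a name below it.

    The comparison is done label by label and case-insensitively, so
    'WWW.Example.ORG' is inside 'example.org', while 'badexample.org'
    (a plain string-suffix match) is not.
    """
    o, z = labels(owner), labels(zone)
    if len(o) < len(z):
        return False
    # An empty zone label list is the root zone, which contains everything.
    return len(z) == 0 or o[-len(z):] == z


def filter_transfer(zone, records):
    """Split transferred records into (accepted, rejected) by owner name."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_zone(rec[0], zone) else rejected).append(rec)
    return accepted, rejected


# Constructed sample transfer for zone 'example.org' (not real data).
SAMPLE = [
    ("example.org.", "SOA",
     "ns1.example.org. hostmaster.example.org. 1 3600 600 86400 3600"),
    ("WWW.Example.ORG.", "A", "192.0.2.10"),       # differing case, in zone
    ("badexample.org.", "A", "192.0.2.66"),        # suffix match only
    ("www.example.com.", "A", "192.0.2.67"),       # different zone
    ("example.org.evil.test.", "A", "192.0.2.68"), # zone name as a prefix
]

if __name__ == "__main__":
    ok, bad = filter_transfer("example.org", SAMPLE)
    for rec in ok:
        print("accepted:", rec[0], rec[1])
    for rec in bad:
        print("rejected out-of-zone record:", rec[0], rec[1])
```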

Version 2.4

Developers: this version is compatible with the pdns-2.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Backend writers’ guide.

This version fixes some stability issues with malformed or malcrafted packets. An upgrade is advised. Furthermore, there are interesting new features.

New features

  • Recursive queries are now also cached, but in a separate namespace so non-recursive queries don’t get recursed answers and vice versa. This should mean way lower database load for sites running with the current default lazy-recursion. Up to now, each and every recursive query would lead to a large amount of SQL queries.

    To prevent the packetcache from becoming huge, a separate recursive-cache-ttl can be specified.

  • The ability to change parameters at runtime was added. Currently, only the new query-logging flag can be changed.

  • Added query-logging flag which hints a backend that it should output a textual representation of queries it receives. Currently only gmysql and gpgsql2 honor this flag.

  • Gmysql backend can now also talk to PostgreSQL, leading to less code. Currently, the old postgresql driver (‘gpgsql’) is still the default, the new driver is available as ‘gpgsql2’ and has the benefit that it does query logging. In the future, gpgsql2 will become the default gpgsql driver.

  • DNS recursing proxy is now more verbose in logging odd events which may be caused by buggy recursing backends.

  • Webserver now displays peak queries/second 1 minute average.

Bugs fixed

  • Failure to connect to database in master/slave communicator thread could lead to an unclean reload, fixed.

Documentation: added details for strict-rfc-axfrs. This feature can be used if very old clients need to be able to do zone transfers with PowerDNS. Very slow.

Version 2.3

Developers: this version is compatible with the pdns-2.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Backend writers’ guide.

This release adds the Generic MySQL backend which allows full master/slave semantics with MySQL and InnoDB tables (or other tables that support transactions). See Generic MySQL backend.

Other new features

  • Improved error messages in master/slave communicator will help track down problems.
  • slave-cycle-interval setting added. Very large sites with thousands of slave domains may need to raise this value above the default of 60. Every cycle, domains in indeterminate state are checked for their condition. Depending on the health of the masters, this may entail many SOA queries or attempted AXFRs.

Bugs fixed

  • ‘pdns_control purge domain’ and ‘pdns_control purge domain$’ were broken in version 2.2 and did not in fact purge the cache. There is a slight risk that domain-specific purge commands could force a reload in previous versions. Thanks to Mike Benoit of NetNation for discovering this.
  • Master/slave communicator thread got confused in case of delayed answers from slow masters. While not causing harm, this caused inefficient behaviour when testing large amounts of slave domains because additional ‘cycles’ had to pass before all domains would have their status ascertained.
  • Backends implementing special SOA semantics (currently only the undocumented ‘pdns express backend’, or homegrown backends) would under some circumstances not answer the SOA record in case of an ANY query. This should put an end to the last DENIC problems. Thanks to DENIC for helping us find the problem.

Version 2.2

Developers: this version is compatible with the pdns-2.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Backend writers’ guide.

Again a big release. PowerDNS is seeing some larger deployments in more demanding environments and these are helping shake out remaining issues, especially with recursing backends.

The big news is that wildcard CNAMEs are now supported, an oft requested feature and nearly the only part in which PowerDNS differed from BIND in authoritative capabilities.

If you were seeing signal 6 errors in PowerDNS causing reloads and intermittent service disruptions, please upgrade to this version.

For operators of PowerDNS Express trying to host .DE domains, the very special soa-serial-offset feature has been added to placate the new DENIC requirement that the SOA serial be at least six digits. PowerDNS Express uses the SOA serial as an actual serial and not to insert dates and hence often has single digit soa serial numbers, causing big problems with .DE redelegations.

Bugs fixed

  • Malformed or shortened TCP recursion queries would cause a signal 6 and a reload. Same for EOF from the TCP recursing backend. Thanks to Simon Kirby and Mike Benoit of NetNation for helping debug this.
  • Timeouts on the TCP recursing backend were far too long, leading to possible exhaustion of TCP resolving threads.
  • pdns_control purge domain accidentally cleaned all packets with that name as a prefix. Thanks to Simon Kirby for spotting this.
  • Improved exception error logging - in some circumstances PowerDNS would not properly log the cause of an exception, which hampered problem resolution.

New features

  • Wildcard CNAMEs now work as expected!
  • pdns_control purge can now also purge based on suffix, allowing operators to purge an entire domain from the packet cache instead of only specific records. See also pdns_control. Thanks to Mike Benoit for this suggestion.
  • soa-serial-offset for installations with small SOA serial numbers wishing to register .DE domains with DENIC which demands six-figure SOA serial numbers. See also Chapter 21, Index of all Authoritative Server settings.

Version 2.1

This is a somewhat bigger release due to pressing demands from customers. An upgrade is advised for installations using Recursion. If you are using recursion, it is vital that you are aware of changes in semantics. Basically, local data will now override data in your recursing backend under most circumstances. Old behaviour can be restored by turning lazy-recursion off.

Developers: this version has a new pdns-2.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Backend writers’ guide.

Warning: Most users will run a static version of PowerDNS which has no dependencies on external libraries. However, some may need to run the dynamic version. This warning applies to these users.

To run the dynamic version of PowerDNS, which is needed for backend drivers which are only available in source form, gcc 3.0 is required. RedHat 7.2 comes with gcc 3.0 as an optional component, RedHat 7.3 does not. However, the RedHat 7.2 Update gcc rpms install just fine on RedHat 7.3. For Debian, we suggest running ‘woody’ and installing the g++-3.0 package. We expect to release a FreeBSD dynamic version shortly.

Bugs fixed

  • RPM releases sometimes overwrote previous configuration files. Thanks to Jorn Ekkelenkamp of Hubris/ISP Services for reporting this.
  • TCP recursion sent out overly large responses due to a byte order mistake, confusing some clients. Thanks to the capable engineers of NetNation for bringing this to our attention.
  • TCP recursion in combination with a recursing backend on a non-standard port did not work, leading to a non-functioning TCP listener. Thanks to the capable engineers of NetNation for bringing this to our attention.

Unexpected behaviour

  • Wildcard URL records were not implemented because they are a performance penalty. To turn these on, enable wildcard-url in the configuration.
  • Unlike other nameservers, local data did not override the internet for recursing queries. This has mostly been brought into conformance with user expectations. If a recursive question can be answered entirely from local data, it is. To restore old behaviour, disable lazy-recursion. Also see Recursion.

Features

  • Oracle support has been tuned, leading to the first public release of the Oracle backend. Zone2sql now outputs better SQL and the backend is now fully documented. Furthermore, the queries are compatible with the PowerDNS XML-RPC product, allowing PowerDNS express to run off Oracle.
  • Zone2sql now accepts --transactions to wrap zones in a transaction for PostgreSQL and Oracle output. This is a major speedup and also makes for better isolation of inserts. See Zone2sql.
  • pdns_control now has the ability to purge the PowerDNS cache or parts of it. This enables operators to raise the TTL of the Packet Cache to huge values and only to invalidate the cache when changes are made. See also Authoritative Server Performance and pdns_control.

Version 2.0.1

Maintenance release, fixing three small issues.

Developers: this version is compatible with 1.99.11 backends.

  • PowerDNS ignored the logging-facility setting unless it was specified on the command line. Thanks to Karl Obermayer from WebMachine Technologies for noticing this.
  • Zone2sql neglected to preserve ‘slaveness’ of domains when converting to the slave capable PostgreSQL backend. Thanks to Mike Benoit of NetNation for reporting this. Zone2sql now has a --slave option.
  • SOA Hostmaster addresses with dots in them before the @-sign were mis-encoded on the wire.

Version 2.0

Two bugfixes, one stability/security related. No new features.

Developers: this version is compatible with 1.99.11 backends.

Bugfixes

  • zone2sql refused to work under some circumstances, taking 100% cpu and not functioning. Thanks to Andrew Clark and Mike Benoit for reporting this.
  • Fixed a stability issue where malformed packets could force PowerDNS to reload. Present in all earlier 2.0 versions.

Version 2.0 Release Candidate 2

Mostly bugfixes, no really new features.

Developers: this version is compatible with 1.99.11 backends.

Bugs fixed

  • chroot() works again - 2.0rc1 silently refused to chroot. Thanks to Hub Dohmen for noticing this.
  • setuid() and setgid() security features were silently not being performed in 2.0rc1. Thanks to Hub Dohmen for noticing this.
  • MX preferences over 255 now work as intended. Thanks to Jeff Crowe for noticing this.
  • IPv6 clients can now also benefit from the recursing backend feature. Thanks to Andy Furnell for proving beyond any doubt that this did not work.
  • Extremely bogus code removed from DNS notification reception code - please test! Thanks to Jakub Jermar for working with us in figuring out just how broken this was.
  • AXFR code improved to handle more of the myriad different zone transfer dialects available. Specifically, interoperability with Bind 4 was improved, as well as Bind 8 in ‘strict rfc conformance’ mode. Thanks again to Jakub Jermar for running many tests for us. If your transfers failed with ‘Unknown type 14!!’ or words to that effect, this was it.

Features

  • Win32 version now has a zone2sql tool.
  • Win32 version now has support for specifying how urgent messages should be before they go to the NT event log.

Remaining issues

  • One persistent report of the default ‘chroot=./’ configuration not working.
  • One report of disable-axfr and allow-axfr-ips not working as intended.
  • Support for relative paths in zones and in Bind configuration is not bug-for-bug compatible with bind yet.

Version 2.0 Release Candidate 1

The Mac OS X release! A very experimental OS X 10.2 build has been added. Furthermore, the Windows version is now in line with Unix with respect to capabilities. The ODBC backend now has the code to function as both a master and a slave.

Developers: this version is compatible with 1.99.11 backends.

  • Implemented native packet response parsing code, allowing Windows to perform AXFR and NS and SOA queries.

  • This is the first version for which we have added support for Darwin 6.0, which is part of the forthcoming Mac OS X 10.2. Please note that although this version is marked RC1, we have not done extensive testing yet. Consider this a technology preview.

    • The Darwin version has been developed on Mac OS X 10.2 (6C35). Other versions may or may not work.
    • Currently only the random, bind, mysql and pdns backends are included.
    • The menu based installer script does not work, you will have to edit pathconfig by hand as outlined in chapter 2.
    • On Mac OS X Client, PowerDNS will fail to start because a system service is already bound to port 53.

    This version is distributed as a compressed tar file. You should follow the generic UNIX installation instructions.

Bugs fixed

  • Zone2sql PostgreSQL mode neglected to lowercase $ORIGIN. Thanks to Maikel Verheijen of Ladot for spotting this.
  • Zone2sql PostgreSQL mode neglected to remove a trailing dot from $ORIGIN if present. Thanks to Maikel Verheijen of Ladot for spotting this.
  • Zone file parser was not compatible with bind when $INCLUDING non-absolute file names. Thanks to Jeff Miller for working out how this should work.
  • Bind configuration parser was not compatible with bind when including non-absolute file names. Thanks to Jeff Miller for working out how this should work.
  • Documentation incorrectly listed the Bind backend as ‘slave capable’. This is not yet true, now labeled ‘experimental’.

Windows changes. We are indebted to Dimitry Andric who educated us in the ways of distributing Windows software.

  • pdns.conf is now read if available.
  • Console version responds to ^c now.
  • Default pdns.conf added to distribution.
  • Uninstaller missed several files, leaving remnants behind.
  • DLLs are now installed locally, with the pdns executable.
  • pdns_control is now also available on Windows
  • ODBC backend can now act as master and slave. Experimental.
  • The example zone missed indexes and had other faults.
  • A runtime DLL that is present on most windows systems (but not all!) was missing.

Version 1.99.12 Prerelease

The Windows release! See Installing on Microsoft Windows. Beware, windows support is still very fresh and untested. Feedback is very welcome.

Developers: this version is compatible with 1.99.11 backends.

  • Windows 2000 code base merge completed. This resulted in quite some changes on the Unix end of things, so this may impact reliability.
  • ODBC backend added for Windows. See ODBC backend.
  • IBM DB2 Universal Database backend available for Linux.
  • Zone2sql now understands $INCLUDE. Thanks to Amaze Internet for nagging about this.
  • The SOA Minimum TTL now has a configurable default (soa-minimum-ttl) value to placate the DENIC requirements.
  • Added a limit on the simultaneous numbers of TCP connections to accept (max-tcp-connections). Defaults to 10.

Bugs fixed

  • When operating in virtual hosting mode (See Virtual hosting), the additional init.d scripts would not function correctly and interface with other pdns instances.
  • PowerDNS neglected to conserve case on answers. So a query for WwW.PoWeRdNs.CoM would get an answer listing the address of www.powerdns.com. While this did not confuse resolvers, it is better to conserve case. This has semantic consequences for all backends, which the documentation now spells out.
  • PostgreSQL backend was case-sensitive and returned only answers in case an exact match was found. The Generic PostgreSQL backend is now officially all lower case and zone2sql in PostgreSQL mode enforces this. Documentation has been updated to reflect the case change. Thanks to Maikel Verheijen of Ladot for spotting this!
  • Documentation bug - postgresql create/index statements created a duplicate index. If you’ve previously copy-pasted the commands and not noticed the error, execute CREATE INDEX rec_name_index ON records(name) to remedy. Thanks to Jeff Miller for reporting this. This also led to depressingly slow ‘ANY’ lookups for those of you doing benchmarks.

Features

Version 1.99.11 Prerelease

This release is important because it is the first release which is accompanied by an Open Source Backend Development Kit, allowing external developers to write backends for PowerDNS. Furthermore, a few bugs have been fixed:

  • Lines with only whitespace in zone files confused PowerDNS (thanks Henk Wevers)
  • PowerDNS did not properly parse TTLs with symbolic suffixes in zone files, i.e. 2H instead of 7200 (thanks Henk Wevers)

Version 1.99.10 Prerelease

IMPORTANT: there has been a tiny license change involving free public web-based DNS hosting, check out the changes before deploying!

PowerDNS is now feature complete, or very nearly so. Besides adding features, a lot of ‘fleshing out’ work is done now. There is an important performance bug fix which may have led to disappointing benchmarks - so if you saw any of that, please try either this version or 1.99.8 which also does not have the bug.

This version has been very stable for us on multiple hosts, as was 1.99.9.

PostgreSQL users should be aware that while 1.99.10 works with the schema as presented in earlier versions, advanced features such as master or slave support will not work unless you create the new ‘domains’ table as well.

Bugs fixed

  • Wildcard AAAA queries sometimes received an NXDOMAIN error where they should have gotten an empty NO ERROR. Thanks to Jeroen Massar for spotting this on the .TK TLD!
  • Do not disable the packetcache for ‘recursion desired’ packets unless a recursor was configured. Thanks to Greg Schueler for noticing this.
  • A failing backend would not be reinstated. Thanks to ‘Webspider’ for discovering this problem with PostgreSQL connections that die after prolonged inactivity.
  • Fixed loads of IPv6 transport problems. Thanks to Marco Davids and others for testing. Considered ready for production now.
  • Zone2sql printed a debugging statement on range $GENERATE commands. Thanks to Rene van Valkenburg for spotting this.

Features

  • PowerDNS can now act as a master, sending out notifications in case of changes and allowing slaves to AXFR. Big rewording of replication support, domains are now either ‘native’, ‘master’ or ‘slave’. See Master/Slave operation & replication for lots of details.
  • Zone2sql in PostgreSQL mode now populates the ‘domains’ table for easy master, slave or native replication support.
  • Ability to run on IPv6 transport only
  • Logging can now happen under a ‘facility’ so all PowerDNS messages appear in their own file. See Operational logging using syslog.
  • Different OS releases of PowerDNS now get different install path defaults. Thanks to Mark Lastdrager for nagging about this and to Nero Imhard and Frederique Rijsdijk for suggesting saner defaults.
  • Infrastructure for ‘also-notify’ statements added.

Version 1.99.9 Early Access Prerelease

This is again a feature and an infrastructure release. We are nearly feature complete and will soon start work on the backends to make sure that they are all master, slave and ‘superslave’ capable.

Bugs fixed

  • PowerDNS sometimes sent out duplicate replies for packets passed to the recursing backend. Mostly a problem on SMP systems. Thanks to Mike Benoit for noticing this.
  • Out-of-bailiwick CNAMEs (ie, a CNAME to a domain not in PowerDNS) caused a ‘ServFail’ packet in 1.99.8, indicating failure, leading to hosts not resolving. Thanks to Martin Gillstrom for noticing this.
  • Zone2sql balked at zones edited under operating systems terminating files with ^Z (Windows). Thanks Brian Willcott for reporting this.
  • PostgreSQL backend logged the password used to connect. Now only does so in case of failure to connect. Thanks to ‘Webspider’ for noticing this.
  • Debian unstable distribution wrongly depended on home compiled PostgreSQL libraries. Thanks to Konrad Wojas for noticing this.

Features

  • When operating as a slave, AAAA records are now supported in the zone. They were already supported in master zones.
  • IPv6 transport support - PowerDNS can now listen on an IPv6 socket using the local-ipv6 setting.
  • Very silly randombackend added which appears in the documentation as a sample backend. See Backend writers’ guide.
  • When transferring a slave zone from a master, out of zone data is now rejected. Malicious operators might try to insert bad records otherwise.
  • ‘Supermaster’ support for automatic provisioning from masters. See Supermaster automatic provisioning of slaves.
  • Recursing backend can now live on a non-standard (!=53) port. See Recursion.
  • Slave zone retrieval is now queued instead of immediate, which scales better and is more resilient to temporary failures.
  • max-queue-length parameter. If this many packets are queued for database attention, consider the situation hopeless and respawn.

Internal

  • SOA records are now ‘special’ and each backend can optionally generate them in special ways. PostgreSQL backend does so when operating as a slave.
  • Writing backends is now a lot easier. See Backend writers’ guide.
  • Added Bindbackend to internal regression tests, confirming that it is compliant.

Version 1.99.8 Early Access Prerelease

A lot of infrastructure work gearing up to 2.0. Some stability bugs fixed and a lot of new features.

Bugs fixed

  • Bindbackend was overly complex and crashed on some systems on startup. Simplified launch code.
  • SOA fields were not always properly filled in, causing default values to go out on the wire
  • Obscure bug triggered by malicious packets (we know who you are) in SOA finding code fixed.
  • Magic serial number calculation contained a double free leading to instability.
  • Standards violation, questions for domains for which PowerDNS was unauthoritative now get a SERVFAIL answer. Thanks to the IETF Namedroppers list for helping out with this.
  • Slowly launching backends were being relaunched at a great rate when queries were coming in while launching backends.
  • MySQL-on-unix-domain-socket on SMP systems was overwhelmed by the quick connection rate on launch, inserted a small 50ms delay.
  • Some SMP problems appear to be compiler related. Shifted to GCC 3.0.4 for Linux.
  • Ran ispell on documentation.

Feature enhancements

Known bugs

  • Wildcard CNAMEs do not work as they do with bind.
  • Recursion sometimes sends out duplicate packets (fixed in 1.99.9 snapshots)
  • Some stability issues which are caught by the guardian

Missing features

Features present in this document, but disabled or withheld from the current release: gmysqlbackend, oraclebackend

Version 1.99.7 Early Access Prerelease

Named.conf parsing got a lot of work and many more bind configurations can now be parsed. Furthermore, error reporting was improved. Stability is looking good.

Bugs fixed

  • Bind parser got confused by file names with underscores and colons.
  • Bind parser got confused by spaces in quoted names
  • FreeBSD version now stops and starts when instructed to do so.
  • Wildcards were off by default, which violates standards. Now on by default.
  • --oracle was broken in zone2sql

Feature enhancements

  • Line number counting goes on as it should when including files in named.conf
  • Added --no-config to enable users to start the pdns daemon without parsing the configuration file.
  • zone2sql now has --bare for unformatted output which can be used to generate insert statements for different database layouts
  • zone2sql now has --gpgsql, which is an alias for --mysql, to output in a format useful for the default Generic PostgreSQL backend
  • zone2sql is now documented.

Known bugs

  • Wildcard CNAMEs do not work as they do with bind.

Missing features

Features present in this document, but disabled or withheld from the current release: gmysqlbackend, oraclebackend

Some of these features will be present in newer releases.

Version 1.99.6 Early Access Prerelease

This version is now running on dns-eu1.powerdns.net and working very well for us. But please remain cautious before deploying!

Bugs fixed

  • Webserver neglected to show log messages
  • TCP question/answer miscounted multiple questions over one socket. Fixed misnaming of counter
  • Packetcache now detects clock skew and times out entries
  • named.conf parser now reports errors with line number and offending token
  • File names in named.conf can now contain:

Feature enhancements

  • The webserver now by default does not print out configuration statements, which might contain database backends. Use webserver-print-arguments to restore the old behaviour.
  • Generic PostgreSQL backend is now included. Still rather beta.

Known bugs

  • FreeBSD version does not stop when requested to do so.
  • Wildcard CNAMEs do not work as they do with bind.

Missing features

Features present in this document, but disabled or withheld from the current release:

  • gmysqlbackend, oraclebackend

Some of these features will be present in newer releases.

Version 1.99.5 Early Access Prerelease

The main focus of this release is stability and TCP improvements. This is the first release PowerDNS-the-company actually considers for running on its production servers!

Major bugs fixed

  • Zone2sql received a floating point division by zero error on named.confs with less than 100 domains.
  • Huffman encoder failed without specific error on illegal characters in a domain
  • Fixed huge memory leaks in TCP code.
  • Removed further file descriptor leaks in guardian respawning code
  • Pipebackend was too chatty.
  • pdns_server neglected to close fds 0, 1 & 2 when daemonizing

Feature enhancements

  • bindbackend can be instructed not to check the ctime of a zone by specifying bind-check-interval=0, which is also the new default.
  • pdns_server --list-modules lists all available modules.

Performance enhancements

  • TCP code now only creates a new database connection for AXFR.
  • TCP connections timeout rather quickly now, leading to less load on the server.

Known bugs

  • FreeBSD version does not stop when requested to do so.
  • Wildcard CNAMEs do not work as they do with bind.

Missing features

Features present in this document, but disabled or withheld from the current release:

  • gmysqlbackend, oraclebackend, gpgsqlbackend

Some of these features will be present in newer releases.

Version 1.99.4 Early Access Prerelease

A lot of new named.confs can now be parsed, zone2sql & bindbackend have gained features and stability.

Major bugs fixed

  • Label compression was not always enabled, leading to large reply packets sometimes.
  • Database errors on TCP server led to a nameserver reload by the guardian.
  • MySQL backend neglected to close its connection properly.
  • BindParser misparsed some IP addresses and netmasks.
  • Truncated answers were also truncated on the packetcache, leading to truncated TCP answers.

Feature enhancements

  • Zone2sql and the bindbackend now understand the Bind $GENERATE{} syntax.
  • Zone2sql can optionally gloss over non-existing zones with --on-error-resume-next.
  • Zone2sql and the bindbackend now properly expand @ also on the right hand side of records.
  • Zone2sql now sets a default TTL.
  • DNS UPDATEs and NOTIFYs are now logged properly and sent the right responses.

Performance enhancements

  • ‘Fancy records’ are no longer queried for on ANY queries - this is a big speedup.

Known bugs

  • FreeBSD version does not stop when requested to do so.
  • Zone2sql refuses named.confs with less than 100 domains.
  • Wildcard CNAMEs do not work as they do with bind.

Missing features

Features present in this document, but disabled or withheld from the current release:

  • gmysqlbackend, oraclebackend, gpgsqlbackend

Some of these features will be present in newer releases.

Version 1.99.3 Early Access Prerelease

The big news in this release is the BindBackend which is now capable of parsing many more named.conf Bind configurations. Furthermore, PowerDNS has successfully parsed very large named.confs with large numbers of small domains, as well as small numbers of large domains (TLD).

Zone transfers are now also much improved.

Major bugs fixed

  • zone2sql leaked file descriptors on each domain, used wrong Bison recursion leading to parser stack overflows. This limited the amount of domains that could be parsed to 1024.
  • zone2sql can now read all known zone files, with the exception of those containing $GENERATE
  • Guardian relaunching a child lost two file descriptors
  • Don’t die on a connection reset by peer during zone transfer.
  • Webserver does not crash anymore on ringbuffer resize

Feature enhancements

  • AXFR can now be disabled, and re-enabled per IP address
  • --help accepts a parameter, will then show only help items with that prefix.
  • zone2sql now accepts a --zone-name parameter
  • BindBackend maturing - 9500 zones parsed in 3.5 seconds. No longer case-sensitive.

Performance enhancements

  • Implemented RFC-breaking AXFR format (which is the industry standard). Zone transfers now zoom along at wire speed (many megabits/s).

Known bugs

  • FreeBSD version does not stop when requested to do so.
  • BindBackend cannot parse zones with $GENERATE statements.

Missing features

Features present in this document, but disabled or withheld from the current release

  • gmysqlbackend, oraclebackend, gpgsqlbackend

Some of these features will be present in newer releases.

Version 1.99.2 Early Access Prerelease

Major bugs fixed

  • Database backend reload does not hang the daemon anymore
  • Buffer overrun in local socket address initialisation may have caused binding problems
  • setuid changed the uid to the gid of the selected user
  • zone2sql doesn’t crash (dump core) on invocation anymore. Fixed lots of small issues.
  • Don’t parse configuration file when creating configuration file. This was a problem with reinstalling.

Performance improvements

  • removed a lot of unnecessary gettimeofday calls
  • removed needless select(2) call in case of listening on only one address
  • removed 3 useless syscalls in the fast path

Having said that, more work may need to be done. Testing on a 486 saw packet rates in a simple setup (question/wait/answer/question..) improve from 200 queries/second to over 400.

Usability improvements

  • Fixed error checking in init.d script (show, mrtg)
  • Added ‘uptime’ to the mrtg output
  • removed further GNUisms from installer and init.d scripts for use on FreeBSD
  • Debian package and apt repository, thanks to Wichert Akkerman.
  • FreeBSD /usr/ports, thanks to Peter van Dijk (in progress).

Stability may be an issue as well as performance. This version has a tendency to log a bit too much which slows the nameserver down a lot.

Known bugs

  • Decreasing a ringbuffer on the website is a sure way to crash the daemon.
  • Zone2sql, while improved, still has problems with a zone in the following format:

name         IN            A        192.0.2.4
             IN            A        192.0.2.5

    To fix, add ‘name’ to the second line.
  • Zone2sql does not close file descriptors.
  • FreeBSD version does not stop when requested via the init.d script.

Missing features

Features present in this document, but disabled or withheld from the current release:

  • gmysqlbackend, oraclebackend, gpgsqlbackend
  • fully functioning bindbackend - will try to parse named.conf, but probably fail

Some of these features will be present in newer releases.

Version 1.99.1 Early Access Prerelease

This is the first public release of what is going to become PowerDNS 2.0. As such, it is not of production quality. Even PowerDNS-the-company does not run this yet.

Stability may be an issue as well as performance. This version has a tendency to log a bit too much which slows the nameserver down a lot.

Known bugs

  • Decreasing a ringbuffer on the website is a sure way to crash the daemon.
  • Zone2sql is very buggy.

Missing features

Features present in this document, but disabled or withheld from the current release:

  • gmysqlbackend, oraclebackend, gpgsqlbackend
  • fully functioning bindbackend - will not parse configuration files

Some of these features will be present in newer releases.