Download PowerDNS Authoritative Server 2.9.21.2 / 2.9.22-rc1


PowerDNS is a DNS server with a database backend, which makes it easy to manage a large number of DNS entries. In April 2006 the developers decided to release the two parts that make up PowerDNS, a recursor and an authoritative name server, separately. According to the developers, this allows new versions to be released faster. They have now released two new versions of PowerDNS Authoritative Server. Version 2.9.21.2 fixes a minor bug in the current production release that could cause the Authoritative Server to crash. In addition, the first release candidate of version 2.9.22 has been released, which contains a large number of changes and improvements. The announcements for both releases are as follows:

Version 2.9.21.2:

This release consists of a single patch to PowerDNS Authoritative Server version 2.9.21.1. In some configurations, notably with configuration option ‘distributor-threads=1’, the PowerDNS Authoritative Server crashes easily in some error conditions.

All users are urged to upgrade. Even though PowerDNS restarts itself on encountering such error conditions, and even though most PowerDNS configurations do not run in single threaded mode, an upgrade is recommended.

More details:

Daniel Drown discovered that his PowerDNS 2.9.21.1 installation crashed on receiving a HINFO CH query. In his enthusiasm, he shared his discovery with the world, forcing a rapid over the weekend release cycle.

While we thank Daniel for his discovery, please study our security policy as outlined in before making vulnerabilities public.

It is believed that this issue only impacts PowerDNS Authoritative Servers operating with ‘distributor-threads=1’, but even on other configurations a database reconnect occurs on receiving a CH HINFO query.
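The announcement above ties the impact to the release number and the effective `distributor-threads` value, so a per-server triage can be scripted. The following is an added example, not PowerDNS code or part of the announcement; the parsing rules (`#` starts a comment, a later assignment overrides an earlier one), the default of 3 threads and the sample configuration are assumptions.

```python
# Added example (not PowerDNS code): triage one server against the advisory text.
FIXED_RELEASES = {"2.9.21.2", "2.9.22-rc1"}  # releases the page says carry the fix
AFFECTED_RELEASE = "2.9.21.1"                # the only affected release the page names
DEFAULT_THREADS = 3                          # assumption: value used when the key is absent


def effective_settings(conf_text):
    """Parse pdns.conf-style 'key=value' lines. Assumed rules: '#' starts a
    comment, surrounding whitespace (including trailing tabs) is ignored,
    and a later assignment overrides an earlier one."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def triage(version, conf_text):
    """Return (status, detail) for one server."""
    if version in FIXED_RELEASES:
        return "fixed", "release contains the patch"
    if version != AFFECTED_RELEASE:
        return "unknown", "the announcement does not cover this release"
    raw = effective_settings(conf_text).get("distributor-threads")
    try:
        threads = int(raw) if raw is not None else DEFAULT_THREADS
    except ValueError:
        return "review", f"unparseable distributor-threads value {raw!r}"
    if threads == 1:
        return "crash", "single-threaded distributor: crash and restart on the error condition"
    return "reconnect", f"{threads} distributor threads: database reconnect on a CH HINFO query"


# Constructed sample configuration; note the override and the trailing tab.
SAMPLE_CONF = "launch=gmysql\ndistributor-threads=3\n# tuned for a small box\ndistributor-threads=1\t\n"

if __name__ == "__main__":
    for version in ("2.9.21.1", "2.9.21.2", "2.9.20"):
        print(version, triage(version, SAMPLE_CONF))
```

A `reconnect` result still warrants the upgrade the announcement recommends; it only separates servers that crash from those that cycle their database connection.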

Version 2.9.22-rc1:

2.9.22 will be a very important PowerDNS release, especially since it contains so much change compared to 2.9.21. This is why the full 2.9.22 release is preceded by at least one Release Candidate, and this is it. Some major sites already run this version, totalling over 100,000 domains, so things appear to work. We sincerely hope more people will help test this release. If you report success, or failure, we’ll insert your name below in the release notes. This is an easy way to contribute to the success of PowerDNS, and get your name immortalized! Finally – this RC also protects against the issue for which 2.9.21.2 was released this morning. So even from a security perspective, it makes sense to test this release.

Provisional Release Notes:

This is a huge release, spanning almost 18 months of development. Besides fixing a lot of bugs, of note is the addition of the so called ‘Notification Proxy’, which allows PowerDNS to function as a master server behind a firewall, plus the huge performance improvement of the internal caches.

This work has been made possible by UPC Broadband and Directi, respectively.

Finally, the release candidates of this version have been tested & improved by Jorn Ekkelenkamp, Ton van Rosmalen and (your name here!).

New features:

  • pdns_control can now also work over TCP/IP. Sponsored by Directi. Commits 1246, 1251, 1254, 1255.
  • Implemented a notification proxy, see Section 19.1. This work was sponsored by UPC Broadband. Implemented in commits 1075, 1077, 1082, 1083, 1085 and 1086.
  • IXFR queries are now supported in the sense that we treat them as AXFR queries, silencing warnings in other nameservers. Suggested in ticket 131.
  • The PIPE backend has been extended by David Apgar to allow the reporting of errors using the ‘FAIL’ command, plus support for responses with whitespace. Implemented in commit 1114.
  • PowerDNS Authoritative server now parses incoming EDNS options, like maximum allowed packet size. Implemented in commit 1123 and commit 1281.
  • Added support for DHCID, IPSECKEY and KX records, thanks Norbert Sendetzky for the hint. Implemented in commit 1144.
  • Norbert Sendetzky has added support for all record types supported by PowerDNS to the LDAPBackend. Furthermore, the detection of OpenLDAP in autoconf has been improved. Finally, Debian has supplied some fixes to PowerLDAP. Implemented in commit 1152 and commit 1153.
  • Implemented EDNS NSID option for retrieving the nameserver ID out of band. Defaults to hostname, can be specified using the server-id setting. Code in commit 1232.
  • Implemented experimental EDNS PING for enhanced forgery resilience. Code in commit 1232.

Performance:

  • Improve packet generation performance, in some cases by 25%. Code at 1258, 1259.
  • Improved access list checking performance. Commit 1261.
  • PowerDNS Authoritative caches were completely redone, and are now based on the same cache that is in the resolver. This work has been sponsored by Directi. In large benchmarks, PowerDNS performance has improved by an order of magnitude or more. This new version allows for near-instantaneous cache purging, plus very rapid purging based on suffix. Purge commands can also be batched. This work is partially based on an innovative reverse-string comparison function authored by Aki Tuomi.
  • BIND backend speedups in commit 1108, measured at around a 20% improvement, possibly more on very large setups.

Bugs fixed:

  • Tyler Hall discovered the PowerDNS configuration file parser had problems with trailing tabs. This turned out to be a wider problem in PowerDNS. Buggy code replaced by a library call in commit 1237 and commit 1240.
  • Connection reset by peer events in the TCP nameserver no longer lead to the cycling of database connections. Code in commit 1241.
  • PowerDNS used to ignore certain queries it could not answer. These queries are no longer ignored, but get a SERVFAIL response. Implemented in commit 1239.
  • Fix subtle CNAME and wildcard interactions reported by ‘zzyzz’, implemented in commit 1147.
  • The generic backends did not honor the default-ttl setting. Spotted and implemented by Matti Hiljanen.
  • Matti Hiljanen discovered that the OpenDBX backend did not fill out the SOA ttl value properly. Matti also improved the SQL statements for better compatibility. Implemented in commit 1181.
  • Treat invalid WWW requests better. Spotted by Maikel Verheijen, implemented in commit 1092.
  • Documentation errors and typos, spotted by Marco Davids (commit 1097) and Rejo Zengers (commit 1119)
  • Properly fill out the ‘recursion available’ flag. Spotted by Augie Schwer in ticket 167.
  • Several memory leaks on bad data in the database or other errors have been fixed. Addressed in 1078 and 1079.
  • In contravention to the documentation, the domain type as specified in the database (‘MASTER’, ‘SLAVE’ or ‘NATIVE’) was interpreted case sensitively. 1084.
  • BIND backend could crash on processing information about slave zones to be checked. Spotted by Stefan Schmidt, fixed in 1089.
  • Jelte Jansen of NLNetLabs Foundation discovered PowerDNS in BIND mode couldn’t operate as a root-server! Fixed in 1057.
  • ‘DPS’ discovered there was a rare opportunity for PowerDNS to lock up waiting for new data. Addressed in 1076.
  • Make single threaded mode more resilient against errors. Commit 1272.
  • DNSSEC records were part of 2.9.21, but were not actually hooked up. Please note that while PowerDNS can serve most DNSSEC records, it does not do DNSSEC processing. Implemented in 1046.
  • Shawn Starr migrated all his domains to PowerDNS in one evening, from an installation that had been used since BIND4. In doing so, he found 3 bugs in as many hours. An IN statement in the BIND named.conf with a zone with a trailing dot was misparsed, fixed in commit 1233. Secondly, the zonefile parser tripped over a line consisting of nothing but comments in the wrong place. Finally ‘$ORIGIN.’ had been misparsed. Last two issues fixed in commit 1234.
  • Our statistics counters did not wrap correctly after the 2.15 billion mark. Spotted by Stefan Schmidt, reported in ticket 179, fixed in commit 1284.
  • Bindbackend could sometimes generate very strange error messages while processing a malformed zone file. Sometimes such error messages could cause a crash (reported on HP-UX). Addressed by commit 1279. This could not be triggered remotely. Closes ticket 203.

Improvements:

  • Zoneparser improvements mean $TTL and $INCLUDES now work a lot better. Implemented in 1056, 1062.
  • Direct queries for ‘fancy records’ would lead to errors, such queries now fail early. Spotted by Jorn Ekkelenkamp, implemented in 1051.
  • Fix typo in geobackend, closing ticket 157, implemented in 1090.
  • Initial work on TSIG support – not done yet. Spurred on by Marco Davids.
  • Embarrassingly, the ‘master’ configuration setting was not documented in the list of all settings!
  • Norbert has updated OpenDBX so that SQLite reads and writes no longer deadlock, plus compilation fixes on Solaris, plus the addition of autoserials to backends that support triggers. Implemented in commit 1154.
  • Random generator is now based on AES, improving the security of certain proxy operations. This is the same random generator that is in the recursor. Implemented in commit 1256.
  • Documentation for ‘supermaster’ mode was improved due to popular demand.
  • When binding to a UDP port failed, supply a more precise error message (commit 1245)
  • The zoneparser error messages were vastly improved, partially inspired by Shawn’s cowboy migration. Code in commit 1235.
  • Labels are compressed more efficiently (case-insensitively), leading to smaller packets. Implemented in commit 1156.
  • Fix handling of TCP timeouts to not cause a reload of the backends. Implemented in commit 1092.
  • Move from select() to poll()-based multiplexing, allowing PowerDNS to listen on more than 1024 sockets simultaneously. One big PowerDNS user needs this. Implemented in 1072.
  • Zone2sql now reads source files in performance enhancing inode order. Additionally, zone2sql

Version number: 2.9.21.2 / 2.9.22-rc1
Release status: Final
Operating systems: Linux, BSD, Solaris, UNIX
Website: powerdns
License type: GPL