Hi everybody,

(the short version, there is a snapshot worth looking at, packages on http://powerdnssec.org/downloads - documentation on http://powerdnssec.org)

Since our previous 'PowerDNSSEC' announcement, a lot has happened. PowerDNSSEC now offers support for almost all DNSSEC algorithms standardised (RSASHA1, RSASHA256, RSASHA512, GOST), and even for some that aren't yet (ECDSA).

In addition, we've added support for pre-signed zones, so you can now slave signed zones from non-PowerDNS installations, and serve them. The other way around works too, you can slave unsigned zones and serve them with DNSSEC added to it, as a front-proxy.

Finally, there is now a lot of documentation, a good place to start reading is still http://powerdnssec.org.

Today, we've released snapshot 20110127.1921 which is in reasonably wide production. It powers every single access to the PowerDNS Wiki and the PowerDNS Subversion repository.

Packages for 32 bit and 64 bit Linux distributions, plus source, can be found on http://powerdnssec.org/downloads.

We urge everybody with an interest in DNSSEC to give this snapshot and its associated documentation a go, if only to find out if it would 'work for you'.

Release notes follow:

Version 3.0 of the PowerDNS Authoritative Server brings a number of important features, as well as over two years of accumulated bug fixing.

The largest news in 3.0 is of course the advent of DNSSEC. Not only does PowerDNS now (finally) support DNSSEC, we think that our support of this important protocol is among the best available. Complete detail can be found in Chapter 11, Serving authoritative DNSSEC data.

The goal of 'PowerDNSSEC' is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.

This release has received exceptional levels of community support, and we'd like to thank the following people in addition to those mentioned explicitly below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen (Fox-IT).

On to the release notes. A hyperlinked version is available on http://doc.powerdns.com/changelog.html#changelog-auth-3-0

Next to DNSSEC, other major new features include:

● Long TXT records are now split into 255-byte components automatically. Implemented in commit 1340, reported by Darren Gamble in ticket 188.
● Per zone AXFR ACLs, implemented in commit 1360.
● "Also-notify" support, implemented by Aki Tuomi in commit 1400. Support for Generic SQL backends and for the BIND backend.
● Support for binding to thousands of IP addresses, code in commit 1443.
● Massively parallel slaving infrastructure, able to check the freshness of thousands of remote zones per second, plus perform many incoming zone transfers simultaneously. Sponsored by Tyler Hall, code in 1449, 1500, 1859
● Core DNS logic replaced completely to deal with the brave new world of DNSSEC.

Bugs fixed:

● sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL errors in some cases. Discovered by Sten Spans. Fixed in commit 1342.
● Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek. Fixed in commit 1342.
● In some cases, we would include duplicate CNAMEs. In addition, we would hand out a full root-referral when not configured to in some cases (t223). Discovered by Andreas Jakum, fixed in commit 1344.
● Shane Kerr discovered we would corrupt DNS transaction IDs from the packet cache on big endian systems. Fix in commit 1346, closing ticket 222.
● BIND backend got confused if a zone's filename changed after a configuration reload. Fix in commit 1347, closing ticket 228.
● When restarted by the Guardian, PowerDNS will perform a full multi-threaded cache cleanup, which took a long time and could crash. Fix in commit 1364.
● Under artificial circumstances, PowerDNS would never clean its packet cache. Found by Marcus Goller, fix in commit 1399 and commit 1408. This update also retunes the cleanup frequency.
● Packetcache would cache things it should not have been caching. Fixes in commits 1407, 1488, 1869, 1880
● When processing incoming notifications, the BIND backend was case-sensitive, and would disregard notifications in the wrong case. Discovered by 'Dolphin', fix in commit 1420.
● The init.d script did not mention the 'reload' command. Code in commit 1463, closes ticket 233.
● PowerDNS would be confused by embedded NULs in domain names, and would also mess up the escaping of some characters. Fix in commit 1468, commit 1469, commit 1478, commit 1480.
● SOA queries for the name of a delegation point were not referred. Fix in commit 1466, closing ticket 224. In addition, queries for AAAA for a CNAMEd record pointing to a name with no AAAA would deliver a direct SOA, without the CNAME in between. Fix in commit 1542, commit 1607. Also, wildcard CNAMEs pointing to a record without the type requested suffered from the same issue, fix in commit 1543.
● On processing an incoming AXFR, once an MX or SRV record had been seen, all future fields got a 'priority' entry as well. This had no operational impact, but looked messy. Fixed in commit 1437.
● Aki Tuomi discovered that the BIND zonefile parser would misrepresent 'something IN MX 15 @'. Fix in commit 1621.
● Marco Davids discovered the BIND zonefile parser would trip over really long lines. Fix in commit 1624, commit 1625.
● Thomas Mieslinger discovered that our webserver would only be started after dropping privileges, which could cause problems. Fix in commit 1629.
● An Ubuntu user discovered in Launchpad bug 600479 that restarting database threads cost a lot of memory. Normally this is rare, except in case of problems. Addressed in commit 1676.
● BIND backend could crash under (very) high load with very large numbers of zones (hundreds of thousands). Fixed in commit 1690.
● Miek Gieben and Marco Davids spotted that PowerDNS would answer the version.bind query in the IN class too. Bug reported via twitter! Fix in commit 1709.
● Marcus Lauer and the OpenDNSSEC project discovered that outgoing notifications did not carry the 'aa' flag. Fixed in commit 1746.
● Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by Anders Kaseorg in commit 1747.
● Fixed a bug that could cause crashes on launching thousands of backend connections. Never observed to occur, but who knows. Fix in commit 1792.
● Under some circumstances, large answers could be truncated in mid-record. While technically legal, this upset a number of resolver implementations (including the PowerDNS Recursor!). Fixed in commit 1830, re-closes ticket 200.

Improvements:

● Fixed compilation on newer compilers and newer versions of Boost. Changes in 1345 (t227), 1391, 1394, 1425, 1427, 1428, 1429, 1440, 1653, thanks to Ruben Kerkhof and others.
● Compilation fixes for Mac OS X 10.5.7 in commit 1389, thanks to Tobias Markmann.
● Allow for timestamps to explicitly be specified in (s)econds. Code in commit 1398, closing ticket 250.
● Internal support for TSIG, not yet hooked up. Commits 1417, 1485 and beyond.
● Zones with URL and MBOXFW records can be transferred over AXFR, code in commit 1464.
● Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d script to read /etc/default/pdns. Code in commit 1601, commit 1602.
● Generic SQL backends now support multiple masters in the domains table. Code in commit 1857. Additionally, masters can also have :port numbers. Code in commit 1858.

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
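
The "Bugs fixed" entry about the sqlite2 and sqlite3 backends using MySQL-style escaping can be reproduced in isolation. The following is an added example, not PowerDNS code and not part of the original announcement; the `records` table, the helper names and the sample names are constructed for illustration. It goes slightly beyond the entry by also showing a lookup that silently misses its row instead of raising an error.

```python
import sqlite3


def mysql_style_escape(value: str) -> str:
    """Backslash escaping as MySQL accepts it; SQLite gives '\\' no special meaning."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def sqlite_style_escape(value: str) -> str:
    """SQL-standard escaping, which SQLite expects: double each single quote."""
    return value.replace("'", "''")


def make_db(names):
    # Constructed sample table; "records" and its column are hypothetical names.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (name TEXT)")
    db.executemany("INSERT INTO records (name) VALUES (?)", [(n,) for n in names])
    return db


def lookup(db, name, escape):
    """Run a string-built query; return ('ok', row_count) or ('error', message)."""
    sql = "SELECT name FROM records WHERE name = '%s'" % escape(name)
    try:
        return ("ok", len(db.execute(sql).fetchall()))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def lookup_bound(db, name):
    """Bound parameter: no escaping convention is involved at all."""
    rows = db.execute("SELECT name FROM records WHERE name = ?", (name,))
    return len(rows.fetchall())


# Constructed sample names: plain, containing a quote, containing a backslash.
SAMPLE_NAMES = ["www.example.org", "o'brien.example.org", "a\\.b.example.org"]

if __name__ == "__main__":
    db = make_db(SAMPLE_NAMES)
    for n in SAMPLE_NAMES:
        print(repr(n),
              "mysql-style:", lookup(db, n, mysql_style_escape),
              "sqlite-style:", lookup(db, n, sqlite_style_escape),
              "bound:", lookup_bound(db, n))
```

With the MySQL-style helper the quoted name produces a syntax error and the backslash name returns zero rows, while quote doubling and bound parameters both find every row.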