From: Bert Hubert Date: Thu, 20 Apr 2006 16:21:11 +0000 (+0000) Subject: documentation, install fix, compilation fix for Solaris on intel (thanks Eric Sproul) X-Git-Tag: rec-3-0-1~16 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6a5b669b8c005c5bcbe774309508bb7455db4b64;p=pdns documentation, install fix, compilation fix for Solaris on intel (thanks Eric Sproul) git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@755 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/dnsrecords.cc b/pdns/dnsrecords.cc index 816cc1cd8..6f58366b2 100644 --- a/pdns/dnsrecords.cc +++ b/pdns/dnsrecords.cc @@ -246,7 +246,7 @@ boilerplate_conv(CERT, 37, conv.xfr8BitInt(d_algorithm); conv.xfrBlob(d_certificate); ) - +#undef DS boilerplate_conv(DS, 43, conv.xfr16BitInt(d_tag); conv.xfr8BitInt(d_algorithm); diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml index b3ded036f..6ae288eac 100644 --- a/pdns/docs/pdns.sgml +++ b/pdns/docs/pdns.sgml 
@@ -81,6 +81,95 @@ Before proceeding, it is advised to check the release notes for your PDNS version, as specified in the name of the distribution file. + Recursor version 3.0 + + Released 20th of April 2006, download. + + + This is the first separate release of the PowerDNS Recursor. There are many reasons for this, one of the most important ones is that + previously we could only do a release when both the recursor and the authoritative nameserver were fully tested and in good shape. The split + allows us to release new versions when each part is ready. + + + Now for the real news. This version of the PowerDNS recursor powers the network access of over two million internet connections. Two large + access providers have been running pre-releases of 3.0 for the past few weeks and results are good. Furthermore, the various pre-releases + have been tested nearly non-stop with DNS traffic replayed at 3000 queries/second. + + + As expected, the 2 million househoulds shook out some very rare bugs. But even a rare bug happens once in a while when there are this many users. + + + We consider this version of the PowerDNS recursor to be the most advanced resolver publicly available. Given current levels of spam, phishing + and other forms of internet crime we think no recursor should offer less than the best in spoofing protection. We urge all + operators of resolvers without proper spoofing countermeasures to consider PowerDNS, as it is a Better Internet Nameserver Daemon. + + + A good article on DNS spoofing can be found here. Some + more information, based on a previous version of PowerDNS, can be found on the + PowerDNS development blog. + + + + + Because of recent DNS based denial of service attacks, running an open recursor has become a security risk. Therefore, unless configured otherwise + this version of PowerDNS will only listen on localhost, which means it does not resolve for hosts on your network. 
+ To fix, configure the local-address setting with all addresses you want to listen on. Additionally, by default + service is restricted to RFC 1918 private IP addresses. Use allow-from to selectively open up the recursor + for your own network. See for details. + + + + + Important new features of the PowerDNS recursor 3.0: + + + + Best spoofing protection and detection we know of. Not only is spoofing made harder by using a new network address for each query, + PowerDNS detects when an attempt is made to spoof it, and temporarily ignores the data. For details, see . + + + + + First nameserver to benefit from epoll/kqueue/Solaris completion ports event reporting framework, for stellar performance. + + + + + Best statistics of any recursing nameserver we know of, see . + + + + + Last-recently-used based cache cleanup algorithm, keeping the 'best' records in memory + + + + + First class Solaris support, built on a 'try and buy' Sun CoolThreads T 2000. + + + + + Full IPv6 support, implemented natively. + + + + + Access filtering, both for IPv4 and IPv6. + + + + + Experimental SMP support for nearly double performance. See . + + + + + Many people helped package and test this release. Jorn Ekkelenkamp of ISP-Services helped find the '8000 SOAs' bug and spotted + many other oddities and XS4ALL internet funded a lot of the recent development. + Joaquín M López Muñoz of the boost::multi_index_container was again of great help. + + Version 2.9.20 Released the 15th of March 2006 @@ -5895,7 +5984,7 @@ local0.err /var/log/pdns.err The PowerDNS recursor is controlled and queried using the rec_control tool. - pdns_recursor settings + pdns_recursor settings At startup, the recursing nameserver reads the file recursor.conf from the configuration directory, often /etc/powerdns or /usr/local/etc. Each setting below can appear on the command line, 
@@ -6256,35 +6345,52 @@ local0.err /var/log/pdns.err Details - - PowerDNS implements a very simple but effective nameserver. Care has been taken not to overload remote servers in case - of overly active clients. - - - This is implemented using the 'throttle'. This accounts all recent traffic and prevents queries that have been sent out - recently from going out again. - - - There are three levels of throttling. - - - - If a remote server indicates that it is lame for a zone, the exact question won't - be repeated in the next 60 seconds. - - - - - After 4 ServFail responses in 60 seconds, the query gets throttled too. - - - - - 5 timeouts in 20 seconds also lead to query suppression. - - - - + Anti-spoofing + + The PowerDNS recursor 3.0 uses a fresh UDP source port for each outgoing query, making spoofing around 64000 times harder. This + raises the bar from 'easily doable given some time' to 'very hard'. Under some circimstances, 'some time' has been measured at 2 seconds. + This technique was first used by dnscache by Dan J. Bernstein. + + + In addition, PowerDNS detects when it is being sent too many unexpected answers, and mistrusts a proper answer if found within + a clutch of unexpected ones. + + + This behaviour can be tuned using the spoof-nearmiss-max. + + + Throttling + + PowerDNS implements a very simple but effective nameserver. Care has been taken not to overload remote servers in case + of overly active clients. + + + This is implemented using the 'throttle'. This accounts all recent traffic and prevents queries that have been sent out + recently from going out again. + + + There are three levels of throttling. + + + + If a remote server indicates that it is lame for a zone, the exact question won't + be repeated in the next 60 seconds. + + + + + After 4 ServFail responses in 60 seconds, the query gets throttled too. + + + + + 5 timeouts in 20 seconds also lead to query suppression. + + + + + + Statistics 
diff --git a/pdns/docs/rec_control.1.txt b/pdns/docs/rec_control.1.txt index 9e04f07a8..31ab951f6 100644 --- a/pdns/docs/rec_control.1.txt +++ b/pdns/docs/rec_control.1.txt @@ -1,5 +1,5 @@ -PDNS_RECURSOR(1) -================ +REC_CONTROL(1) +============== bert hubert v3.0, 19 April 2006 diff --git a/pdns/sysdeps-recursor/Linux.inc b/pdns/sysdeps-recursor/Linux.inc index 049df00d6..58988ca19 100644 --- a/pdns/sysdeps-recursor/Linux.inc +++ b/pdns/sysdeps-recursor/Linux.inc @@ -1,5 +1,5 @@ OPTIONALS:=optional/epollmplexer.o -OS_SPECIFIC_INSTALL=mkdirhier $(DESTDIR)/etc/init.d ; cp pdns-recursor.init.d $(DESTDIR)/etc/init.d/pdns-recursor +OS_SPECIFIC_INSTALL=mkdir -p $(DESTDIR)/etc/init.d ; cp pdns-recursor.init.d $(DESTDIR)/etc/init.d/pdns-recursor optional/epollmplexer.o: epollmplexer.cc $(CXX) $(CXXFLAGS) -c $< -o $@ ; true
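Review bot: the `+#undef DS` added in pdns/dnsrecords.cc before `boilerplate_conv(DS, 43,` has no comment, so the next reader will not know why a DNS record-type name is being undefined in the middle of the record table; the commit message only says "compilation fix for Solaris on intel", which implies a system header on that platform defines `DS` as a macro and the token would otherwise be expanded inside `boilerplate_conv`. Add a one-line comment next to the undef, e.g. `/* Solaris x86 system headers define DS as a macro; remove it so the DS record type below compiles */`, and note that the undef takes effect for the rest of this translation unit, so anything after it that relied on the macro would now break.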
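Review bot: two wording errors in the new "Recursor version 3.0" release notes in pdns/docs/pdns.sgml: "the 2 million househoulds" should read "households", and "Last-recently-used based cache cleanup algorithm" should read "Least-recently-used" (the LRU policy the sentence describes keeps the most recently used records, not the last ones). Since the spoofing paragraph refers operators to a later section for details, it would also help to state there, as the later section does, what the recursor does with a suspected spoofed answer (temporarily ignores it) rather than leaving only "detects when an attempt is made to spoof it".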
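Review bot: in the new "Anti-spoofing" section in pdns/docs/pdns.sgml, "Under some circimstances" should read "circumstances", and "can be tuned using the spoof-nearmiss-max" is missing the word "setting" after the option name. More importantly, the "around 64000 times harder" figure assumes the recursor can draw on the whole 16-bit source port range; if the host restricts outgoing queries to a narrow ephemeral port range, or the recursor sits behind a NAT that rewrites source ports to a small pool, the multiplier is far smaller. Suggest adding one sentence stating that assumption so operators know to check their port range and NAT placement when relying on this protection, and stating for how long a detected near-miss causes answers to be mistrusted, since the section currently gives no time window.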
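Review bot: the `mkdirhier` to `mkdir -p` change in pdns/sysdeps-recursor/Linux.inc is the right fix, since `mkdirhier` is not present on most Linux systems; however the unchanged context line `$(CXX) $(CXXFLAGS) -c $< -o $@ ; true` means a compile failure of optional/epollmplexer.o is swallowed and the build silently continues without the epoll multiplexer that the release notes advertise for performance. Consider at least echoing a warning in the failure path, e.g. `... || echo "WARNING: epoll multiplexer not built, falling back to select"`, so an operator can tell from the build log which event framework they actually got.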