From 44f0d73f53331f3356bf7be1c8a3b653863cf02c Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Tue, 16 Dec 2014 08:33:37 +0100
Subject: [PATCH] Remove the old XML documentation and related files
---
 pdns/docs/Makefile | 34 +-
 pdns/docs/config.xsl | 23 -
 pdns/docs/docbook.css | 36 -
 pdns/docs/expand | 13 -
 pdns/docs/pdns.xml | 25463 ----------------------------------------
 5 files changed, 4 insertions(+), 25565 deletions(-)
 delete mode 100644 pdns/docs/config.xsl
 delete mode 100644 pdns/docs/docbook.css
 delete mode 100755 pdns/docs/expand
 delete mode 100644 pdns/docs/pdns.xml
diff --git a/pdns/docs/Makefile b/pdns/docs/Makefile
index ac52ed212..6880ee371 100644
--- a/pdns/docs/Makefile
+++ b/pdns/docs/Makefile
@@ -1,20 +1,12 @@
 # $Id$
-all: pdns.txt pdns.pdf html/index.html html.tar.bz2 pdns-expanded.html manpages
-
-pdns-expanded.xml: pdns.xml
- ./expand < $< > $@
+all: html-new/index.html manpages
 
 clean:
- rm -rf *.dvi *.pdf *.tex *.toc *.aux *.ps *.bak *.tmp *~ *.log pdns.txt html.tar.bz2 html pdns pdns-expanded.html pdns-expanded.xml pdns_recursor.1 rec_control.1 html-new/index.html
+ rm -rf *.dvi *.pdf *.tex *.toc *.aux *.ps *.bak *.tmp *~ *.log pdns.txt html.tar.bz2 html pdns pdns-expanded.html pdns-expanded.xml pdns_recursor.1 rec_control.1 html-new/*
 
 manpages: dnsdist.1 pdns_recursor.1 rec_control.1 dnstcpbench.1
 
-html/index.html: pdns-expanded.xml
- rm -rf html
- xmlto xhtml -m config.xsl -o html $<
- cp docbook.css html
-
 html-new/index.html: process-md.sh mkdocs.yml markdown/** markdown/*/**
 rm -rf html-new/*
 mkdir -p html-new
 
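Review bot: The new `clean` recipe still removes artifacts whose producing rules this hunk deletes — `pdns.txt`, `html.tar.bz2`, `html`, `pdns-expanded.html`, `pdns-expanded.xml` and the `*.dvi *.pdf *.tex *.toc *.aux *.ps` set that came from the xmlto/dblatex targets — so the list now describes a pipeline that no longer exists. At the same time `manpages` (visible in the hunk) also builds `dnsdist.1` and `dnstcpbench.1`, and the `%.1: %.1.xml` rule in the following hunk leaves `*.1.xml` intermediates, none of which `clean` removes. Trimmed to what the remaining rules produce it would read `rm -rf *.bak *.tmp *~ *.log dnsdist.1 pdns_recursor.1 rec_control.1 dnstcpbench.1 *.1.xml html-new/*`; the `pdns` entry I cannot place from this diff, so keep it if something outside the hunk still creates that directory.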
@@ -24,32 +16,14 @@ html-new/index.html: process-md.sh mkdocs.yml markdown/** markdown/*/**
 mkdocs build --clean
 ./process-md.sh post
 
-pdns-expanded.html: pdns-expanded.xml
- xmlto xhtml-nochunks -m config.xsl $<
-
-html.tar.bz2: html/index.html
- tar cjf html.tar.bz2 html/
-
-%.txt: %-expanded.xml
- xmlto txt -m config.xsl $<
- mv pdns-expanded.txt pdns.txt
-
-%.pdf: %-expanded.xml
- xmlto --with-dblatex pdf $<
- mv pdns-expanded.pdf pdns.pdf
-
 %1.xml: %1.txt
 asciidoc -b docbook -d manpage $<
-
+
 %.1: %.1.xml
 xmlto man $<
-
+
 %.html: %1.txt
 asciidoc -b xhtml11 -d manpage $<
-
-publish:
- rsync --exclude "*.png" --copy-links --delete -avrz ./html pdns.txt pdns.pdf html.tar.bz2 \
- xs.powerdns.com:/var/www/doc.powerdns.com/
 
 publish3:
 rsync -crv ./html-new/ pdnsdocs@xs.powerdns.com:md/
diff --git a/pdns/docs/config.xsl b/pdns/docs/config.xsl
deleted file mode 100644
index 0599c6268..000000000
--- a/pdns/docs/config.xsl
+++ /dev/null
@@ -1,23 +0,0 @@ - - - - - - - - - - - - - - - - - - - - -
diff --git a/pdns/docs/docbook.css b/pdns/docs/docbook.css
deleted file mode 100644
index 7caa5e755..000000000
--- a/pdns/docs/docbook.css
+++ /dev/null
@@ -1,36 +0,0 @@
-body {
- font-family: luxi sans,sans-serif;
-}
-
-h5 {
- font-size: 1.1em;
-}
-
-.screen {
- font-family: monospace;
- font-size: 1em;
- display: block;
- padding: 10px;
- border: 1px solid #bbb;
- background-color: #eee;
- color: #000;
- overflow: auto;
- border-radius: 2.5px;
- -moz-border-radius: 2.5px;
- margin: 0.5em 2em;
-
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 1em;
- display: block;
- padding: 10px;
- border: 1px solid #bbb;
- background-color: #ddd;
- color: #000;
- overflow: auto;
- border-radius: 2.5px;
- -moz-border-radius: 2.5px;
- margin: 0.5em 2em;
-}
diff --git a/pdns/docs/expand b/pdns/docs/expand
deleted file mode 100755
index 1532dc105..000000000
--- a/pdns/docs/expand
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-sed \
-'s|\|commit \1|g' |
-sed \
-'s|\|\1|g' |
-sed \
-'s|\|commit \1|g' |
-sed \
-'s|\|\1|g' |
-sed \
-'s|\| \1|g' |
-sed \
-'s|\| ticket \1|g'
diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
deleted file mode 100644
index e15823854..000000000
--- a/pdns/docs/pdns.xml
+++ /dev/null
@@ -1,25463 +0,0 @@ - - - - - - PowerDNS manual - - - PowerDNS BV
- powerdns.support@powerdns.com -
-
-
- - - -
- It is a book about a Spanish guy called Manual. You should read it. - -- Dilbert -
-
-
-
- - - The PowerDNS Authoritative Server - - - The PowerDNS Authoritative Server is a versatile nameserver which supports a large number - of backends. These backends can either be plain zone files or be - more dynamic in nature. Additionally, through use of clever programming techniques, - PowerDNS offers very high domain resolution performance. - - - Prime examples of backends include relational databases, but also (geographical) load balancing and failover algorithms. - - - The company is called PowerDNS.COM BV, the nameserver daemons are called PowerDNS Authoritative Server and PowerDNS Recursor. - - - Function & design of PDNS - - PowerDNS consists of two parts: the Authoritative Server and the Recursor. Other nameservers - fully combine these functions, PowerDNS offers them separately, but can mix both authoritative and recursive - usage seamlessly. - - The Authoritative Server will answer questions about domains it knows about, - but will not go out on the net to resolve queries about other domains. However, it can use a - recursing backend to provide that functionality. Depending - on your needs, this backend can either be the PowerDNS recursor or an external one. - - - When the Authoritative Server answers a question, it comes out of the database, and can be trusted as being authoritative. There is - no way to pollute the cache or to confuse the daemon. - - - The Recursor, conversely, by default has no knowledge of domains itself, but will always consult other authoritative servers - to answer questions given to it. - - - PDNS has been designed to serve both the needs of small installations by being easy to setup, as well as - for serving very large query volumes on large numbers of domains. - - - Another prime goal is security. By the use of language features, the PDNS source code - is reasonably small which makes auditing easy. In the same way, library features have been used - to mitigate the risks of buffer overflows. 
- - - Finally, PowerDNS is able to give a lot of statistics on its operation which is both helpful in - determining the scalability of an installation as well as for spotting problems. - - - About this document - - If you are reading this document from disk, you may want to check http://doc.powerdns.com - for updates. The PDF version is available on http://doc.powerdns.com/pdf, a text file is - on http://doc.powerdns.com/txt/. - - - The most up to date version of the HTML documentation can be downloaded as a tar archive from - http://doc.powerdns.com/html.tar.bz2. - - - - Release notes - - Before proceeding, it is advised to check the release notes for your PDNS version, as specified in the name of the distribution - file. - - - Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor are released separately. - - - PowerDNS Recursor 3.6.2 - - - Version 3.6.2 is a bugfix update to 3.6.1. Released on the 30th of October 2014. - - - Official download page - - - - A list of changes since 3.6.1 follows. - - - - - - gab14b4f: expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries) - - - - - g42025be: PowerDNS now polls the security status of a release at startup and periodically. More - detail on this feature, and how to turn it off, can be found in . - - - - - g5027429: We did not transmit the right 'local' socket address to Lua for TCP/IP queries in the recursor. In addition, we would attempt to lookup a filedescriptor that wasn't there in an unlocked map which could conceivably lead to crashes. Closes t1828, thanks Winfried for reporting - - - - - g752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with static key in custom header - - - - - g6fdd40d: add missing #include <pthread.h> to rec-channel.hh (this fixes building on OS X). - - - - - PowerDNS Authoritative Server 3.4.1 - - - Version 3.4.1. of the PowerDNS Authoritative Server is a major - upgrade if you are coming from 2.9.x. 
Additionally, if you are coming from - any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. - Please refer to and any relevant sections - before it, before deploying this version. There are no 3.4.1 upgrade notes. - - - - - Released October 30th, 2014 - - - Find the downloads on our download page. - - - - This is a bugfix update to 3.4.0 and any earlier version. - - - A list of changes since 3.4.0 follows. - - - - - gdcd6524, ga8750a5, g7dc86bf, g2fda71f: PowerDNS now polls the security status of a release - at startup and periodically. More detail on this feature, and how to turn it off, - can be found in . - - - - - g5fe6dc0: API: Replace HTTP Basic auth with static key in custom header (X-API-Key) - - - - - g4a95ab4: Use transaction for pdnssec increase-serial - - - - - g6e82a23: Don't empty ordername during pdnssec increase-serial - - - - - g535f4e3: honor SOA-EDIT while considering "empty IXFR" fallback, fixes t1835. This fixes - slaving of signed zones to IXFR-aware slaves like NSD or BIND. - - - - - PowerDNS Authoritative Server 3.4.0 - - - Version 3.4.0 of the PowerDNS Authoritative Server is a major - upgrade if you are coming from 2.9.x. Additionally, if you are coming from - any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. - Please refer to and any relevant sections - before it, before deploying this version. - - - - - Released September 30th, 2014 - - - Find the downloads on our download page. - - - - This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. - It contains a huge amount of work by various contributors, to whom we are very grateful. - - - A list of changes since 3.3.1 follows. 
- - - Changes between RC2 and 3.4.0: - - - - - gad189c9, g445d93c: also distribute the dnsdist manual page - - - - - gb5a276d, g0b346e9, g74caf87, g642fd2e: Make sure all backends actually work as dynamic modules - - - - - g14b11c4: raise log level on dlerror(), fixes t1734, thanks @James-TR - - - - - g016d810: improve postgresql detection during ./configure - - - - - gdce1e90: DNAME: don't sign the synthesised CNAME - - - - - g25e7af3: send empty SERVFAIL after a backend throws a DBException, instead of including useless content - - - - - Changes between RC1 and RC2: - - - - - gbb6e54f: document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes t1400. - - - - - g4a23af7: init script: support DAEMON_ARGS; g7e5b3a0: init script: ensure socket dir exists - - - - - gdd930ed: don't import supermaster ips from other accounts - - - - - ged3afdf: fall back to central bind if reuseport bind fails; improves t1715 - - - - - g709ca59: GeoIP backend implementation. This is a new backend, still experimental! - - - - - gbf5a484: support EVERY future version of OS X, fixes t1702 - - - - - g4dbaec6: Check for __FreeBSD_kernel__ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes t1684; g74f389d: __FreeBSD_kernel__ is defined but empty on systems with FreeBSD kernels, breaking compile. 
Thanks pawal - - - - - g2e6bbd8: Catch PDNSException in Signingpiper::helperWorker to avoid abort - - - - - g0ffd51d: improve error reporting on malformed labels - - - - - gc48dec7: Fix forwarded TSIG message issue - - - - - gdad70f2: skip TCP_DEFER_ACCEPT on platforms that do not have it (like FreeBSD); fixes t1658 - - - - - gc7287b6: should fix t1662, reloading while checking for domains that need to be notified in BIND, causing lock - - - - - g3e67ea8: allow OPT pseudo record type in IXFR query - - - - - ga1caa8b: webserver: htmlescape VERSION and config name - - - - - gdf9d980: Remove "log-failed-updates" leftover - - - - - ga1fe72a: Remove unused "soa-serial-offset" option - - - - - Changes between 3.3.1 and 3.4.0-RC1 follow. - - - DNSSEC changes: - - - - - gbba8413: add option (max-signature-cache-entries) to limit the maximum number of cached signatures. - - - - - g28b66a9: limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option. - - - - - gb50efd6: drop the 'superfluous NSEC3' option that old BIND validators need. - - - - - The bindbackend 'hybrid' mode was reintroduced by Kees Monshouwer. Enable it with bind-hybrid. - - - - - Aki Tuomi contributed experimental PKCS#11 support for DNSSEC key management with a (Soft)HSM. - - - - - Direct RRSIG queries now return NOTIMP. - - - - - gfa37777: add secure-all-zones command to pdnssec - - - - - Unrectified zones can now get rectified 'on the fly' during outgoing AXFR. This makes it possible to run a hidden signing master without rectification. - - - - - g82fb538: AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs - - - - - Various minor bugfixes, mostly from the unstoppable Kees Monshouwer. - - - - - g0c4c552: set non-zero exit status in pdnssec if an exception was thrown, for easier automatic usage. - - - - - gb8bd119: pdnssec -v show-zone: Print all keys instead of just entry point keys. 
- - - - - g52e0d78: answer direct NSEC queries without DO bit - - - - - gca2eb01: output ZSK DNSKEY records if experimental-direct-dnskey support is enabled - - - - - g83609e2: SOA-EDIT: fix INCEPTION-INCREMENT handling - - - - - gac4a2f1: AXFR-out can handle secure and insecure NSEC3 optout delegations - - - - - gff47302: AXFR-in can handle secure and insecure NSEC3 optout delegations - - - - - New features: - - - - - DNAME support. Enable with experimental-dname-processing. - - - - - PowerDNS can now send stats directly to Carbon servers. Enable with carbon-server, tweak with carbon-ourname and carbon-interval. - - - - - g767da1a: Add list-zone capability to pdns_control - - - - - g51f6bca: Add delete-zone to pdnssec. - - - - - The gsql backends now support record comments, and disabling records. - - - - - The new reuseport config option allows setting SO_REUSEPORT, which allows for some performance improvements. - - - - - local-address-nonexist-fail and local-ipv6-nonexist-fail allow pdns to start up even if some addresses fail to bind. - - - - - 'AXFR-SOURCE' in domainmetadata sets the source address for an AXFR retrieval. - - - - - g451ba51: Implement pdnssec get-meta/set-meta - - - - - Experimental RFC2136/DNS UPDATE support from Ruben d'Arco, with extensive testing by Kees Monshouwer. - - - - - pdns_control bind-add-zone - - - - - New option bind-ignore-broken-records ignores out-of-zone records while loading zone files. - - - - - pdnssec now has commands for TSIG key management. - - - - - We now support other algorithms than MD5 for TSIG. - - - - - gba7244a: implement pdns_control qtypes - - - - - Support for += syntax for options - - - - - Bugfixes: - - - - - We verify the algorithm used for TSIG queries, and use the right algorithm in signing if there is possible confusion. Plus a few minor TSIG-related fixes. - - - - - gff99a74: making *-threads settings empty now yields a default of one instead of zero. 
- - - - - g9215e60: we had a deadly embrace in getUpdatedMasters in bindbackend reimplementation, thanks to Winfried for detailed debugging! - - - - - g9245fd9: don't addSuckRequest after supermaster zone creation to avoid one cause of simultaneous AXFR for the same zone - - - - - g719f902: fix dual-stack superslave when multiple namservers share a ip - - - - - g33966bf: avoid address truncation in doNotifications - - - - - geac85b1: prevent duplicate slave notications caused by different ipv6 address formatting - - - - - g3c8a711: make notification queue ipv6 compatible - - - - - g0c13e45: make isMaster ip check more tolerant for different ipv6 notations - - - - - Various fixes for possible issues reported by Coverity Scan (gf17c93b, ) - - - - - g9083987: don't rely on included polarssl header files when using system polarssl. Spotted by Oden Eriksson of Mandriva, thanks! - - - - - Various users reported pdns_control hangs, especially when using the guardian. We are confident that all causes of these hangs are now gone. - - - - - Decreasing the webserver ringbuffer size could cause crashes. - - - - - g4c89cce: nproxy: Add missing chdir("/") after chroot() - - - - - g016a0ab: actually notice timeout during AXFR retrieve, thanks hkraal - - - - - REST API changes: - - - - - The REST API was much improved and is nearing stability, thanks to Christian Hofstaedtler and others. - - - - - Mark Schouten at Tuxis contributed a zone importer. - - - - - Other changes: - - - - - Our tarballs and packages now include *.sql schema files for the SQL backends. - - - - - The webserver (including API) now has an ACL (webserver-allow-from). - - - - - Webserver (including API) is now powered by YaHTTP. - - - - - Various autotools usage improvements from Ruben Kerkhof. - - - - - The dist tarball is now bzip2-compressed instead of gzip. - - - - - Various remotebackend updates, including replacing curl with (included) yahttp. - - - - - Dynamic module loading is now allowed on Mac OS X. 
- - - - - The AXFR ACL (allow-axfr-ips) now defaults to 127.0.0.0/8,::1 instead of the whole world. - - - - - gba91c2f: remove unused gpgsql-socket option and document postgres socket usage - - - - - Improved support for Lua 5.2. - - - - - The edns-subnet option code is now fixed at 8, and the edns-subnet-option-numbers option has been removed. - - - - - geobackend now has very limited edns-subnet support - it will use the 'real' remote if available. - - - - - pipebackend ABI v4 adds the zone name to the AXFR command. - - - - - We now avoid getaddrinfo() as much as possible. - - - - - The packet cache now handles (forwarded) recursive answers better, including TTL aging and respecting allow-recursion. - - - - - gff5ba4f: pdns_server --help no longer exits with 1. - - - - - Mark Zealey contributed an experimental LMDB backend. Kees Monshouwer added experimental DNSSEC support to it. Thanks, both! - - - - - g81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks to Niels Bakker and sid3windr for insight & debugging. Closes t844. - - - - - RCodes are now reported in text in various places, thanks Aki. - - - - - Kees Monshouwer set up automatic testing for the oracle and goracle backends, and fixed various issues in them. - - - - - Leftovers of previous support for Windows have been removed, thanks to Kees Monshouwer, Aki Tuomi. - - - - - Bundled PolarSSL has been upgraded to 1.3.2 - - - - - PolarSSL replaced previously bundled implementations of AES (ge22d9b4) and SHA (g9101035) - - - - - bindbackend is now a module - - - - - g14a2e52: Use the inet data type for supermasters.ip on postgrsql. - - - - - We now send an empty SERVFAIL when a CNAME chain is too long, instead of including the partial chain. 
- - - - - g3613a51: Show built-in features in --version output - - - - - g4bd7d35: make domainmetadata queries case insensitive - - - - - g088c334: output warning message when no to be notified NS's are found - - - - - g5631b44: gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default - - - - - gd87ded3: implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it. - - - - - Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. - - - - - Removed settings related to fancy records, as we haven't supported those since version 3.0 - - - - - Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in g801812e and g8403ade. - - - - - PowerDNS Recursor 3.6.1 - - - Version 3.6.1 is a mandatory security upgrade to 3.6.0! Released on the 10th of September 2014. - - - - PowerDNS Recursor 3.6.0 could crash with a specific sequence of packets. For more details, see - . PowerDNS Recursor 3.6.1 was very well tested, and is in full - production already, so it should be a safe upgrade. - - - Downloads: - - - - Official download page - - - - - - In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds - a debugging feature: - - - - We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). - Fixed in gc90fcbd , closing t1663. - - - - - Improve systemd startup timing with respect to network availability (gcf86c6a), thanks to Morten Stevens. - - - - - Realtime telemetry can now be enabled at runtime, for example with 'rec_control carbon-server 82.94.213.34 ourname1234'. - This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. 
This specific - invocation will make your stats appear automatically on our public telemetry server. - - - - - - - PowerDNS Recursor version 3.6.0 - - - Downloads: - - - - Official download page - - - - - native RHEL5/6/7 packages from Kees Monshouwer - - - - - - - This is a performance, feature and bugfix update to 3.5/3.5.3. It contains - important fixes for slightly broken domain names, which your users expect to - work anyhow. It also brings robust resilience against certain classes of - attacks. - - - Changes between RC1 and release: - - - - g30b13ef: do not apply some of our filters to root and gtlds, plus remove some useless {} - - - - - gcc81d90: fix yahttp copy in dist-recursor for BSD cp - - - - - gb798618: define __APPLE_USE_RFC_3542 during recursor build on Darwin, fixes t1449 - - - - - g1d7f863: Merge pull request t1443 from zeha/recursor-nostrip - - - - - g5cdeede: remove (non-working) [aaaa-]additional-processing flags from the recursor. Closes t1448 - - - - - g984d747: Support building recursor on kFreeBSD and Hurd - - - - - g79240f1: Allow not stripping of binaries in recursor's make install - - - - - ge9c2ad3: document pdns.DROP for recursor, add policy-drops metric for it - - - - - - New features: - - - - gaadceba: Implement minimum-ttl-override config setting, plus runtime configurability via 'rec_control set-minimum-ttl'. - - - - - Lots of work on the JSON API, which is exposed via Aki Tuomi's 'yahttp'. Massive thanks to Christian Hofstaedtler for delivering - this exciting new functionality. Documentation & demo forthcoming, but code to use it is available - on GitHub. - - - - - Lua modules can now use 'pdnslog(INFO..'), as described in t1074, implemented in g674a305 - - - - - Adopt any-to-tcp feature to the recursor. Based on a patch by Winfried Angele. Closes t836, g56b4d21 and ge661a20. - - - - - g2c78bd5: implement built-in statistics dumper using the 'carbon' protocol, which is also understood by metronome (our mini-graphite). 
Use 'carbon-server', 'carbon-ourname' and 'carbon-interval' settings. - - - - - - New setting 'udp-truncation-threshold' to configure from how many bytes we should truncate. ga09a8ce. - - - - - Proper support for CHaos class for CHAOS TXT queries. gc86e1f2, addition for lua in gf94c53d, some warnings - in g438db54 however. - - - - - Added support for Lua scripts to drop queries w/o further processing. g0478c54. - - - - - Kevin Holly added qtype statistics to recursor and rec_control (get-qtypelist) (g79332bf) - - - - - Add support for include-files in configuration, also reload ACLs and zones defined in them (g829849d, g242b90e, g302df81). - - - - - - Paulo Anes contributed server-down-max-fails which helps combat Recursive DNS based amplification attacks. - Described in this post. Also comes with new metric 'failed-host-entries' in g406f46f. - - - - - g21e7976: Implement "followCNAMERecords" feature in the Lua hooks. - - - - - - Improvements: - - - - g06ea901: make pdns-distributes-queries use a hash so related queries get sent to the same thread. Original idea by Winfried Angele. Astoundingly effective, approximately halves CPU usage! - - - - - gb13e737: --help now writes to stdout instead of stderr. Thanks Winfried Angele. - - - - - - To aid in limiting DoS attacks, when truncating a response, we actually truncate all the way - so only the question remains. Suggested in t1092, code in gadd935a. - - - - - No longer experimental, the switch 'pdns-distributes-queries' can improve multi-threaded performance on Linux (various cleanup commits). - - - - - - Update to embedded PolarSSL, plus remove previous AES implementation and shift to PolarSSL (ge22d9b4, g990ad9a) - - - - - g92c0733 moves various Lua magic constants into an enum namespace. - - - - - set group and supplementary groups before chroot (g6ee50ce, t1198). - - - - - g4e9a20e: raise our socket buffer setting so it no longer generates a warning about lowering it. 
- - - - - g4e9a20e: warn about Linux suboptimal IPv6 settings if we detect them. - - - - - - SIGUSR2 turns on a 'trace' of all DNS traffic, a second SIGUSR2 now turns it off again. g4f217ce. - - - - - Various fixes for Lua 5.2. - - - - - g81859ba: No longer attempt to answer questions coming in from port 0, reply would not reach them anyhow. Thanks -to Niels Bakker and 'sid3windr' for insight & debugging. Closes t844. - - - - - gb1a2d6c: now, I'm not one to get OCD over things, but that log message about stats based on 1801 seconds got to - me. 1800 now. - - - - - Fixes: - - - - 0c9de4fc: stay away from getaddrinfo unless we really can't help it for ascii ipv6 conversions to binary - - - - - - g08f3f63: fix average latency calculation, closing t424. - - - - - g75ba907: Some of our counters were still 32 bits, now 64. - - - - - g2f22827: Fix statistics and stability when running with pdns-distributes-queries. - - - - - g6196f90: avoid merging old and new additional data, fixes an issue caused by weird (but probably legal) Akamai behaviour - - - - - g3a8a4d6: make sure we don't exceed the number of available filedescriptors for mthreads. Raises performance - in case of DoS. See this post for further details. - - - - - g7313fe6: implement indexed packet cache wiping for recursor, orders of magnitude faster. Important - when reloading all zones, which causes massive cache cleaning. - - - - - rec_control get-all would include 'cache-bytes' and 'packetcache-bytes', which were expensive operations, - too expensive for frequent polling. Removed in g8e42d27. - - - - - - All old workarounds for supporting Windows of the XP era have been removed. - - - - - Fix issues on S390X based systems which have unsigned characters (g916a0fd) - - - - - - PowerDNS Authoritative Server version 3.3.1 - Version 3.3.1 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0, 3.1 or 3.2. 
- Please refer to , , , and for important information on - correct and stable operation, as well as notes on performance and memory use. - - - - Released December 17th, 2013 - - - Downloads: - - - - Official download page - - - - - native RHEL5/6 packages from Kees Monshouwer - - - - - - - This is a bugfix update to 3.3. - - - Changes since 3.3: - - - - direct-dnskey is no longer experimental, thanks Kees Monshouwer & co for extensive testing (ge4b36a4). - - - - - Handle signals during poll (g5dde2c6). - - - - - g7538e56: Fix zone2{sql,json} exit codes - - - - - g7593c40: geobackend: fix possible nullptr deref - - - - - g3506cc6: gpsqlbackend: don't append empty dbname=/user= values to connect string - - - - - gpgsql queries were simplified through the use of casting (g9a6e39c). - - - - - ga7aa9be: Replace hardcoded make with variable - - - - - ge4fe901: make sure to run PKG_PROG_PKG_CONFIG before the first PKG_* usage - - - - - g29bf169: fix hmac-md5 TSIG key lookup - - - - - gc4e348b: fix 64+ character TSIG keys - - - - - g00a7b25: Fix comparison between signed and unsigned by using uint32_t for inception on INCEPTION-EPOCH - - - - - gd3f6432: fix building on os x 10.9, thanks Martijn Bakker. - - - - - We now allow building against Lua 5.2 (gbef3000, g2bdd03b, g88d9e99). - - - - - gfa1f845: autodetect MySQL 5.5+ connection charset - - - - - When misconfigured using 'right' timezones, a bug in (g)libc gmtime breaks our signatures. Fixed in ge4faf74 by Kees Monshouwer by implementing our - own gmtime_r. - - - - - When sending SERVFAIL due to a CNAME loop, don't uselessly include the CNAMEs (gdfd1b82). - - - - - Build fixes for platforms with 'weird' types (like s390/s390x): - gc669f7c (details), g07b904e and g2400764. - - - - - Support for += syntax for options, g98dd325 and others. 
- - - - - gf8f29f4: nproxy: Add missing chdir("/") after chroot() - - - - - g2e6e9ad: fix for "missing" libmysqlclient on RHEL/CentOS based systems - - - - - pdnssec check-zone improvements in g5205892, gedb255f, g0dde9d0, g07ee700, - g79a3091, g08f3452, gbcf9daf, gc9a3dd7, g6ebfd08, gfd53bd0, g7eaa83a, - ge319467, , - - - - - NSEC/NSEC3 fixes in g3191709, gf75293f, gcd30e94, g74baf86, g1fa8b2b - - - - - The webserver could crash when the ring buffers were resized, fixed in g3dfb45f. - - - - - g213ec4a: add constraints for name to pg schema - - - - - gf104427: make domainmetadata queries case insensitive - - - - - g78fc378: no label compression for name in TSIG records - - - - - g15d6ffb: pdnssec now outputs ZSK DNSKEY records if experimental-direct-dnskey support is enabled (renamed to direct-dnskey before release!) - - - - - gad67d0e: drop cryptopp from static build as libcryptopp.a is broken on Debian 7, which is what we build on - - - - - g7632dd8: support polarssl 1.3 externally. - - - - - Remotebackend was fully updated in various commits. - - - - - g82def39: SOA-EDIT: fix INCEPTION-INCREMENT handling - - - - - ga3a546c: add innodb-read-committed option to gmysql settings. - - - - - g9c56e16: actually notice timeout during AXFR retrieve, thanks hkraal - - - - - - PowerDNS Recursor version 3.5.3 - - - Released September 17th, 2013 - - - Downloads: - - - - Official download page - - - - - native RHEL5/6 packages from Kees Monshouwer - - - - - - - This is a bugfix and performance update to 3.5.2. It brings serious performance improvements for dual stack users. - - - Changes since 3.5.2: - - - - 3.5 replaced our ANY query with A+AAAA for users with IPv6 enabled. Extensive measurements by Darren Gamble - showed that this change had a non-trivial performance impact. We now do the ANY query like before, but fall - back to the individual A+AAAA queries when necessary. Change in g1147a8b. 
- - - - - The IPv6 address for d.root-servers.net was added in g66cf384, thanks Ralf van der Enden. - - - - - We now drop packets with a non-zero opcode (i.e. special packets like DNS UPDATE) earlier on. If the experimental pdns-distributes-queries flag is enabled, this fix avoids a crash. Normal setups were never susceptible to this crash. Code in g35bc40d, closes t945. - - - - - TXT handling was somewhat improved in g4b57460, closing t795. - - - - - - PowerDNS Recursor version 3.5.2 - - - Released June 7th, 2013 - - - Downloads: - - - - Official download page - - - - - native RHEL5/6 packages from Kees Monshouwer - - - - - - - This is a stability and bugfix update to 3.5.1. It contains important fixes that improve operation for certain domains. - - - Changes since 3.5.1: - - - - Responses without the QR bit set now get matched up to an outstanding query, so that resolution can be - aborted early instead of waiting for a timeout. Code in gee90f02. - - - - - The depth limiter changes in 3.5.1 broke some legal domains with lots of indirection. Improved in gd393c2d. - - - - - Slightly improved logging to aid debugging. Code in g437824d and g182005e. - - - - - - PowerDNS Authoritative Server version 3.3 - Version 3.3 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0, 3.1 or 3.2. - Please refer to , , and for important information on - correct and stable operation, as well as notes on performance and memory use. - - - - Released on July 5th 2013 - - - Downloads: - - - - Official download page - - - - - native RHEL5/6 packages from Kees Monshouwer - - - - - - - This a stability, bugfix and conformity update to 3.2. It improves interoperability with various validators, - either through bugfixes or by catering to their needs beyond the specifications. 
- - - Changes between RC2 and final: - - - - pdnssec rectify-zone now refuses to operate on presigned zones, as rectification already happens - during incoming transfer. Patch by Kees Monshouwer in g9bd211e. - - - - - We now handle zones with a mix of NSEC3 opt-out and non-opt-out ranges correctly during inbound and outbound AXFR. Many thanks to Kees Monshouwer. Code in g5aa7003 and gd3e7b17. - - - - - More remotebackend fixes (g32d4f44, g44c2ee8, g1fcc7b7, g0b1a3b2, g9a319b1), thanks Aki Tuomi. - - - - - Some compiler warnings were squashed (ged554db), thanks Morten Stevens. - - - - - Fix broken memory access in LOC parser (g4eec51b, gbea513c), thanks Aki Tuomi. - - - - - DNSSEC: DS queries at the apex of a zone for which we are not hosting the parent, would wrongly - get an 'unauth NOERROR'. Fixed by Kees Monshouwer in g34479a6. - - - - - - Changes between RC1 and RC2: - - - - Added dnstcpbench tool, by popular demand. - - - - - We always shipped a static tools RPM; we now have a similar Debian package. All packages have been cleaned up a bit, and the binary collections are now consistent between RPM and Deb. New: pass - --enable-tools to configure to have the tools included in 'make all' and 'make install'. - - - - - g4d2e3f5: add selinux policy files - - - - - We would sometimes send a single NULL byte, or nothing at all, instead of an OPT record. - Fixed in gbf7f822, g063076b, g90d361d. - - - - - g2ee9ba2: expand any-to-tcp to direct RRSIG queries - - - - - g5fff084, ge38ef51: drop no-op flag strict-rfc-axfrs, thanks Jelte Jansen. - - - - - gf3d8902, g7c0b859, g5eea730: Implement MINFO qtype for better interaction when slaving zones - from NSD (that contain MINFO). Thanks to Jelte Jansen. - - - - - g8655a42, gbf79c6a, g38c941b: SRV record can have a '.' as final field, from which we would dutifully strip the trailing ., leaving void, confusing everything. We now remove the trailing . in the right place, and not if we are trying to server '.'. 
Again thanks to Jelte & SIDN for catching this. - - - - - g70d5a66: improve error message in ill formed unknown record type, thanks Jelte Jansen for reporting. - - - - - g3640473: Built in webserver can now listen on IPv6, fixes t843. Also silences some useless messages about timeouts. - - - - - g7db735c, gd72166c: CHANGES BEHAVIOUR: before we launch, check if we can connect to the controlsocket we are about to obliterate. If it works, abort. Fixes t841 and changes standing behaviour. There might be circumstances where PowerDNS now refuses to start, where it previously would. However, starting and making our previous instance mute wasn't good. - - - - - g9130f9e: correctly refuse out-of-zone data in bindbackend, closes t845 - - - - - g3363ef7: initialise server-id after all parsing is done, instead of half way through. Fixes situations where server-id was emptied explicitly. Reported by Wouter de Jong - - - - - gcd4f253: bump boost requirement, thanks Wouter de Jong - - - - - g58cad74: Update pdns auth init script so it works on wheezy - - - - - g8714c9c: clang fixes by Aki Tuomi, thanks! - - - - - g146601d: stretch supermasters.ip for IPv6, thanks Dennis Krul - - - - - g1a5c5f9: various remotebackend improvements by Aki Tuomi - - - - - g6ab1a11: make sure systemd starts PowerDNS after relevant databases have been started, thanks Morten Stevens. - - - - - g606018f, gee5e175, gc76f6f4: check scopeMask of answer packet, not of query packet! - - - - - g2b18bcf: Added warning if trailing dot is used, thanks Aki Tuomi. - - - - - g16cf913: make superfluous 'bind' NSEC3 record optional - - - - - - New features and important changes since 3.2 (these changes are in RC1 and up): - - - - g04576ee, gb0e15c8: Implement pdnssec increase-serial, thanks Ruben d'Arco. - - - - - gcee857b: PowerDNS now sets additional groups while dropping privileges. - - - - - g7796a3b: Merge support for include-dir directive, thanks Aki Tuomi! 
- - - - - gd725755: make pdns-static Conflict with pdns-server, closes t640 - - - - - gc0d5504: pdnssec now emits 'INSERT INTO domain ..' queries when running without named.conf, thanks Ruben d'Arco. - - - - - ga1d6b0c: Older versions of the BIND 9 validating recursor need a superfluous NSEC3 record on positive wildcard responses. We now send this extra NSEC3. Closes t814. - - - - - g07bf35d: catch a lot more errors in pdnssec and report them. Fixes t588. - - - - - g032e390: make pdnssec exit with 1 on some error conditions, closes t677 - - - - - - g4af49b8, g4cec6ac: add ability to create an 'active' or inactive key using add-zone-key and import-zone-key, plus silenced some debugging. Fixes t707. - - - - - gfae4167: Compiling against Lua 5.2 (--with-lua=lua5.2) now disables some code used for regression - testing, instead of breaking during compile. This means that Lua 5.2 can be used in production. - - - - - gabc8f3f, G357f6a7: Implement the new any-to-tcp option that, when set, always replies with a truncated response (TC=1) to ANY queries, forcing them to use TCP. - - - - - g496073b: Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK and two ZSK, with one ZSK - active. For most, if not almost all, users, this inactive ZSK is never used. We now no longer generate - this useless ZSK. The resulting smaller DNSKEY RRset improves interoperability with certain validators. - Closes t824. - - - - - gdf55450: Non-DNSSEC ANY queries no longer get sent DNSSEC records. This improves - interoperability with some old resolvers. Patch by Kees Monshouwer. - - - - - g04b4bf6: Merge support for not using opt-out with NSEC3. Many thanks to Kees Monshouwer. - - - - - g8db49a6: We now try not to NOTIFY ourselves. In convoluted cases involving REUSE_PORT and binding to - 0.0.0.0 and ::, it might be possible that we guess wrong, in which case you can set - prevent-self-notification to off. 
- - - - - - Important bug fixes: - - - - g63e365d: don't mess up encoding when copying qname from question to answer in packetcache. Based on - reports&debugging by Jimmy Bergman (sigint), Daniel Norman (Loopia) and the fine people at ISC. - This avoids most issues related to BIND 9 erroneously blacklisting PowerDNS for lack of EDNS support. - - - - - g3526186: fix backslash handling in TXT parser, includes test. Thanks Jan-Piet Mens. - - - - - g830281f, Gaef7330: Accept chars >127 ('high ASCII') in TXT records, closing t541 and T723. - - - - - gfeef1ec: fix missing NSEC3 for secure delegation, thanks Kees Monshouwer, closes t682 - - - - - gb61e407: around Thursday midnight, during signature rollovers, we would update the SOA serial too early. Fixed by reverting gd90efbf, adding 7 days margin to inception. Fix by Kees Monshouwer. - - - - - gff64750: make sure mixed-case queries get a correct apex NSEC3 type bitmap - - - - - g4b153d8: always lowercase next name in NSEC to avoid interop troubles with validators, thanks Marco Davids&Matthijs Mekking. - - - - - - Other changes: - - - - g49977c6: fix bug in boost.m4 where it insists on setting -L, causing useless RPATH in our binaries. Closes t728 - - - - - g62ac758: use PolarSSL for MD5 hashing instead of shipping our own copy of md5 hashing code, thanks Aki Tuomi. - - - - - g775acd9: give a better error on trying to add nsec3 parameters to a weird zone like "1 0 1 ab" (which indicates that you forgot to specify a zone name on the command line). Fixes t800. - - - - - g315dd2e: Simplify socket listening code, and make sure we always set the nonblocking flag correctly. Patch by Mark Zealey, closes t664. - - - - - gb35da1b: if_ether.h is in netinet/ not net/ on OpenBSD, thanks Florian Obser. - - - - - g71301b6: Replicate gsql backend feature of having separate -auth queries for DNSSEC into oraclebackend. Also lets you disable dnssec if you are not ready for it. Closes t527, patch by Aki Tuomi. 
- - - - - g2125dac: drop unused ignore-rd-bit flag - - - - - g8c1a6d6: NSECx optimizations, thanks Kees Monshouwer. - - - - - g664716a: drop unused variables in lua backend (t653) - - - - - gd8ec70f: fix db2 backend includes (t653) - - - - - g6477102: add goracle schema, thanks Aki Tuomi. - - - - - g9118638: make goraclebackend "at least work", closes t729, thanks Aki Tuomi. - - - - - ge0ad7bb: add DS digest type 4 to show-zone output; add algorithm names. Based on a patch by Aki Tuomi, - closes t744 - - - - - g61a7fac: enable AM_SILENT_RULES, closing t647 - - - - - g837f4b4: do a better job at escaping TXT, fixes t795 - - - - - g6ca3fa7: add SOA-EDIT INCEPTION-INCREMENT mode, thanks stbuehler - - - - - g6159c49: Add connection info to sql-connect message - - - - - g9f62e34, g0fc965f, g2035112: Added EUI48 and EUI64 record types - - - - - gf9cf6d9: cut the number of database queries in half for AXFR-in, thanks Kees Monshouwer. - - - - - gc87f987: add default for SOA contact e-mail - - - - - gbb4a573: move random backend to modules, thanks Kees Monshouwer. - - - - - g1071abd: restyle builtin webserver page, thanks Christian Hofstaedtler. - - - - - gcd5e158: correct bogus use of poll(2) related constants, improving non-Linux portability. Thanks Wouter de Jong. - - - - - g27ff60a: make sure our NSEC(3)s for names with spaces in them are correct. Reported by Jimmy Bergman. Includes test. - - - - - g116e28a: reduce log level of successful gpgsql/gsqlite3 connection to Info - - - - - - gb23b90a: Metadata update is now in the same transaction as the AXFR. This improves slaving speed - tremendously, especially for SQLite users. Patch by Kees Monshouwer. - - - - - g4620e8a: Added zone2json, thanks Aki Tuomi. - - - - - gf0fa8b6: Fix remotebackend setdomainmetadata return value handling. Fix by Aki Tuomi, closes t740. - - - - - g80e82d6: log control listener abort even more explicitly. 
- - - - - g7c0cb15, Ga718d74: support automake 1.12 - - - - - g3fe22eb, G6707cb1: update autoconf/automake preamble to non-deprecated variant, thanks Morten Stevens - - - - - g6c4e531: disarm dead code that causes gcc crashes on ARM, thanks Morten Stevens. - - - - - g36855b5: if we failed to make a new UDP socket, we'd report a confusing error about it. - - - - - g1b8e5e6: autoconf support for oracle, thanks Aki Tuomi. Closes t726. - - - - - g8ac0c06: allow setting of some oracle env vars. Patch by Aki Tuomi, closes t725. - - - - - g45e845b: add example.rb sample script for remotebackend, thanks Aki Tuomi. - - - - - g950bddd: add pdnssec generate-zone-key command, thanks Aki. Closes t711. - - - - - g2c03cde: Replace select with waitForData in remotebackend. Patch by Aki Tuomi, closes t715. - - - - - g450292c: accept ANY responses during recursive forwarding, thanks Jan-Piet Mens. - - - - - gd9dd76b: actually clean up unix domain sockets too after use. - - - - - g36758d2: merge t476 by Aki Tuomi, providing default-ksk/zsk-algorithms/size configuration parameters for pdnssec. - - - - - g2f2b014: apply variant of code in t714 so we can lauch pipe backend scripts with parameters, plus add experimental code that if pipe-command is a unix domain socket, we use that. - - - - - g9566683: merge patch from ticket 712 addressing memory leak in remotebackend, thanks Aki. - - - - - gfb6ed6f: explicitly set domain id during bindbackend superslave domain create, thanks Kees Monshouwer&Aki Tuomi. - - - - - g69bae20: use private temp dir when running under systemd, thanks Morten Stevens&Ruben Kerkhof. - - - - - gb26a48a: fix rapidjson usage in remotebackend, patch by Aki Tuomi. Closes t697. - - - - - gda8e6ae: also answer questions with : in them. - - - - - gef1c4bf: also spot trailing dots on CNAME content, thanks Jan-Piet Mens and Ruben d'Arco. 
- - - - - gfb31631: only setCloseOnExec on valid sockets - - - - - - PowerDNS Recursor version 3.5.1 - - - Released May 3rd, 2013 - - - Downloads: - - - - Official download page - - - - - native RHEL5/6 packages from Kees Monshouwer - - - - - - - This is a stability and bugfix update to 3.5. It contains important fixes that improve operation for certain domains. - - - Changes since 3.5: - - - - We now abort earlier while following endless glue or CNAME chains. Fix in g02d1742. - - - - - Some unused code would crash certain gcc versions on ARM. Reported by Morten Stevens, fixed in g5b188e8. - - - - - The 3.5 fix for t731 was too strict, causing trouble with at least one domain. Reported by Aki Tuomi, check slightly relaxed in g4134690. - - - - - Automake/autoconf now use non-deprecated syntax. Reported by Morten Stevens, change in gca17ef2. - - - - - - PowerDNS Recursor version 3.5 - - - Released April 15th, 2013 - - - Downloads: - - - - Official download page - - - - - native RHEL5/6 packages from Kees Monshouwer - - - - - - - This is a stability, security and bugfix update to 3.3/3.3.1. It contains - important fixes for slightly broken domain names, which your - users expect to work anyhow. - - - - Because a semi-sanctioned 3.4-pre was distributed for a long time, and people have come to call that - 3.4, we are skipping an actual 3.4 release to avoid confusion. - - - - Changes between RC5 and the final 3.5 release: - - - - Winfried Angele reported that restarting a very busy recursor could lead to crashes. Fixed in r3153, closing t735. - - - - - - Changes between RC4 and RC5: - - - - Bernd-René Predota of Liberty Global reported that Recursor 3.3 would treat empty non-AA NOERROR responses - as authoritative NXDATA responses. This bug turned out to be in 3.5-RC4 too. Fixed in c3146, related to t731. - - - - - - Changes between RC3 (unreleased) and RC4: - - - - Winfried Angele spotted, even before release, that c3132 in RC3 broke outgoing IPv6 - queries. 
We are grateful for his attention to detail! Fixed in c3141. - - - - - - Changes between RC2 and RC3 (unreleased): - - - - Use private temp dir when running under systemd, thanks Morten Stevens and Ruben Kerkhof. Change in c3105. - - - - - NSD mistakenly compresses labels for RP and other types, violating a MUST in RFC 3597. - Recursor does not decompress these labels, violating a SHOULD in RFC3597. We now - decompress these labels, and reportedly NSD will stop compressing them. Reported by - Jan-Piet Mens, fixed in c3109. - - - - - When forwarding to another recursor, we would handle responses to ANY queries - incorrectly. Spotted by Jan-Piet Mens, fixed in c3116, closes t704. - - - - - Our local-nets definition (used as a default for some settings) now includes the - networks from RFC 3927 and RFC 6598. Reported by Maik Zumstrull, fixed in c3122. - - - - - The RC1 change to stop using ANY queries to get A+AAAA for name servers in one go - had a 5% performance impact. This impact is corrected in c3132. Thanks to Winfried - Angele for measuring and reporting this. Closees t710. - - - - - New command 'rec_control dump-nsspeeds' will dump our NS speeds (latency) cache. - Code in c3131. - - - - - - Changes between RC1 and RC2: - - - - While Recursor 3.3 was not vulnerable to the specific attack noted in - 'Ghost Domain Names: Revoked Yet Still Resolvable' (more information at A New DNS Exploitation Technique: Ghost Domain Names), - further investigation showed that a variant of the attack could work. This was fixed in c3085. This should - also close the slightly bogus - CVE-2012-1193. Closes t668. - - - - - The auth-can-lower-ttl flag was removed, as it did not have any effect in most situations, and thus - did not operate as advertised. We now always comply with the related parts of RFC 2181. Change in - c3092, closing t88. - - - - - - Changes below are in RC1 (and up). - - - New features: - - - - The local zone server now understands wildcards, code in c2062. 
- - - - - The Lua postresolve and nodata hooks, that had been distributed as a '3.3-hooks' snapshot earlier, - have been merged. Code in c2309. - - - - - A new feature, rec_control trace-regex allows the tracing of lookups for specific names. Code in c3044, - c3073. - - - - - A new setting, export-etc-hosts-search-suffix, adds a configurable suffix to names imported from /etc/hosts. - Code in c2544, c2545. - - - - - - Improvements: - - - - We now throttle queries that don't work less aggressively, code in c1766. - - - - - Various improvements in tolerance against broken auths, code in c1996, c2188, c3074 (thanks Winfried). - - - - - - Additional processing is now optional, and disabled by default. Presumably this yields a performance - improvement. Change in c2542. - - - - - - - rec_control reload-lua-script now reports errors. Code in c2627, closing t278. - - - - - rec_control help now lists commands. Code in c2628. - - - - - - - rec_control wipe-cache now also wipes the recursor's packet cache. Code in c2880 from t333. - - - - - Morten Stevens contributed a systemd file. Import in c2966, now part of the recursor tarball. - - - - - c2990 updates the address of D.root-servers.net. - - - - - - Winfried Angele implemented and documented the ipv6-questions metric. Merge in c3034, closing t619. - - - - - - We no longer use ANY to get A+AAAA for nameservers, because some auth operators have decided to break - ANY lookups. As a bonus, we now track v4 and v6 latency separately. Change in c3064. - - - - - - - Bugs fixed: - - - - Some unaligned memory access was corrected, code in c2060, c2122, - c2123, which would cause problems on UltraSPARC. - - - - - Garbage encountered during reload-acls could cause crashes. Fixed in c2323, closing t330. - - - - - The recursor would lose its root hints in a very rare situation. Corrected in c2380. - - - - - We did not always drop supplemental groups while dropping privileges. Reported by David Black of - Atlassian, fixed in c2524. 
- - - - - Cache aging would sometimes get confused when we had a mix of expired and non-expired records in cache. - Spotted and fixed by Winfried Angele in c3068, closing t438. - - - - - rec_control reload-acl no longer ignores arguments. Fix in c3037, closing t490. - - - - - Since we re-parse our commandline in rec_control we've been doubling the commands on the commandline, causing weird output. Reported by Winfried Angele. Fixed in c2992, closing t618. - This issue was not present in any officially released - versions. - - - - - c2879 drops some spurious stderr logging from Lua scripts, and makes sure 'place' is always valid. - - - - - - We would sometimes refuse to resolve domains with just one nameserver living at the apex. Fixed in c2817. - - - - - We would sometimes stick RRs in the wrong parts of response packets. Fixed in c2625. - - - - - The ACL parser was too liberal, sometimes causing recursors to be very open. Fixed in c2629, closing t331. - - - - - rec_control now honours socket-dir from recursor.conf. Fixed in c2630. - - - - - When traversing CNAME chains, sometimes we would end up with multiple SOAs in the result. - Fixed in c2633. - - - - - - - - - PowerDNS Authoritative Server 3.2 - Version 3.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0 or 3.1 - Please refer to , and for important information on - correct and stable operation, as well as notes on performance and memory use. - - - Released January 17th, 2013 - Downloads: - - - - Official download page - - - - - native RHEL5/6 packages from Kees Monshouwer - - - - - additional third-party builds - - - - - - - This is a stability and conformity update to 3.1. It mostly makes our DNSSEC implementation more robust, - and improves interoperability with various validators. 
3.2 has received very extensive testing on a lot - of edge cases, verifying output both against common validators and compared against other authoritative servers. - - - In addition to all the changes below, we now auto-build semi-static packages. Relevant changes to - make that possible are in c2849, c2853, 2858, c2859, c2860. - - - Changes between 3.2-RC4 and the final 3.2 release: - - - - Aki Tuomi contributed a bunch of fixes to our crypto drivers. Code in c3036 and c3055/c3057. - - - - - The ksk|zsk argument for pdnssec import-zone-key was required while it should be optional. Fixed in c3051. - - - - - - Changes between 3.2-RC3 and 3.2-RC4: - - - - The experimental undocumented bindbackend superslave mode would break the first added domain until a restart. Fixed by Kees Monshouwer in c3013. - - - - - Sander Hoentjen reported an issue with our choice of ports for outgoing TCP connections. Investigating it - turned up that we were randomizing TCP connections on purpose while leaving UDP port choice to the kernel, - which should be the other way around. Fixed in c3014, closing t643 and t644. - - - - - Aki Tuomi contributed some autoconf code to use mysql_config if it is available. Code in c3015 and c3019, closing t458. - - - - - The MongoDB backend was removed at the author's request, as it does not work with any current libmongo versions. - Change in c3017. - - - - - Mark Zealey discovered we were retrieving the ascii powerdns version string for each packet, not just for version string queries. Fixed in c3018, closing t651. - - - - - Our new json code would not compile on solaris 9 and 10 due to lack of strcasestr. Juraj Lutter contributed - a portable version in c3020. - - - - - Mark Zealey noted that RRs with low TTLs could lower our query-cache-ttl persistently. Fixed in c3023, closing t662. - - - - - pdnssec now honours module-dir, patch by Fredrik Danerklint in c3026. 
- - - - - - Changes between 3.2-RC2 and 3.2-RC3: - - - - Michael Scheffler noticed that the lazy-recursion setting had no effect at all. Setting removed in - c3003. - - - - - Mark Zealey found that an earlier performance improvement could cause crashes under high load, - with lots of IPs configured in local-address and receiver-threads higher than 1. Fixed in c3005. - - - - - - Changes between 3.2-RC1 and 3.2-RC2: - - - - The udp-queries metric would only count on the first thread launched, instead of on all threads. - Additionally, it was initialised at MAXINT at startup, instead of at 0. Both issues fixed by Kees - Monshouwer in c2999, closing t491 and t582. - - - - - Aki Tuomi contributed zone2json, a great way for programmers to benefit from our zone file parser. - Code in c2997, closes t509. - - - - - Our DNS TXT parser is not 8-bit safe, but our DNS TXT writer assumes the reader is! Reported by Jan-Piet Mens in t541, c2993 fixes our writer but not yet our parser. - - - - - Ruben d'Arco did some improvements to the MyDNS backend, and provided a full test suite for it, that we - now run after every commit. Code in c2988. - - - - - Some exceptions from backends would lose their meaning while bubbling up. Fixed by Aki Tuomi - in c2985, closing t639. - - - - - The packet-cache honours max reply length while matching cached packets against queries, but not EDNS - status. This would mean that EDNS-enabled replies with a 512 reply len could be returned on non-EDNS queries. - Spotted while investigating a report from Winfried Angele, patched by Ruben d'Arco in c2982, closing t630. - - - - - Errors involving creating, deletion or changing permissions on the control socket were unclear. - Ruben d'Arco improved this in c2981. - - - - - pipe-timeout was always documented to be in milliseconds, but it turns out it was in seconds! c2971 changes - them to actually be in ms, and 'increases' the default from 1000 seconds to 2000 milliseconds. 
- - - - - Some exceptions would get dropped during inbound AXFR, yielding a log file that says 'transaction started' - and nothing after that, making AXFR fail silently. c2976 and c2977 improve this somewhat. - - - - - We now error out on empty labels inside of names (www..example.com) instead of generating bogus reply - packets. Code in c2972, reported by several users. - - - - - Doing chmod before chown, instead of the other way around, apparently avoids requiring a whole SELinux capability. Reported by Sander Hoentjen, fixed in c2965. - - - - - Christian Hofstaedtler fixed a bug in our Debian init.d script. Code in c2963. - - - - - Superslave errors ('Unable to find backend willing to host ..') now include the NSset found at the master, to aid debugging. Code in c2887. - - - - - c2874 in RC1 broke compilation without SQLite3 and made query logging unreliable. Fixed in c2888, c2889. - - - - - The dnsreplay tool now processes single packet pcaps. Fix in c2895. - - - - - PowerDNS always derives NSEC/NSEC3 from the actual zone content. To accommodate this, zone2sql now drops NSEC/NSEC3 records, as those should never be in a PowerDNS backend directly (c2915), bindbackend ignores NSEC/NSEC3 while reading zonefiles (c2917) and pdnssec reports NSEC/NSEC3 in the database as an error condition (c2918). - - - - - The bindbackend now ignores NSEC/NSEC3 records while reading zonefiles. Change in c2917. - - - - - An EXPERIMENTAL feature ('direct-dnskey') for reading ZSKs from the records table/your BIND zonefile was added in c2920, c2921, c2922. - - - - - While fully optional, PowerDNS supports direct RRSIG queries. Kees Monshouwer improved on our behaviour for those queries in c2927. - - - - - IPv6 glue situations require AAAA records for the receiving end of a delegation in the ADDITIONAL section of a referral. This was supported ('do-ipv6-additional-processing') but not enabled by default. c2929 enables it by default. 
- - - - - pdnssec check-zone now warns for CNAME-and-other data at names in your zones. Code by Ruben d'Arco in c2930. - - - - - Positive ANY-responses would include a spurious NSEC3. Corrected in c2932 and c2933, cleaned up by Kees Monshouwer in c2935. - - - - - The ldapbackend now allows overriding the base dn for AXFR subtree search. Fixed in c2934, closing t536. - - - - - - Changes below are in 3.2-RC1 and up. - - - DNSSEC changes in 3.2: - - - - Kees Monshouwer did a tremendous amount of work to improve and perfect our DNSSEC implementation, - mostly in the NSEC3 area. Code in c2687, c2689, c2691, fixing t486, t537, t540. He also implemented support for Empty Non-Terminals, - code in c2721, c2732, c2745, fixing t127 and t558. - - - - - Presigned wildcard operation was improved with the help of many parties (see commit message for c2676). Presigned operation - was also changed to be more consistent with master/live-signing operation. Code and a full test suite in c2709, which also improves - TTL behaviour for various situations. Fixes t460, t533, t559. - - - - - Depending on database & locale settings, names starting with underscore would sometimes cause broken records. c2710 contains schema - and code changes for the gpgsql and gmysql backends to sort this (no pun intended) definitively, closing t550. In addition, a pdnssec test-schema command was added (experimental and incomplete). It can be used to verify underscore sorting and a few other parameters of the database. Code in c2714. - - - - - We now always include an EDNS section in responses to queries that also had an EDNS section. This was thought to improve BIND interoperability, but this turned out to be false. In any case, this change improves standards compliance. Spotted by Mats Dufberg, code in c2649. - - - - - It turns out we were storing Botan keys the wrong way. Botan did not care but Polar did, causing interoperability problems. Fixed in c2720, with the kind help of Paul Bakker of PolarSSL. 
Fixes t492 as reported by Florian Obser via Debian. - - - - - pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already did. Code in c2692. - - - - - pdns_control purge now also purges DNSSEC-related caches (keys and metadata). Code in c2694, by Ruben d'Arco. Fixes t530. - - - - - The signer thread would die in specific situations, leaving you with a non-working but very busy system. Fixed in c2668, c2670, closing t517. - - - - - pdnssec secure-zone now warns when you just signed a slave zone. Suggested by Mark Scholten, code in c2795, closes t592. - - - - - pdnssec check-zone now warns about out-of-zone data. Patch by Kees Monshouwer in c2826, closing t604. - - - - - pdnssec now honours --no-config. Patch by Kees Monshouwer in c2810. - - - - - Various fixes for bindbackend presigned operation, mostly by Kees Monshouwer. Code in c2815, closing t600. - - - - - Bindbackend could get confused about domain metadata, sometimes even causing hangs. Fixes by Kees Monshouwer in c2819 and c2834, closing t600 and t603. - - - - - SQL queries in gsql backends that reference the domain_id column have been made explicit about from what table they want this column. This makes it - easier to operate custom schemas without changing the queries. Fix by Nicky Gerritsen in c2821. - - - - - In various situations involving CNAMEs and wildcards, and for ANY queries involving CNAMEs, we would sometimes return bogus results. Fixed in c2825 by Kees Monshouwer. - - - - - rectify-zone accidentally set auth=1 on NS records of secure delegations. Reported by George Notaras, fixed by Kees Monshouwer in c2831, closing t605. - - - - - The DNSSEC signature cache now actually gets cleaned up, avoiding lasting spikes in memory usage every thursday. Code in c2836 and c2843, closing t594. - - - - - Signatures used to roll at midnight on thursday. We now roll them one hour after midnight, with inception - still set to midnight, to allow for some variations in clock quality on resolvers. 
Code in c2857. - - - - - Duplicate records (same name/type/content/priority) would sometimes get broken RRSIGs during - outgoing AXFR. Fixed in c2856. - - - - - A root zone (name="") with DNSSEC would cause crashes in some situations. Reported by Luuk Hendriks. Fixed in c2867, c2868, closing t614. - - - - - Direct RRSIG queries for zones with auto-completed SOA records would cause trouble. Reported by Kees Monshouwer and fixed by him in c2869. - - - - - When a name is matched only by a wildcard, but the type in the query is not present, we would be - lacking one NSEC(3) record to prove the existence of the wildcard. Fixed by Kees Monshouwer in c2872 and c2873. - - - - - Luuk Hendriks spotted that our PolarSSL RSA key generation code was using inferior entropy. This can be important on virtual machines with badly implemented clocks. Fixed in c2876, closing t615. - - - - - Non-DNSSEC improvements/changes in 3.2: - - - - Bindbackend would sometimes crash on startup, due to a sync_with_stdio call. This call has been - moved to pdns_server proper to occur before any threads are spawned, avoiding race conditions in this call. Note that this crash has only been observed twice in thousands of regression test runs and has never been reported in the real world. Change in c2882. - - - - - Leen Besselink submitted query logging support for the SQLite3 parts in the bindbackend. Code in c2874. - - - - - Multi-backend operation would sometimes cause garbage domain IDs to be passed to backends. Reported by Kees Monshouwer and fixed by him in c2871. - - - - - Bindbackend would sometimes crash during reloads/rediscovers. The changes in c2837 get rid of the crash, at the cost of returning SERVFAIL - during reloads. Closes t564. - - - - - Our label decompression code was naive, causing troubles for slaving of very specifically formatted zones. Fix in t2822, closes t599. - - - - - Bindbackend slaves would choke on unknown RR types and do silly things with RP and SRV records. 
Fixed in c2811 and c2812. - - - - - The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint in c2794, additional - luabackend compile fixes in c2854. - - - - - A new backend, the 'Remote backend' was submitted by Aki Tuomi. It aims to replace the pipebackend with a better protocol and support for more connection methods, including HTTP. Code in c2755, c2756, c2757, c2758, c2759, c2824, closing t529, t597. - - - - - The gsqlite (SQLite 2) backend was removed. We were not aware of any users and it was not actually working anyway. Changes in commits C2773-C2777, closing t565. - - - - - Various tinydnsbackend improvements: ignore-bogus-records option; TAI offset updated; strip dots on names where suitable; various internal improvements. Code in c2762. - - - - - gpgsql no longer logs the database password in connection errors. Code in c2609, c2612, closing t459. - - - - - You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6 without getting replies from the wrong address. This much-requested feature is implemented in c2763, c2766, c2779 and c2781. Tested on Linux, FreeBSD and Mac OS X. - - - - - 3.2 can be reliably built with or without Lua. This and many other configure/compile-related fixes in c2610, c2611 / t461, c2666, c2671, c2672 / t522, c2673 / t522, c2696 / t555, c2697 / t457, c2698, c2708, c2742 / t462), c2752 / t437, c2764, c2809, c2844, c2845, c2846, c2881. - - - - - Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in c2616. - - - - - Initscripts now have exit codes, submitted by Sander Hoentjen. Code in c2728. Guardian now returns 0 instead of 1 when receiving SIGTERM, requested by Morten Stevens of Fedora. Code in c2717. - - - - - Mark Zealey submitted various performance improvement patches and suggestions. Accepted as c2729 / t579, c2730 / t584), c2731 / t583), c2768 / t578). Please see commit messages for more details. 
- - - - - pdnssec check-all-zones now reuses database connections, avoiding a socket exhaustion issue in some situations. Code in c2749, closes t519. - - - - - Ruben d'Arco submitted various improvements regarding trailing dots. Additional lookups now try harder, pdnssec errors about trailing dots in names, pdnssec warns about trailing dots in names inside content fields, AXFR now strips the dot from SRV hostnames. Code in c2748, fixes t289. - - - - - Pre-3.0, backends would get cycled if they threw the right error. 3.2 reinstates this behaviour, as it is more robust. Change in c2734 (reverting c2100), fixes t386. - - - - - PowerDNS auth does not use the select() kernel/library call anymore. This means fd-numbers over 1023 (and, in general, more than 1024 sockets, including more than 1024 listening sockets) should now work reliably. Code in c2739, c2740, fixes t408. - - - - - gmysql users can now specify the 'group' we connect as, using the gmysql-group setting. Submitted by Kees Monshouwer, code in c2770, c2771, c2778, c2780, closing t463. - - - - - The Linux-only traceback handler is now optional (use traceback-handler=off to disable it). Suggested by Marc Haber. Change in c2798, closes t497. - - - - - We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent behaviour between different operating systems. Change in c2799. - - - - - MySQL connections are now logged at a higher loglevel, reducing log clutter. Change in c2800. - - - - - We now ship a systemd unit file in contrib/. Added in c2847 and c2848, submitted by Morten Stevens. - - - - - Assorted bugfixes: - - - - If a slave domain is removed while a transfer for it is queued, we no longer try the transfer. This also avoids a rare crash in similar circumstances. Code in c2802, closes t596. - - - - - When using pdnssec with gsql backends, sometimes an SSqlException would pop up without any useful information. This no longer happens and errors are now in general more meaningful. Fix in c2803. 
- - - - - zone2sql now uses correct string syntax for PostgreSQL. This is needed for importing with the changed default settings in PostgreSQL 9.2 and up. - Code in c2797, closes t471. - - - - - We no longer send v6 notifications if v6 is not available. Same for IPv4. Code in c2772, fixes t515. - - - - - We would sometimes serve stale data after an incoming AXFR. Reported by Martin Draschl, fixed by Ruben d'Arco in c2699, closing t525. - - - - - Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same domain name into a database twice. Fixed in c2703, closing t453. - - - - - pdnssec show-zone now works on a zone that has any number of keys, instead of requiring active keys. Reported by Jeroen Tushuizen of myH2Oservers, code in c2769, closes t586. - - - - - pdns-control notify-host now accepts v6 literals. Reported by Christof Meerwald, fixed in c2704. - - - - - The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code in c2622. - - - - - *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code in c2645, closing t472. - - - - - We would sometimes leave the opcode of an outgoing packet uninitialized. Fixed in c2680, closing t532. - - - - - nproxy can now listen on a configurable port. Code in c2684, fixes t534. - - - - - Improve mydnsbackend for SOA queries. Code in c2751, fixes t439, by Ruben d'Arco. - - - - - Various non-functional fixes that make Valgrind happy (note that Valgrind was right to complain in all of these situations), in c2715, c2716, c2718. - - - - - - - - - - PowerDNS Authoritative Server 3.1 - Version 3.1 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. There are also some important changes if you are coming from 3.0. - Please refer to and for important information on - correct and stable operation, as well as notes on performance and memory use. 
- - - Released on the 4th of May 2012 - RC3 released on the 30th of April 2012 - RC2 released on the 14th of April 2012 - RC1 released on the 23th of March 2012 - - Downloads: - - - - Official download page - - - - - CentOS/RHEL 5/6 RPMs kindly provided by Kees Monshouwer. - - - - - Additional packages kindly provided by various other people. - - - - - - - - - Version 3.1 of the PowerDNS Authoritative Server represents the 'coming of age' of our DNSSEC implementation. - In addition, 3.1 solves a lot of '.0' issues typically associated with a major new release. - - - As usual, we are very grateful for the involvement of the PowerDNS community. The uptake of 3.0 - was rapid, and many users were very helpful in shaking out the bugs, and willing to test the fixes we provided or, in many cases, - provided the fixes themselves. - - - Of specific note is the giant PowerDNS DNSSEC deployment in Sweden by Atomia and Binero. PowerDNS 3.0 now powers - over 150000 DNSSEC domains in Sweden, around 95% of all DNSSEC domains, in a country were most internet service - providers actually validate all .SE domains. - - - Finally, this release has benefited a lot from Peter van Dijk joining us, as he has merged a tremendous amount of patches, - cleaned up years of accumulated dust in the code, and massively improved our regression testing into a full blown continuous integration setup - with full DNSSEC tests! - - - Additionally, we would like to thank Ruben d'Arco, Jose Arthur Benetasso Villanova, Marc Haber, Jimmy Bergman, Aki Tuomi and everyone else who helped us out! - - - Changes between RC3 and final: - - - - pdnssec now honours the default-soa-name setting. Reported by Kees Monshouwer, fixed in c2600. - - - - - - Changes between RC2 and RC3: - - - - The hidden test-algorithms command for pdnssec now has a little brother 'test-algorithm X'. Code in c2596, by Aki Tuomi. - - - - - PolarSSL upgraded to 1.1.2 due to weak RSA key generation (c2586). 
If you created RSA keys with RC1 or RC2 using PolarSSL, please replace them! This upgrade introduced a slowdown; speedup patch in c2593. - - - - - It turns out we were using libmysqlclient in a thread-unsafe manner. This issue was reported and painstakingly debugged by Marc Haber. Presumably fixed in c2591. - - - - - Updated a bunch of internal counters to be threadsafe. Code in c2579. - - - - - NSEC(3) bitmaps can now cover RRtypes above 255. Reported by Michael Braunoeder, patch by Aki Tuomi in c2590. - - - - - pdnssec check-zone now reports MBOXFW and URL records (as those are unsupported since 3.0). Reported by Gerwin Krist of Digitalus, patch by Ruben d'Arco. Closes t446. - - - - - The odbcbackend was removed. It only runs on Windows and Windows is unsupported since 3.0. Removal in c2576. - - - - - We used to send the chunk length and the actual chunk in two separate writes (often resulting in two separate TCP packets) during outbound AXFR. This confused MSDNS. We now combine those writes. Code in c2575. - - - - - The bindbackend can now run without SQLite3, as previously intended. Fix in c2574. - - - - - Some high-concurrency master setups would crash under load. Fixed in c2571. - - - - - - Changes between RC1 and RC2: - - - - We imported the TinyDNS backend by Ruben d'Arco. Code mostly in c2559. See . - - - - - Overriding C(XX)FLAGS is easier now. Problem pointed out by Jose Arthur Benetasso Villanova and others, fix suggested by Sten Spans. Patch in c2533. - - - - - TSIG fixes: skip embedded spaces in keys (c2536), compute signatures correctly (by Ruben d'Arco in c2547), - - - - - nproxy, dnsscan and dnsdemog did not compile at all. Fixes in c2538, c2554. - - - - - We now allow unescaped tabs in TXT records. Fix in c2539. - - - - - SOA records no longer disappear during incoming transfers. Fix by Ruben d'Arco in c2540. - - - - - PowerDNS compiles on OS X (and other platforms that support our auth server but not the recursor) again, fix in c2566. 
- - - - - Cleanups related to warnings from gcc and valgrind in c2561, c2562, c2565. - - - - - Solaris compatibility fixes by Ruben d'Arco, Juraj Lutter and others in c2548, c2552, c2553, c2560. - Fixes for *BSD in c2546. - - - - - pdns_control help would report 'version' twice, reported by Gerwin, fix in c2549. - - - - - - - DNSSEC related fixes: - - - - When slaving zones, PowerDNS now automatically detects that a zone is presigned. Code in c2502, closing t369, t392. - - - - - The bindbackend can now manage its own SQLite3 database to store key data, removing the need to run it with a gsql backend. Code in c2448, c2449, c2450, c2451, c2452, c2453, c2455, c2482, c2496, c2499. - - - - - NSEC/NSEC3 logic for picking 'boundary' names was tricky, and got it wrong in some cases. Fixes in c2289, c2429, c2435 and c2473. - - - - - The subtle differences between 'what records get NSEC', 'what records get NSEC3' and 'what records should get signed' did not translate well to the SQL auth column. We now use 'ordername IS NULL' to map the whole spectrum. Code in c2477, c2480, c2492. - - - - - Pre-signed AXFR output, although correct, was different from our query responses. Rectified in c2477. - - - - - Spotted & fixed by Jimmy Bergman of Atomia, CNAMEs and RRSIGs could have bad interactions. Fix in c2314, - further refined in c2318. Closes t411. - - - - - Spotted & fixed by Jimmy Bergman of Atomia, we now allow direct RRSIG queries even when do=0. - - - - - Spotted by Mark Scholten and Marco Davids, we would sometimes generate duplicate (and wrong) RRSIGs when signing an ANY answer - because of record jumbling. Fix in c2381. - - - - - Several fixes to handling of DS queries, in c2420, c2510, c2512. - - - - - We now lowercase the signer name in an RRSIG. This is not mandated by DNSSEC specification but it improves compatibility with some validators. Fix in c2426. 
- - - - - - Bug fixes: - - - - Winfried Angele discovered we would open an additional backend connection per zone in the BIND backend. - This only impacted users with multiple simultaneous backends. Fix in c2253, closing t383. - - - - - All versions of max-cache-entries setting had confusing behaviour when set to 0. Now clarified to mean that 0 truly means 0, and not 'infinite'. - Change in c2328. - - - - - Wildcards in the presence of delegations were broken. Reported by a cast of thousands. Fix & regression test in c2368. Closes t389. - - - - - Internal caches used an order of magnitude more memory than expected and some were not purged properly, which hindered real life deployments. Spotted - by Winfried Angele and others. Fixed in c2287 and c2328. - - - - - Christof Meerwald discovered our .tar file missed a file of the Lua backend. Change in c2257. - - - - - Paul Xek found out that the edns-subnet support did not work for subnets tinier than a /25 or /121. Fix in c2258. - - - - - edns-subnet aware PIPE scripts received bogus remote information on AXFR requests. Fixed in c2284. - - - - - Fix compilation against older versions of MySQL that do not have MYSQL_OPT_RECONNECT. c2264, closing t378. - - - - - D. Stussy of Snarked.net discovered that PowerDNS could not parse a DNS packet with a trailing blob of unknown length. Fixed in c2267. - - - - - 'pdnssec' did not work for records with NULL ttls. Fixed in c2266, closing t432. - - - - - Pipe backend had issues parsing IPv6 records in ABI version 3. Fixed in c2260. - - - - - We truncated the altitude in LOC records! I hope no one got lost. Fix in c2268. - - - - - Xander Soldaat discovered that even if the web server was not configured, we'd still listen on the port. Fix in c2269, closes t402. - - - - - The PIPE backend issues frequent fork()s, leading to potential fd leaks if these are not marked as - 'close on exec'. Solved in c2273, closing t194. 
- - - - - Robert van der Meulen found that we messed up the interaction between wildcards and CNAMEs. Fixed in c2276, which also - adds a regression test to prevent this issue from recurring. - - - - - Fred Wittekind discovered that our notification proxy 'nproxy' no longer built from source. Fixed in c2278. - - - - - Grant Keller found that we were inconsistent with spaces in labels, thus breaking DNS-SD. Fix in c2305. - - - - - Winfried Angele fixed our autoconf script for Lua detection in c2308. - - - - - BIND backend would leak an fd when including a configuration file from named.conf. Spotted - by Hannu Ylitalo of Nebula Oy in c2359. - - - - - GSQLite3 backend could crash on a network error at the wrong moment, leading to a restart by the guardian. - Fix in c2336. - - - - - './configure --enable-verbose-logging' was broken, fixed in c2312. - - - - - PowerDNS would serve up old SOA data immediately after sending out a notification. Complicated bug - documented perfectly in t427, which also came with not one but with two different patches to fix the problem. - Thanks to Keith Buck. Code in c2408. - - - - - Flag '--start-id' in zone2sql was not functional. Removed for now in c2387, closing t332. - - - - - Our distribution tarball did not have the SQL schemas. Fixed in c2459 and c2460. - - - - - "Empty" MX records would confuse one of our parsers. Fixed in c2468, closing Debian bug 533023. - - - - - The pdns.conf 'wildcards'-setting did not do anything in 3.0, so it was removed. Change in c2508, c2509. - - - - - Additional processing based on records loaded by the BIND backend might fail because of a trailing dot mismatch. Fix in c2398. - - - - - - New features: - - - - - Per-zone AXFR ACLs, based on the allow-axfr-ips zone metadata item. Code in c2274. Also, remove - some remains of our previous approach to supporting this in c2326. - - - - - Alberto Donato and Zsolt Dollenstein implemented autoserial support for the Generic SQL backends. 
Code in c2290, c2294, c2296, c2299, c2300, c2303. Closes t52, t299, t301, t336. - - - - - New SOA Serial Tweak mode INCEPTION-EPOCH for when operating as a 'signing slave', contributed by Jimmy Bergman. Code and documentation - in c2320. - - - - - Newlines in the 'content' field of backends are now allowed, restoring some DKIM setups to working condition. - Update in c2394, closing t395. - - - - - - Improvements: - - - - Depending on the encoding used, MySQL could take issue with our 'tsigkeys' table which contained very large rows. Trimmed in c2400, - closing t410. - - - - - Various build/configure-related fixes in c2319, c2373, c2386, closing t380, t405, t420. - - - - - We now show the SOA serial after zone transfers. Code in c2385, closing t416. - - - - - Ruben d'Arco submitted a full rework of our slave-side AXFR TSIG handling, closing t393 and t400 in the process. Code in c2506. Additional improvement in c2513. - - - - - The records.name-column in the gpgsql schema is now constrained to lowercase, as PowerDNS would be unable to find other entries anyway. Fix in c2503, closing t426. - - - - - The gsql-backends can now handle huge records, thanks to a patch by Ruben d'Arco. Code in c2476, closing t407. Additional changes in c2292, c2487, c2489. Closes t218, t316. - - - - - Some of PowerDNS' internal classes would work with uninitialized data when repurposed outside of the PowerDNS core logic. Fix in c2469, - - - - - pdnssec now has 'check-all-zones' and 'rectify-all-zones' commands. Submitted by Ruben d'Arco, code in c2467. - - - - - 'restart' in our init.d-script would not start pdns if it was down before. Fixed in c2462. - - - - - 'pdnssec rectify-zone' now honours --verbose and is rather quiet without it. Code in c2443. - - - - - Improved error messages for systems without IPv6. Changes in c2425. - - - - - The packet- and querycache now honour TTLs from backend data. Code in c2414. - - - - - 'pdns_control help' now shows useful usage information. 
Code in c2410 and c2465. - - - - - Jasper Spaans improved our init.d script for compliance with Debian Squeeze. Patch in c2251. Further improvement with 'set -e' - to initscript contributed by Marc Haber in c2301. - - - - - Klaus Darilion discovered our configuration file template and --help output explained the various cache TTLs wrongly, - and he also added documentation for some missing parameters. c2271 and c2272. - - - - - Add support for building against Botan 1.10 (stable) and drop support for 1.9 (development). Changes in c2334. This fixes - several bugs when building against 1.9. - - - - - Upgrade internal PolarSSL library to their version 1.1.1. Change in c2389 and beyond. - - - - - Compilation of several backends failed for Boost in non-standard locations. Fixes in c2316.. - - - - - We now do additional processing for SRV records too. Code in c2388, closing t423 (which also contained the patch). Regression test - updates that flow from this in c2390. - - - - - Fix compilation on OSX. c2316. - - - - - Fix pdnssec crash when asked to do DNSSEC without a DNSSEC capable backend. Code in c2369. - - - - - If PowerDNS was not configured to operate as a DNS master, it would still accept 'pdns_control notify' commands, - but then not do it. Spotted by David Gavarret, patch by Jose Arthur Benetasso Villanova in c2379. - - - - - In various places we would only accept UPPERCASE DNS typenames. Fixed in c2370, closing t390. - - - - - We would not always drop supplemental groups correctly. Reported by David Black of Atlassian. - - - - - Our regression tests have been strengthened a lot, and now cover way more features. Commits in C2280, C2281, C2282, C2317, C2348, - C2349, C2350, C2351 and beyond. - - - - - Update to support the latest draft of DANE/TLSA. Spotted by James Cloos (c2338). Further improvements by Pieter Lexis in c2347, c2358. - - - - - Compilation on OpenBSD was eased by patches from Brad Smith, which can be found in c2288 and c2291, closing t95. 
- - - - - 'make check' failed on the internal PolarSSL. Spotted by Daniel Briley, fix in c2283. - - - - - The default SQL schemas were expanded to contain far longer content fields. c2292, c2293. - - - - - Documentation typos, Jake Spencer (c2304), Jose Arthur Benetasso Villanova (c2337). Code typos in c2324 (closes t296). - - - - - Manpage updates from Debian, provided by Matthijs Möhlmann. Content in c2306. - - - - - pdnssec rectify-zone can now accept multiple zones at the same time. Code in c2383. - - - - - As suggested in t416, we now log the SOA serial number after committing an AXFRed zone to the backend. Code in c2385. - - - - - Pick up location of sqlite3 libraries using pkg-config. Implemented using a variation of the patch found in the, now closed, t380. Code in c2386. - - - - - Documented 'pdnssec --verbose' flag is now accepted. Code in c2384, closing t404. - - - - - 'pdnssec --help' now lists all supported signing algorithms. Suggested by Jose Arthur Benetasso Villanova. - - - - - PIPE backend example script with edns-subnet support was improved to actually use edns-subnet field. Plus update - PIPE backend documentation. Code in c2285, more documentation regarding MX and SRV in c2313. - - - - - edns-subnet fields now also output in logfile when available (c2321). - - - - - When running with virtualized configuration files, we now allow dashes in the configuration name. Suggested by Marc Haber, - code in c2295. Further fixes by Brielle Bruns in c2327. - - - - - Compilation fixes for GNU/Hurd in c2307 via Matthijs Möhlmann. - - - - - Marc Haber improved our Debian packaging scripts for smoother upgrades. Code in c2315. - - - - - When failing to bind to an IP address, report to which one it failed. c2325. - - - - - Supermaster checks were performed synchronously, leading to the possibilities of slowdowns. - Fixed in c2402. - - - - - - Other changes: - - - - Removed the deprecated non-generic mysqlbackend, in c2488, c2514, c2515. 
- - - - - Removed the deprecated 'pdnsbackend', in c2490, c2516. - - - - - Removed GRANT statements from the gpgsql schema, as we can't assume they will work for everyone. Change in c2493. - - - - - - Tickets closed but not associated with a commit: - - - - t125: "PowerDNS offers wild card info. when it is not queried for." - - - - - t219: "Accept NOTIFY from masters on non-standard port" - - - - - t247: "pdns caching weirdness with recursion-desired flag" - - - - - t253: "bind backend crashes on long comment line in included file" - - - - - t271: "PowerDNS Server responding with out-of-zone authority section in case there is a cname" - - - - - t304: "also-notify option for pdns, also gives also-notify for bindbackend." - - - - - t311: "PowerDNSSEC responding with SERVFAIL upon IN A query for a CNAME" - - - - - t325: "CNAME working strange!" - - - - - t376: "Unable to create long TXT records" - - - - - t412: "--without-lua doesn't disable lua" - - - - - t415: "Signing thread died during AXFR of signed domain" - - - - - t422: "ecdsa256 keys bug" - - - - - - Authoritative Server version 2.9.22.6 - - The improvements to the master/slave engine in 2.9.22.5 contained one serious bug that can cause crashes - on busy setups. 2.9.22.6 fixes this crash. - - - Authoritative Server version 2.9.22.5 - - 2.9.22.5 is an interim release for those not yet ready to make the jump to 3.0, but do need a more - recent version of the Authoritative Server. It also contains the patch from - - - - - - Improved performance of master/slave engine, especially when hosting tens or hundreds of thousands of slave zones. - Code in commits C1657, C1658, C1661 (which also brings multi-master support), C1662 (non-standard ports for masters), - C1664, C1665, C1666, C1667, C1672, C1673, C2063). - - - - - Compilation fixes for more modern compilers (c1660, c1694) - - - - - Don't crash on communication error with pdns_control (c2015). 
- - - - - Packet cache fixes for UltraSPARC (c1663) - - - - - Fix crashes in the BIND backend (c1693, c1692) - - - - - - PowerDNS Authoritative Server 3.0.1 - - The DNSSEC implementation of PowerDNS Authoritative Server 3.0 and 3.0.1 contains many issues regarding - CNAMES, wildcards and (in)secure delegations. If you use any of these, and you use DNSSEC you MUST upgrade to 3.1 or beyond! - 3.0.1 consists of 3.0, plus the patch from - - - PowerDNS Authoritative Server 3.0 - - Version 3.0 of the PowerDNS Authoritative Server is a major upgrade. - Please refer to for important information on - correct and stable operation, as well as notes on performance and memory use. - The DNSSEC implementation of PowerDNS Authoritative Server 3.0 and 3.0.1 contains many issues regarding - CNAMES, wildcards and (in)secure delegations. If you use any of these, and you use DNSSEC you MUST upgrade to 3.1 or beyond! - - - Known issues as of RC3 include: - - Not all new features are fully documented yet - - - Released on the 22nd of July 2011RC1 released on the 4th of April 2011 - RC2 released on the 19th of April 2011 - RC3 released on the 19th of July 2011 - - - Version 3.0 of the PowerDNS Authoritative Server brings a number of important features, as - well as over two years of accumulated bug fixing. - - - The largest news in 3.0 is of course the advent of DNSSEC. Not only does PowerDNS now (finally) - support DNSSEC, we think that our support of this important protocol is among the easiest to use available. - In addition, all important algorithms are supported. - - - Complete detail can be found in . The goal of 'PowerDNSSEC' is to allow - existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, - while maintaining performance and achieving high levels of security. - - - Tutorials and examples of how to use DNSSEC in PowerDNS can be found linked from . 
- - - PowerDNS Authoritative Server 3.0 development has been made possible by the financial and moral support of: - - AFNIC, the French registry - IPCom's RcodeZero Anycast DNS, a subsidiary of NIC.AT, the Austrian registry - SIDN, the Dutch registry - .. (awaiting details) .. - - - - This release has received exceptional levels of community support, and we'd like to thank the following people - in addition to those mentioned explicitly below: - Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), - Leen Besselink, Antoin Verschuren (SIDN), Olafur Guðmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet), - Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, - Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), - Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and - Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, Jack Lloyd, Frank Altpeter, Fredrik Danerklint, Vasiliy G Tolstov, - Brielle Bruns, Evan Hunt, Ralf van der Enden, Marc Laros, Serge - Belyshev, Christian Hofstaedtler, Charlie Smurthwaite, Nikolaos - Milas, .. - - - Changes between RC3 and final: - - - - Slight tweak to the pipebackend to ease DNSSEC operations (c2239, c2247). Also fix pipebackend support in pdnssec tool (c2244). - - - - - Upgrade the experimental native Lua backend to the latest version from Fredrik Danerklint (c2240) and include this backend in the .deb packages (c2242) - - - - - Remove IPv6 dependency, it was only possible to run master/slave operations on a server with at least one IPv6 address. Some very old virtualized setups - turned out to have no IPv6 at all. Fix in c2246. 
- - - - - - Changes between RC2 and RC3: - - - - PowerDNS Authoritative Server could not be configured to use an IPv6 based resolving backend. Solved in c2191. - - - - - LDAP backend reconfigured the timezone (TZ) setting of the daemon, leading to confusing logfile entries. Fixed by - Christian Hofstaedtler in c2913, closing t313. - - - - - Non-DNSSEC capable backends could crash on DNSSEC queries. Fixed in c2194 and c2196 (thanks to Charlie Smurthwaite) closing t360. - - - - - Errors looking up a UID or GID were reported confusingly ('Success'), fixed in c2195, closing t359. - - - - - Fix compilation against older MySQL, client libraries (c2198, c2199, c2204), especially for older RHEL/CentOS. Also addresses - the failure to look in lib64 directory for PostgreSQL. - - - - - Sqlite3 needs write access not just to its database file, but also to the directory it is in. If this wasn't the case, - no useful error message was provided. Improvement in c2202. - - - - - Update of MongoDB backend (c2203, c2212). - - - - - 'pdnssec hash-zone-record' emitted an inverted warning about narrow NSEC3 hashes. Spotted by Jan-Piet Mens, fix in c2205. - - - - - PowerDNS can fill out default fields for SOA records, but neglected to do so if the SOA record was matched by an incoming ANY question. - Spotted by Marc Laros & others. Fixes t357, code in c2206. - - - - - PowerDNS would mistreat binary data in TXT records. Fix in c2207. Again spotted by Jan-Piet Mens. Closes t356. - - - - - Add experimental Lua backend by our star contributor Fredrik Danerklint. c2208. - - - - - Christoph Meerwald discovered our RRSIG freshness checking checked more than the intended RRSIG (on the SOA record). Fix in c2209. - - - - - Christoph Meerwald discovered we got confused by TSIG signed EDNS-adorned queries, since we expected the EDNS OPT pseudorecord to be - the very last record. Fix in c2214. - - - - - Christoph Meerwald discovered that when using SOA outgoing editing we would sign and THEN edit. 
This was not productive. Fixed in c2215. - - - - - Add missing-but-documented pdnssec command 'disable-dnssec'. Spotted by Craig Whitmore. Plus fixed misleading --help output. Code in c2216. - - - - - By popular demand, a tweak which makes an overloaded database no longer restart PowerDNS but to drop queries until the database is available again. - Code in c2217, lightly tested. Enable by setting 'overload-queue-length=100' (for example). - - - - - By suggestion of Miek Gieben of SIDN, add SOA-EDIT mode 'EPOCH' which sets the SOA serial number to the 'UNIX time'. Implemented in - c2218. - - - - - Added some US export control & ECCN to documentation, needed because of DNSSEC content. Update in c2219. - - - - - Fix up various spelling mistakes and badly formatted messages (c2220 and c2221) by Maik Zumstrull and 'anonymous'. - - - - - After a lot of thought, we now handle CNAMEs to names outside our knowledge ('bailiwick') exactly as in BIND 9.8.0, even though - our way was standards compliant too. It confused things. Update in c2222 and c2224. - - - - - Tweak sqlite3 library location detection for newer Ubuntu versions. Change in c2223. - - - - - DNSSEC SQL schema improvements allowing for the use of constraints and foreign keys in c2225, by Gerald Gruenberg, closing t371. - - - - - Add support for EDNS option 'edns-subnet', based on draft-vandergaast-edns-client-subnet (c2226, c2228, c2229, c2230, c2231, c2233). - - - - - Silence SIGCHLD warning from Perl when used to power 'pipe' backends (c2232). - - - - - Add experimental support, off by default, for - draft-edns-subnet. See c2233 and c2239 for details how to use - this feature. - - - - - - PostgreSQL and LDAP backends can now deal with a restart of - their respective servers. Many thanks to Peter van Dijk for - debugging and Nikolaos Milas for supplying a reproduction - path of the problem (& much nagging). Fixes in c2233 and - c2235. 
- - - - - - Jan-Piet Mens discovered that records inserted by Lua on zone retrieval did not get correct 'ordername' and 'auth' fields for DNSSEC. - Fixed in c2174. - - - - - Silenced various relevant and less relevant compilation warnings (c2175). Thanks to Serge Belyshev for pointing out the error - in our ways. - - - - - Steve Bauer discovered we would cache empty recursive answers in some cases. Addressed in c2176. - - - - - James Cloos reported that 'pdnssec check-zone' tripped over SRV records. Fixed this, and added check-zone to the regression tests. - Code in c2177. - - - - - DNSSEC regression tests were added in commits C2178, C2179, C2182, C2186 We test against the fine tools from NLNetLabs. - - - - - Secure DNSSEC delegations to ourselves picked wrong zone to serve the DS record from. Fixed in c2180, c2181, c2183. - reported by Niek Willems of InterNLnet. - - - - - Stef Van Dessel suggested we made our RPMs state explicitly that they need glibc 2.4 on Linux. Code in c2184. - - - - - John Leach discovered our MySQL based backends would wait for ages on a failing MySQL server. - The patch merged in c2189 reduces the timeout significantly, which is especially useful with haproxy and mysqlproxy. - - - - - c2190 fixes a crash reported by Marc Laros when using a non-DNSSEC capable backend. Should also improve non-DNSSEC performance. - - - - - - Changes between RC1 and RC2: - - - - Zone2sql sent out the wrong 'COMMIT' statement in sqlite mode. In addition, in this mode, zone2sql would not emit statements - to update the domains table unless the 'slave' setting was chosen. Code in c2167. - - - - - We dropped the Authoritative Answer flag on an out-of-bailiwick CNAME referral, which was unnecessary. Code in c2170. - - - - - Kees Monshouwer discovered that we failed to detect the location of PostgreSQL on RHEL/CentOS. Fix in c2144. In addition, - c2162 eases detection of MySQL on RHEL/CentOS 64 bits systems. 
- - - - - Marc Laros re-reported an old bug in the internally used 'pdns' backend where details of the SOA record were not filled out correctly. - Resolved in c2145. - - - - - Jan-Piet Mens found that our TSIG signed SOA zone freshness check was signed incorrectly. Fixed in c2147. Improved error - messages that helped debug this issue in c2148, c2149. - - - - - Jan-Piet Mens helped debug an issue where some servers were "almost always" unable to transfer a TSIG signed zone correctly. - Turns out that the TSIG signing code used an internal timestamp and not the remote timestamp. Because of good NTP synchronization - this quite often was not a problem. Fix in c2159. - - - - - Thor Spruyt of Telenet discovered that the PowerDNS code would try to emit DNS answers over TCP of over 65535 bytes long, which failed. - We now truncate such answers properly. Code in c2150. - - - - - The Slave engine now reuses an existing database connection, removing the need to create a new database connection every minute (and worse, log about it). - Code in c2153. - - - - - Fix a potential Year 2106 bug in the TSIG signing code. Because we care (c2156). - - - - - Added experimental support for the 'DANE' TLSA record which is used to authenticate SSL certificates via DNSSEC. c2161. - - - - - Added experimental support for the MongoDB 'NoSQL' backend, contributed by Fredrik Danerklint in c2162. - - - - - - On to the release notes. Next to DNSSEC, other major new features include: - - - - - - TSIG for authorizing and authenticating AXFR requests & incoming zone transfers (Code in C2024, C2025, C2033, C2034). - This allows for retrieving TSIG protected content, as well as serving it. - - - - - Per zone also-notify. - - - - - MyDNS compatible backend, allowing for 'instantaneous' migration from this authoritative nameserver. Code in c1418, contributed - by Jonathan Oddy. - - - - - PowerDNS can now slave zones over IPv6 and notify IPv6 remotes of updates. Already. Code in c2009 and beyond. 
- - - - - Lua based incoming zone editing, allowing masters or signing slaves to add information to the zone they will (re-)serve. Implemented - in c2065. To enable, use LUA-AXFR-SCRIPT zone metadata setting. - - - - - Native Oracle backend with full DNSSEC support. Contributed by Maik Zumstrull, then at the Steinbuch -Centre for Computing at the Karlsruhe Institute of Technology. - - - - - "Also-notify" support, implemented by Aki Tuomi in c1400. Support for Generic SQL backends and - for the BIND backend. Further code in c1360. - - - - - Support for binding to thousands of IP addresses, code in c1443. - - - - - Generic MySQL backend now supports stored procedures. Implemented in c2084, closing t231. - - - - - Generic ODBC backend compiles again, and is reported to work for some users that need it. Code contributed in t309, - author unknown. - - - - - Massively parallel slaving infrastructure, able to check the freshness of thousands of remote - zones per second, plus perform many incoming zone transfers simultaneously. Sponsored by Tyler Hall, - code in C1449, C1500, C1859 - - - - - - Core DNS logic replaced completely to deal with the brave new world of DNSSEC. - - - - - Bugs fixed: - - - - sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL -errors in some cases. Discovered by Sten Spans. Fixed in c1342. - - - - - Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek. Fixed in c1342. - - - - - PowerDNS would refuse to serve domain names with spaces in them, or otherwise non-printable characters. Addressed in - c2081. - - - - - PowerDNS can now serve escaped labels, as described by RFC 4343. Data should be present in backends - in that escaped form. Code in c2089. - - - - - In some cases, we would include duplicate CNAMEs. In addition, we would hand out - a full root-referral when not configured to in some cases (ticket T223). Discovered by Andreas Jakum, fixed in c1344. 
- - - - - Shane Kerr discovered we would corrupt DNS transaction IDs from the packet cache on big endian systems. - Fix in c1346, closing t222. - - - - - PowerDNS did not use RFC 1982 serial arithmetic, leading to a SOA serial number of 1 to be regarded as older than 4400000000, when in fact - it is 'newer'. Issue (re-)discovered by Jan-Piet Mens. - - - - - BIND backend got confused of a zone's file name changed after a configuration reload. - Fix in c1347, closing t228. - - - - - When restarted by the Guardian, PowerDNS will perform a full multi-threaded cache cleanup, which - took a long time and could crash. Fix in c1364. - - - - - Under artificial circumstances, PowerDNS would never clean its packet cache. Found by Marcus Goller, fix in - c1399 and c1408. This update also retunes the cleanup frequency. - - - - - Packetcache would cache things it should not have been caching. Fixes in commits C1407, C1488, C1869, C1880 - - - - - When processing incoming notifications, the BIND backend was case-sensitive, and would disregard - notifications in the wrong case. Discovered by 'Dolphin', fix in c1420. - - - - - The init.d script did not mention the 'reload' command. Code in c1463, closes t233. - - - - - Generic SQL Backends would sometimes emit obscure error messages. Fix in c2049. - - - - - - PowerDNS would be confused by embedded NULs in domain names, and would also - mess up the escaping of some characters. Fix in c1468, c1469, c1478, c1480, - - - - - SOA queries for the name of a delegation point were not referred. Fix in c1466, closing t224. - In addition, queries for AAAA for a CNAMEd record pointing to a name with no AAAA would deliver - a direct SOA, without the CNAME in between. Fix in c1542, c1607. - Also, wildcard CNAMEs pointing to a record without the type requested suffered from the same issue, fix in c1543. - - - - - On processing an incoming AXFR, once an MX or SRV record had been seen, all future fields - got a 'priority' entry as well. 
This had no operational impact, but looked messy. Fixed in c1437. - - - - - Aki Tuomi discovered that the BIND zone file parser would misrepresent 'something IN MX 15 @'. Fix in c1621. - - - - - Marco Davids discovered the BIND zone file parser would trip over really long lines. Fix in c1624, c1625. - - - - - Thomas Mieslinger discovered that our webserver would only be started after dropping privileges, - which could cause problems. Fix in c1629. - - - - - Zone2sql did quite often not do exactly what was required, which users fixed by editing the SQL output. - Revamped in c2032. - - - - - An Ubuntu user discovered in Launchpad bug 600479 that restarting database threads - cost a lot of memory. Normally this is rare, except in case of problems. Addressed in c1676. - - - - - BIND backend could crash under (very) high load with very large numbers of zones (hundreds of thousands). - Fixed in c1690. - - - - - Miek Gieben and Marco Davids spotted that PowerDNS would answer the version.bind query in the IN class too. - Bug reported via twitter! Fix in c1709. - - - - - Marcus Lauer and the OpenDNSSEC project discovered that outgoing notifications did not carry the 'aa' flag. - Fixed in c1746. - - - - - Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by Anders Kaseorg in c1747. - - - - - Fixed a bug that could cause crashes on launching thousands of backend connections. Never observed to occur, - but who knows. Fix in c1792. - - - - - Under some circumstances, large answers could be truncated in mid-record. While technically legal, - this upset a number of resolver implementations (including the PowerDNS Recursor!). Fixed in c1830, re-closes - t200. - - - - - Jan Piet Mens and Florian Weimer discovered we had problems dealing with escaped labels and escaped TXT - fields. Fixed in c2000. - - - - - After 2.2 billion queries, statistics would wrap oddly. Fix in c2019, closing t327. 
- - - - Improvements: - - - - Long TXT records are now split into 255-byte components automatically. Implemented in c1340, reported by Darren Gamble - in t188. - - - - - When receiving large numbers of notifications, PowerDNS would check these synchronously, leading to a slowdown - for other services. Fixed in c2058, problem diagnosed by Richard Poole of Heart Internet. - - - - - Fixed compilation on newer compilers and newer versions of Boost. - Changes in C1345 (closes t227), C1391, C1394, C1425, C1427, C1428, C1429, C1440, C1653, thanks to Ruben Kerkhof and others. - - - - - Moved Generic PostgreSQL backend over to the newer E'' style escapes. c2094. - - - - - Compilation fixes for Mac OS X 10.5.7 in c1389, thanks to Tobias Markmann. - - - - - We can now bind to scoped IPv6 addresses, lack spotted by Darren Gamble. Part of the fix is in c2018. - - - - - Built-in query cache can now also cache queries which lead to multiple answers. Code in c2069. - - - - - Prodded on by Jan Piet Mens, we now support 'unknown types' (which look like TYPE65534). - - - - - Add 'slave-renotify' to retransmit notifies for slaved zones, which is helpful when acting as a 'signing slave' - for a hidden master. Code in c1950. - - - - - No longer let zone2sql and zone2ldap import BIND 'hint' zones. c1998. - - - - - Allow for timestamps to explicitly be specified in (s)econds. Code in c1398, closing t250. - - - - - Zones with URL and MBOXFW records can be transferred over AXFR, code in c1464. - - - - - - Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d script to read /etc/default/pdns. - Code in c1601, c1602. - - - - - - Generic SQL backends now support multiple masters in the domains table. Code in c1857. Additionally, - masters can also have :port numbers. Code in c1858. - - - - - - - Recursor version 3.3.1 - - - - Unreleased - - - - - Version 3.3.1 contains a small number of important fixes, adds some memory usage statistics, but no new features. 
- - - - - Discovered by John J and Robin J, the PowerDNS Recursor did not process packets that were truncated in mid-record, and also did not act - on the 'truncated' (TC) flag in that case. This broke a very small number of domains, most of them served by very old versions of the - PowerDNS Authoritative Server. Fix in c1740. - - - - - PowerDNS emitted a harmless, but irritating, error message on receiving certain very short packets. Discovered by Winfried A and John J, fix - in c1729. - - - - - PowerDNS could crash on startup if configured to provide service on malformed IPv6 addresses on FreeBSD, or in case when the FreeBSD kernel - was compiled without any form of IPv6 support. Debugged by Bryan Seitz, fix in c1727. - - - - - Add max-mthread-stack metric to debug rare crashes. Could be used to save memory on constrained systems. Implemented in c1745. - - - - - Add cache-bytes and packetcache-bytes metrics to measure our 'pre-malloc' memory utilization. Implemented in c1750. - - - - - - Recursor version 3.3 - - - - Released on the 22nd of September 2010. - - - - - Version 3.3 fixes a number of small but persistent issues, rounds off our IPv6 %link-level support and adds - an important feature for many users of the Lua scripts. - - - In addition, scalability on Solaris 10 is improved. - - - - Bug fixes: - - - 'dist-recursor' script was not compatible with pure POSIX /bin/sh, discovered by Simon Kirby. Fix in c1545. - - - Simon Bedford, Brad Dameron and Laurient Papier discovered relatively high TCP/IP loads could cause TCP/IP service to shut down over time. - Addressed in commits C1546, C1640, C1652, C1685, C1698. Additional information provided by Zwane Mwaikambo, Nicholas Miell and Jeff Roberson. - Testing by Christian Hofstaedtler and Michael Renner. - - - The PowerDNS Recursor could not read the 'root zone' (this is something else than the root hints) because of an unquoted TXT record. 
- This has now been addressed, allowing operators to hardcode the root zone. This can improve security if the root zone used is kept up to date. - Change in c1547. - - - A return of an old bug, when a domain gets new nameservers, but the old nameservers continue to contain a copy of the domain, PowerDNS could get 'stuck' with the old servers. - Fixed in c1548. - - - Discovered & reported by Alexander Gall of SWITCH, the Recursor used to try to resolve 'AXFR' records over UDP. Fix in c1619. - - - The Recursor embedded authoritative server messed up parsing a record like '@ IN MX 15 @'. Spotted by Aki Tuomi, fix in c1621. - - - The Recursor embedded authoritative server messed up parsing really really long lines. Spotted by Marco Davids, fix in c1624, c1625. - - - Packet cache was not DNS class correct. Spotted by "Robin", fix in c1688. - - - The packet cache would cache some NXDOMAINs for too long. Solving this bug exposed an underlying oddity where the initial NXDOMAIN response - had an overly long (untruncated) TTL, whereas all the next ones would be ok. Solved in c1679, closing t281. Especially important for RBL operators. - Fixed after some nagging by Alex Broens (thanks). - - - - - Improvements: - - - The priming of the root now uses more IPv6 addresses. Change in c1550, closes t287. Also, the IPv6 address of I.ROOT-SERVERS.NET was added in c1650. - - - The rec_control dump-cache command now also dumps the 'negative query' cache. Code in c1713. - - - PowerDNS Recursor can now bind to fe80 IPv6 space with '%eth0' link selection. Suggested by Darren Gamble, implemented with help from Niels Bakker. Change in c1620. - - - Solaris on x86 has a long standing bug in port_getn(), which we now work around. Spotted by 'Dirk' and 'AS'. Solution suggested by the Apache runtime library, - update in c1622. - - - New runtime statistic: 'tcp-clients' which lists the number of currently active TCP/IP clients. Code in c1623. 
- - - Deal better with UltraDNS style CNAME redirects containing SOA records. Spotted by Andy Fletcher from UKDedicated in t303, fix in c1628. - - - The packet cache, which has 'ready to use' packets containing answers, now artificially ages the ready to use packets. Code in c1630. - - - Lua scripts can now indicate that certain queries will have 'variable' answers, which means that the packet cache will not touch these answers. - This is great for overriding some domains for some users, but not all of them. Use setvariable() in Lua to indicate such domains. Code in c1636. - - - Add query statistic called 'dont-outqueries', plus add IPv6 address :: and IPv4 address 0.0.0.0 to the default "dont-query" set, - preventing the Recursor from talking to itself. Code in c1637. - - - Work around a gcc 4.1 bug, still in wide use on common platforms. Code in c1653. - - - Add 'ARCHFLAGS' to PowerDNS Recursor Makefile, easing 64 bit compilation on mainly 32 bit platforms (and vice versa). - - - Under rare circumstances, querying the Recursor for statistics under very high load could lead to a crash (although this has never been observed). Bad code removed & - good code unified in c1675. - - - Spotted by Jeff Sipek, the rec_control manpage did not list the new get-all command. c1677. - - - On some platforms, it may be better to have PowerDNS itself distribute queries over threads (instead of leaving it up to the kernel). - This experimental feature can be enabled with the 'pdns-distributes-queries' setting. Code in c1678 and beyond. Speeds up Solaris measurably. - - - Cache cleaning code was cleaned up, unified and expanded to cover the 'negative cache', which used to be cleaned rather bluntly. Code in c1702, further tweaks in c1712, - spotted by Darren Gamble, Imre Gergely and Christian Kovacic. - - - - - Changes between RC1, RC2 and RC3. - - - RC2: Fixed linking on RHEL5/CentOS5, which both ship with a gcc compiler that claims to support atomic operations, but doesn't. 
Code in c1714. Spotted by 'Bas' and Imre Gergely. - - - RC2: Negative query cache was configured to grow too large, and was not cleaned efficiently. Code in c1712, spotted by Imre Gergely. - - - RC3: Root failed to be renewed automatically, relied on fallback to make this happen. Code in c1716, spotted by Detlef Peeters. - - - - - - Recursor version 3.2 - - - - Released on the 7th of March 2010. - - - - - - - Lua scripts from version 3.1.7.* are fully compatible with version 3.2. However, scripts written for development snapshot releases, are NOT. - Please see for details! - - - - - The 3.2 release is the first major release of the PowerDNS Recursor in a long time. Partly this is because 3.1.7.* functioned very well, - and delivered satisfying performance, partly this is because in order to really move forward, some heavy lifting had to be done. - - - As always, we are grateful for the large PowerDNS community that is actively involved in improving the quality of our software, be it by submitting - patches, by testing development versions of our software or helping debug interesting issues. We specifically want to thank Stefan Schmidt and Florian Weimer, - who both over the years have helped tremendously in keeping PowerDNS fast, stable and secure. - - - This version of the PowerDNS Recursor contains a rather novel form of lock-free multithreading, a situation that comes close to the old '--fork' trick, - but allows the Recursor to fully utilize multiple CPUs, while delivering unified statistics and operational control. - - - In effect, this delivers the best of both worlds: near linear scaling, with almost no administrative overhead. - - - Compared to 'regular multithreading', whereby threads cooperate more closely, more memory is used, since each thread maintains its own DNS cache. - However, given the economics, and the relatively limited total amount of memory needed for high performance, this price is well worth it. 
- - - In practical numbers, over 40,000 queries/second sustained performance has now been measured by a third party, with a 100.0% packet response rate. This means that the needs - of around 400,000 residential connections can now be met by a single commodity server. - - - In addition to the above, the PowerDNS Recursor is now providing resolver service for many more Internet users than ever before. This has brought with it - 24/7 Service Level Agreements, and 24/7 operational monitoring by networking personnel at some of the largest telecommunications companies in the world. - - - In order to facilitate such operation, more statistics are now provided that allow the visual verification of proper PowerDNS Recursor operation. As an example of this - there are now graphs that plot how many queries were dropped by the operating system because of a CPU overload, plus statistics that can be monitored to determine - if the PowerDNS deployment is under a spoofing attack. - - - All in all, this is a large and important PowerDNS Release, paving the way for further innovation. - - - - - This release removes support for the 'fork' multi-processor option. In addition, the default is now to spawn two threads. This has been done - in such a way that total memory usage will remain identical, so each thread will use half of the allocated maximum number of cache entries. - - - Changes between RC2 and -release: - - - 'Make install' when an existing configuration file contained a 'fork' statement has been fixed. Spotted by Darren Gamble, code in c1534. - - - Reloading a non-existent allow-from-file caused the control thread to stop working. Spotted by Imre Gergely, code in c1532. - - - Parser got confused by reading en empty line in auth-forward-zones. Spotted by Imre Gergely, code in c1533. - - - David Gavarret discovered undocumented and not-working settings to set the owner, group and access modes of the control socket. Code by Aki Tuomi - and documentation in c1535. 
Fixup in c1536 for FreeBSD as found by Ralf van der Enden. - - - Tiny improvement possibly solving an issue on Solaris 10's completion port event multiplexer (c1537). - - - Changes between RC1 and RC2: - - - Compilation on Solaris 10 has been fixed (various patchlevels had different issues), code in c1522. - - - Compatibility with CentOS4/RHEL4 has been restored, the gcc and glibc versions shipped with this distribution contain a Thread Local Storage bug - which we now work around. Thanks to Darren Gamble and Imre Gergely for debugging this issue, code in c1527. - - - A failed setuid operation, because of misconfiguration, would result in a crash instead of an error message. Fixed in c1523. - - - Imre Gergely discovered that PowerDNS was doing spurious root repriming when invalidating nssets. Fixed in c1531. - - - Imre Gergely discovered our rrd graphs had not been changed for the new multithreaded world, and did not allow scaling beyond 200% cpu use. In addition, - CPU usage graphs did not add up correctly. Implemented in c1524. - - - Andreas Jakum discovered the description of 'max-packetcache-entries' and 'forward-zones-recurse' was wrong in the output of '--help' and '--config'. - In addition, some stray backup files made it into the RC1 release. Addressed in c1529. - - - Full release notes follow, including some overlap with the incremental release notes above. - Improvements: - - - - Multithreading, allowing near linear scaling to multiple CPUs or cores. Configured using 'threads=' (many commits). - This also deprecates the '--fork' option. - - - - - Added ability to read a configuration item of a running PowerDNS Recursor using 'rec_control get-parameter' (c1243), suggested by Wouter de Jong. - - - - - Added ability to read all statistics in one go of a running PowerDNS Recursor using 'rec_control get-all' (c1496), suggested by Michael Renner. 
- - - - - Speedups in packet generation (Commits C1258, C1259, C1262) - - - - - TCP deferred accept() filter is turned on again for slight DoS protection. Code in c1414. - - - - - PowerDNS Recursor can now do TCP/IP queries to remote IPv6 addresses (c1412). - - - - - - Solaris 9 '/dev/poll' support added, Solaris 8 now deprecated. Changes in c1421, c1422, c1424, c1413. - - - - - - Lua functions can now also see the address _to_ which a question was sent, using getlocaladdress(). Implemented in c1309 and c1315. - - - - - Maximum cache sizes now default to a sensible value. Suggested by Roel van der Made, implemented in c1354. - - - - - Domains can now be forwarded to IPv6 addresses too, using either ::1 syntax or [::1]:25. Thanks to Wijnand Modderman for discovering this issue, fixed in c1349. - - - - - Lua scripts can now load libraries at runtime, for example to calculate md5 hashes. Code by Winfried Angele in c1405. - - - - - - Periodic statistics output now includes average queries per second, as well as packet cache numbers (c1493). - - - - - New metrics are available for graphing, plus added to the default graphs (c1495, c1498, c1503) - - - - - - Fix errors/crashes on more recent versions of Solaris 10, where the ports functions could return ENOENT under some circumstances. Reported and debugged by - Jan Gyselinck, fixed in c1372. - - - - New features: - - - - Add pdnslog() function for Lua scripts, so errors or other messages can be logged properly. - - - - New settings to set the owner, group and access modes of the control socket (socket-owner, socket-group, socket-mode). Code by Aki Tuomi - and documentation in c1535. Fixup in c1536 for FreeBSD as found by Ralf van der Enden. - - - - rec_control now accepts a --timeout parameter, which can be useful when reloading huge Lua scripts. Implemented in c1366. 
- - - - - Domains can now be forwarded with the 'recursion-desired' bit on or off, using either forward-zones-recurse or by prefixing - the name of a zone with a '+' in forward-zones-file. Feature suggested by Darren Gamble, implemented in c1451. - - - - - Access control lists can now be reloaded at runtime (implemented in c1457). - - - - - PowerDNS Recursor can now use a pool of query-local-addresses to further increase resilience against spoofing. Suggested by Ad Spelt, implemented in c1426. - - - - - PowerDNS Recursor now also has a packet cache, greatly speeding up operations. Implemented in c1426, c1433 and further. - - - - - Cache can be limited in how long it maximally stores records, for BIND compatibility (TTL limiting), by setting max-cache-ttl.Idea by Winfried Angele, implemented in c1438. - - - - - Cache cleaning turned out to be scanning more of the cache than necessary for cache maintenance. In - addition, far more frequent but smaller cache cleanups improve responsiveness. Thanks to Winfried Angele for - discovering this issue. (commits C1501, C1507) - - - - - Performance graphs enhanced with separate CPU load and cache effectiveness plots, plus - display of various overload situations (commits C1503) - - - - - Compiler/Operating system/Library updates: - - - - PowerDNS Recursor can now compile against newer versions of Boost (verified up to and including 1.42.0). Reported & fixed by Darix in c1274. Further fixes in c1275, c1276, c1277, c1283. - - - - - Fix compatibility with newer versions of GCC (closes ticket t227, spotted by Ruben Kerkhof, code in c1345, more fixes in commit C1394, C1416, C1440). - - - - - Rrdtool update graph is now compatible with FreeBSD out of the box. Thanks to Bryan Seitz (c1517). - - - - - Fix up Makefile for older versions of Make (c1229). - - - - - Solaris compilation improvements (out of the box, no handwork needed). - - - - - Solaris 9 MTasker compilation fixes, as suggested by John Levon. Changes in c1431. 
- - - - - - Bug fixes: - - - - Under rare circumstances, the recursor could crash on 64 bit Linux systems running glibc 2.7, as found in Debian Lenny. - These circumstances became a lot less rare for the 3.2 release. Discovered by Andreas Jakum and debugged by #powerdns, fix in - c1519. - - - - Imre Gergely discovered that PowerDNS was doing spurious root repriming when invalidating nssets. Fixed in c1531. - - - - Configuration parser is now resistant against trailing tabs and other whitespace (c1242) - - - - - - Fix typo in a Lua error message. Close t210, as reported by Stefan Schmidt (c1319). - - - - - Profiled-build instructions were broken, discovered & fixes suggested by Stefan Schmidt. t239, fix in c1462. - - - - - Fix up duplicate SOA from a remote authoritative server from showing up in our output (c1475). - - - - - - All security fixes from 3.1.7.2 are included. - - - - - - Under highly exceptional circumstances on FreeBSD the PowerDNS Recursor could crash because of a TCP/IP error. - Reported and fixed by Andrei Poelov in t192, fixed in c1280. - - - - - PowerDNS Recursor can be a root-server again. Error spotted by the ever vigilant Darren Gamble (ticket T229), fix in c1458. - - - - - - Rare TCP/IP errors no longer lead to PowerDNS Recursor logging errors or becoming confused. Debugged by Josh Berry of Plusnet PLC. Code in c1457. - - - - - - Do not hammer parent servers in case child zones are misconfigured, requery at most once every 10 seconds. Reported & investigated by - Stefan Schmidt and Andreas Jakum, fixed in c1265. - - - - - Properly process answers from remote authoritative servers that send error answers without including the original question (c1329, c1327). - - - - - - No longer spontaneously turn on 'export-etc-hosts' after reloading zones. Discovered by Paul Cairney, reported in t225, addressed in c1348. - - - - - - Very abrupt server failure of large numbers of high-volume authoritative servers could trigger an out of memory situation. 
Addressed in c1505. - - - - - - - Make timeouts for queries to remote authoritative servers configurable with millisecond granularity. In addition, the old code turned out to consider the timeout - expired when the integral number of seconds since 1970 increased by 1 - which *on average* is after 500ms. This might have caused spurious timeouts! New default - timeout is 1500ms. See network-timeout setting for more details. - Code in c1402. - - - - - - - - Recursor version 3.1.7.2 - - - - Released on the 6th of January 2010. - - - - - This release consist of a number of vital security updates. These updates address issues - that can in all likelihood lead to a full system compromise. In addition, it is possible for - third parties to pollute your cache with dangerous data, exposing your users to possible harm. - - - This version has been well tested, and at the time of this release is already powering millions - of internet connections, and should therefore be a risk-free upgrade from 3.1.7.1 or any earlier - version of the PowerDNS Recursor. - - - All known versions of the PowerDNS Recursor are impacted to a greater or lesser extent, so an immediate update is advised. - - - These vulnerabilities were discovered by a third party that can't yet be named, - but who we thank for their contribution to a more secure PowerDNS Recursor. - - - For more information, see and . - - - - Recursor version 3.1.7.1 - - - - Released on the 2nd of August 2009. - - - - - This release consists entirely of fixes for tiny bugs that have been reported over the past year. In - addition, compatibility has been restored with the latest versions of the gcc compiler and the 'boost' libraries. - - - No features have been added, but some debugging code that very slightly impacted performance (and polluted the - console when operating in the foreground) has been removed. - - - FreeBSD users may want to upgrade because of a very remote chance of 3.1.7 and previous crashing once every few years. 
- For other operators not currently experiencing problems, there is no reason to upgrade. - - - - - - Improved error messages when parsing zones for authoritative serving (c1235). - - - - - - Better resilience against whitespace in configuration (changesets C1237, C1240, C1242) - - - - - - Slight performance increase (c1378) - - - - - - Fix rare case where timeouts were not being reported to the right query-thread (c1260) - - - - - - Fix compilation against newer versions of the Boost C++ libraries (c1381) - - - - - - Close very rare issue with TCP/IP close reporting ECONNRESET on FreeBSD. Reported by Andrei Poelov in t192. - - - - - Silence debugging output (c1286). - - - - - Fix compilation against newer versions of gcc (c1384) - - - - - No longer set export-etc-hosts to 'on' on reload-zones. Discovered by Paul Cairney, closes t225. - - - - - Sane default for the maximum cache size in the Recursor, suggested by Roel van der Made (c1354). - - - - - - No longer exit because of the changed behaviour of the Solaris 'completion ports' in more recent versions of Solaris. Fix in c1372, reported by Jan Gyselinck. - - - - - - - Authoritative Server version 2.9.22 - - - - Released on the 27th of January 2009. - - - - - This is a huge release, spanning almost 20 months of development. Besides fixing a lot of bugs, of note is the addition of the so called 'Notification Proxy', - which allows PowerDNS to function as a master server behind a firewall, plus the huge performance improvement of the internal caches. - - - This work has been made possible by UPC Broadband and Directi, respectively. - - - Finally, the release candidates of this version have been tested & improved by Jorn Ekkelenkamp, Ton van Rosmalen, Jeff Sipek, Tyler Hall, Christof Meerwald and - Stefan Schmidt. - - - Fixed between rc1 and rc2, but not an issue in 2.9.21. - - - - pdns_control ccounts again outputs proper cache statistics. Implemented in c1304. 
- - - - - Negative query caching was reinstated, leading to 6 times fewer backend queries than rc1 on the Express.powerdns.com servers. - - - - - Packetcache no longer needlessly parses outgoing packets before sending them. - - - - - Fancy records work again. This work has been sponsored by ISP Services. Implemented in c1302 and c1299. - - - - - - - New features: - - - - pdns_control can now also work over TCP/IP. Sponsored by Directi. Commits C1246, C1251, C1254, C1255. - - - - - Implemented a notification proxy, see . This work was sponsored by UPC Broadband. Implemented in commits C1075, C1077, C1082, - C1083, C1085 and C1086. - - - - - IXFR queries are now supported in the sense that we treat them as AXFR queries, silencing warnings in other nameservers. Suggested in t131. - - - - - The PIPE backend has been extended by David Apgar to allow the reporting of errors using the 'FAIL' command, plus - support for responses with whitespace. Implemented in c1114. - - - - - PowerDNS Authoritative server now parses incoming EDNS options, like maximum allowed packet size. Implemented in c1123 and c1281. - - - - - Added support for DHCID, IPSECKEY and KX records, thanks Norbert Sendetzky for the hint. Implemented in c1144. - - - - - - Norbert Sendetzky has has added support for all record types supported by PowerDNS to the LDAPBackend. Furthermore, the detection - of OpenLDAP in autoconf has been improved. Finally, debian has supplied some fixes to PowerLDAP. Implemented in c1152 and c1153. - - - - - Implemented EDNS NSID option for retrieving the nameserver ID out of band. Defaults to hostname, can be specified using the - server-id setting. Code in c1232. - - - - - Implemented experimental EDNS PING for enhanced forgery resilience. Code in c1232. - - - - - - Performance: - - - - Improve packet generation performance, in some cases by 25%. Code in C1258, C1259. - - - - - Improved access list checking performance. c1261. 
- - - - - PowerDNS Authoritative caches were completely redone, and are now based on the same cache that is in the resolver. This work has been sponsored - by Directi. In large benchmarks, PowerDNS performance has improved by an order of magnitude or more. This new version allows for near-instantaneous - cache purging, plus very rapid purging based on suffix. Purge commands can also be batched. This work is partially based on an innovative - reverse-string comparison function authored by Aki Tuomi. - - - - - Installations which run with very high cache hitrates can now benefit from multiple CPUs by setting receiver-threads to the number - of desired CPUs to utilize in cache operations. Implemented in c1316. - - - - - BIND backend speedups in c1108, measured at around a 20% improvement, possibly more on very large setups. - - - - - - - Bugs fixed: - - - - Tyler Hall discovered the PowerDNS configuration file parser had problems with trailing tabs. This turned out to be a wider problem in PowerDNS. - Buggy code replaced by a library call in c1237 and c1240. - - - - - David Apgar of Yahoo discovered that our 'guardian' method of restarting PowerDNS in case of problems was not fool proof, and submitted a fix. - A variation of this fix can be found in c1323. Also reported by Directi. - - - - - - Connection reset by peer events in the TCP nameserver no longer lead to the cycling of database connections. Code in c1241. - - - - - FreeBSD compilation with Generic PostgreSQL backend was fixed. Reported by Wouter de Jong of WideXS, fixed in c1305, closes t95. - - - - - - Webserver no longer prints '1e2%'. Finally closes t26. Much friendly nagging for over 3 years by Jeff Sipek, code in c1303. - - - - - PowerDNS used to ignore certain queries it could not answer. These queries are no longer ignored, but get a SERVFAIL response. Implemented in c1239. - - - - - - Fix subtle CNAME and wildcard interactions reported by 'zzyzz', implemented in c1147. 
- - - - - The generic backends did not honour the default-ttl setting. Spotted and implemented by Matti Hiljanen. - - - - - Matti Hiljanen discovered that the OpenDBX backend did not fill out the SOA ttl value properly. Matti also improved the SQL statements - for better compatibility. Implemented in c1181. - - - - - - Treat invalid WWW requests better. Spotted by Maikel Verheijen, implemented in c1092. - - - - - Documentation errors and typos, spotted by Marco Davids (c1097) and Rejo Zengers (c1119) - - - - - Properly fill out the 'recursion available'-flag. Spotted by Augie Schwer in t167. - - - - - Several memory leaks on bad data in the database or other errors have been fixed. Addressed in C1078 and C1079. - - - - - In contravention to the documentation, the domain type as specified in the database ('MASTER', 'SLAVE' or 'NATIVE') was interpreted - case sensitively. C1084. - - - - - BIND backend could crash on processing information about slave zones to be checked. Spotted by Stefan Schmidt, fixed in C1089. - - - - - - Jelte Jansen of Stichting NLNetLabs discovered PowerDNS in BIND mode couldn't operate as a root-server! Fixed in C1057. - - - - - 'DPS' discovered there was a rare opportunity for PowerDNS to lock up waiting for new data. Addressed in C1076. - - - - - - Make singlethreaded mode more resilient against errors. c1272. - - - - - DNSSEC records were part of 2.9.21, but were not actually hooked up. Please note that while PowerDNS can serve most DNSSEC records, - it does not do DNSSEC processing. Implemented in C1046. - - - - - Shawn Starr migrated all his domains to PowerDNS in one evening, from an installation that had been used since BIND4. - In doing so, he found 3 bugs in as many hours. An IN statement in the BIND named.conf - with a zone with a trailing dot was misparsed, fixed in c1233. Secondly, the zone file parser tripped over a line consisting of nothing - but comments in the wrong place. Finally '$ORIGIN .' was misparsed. 
Last two issues fixed in c1234. - - - - - - Our statistics counters did not wrap correctly after the 2.15 billion mark. Spotted by Stefan Schmidt, reported in t179, fixed in c1284. - - - - - Bindbackend could sometimes generate very strange error messages while processing a malformed zone file. Sometimes such error messages - could cause a crash (reported on HP-UX). Addressed by c1279. This could not be triggered remotely. Closes ticket t203. - - - - - Pipe backend did not clean up killed coprocesses. Found and fixed by Daniel Drown - - - - - Installations with tens of thousands of slave domains would never complete the cycle to check the freshness of all zones - as each incoming notification disrupted this cycle. Addressed in cooperation with Tyler Hall of EditDNS. - - - - - - - Improvements: - - - - Zone parser improvements mean $TTL and $INCLUDES now work a lot better. Implemented in C1056, C1062. - - - - - No longer report temporary recvfrom errors, which used to spam the log on many systems. Addressed in c1320. - - - - - - Direct queries for 'fancy records' would lead to errors, such queries now fail early. Spotted by Jorn Ekkelenkamp, implemented in C1051. - - - - - Fix typo in geobackend, closing t157, implemented in C1090. - - - - - Initial work on TSIG support - not done yet. Spurred on by Marco Davids. - - - - - Embarrassingly, the 'master' configuration setting was not documented in the list of all settings! - - - - - Norbert has updated OpenDBX so that SQLite reads and writes no longer deadlock, plus compilation fixes on Solaris, plus the addition - of autoserials to backends that support triggers. Implemented in c1154. - - - - - Random generator is now based on AES, improving the security of certain proxy operations. This is the same random generator that is in - the recursor. Implemented in c1256. - - - - - Documentation for 'supermaster' mode was improved due to popular demand. 
- - - - - - When binding to a UDP port failed, supply a more precise error message (c1245) - - - - - - The zone parser error messages were vastly improved, partially inspired by Shawn's cowboy migration. Code in c1235. - - - - - Labels are compressed more efficiently (case-insensitively), leading to smaller packets. Implemented in c1156. - - - - - - Fix handling of TCP timeouts to not cause a reload of the backends. Implemented in c1092. - - - - - TCP Receiver no longer spams the log with common network errors. Implemented in c1306. - - - - - - Move from select() to poll()-based multiplexing, allowing PowerDNS to listen on more than 1024 sockets simultaneously. - One big PowerDNS user needs this. Implemented in C1072. - - - - - Zone2sql now reads source files in performance enhancing inode order. Additionally, zone2sql no longer dies on a missing zone file if - --on-error-resume-next was specified. Finally, statistics of zone2sql conversion have been improved. Implemented in C1055. - - - - - - Address issues found by more recent g++ versions. Spotted and/or fixed by Jorn Ekkelenkamp (c1051), Marcus Rueckert (c1094), Norbert Sendetzky (c1107), - Serge Belyshev (c1171). - - - - - The Intel C Compiler implements certain things differently, causing the master/slave communicator to malfunction. Spotted by Marcus Rueckert, implemented - in C1052, plus fallout in C1105. - - - - - PowerDNS can now be compiled with Boost 1.37.0. - - - - - Andre Lorbach of Adiscon discovered the Microsoft Windows 2003 nameserver - adds out of zone data to zone transfers, which we need to ignore, instead of - rejecting the entire zone. Implemented in C1048. - - - - - PowerDNS now skips remote master servers which consistently generate timeout messages, improving the master checking cycle time tremendously. - Developed in cooperation with Tyler Hall. Implemented in c1278. 
- - - - - - When binding to a UDP port failed, supply a more precise error message (c1245) - - - - - dnsreplay now waits for the final answers to arrive, making it possible to process even small pcap files and - get meaningful statistics. c1268. - - - - - dnsreplay has a more sane default timeout now, which can be configured too. Suggested by Augie Schwer in t163, implemented in c1287. - - - - - - Authoritative Server version 2.9.21.2 - - Released on the 18th of November 2008. - - - This release consists of a single patch to PowerDNS Authoritative Server version 2.9.21.1. - In some configurations, notably with configuration option 'distributor-threads=1', the PowerDNS Authoritative Server - crashes easily in some error conditions. - - - All users are urged to upgrade. Even though PowerDNS restarts itself on encountering such error conditions, and even - though most PowerDNS configurations do not run in single threaded mode, an upgrade is recommended. - - - More detail can be found in . - - - Authoritative Server version 2.9.21.1 - - Released on the 6th of August 2008. - - - This release consists of a single patch to PowerDNS Authoritative Server version 2.9.21. - Brian J. Dowling of Simplicity Communications has discovered a security implication of - the previous PowerDNS behaviour to drop queries it considers malformed. We are grateful that - Brian notified us quickly about this problem. - - - This issue has been assigned CVE-2008-3337. The single patch is in c1239. More detail can be found in - . - - - The implication is that while the PowerDNS Authoritative server itself does not face a security risk because - of dropping these malformed queries, other resolving nameservers run a higher risk of accepting spoofed - answers for domains being hosted by PowerDNS Authoritative Servers before 2.9.21.1. - - - While the dropping of queries does not aid sophisticated spoofing attempts, it does facilitate simpler attacks. 
- - - It may be good to know that several large sites already run with this patch applied, as it has been in the - public code base for some weeks already. - - - Recursor version 3.1.7 - - Released the 25th of June 2008. - - - This version contains powerful scripting abilities, allowing operators to modify DNS responses in many - interesting ways. Among other things, these abilities can be used to filter out malware domains, to perform - load balancing, to comply with legal and other requirements and finally, to implement 'NXDOMAIN' redirection. - - - It is hoped that the addition of Lua scripting will enable responsible DNS modification for those that need it. - - - For more details about the Lua scripting, which can be modified, loaded and unloaded at runtime, see . - Many thanks are due to the #lua irc channel, for excellent near-realtime Lua support. In addition, a number of PowerDNS users have been - enthousiastically testing prereleases of the scripting support, and have found and solved many issues. - - - In addition, 3.1.7 fixes a number of bugs: - - - - - - - In 3.1.5 and 3.1.6, an authoritative server could continue to renew its authority, even though a domain had been delegated - to other servers in the meantime. - - - In the rare cases where this happened, and the old servers were not shut down, the observed effect is that users were fed outdated data. - - - Bug spotted and analysed by Darren Gamble, fix in c1182 and c1183. - - - - - Thanks to long time PowerDNS contributor Stefan Arentz, for the first time, Mac OS X 10.5 users can compile and run the PowerDNS Recursor! - Patch in c1185. - - - - - Sten Spans spotted that for outgoing TCP/IP queries, the query-local-address setting was not honored. Fixed in c1190. - - - - - rec_control wipe-cache now also wipes domains from the negative cache, hurrying up the expiry - of negatively cached records. Suggested by Simon Kirby, implemented in c1204. 
- - - - - When a forwarder server is configured for a domain, using the forward-zones setting, this server IP address was - filtered using the dont-query setting, which is generally not what is desired: the server to which queries are - forwarded will often live in private IP space, and the operator should be trusted to know what he is doing. Reported and argued by Simon - Kirby, fix in c1211. - - - - - - Marcus Rueckert of OpenSUSE reported that very recent gcc versions emitted a (correct) warning on an overly complicated line - in syncres.cc, fixed in c1189. - - - - - Stefan Schmidt discovered that the netmask matching code, used by the new Lua scripts, but also by all other parts of PowerDNS, had problems - with explicit '/32' matches. Fixed in c1205. - - - - - - - - Recursor version 3.1.6 - - Released on the 1st of May 2008. - - - This version fixes two important problems, each on its own important enough to justify a quick upgrade. - - - - - Version 3.1.5 had problems resolving several slightly misconfigured domains, including for a time 'juniper.net'. Nameserver timeouts were not being - processed correctly, leading PowerDNS to not update the internal clock, which in turn meant - that any queries immediately following an error would time out as well. Because of retries, this would usually not be a problem except on very busy servers, - for domains with different nameservers at different levels of the DNS-hierarchy, like 'juniper.net'. - - - This issue was fixed rapidly because of the help of XS4ALL (Eric Veldhuyzen, Kai Storbeck), - Brad Dameron and Kees Monshouwer. Fix in c1178. - - - - - The new high-quality random generator was not used for all random numbers, especially in source port selection. This means that 3.1.5 is still - a lot more secure than 3.1.4 was, and its algorithms more secure than most other nameservers, but it also means 3.1.5 is not as secure as it could be. - A quick upgrade is recommended. 
Discovered by Thomas Biege of Novell (SUSE), fixed in c1179. - - - - - Recursor version 3.1.5 - - Released on the 31st of March 2008. - - - Much like 3.1.4, this release does not add a lot of major features. Instead, performance has been improved significantly (estimated at around 20%), and many rare - and not so rare issues were addressed. Multi-part TXT records now work as expected - the only significant functional bug found in 15 months. One of the oldest - feature requests was fulfilled: version 3.1.5 can finally forward queries for designated domains to multiple servers, on differing port numbers if needed. - Previously only one forwarder address was supported. This lack held back a number of migrations to PowerDNS. - - - We would like to thank Amit Klein of Trusteer for bringing a serious - vulnerability to our attention which would enable a smart attacker to - 'spoof' previous versions of the PowerDNS Recursor into accepting possibly - malicious data. - - - Details can be found on this Trusteer page. - - - It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 - as soon as practicable, while we simultaneously note that busy servers are - less susceptible to the attack, but not immune. - - - The PowerDNS Security Advisory can be found in . - - - This version can properly benefit from all IPv4 and IPv6 addresses in use at the root-servers as of early February 2008. In order to implement this, - changes were made to how the Recursor deals internally with A and AAAA queries for nameservers, see below for more details. - - - Additionally, newer releases of the G++ compiler required some fixes (see t173). 
- - - This release was made possible by the help of Wichert Akkerman, Winfried Angele, Arnoud Bakker (Fox-IT), Niels Bakker (no relation!), - Leo Baltus (Nederlandse Publieke Omroep), Marco Davids (SIDN), David Gavarret (Neuf Cegetel), Peter Gervai, Marcus Goller (UPC), - Matti Hiljanen (Saunalahti/Elisa), Ruben Kerkhof, - Alex Kiernan, Amit Klein (Trusteer), Kenneth Marshall (Rice University), Thomas Rietz, Marcus Rueckert (OpenSUSE), Augie Schwer (Sonix), Sten Spans (Bit), Stefan Schmidt (Freenet), - Kai Storbeck (xs4all), - Alex Trull, Andrew Turnbull (No Wires) and Aaron Thompson, and many more who filed bugs anonymously, or who we forgot to mention. - - - Security related issues: - - - - Amit Klein has informed us that System random generator output can be predicted based on its past behaviour, allowing a smart attacker to 'spoof' - our nameserver. Full details in . - - - - - The Recursor will by default no longer query private-space nameservers. This closes a slight security risk and simultaneously - improves performance and stability. For more information, see dont-query in . - Implemented in c923. - - - - - Applied fix for t110 ('PowerDNS should change directory to '/' in chroot), implemented in c944. - - - - - - - Performance: - - - - The DNS packet writing and parsing infrastructure performance was improved in several ways, see commits - C925, C926, C928, C931, C1021, C1050. - - - - - Remove multithreading overhead from the Recursor (c999). - - - - - - Bug fixes: - - - - Built-in authoritative server now properly derives the TTL from the SOA record if not specified. Implemented in c1165. - Additionally, even when TTL was specified for the built-in authoritative server, it was ignored. Reported by Stefan Schmidt, - closing t147. - - - - - Empty TXT record components can now be served. Implemented in c1166, closing t178. Spotted by Matti Hiljanen. 
- - - - - The Recursor would not properly override old data with new, sometimes serving old and new data concurrently. Fixed in c1137. - - - - - SOA records with embedded carriage-return characters are now parsed correctly. Implemented in c1167, closing t162. - - - - - Some routing conditions could cause UDP connected sockets to generate an error which PowerDNS did not deal with properly, leading - to a leaked file descriptor. As these run out over time, the recursor could crash. This would also happen for IPv6 queries - on a host with no IPv6 connectivity. Thanks to Kai of xs4all and Wichert Akkerman for - reporting this issue. Fix in c1133. - - - - - Empty unknown record types can now be stored without generating a scary error (c1129) - - - - - Applied fix for t111, t112 and t153 - large (multipart) TXT records are now retrieved - and served properly. Fix in c996. - - - - - - Solaris compilation instructions in Recursor documentation were wrong, leading to an instant crash on startup. - Luckily nobody reads the documentation, except for Marcus Goller who found the error. Fixed in c1124. - - - - - On Solaris, finally fix the issue where queries get distributed strangely over CPUs, or not get distributed at all. - Much debugging and analysing performed by Alex Kiernan, who also supplied fixes. Implemented in c1091, c1093. - - - - - Various fixes for modern G++ versions, most spotted by Marcus Rueckert (commits C964, C965, C1028, C1052), and - Ruben Kerkhof (c1136, closing t175). - - - - - Recursor would not properly clean up pidfile and control socket, closing t120, code in c988, c1098 (part of fix by Matti Hiljanen, spotted by Leo Baltus) - - - - - Recursor can now serve multi-line records from its limited authoritative server (c1014). - - - - - When parsing zones, the 'm' time specification stands for minutes, not months! Closing Debian bug 406462 (c1026) - - - - - Authoritative zone parser did not support '@' in the content of records. 
Spotted by Marco Davids, fixed in c1030. - - - - - Authoritative zone parser could be confused by trailing TABs on record lines (c1062). - - - - - - EINTR error code could block entire server if received at the wrong time. Spotted by Arnoud Bakker, fix in c1059. - - - - - Fix crash on NetBSD on Alpha CPUs, might improve startup behaviour on empty caches on other architectures as well (c1061). - - - - - Outbound TCP queries were being performed sub-optimally because of an interaction with the 'MPlexer'. Fixes in c1115, c1116. - - - - - - New features: - - - - Implemented rec_control command get uptime, as suggested by Niels Bakker (c935). Added - to default rrdtool scripts in c940. - - - - - The Recursor Authoritative component, meant for having the Recursor serve some zones authoritatively, now supports $INCLUDE and - $GENERATE. Implemented in c951 and c952, c967 (discovered by Thomas Rietz), - - - - - Implemented forward-zones-file option in order to support larger amounts of zones which should - be forwarded to another nameserver (c963). - - - - - Both forward-zones and forward-zones-file can now specify multiple forwarders per domain, - implemented in c1168, closing t81. Additionally, both these settings can also specify non-standard port numbers, as suggested in ticket - t122. Patch authored by Aaron Thompson, with additional work by Augie Schwer. - - - - - Sten Spans contributed allow-from-file, implemented in c1150. This feature allows the Recursor to read - access rules from a (large) file. - - - - - - General improvements: - - - - Ruben Kerkhof fixed up weird permission bits as well as our SGML documentation code in c936 and c937. - - - - - Full IPv6 parity. If configured to use IPv6 for outgoing queries (using query-local-address6=::0 for example), IPv6 and IPv4 - addresses are finally treated 100% identically, instead of 'mostly'. This feature is implemented using 'ANY' queries to find A and AAAA addresses - in one query, which is a new approach. 
Treat with caution. - - - - - Now perform EDNS0 root refreshing queries, so as to benefit from all returned addresses. Relevant since early February 2008 when the root-servers - started to respond with IPv6 addresses, which made the default non-EDNS0 maximum packet length reply no longer contain all records. Implemented in c1130. - Thanks to dns-operations AT mail.oarc.isc.org for quick suggestions on how to deal with this change. - - - - - rec_control now has a timeout in case the Recursor does not respond. Implemented in c945. - - - - - (Error) messages are now logged with saner priorities (c955). - - - - - Outbound query IP interface stemmed from 1997 (!) and was in dire need of a cleanup (c1117). - - - - - L.ROOT-SERVERS.NET moved (c1118). - - - - - - PowerDNS Authoritative Server version 2.9.21 - - Released the 21st of April 2007. - - - This is the first release the PowerDNS Authoritative Server since the Recursor was split off to a separate product, and also marks the transfer - of the new technology developed specifically for the recursor, back to the authoritative server. - - - This move has reduced the amount of code of the Authoritative server by over 2000 lines, while improving the quality - of the program enormously. - - - However, since so much has been changed, care should be taken when deploying 2.9.21. - - - To signify the magnitude of the underlying improvements, the next release of the PowerDNS Authoritative Server will be called 3.0. - - - This release would not have been possible without large amounts of help and support from the PowerDNS Community. 
We specifically want to thank - Massimo Bandinelli of Italy's Register.it, Dave Aaldering of Aaldering ICT, - True BV, XS4ALL, Daniel Bilik of Neosystem, - EasyDNS, Heinrich Ruthensteiner of Siemens, - Augie Schwer, Mark Bergsma, Marco Davids, - Marcus Rueckert of OpenSUSE, Andre Muraro of Locaweb, - Antony Lesuisse, Norbert Sendetzky, Marco Chiavacci, Christoph Haas, - Ralf van der Enden and Ruben Kerkhof. - - - Security issues: - - - - The previous packet parsing and generating code contained no known bugs, but was however very lengthy and overly complex, and might have had - security problems. The new code is 'inherently safe' because it relies on bounds-checking C++ constructs. Therefore, a move to 2.9.21 is highly - recommended. - - - - - Pre-2.9.21, communication between master and server nameservers was not checked as rigidly as possible, possibly allowing third parties to disrupt - but not modify such communications. - - - - - - - - The 'bind1' legacy version of our BIND backend has been dropped! There should be no need to rely on this old version anymore, as the main BIND backend - has been very well tested recently. - - - - - Bugs: - - - - Multi-part TXT records weren't supported. This has been fixed, and regression tests have been added. Code in commits C1016, C996, C994. - - - - - Email addresses with embedded dots in SOA records were not parsed correctly, nor were other embedded dots. Noted by 'Bastiaan', fixed in c1026. - - - - - BIND backend treated the 'm' TTL modifier as 'months' and not 'minutes'. Closes Debian bug 406462. Addressed in c1026. - - - - - Our snapshots were built against a static version of PostgreSQL that was incompatible with many Linux distributions, leading to instant - crashes on startup. Fixed in C1022 and C1023. - - - - - CNAME referrals to child zones gave improper responses. Noted by Augie Schwer in t123, fixed in c992. 
- - - - - When passing a port number with the recursor setting, this would sometimes generate errors during additional processing. Switched off - overly helpful additional processing for recursive queries to remove this problem. Implemented in c1031, spotted by Ralf van der Enden. - - - - - NS to a nameserver with the name of the zone itself generated problems. Spotted by Augie Schwer, fixed in c947. - - - - - Multi-line records in the BIND backend were not always parsed correctly. Fixed in c1014. - - - - - The LOC-record had problems operating outside of the eastern hemisphere of the northern part of the world! Fixed in c1011. - - - - - Backends were compiled without multithreading preprocessor flags. As far as we can determine, this would only cause problems for the BIND backend, - but we cannot rule out this caused instability in other backends. Fixed in c1001. - - - - - The BIND backend was highly unstable under reloads, and leaked memory and file descriptors. - Thanks to Mark Bergsma and Massimo Bandinelli for respectively pointing this out to us and testing - large amounts of patches to fix the problem. The fixes have resulted in better performance, less code, and a remarkable simplification - of this backend. Commits C1039, C1034, C1035, C1006, C999, C905 and previous. - - - - - BIND backend gave convincing NXDOMAINs on unloaded zones in some cases. Spotted and fixed by Daniel Bilik in c984. - - - - - SOA records in zone transfers sometimes contained the wrong SOA TTL. Spotted by Christian Kuehn, fixed in c902. - - - - - PowerDNS could get confused by very high SOA serial numbers. Spotted and fixed by Dan Bilik, fixed in c626. - - - - - Some versions of FreeBSD perform very strict checks on socket address sizes passed to 'connect', which could lead to problems retrieving zones over AXFR. - Fixed in c891. - - - - - Some versions of FreeBSD perform very strict checks on IPv6 socket addresses, leading to problems. 
Discovered by Sten Spans, fixed in c885 and c886. - - - - - IXFR requests were not logged properly. Noted by Ralf van der Enden, fixed in c990. - - - - - Some NAPTR records needed an additional space character to encode correctly. Spotted by Heinrich Ruthensteiner, fixed in c1029. - - - - - Many bugs in the TCP nameserver, leading to a PowerDNS process that did not respond to TCP queries over time. Many fixes provided by - Dan Bilik, other problems were fixed by rewriting our TCP handling code. Commits C982 and C980, C950, C924, C889, C874, C869, C685, C684. - - - - - Fix crashes on the ARM processor due to alignment errors. Thanks to Sjoerd Simons. Closes Debian bug 397031. - - - - - Missing data in generic SQL backends would sometimes lead to faked SOA serial data. Spotted by Leander Lakkas from True. Fix in c866. - - - - - When receiving two quick notifications in succession, the packet cache would sometimes "process" the second one, leading PowerDNS to ignore it. Spotted by - Dan Bilik, fixed in c686. - - - - - Geobackend (by Mark Bergsma) did not properly override the getSOA method, breaking non-overlay operation of this fine backend. The geobackend now also - skips '.hidden' configuration files, and now properly disregards empty configuration files. Additionally, the overlapping abilities were improved. Details - available in c876, by Mark. - - - - - - Features: - - - - Thanks to EasyDNS, PowerDNS now supports multiple masters per domain. For configuration - details, see . Implemented in c1018, c1017. - - - - - Thanks to EasyDNS, PowerDNS now supports the KEY record type, as well the SPF record. In c976. - - - - - Added support for CERT, SSHFP, DNSKEY, DS, NSEC, RRSIG record types, as part of the move to the new DNS parsing/generating code. - - - - - Support for the AFSDB record type, as requested by 'Bastian'. Implemented in c978, closing t129. - - - - - Support for the MR record type. Implemented in c941 and c1019. 
- - - - - Gsqlite3 backend was added by Antony Lesuisse in c942; - - - - - Added the ability to send out light-weight root-referrals that save bandwidth yet still placate mediocre resolver implementations. Implemented in c912, - enable with 'root-referral=lean'. - - - - - - Improvements: - - - - Miscellaneous OpenDBX and LDAP backend improvements by Norbert Sendetzky. Applied in c977 and c1040. - - - - - SGML source of the documentation was cleaned up by Ruben Kerkhof in c936. - - - - - Speedups in core DNS label processing code. Implemented in c928, c654, c1020. - - - - - When communicating with master servers and encountering errors, more useful details are logged. Reported by Stefan Arentz in t137, closed by c1015. - - - - - Database errors are now logged with more details. Addressed in c1004. - - - - - pdns_control problems are now logged more verbosely. Change in c910. - - - - - Erroneous address configuration was logged unclearly. Spotted by River Tarnell, fixed in c888. - - - - - Example configuration shipped with PowerDNS was very old. Noted by Leen Besselink, fixed in c946. - - - - - PowerDNS neglected to chdir to the root when chrooted. This closes t110, fixed in c944. - - - - - Microsoft resolver had problems with responses we generated for CNAMEs pointing out of our bailiwick. Fixed in c983 and expedited by Locaweb.com.br. - - - - - Built-in webserver logs errors more verbosely. Closes t82, fixed in c991. - - - - - Queries containing '@' no longer flood the logs. Addressed in c1014. - - - - - The build process now looks for PostgreSQL in more places. Implemented in c998, closes t90. - - - - - Speedups in the BIND backend now mean large installations enjoy startup times up to 30 times faster than with the original BIND nameserver. Many thanks - to Massimo Bandinelli. - - - - - BIND backend now offers full support for query logging, implemented in c1026, c1029. - - - - - BIND backend named.conf parsing is now fully case-insensitive for domain names. 
This closes Debian bug 406461, fixed in c1027. - - - - - IPv6 and IPv4 address parsing routines have been replaced, which should result in prettier output in some cases. c962, c1012 and others. - - - - - 5 new regression tests have been added to insure old bugs do not return. - - - - - Fix small issues with very modern compilers and BOOST snapshots. Noted by Marcus Rueckert, addressed in c954, c964 c965, c1003. - - - - - - Recursor version 3.1.4 - - Released the 13th of November 2006. - - - This release contains almost no new features, but consists mostly of minor and major bug fixes. It also addresses two major security issues, which makes - this release a highly recommended upgrade. - - - Security issues: - - - - Large TCP questions followed by garbage could cause the recursor to crash. This critical security issue has been assigned CVE-2006-4251, and is fixed in - c915. More information can be found in . - - - - - CNAME loops with zero second TTLs could cause crashes in some conditions. These loops could be constructed by malicious parties, - making this issue a potential denial of service attack. This security issue has been assigned CVE-2006-4252 and is fixed by c919. - More information can be found in . Many thanks to David Gavarret for helping pin down this problem. - - - - - - Bugs: - - - - On certain error conditions, PowerDNS would neglect to close a socket, which might therefore eventually run out. Spotted by Stefan Schmidt, fixed in commits C892, C897, C899. - - - - - Some nameservers (including PowerDNS in rare circumstances) emit a SOA record in the authority section. The recursor mistakenly interpreted this as an - authoritative "NXRRSET". Spotted by Bryan Seitz, fixed in c893. - - - - - In some circumstances, PowerDNS could end up with a useless (not working, or no longer working) set of nameserver records for a domain. This release contains logic - to invalidate such broken NSSETs, without overloading authoritative servers. 
This problem had previously been spotted by Bryan Seitz, 'Cerb' and Darren Gamble. - Invalidations of NSSETs can be plotted using the "nsset-invalidations" metric, available through rec_control get. - Implemented in c896 and c901. - - - - - PowerDNS could crash while dumping the cache using rec_control dump-cache. Reported by Wouter of WideXS and Stefan Schmidt and many others, fixed in c900. - - - - - Under rare circumstances (depleted TCP buffers), PowerDNS might send out incomplete questions to remote servers. Additionally, on big-endian systems (non-Intel and non-AMD - generally), sending out large TCP answers questions would not work at all, and possibly crash. Brought to our attention by David Gavarret, fixed in c903. - - - - - The recursor contained the potential for a dead-lock processing an invalid domain name. It is not known how this might be triggered, - but it has been observed by 'Cerb' on #powerdns. Several dead-locks where PowerDNS consumed all CPU, but did not answer questions, - have been reported in the past few months. These might be fixed by c904. - - - - - IPv6 'allow-from' matching had problems with the least significant bits, sometimes allowing disallowed addresses, but mostly disallowing allowed addresses. Spotted by Wouter - from WideXS, fixed in c916. - - - - - Improvements: - - - - PowerDNS has support to drop answers from so called 'delegation only' zones. A statistic ("dlg-only-drops") is now available to plot how often this happens. Implemented in c890. - - - - - Hint-file parameter was mistakenly named "hints-file" in the documentation. Spotted by my Marco Davids, fixed in c898. - - - - - rec_control quit should be near instantaneous now, as it no longer meticulously cleans up memory before exiting. Problem spotted by Darren Gamble, fixed in - c914, closing t84. - - - - - init.d script no longer refers to the Recursor as the Authoritative Server. Spotted by Wouter of WideXS, fixed in c913. 
- - - - - A potentially serious warning for users of the GNU C Library version 2.5 was fixed. Spotted by Marcus Rueckert, fixed in c920. - - - - - - - Recursor version 3.1.3 - - Released the 12th of September 2006. - - - Compared to 3.1.2, this release again consists of a number of mostly minor bug fixes, and some slight improvements. - - - Many thanks are again due to Darren Gamble who together with his team has discovered many misconfigured domains that do work - with some other name servers. DNS has long been tolerant of misconfigurations, PowerDNS intends to uphold that tradition. Almost all of - the domains found by Darren now work as well in PowerDNS as in other name server implementations. - - - Thanks to some recent migrations, this release, or something very close to it, is powering over 40 million internet connections that - we know of. We appreciate hearing about successful as well as unsuccessful migrations, please feel free to notify pdns.bd@powerdns.com of your - experiences, good or bad. - - - Bug-fixes: - - - - The MThread default stack size was too small, which led to problems, mostly on 64-bit platforms. This stack size is now configurable - using the stack-size setting should our estimate be off. Discovered by Darren Gamble, Sten Spans and a number of others. - Fixed in c868. - - - - - Plug a small memory leak discovered by Kai and Darren Gamble, fixed in c870. - - - - - Switch from the excellent nedmalloc to dlmalloc, based on advice by the nedmalloc author. Nedmalloc is optimised for multithreaded - operation, whereas the PowerDNS recursor is single threaded. The version of nedmalloc shipped contained a number of possible bugs, - which are probably resolved by moving to dlmalloc. Some reported crashes on hitting 2G of allocated memory on 64 bit systems might - be solved by this switch, which should also increase performance. See c873 for details. 
- - - - - - Improvements: - - - - The cache is now explicitly aware of the difference between authoritative and unauthoritative data, allowing it to deal - with some domains that have different data in the parent zone than in the authoritative zone. Patch in c867. - - - - - No longer try to parse DNS updates as if they were queries. Discovered and fixed by Jan Gyselinck, fix in c871. - - - - - Rebalance logging priorities for less log cluttering and add IP address to a remote server error message. - Noticed and fixed by Jan Gyselinck (c877). - - - - - Add logging-facility setting, allowing syslog to send PowerDNS logging to a separate file. Added in c871. - - - - - - Recursor version 3.1.2 - - Released Monday 26th of June 2006. - - - Compared to 3.1.1, this release consists almost exclusively of bug-fixes and speedups. A quick update is recommended, as some of the bugs - impact operators of authoritative zones on the internet. This version has been tested by some of the largest internet providers on the planet, - and is expected to perform well for everybody. - - - Many thanks are due to Darren Gamble, Stefan Schmidt and Bryan Seitz who all provided excellent feedback based on their large-scale - tests of the recursor. - - - Bug-fixes: - - - - Internal authoritative server did not differentiate between 'NXDOMAIN' and 'NXRRSET', in other words, it would answer - 'no such host' when an AAAA query came in for a domain that did exist, but did not have an AAAA record. This only affects - users with auth-zones configured. Discovered by Bryan Seitz, fixed in c848. - - - - - ANY queries for hosts where nothing was present in the cache would not work. This did not cause real problems as ANY queries are - not reliable (by design) for anything other than debugging, but did slow down the nameserver and cause unnecessary load on remote - nameservers. Fixed in c854. 
- - - - - When exceeding the configured maximum amount of TCP sessions, TCP support would break and the nameserver would waste CPU trying to accept TCP - connections on UDP ports. Noted by Bryan Seitz, fixed in c849. - - - - - DNS queries come in two flavours: recursion desired and non-recursion desired. The latter is not very useful for a recursor, but is - sometimes (erroneously) used by monitoring software or load balancers to detect nameserver availability. A non-rd query would not only not recurse, - but also not query authoritative zones, which is confusing. Fixed in c847. - - - - - Non-standard DNS TCP queries, that did occur however, could drive the recursor to 100% CPU usage for extended periods of time. This did not disrupt service - immediately, but does waste a lot of CPU, possibly exhausting resources. Discovered by Bryan Seitz, fixed in c858, which is post-3.1.2-rc1. - - - - - The PowerDNS recursor did not honour the rare but standardised 'ANY' query class (normally 'ANY' refers to the query type, not class), upsetting the Wildfire - Jabber server. Discovered and debugged by Daniel Nauck, fixed in c859, which is post-3.1.2-rc1. - - - - - Everybody's favorite, when starting up under high load, a bogus line of statistics was sometimes logged. Fixed in c851. - - - - - Remove some spurious debugging output on dropping a packet by an unauthorized host. Discovered by Kai. Fixed in c854. - - - - - - Improvements: - - - - Misconfigured domains, with a broken nameserver in the parent zone, should now work better. Changes motivated and suggested by - Darren Gamble. This makes PowerDNS more compliant with RFC 2181 by making it prefer authoritative data over non-authoritative data. - Implemented in c856. - - - - - PowerDNS can now listen on multiple ports, using the local-address setting. Added in c845. 
- - - - - A number of speedups which should have a noticeable impact, implemented in commits C850, C852, C853, C855 - - - - - The recursor now works around an issue with the Linux kernel 2.6.8, as shipped by Debian. Fixed by Christof Meerwald in c860, which is post 3.1.2-rc1. - - - - - - Recursor version 3.1.1 - - - - 3.1.1 is identical to 3.1 except for a bug in the packet chaining code which would mainly manifest itself for IPv6 enabled Konqueror - users with very fast connections to their PowerDNS installation. However, all 3.1 users are urged to upgrade to 3.1.1. - Many thanks to Alessandro Bono for his quick aid in solving this problem. - - - - - Released on the 23rd of May 2006. Many thanks are due to the operators of some of the largest internet access providers in the world, - each having many millions of customers, who have tested the various 3.1 pre-releases for suitability. They have uncovered and helped - fix bugs that could impact us all, but are only (quickly) noticeable with such vast amounts of DNS traffic. - - - After version 3.0.1 has proved to hold up very well under tremendous loads, 3.1 adds important new features: - - - - Ability to serve authoritative data from 'BIND' style zone files (using auth-zones statement). - - - - - Ability to forward domains so configured to external servers (using forward-zones). - - - - - Possibility of 'serving' the contents of /etc/hosts over DNS, which is very well - suited to simple domestic router/DNS setups. Enabled using export-etc-hosts. - - - - - As recommended by recent standards documents, the PowerDNS recursor is now authoritative for RFC-1918 private IP space - zones by default (suggested by Paul Vixie). - - - - - Full outgoing IPv6 support (off by default) with IPv6 servers getting equal treatment with IPv4, nameserver - addresses are chosen based on average response speed, irrespective of protocol. - - - - - Initial Windows support, including running as a service ('NET START "POWERDNS RECURSOR"'). 
rec_channel is still missing, - the rest should work. Performance appears to be below that of the UNIX versions, this situation is expected to improve. - - - - - - Bug fixes: - - - - No longer send out SRV and MX record priorities as zero on big-endian platforms (UltraSPARC). Discovered by Eric Sproul, fixed in c773. - - - - - SRV records need additional processing, especially in an Active Directory setting. Reported by Kenneth Marshall, fixed in c774. - - - - - The root-records were not being refreshed, which could lead to problems under inconceivable conditions. Fixed in c780. - - - - - Fix resolving domain names for nameservers with multiple IP addresses, with one of these addresses being lame. Other nameserver implementations - were also unable to resolve these domains, so not a big bug. Fixed in c780. - - - - - For a period of 5 minutes after expiring a negative cache entry, the domain would not be re-cached negatively, leading to a lot of duplicate - outgoing queries for this short period. This fix has raised the average cache hit rate of the recursor by a few percent. Fixed in c783. - - - - - - Query throttling was not aggressive enough and not all sorts of queries were throttled. Implemented in c786. - - - - - - Fix possible crash during startup when parsing empty configuration lines (c807). - - - - - Fix possible crash when the first query after wiping a cache entry was for the just deleted entry. Rare in production servers. Fixed in c820. - - - - - Recursor would send out differing TTLs when receiving a misconfigured, standards violating, RRSET with different TTLs. Implement fix as mandated by - RFC 2181, paragraph 5.2. Reported by Stephen Harker (c819). - - - - - The top-remotes would list remotes more than once, once per source port. Discovered by Jorn Ekkelenkamp, fixed in c827, which is post 3.1-pre1. - - - - - Default allow-from allowed queries from fe80::/16, corrected to fe80::/10. Spotted by Niels Bakker, fixed in c829, which is post 3.1-pre1. 
- - - - - While PowerDNS blocks failing queries quickly, multiple packets could briefly be in flight for the same domain and nameserver. This situation is now - explicitly detected and queries are chained to identical queries already in flight. Fixed in c833 and c834, post 3.1-pre1. - - - - - - Improvements: - - - - ANY queries are now implemented as in other nameserver implementations, leading to a decrease in outgoing queries. The RFCs are not very - clear on desired behaviour, what is implemented now saves bandwidth and CPU and brings us in line with existing practice. Previously - ANY queries were not cached by the PowerDNS recursor. Implemented in c784. - - - - - rec_control was very sparse in its error reporting, and user unfriendly as well. Reported by Erik Bos, fixed in c818 and c820. - - - - - IPv6 addresses were printed in a non-standard way, fixed in c788. - - - - - TTLs of records are now capped at two weeks, c820. - - - - - allow-from IPv4 netmasks now automatically work for IP4-to-IPv6 mapper IPv4 addresses, which appear when running on the wildcard - :: IPv6 address. Lack of feature noted by Marcus 'darix' Rueckert. Fixed in c826, which is post 3.1-pre1. - - - - - Errors before daemonizing are now also sent to syslog. Suggested by Marcus 'darix' Rueckert. Fixed in c825, which is post 3.1-pre1. - - - - - When launching without any form of configured network connectivity, all root-servers would be cached as 'down' for some time. Detect this special case - and treat it as a resource-constraint, which is not accounted against specific nameservers. Spotted by Seth Arnold, fixed in c835, which is post 3.1-pre1. - - - - - The recursor now does not allow authoritative servers to keep supplying its own NS records into perpetuity, which causes problems - when a domain is redelegated but the old authoritative servers are not updated to this effect. 
Noticed and explained at length by Darren - Gamble of Shaw Communications, addressed by c837, which is post 3.1-pre2. - - - - - Some operators may want to follow RFC 2181 paragraph 5.2 and 5.4. This harms performance and does not solve any real problem, - but does make PowerDNS more compliant. If you want this, enable auth-can-lower-ttl. Implemented in c838, which is - post 3.1-pre2. - - - - - - Recursor version 3.0.1 - - Released 25th of April 2006, download. - - - This release consists of nothing but tiny fixes to 3.0, including one with security implications. An upgrade is highly recommended. - - - - - - Compilation used both cc and gcc, leading to the possibility of compiling with different compiler versions (c766). - - - - - rec_control would leave files named lsockXXXXXX around in the configured socket-dir. Operators - may wish to remove these files from their socket-dir (often /var/run), quite a few might have accumulated already (c767). - - - - - - Certain malformed packets could crash the recursor. As far as we can determine these packets could only lead to a crash, - but as always, there are no guarantees. A quick upgrade is highly recommended (commits C760, C761). Reported by David Gavarret. - - - - - - Recursor would not distinguish between NXDOMAIN and NXRRSET (c756). Reported and debugged by Jorn Ekkelenkamp. - - - - - Some error messages and trace logging statements were improved (commits C756, C758, C759). - - - - - stderr was closed during daemonizing, but not dupped to /dev/null, leading to slight chance of odd behaviour on reporting errors (c757) - - - - Operating system specific fixes: - - - - The stock Debian sarge Linux kernel, 2.6.8, claims to support epoll but fails at runtime. The epoll self-testing code has been improved, - and PowerDNS will fall back to a select based multiplexer if needed (c758) Reported by Michiel van Es. - - - - - Solaris 8 compilation and runtime issues were addressed. See the README for details (c765). 
Reported by Juergen Georgi and Kenneth Marshall. - - - - - Solaris 10 x86_64 compilation issues were addressed (c755). Reported and debugged by Eric Sproul. - - - - - - Recursor version 3.0 - - Released 20th of April 2006, download. - - - This is the first separate release of the PowerDNS Recursor. There are many reasons for this, one of the most important ones is that - previously we could only do a release when both the recursor and the authoritative nameserver were fully tested and in good shape. The split - allows us to release new versions when each part is ready. - - - Now for the real news. This version of the PowerDNS recursor powers the network access of over two million internet connections. Two large - access providers have been running pre-releases of 3.0 for the past few weeks and results are good. Furthermore, the various pre-releases - have been tested nearly non-stop with DNS traffic replayed at 3000 queries/second. - - - As expected, the 2 million households shook out some very rare bugs. But even a rare bug happens once in a while when there are this many users. - - - We consider this version of the PowerDNS recursor to be the most advanced resolver publicly available. Given current levels of spam, phishing - and other forms of internet crime we think no recursor should offer less than the best in spoofing protection. We urge all - operators of resolvers without proper spoofing countermeasures to consider PowerDNS, as it is a Better Internet Nameserver Daemon. - - - A good article on DNS spoofing can be found here. Some - more information, based on a previous version of PowerDNS, can be found on the - PowerDNS development blog. - - - - - Because of recent DNS based denial of service attacks, running an open recursor has become a security risk. Therefore, unless configured otherwise - this version of PowerDNS will only listen on localhost, which means it does not resolve for hosts on your network. 
- To fix, configure the local-address setting with all addresses you want to listen on. Additionally, by default - service is restricted to RFC 1918 private IP addresses. Use allow-from to selectively open up the recursor - for your own network. See for details. - - - - - Important new features of the PowerDNS recursor 3.0: - - - - Best spoofing protection and detection we know of. Not only is spoofing made harder by using a new network address for each query, - PowerDNS detects when an attempt is made to spoof it, and temporarily ignores the data. For details, see . - - - - - First nameserver to benefit from epoll/kqueue/Solaris completion ports event reporting framework, for stellar performance. - - - - - Best statistics of any recursing nameserver we know of, see . - - - - - Last-recently-used based cache cleanup algorithm, keeping the 'best' records in memory - - - - - First class Solaris support, built on a 'try and buy' Sun CoolThreads T 2000. - - - - - Full IPv6 support, implemented natively. - - - - - Access filtering, both for IPv4 and IPv6. - - - - - Experimental SMP support for nearly double performance. See . - - - - - - Many people helped package and test this release. Jorn Ekkelenkamp of ISP-Services helped find the '8000 SOAs' bug and spotted - many other oddities and XS4ALL internet funded a lot of the recent development. - Joaquín M López Muñoz of the boost::multi_index_container was again of great help. - - - Version 2.9.20 - - Released the 15th of March 2006 - - - Besides adding OpenDBX, this release is mostly about fixing problems and speeding up the recursor. This release has been made possible by - XS4ALL and True. Thanks! - - - Furthermore, we are very grateful for the help of Andrew Pinski, who hacks on gcc, and of Joaquín M López Muñoz, the - author of boost::multi_index_container. Without their - near-realtime help this release would've been delayed a lot. Thanks! 
- - - Bugs fixed in the recursor: - - - - Possible stability issues in the recursor on encountering errors (c532, c533) - - - - - Memory leaks in recursor fixed (c534, c572). In a test 800 million real life DNS packets have been sent to the - recursor, representing several days of traffic from a major ISP, memory use was high (500MB), but stable. - - - - - Prune all data in PowerDNS - previously per-nameserver and per-query performance - statistics were kept around forever (c535) - - - - - IPv6 additional processing was broken. Reported by Lionel Elie Mamane, who also provided a fix. The problem - was fixed differently in the end. c562. - - - - - pdns_recursor did not shuffle answers since 2.9.19, leading to problems sending mail to the Hotmail servers. - Reported in t54, fixed in c567. - - - - - If a single nameserver had multiple IP addresses listed, PowerDNS would only use one of them. Noted by - Mark Martin, fixed in c570, who depends on a domain with 4 nameserver IP addresses of which 2 are broken. - - - - - - - - Improvements to the recursor: - - - - Commits C535, C540, C541, C542, C543, C544, C545, C547 and C548, C574 all speed up the recursor by a large factor, - without altering the DNS algorithm. - - - - - Move recursor to the incredible boost::multi_index_container (c580). This brings a huge improvement - in cache pruning times. - - - - - c549 and c550 work around gcc bug 24704 - if requested, which speeds up the recursor a lot, but involves a dirty hack. Enable with - ./configure --enable-gcc-skip-locking. No guarantees! - - - - - Bugs fixed in the authoritative nameserver: - - - - PowerDNS would no longer allow a '/' in domain names, fixed by c537, reported in t48. - - - - - Parameters to pdns_control notify-host were not checked, leading to - possible crashes. Reported in t24, fixed in c565. - - - - - On some compilers, processing of NAPTR records could cause the server to crash. Reported by Bernd Froemel - in t29, fixed in c538. 
- - - - - Backend errors could make the whole nameserver exit under some circumstances, notably using the LDAP backend. Fixed in c583, reported in - t62. - - - - - Referrals were subtly broken by recent CNAME/Wildcard improvements, fixed in c539. Fix and other - improvements sponsored by True. - - - - - PowerDNS would try to insert records it has no knowledge about in slave zones, which did not work. Reported - in t60, fixed in c566. A superior fix would be to implement the relevant unknown record standard. - - - - Improvements to the authoritative nameserver: - - - - Pipebackend did not properly propagate the ABI version to its children, fixed in c546, reported by - kickdaddy@gmail.com in t45. - - - - - OpenDBX backend added - (c559, c560, c561) by Norbert Sendetzky. From the website: - - The OpenDBX backend enables it to fetch DNS information from every DBMS supported by the OpenDBX library - and combines the power of one of the best DNS server implementations with the flexibility of the OpenDBX - library. - - OpenDBX adds some other features like database failover. Thanks Norbert! - - - - - LDAP fixes as reported in t37, fixed in c558, which make pdns_control notify - work. - - - - - Arjo Hooimeijer added support for soa-refresh-default, soa-retry-default, - soa-expire-default, which were previously hardcoded. c563 and fallout in c573 (thanks to Wolfram Schlich). - - - - Miscellaneous: - - - - Fixes for g++ 4.1. Compiling with 4.1 realizes notable speedups. c568, c569. - - - - - PowerDNS now reports if it is running in 32 or 64 bit mode, useful for bi-arch users that need - to know if they are benefitting from AMD's great processor. c571. - - - - - dnsscope compiles again, c551, c564 (FreeBSD 64-bit time_t). - - - - - dnsreplay_mindex compiles again, fixed by c572. Its performance, and the performance of the recursor - was improved by c559. - - - - - Build scripts were added, mostly for internal use but we know some PowerDNS users build their - own packages too. 
c553, c554, c555, c556, c557. - - - - - bootstrap script was not included in release. Thanks to Stefan Arentz for noticing. Fixed in c574. - - - - - - Version 2.9.19 - - Released 29th of October 2005. - - - As with other recent releases, the usage of PowerDNS appears to have skyrocketed. Informal, though strict, measurements show - that PowerDNS now powers around 50% of all German domains, and somewhere in the order of 10-15% of the rest of the world. Furthermore, - DNS is set to take a central role in connecting Voice over IP providers, with PowerDNS offering a very good feature set for these ENUM - deployments. PowerDNS is already powering the E164.info ENUM zone and also acts as the backend for a major VoIP provisioning platform. - - - Included in this release is the now complete packet parsing/generating, record parsing/generating infrastructure. Furthermore, - this framework is used by the recursor, hopefully making it very fast, memory efficient and robust. Many records are now processed - using a single line of code. This has made the recursor a lot stricter in packet parsing, you will see some error messages - which did not appear before. Rest assured however that these only happen for queries which have no valid answer in any case. - - - Furthermore, support for DNSSEC records is available in the new infrastructure, although is should be emphasised that there is more - to DNSSEC than parsing records. There is no real support for DNSSEC (yet). - - - Additionally, the BIND Backend has been replaced by what was up to now known as the 'Bind2Backend'. Initial benchmarking appears - to show that this backend is faster, uses less memory and has shorter startup times. The code is also shorter. - - - This release fixes a number of embarrassing bugs and is a recommended upgrade. - - - Thanks are due to XS4ALL who are supporting continuing development of PowerDNS, - the fruits of which can be found in this release already. 
Furthermore, a remarkable number of people have helped report bugs, - validate solutions or have submitted entire patches. Many thanks! - - - Improvements: - - - - dnsreplay now has a help message and has received further massive updates, making the code substantially faster. It turns out that dnsreplay - is often 'heavier' than the PowerDNS process being benchmarked. - - - - - PowerDNS recursor no longer prints out its queries by default as most recursor deployments have too much traffic - for this to be useful. - - - - - PowerDNS recursor is now able to read its root-hints from disk, which is useful to operate with - alternate roots, like the Open Root Server Network. See - . - - - - - PowerDNS can now send out old-fashioned root-referrals when queried for domains for which it is not authoritative. Wastes some bandwidth - but may solve incoming query floods if domains are delegated to you for which you are not authoritative, but which are queried by broken - recursors. - - - - - PowerDNS now prints out a warning when running with legacy LinuxThreads implementation instead of the high performance NPTL - library. c455. - - - - - A lot of superfluous calls to gettimeofday() have been removed, making PowerDNS and especially the recursor faster. Suggested by Kai. - - - - - SPF records are now supported natively. c472, closing t22. - - - - - Improved IPv6 'bound to' messages. Thanks to Niels Bakker, Wichert Akkerman and Gerty de Wolf for suggestions. - - - - - Separate graphs can now be made of IPv6 queries and answers. c485. - - - - - Out of zone additional processing is now on by default to better comply with standards. c487. - - - - - Regression tests have been expanded to deal with more record types (SRV, NAPTR, TXT, duplicate SRV). - - - - - Improved query-logging in Bindbackend, which can be used for debugging purposes. - - - - - Dropped libpcap dependency, making compilation easier - - - - - pdns_control now has a help message. 
- - - - - Add RRSIG, DNSKEY, DS and NSEC records for DNSSEC-bis to new parser infrastructure. - - - - - Recursor now honours EDNS0 allowing it to send out larger answers. - - - - - - - Bugs fixed: - - - - Domain name validation has been made a lot stricter - it turns out PostgreSQL was interpreting some (corrupt) domain names - as unicode. Tested and suggested by Register.com (c451). - - - - - LDAP backend did not compile (commits C452, C453) due to partially applied patch (Norbert Sendetzky) - - - - - Incoming zone transfers work reliably again. Fixed in c460 and beyond. And c523 - closing Debian bug 330184. - - - - - Recent g++ versions exposed a mistake in the PowerDNS recursor cache pruning code, causing random crashes. Fixed in c465. Reported by - several Red Hat users. - - - - - PowerDNS recursor, and MTasker in general, did not work on Solaris. Patch by Juergen Ilse, c471. Also moved most of PowerDNS over to - uint32_t style typedefs, which eases compilation problems on Solaris, c477. - - - - - Bindbackend2 did not properly search its include path for $INCLUDE statements. Noted by Mark Bergsma, c474. - - - - - Bindbackend did not notice changed zones, this problem has been fixed by the move to Bind2. - - - - - Pipebackend did not clean up, leading to an additional pipe backend per AXFR or pdns_control reload. Discovered by Marc Jauvin, fixed by c525. - - - - - - Bindbackend (both old and current versions) did not honour 'include' statements in named.conf - on pdns_control rediscover. Noted by Marc Jauvin, fixed by c526. - - - - - Zone transfers were sometimes shuffled, which wastes useless time, c478. - - - - - CNAMEs and Wildcards now work as in Bind, fixing many complaints, c487. - - - - - NAPTR records were compressed, which would work, but was in violation of the RFC, commit 493. - - - - - NAPTR records were not always parsed correctly from BIND zone files, fixed, commit 494. 
- - - - - Geobackend needed additional include statement to compile on more recent Linux distributions, commit 496. - - - - - - Version 2.9.18 - - Released on the 16th of July 2005. - - - The '8 million domains' release, which also marks the battle readiness of the PowerDNS Recursor. The latest improvements have been made possible - by financial support and contributions by Register.com and - XS4ALL. Thanks! - - - This release brings a number of new features (vastly improved recursor, Generic Oracle Support, DNS analysis and replay tools, and more) - but also has a new build dependency, the Boost library (version 1.31 or higher). - - - Currently several big ISPs are evaluating the PowerDNS recursor for their resolving needs, some of them have switched already. - In the course of testing, over 350 million actual queries have been recorded and replayed, the answers turn out to be satisfactorily. - - - This testing has verified that the pdns recursor, as shipped in this release, can stand up to heavy duty ISP loads - (over 20000 queries/second) and in fact does so better than major other nameservers, giving more complete answers and being faster to boot. - - - We invite ISPs who note recursor problems to record their problematic traffic and replay it using the tools described in - to discover if PowerDNS does a better job, and to let us know the results. - - - Additionally, the bind2backend is almost ready to replace the stock bind backend. If you run with Bind zones, you are cordially invited - to substitute 'launch=bind2' for 'launch=bind'. This will happen automatically in 2.9.19! - - - In other news, the entire Wikipedia constellation now runs on PowerDNS using the Geo Backend! Thanks to Mark Bergsma - for keeping us updated. - - - There are two bugs with security implications, which only apply to installations running with the LDAP backend, or installations providing recursion - to a limited range of IP addresses. 
If any of these apply to you, an upgrade is highly advised: - - - - The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, - but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot) - - - - - Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. - This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and - not a denial of a domain's existence. - - - - - - General bugs fixed: - - - - TCP authoritative server would not relaunch a backend after failure (reported by Norbert Sendetzky) - - - - - Fix backend restarting logic (reported, and fix suggested by Norbert Sendetzky) - - - - - Launching identical backends multiple times, with different settings, did not work. Reported by Mario Manno. - - - - - - Master/slave queries did not honour the query-local-address setting. Spotted by David Levy of Register.com. - The fix also randomises the local port used, slightly improving security. - - - - - - Compilation fixes: - - - - Fix compile on Solaris, they define 'PC' for some reason. Reported by Eric Yiu. - - - - - PowerDNS recursor would not compile on FreeBSD due to Linux specific defines, as reported in cvstrac ticket 26 (Ralf van der Enden) - - - - - Several 64 bits issues have been fixed, especially in the Logging subsystem. - - - - - SSQLite would fail to compile on recent Debian systems (Matthijs Möhlmann) - - - - - Generic MySQL would not compile on 64-bit platforms. - - - - - - Improvements: - - - - PowerDNS now reports stray command line arguments, like when running '--local-port 5300' instead of '--local-port=5300'. Reported by Christian Welzel. - - - - - We now warn against erroneous logging-facility specification, ie specifying an unknown facility. 
- - - - - --version now outputs gcc version used, so we can tell people 2.95 is no longer supported. - - - - - Extended regression tests, moved them to the new 'sdig' tool (see below). - - - - - Bind2backend is now blazingly fast, and highly memory efficient to boot. As a special bonus it can read gzipped zones directly. The '.NET' zone - is hosted using 401MB of memory, the same size as the zone on disk. - - - - - The Pipe Backend has been improved such that it can send out different answers based on the IP address the question was received ON. See - for how this changed the Pipe Backend protocol. Note that you need to set - pipebackend-abi-version to benefit from this change, existing clients are not affected. Change and documentation contributed - by Marc Jauvin of Register4Less. - - - - - LDAP backend has been updated (Norbert Sendetzky). - - - - - - Recursor improvements and fixes. - See for details. The changes below mean that all of the caveats listed for the recursor have now been addressed. - - - - After half an hour of uptime, the entire cache would be pruned for each packet, which is a tad slow. It now appears - the pdns recursor is among the fastest around. - - - - - Under high loads, or when unlucky, some query mthreads would get 'stuck', and show up in the statistics as eternally running queries. - - - - - Lots of redundant gettimeofday() and time() calls were removed, which has resulted in a measurable speedup. - - - - - pdns_recursor can now listen on several addresses simultaneously. - - - - - Now supports setuid and setgid operation to allow running as a less privileged user (Bram Vandoren). - - - - - Return code of pdns_recursor binary did not make sense (Matthijs Möhlmann and Thomas Hood) - - - - - Timeouts and errors are now split out in statistics. - - - - - Many people reported broken statistics, it turned out that no statistics were being reported if there had been no questions to base them on. - We now log a message to that effect. 
- - - - - Add query-local-address support, which allows the recursor to send questions from a specific IP address. Useful - for anycast setups. - - - - - Add outgoing TCP query support and proper truncated answer support. Needed for Worldnic Denial of Service protection, which - sends out truncated packets to force clients to connect over TCP, which prevents spoofing. - - - - - Properly truncate our own answers. - - - - - Improve our TCP answers by using writev, which is slightly friendlier to the network. - - - - - On FreeBSD, TCP errors could cause the recursor to exit suddenly due to a SIGPIPE signal. - - - - - Maximum number of simultaneous client TCP connections can now be limited with the max-tcp-clients setting. - - - - - Add aggressive timeouts for TCP clients to make sure resources are not wasted. Defaults to two seconds, can be - configured with the client-tcp-timeout setting. - - - - - - Backend fixes: - - - - SQLite backend would not slave properly (Darron Broad) - - - - - Generic MySQL would not compile on 64-bit platforms. - - - - - - New technology: - - - - Added the new DNS parser logic, called MOADNSParser. Completely modular, every memory access checked. - - - - - 'sdig', a simple dig work-alike with 'canonical' output, which is used for the regression tests. Based on the new DNS parser logic. - - - - - dnswasher, dnsreplay and dnsscope, all DNS analysis tools. - See - for more details. - - - - - Generic Oracle Backend, sponsored by Register.COM. See . - - - - - - - Version 2.9.17 - - See the new timeline for progress reports. - - - The 'million domains' release - PowerDNS has now firmly established itself as a major player with the - unofficial count (ie, guesswork) now at over two million PowerDNS domains! Also, the GeoBackend has been tested - by a big website and may soon see wider deployment. Thanks to Mark Bergsma for spreading the word! - - - It is also a release with lots of changes and fixes. Take care when deploying! 
- - - Security issues: - - - - PowerDNS could be temporarily DoSed using a random stream of bytes. Reported cause of this has been fixed. - - - - - - Enhancements: - - - - Reported version can be changed, or removed - see the "version-string" setting. - - - - - Duplicate MX records are now no longer considered duplicate if their priorities differ. Some people need this feature for - spam filtering. - - - - - - Bug fixes: - - - - NAPTR records can now be slaved, patch by Lorens Kockum. - - - - - GMySQL now works on Solaris - - - - - PowerDNS could be confused by questions with a %-sign in them - fixing cvstrac ticket #16 (reported by dilinger at voxel.net) - - - - - - An authentication bug in the webserver was possibly fixed, please report if you were suffering from this. Being unable - to authenticate to the webserver was what you would've noticed. - - - - - Fix for cvstrac ticket #2, PowerDNS could lose sync when sending out a very large number of notifications. Excellent bug report - by Martin Hoffman, who also improved our original bugfix. - - - - - Fix the oldest PowerDNS bug in existence - under some circumstances, PowerDNS would log to syslog one character at a time. - This was cvstrac ticket #4 - - - - - HINFO records can now be slaved, fixing cvstrac ticket #8. - - - - - pdns_recursor could block under some circumstances, especially in case of corrupt UDP packets. Reported by Wichert Akkerman. Fix by - Christopher Meer. This was cvstrac ticket #13. - - - - - Large SOA serial numbers would sometimes be logged as a signed integer, leading to negative numbers in the log. - - - - - PowerDNS now fully supports 32 bit SOA serial numbers (thanks to Mark Bergsma), closing cvstrac ticket #5. - - - - - pdns_recursor --local-address help text was wrong. - - - - - Very devious bug - PowerDNS did not clear its cache before sending out update notifications, leading slaves - to conclude there was no update to AXFR. Excellent debugging by mkuchar at wproduction.cz. 
- - - - - Probably fixed cvstrac ticket #26, which caused pdns_recursor to fail on recent FreeBSD 5.3 systems. Please check, - I have no such system to test on. - - - - - Geobackend did not get built for Debian. - - - - - - Version 2.9.16 - - The 'it must still be Friday somewhere' release. Massive number of fixes, portability improvements and - the new Geobackend by Mark Bergsma & friends. - - - New: - - - - The Geobackend which makes it possible to send different answers to different IP ranges. Initial documentation - can be found in pdns/modules/geobackend/README. - - - - - qgen query generation tool. Nearly completely undocumented and hard to build too, it requires Boost. But very - spiffy. Use cd pdns; make qgen to build it. - - - - - - Bugfixes: - - - - The most reported bug ever was fixed. Zone2sql required the inclusion of unistd.h, except on Debian unstable. - - - - - PowerDNS tried to listen on its control "pipe" which does not work. Probably harmless, but might have caused some - oddities. - - - - - The Packet Cache did not always set its TTL immediately, causing some packets to be inserted, even when running - with the cache disabled (Mark Bergsma). - - - - - Valgrind found some uninitialized reads, causing bogus values in the priority field when it was not needed. - - - - - Valgrind found a bug in MTasker where we used delete instead of delete[]. - - - - - SOA serials and other parameters are unsigned. - This means that very large SOA serial numbers would be messed up (Michel Stol, Stefano Straus) - - - - - PowerDNS left its controlsocket around after exit and reported confusing errors if a socket was - already in use. - - - - - The recursor proxy did not work on big endian systems like SPARC and some MIPS processors (Remco Post) - - - - - We no longer dump core on processing LOC records on UltraSPARC (Andrew Mulholland supplied a testing machine) - - - - - - Improvements: - - - - MySQL can now connect to a specified port again (Chris Anderton). 
- - - - - When running chroot()ed and with master or slave support active, PowerDNS needs to resolve domain names - to find slaves. This in turn may require access to certain libraries. Previously, these needed to be available - in the chroot directory but by forcing an initial lookup, these libraries are now loaded before the chrooting. - - - - - pdns_recursor was very slow after having done a larger number of queries because of the checks - to see if a query should be throttled. This is now done using a set which is a lot faster than the previous - full sequential scan. - - - - - The throttling code may not have throttled as much as was configured. - - - - - Yet another big LDAP update. The LDAP backend now load balances connections over several hosts (Norbert Sendetzky) - - - - - Updated b.root-servers.net address in the recursor - - - - - - - Version 2.9.15 - - This release fixes up some of the shortcomings in 2.9.14, and adds some new features too. - - - Bugfixes: - - - - allow-recursion-override was on by default, it was meant to be off. - - - - - Logging was still off in daemon mode, fixed. - - - - - debian/rules forgot to build an sqlite package - - - - - Recursor accidentally linked in MySQL - this was the result of an experiment with a persistent recursor cache. - - - - - The PowerDNS recursor had stability problems. It now sorts nameservers (roughly) by responsiveness. The 'roughly' part - upset the sorting algorithm used, the speeds being sorted on changed during sorting. - - - - - The recursor now outputs the nameserver average response times in trace mode - - - - - LDAP compiles again. - - - - - - Improvements: - - - - zone2sql can now accept - as a file name which causes it to read stdin. This allows the following - to work: dig axfr example.org | zone2sql --gmysql --zone=- | mysql pdns, which is a nice way to - import a zone. - - - - - zone2sql now ignores duplicate SOA records which are identical - which also makes the above possible. 
- - - - - Remove libpqpp dependencies - since we now use the native C API for PostgreSQL - - - - - - Version 2.9.14 - - Big release with the fix for the all important 2^30 seconds problem and a lot of other news. - - - - - - errno problems would cause compilation problems when using LDAP (Norbert Sendetzky) - - - - - The Generic SQL backend could cause crashes on PostgreSQL when using pdns_control notify (Georg Bauer) - - - - - Debian compatible init.d script (Wichert Akkerman) - - - - - If using the master or slave features, pdns had the notion of eternity ending in 2038, except that due - to a thinko, eternity ended out to be the 10th of January 2004. This caused a loop to timeout immediately. - Many thanks to Jasper Spaans for spotting the bug within five minutes. - - - - - Parts of the SOA field were not canonicalized. - - - - - The loglevel could in fact cause nothing to be logged (Norbert Sendetzky) - - - - - - Improvements: - - - - The recursor now chooses the fastest nameserver, which causes a big speedup! - - - - - LDAP now has different lookup models - - - - - Cleanups, better load distribution, better exception handling, zone2ldap improvements - - - - - The recursor was somewhat chatty about TCP connections - - - - - PostgreSQL now only depends on the C API and not on the deprecated C++ one - - - - - PowerDNS can now fully overrule external zones when doing recursion. See . - - - - - - Version 2.9.13 - - Big news! Windows is back! Our great friend Michel Stol found the time to update the PowerDNS code so it works - again under windows. - - - Furthermore, big thanks go out to Dell who quickly repaired my trusty laptop. - - - His changes: - - - - Generic SQLite support added - - - - - Removed the ODBC backend, replaced it by the Generic ODBC Backend, which has all the cool configurability - of the Generic MySQL and PostgreSQL backends. - - - - - The PowerDNS Recursor now runs as a Service. 
It defaults to running on port 5300, PowerDNS itself is configured - to expect the Recursor on port 5300 now. - - - - - The PowerDNS Service is now known as 'PowerDNS' to Windows. - - - - - The Installer was redone, this time with NSIS2. - - - - - General updates and fixes. - - - - - - Other news: - - - - - There appears to be a problem with PowerDNS on Red Hat 7.3 with GCC 2.96 and self-compiled binaries. The symptoms are - that PowerDNS works on the foreground but fails as a daemon. We're working on it. - - - If you do note problems, let the list know, if you don't, please do so as well. Tell us if you use the RPM or - compiled yourself. - - - It is known that not compiling in MySQL support helps solve the problem, but then you don't have MySQL. - - - - - There have been a number of reports on MySQL connections being dropped on FreeBSD 4.x, which sometimes causes PowerDNS to give up and reload itself. - To combat this, MySQL error messages have been improved in some places in hopes of figuring out what is up. The initial indication is - that MySQL itself sometimes terminates the connection and, amazingly, that switching to a Unix domain socket instead of TCP solves - the problem. - - - Bug fixes: - - - - allow-axfr-ips did not work for individual IP addresses (bug & fix by Norbert Sendetzky) - - - - - - - Improvements: - - - - Opteron support! Thanks to Jeff Davey for providing a shell on an Opteron. The fixes should - also help PowerDNS on other platforms with a 64 bit userspace. - - - Btw, the PowerDNS team has a strong desire for an Opteron :-) - - - - - pdns_recursor jumbles answers now. This means that you can do poor man's round robin - by supplying multiple A, MX or AAAA records for a service, and get a random one on top - each time. Interestingly, this feature appeared out of nowhere, this change was made to the - authoritative code but due to the wonders of code-reuse had an effect on pdns_recursor too. - - - - - Big LDAP cleanup. 
Support for TLS was added. Zone2LDAP also gained the ability to - generate ldif files containing a tree or a list of entries. (Norbert Sendetzky) - - - - - Zone2sql is now somewhat clearer when reporting malformed line errors - it did not always - include the name of the file causing a problem, especially for big installations. Problem noted - by Thom May. - - - - - pdns_recursor now survives the expiration of all its root records, most often caused by prolonged - disconnection from the net. - - - - - - - Version 2.9.12 - - Release rich in features. Work on Verisign oddities, addition of SQLite backend, pdns_recursor maturity. - - - New features: - - - - --version command (requested by Mike Benoit) - - - - - delegation-only, a Verisign special. - - - - - Generic SQLite support, by Michel 'Who da man?' Stol. See . - - - - - init.d script for pdns_recursor - - - - - Recursor now actually purges its cache, saving memory. - - - - - Slave configuration now no longer falls over when presented with a NULL master - - - - - Bindbackend2 now has supermaster support (Mark Bergsma, untested) - - - - - Answers are now shuffled! It turns out a few recursors don't do shuffling (pdns_recursor, djbdns), so we do it now. Requested by Jorn Ekkelenkamp of ISP-Services. This means that if you have - multiple IP addresses for one host, they will be returned in differing order every once in a while. - - - - - - Bugs: - - - - - - 0.0.0.0/0 didn't use to work (Norbert Sendetzky) - - - - - pdns_recursor would try to resolve IP address which to bind to, potentially causing chicken/egg problem - - - - - gpgsql no longer reports as gmysql (Sherwin Daganoto) - - - - - SRV would not be parsed right from disk (Christof Meerwald) - - - - - An AXFR from a zone hosted on the LDAP backend no longer transmits all the reverse entries too (Norbert Sendetzky) - - - - - PostgreSQL backend now does error checking. It would be a bit too trusting before. 
- - - - - - Improvements, cleanups: - - - - PowerDNS now reports the numerical IP addresses it binds to instead of the, possibly, alphanumeric names the operator passed. - - - - - Removed only-soa hackery (noticed by Norbert Sendetzky) - - - - - Debian packaging fixes (Wichert Akkerman) - - - - - Some parameter descriptions were improved. - - - - - Cleanups by Norbert: getAuth moved to chopOff, arguments::contains massive cleanup, more. - - - - - - - Version 2.9.11 - - Yet another iteration, hopefully this will be the last silly release. - - - - - There has been a change in behaviour whereby disable-axfr does what it means now! From now - on, setting allow-axfr-ips automatically disables AXFR from unmentioned subnets. - - - - - This release enables AXFR again, disable-axfr did the opposite of what it claimed. Furthermore, the pdns_recursor now cleans its cache, which should save some memory in the long run. Norbert contributed some small LDAP work which should come in useful in the future. - - - Version 2.9.10 - - Small bugfixes, LDAP update. Released 3rd of July 2003. Apologies for the long delay, real life keeps interfering. - - - - - Do not use or try to use 2.9.9, it was a botched release! - - - - - - - There has been a change in behaviour whereby disable-axfr does what it means now! From now - on, setting allow-axfr-ips automatically disables AXFR from unmentioned subnets. - - - - - - - - 2.9.8 was prone to crash on adding additional records. Thanks to excellent debugging by PowerDNS users worldwide, the bug was found - quickly and is in fact present in all earlier PowerDNS releases, but for some reason doesn't cause crashes there. - - - - - Notifications now jump in front of the queue of domains that need to be checked for changes, giving much greater perceived performance. - This is needed if you have tens of thousands of slave domains and your master server is on a high latency link. 
Thanks to Mark Jeftovic - of EasyDNS for suggesting this change and testing it on their platform. - - - - - Dean Mills reported that PowerDNS does confusing logging about changing GIDs and UIDs, fixed. Cosmetic only. - - - - - pdns_recursor may have logged empty lines for some users, fixed. Solution suggested by Norbert Sendetzky. - - - - - LDAP: DNS TTLs were random values (Norbert Sendetzky, Stefan Pfetzing). New ldap-default-ttl - option. - - - - - LDAP: Now works with OpenLDAP 2.1 (Norbert Sendetzky) - - - - - LDAP: error handling for invalid MX records implemented (Norbert Sendetzky) - - - - - LDAP: better exception handling (Norbert Sendetzky) - - - - - LDAP: code cleanup of lookup() (Norbert Sendetzky) - - - - - LDAP: added support for scoped searches (Norbert Sendetzky) - - - - - - Version 2.9.8 - - Queen's day release! 30th of April 2003. - - - Added support for AIX, fixed negative SOA caching. Some other cleanups. Not a major release but enough reasons to upgrade. - - - Bugs fixed: - - - - Recursor had problems expiring negatively cached entries, which wasted memory and also led to the continued non-existence of - hosts that since had come into existence. - - - - - The Generic SQL backends did not lowercase the names of records, which led to new records not being found by case sensitive - databases (notably PostgreSQL). Found by Volker Goetz. - - - - - NS queries for zones for which we did not carry authority, but only had delegation information, had their NS records in the - wrong section. Minor detail, but a standards violation nonetheless. Spotted by Stephane Bortzmeyer. - - - - - - Improvements: - - - - Removed crypt.h dependency from powerldap.hh, which was a problem on some platforms (Richard Arends) - - - - - PowerDNS can't parse so called binary labels which we now detect and ignore, after printing a warning. - - - - - Specifying allow-axfr-ips now automatically disables AXFR for all non-mentioned addresses. 
- - - - - A Solaris ready init.d script is now part of the tar.gz (contributed, but I lost by whom). - - - - - Added some fixes to PowerDNS can work on AIX (spotted by Markus Heimhilcher). - - - - - Norbert Sendetzky contributed zone2ldap. - - - - - Everybody's favorite compiler warning from zone2sql.cc was removed! - - - - - Recursor now listens on TCP! - - - - - - - Version 2.9.7 - - Released on 2003-03-20. - - - This is a sweeping release in the sense of cleanup. There are some new features but mostly a lot of cleanup going on. Hiding inside is the - bind2backend, the next generation of the bind backend. A work in progress. Those of you with overlapping zones, - as mentioned in the changelog of 2.9.6, are invited to check it out by replacing launch=bind - by launch=bind2 and renaming all bind- parameters to - bind2-. Be aware that if you run with many small zones, this backend is faster, but if you run with a few large ones, it is slower. This will improve. - - - Features: - - - - Mark Bergsma contributed query-local-address which allows the operator to select which source address to - use. This is useful on servers with multiple source addresses and the operating system selecting an unintended one, leading to - remotes denying access. - - - - - PowerDNS can now perform AAAA additional processing optionally, turned on by setting do-ipv6-additional-processing. - Thanks to Stephane Bortzmeyer for pointing out the need. - - - - - Bind2backend, which is almost in compliance with the new IETF AXFR-clarify (some would say - 'redefinition') draft. - - - This backend is not ready for primetime but you may want to try it if you currently have overlapping - zones and note problems. An overlapping zone would be having "ipv6.powerdns.com" and "powerdns.com" zones - on one server. - - - - - - Improvements: - - - - Zone2sql would happily try to read from a directory and not give a useful error about this. 
- - - - - PowerDNS now reports the case where it can't figure out any IP address of slave nameservers for a zone - - - - - Removed receiver-threads setting which was experimental and in fact only made things worse. - - - - - LDAP backend updates from its author Norbert Sendetzky. Reverse lookups should work now too. - - - - - An error message about unparseable packets did not include the originating IP address (fixed by Mark Bergsma) - - - - - PowerDNS can now be started via path resolution while running with a guardian. Suggested by Maurice Nonnekes. - - - - - pdns_recursor moved to sbin (reported by Norbert Sendetzky) - - - - - Retuned some logger errorlevels, a lot of master/slave chatter was logged as 'Error'. Reported by Willem de Groot. - - - - - - Bugs fixed: - - - - zone2sql did not remove trailing dots in SOA records. - - - - - ldapbackend did not include utility.hh which caused compilation problems on Solaris (reported by Remco Post) - - - - - pdns_control could leave behind remnants in case PowerDNS was not running (reported by dG) - - - - - Incoming AXFR did not work on Solaris and other big-endian systems (Willem de Groot helped debugging this long standing problem). - - - - - Recursor could crash on convoluted CNAME loops. Thanks to Dan Faerch for delivering core dumps. - - - - - Silly 'wuh' debugging output in zone2sql and bindbackend removed (spotted by Ivo van der Wijk). - - - - - Recursor neglected to differentiate between negative cache of NXDOMAIN and NOERROR, leading to problems - with IPv6 enabled Windows clients. Thanks to Stuart Walsh for reporting this and testing the fix. - - - - - PowerDNS set the 'aa' bit on serving NS records in a zone for which it was authoritative. Most implementations - drop the 'aa' bit in this case and Stephane Bortzmeyer informed us of this. PowerDNS now also drops the 'aa' - bit in this case. 
- - - - - The webserver tended to fail after prolonged operation on FreeBSD, this was due to an uninitialised timeout, other platforms were lucky. Thanks to G.P. de Boer for helping debug this. - - - - - getAnswers() in dnspacket.cc could be forced to read bytes beyond the end of the packet, leading to crashes in the - PowerDNS recursor. This is an ongoing project that needs more work. Reported by Dan Faerch, with a core dump proving the problem. - - - - - - - Version 2.9.6 - - Two new backends - Generic ODBC (windows only) and LDAP. Furthermore, a few important bugs have been fixed which may have hampered sites seeing a lot of - outgoing zone transfers. Additionally, the pdns recursor now has 'query throttling' which is pretty cool. In short this makes sure that PowerDNS - does not send out heaps of queries if a nameserver is unable to provide an answer. Many operators of authoritative setups are all too aware of - recursing nameservers that hammer them for zones they don't have, PowerDNS won't do that anymore now, no matter what clients request of it. - - - - - There is an unresolved issue with the BIND backend and 'overlapping' slave zones. So if you have 'example.com' and also have a separate - slave zone called 'external.example.com', things may go wrong badly. Thanks to Christian Laursen for working with us a lot in finding - this issue. We hope to resolve it soon. - - - - - - - - BIND Backend now honours notifies, code to support this was accidentally left out. Thanks to Christian Laursen for noticing this. - - - - - Massive speedup for those of you using the slightly deprecated MBOXFW records. Thanks to Jorn of - ISP Services for helping and testing this improvement. - - - - - $GENERATE had an off-by-one bug where it would omit the last record to be generated (Christian Laursen) - - - - - Simultaneous AXFRs may have been problematic on some backends. Thanks to Jorn of ISP-Services again for helping us resolve this issue. 
- - - - - Added LDAP backend by Norbert Sendetzky, see . - - - - - Added Generic ODBC backend for Windows by Michel Stol. - - - - - Simplified 'out of zone data' detection in incoming AXFR support, hopefully removing a case sensitivity bug there. Thanks again - to Christian Laursen for reporting this issue. - - - - - $include in-zonefile was broken under some circumstances, losing the last character of a file name. Thanks to Joris Vandalon for noticing this. - - - - - The zone parser was more case-sensitive than BIND, refusing to accept 'in' as well as 'IN'. Thanks to Joris Vandalon for noticing this. - - - - - - Version 2.9.5 - - Released on 2002-02-03. - - - This version is almost entirely about recursion with major changes to both the pdns recursor, which is renamed to - 'pdns_recursor' and to the main PowerDNS binary to make it interact better with the recursing component. - - - Sadly, due to technical reasons, compiling - the pdns recursor and pdns authoritative nameserver into one binary is not immediately possible. During the release of 2.9.4 we - stated that the recursing nameserver would be integrated in the next release - this won't happen now. - - - However, this turns out to not be that bad at all. The recursor can now be restarted without having to restart the rest of the nameserver, - for example. Cooperation between the both halves of PDNS is also almost seamless. As a result, 'non-lazy recursion' has been dropped. See - for more details. - - - Furthermore, the recursor only works on Linux, Windows and Solaris (not entirely). FreeBSD does not support the required functions. - If you know any important FreeBSD people, plea with them to support set/get/swapcontext! Alternatively, FreeBSD coders could read - the solution presented here in figure 5. 
- - - The 'Contributor of the Month' award goes to Mark Bergsma who has responded to our plea for help with the label compressor and contributed - a wonderfully simple and right fix that allows PDNS to compress just as well as other nameservers out there. An honorary mention goes to - Ueli Heuer who, despite having no C++ experience, submitted an excellent SRV record implementation. - - - Excellent work was also performed by Michel Stol, the Windows guy, in fixing all our non-portable stuff again. Christof Meerwald has also done - wonderful work in porting MTasker to Windows, which was then used by Michel to get the recursor functioning on Windows. - - - Other changes: - - - - dnspacket.cc was cleaned up by factoring out common operations - - - - - Heaps of work on the recursing nameserver. Has now achieved *days* of uptime! - - - - - Recursor renamed from syncres to pdns_recursor - - - - - PowerDNS can now serve records it does not know about. To benefit from this slightly undocumented feature, add - 1024 to the numerical type of a record and include the record in binary form in your database. Used internally by the - recursing nameserver but you can use it too. - - - - - PowerDNS now knows about SIG and KEY records *names*. It does not support them yet but can at least report so now. - - - - - HINFO records can now be transferred from a master to PowerDNS (thanks to Ueli Heuer for noticing it didn't work). - - - - - Yet more UltraSPARC alignment issues fixed (Chris Andrews). - - - - - Dropped non-lazy recursion, nobody was using it. Lazy recursion became even more lazy after Dan Bernstein pointed out that additional - processing is not vital, so PowerDNS does its best to do additional processing on recursive queries, but does not scream murder if it does - not succeed. Due to caching, the next identical query will be successfully additionally processed. - - - - - Label compression was improved so we can now fit all . records in 436 bytes, this used to be 460! 
(Code & formal - proof of correctness by Mark Bergsma). - - - - - SRV support (incoming and outgoing), submitted by Ueli Heuer. - - - - - Generic backends do not support SOA serial autocalculation, it appears. Could lead to random SOA serials in case - of a serial of 0 in the database. Fixed so that 0 stays zero in that case. Don't set the SOA serial to 0 when using - Generic MySQL or Generic PostgreSQL! - - - - - J root-server address was updated to its new location. - - - - - SIGUSR1 now forces the recursor to print out statistics to the log. - - - - - Meaning of recursor logging was changed a bit - a cache hit is now a question that was answered with 0 outgoing packets needed. Used to - be a weighted average of internal cache hits. - - - - - MySQL compilation did not include -lz which causes problems on some platforms. Thanks to James H. Cloos Jr for reporting this. - - - - - After a suggestion by Daniel Meyer and Florus Both, the built in webserver now reports the configuration name when multiple PowerDNS - instances are active. - - - - - Brad Knowles noticed that zone2sql had problems with the root.zone, fixed. This also closes some other zone2sql annoyances with converting - single zones. - - - - - - - Version 2.9.4 - - Yet another grand release. Big news is the addition of a recursing nameserver which has sprung into existence - over the past week. It is in use on several computers already but it is not ready for prime time. Complete integration - with PowerDNS is expected around 2.9.5, for now the recursor is a separate program. - - - In preliminary tests, the recursor appears to be four times faster than BIND 9 on a naive benchmark starting from a cold cache. BIND 9 - managed to get through to some slower nameservers however, which were given up on by PowerDNS. We will continue to tune the recursor. - See for further details. - - - The BIND Backend has also been tested (see the bind-domain-status item below) rather heavily by several parties. 
After some - discussion online, one of the BIND authors ventured that the newsgroup comp.protocols.dns.bind may now in fact be an appropriate venue - for discussing PowerDNS. Since this discussion, traffic to the PowerDNS pages has increased sixfold and shows no signs of slowing down. - - - From this, it is apparent that far more people are interested in PowerDNS than yet know about it. So spread the word! - - - In other news, we now have a security page at . Furthermore, Maurice Nonnekes contributed an OpenBSD - port! See his page for more details! - - - New features and improvements: - - - - All SQL queries in the generic backends are now available for configuration. (Martin Klebermass, Bert Hubert). - See . - - - - - A recursing nameserver! See . - - - - - An incoming AXFR now only starts a backend zone replacement transaction after the first record arrived successfully, thus making - sure no work is done when a remote nameserver is unable/unwilling to AXFR a zone to us. - - - - - Zone parser error messages were improved slightly (thanks to Stef van Dessel for spotting this shortcoming) - - - - - XS4ALL's Erik Bos checked how PowerDNS reacted to a BIND installation with almost 60.000 domains, some of which - with >100.000 records, and he discovered the pdns_control bind-domain-status command - became very slow with larger numbers of domains. Fixed, 60.000 domains are now listed in under one second. - - - - - If a remote nameserver disconnects during an incoming AXFR, the update is now rolled back, unless the AXFR was - properly terminated. - - - - - The migration chapter mentioned the use of deprecated backends. 
- - - - - - A tremendous number of bugs were discovered and fixed: - - - - Zone parser would only accept $include and not $INCLUDE - - - - - Zone parser had problems with $lines with comments on the end - - - - - Wildcard ANY queries were broken (thanks Colemarcus for spotting this) - - - - - A connection failure with the Generic backends would lead to a powerdns reload (cast of many) - - - - - Generic backends had some semantic problems with slave support. Symptoms were oft-repeated notifications - and transfers (thanks to Mark Bergsma for helping resolve this). - - - - - Solaris version compiles again. Thanks to Mohamed Lrhazi for reporting that it didn't. - - - - - Some UltraSPARC alignment fixes. Thanks to Mohamed Lrhazi for being helpful in spotting these. - One problem is still outstanding, Mohamed sent a core dump that tells us where the problem is. Expect the - fix to be in 2.9.5. Volunteers can grep the source for 'UltraSPARC' to find where the problem is. - - - - - Our support of IPv6 on FreeBSD had phase of moon dependent bugs, fixed by Peter van Dijk. - - - - - Some crashes of and by pdns_control were fixed, thanks to Mark Bergsma for helping resolve these. - - - - - Outgoing AXFR in pdns installations with multiple loaded backends was broken (thanks to Stuart Walsh for reporting this). - - - - - A failed BIND Backend incoming AXFR would block the zone until it succeeded again. - - - - - Generic PostgreSQL backend wouldn't compile with newer libpq++, fixed by Julien Lemoine/SpeedBlue. - - - - - Potential bug (not observed) when listening on multiple interfaces fixed. - - - - - Some typos in manpages fixed (reported by Marco Davids). - - - - - - - Version 2.9.3a - - 2.9.3a is identical to 2.9.3 except that zone2sql does work - - Broad range of huge improvements. We now have an all-static .rpm and .deb for Linux users and a link to an OpenBSD port. 
- Major news is that work on the Bind backend has progressed to the point that we've just retired our last Bind server and - replaced it with PowerDNS in Bind mode! This server is operating a number of master and slave setups so it should stress the Bind backend - somewhat. - - - This version is rapidly approaching the point where it is a better-Bind-than-Bind and nearly a drop-in replacement for authoritative - setups. PowerDNS is now equipped with a powerful - master/slave apparatus that offers a lot of insight and control to the user, even when operating from Bind zone files and a - Bind configuration. Observe. - - - After the SOA of example.org was raised: - -pdns[17495]: All slave domains are fresh -pdns[17495]: 1 domain for which we are master needs notifications -pdns[17495]: Queued notification of domain 'example.org' to 195.193.163.3 -pdns[17495]: Queued notification of domain 'example.org' to 213.156.2.1 -pdns[17520]: AXFR of domain 'example.org' initiated by 195.193.163.3 -pdns[17520]: AXFR of domain 'example.org' to 195.193.163.3 finished -pdns[17521]: AXFR of domain 'example.org' initiated by 213.156.2.1 -pdns[17521]: AXFR of domain 'example.org' to 213.156.2.1 finished -pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged) -pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 (was acknowledged) -pdns[17495]: No master domains need notifications - - If however our slaves would ignore us, as some are prone to do, we can send some additional notifications: - -$ sudo pdns_control notify example.org -Added to queue -pdns[17492]: Notification request for domain 'example.org' received -pdns[17492]: Queued notification of domain 'example.org' to 195.193.163.3 -pdns[17492]: Queued notification of domain 'example.org' to 213.156.2.1 -pdns[17495]: Removed from notification list: 'example.org' to 195.193.163.3 (was acknowledged) -pdns[17495]: Removed from notification list: 'example.org' to 213.156.2.1 
(was acknowledged) - - Conversely, if PowerDNS needs to be reminded to retrieve a zone from a master, a command is provided: - -$ sudo pdns_control retrieve forfun.net -Added retrieval request for 'forfun.net' from master 212.187.98.67 -pdns[17495]: AXFR started for 'forfun.net', transaction started -pdns[17495]: Zone 'forfun.net' (/var/cache/bind/forfun.net) reloaded -pdns[17495]: AXFR done for 'forfun.net', zone committed - - Also, you can force PowerDNS to reload a zone from disk immediately with pdns_control bind-reload-now. - All this happens 'live', per your instructions. Without instructions, the right things also happen, but the operator is in charge. - - - For more about all this coolness, see and . - - - - - Again some changes in compilation instructions. The hybrid pgmysql backend has been split up into 'gmysql' and 'gpgsql', sharing - a common base within the PowerDNS server itself. This means that you can no longer compile - --with-modules="pgmysql" --enable-mysql --enable-pgsql but that you should now use: - --with-modules="gmysql gpgsql". The old launch-names remain available. - - - If you launch the Generic PgSQL backend as gpgsql2, all parameters will have gpgsql2 as a prefix, for example - gpgsql2-dbname. If launched as gpgsql, the regular names are in effect. - - - - - - - The pdns_control protocol was changed which means that older pdns_controls cannot talk to 2.9.3. The other way around is - broken too. This may lead to problems with automatic upgrade scripts, so pay attention if your daemon is truly restarted. - - - Also make sure no old pdns_control command is around to confuse things. - - - - - Improvements: - - - - Bind backend can now deal with missing files and try to find them later. - - - - - Bind backend is now explicitly master capable and triggers the sending of notifications. - - - - - General robustness improvements in Bind backend - many errors are now non-fatal. - - - - - Accessibility, Serviceability. 
New pdns_server commands like bind-list-rejects - (lists zones that could not be loaded, and the reason why), bind-reload-now (reload a zone from disk NOW), - rediscover (reread named.conf NOW). More is coming up. - - - - - Added support for retrieving RP (Responsible Person) records from remote masters. Serving them was already possible. - - - - - Added support for LOC records, which encode the geographical location of a host, both serving and retrieving (thanks to Marco Davids - using them on our last Bind server, forcing us to implement this silly record). - - - - - Configuration file parser now strips leading spaces too, allowing "chroot= /tmp" to work, as well as "chroot=/tmp" - (Thanks to Hub Dohmen for reporting this for months on end). - - - - - Added bind-domain-status command that shows the status of all domains (when/if they were parsed, any errors - encountered while parsing them). - - - - - Added bind-reload-now command that tries to reload a zone from disk NOW, and reports back errors to the operator - immediately. - - - - - Added retrieve command that queues a request to retrieve a zone from its master. - - - - - Zones retrieved from masters are now stored way smaller on disk because the domain is stripped from records, which is derived - from the configuration file. Retrieved zones are now prefixed with some information on where they came from. - - - - - - Changes: - - - - gpgsql and gmysql backends split out of the hybrid pgmysqlbackend. This again changed compilation instructions! - - - - - pdns_control now uses the rarely seen SOCK_STREAM Unix Domain socket variety so it can transport - large amounts of text, which is needed for the bind-domain-status command, for which see - . This breaks compatibility with older pdns_control and pdns_server binaries! - - - - - Bind backend now ignores 'hint' and 'forward' and other unsupported zone types. - - - - - AXFRs are now logged more heavily by default. 
An AXFR is a heavy operation anyhow, some more logging does not further - increase the load materially. Does help in clearing up what slaves are doing. - - - - - A lot of master/slave chatter has been silenced, making output more relevant. No more repetitive 'No master domains need notifications' etc, only changes are reported now. - - - - - - Bugfixes: - - - - Windows version did not compile without minor changes. - - - - - Confusing error reporting on Windows 98 (which does not support PowerDNS) fixed - - - - - Potential crashes with shortened packets addressed. An upgrade is advised! - - - - - notify (which was already there, just badly documented) no longer prints out debugging garbage. - - - - - pgmysql backend had problems launching when not compiled in but available as a module. Workaround for 2.9.2 is 'load-modules=pgmysql', - but even then gpgsql would not work! gmysql would then, however. These modules are now split out, removing such issues. - - - - - - Version 2.9.2 - - Bugfixes galore. Solaris porting created some issues on all platforms. Great news is that PowerDNS is now in Debian 'sid' (unstable). The 2.9.1 - packages in there currently aren't very good but the 2.9.2 ones will be. Many thanks to Wichert Akkerman, our 'downstream' for making this possible. - - - - The Generic MySQL backend, part of the Generic MySQL & PostgreSQL backend, is now the DEFAULT! The previous default, the - 'mysql' backend (note the lack of 'g') is now DEPRECATED. This was the source of much confusion. The 'mysql' backend - does not support MASTER or SLAVE operation. The Generic backends do. - - - To get back the mysql backend, add --with-modules="mysql" or --with-dynmodules="mysql" if you prefer to load your modules at runtime. - - - - Bugs fixed: - - - - Silly debugging output removed from the webserver (found by Paul Wouters) - - - - - SEVERE: due to Solaris portability fixes, qtypes<127 were broken. - These include NAPTR, ANY and AXFR. 
The upshot is that powerdns - wasn't performing outgoing AXFRs nor ANY queries. These were the - 'question for type -1' warnings in the log - - - - - incoming AXFR could theoretically miss some trailing records (not observed, but could happen) - - - - - incoming AXFR did not support TXT records (spotted by Paul Wouters) - - - - - with some remotes, an incoming AXFR would not terminate until a - timeout occurred (observed by Paul Wouters) - - - - - Documentation bug, pgmysql != mypgsql - - - - - - Documentation: - - - - Documented the 'random backend', see . - - - - - Wichert Akkerman contributed three manpages. - - - - - Building PowerDNS on Unix is now documented somewhat more, see . - - - - - - Features: - - - - pdns init.d script is now +x by default - - - - - OpenBSD is on its way of becoming a supported platform! As of 2.9.2, PowerDNS compiles on OpenBSD but swiftly crashes. - Help is welcome. - - - - - ODBC backend (for Windows only) was missing from the distribution, now added. - - - - - xdb backend added - see . Designed for use by root-server operators. - - - - - Dynamic modules are back which is good news for distributors who want to make a pdns packages that does not - depend one every database under the sun. - - - - - - - - Version 2.9.1 - - Thanks to the great enthusiasm from around the world, powerdns is now available for Solaris and FreeBSD users again! - Furthermore, the Windows build is back. We are very grateful for the help of: - - - - Michel Stol - Wichert Akkerman - Edvard Tuinder - Koos van den Hout - Niels Bakker - Erik Bos - Alex Bleker - Steven Stillaway - Roel van der Made - Steven Van Steen - - - - We are happy to have been able to work with the open source community to improve PowerDNS! - - - Changes: - - - - The monitor command set no longer allows the changing of non-existent variables. - - - - - IBM Universal Database DB2 backend now included in source distribution (untested!) 
- - - - - Oracle backend now included in source distribution (slightly tested!) - - - - - configure script now searches for postgresql and mysql includes - - - - - Bind parser now no longer dies on records with a ' in them (Erik Bos) - - - - - The pipebackend was accidentally left out of 2.9 - - - - - FreeBSD fixes (with help from Erik Bos, Alex Bleeker, Niels Bakker) - - - - - Heap of Solaris work (with help from Edvard Tuinder, Stefan Van Steen, Koos van den Hout, Roel van der Made and - especially Mark Bakker). - Now compiles in 2.7 and 2.8, haven't tried 2.9. May be a bit dysfunctional on 2.7 though - it won't do IPv6 and it won't serve AAAA. Patches - welcome! - - - - - Windows 32 build is back! Michel Stol updated his earlier work to the current version. - - - - - S/Linux (Linux on Sparc) build works now (with help from Steven Stillaway). - - - - - Silly debugging message ('sd.ttl from cache') removed - - - - - .deb files are back, hopefully in 'sid' soon! (Wichert Akkerman) - - - - - Removal of bzero and other less portable constructs. Discovered that recent Linux glibc's need -D_GNU_SOURCE (Wichert Akkerman). - - - - - Version 2.9 - - Open source release. Do not deploy unless you know what you are -doing. Stability is expected to return with 2.9.1, as are the binary builds. - - - - - - License changed to the GNU General Public License version 2. - - - - - Cleanups by Erik Bos @ xs4all. - - - - - Build improvements by Wichert Akkerman - - - - - Lots of work on the build system, entirely revamped. By PowerDNS. - - - - - - - Version 2.8 - - From this release onwards, we'll concentrate on stabilising for the 3.0 release. So if you have any must-have features, - let us know soonest. The 2.8 release fixes a bunch of small stability issues and add two new features. In the spirit of the move to - stability, this release has already been running 24 hours on our servers before release. 
- - - - - - pipe backend gains the ability to restricts its invocation to a limited number of requests. This allows a very busy nameserver - to still serve packets from a slow perl backend. - - - - - pipe backend now honors query-logging, which also documents which queries were blocked by the regex. - - - - - pipe backend now has its own backend chapter. - - - - - An incoming AXFR timeout at the wrong moment had the ability to crash the binary, forcing a reload. Thanks to our bug spotting - champions Mike Benoit and Simon Kirby of NetNation for reporting this. - - - - - - Version 2.7 and 2.7.1 - - This version fixes some very long standing issues and adds a few new features. If you are still running 2.6, upgrade yesterday. If you - were running 2.6.1, an upgrade is still strongly advised. - - - Features: - - - - The controlsocket is now readable and writable by the 'setgid' user. This allows for non-root - access to PDNS which is nice for mrtg or cricket graphs. - - - - - MySQL backend (the non-generic one) gains the ability to read from a different table using the - mysql-table setting. - - - - - pipe backend now has a configurable timeout using the pipe-timeout setting. Thanks to Steve Bromwich - for pointing out the need for this. - - - - - Experimental backtraces. If PowerDNS crashes, it will log a lot of numbers and sometimes more to the syslog. - If you see these, please report them to us. Only available under Linux. - - - - - - Bugs: - - - - 2.7 briefly broke the mysql backend, so don't use it if you use that. 2.7.1 fixes this. - - - - - SOA records could sometimes have the wrong TTL. Thanks to Jonas Daugaard for reporting this. - - - - - An ANY query might lead to duplicate SOA records being returned under exceptional circumstances. - Thanks to Jonas Daugaard for reporting this. - - - - - Underlying the above bug, packet compression could sometimes suddenly be turned off, leading to - overly large responses and non-removal of duplicate records. 
- - - - - The allow-axfr-ips setting did not accept IP ranges (192.0.2.0/24) which the - documentation claimed it did (thanks to Florus Both of Ascio technologies for being sufficiently persistent in reporting this). - - - - - Killed backends were not being respawned, leading to suboptimal behaviour on intermittent database errors. Thanks to Steve Bromwich for - reporting this. - - - - - Corrupt packets during an incoming AXFR when acting as a slave would cause a PowerDNS reload instead of just failing that AXFR. - Thanks to Mike Benoit and Simon Kirby of NetNation for reporting this. - - - - - Label compression in incoming AXFR had problems with large offsets, causing the above mentioned errors. Thanks to Mike Benoit - and Simon Kirby of NetNation for reporting this. - - - - - - - Version 2.6.1 - - Quick fix release for a big cache problem. - - - Version 2.6 - - Performance release. A lot of work has been done to raise PDNS performance to staggering levels in order to take part - in benchmarketing efforts. Together with our as yet unnamed partner, PDNS has been benchmarked at 60.000 mostly cached queries/second - on off the shelf PC hardware. Uncached performance was 17.000 uncached DNS queries/second on the .ORG domain. - - - Performance has been increased by both making PDNS itself quicker but also by lowering the number of backend queries typically needed. Operators - will typically see PDNS taking less CPU and the backend seeing less load. - - - Furthermore, some real bugs were fixed. A couple of undocumented performance switches may appear in --help output but you are advised to stay - away from these. - - - Developers: this version needs the pdns-2.5.1 development kit, available on - http://downloads.powerdns.com/releases/dev. See also . - - - Performance: - - - - A big error in latency calculations - cached packets were weighed 50 times less, leading to inflated latency reporting. 
Latency calculations - are now correct and way lower - often in the microseconds range. - - - - - It is now possible to run with 0 second cache TTLs. This used to cause very frequent cache cleanups, leading - to performance degradation. - - - - - Many tiny performance improvements, removing duplicate cache key calculations, etc. The cache itself has also been reworked - to be more efficient. - - - - - First 'CNAME' backend query replaced by an 'ANY' query, which most of the time returns the actual record, - preventing the need for a separate CNAME lookup, halving query load. - - - - - Much of the same for same-level-NS records on queries needing delegation. - - - - - - Bugs fixed: - - - - Incidentally, the cache count would show 'unknown' packets, which was harmless but confusing. Thanks to Mike and Simon of - NetNation for reporting this. - - - - - SOA hostmaster with a . in the local-part would be cached wrongly, leading to a stray backslash - in case of multiple successively SOA queries. Thanks to Ascio Technologies for spotting this bug. - - - - - zone2sql did not parse Verisign zone files correctly as these contained a $TTL statement in mid-record. - - - - - Sometimes packets would not be accounted, leading to 'udp-queries' and 'udp-answers' divergence. - - - - - - Features: - - - - 'cricket' command added to init.d scripts that provides unadorned output for parsing by 'Cricket'. - - - - - - Version 2.5.1 - - Brown paper bag release fixing - a huge memory leak in the new Query Cache. - - - Developers: this version needs the new pdns-2.5.1 development kit, available on - http://downloads.powerdns.com/releases/dev. See also . - - - And some small changes: - - - - Added support for RFC 2308 compliant negative-answer caching. This allows remotes to cache the fact that - a domain does not exist and will not exist for a while. Thanks to Chris Thompson for pointing out how tiny our minds are. This feature may cause a noticeable reduction - in query load. 
- - - - - Small speedup to non-packet-cached queries, incidentally fixing the huge memory leak. - - - - - pdns_control ccounts command outputs statistics on what is in the cache, which is - useful to help optimize your caching strategy. - - - - - - Version 2.5 - - An important release which has seen quite a lot of trial and error testing. As a result, PDNS can now run with a huge cache - and concurrent invalidations. This is useful when running of a slower database or under high traffic load with a fast database. - - - Furthermore, the gpgsql2 backend has been validated for use and will soon supplant the gpgsql backend entirely. This also bodes - well for the gmysql backend which is the same code. - - - Also, a large amount of issues biting large scale slave operators were addressed. Most of these issues would only show up - after prolonged uptime. - - - New features: - - - - Query cache. The old Packet Cache only cached entire questions and their answers. This is very CPU efficient but - does not lead to maximum hitrate. Two packets both needing to resolve smtp.you.com internally would not benefit - from any caching. Furthermore, many different DNS queries lead to the same backend queries, like 'SOA for .COM?'. - - - PDNS now also caches backend queries, but only those having no answer (the majority) and those having one answer - (almost the rest). - - - In tests, these additional caches appear to halve the database backend load numerically and perhaps even more in terms - of CPU load. Often, queries with no answer are more expensive than those having one. - - - The default ttls for the query-cache and negquery-cache are set to safe values (20 and 60 seconds - respectively), you should be seeing an improvement in behaviour without sacrificing a lot in terms of quick updates. - - - The webserver also displays the efficiency of the new Query Cache. - - - The old Packet Cache is still there (and useful) but see for more details. 
- - - - - There is now the ability to shut off some logging at a very early stage. High performance sites doing thousands of - queries/second may in fact spend most of their CPU time on attempting to write out logging, even though it is ignored - by syslog. The new flag log-dns-details, on by default, allows the operator to kill most - informative-only logging before it takes any cpu. - - - - - Flags which can be switched 'on' and 'off' can now also be set to 'off' instead of only to 'no' to turn them off. - - - - - - Enhancements: - - - - Packet Cache is now case insensitive, leading to a higher hitrate because identical queries only differing in case - now both match. Care is taken to restore the proper case in the answer sent out. - - - - - Packet Cache stores packets more efficiently now, savings are estimated at 50%. - - - - - The Packet Cache is now asynchronous which means that PDNS continues to answer questions while the cache - is busy being purged or queried. Incidentally this will mean a cache miss where previously the question would - wait until the cache became available again. - - - The upshot of this is that operators can call pdns_control purge as often as desired without - fearing performance loss. Especially the full, non-specific, purge was sped up tremendously. - - - This optimization is of little merit for small sites but is very important when running with a large packetcache, such - as when using recursion under high load. - - - - - AXFR log messages now all contain the word 'AXFR' to ease grepping. - - - - - Linux static version now compiled with gcc 3.2 which is known to output better and faster code than the previously - used 3.0.4. - - - - - - Bugs fixed: - - - - Packetcache would sometimes send packets back with slightly modified flags if these differed from the flags - of the cached copy. - - - - - Resolver code did bad things with file descriptors leading to fd exhaustion after prolonged uptimes and many slave - SOA currency checks. 
- - - - - Resolver code failed to properly log some errors, leading to operator uncertainty regarding to AXFR problems with - remote masters. - - - - - After prolonged uptime, slave code would try to use privileged ports for originating queries, leading to bad - replication efficiency. - - - - - Masters sending back answers in differing case from questions would lead to bogus - 'Master tried to sneak in out-of-zone data' errors and failing AXFRs. - - - - - - Version 2.4 - - Developers: this version is compatible with the pdns-2.1 development kit, available on - http://downloads.powerdns.com/releases/dev. See also . - - - This version fixes some stability issues with malformed or malcrafted packets. An upgrade is advised. Furthermore, there are interesting new - features. - - - New features: - - - - - - Recursive queries are now also cached, but in a separate namespace so non-recursive queries don't get recursed answers and - vice versa. This should mean way lower database load for sites running with the current default lazy-recursion. Up to now, - each and every recursive query would lead to a large amount of SQL queries. - - - To prevent the packetcache from becoming huge, a separate recursive-cache-ttl can be specified. - - - - - The ability to change parameters at runtime was added. Currently, only the new query-logging flag - can be changed. - - - - - Added query-logging flag which hints a backend that it should output a textual representation of queries - it receives. Currently only gmysql and gpgsql2 honor this flag. - - - - - Gmysql backend can now also talk to PgSQL, leading to less code. Currently, the old postgresql driver ('gpgsql') is still the default, - the new driver is available as 'gpgsql2' and has the benefit that it does query logging. In the future, gpgsql2 will become the default - gpgsql driver. - - - - - DNS recursing proxy is now more verbose in logging odd events which may be caused by buggy recursing backends. 
- - - - - Webserver now displays peak queries/second 1 minute average. - - - - - - Bugs fixed: - - - - Failure to connect to database in master/slave communicator thread could lead to an unclean reload, fixed. - - - - - - Documentation: added details for strict-rfc-axfrs. This feature can be used if very old clients need to be able - to do zone transfers with PDNS. Very slow. - - - - Version 2.3 - - Developers: this version is compatible with the pdns-2.1 development kit, available on - http://downloads.powerdns.com/releases/dev. See also . - - - This release adds the Generic MySQL backend which allows full master/slave semantics with MySQL and InnoDB tables (or other tables that support - transactions). See . - - - Other new features: - - - - - - Improved error messages in master/slave communicator will help down track problems. - - - - - slave-cycle-interval setting added. Very large sites with thousands of slave domains may need to raise this value - above the default of 60. Every cycle, domains in indeterminate state are checked for their condition. Depending on the health of the masters, - this may entail many SOA queries or attempted AXFRs. - - - - - - Bugs fixed: - - - - - - 'pdns_control purge domain' and 'pdns_control purge domain$' were broken in version 2.2 and - did not in fact purge the cache. There is a slight risk that domain-specific purge commands could force a reload in previous version. - Thanks to Mike Benoit of NetNation for discovering this. - - - - - Master/slave communicator thread got confused in case of delayed answers from slow masters. While not causing harm, this caused inefficient - behaviour when testing large amounts of slave domains because additional 'cycles' had to pass before all domains would have their status - ascertained. 
- - - - - Backends implementing special SOA semantics (currently only the undocumented 'pdns express backend', or homegrown backends) would - under some circumstances not answer the SOA record in case of an ANY query. This should put an end to the last DENIC problems. Thanks to - DENIC for helping us find the problem. - - - - - - Version 2.2 - - Developers: this version is compatible with the pdns-2.1 development kit, available on - http://downloads.powerdns.com/releases/dev. See also . - - - Again a big release. PowerDNS is seeing some larger deployments in more demanding environments and these are helping shake out remaining issues, - especially with recursing backends. - - - The big news is that wildcard CNAMEs are now supported, an oft requested feature and nearly the only part in which PDNS differed from BIND in - authoritative capabilities. - - - If you were seeing signal 6 errors in PDNS causing reloads and intermittent service disruptions, please upgrade to this version. - - - For operators of PowerDNS Express trying to host .DE domains, the very special soa-serial-offset feature has been added - to placate the new DENIC requirement that the SOA serial be at least six digits. PowerDNS Express uses the SOA serial as an actual serial and - not to insert dates and hence often has single digit soa serial numbers, causing big problems with .DE redelegations. - - - Bugs fixed: - - - - Malformed or shortened TCP recursion queries would cause a signal 6 and a reload. Same for EOF from the TCP recursing backend. - Thanks to Simon Kirby and Mike Benoit of NetNation for helping debug this. - - - - - Timeouts on the TCP recursing backend were far too long, leading to possible exhaustion of TCP resolving threads. - - - - - pdns_control purge domain accidentally cleaned all packets with that name as a prefix. Thanks to Simon Kirby - for spotting this. 
- - - - - Improved exception error logging - in some circumstances PDNS would not properly log the cause of an exception, which hampered problem - resolution. - - - - - - New features: - - - - Wildcard CNAMEs now work as expected! - - - - - pdns_control purge can now also purge based on suffix, allowing operators to - purge an entire domain from the packet cache instead of only specific records. See also - Thanks to Mike Benoit for this suggestion. - - - - - soa-serial-offset for installations with small SOA serial numbers wishing to register .DE domains - with DENIC which demands six-figure SOA serial numbers. See also . - - - - - - Version 2.1 - - This is a somewhat bigger release due to pressing demands from customers. An upgrade is advised for installations using Recursion. - If you are using recursion, it is vital that you are aware of changes in semantics. Basically, local data will now override data in your - recursing backend under most circumstances. Old behaviour can be restored by turning lazy-recursion off. - - - Developers: this version has a new pdns-2.1 development kit, available on - http://downloads.powerdns.com/releases/dev. See also . - - - - - Most users will run a static version of PDNS which has no dependencies on external libraries. However, some may need to run the dynamic version. - This warning applies to these users. - - - To run the dynamic version of PDNS, which is needed for backend drivers which are only available in source form, gcc 3.0 is required. - RedHat 7.2 comes with gcc 3.0 as an optional component, RedHat 7.3 does not. However, the RedHat 7.2 Update gcc rpms install just fine - on RedHat 7.3. For Debian, we suggest running 'woody' and installing the g++-3.0 package. We expect to release a FreeBSD dynamic version - shortly. - - - - - - Bugs fixed: - - - - RPM releases sometimes overwrote previous configuration files. Thanks to Jorn Ekkelenkamp of Hubris/ISP Services for reporting this. 
- - - - - TCP recursion sent out overly large responses due to a byte order mistake, confusing some clients. Thanks to the capable engineers - of NetNation for bringing this to our attention. - - - - - TCP recursion in combination with a recursing backend on a non-standard port did not work, leading to a - non-functioning TCP listener. Thanks to the capable engineers of NetNation for bringing this to our attention. - - - - - - Unexpected behaviour: - - - - Wildcard URL records where not implemented because they are a performance penalty. To turn these on, enable - wildcard-url in the configuration. - - - - - Unlike other nameservers, local data did not override the internet for recursing queries. This has mostly been brought into conformance - with user expectations. If a recursive question can be answered entirely from local data, it is. To restore old behaviour, disable - lazy-recursion. Also see . - - - - - - Features: - - - - Oracle support has been tuned, leading to the first public release of the Oracle backend. Zone2sql now outputs better SQL - and the backend is now fully documented. Furthermore, the queries are compatible with the PowerDNS XML-RPC product, allowing - PowerDNS express to run off Oracle. See . - - - - - Zone2sql now accepts --transactions to wrap zones in a transaction for PostgreSQL and Oracle output. This is a major speedup and also - makes for better isolation of inserts. See . - - - - - pdns_control now has the ability to purge the PowerDNS cache or parts of it. This enables operators to - raise the TTL of the Packet Cache to huge values and only to invalidate the cache when changes are made. See also and - . - - - - - - Version 2.0.1 - - Maintenance release, fixing three small issues. - - - Developers: this version is compatible with 1.99.11 backends. - - - - - - PowerDNS ignored the logging-facility setting unless it was specified on the command line. - Thanks to Karl Obermayer from WebMachine Technologies for noticing this. 
- - - - - Zone2sql neglected to preserve 'slaveness' of domains when converting to the slave capable PostgreSQL backend. Thanks - to Mike Benoit of NetNation for reporting this. Zone2sql now has a --slave option. - - - - - SOA Hostmaster addresses with dots in them before the @-sign were mis-encoded on the wire. - - - - - - Version 2.0 - - Two bugfixes, one stability/security related. No new features. - - - Developers: this version is compatible with 1.99.11 backends. - - - Bugfixes: - - - - - - zone2sql refused to work under some circumstances, taking 100% cpu and not functioning. Thanks to Andrew Clark and Mike Benoit - for reporting this. - - - - - Fixed a stability issue where malformed packets could force PDNS to reload. Present in all earlier 2.0 versions. - - - - - - Version 2.0 Release Candidate 2 - - Mostly bugfixes, no really new features. - - - Developers: this version is compatible with 1.99.11 backends. - - - Bugs fixed: - - - - - - chroot() works again - 2.0rc1 silently refused to chroot. Thanks to Hub Dohmen for noticing this. - - - - - setuid() and setgid() security features were silently not being performed in 2.0rc1. Thanks to Hub Dohmen for noticing this. - - - - - MX preferences over 255 now work as intended. Thanks to Jeff Crowe for noticing this. - - - - - IPv6 clients can now also benefit from the recursing backend feature. Thanks to Andy Furnell for proving beyond any doubt that this - did not work. - - - - - Extremely bogus code removed from DNS notification reception code - please test! Thanks to Jakub Jermar for working with us - in figuring out just how broken this was. - - - - - AXFR code improved to handle more of the myriad different zone transfer dialects available. Specifically, interoperability - with Bind 4 was improved, as well as Bind 8 in 'strict rfc conformance' mode. Thanks again for Jakub Jermar for running many tests for us. - If your transfers failed with 'Unknown type 14!!' or words to that effect, this was it. 
- - - - - - Features: - - - - Win32 version now has a zone2sql tool. - - - - - Win32 version now has support for specifying how urgent messages should be before they go to the NT event log. - - - - - - Remaining issues: - - - - One persistent report of the default 'chroot=./' configuration not working. - - - - - One report of disable-axfr and allow-axfr-ips not working as intended. - - - - - Support for relative paths in zones and in Bind configuration is not bug-for-bug compatible with bind yet. - - - - - - Version 2.0 Release Candidate 1 - - The MacOS X release! A very experimental OS X 10.2 build has been added. Furthermore, the Windows version is now in line with Unix with - respect to capabilities. The ODBC backend now has the code to function as both a master and a slave. - - - Developers: this version is compatible with 1.99.11 backends. - - - - - - Implemented native packet response parsing code, allowing Windows to perform AXFR and NS and SOA queries. - - - - - This is the first version for which we have added support for Darwin 6.0, which is part of the forthcoming Mac OS X 10.2. - Please note that although this version is marked RC1, that we have not done extensive testing yet. Consider this a technology - preview. - - - - - The Darwin version has been developed on Mac OS X 10.2 (6C35). Other versions may or may not work. - - - Currently only the random, bind, mysql and pdns backends are included. - - - - The menu based installer script does not work, you will have to edit pathconfig by hand as outlined in chapter 2. - - - - On Mac OS X Client, PDNS will fail to start because a system service is already bound to port 53. - - - - - This version is distributed as a compressed tar file. You should follow the generic UNIX installation instructions. - - - - - - Bugs fixed: - - - - Zone2sql PostgreSQL mode neglected to lowercase $ORIGIN. Thanks to Maikel Verheijen of Ladot for spotting this. 
- - - - - Zone2sql PostgreSQL mode neglected to remove a trailing dot from $ORIGIN if present. - Thanks to Thanks to Maikel Verheijen of Ladot for spotting this. - - - - - Zone file parser was not compatible with bind when $INCLUDING non-absolute file names. Thanks to Jeff Miller for working out - how this should work. - - - - - Bind configuration parser was not compatible with bind when including non-absolute file names. Thanks to Jeff Miller for working out - how this should work. - - - - - Documentation incorrectly listed the Bind backend as 'slave capable'. This is not yet true, now labeled 'experimental'. - - - - - - Windows changes. We are indebted to Dimitry Andric who educated us in the ways of distributing Windows software. - - - - pdns.conf is now read if available. - - - - - Console version responds to ^c now. - - - - - Default pdns.conf added to distribution - - - - - Uninstaller missed several files, leaving remnants behind - - - - - - DLLs are now installed locally, with the pdns executable. - - - - - - pdns_control is now also available on Windows - - - - - ODBC backend can now act as master and slave. Experimental. - - - - - The example zone missed indexes and had other faults. - - - - - A runtime DLL that is present on most windows systems (but not all!) was missing. - - - - - - Version 1.99.12 Prerelease - - The Windows release! See . Beware, windows support is still very fresh and untested. Feedback is very welcome. - - - Developers: this version is compatible with 1.99.11 backends. - - - - - - Windows 2000 code base merge completed. This resulted in quite some changes on the Unix end of things, so this may impact reliability. - - - - - ODBC backend added for Windows. See . - - - - - IBM DB2 Universal Database backend available for Linux. See . - - - - - Zone2sql now understands $INCLUDE. 
Thanks to Amaze Internet for nagging about this - - - - - The SOA Minimum TTL now has a configurable default (soa-minimum-ttl)value to placate the DENIC requirements. - - - - - Added a limit on the simultaneous numbers of TCP connections to accept (max-tcp-connections). Defaults to 10. - - - - - - Bugs fixed: - - - - When operating in virtual hosting mode (See ), the additional init.d scripts would not function correctly - and interface with other pdns instances. - - - - - PDNS neglected to conserve case on answers. So a query for WwW.PoWeRdNs.CoM would get an answer listing the address of www.powerdns.com. - While this did not confuse resolvers, it is better to conserve case. This has semantic consequences for all backends, which the documentation - now spells out. - - - - - PostgreSQL backend was case sensitive and returned only answers in case an exact match was found. The Generic PostgreSQL backend is now - officially all lower case and zone2sql in PostgreSQL mode enforces this. - Documentation has been been updated to reflect the case change. Thanks to Maikel Verheijen of Ladot for - spotting this! - - - - - Documentation bug - postgresql create/index statements created a duplicate index. If you've previously copy pasted the commands and - not noticed the error, execute CREATE INDEX rec_name_index ON records(name) to remedy. Thanks to Jeff Miller for reporting - this. This also lead to depressingly slow 'ANY' lookups for those of you doing benchmarks. - - - - - - Features: - - - - pdns_control (see ) now opens the local end of its socket in /tmp instead of next to the - remote socket (by default /var/run). This eases the way for allowing non-root access to pdns_control. When running chrooted - (see ), the local socket again moves back to /var/run. - - - - - pdns_control now has a 'version' command. See . 
- - - - - - - Version 1.99.11 Prerelease - - This release is important because it is the first release which is accompanied by an Open Source Backend Development Kit, allowing external - developers to write backends for PDNS. Furthermore, a few bugs have been fixed: - - - - - - Lines with only whitespace in zone files confused PDNS (thanks Henk Wevers) - - - - - PDNS did not properly parse TTLs with symbolic suffixes in zone files, ie 2H instead of 7200 (thanks Henk Wevers) - - - - - - Version 1.99.10 Prerelease - - IMPORTANT: there has been a tiny license change involving free public webbased dns hosting, check out the changes before deploying! - - - PDNS is now feature complete, or very nearly so. Besides adding features, a lot of 'fleshing out' work is done now. There is an important - performance bug fix which may have lead to disappointing benchmarks - so if you saw any of that, please try either this version or 1.99.8 which - also does not have the bug. - - - This version has been very stable for us on multiple hosts, as was 1.99.9. - - - PostgreSQL users should be aware that while 1.99.10 works with the schema as presented in earlier versions, advanced features - such as master or slave support will not work unless you create the new 'domains' table as well. - - - Bugs fixed: - - - - Wildcard AAAA queries sometimes received an NXDOMAIN error where they should have gotten an empty NO ERROR. Thanks to Jeroen Massar - for spotting this on the .TK TLD! - - - - - Do not disable the packetcache for 'recursion desired' packets unless a recursor was configured. Thanks to Greg Schueler for noticing this. - - - - - A failing backend would not be reinstated. Thanks to 'Webspider' for discovering this problem with PostgreSQL connections that die after - prolonged inactivity. - - - - - Fixed loads of IPv6 transport problems. Thanks to Marco Davids and others for testing. Considered ready for production now. 
- - - - - - Zone2sql printed a debugging statement on range $GENERATE commands. Thanks to Rene van Valkenburg for spotting this. - - - - - - Features: - - - - PDNS can now act as a master, sending out notifications in case of changes and allowing slaves to AXFR. Big rewording of replication support, - domains are now either 'native', 'master' or 'slave'. See for lots of details. - - - - - Zone2sql in PostgreSQL mode now populates the 'domains' table for easy master, slave or native replication support. - - - - - Ability to run on IPv6 transport only - - - - - Logging can now happen under a 'facility' so all PDNS messages appear in their own file. See . - - - - - - Different OS releases of PDNS now get different install path defaults. Thanks to Mark Lastdrager for nagging about this and to Nero Imhard and - Frederique Rijsdijk for suggesting saner defaults. - - - - - Infrastructure for 'also-notify' statements added. - - - - - - - Version 1.99.9 Early Access Prerelease - - This is again a feature and an infrastructure release. We are nearly feature complete and will soon start - work on the backends to make sure that they are all master, slave and 'superslave' capable. - - - Bugs fixed: - - - - PDNS sometimes sent out duplicate replies for packets passed to the recursing backend. Mostly a problem on SMP systems. Thanks to Mike Benoit - for noticing this. - - - - - Out-of-bailiwick CNAMEs (ie, a CNAME to a domain not in PDNS) caused a 'ServFail' packet in 1.99.8, indicating failure, leading to hosts not - resolving. Thanks to Martin Gillstrom for noticing this. - - - - - Zone2sql balked at zones edited under operating systems terminating files with ^Z (Windows). Thanks Brian Willcott for reporting this. - - - - - PostgreSQL backend logged the password used to connect. Now only does so in case of failure to connect. Thanks to 'Webspider' for noticing this. - - - - - Debian unstable distribution wrongly depended on home compiled PostgreSQL libraries. 
Thanks to Konrad Wojas for noticing this. - - - - - - Features: - - - - When operating as a slave, AAAA records are now supported in the zone. They were already supported in master zones. - - - - - IPv6 transport support - PDNS can now listen on an IPv6 socket using the local-ipv6 setting. - - - - - Very silly randombackend added which appears in the documentation as a sample backend. See . - - - - - When transferring a slave zone from a master, out of zone data is now rejected. Malicious operators might try to insert bad records otherwise. - - - - - 'Supermaster' support for automatic provisioning from masters. See . - - - - - Recursing backend can now live on a non-standard (!=53) port. See . - - - - - Slave zone retrieval is now queued instead of immediate, which scales better and is more resilient to temporary failures. - - - - - max-queue-length parameter. If this many packets are queued for database attention, consider the situation hopeless and - respawn. - - - - - - Internal: - - - - SOA records are now 'special' and each backend can optionally generate them in special ways. PostgreSQL backend does so - when operating as a slave. - - - - - Writing backends is now a lot easier. See . - - - - - Added Bindbackend to internal regression tests, confirming that it is compliant. - - - - - - Version 1.99.8 Early Access Prerelease - - A lot of infrastructure work gearing up to 2.0. Some stability bugs fixed and a lot of new features. - - - Bugs fixed: - - - - Bindbackend was overly complex and crashed on some systems on startup. Simplified launch code. - - - - - SOA fields were not always properly filled in, causing default values to go out on the wire - - - - - Obscure bug triggered by malicious packets (we know who you are) in SOA finding code fixed. - - - - - Magic serial number calculation contained a double free leading to instability. - - - - - Standards violation, questions for domains for which PDNS was unauthoritative now get a SERVFAIL answer. 
- Thanks to the IETF Namedroppers list for helping out with this. - - - - - Slowly launching backends were being relaunched at a great rate when queries were coming in while launching backends. - - - - - MySQL-on-unix-domain-socket on SMP systems was overwhelmed by the quick connection rate on launch, inserted a small 50ms delay. - - - - - Some SMP problems appear to be compiler related. Shifted to GCC 3.0.4 for Linux. - - - - - Ran ispell on documentation. - - - - - - Feature enhancements: - - - - Recursing backend. See . Allows recursive and authoritative DNS on the same IP address. - - - - - NAPTR support, which is especially useful for the ENUM/E.164 community. - - - - - Zone transfers can now be allowed per netmask instead of only per IP address. - - - - - Preliminary support for slave operation included. Only for the adventurous right now! See - - - - - All record types now documented, see . - - - - - Known bugs - - Wildcard CNAMEs do not work as they do with bind. - - - Recursion sometimes sends out duplicate packets (fixed in 1.99.9 snapshots) - - - Some stability issues which are caught by the guardian - - - Missing features - - Features present in this document, but disabled or withheld from the current release: - - - - gmysqlbackend, oraclebackend - - - - - - - - - Version 1.99.7 Early Access Prerelease - - Named.conf parsing got a lot of work and many more bind configurations can now be parsed. Furthermore, error reporting was improved. - Stability is looking good. - - - Bugs fixed: - - - - Bind parser got confused by file names with underscores and colons. - - - - - Bind parser got confused by spaces in quoted names - - - - - FreeBSD version now stops and starts when instructed to do so. - - - - - Wildcards were off by default, which violates standards. Now on by default. 
- - - - - --oracle was broken in zone2sql - - - - - - Feature enhancements: - - - - Line number counting goes on as it should when including files in named.conf - - - - - Added --no-config to enable users to start the pdns daemon without parsing the configuration file. - - - - - zone2sql now has --bare for unformatted output which can be used to generate insert statements for different database layouts - - - - - zone2sql now has --gpgsql, which is an alias for --mysql, to output in a format useful for the default Generic PgSQL backend - - - - - zone2sql is now documented. - - - - - Known bugs - - Wildcard CNAMEs do not work as they do with bind. - - - Missing features - - Features present in this document, but disabled or withheld from the current release: - - - - gmysqlbackend, oraclebackend - - - - - Some of these features will be present in newer releases. - - - - - Version 1.99.6 Early Access Prerelease - - This version is now running on dns-eu1.powerdns.net and working very well for us. But please remain cautious before - deploying! - - - Bugs fixed: - - - - Webserver neglected to show log messages - - - - - TCP question/answer miscounted multiple questions over one socket. Fixed misnaming of counter - - - - - Packetcache now detects clock skew and times out entries - - - - - named.conf parser now reports errors with line number and offending token - - - - - File names in named.conf can now contain : - - - - - - Feature enhancements: - - - - The webserver now by default does not print out configuration statements, which might contain database backends. Use - webserver-print-arguments to restore the old behaviour. - - - - - Generic PostgreSQL backend is now included. Still rather beta. - - - - - Known bugs - - FreeBSD version does not stop when requested to do so. - - - Wildcard CNAMEs do not work as they do with bind. 
- - - Missing features - - - Features present in this document, but disabled or withheld from the current release: - - - - gmysqlbackend, oraclebackend - - - - - Some of these features will be present in newer releases. - - - - - Version 1.99.5 Early Access Prerelease - - The main focus of this release is stability and TCP improvements. This is the first release PowerDNS-the-company actually considers for running - on its production servers! - - - Major bugs fixed: - - - - Zone2sql received a floating point division by zero error on named.confs with less than 100 domains. - - - - - Huffman encoder failed without specific error on illegal characters in a domain - - - - - Fixed huge memory leaks in TCP code. - - - - - Removed further file descriptor leaks in guardian respawning code - - - - - Pipebackend was too chatty. - - - - - pdns_server neglected to close fds 0, 1 & 2 when daemonizing - - - - - - Feature enhancements: - - - - bindbackend can be instructed not to check the ctime of a zone by specifying bind-check-interval=0, - which is also the new default. - - - - - pdns_server --list-modules lists all available modules. - - - - - - Performance enhancements: - - - - TCP code now only creates a new database connection for AXFR. - - - - - TCP connections timeout rather quickly now, leading to less load on the server. - - - - - Known bugs - - FreeBSD version does not stop when requested to do so. - - - Wildcard CNAMEs do not work as they do with bind. - - - Missing features - - - Features present in this document, but disabled or withheld from the current release: - - - - gmysqlbackend, oraclebackend, gpgsqlbackend - - - - - Some of these features will be present in newer releases. - - - - - Version 1.99.4 Early Access Prerelease - - A lot of new named.confs can now be parsed, zone2sql & bindbackend have gained features and stability. - - - Major bugs fixed: - - - - Label compression was not always enabled, leading to large reply packets sometimes. 
- - - - - Database errors on TCP server lead to a nameserver reload by the guardian. - - - - - MySQL backend neglected to close its connection properly. - - - - - BindParser miss parsed some IP addresses and netmasks. - - - - - Truncated answers were also truncated on the packetcache, leading to truncated TCP answers. - - - - - - Feature enhancements: - - - - Zone2sql and the bindbackend now understand the Bind $GENERATE{} syntax. - - - - - Zone2sql can optionally gloss over non-existing zones with --on-error-resume-next. - - - - - Zone2sql and the bindbackend now properly expand @ also on the right hand side of records. - - - - - Zone2sql now sets a default TTL. - - - - - DNS UPDATEs and NOTIFYs are now logged properly and sent the right responses. - - - - - - Performance enhancements: - - - - 'Fancy records' are no longer queried for on ANY queries - this is a big speedup. - - - - - Known bugs - - FreeBSD version does not stop when requested to do so. - - - Zone2sql refuses named.confs with less than 100 domains. - - - Wildcard CNAMEs do not work as they do with bind. - - - Missing features - - - Features present in this document, but disabled or withheld from the current release: - - - - gmysqlbackend, oraclebackend, gpgsqlbackend - - - - - Some of these features will be present in newer releases. - - - - - - Version 1.99.3 Early Access Prerelease - - The big news in this release is the BindBackend which is now capable of parsing many more named.conf Bind configurations. - Furthermore, PDNS has successfully parsed very large named.confs with large numbers of small domains, as well as small numbers of - large domains (TLD). - - - Zone transfers are now also much improved. - - - Major bugs fixed: - - - - zone2sql leaked file descriptors on each domain, used wrong Bison recursion leading to - parser stack overflows. This limited the amount of domains that could be parsed to 1024. 
- - - - - zone2sql can now read all known zone files, with the exception of those containing $GENERATE - - - - - Guardian relaunching a child lost two file descriptors - - - - - Don't die on a connection reset by peer during zone transfer. - - - - - Webserver does not crash anymore on ringbuffer resize - - - - - - Feature enhancements: - - - - AXFR can now be disabled, and re-enabled per IP address - - - - - --help accepts a parameter, will then show only help items with that prefix. - - - - - zone2sql now accepts a --zone-name parameter - - - - - BindBackend maturing - 9500 zones parsed in 3.5 seconds. No longer case sensitive. - - - - - - Performance enhancements: - - - - Implemented RFC-breaking AXFR format (which is the industry standard). Zone transfers now zoom along - at wire speed (many megabits/s). - - - - - Known bugs - - FreeBSD version does not stop when requested to do so. - - - BindBackend cannot parse zones with $GENERATE statements. - - - Missing features - - - Features present in this document, but disabled or withheld from the current release: - - - - gmysqlbackend, oraclebackend, gpgsqlbackend - - - - - Some of these features will be present in newer releases. - - - - - - Version 1.99.2 Early Access Prerelease - - Major bugs fixed: - - - - Database backend reload does not hang the daemon anymore - - - - - Buffer overrun in local socket address initialisation may have caused binding problems - - - - - setuid changed the uid to the gid of the selected user - - - - - zone2sql doesn't crash (dump core) on invocation anymore. Fixed lots of small issues. - - - - - Don't parse configuration file when creating configuration file. This was a problem with reinstalling. - - - - Performance improvements: - - - - removed a lot of unnecessary gettimeofday calls - - - - - removed needless select(2) call in case of listening on only one address - - - - - removed 3 useless syscalls in the fast path - - - - Having said that, more work may need to be done. 
Testing on a 486 saw packet rates in a simple setup - (question/wait/answer/question..) improve from 200 queries/second to over 400. - - - Usability improvements: - - - - Fixed error checking in init.d script (show, mrtg) - - - - - Added 'uptime' to the mrtg output - - - - - removed further GNUisms from installer and init.d scripts for use on FreeBSD - - - - - Debian package and apt repository, thanks to Wichert Akkerman. - - - - - FreeBSD /usr/ports, thanks to Peter van Dijk (in progress). - - - - - - - - Stability may be an issue as well as performance. This version has a tendency to log a bit too much which slows - the nameserver down a lot. - - - Known bugs - - Decreasing a ringbuffer on the website is a sure way to crash the daemon. Zone2sql, while improved, still - has problems with a zone in the following format: - - -name IN A 192.0.2.4 - IN A 192.0.2.5 - - - To fix, add 'name' to the second line. - - - Zone2sql does not close file descriptors. - - - - FreeBSD version does not stop when requested via the init.d script. - - - - Missing features - - Features present in this document, but disabled or withheld from the current release: - - - - gmysqlbackend, oraclebackend, gpgsqlbackend - - - - - fully functioning bindbackend - will try to parse named.conf, but probably fail - - - - - Some of these features will be present in newer releases. - - - - - - Version 1.99.1 Early Access Prerelease - - This is the first public release of what is going to become PDNS 2.0. As such, it is not of production quality. - Even PowerDNS-the-company does not run this yet. - - - Stability may be an issue as well as performance. This version has a tendency to log a bit too much which slows - the nameserver down a lot. - - Known bugs - - Decreasing a ringbuffer on the website is a sure way to crash the daemon. Zone2sql is very buggy. 
- - - Missing features - - Features present in this document, but disabled or withheld from the current release: - - - - gmysqlbackend, oraclebackend, gpgsqlbackend - - - - - fully functioning bindbackend - will not parse configuration files - - - - - Some of these features will be present in newer releases. - - - - - - - Security - - If you have a security problem to report, please email us at both security@netherlabs.nl and - ahu@ds9a.nl. Please do not mail security issues to public lists, nor file a ticket, - unless we do not get back to you in a timely manner. We fully credit reporters of security issues, and respond quickly, - but please allow us a reasonable timeframe to coordinate a response. - - - We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. - This license is included in the distribution and in this documentation, see . - - - - As of the 25th of September 2014, no actual security problems with PowerDNS 2.9.22.5, 3.0.1, Recursor 3.1.7.2, or later are known about, with the exception of Recursor 3.6.0 specifically. This page - will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications - will also be sent to all PowerDNS mailing lists. - - - Version 3.6.0 of the Recursor (but not 3.5.x) can be crashed remotely with a specific packet sequence. For more detail, see . - - - Versions 2.9.22 and lower and 3.0 of the PowerDNS Authoritative Server were vulnerable to a temporary denial of service attack. For more detail, - see . - - - Version 3.1.7.1 and earlier of the PowerDNS Recursor were vulnerable to a probably exploitable buffer overflow and a spoofing attack. - For more detail, see and - . - - - Version 3.1.4 and earlier of the PowerDNS recursor were vulnerable to a spoofing attack. For more detail, see . 
- - - Version 3.1.3 and earlier of the PowerDNS recursor contain two security issues, both of which can lead to a denial of service, both of which can be triggered - by remote users. One of the issues might be exploited and lead to a system compromise. For more detail, see and - . - - - Version 3.0 of the PowerDNS recursor contains a denial of service bug which can be exploited remotely. This bug, which we believe to only lead to a crash, - has been fixed in 3.0.1. There are no guarantees however, so an upgrade from 3.0 is highly recommended. - - - All versions of PowerDNS before 2.9.21.1 do not respond to certain queries. This in itself is not a problem, but since the discovery by Dan Kaminsky - of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances - to feed *other* resolvers bad data. - - - All versions of PowerDNS before 2.9.18 contain the following two bugs, which only apply to installations running with the LDAP backend, or installations providing recursion - to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised: - - - - The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, - but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot) - - - - - Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. - This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and - not a denial of a domain's existence. - - - - - - All versions of PowerDNS before 2.9.17 are known to suffer from remote denial of service problems which can disrupt operation. 
Please upgrade - to 2.9.17 as this page will only contain detailed security information from 2.9.17 onwards. - - - - PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable - - - PowerDNS Security Advisory - - - - - CVE - - - CVE-2006-4251 - - - - - Date - - - 13th of November 2006 - - - - - Affects - - - PowerDNS Recursor versions 3.1.3 and earlier, on all operating systems. - - - - - Not affected - - - No versions of the PowerDNS Authoritative Server ('pdns_server') are affected. - - - - - Severity - - - Critical - - - - - Impact - - - Potential remote system compromise. - - - - - Exploit - - - As far as we know, no exploit is available as of 11th of November 2006. - - - - - Solution - - - Upgrade to PowerDNS Recursor 3.1.4, or apply the patches referred below and recompile - - - - - Workaround - - - Disable TCP access to the Recursor. This will have slight operational impact, but it is likely that this will not lead - to meaningful degradation of service. Disabling access is best performed at packet level, either by configuring a firewall, or - instructing the host operating system to drop TCP connections to port 53. - Additionally, exposure can be limited by configuring the allow-from setting so only trusted users - can query your nameserver. - - - - -
-
- - PowerDNS Recursor 3.1.3 and previous miscalculate the length of incoming TCP DNS queries, and will attempt to read up to 4 gigabytes of query - into a 65535 byte buffer. - - - We have not verified if this problem might actually lead to a system compromise, but are acting on the assumption that it might. - - - For distributors, a minimal patch is available on the PowerDNS wiki. - Additionally, those shipping very old versions of the PowerDNS Recursor might benefit from this - patch. - - - The impact of these and other security problems can be lessened by considering the advice in . - -
- - PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash - - - PowerDNS Security Advisory - - - - - CVE - - - CVE-2006-4252 - - - - - Date - - - 13th of November 2006 - - - - - Affects - - - PowerDNS Recursor versions 3.1.3 and earlier, on all operating systems. - - - - - Not affected - - - No versions of the PowerDNS Authoritative Server ('pdns_server') are affected. - - - - - Severity - - - Moderate - - - - - Impact - - - Denial of service - - - - - Exploit - - - This problem can be triggered by sending queries for specifically configured domains - - - - - Solution - - - Upgrade to PowerDNS Recursor 3.1.4, or apply c919. - - - - - Workaround - - - None known. Exposure can be limited by configuring the allow-from setting so only trusted users - can query your nameserver. - - - - -
-
- - PowerDNS would recurse endlessly on encountering a CNAME loop consisting entirely of zero second CNAME records, eventually exceeding resources and crashing. - -
- - PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor - - - PowerDNS Security Advisory - - - - - CVE - - - Not yet assigned - - - - - Date - - - 31st of March 2008 - - - - - Affects - - - PowerDNS Recursor versions 3.1.4 and earlier, on most operating systems - - - - - Not affected - - - No versions of the PowerDNS Authoritative Server ('pdns_server') are affected. - - - - - Severity - - - Moderate - - - - - Impact - - - Data manipulation; client redirection - - - - - Exploit - - - This problem can be triggered by sending queries for specifically configured domains, sending - spoofed answer packets immediately afterwards. - - - - - Solution - - - Upgrade to PowerDNS Recursor 3.1.5, or apply changesets C1159, C1160 and C1164. - - - - - Workaround - - - None known. Exposure can be limited by configuring the allow-from setting so only trusted users - can query your nameserver. - - - - -
-
- - We would like to thank Amit Klein of Trusteer for bringing a serious - vulnerability to our attention which would enable a smart attacker to - 'spoof' previous versions of the PowerDNS Recursor into accepting possibly - malicious data. - - - Details can be found on - this Trusteer page. - - - This security problem was announced in this email message. - - - It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 - as soon as practicable, while we simultaneously note that busy servers are - less susceptible to the attack, but not immune. - - - The vulnerability is present on all operating systems where the behaviour - of the libc random() function can be predicted based on its past output. - This includes at least all known versions of Linux, as well as Microsoft - Windows, and probably FreeBSD and Solaris. - - - The magnitude of this vulnerability depends on internal details of the - system random() generator. For Linux, the mathematics of the random - generator are complex, but well understood and Amit Klein has written and - published a proof of concept that can successfully predict its output after - uninterrupted observation of 40-50 DNS queries. - - - Because the observation needs to be uninterrupted, busy PowerDNS Recursor - instances are harder to subvert - other data is highly likely to be - interleaved with traffic generated by an attacker. - - - Nevertheless, operators are urged to update at their earliest convenience. - -
- - PowerDNS Security Advisory 2008-02: By not responding to certain queries, domains become easier to spoof - - - PowerDNS Security Advisory - - - - - CVE - - - CVE-2008-3337 - - - - - Date - - - 6th of August 2008 - - - - - Affects - - - PowerDNS Authoritative Server 2.9.21 and earlier - - - - - Not affected - - - No versions of the PowerDNS Recursor ('pdns_recursor') are affected. - - - - - Severity - - - Moderate - - - - - Impact - - - Data manipulation; client redirection - - - - - Exploit - - - Domains with servers that drop certain queries can be spoofed using simpler measures than would - usually be required - - - - - Solution - - - Upgrade to PowerDNS Authoritative Server 2.9.21.1, or apply c1239. - - - - - Workaround - - - None known. - - - - -
-
- - Brian J. Dowling of Simplicity Communications has discovered a security implication of - the previous PowerDNS behaviour to drop queries it considers malformed. We are grateful that - Brian notified us quickly about this problem. - - - The implication is that while the PowerDNS Authoritative server itself does not face a security risk because - of dropping these malformed queries, other resolving nameservers run a higher risk of accepting spoofed - answers for domains being hosted by PowerDNS Authoritative Servers before 2.9.21.1. - - - While the dropping of queries does not aid sophisticated spoofing attempts, it does facilitate simpler attacks. - -
- - PowerDNS Security Advisory 2008-03: Some PowerDNS Configurations can be forced to restart remotely - - - PowerDNS Security Advisory - - - - - CVE - - - Not yet assigned - - - - - Date - - - 18th of November 2008 - - - - - Affects - - - PowerDNS Authoritative Server 2.9.21.1 and earlier - - - - - Not affected - - - No versions of the PowerDNS Recursor ('pdns_recursor') are affected. Versions not running in single threaded mode ('distributor-threads=1') are probably not affected. - - - - - Severity - - - Moderate - - - - - Impact - - - Denial of Service - - - - - Exploit - - - Send PowerDNS an CH HINFO query. - - - - - Solution - - - Upgrade to PowerDNS Authoritative Server 2.9.21.2, or wait for 2.9.22. - - - - - Workaround - - - Remove 'distributor-threads=1' if this is set. - - - - -
-
- - Daniel Drown discovered that his PowerDNS 2.9.21.1 installation crashed on receiving a HINFO CH query. In his enthusiasm, he shared - his discovery with the world, forcing a rapid over the weekend release cycle. - - - While we thank Daniel for his discovery, please study our security policy as outlined in before making vulnerabilities public. - - - It is believed that this issue only impacts PowerDNS Authoritative Servers operating with 'distributor-threads=1', but even on other configurations a database reconnect - occurs on receiving a CH HINFO query. - -
- - PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited - - - PowerDNS Security Advisory - - - - - CVE - - - CVE-2009-4009 - - - - - Date - - - 6th of January 2010 - - - - - Affects - - - PowerDNS Recursor 3.1.7.1 and earlier - - - - - Not affected - - - No versions of the PowerDNS Authoritative ('pdns_server') are affected. - - - - - Severity - - - Critical - - - - - Impact - - - Denial of Service, possible full system compromise - - - - - Exploit - - - Withheld - - - - - Solution - - - Upgrade to PowerDNS Recursor 3.1.7.2 or higher - - - - - Workaround - - - None. The risk of exploitation or denial of service can be decreased slightly by using the 'allow-from' setting to only provide service to known users. The risk of a full system - compromise can be reduced by running with a suitable reduced privilege user and group settings, and possibly chroot environment. - - - - -
-
- - Using specially crafted packets, it is possible to force a buffer overflow in the PowerDNS Recursor, leading to a crash. - - - This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in - improving PowerDNS security. - -
- - PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data - - - PowerDNS Security Advisory - - - - - CVE - - - CVE-2009-4010 - - - - - Date - - - 6th of January 2010 - - - - - Affects - - - PowerDNS Recursor 3.1.7.1 and earlier - - - - - Not affected - - - No versions of the PowerDNS Authoritative ('pdns_server') are affected. - - - - - Severity - - - High - - - - - Impact - - - Using smart techniques, it is possible to fool the PowerDNS Recursor into accepting unauthorized data - - - - - Exploit - - - Withheld - - - - - Solution - - - Upgrade to PowerDNS Recursor 3.1.7.2 or higher - - - - - Workaround - - - None. - - - - -
-
- - Using specially crafted zones, it is possible to fool the PowerDNS Recursor into accepting bogus data. This data might be harmful to your users. - An attacker would be able to divert data from, say, bigbank.com to an IP address of his choosing. - - - This vulnerability was discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in - improving PowerDNS security. - -
- - PowerDNS Security Advisory 2012-01: PowerDNS Authoritative Server can be caused to generate a traffic loop - - - PowerDNS Security Advisory - - - - - CVE - - - CVE-2012-0206 - - - - - Date - - - 10th of January 2012 - - - - - Credit - - - Ray Morris of BetterCGI.com. - - - - - Affects - - - Most PowerDNS Authoritative Server versions < 3.0.1 (with the exception of 2.9.22.5 and 2.9.22.6) - - - - - Not affected - - - No versions of the PowerDNS Recursor ('pdns_recursor') are affected. - - - - - Severity - - - High - - - - - Impact - - - Using well crafted UDP packets, one or more PowerDNS servers could be made to enter a tight packet loop, causing temporary denial of service - - - - - Exploit - - - Proof of concept - - - - - Risk of system compromise - - - No - - - - - Solution - - - Upgrade to PowerDNS Authoritative Server 2.9.22.5 or 3.0.1 - - - - - Workaround - - - Several, the easiest is setting: cache-ttl=0, which does have a performance impact. Please see below. - - - - -
-
- - Affected versions of the PowerDNS Authoritative Server can be made to respond to DNS responses, thus enabling - an attacker to setup a packet loop between two PowerDNS servers, perpetually answering each other's answers. In some scenarios, - a server could also be made to talk to itself, achieving the same effect. - - - If enough bouncing traffic is generated, this will overwhelm the server or network and disrupt service. - - - As a workaround, if upgrading to a non-affected version is not possible, several options are available. The issue is caused by the packet-cache, which can be disabled by setting 'cache-ttl=0', - although this does incur a performance penalty. This can be partially addressed by raising the query-cache-ttl to a (far) higher value. - - - Alternatively, on Linux systems with a working iptables setup, 'responses' sent to the PowerDNS Authoritative Server 'question' address can be - blocked by issuing: - - iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0>>22&0x3C@8>>15&0x01=1" -j DROP - - If this command is used on a router or firewall, substitute FORWARD for INPUT. - - - To solve this issue, we recommend upgrading to the latest packages available for your system. - Tarballs and new static builds (32/64bit, RPM/DEB) of 2.9.22.5 and 3.0.1 have been uploaded to - our download site. - Kees Monshouwer has provided updated CentOS/RHEL packages in his repository. Debian, Fedora and SuSE should have packages available shortly after this announcement. 
- - - For those running custom PowerDNS versions, just applying this patch may be easier: - ---- pdns/common_startup.cc (revision 2326) -+++ pdns/common_startup.cc (working copy) -@@ -253,7 +253,9 @@ - numreceived4++; - else - numreceived6++; -- -+ if(P->d.qr) -+ continue; -+ - S.ringAccount("queries", P->qdomain+"/"+P->qtype.getName()); - S.ringAccount("remotes",P->getRemote()); - if(logDNSQueries) { - - It should apply cleanly to 3.0 and with little trouble to several older releases, including 2.9.22 and 2.9.21. - - - This bug resurfaced because over time, the check for 'not responding to responses' moved to the wrong place, allowing certain responses - to be processed anyhow. - - - We would like to thank Ray Morris of BetterCGI.com for bringing this issue to our attention and - Aki Tuomi for helping us reproduce the problem. - -
- - PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely - - - PowerDNS Security Advisory - - - - - CVE - - - CVE-2014-3614 - - - - - Date - - - 10th of September 2014 - - - - - Credit - - - Dedicated PowerDNS users willing to study a crash that happens once every few months (thanks) - - - - - Affects - - - Only PowerDNS Recursor version 3.6.0. - - - - - Not affected - - - No other versions of PowerDNS Recursor, no versions of PowerDNS Authoritative Server - - - - - Severity - - - High - - - - - Impact - - - Crash - - - - - Exploit - - - The sequence of packets required is known - - - - - Risk of system compromise - - - No - - - - - Solution - - - Upgrade to PowerDNS Recursor 3.6.1 - - - - - Workaround - - - Restrict service using allow-from, install script that restarts PowerDNS - - - - -
-
- -Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) -can crash when exposed to a specific sequence of malformed packets. This -sequence happened spontaneously with one of our largest deployments, and -the packets did not appear to have a malicious origin. - -Yet, this crash can be triggered remotely, leading to a denial of service -attack. There appears to be no way to use this crash for system compromise -or stack overflow. - - -Upgrading to 3.6.1 solves the issue. - - -In addition, if you want to apply a minimal fix to your own tree, it can be found -here - - -As for workarounds, only clients in allow-from are able to trigger the crash, -so this should be limited to your userbase. Secondly, -this -and -this -can be used to enable Upstart and Systemd to restart the PowerDNS Recursor -automatically. - - -
- - Acknowledgements - - PowerDNS is grateful for the help of the following people or institutions: - - Dave Aaldering - Wichert Akkerman - Antony Antony - Mike Benoit (NetNation Communication Inc) - Peter van Dijk - Koos van den Hout - Andre Koopal - Eric Veldhuyzen - Paul Wouters - Thomas Wouters - IETF Namedroppers mailing list - - Thanks! - - - (these people don't share the blame for any errors or mistakes in powerdns - those are all ours) - - -
- - - Installing on Unix - - You will typically install PDNS > 2.9 via source or via a package. Earlier versions used a clumsy binary installer. - - - Possible problems at this point - - At this point some things may have gone wrong. Typical errors include: - - - error while loading shared libraries: libstdc++.so.x: cannot open shared object file: No such file or directory - - - Errors looking like this indicate a mismatch between your PDNS distribution and your Unix operating system. Download the static PDNS - distribution for your operating system and try again. Please contact pdns@powerdns.com if this is impractical. - - - - - - - - -Testing your install - - After installing, it is a good idea to test the basic functionality of the software before configuring database backends. - For this purpose, PowerDNS contains the 'bindbackend' which has a domain built in example.com, which is - officially reserved for testing. - - To test, edit pdns.conf and add the following if not already present: - - - launch=bind - bind-example-zones - - - - - As of 2.9.21, the BIND backend no longer features the 'bind-example-zones' command. - - - - This configures powerdns to 'launch' the bindbackend, and enable the example zones. To fire up PDNS in testing mode, execute: - /etc/init.d/pdns monitor, where you may have to substitute the location of your SysV init.d location you - specified earlier. - - In monitor mode, the pdns process runs in the foreground and is very verbose, which is perfect for testing your install. - - If everything went all right, you can query the example.com domain like this: - - host www.example.com 127.0.0.1 - - www.example.com should now have IP address 192.0.2.4. The host command can usually be found in the dnsutils - package of your operating system. Alternate command is: dig www.example.com A @127.0.0.1 or even - nslookup www.example.com 127.0.0.1, although nslookup is not advised for DNS diagnostics. 
- - - - - example.com SOA record - - - - - example.com NS record pointing to ns1.example.com - - - - - example.com NS record pointing to ns2.example.com - - - - - example.com MX record pointing to mail.example.com - - - - - example.com MX record pointing to mail1.example.com - - - - - mail.example.com A record pointing to 4.3.2.1 - - - - - mail1.example.com A record pointing to 5.4.3.2 - - - - - ns1.example.com A record pointing to 4.3.2.1 - - - - - ns2.example.com A record pointing to 5.4.3.2 - - - - - host-0 to host-9999.example.com A record pointing to 2.3.4.5 - - - - - - When satisfied that basic functionality is there, type QUIT to exit the monitor mode. - The adventurous may also type SHOW * to see some internal statistics. - - In case of problems, you will want to read the following section. - - - - Typical errors - - At this point some things may have gone wrong. Typical errors include: - - - binding to UDP socket: Address already in use - - - This means that another nameserver is listening on port 53 already. You can resolve this problem - by determining if it is safe to shutdown the nameserver already present, and doing so. If uncertain, - it is also possible to run PDNS on another port. To do so, add local-port=5300 to - pdns.conf, and try again. This however implies that you can only test your nameserver - as clients expect the nameserver to live on port 53. - - - - - binding to UDP socket: Permission denied - - - You must be superuser in order to be able to bind to port 53. If this is not a possibility, - it is also possible to run PDNS on another port. To do so, add local-port=5300 to - pdns.conf, and try again. This however implies that you can only test your nameserver - as clients expect the nameserver to live on port 53. - - - - - Unable to launch, no backends configured for querying - - - PDNS did not find the launch=bind instruction in pdns.conf. 
- - - - - Multiple IP addresses on your server, PDNS sending out answers on the wrong one - Massive amounts of 'recvfrom gave error, ignoring: Connection refused' - - - If you have multiple IP addresses on the internet on one machine, UNIX often sends out answers over another interface - than which the packet came in on. In such cases, use local-address to bind to specific IP addresses, which - can be comma separated. The second error comes from remotes disregarding answers to questions it didn't ask to that IP address - and sending back ICMP errors. - - - - - - - - - - - Running PDNS on unix - - - PDNS is normally controlled via a SysV-style init.d script, often located in /etc/init.d or - /etc/rc.d/init.d. This script accepts the following commands: - - - monitor - - - Monitor is a special way to view the daemon. It executes PDNS in the foreground with - a lot of logging turned on, which helps in determining startup problems. - - Besides running in the foreground, the raw PDNS control socket is made available. All external - communication with the daemon is normally sent over this socket. While useful, the control console - is not an officially supported feature. Commands which work are: QUIT, SHOW *, - SHOW varname, RPING. - - - - - start - - - Start PDNS in the background. Launches the daemon but makes no special effort to determine success, - as making database connections may take a while. Use status to query success. You - can safely run start many times, it will not start additional PDNS instances. - - - - - restart - - - Restarts PDNS if it was running, starts it otherwise. - - - - - status - - - Query PDNS for status. This can be used to figure out if a launch was successful. - The status found is prefixed by the PID of the main PDNS process. - - - - - stop - - - Requests that PDNS stop. Again, does not confirm success. Success can be ascertained with the status command. - - - - - - dump - - - Dumps a lot of statistics of a running PDNS daemon. 
It is also possible to single out specific variable by using - the show command. - - - - - - show variable - - - Show a single statistic, as present in the output of the dump. - - - - - - mrtg - - - See the performance monitoring . - - - - - - - - - - - Installing on Microsoft Windows - - - - Starting with version 3.0, Windows is no longer supportd. - - - - - - - Basic setup: configuring database connectivity - - This chapter shows you how to configure the Generic MySQL backend, which we like a lot. But feel free to use any of the myriad - other backends. - This backend is called 'gmysql', and needs to be configured - in pdns.conf. Add the following lines, adjusted for your local setup: - - - launch=gmysql - gmysql-host=127.0.0.1 - gmysql-user=root - gmysql-dbname=pdns - gmysql-password=mysecretpassword - - - Remove any earlier launch statements. Also remove the bind-example-zones - statement as the bind module is no longer launched. - - - - - Make sure that you can actually resolve the hostname of your database without accessing the database! It is advised to supply - an IP address here to prevent chicken/egg problems! - - - - - Be very very sure that you configure the *g*mysql backend and not the mysql backend. See - . If you use the 'mysql' backend things will only appear to work. - (The 'mysql' backend was removed in version 3.1). - - - - - Now start PDNS using the monitor command: - - # /etc/init.d/pdns monitor - (...) - 15:31:30 About to create 3 backend threads - 15:31:30 [gMySQLbackend] Failed to connect to database: Error: Unknown database 'pdns' - 15:31:30 [gMySQLbackend] Failed to connect to database: Error: Unknown database 'pdns' - 15:31:30 [gMySQLbackend] Failed to connect to database: Error: Unknown database 'pdns' - - - This is as to be expected - we did not yet add anything to MySQL for PDNS to read from. At this point you may also see - other errors which indicate that PDNS either could not find your MySQL server or was unable to connect to it. 
Fix these - before proceeding. - - - General MySQL knowledge is assumed in this chapter, please do not interpret these commands as DBA advice! - - Example: configuring MySQL - - Connect to MySQL as a user with sufficient privileges and issue the following commands: - - - Now we have a database and an empty table. PDNS should now be able to launch in monitor mode and display no errors: - - - # /etc/init.d/pdns monitor - (...) - 15:31:30 PowerDNS 1.99.0 (Mar 12 2002, 15:00:28) starting up - 15:31:30 About to create 3 backend threads - 15:39:55 [gMySQLbackend] MySQL connection succeeded - 15:39:55 [gMySQLbackend] MySQL connection succeeded - 15:39:55 [gMySQLbackend] MySQL connection succeeded - - - A sample query sent to the database should now return quickly without data: - - $ host www.example.com 127.0.0.1 - www.example.com A record currently not present at localhost - - - And indeed, the control console now shows: - - Mar 12 15:41:12 We're not authoritative for 'www.example.com', sending unauth normal response - - - Now we need to add some records to our database: - - # mysql pdnstest - mysql> INSERT INTO domains (name, type) values ('example.com', 'NATIVE'); - INSERT INTO records (domain_id, name, content, type,ttl,prio) - VALUES (1,'example.com','localhost ahu@ds9a.nl 1','SOA',86400,NULL); - INSERT INTO records (domain_id, name, content, type,ttl,prio) - VALUES (1,'example.com','dns-us1.powerdns.net','NS',86400,NULL); - INSERT INTO records (domain_id, name, content, type,ttl,prio) - VALUES (1,'example.com','dns-eu1.powerdns.net','NS',86400,NULL); - INSERT INTO records (domain_id, name, content, type,ttl,prio) - VALUES (1,'www.example.com','192.0.2.10','A',120,NULL); - INSERT INTO records (domain_id, name, content, type,ttl,prio) - VALUES (1,'mail.example.com','192.0.2.12','A',120,NULL); - INSERT INTO records (domain_id, name, content, type,ttl,prio) - VALUES (1,'localhost.example.com','127.0.0.1','A',120,NULL); - INSERT INTO records (domain_id, name, content, 
type,ttl,prio) - VALUES (1,'example.com','mail.example.com','MX',120,25); - - Host names and the MNAME of a SOA records are NEVER terminated with a '.' in PowerDNS storage! If a trailing '.' is present - it will inevitably cause problems, problems that may be hard to debug. - If we now requery our database, www.example.com should be present: - - $ host www.example.com 127.0.0.1 - www.example.com A 192.0.2.10 - - $ host -v -t mx example.com 127.0.0.1 - Address: 127.0.0.1 - Aliases: localhost - - Query about example.com for record types MX - Trying example.com ... - Query done, 1 answer, authoritative status: no error - example.com 120 IN MX 25 mail.example.com - Additional information: - mail.example.com 120 IN A 192.0.2.12 - - - To confirm what happened, issue the command SHOW * to the control console: - - % show * - corrupt-packets=0,latency=0,packetcache-hit=2,packetcache-miss=5,packetcache-size=0, - qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0,tcp-queries=0, - timedout-packets=0,udp-answers=7,udp-queries=7, - % - - The actual numbers will vary somewhat. Now enter QUIT and start PDNS as a regular daemon, and check launch status: - - - # /etc/init.d/pdns start - pdns: started - # /etc/init.d/pdns status - pdns: 8239: Child running - # /etc/init.d/pdns dump - pdns: corrupt-packets=0,latency=0,packetcache-hit=0,packetcache-miss=0, - packetcache-size=0,qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0, - tcp-queries=0,timedout-packets=0,udp-answers=0,udp-queries=0, - - - You now have a working database driven nameserver! To convert other zones already present, use the zone2sql - described in Appendix A. - - Common problems - - Most problems involve PDNS not being able to connect to the database. - - - Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) - - - Your MySQL installation is probably defaulting to another location for its socket. 
Can be resolved - by figuring out this location (often /var/run/mysqld.sock), and specifying it - in the configuration file with the gmysql-socket parameter. - - - Another solution is to not connect to the socket, but to 127.0.0.1, which can be achieved by specifying - gmysql-host=127.0.0.1. - - - - - Host 'x.y.z.w' is not allowed to connect to this MySQL server - - - These errors are generic MySQL errors. Solve them by trying to connect to your MySQL database with the MySQL - console utility mysql with the parameters specified to PDNS. Consult the MySQL documentation. - - - - - - - - - - - Dynamic resolution using the PipeBackend - - Also included in the PDNS distribution is the PipeBackend. The PipeBackend is primarily meant for - allowing rapid development of new backends without tight integration with PowerDNS. It allows - end-users to write PDNS backends in any language. A perl sample is provided. - - The PipeBackend is also very well suited for dynamic resolution of queries. Example applications include - DNS based load balancing, geo-direction, DNS based failover with low TTLs. - - - The Pipe Backend also has a separate chapter in the backends appendix, see . - - - - - The Pipe Backend currently does not function under FreeBSD 4.x and 5.x, probably due to unfavorable interactions between - its threading implementation and the fork system call. - - - Interestingly, the Linux PowerDNS binary running under the Linuxulator on FreeBSD does work. - - - - Deploying the PipeBackend with the BindBackend - - Included with the PDNS distribution is the example.pl backend which has knowledge of the example.com zone, just like - the BindBackend. To install both, add the following to your pdns.conf: - - launch=pipe,bind - bind-example-zones - pipe-command=location/of/backend.pl - - Please adjust the pipe-command statement to the location of the unpacked PDNS distribution. If your backend is slow, - raise pipe-timeout from its default of 2000ms. 
- - Now launch PDNS in monitor mode, and perform some queries. Note the difference with the earlier experiment where only the - BindBackend was loaded. The PipeBackend is launched first and thus gets queried first. - - The sample backend.pl script knows about: - - - - webserver.example.com A records pointing to 192.0.2.4, 192.0.2.5, 192.0.2.6 - - - - - www.example.com CNAME pointing to webserver.example.com - - - - - MBOXFW (mailbox forward) records pointing to powerdns@example.com. - See the smtpredir documentation for information about MBOXFW. - - - - - For more information about how to write exciting backends with the PipeBackend, see . - - - - - - Logging & Monitoring Authoritative Server performance - - In a production environment, you will want to be able to monitor PDNS performance. For this purpose, currently - two methods are available, the webserver and the init.d -dump, show and - mrtg, commands. Furthermore, PDNS can perform a configurable amount of operational logging. This chapter - also explains how to configure syslog for best results. - - Webserver - - To launch the internal webserver, add a webserver statement to the pdns.conf. This - will instruct the PDNS daemon to start a webserver on localhost at port 8081, without password protection. - Only local users (on the same host) will be able to access the webserver by default. - - The webserver lists a lot of information about the PDNS process, including frequent queries, frequently failing queries, - lists of remote hosts sending queries, hosts sending corrupt queries etc. The webserver does not allow - remote management of the daemon. - - The following webserver related configuration items are available: - - - webserver - - - If set to anything but 'no', a webserver is launched. - - - - - webserver-address - - - Address to bind the webserver to. Defaults to 127.0.0.1, which implies that only the local computer - is able to connect to the nameserver! 
To allow remote hosts to connect, change to 0.0.0.0 or the - physical IP address of your nameserver. - - - - - webserver-password - - - If set, viewers will have to enter this plaintext password in order to gain access to the statistics. - - - - - webserver-port - - - Port to bind the webserver to. Defaults to 8081. - - - - - - - - Via init.d commands - - As mentioned before, the init.d commands dump, show and - mrtg fetch data from a running PDNS process. Especially mrtg is powerful - - it outputs data in a format that is ready for processing by the MRTG graphing tool. - - - MRTG can make insightful graphics on the performance of your nameserver, enabling the operator to easily spot trends. - MRTG can be found on - - http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg.html - - - - A sample mrtg.conf: - -Interval: 5 -WorkDir: /var/www/mrtg -WriteExpires: yes -Options[_]: growright,nopercent -XSize[_]: 600 - -#--------------------------------------------------------------- - -Target[udp-queries]: `/etc/init.d/pdns mrtg udp-queries udp-answers` -Options[udp-queries]: growright,nopercent,perminute -MaxBytes[udp-queries]: 600000 -AbsMax[udp-queries]: 600000 -Title[udp-queries]: Queries per minute -PageTop[udp-queries]: <H2>Queries per minute</H2> -WithPeak[udp-queries]: ymwd -YLegend[udp-queries]: queries/minute -ShortLegend[udp-queries]: q/m -LegendI[udp-queries]: udp-questions -LegendO[udp-queries]: udp-answers - - -Target[perc-failed]: `/etc/init.d/pdns mrtg udp-queries udp-answers` -Options[perc-failed]: growright,dorelpercent,perminute -MaxBytes[perc-failed]: 600000 -AbsMax[perc-failed]: 600000 -Title[perc-failed]: Queries per minute, with percentage success -PageTop[perc-failed]: <H2>Queries per minute, with percentage success</H2> -WithPeak[perc-failed]: ymwd -YLegend[perc-failed]: queries/minute -ShortLegend[perc-failed]: q/m -LegendI[perc-failed]: udp-questions -LegendO[perc-failed]: udp-answers - - -Target[packetcache-rate]: `/etc/init.d/pdns mrtg 
packetcache-hit udp-queries` -Options[packetcache-rate]: growright,dorelpercent,perminute -Title[packetcache-rate]: packetcache hitrate -MaxBytes[packetcache-rate]: 600000 -AbsMax[packetcache-rate]: 600000 -PageTop[packetcache-rate]: <H2>packetcache hitrate</H2> -WithPeak[packetcache-rate]: ymwd -YLegend[packetcache-rate]: queries/minute -ShortLegend[packetcache-rate]: q/m -LegendO[packetcache-rate]: total -LegendI[packetcache-rate]: hit - -Target[packetcache-missrate]: `/etc/init.d/pdns mrtg packetcache-miss udp-queries` -Options[packetcache-missrate]: growright,dorelpercent,perminute -Title[packetcache-missrate]: packetcache MISSrate -MaxBytes[packetcache-missrate]: 600000 -AbsMax[packetcache-missrate]: 600000 -PageTop[packetcache-missrate]: <H2>packetcache MISSrate</H2> -WithPeak[packetcache-missrate]: ymwd -YLegend[packetcache-missrate]: queries/minute -ShortLegend[packetcache-missrate]: q/m -LegendO[packetcache-missrate]: total -LegendI[packetcache-missrate]: MISS - -Target[latency]: `/etc/init.d/pdns mrtg latency` -Options[latency]: growright,nopercent,gauge -MaxBytes[latency]: 600000 -AbsMax[latency]: 600000 -Title[latency]: Query/answer latency -PageTop[latency]: <H2>Query/answer latency</H2> -WithPeak[latency]: ymwd -YLegend[latency]: usec -ShortLegend[latency]: usec -LegendO[latency]: latency -LegendI[latency]: latency - -Target[recursing]: `/etc/init.d/pdns mrtg recursing-questions recursing-answers` -Options[recursing]: growright,nopercent,gauge -MaxBytes[recursing]: 600000 -AbsMax[recursing]: 600000 -Title[recursing]: Recursive questions/answers -PageTop[recursing]: <H2>Recursing questions/answers</H2> -WithPeak[recursing]: ymwd -YLegend[recursing]: queries/minute -ShortLegend[recursing]: q/m -LegendO[recursing]: recursing-questions -LegendI[recursing]: recursing-answers - - - - - Operational logging using syslog - (logging-facility is available from 1.99.10 and onwards) - - This chapter assumes familiarity with syslog, the unix logging device. 
PDNS logs messages with different levels. The more urgent the - message, the lower the 'priority'. By default, PDNS will only log messages with an urgency of 3 or lower, but this can be changed - using the loglevel setting in the configuration file. Setting it to 0 will eliminate all logging, 9 will log - everything. - - - By default, logging is performed under the 'DAEMON' facility which is shared with lots of other programs. If you regard nameserving - as important, you may want to have it under a dedicated facility so PDNS can log to its own files, and not clutter generic files. - - - For this purpose, syslog knows about 'local' facilities, numbered from LOCAL0 to LOCAL7. To move PDNS logging to LOCAL0, add - logging-facility=0 to your configuration. - - - Furthermore, you may want to have separate files for the differing priorities - preventing lower priority messages from obscuring - important ones. - - - A sample syslog.conf might be: - -local0.info -/var/log/pdns.info -local0.warn -/var/log/pdns.warn -local0.err /var/log/pdns.err - - - - Where local0.err would store the really important messages. For performance and disk space reasons, it is advised - to audit your syslog.conf for statements also logging PDNS activities. Many syslog.confs have a '*.*' statement to - /var/log/syslog, which you may want to remove. - - - For performance reasons, be especially certain that no large amounts of synchronous logging take place. Under Linux, this - is indicated by file names not starting with a '-' - indicating a synchronous log, which hurts performance. - - - Be aware that syslog by default logs messages at the configured priority and higher! To log only info messages, use - local0.=info. - - - - Security settings & considerations - Settings - PDNS has several options to easily allow it to run more securely. Most notable are the chroot, - setuid and setgid options which can be specified. 
- - For additional information on PowerDNS security, PowerDNS security incidents and PowerDNS security policy, see . - - Running as a less privileged identity - - By specifying setuid and setgid, PDNS changes to this identity shortly after - binding to the privileged DNS ports. These options are highly recommended. It is suggested that a separate identity - is created for PDNS as the user 'nobody' is in fact quite powerful on most systems. - - - - Both these parameters can be specified either numerically or as real names. - You should set these parameters immediately if they are not set! - - - Jailing the process in a chroot - - The chroot option secures PDNS to its own directory so that even if it should become compromised and - under control of external influences, it will have a hard time affecting the rest of the system. - - - Even though this will hamper hackers a lot, chroot jails have been known to be broken. - - - - - When chrooting PDNS, take care that backends will be able to get to their files. Many databases need access to a UNIX - domain socket which should live within the chroot. It is often possible to hardlink such a socket into the chroot dir. - - - When running with master or slave support, be aware that many operating systems need access to specific libraries - (often /lib/libnss*) in order to support resolution of domain names! You can also hardlink these. - - - In addition, make sure that /dev/log is available from within the chroot. Logging will silently fail - over time otherwise (on logrotate). - - - - The default PDNS configuration is best chrooted to ./, which boils down to the configured location - of the controlsocket. - - This is achieved by adding the following to pdns.conf: chroot=./, and restarting PDNS. - - - - Security polling - - As of Authoritative Server 3.4.1 and Recursor 3.6.2, PowerDNS products can poll the security status - of their respective versions. This polling, naturally, happens over DNS. 
If the result is that a given - version has a security problem, the software will report this at level 'Error' during startup, and - repeatedly during operations. - - - By default, security polling happens on the domain 'secpoll.powerdns.com', but this can be changed with the - security-poll-suffix. If this setting is made empty, no polling will take place. Organizations - wanting to host their own security zones can do so by changing this setting to a domain name under their control. - - - To make this easier, the zone used to host secpoll.powerdns.com is available here. - - - To enable distributors of PowerDNS to signal that they have backported versions, the PACKAGEVERSION compilation-time - macro can be used to set a distributor suffix. - - - Further implementation detail on this feature can be found here. Furthermore, there is a post about it on our blog. - - - - Considerations - - In general, make sure that the PDNS process is unable to execute commands on your backend database. - Most database backends will only need SELECT privilege. Take care to not connect to your database as the 'root' - or 'sa' user, and configure the chosen user to have very slight privileges. - - - Databases empathically do not need to run on the same machine that runs PDNS! In fact, in benchmarks - it has been discovered that having a separate database machine actually improves performance. - - - Separation will enhance your database security highly. Recommended. - - - - - Virtual hosting - - It may be advantageous to run multiple separate PDNS installations on a single host, for example to make sure - that different customers cannot affect each others zones. PDNS fully supports running multiple instances on one host. - - - To generate additional PDNS instances, copy the init.d script pdns to pdns-name, - where name is the name of your virtual configuration. Must not contain a - as this will confuse the - script. 
- - - When you launch PDNS via this renamed script, it will seek configuration instructions not in pdns.conf - but in pdns-name.conf, allowing for separate specification of parameters. - - - Be aware however that the init.d force-stop will kill all PDNS instances! - - - - Authoritative Server Performance - General advice - - In general, best performance is achieved on recent Linux 3.x kernels and using MySQL, although many of the largest PowerDNS - installations are based on PostgreSQL. FreeBSD also performs very well. - - - Database servers can require configuration to achieve decent performance. It is especially worth noting that - several vendors ship PostgreSQL with a slow default configuration. - - - When deploying (large scale) IPv6, please be aware some - Linux distributions leave IPv6 routing cache tables at very small - default values. Please check and if necessary raise 'sysctl - net.ipv6.route.max_size'. - - - - Performance related settings - - When PowerDNS starts up it creates a number of threads to listen for - packets. This is configurable with the - receiver-threads setting which defines how many - sockets will be opened by the powerdns process. In versions of linux - before kernel 3.9 having too many receiver threads set up resulted in - decreased performance due to socket contention between multiple CPUs - - the typical sweet spot was 3 or 4. For optimal performance on kernel 3.9 - and following with reuseport enabled you'll typically - want a receiver thread for each core on your box if backend - latency/performance is not an issue and you want top performance. - - - Different backends will have different characteristics - some will want to have more parallel - instances than others. In general, if your backend is latency bound, like most relational databases are, - it pays to open more backends. - - - This is done with the distributor-threads setting - which says how many distributors will be opened for each receiver thread. 
- Of special importance is the choice between 1 or more backends. In case - of only 1 thread, PDNS reverts to unthreaded operation which may be a lot - faster, depending on your operating system and architecture. - - - Another very important setting is cache-ttl. PDNS caches entire packets it sends out so as to save the - time to query backends to assemble all data. The default setting of 20 seconds may be low for high traffic sites, a value of - 60 seconds rarely leads to problems. - - - Some PDNS operators set cache-ttl to many hours or even days, and use pdns_control purge to selectively - or globally notify PDNS of changes made in the backend. Also look at the Query Cache described in this chapter. It may - materially improve your performance. - - - To determine if PDNS is unable to keep up with packets, determine the value of the qsize-q variable. - This represents the number of packets waiting for database attention. During normal operations the queue should be small. - - - - Logging truly kills performance as answering a question from the cache is an order of magnitude less work than logging a - line about it. Busy sites will prefer to turn log-dns-details off. - - Packet Cache - - PDNS by default uses the 'Packet Cache' to recognise identical questions and supply them with identical answers, without any further - processing. The default time to live is 10 seconds. It has been observed that the utility of the packet cache increases with the load on - your nameserver. - - - Not all backends may benefit from the packetcache. If your backend is memory based and does not lead to context switches, the packetcache - may actually hurt performance. - - - The size of the packetcache can be observed with /etc/init.d/pdns show packetcache-size - - - Query Cache - - Besides entire packets, PDNS can also cache individual backend queries. Each DNS query leads to a number of backend queries, - the most obvious additional backend query is the check for a possible CNAME. 
So, when a query comes in for the 'A' record for - 'www.powerdns.com', PDNS must first check for a CNAME for 'www.powerdns.com'. - - - The Query Cache caches these backend queries, many of which are quite repetitive. PDNS only caches queries with no answer, - or with exactly one. In the future this may be expanded but this lightweight solution is very simple and therefore fast. - - - Most gain is made from caching negative entries, ie, queries that have no answer. As these take little memory to store and - are typically not a real problem in terms of speed-of-propagation, the default TTL for negative queries is a rather high 60 seconds. - - - This only is a problem when first doing a query for a record, adding it, and immediately doing a query for that record again. It may - then take up to 60 seconds to appear. Changes to existing records however do not fall under the negative query ttl - (negquery-cache-ttl), but under the generic query-cache-ttl which defaults to 20 seconds. - - - The default values should work fine for many sites. When tuning, keep in mind that the Query Cache mostly saves database access - but that the Packet Cache also saves a lot of CPU because 0 internal processing is done when answering a question from the - Packet Cache. - - - - - Migrating to PowerDNS - - Before migrating to PowerDNS a few things should be considered. - - - PowerDNS does not operate as a 'slave' or 'master' server with all backends - - - Only the Generic SQL, OpenDBX and BIND backends have the ability to act as master or slave. - - - - - To migrate, the zone2sql tool is provided. - - - Additionally, the PowerDNS source comes with a number of diagnostic tools, which can be helpful in verifying proper - PowerDNS operation, versus incumbent nameservers. See for more details. - - Zone2sql - - Zone2sql parses Bind named.conf files and zone files and outputs SQL - on standard out, which can then be fed to your database. 
- - - Zone2sql understands the Bind master file extension '$GENERATE' and will also honour '$ORIGIN' and '$TTL'. - - - For backends supporting slave operation (currently only the Generic PostgreSQL, Generic MySQL and BIND backend), there is also an option to - keep slave zones as slaves, and not convert them to native operation. - - - zone2sql can generate SQL for the Generic PostgreSQL, Generic MySQL and - Oracle backends. - The following commands are available: - - - - - - --bare - - - Output in a bare format, suitable for further parsing. The output is formatted as follows: - - domain_id<TAB>'qname'<TAB>'qtype'<TAB>'content'<TAB>prio<TAB>ttl - - - - - - --gmysql - - - Output in format suitable for the default configuration of the Generic MySQL backend. - - - - - --gpgsql - - - Output in format suitable for the default configuration of the Generic PostgreSQL backend. - - - - - --help - - - List options. - - - - - --named-conf=... - - - Parse this named.conf to find locations of zones. - - - - - --on-error-resume-next - - - Ignore missing files during parsing. Dangerous. - - - - - --oracle - - - Output in format suitable for the default configuration of the Generic Oracle backend. - - - - - --slave - - - Maintain slave status of zones listed in named.conf as being slaves. The default behaviour is to convert all zones - to native operation. - - - - - --transactions - - - For Oracle and PostgreSQL output, wrap each domain in a transaction for higher speed and integrity. - - - - - --verbose - - - Be verbose during conversion. - - - - - --zone=... - - - Parse only this zone file. Conflicts with --named-conf parameter. - - - - - --zone-name=... - - - When parsing a single zone without $ORIGIN statement, set this as the zone name. - - - - - - - - Notes on upgrading - From PowerDNS Authoritative Server 2.9.x to 3.0 - - The 3.0 release of the PowerDNS Authoritative Server is significantly different from previous 2.9.x versions. 
This section lists - important things to be aware of. - - - Version 3.0 of the PowerDNS Authoritative Server is the biggest change in PowerDNS history. In some senses, this means that - it behaves somewhat like a '1.0' version. We advise operators to carefully perform the upgrade process from 2.9.x, and - if possible test on a copy of the database beforehand. - - - In addition, it may also be useful to have a support agreement in place during such upgrades. - For first class and rapid support, please contact powerdns-support@netherlabs.nl, or see . Alternatively, - the PowerDNS Community can be very helpful too. - - - - With similar settings, version 3.0 will most likely use a lot more memory than 2.9. This is due to the new DNSSEC key & signature caches, but - also because the database query cache will now store multiple row answers, which it did not do previously. Memory use can be brought down again - by tuning the cache-ttl settings. - - - Performance may be up, or it may be down. We appreciate that this is spotty guidance, but depending on your setup, lookups may be a lot faster or a - lot slower. The improved database cache may prove to be a big benefit, and improve performance dramatically. This could be offset by a near - duplication of database queries needed because of more strict interpretation of DNS standards. - - - PowerDNS Authoritative Server 3.0 contains a completely renewed implementation of the core DNS 'Algorithm', loosely specified in RFC 1034. - As stated above, our new implementation is a lot closer to the original standard. This may mean that version 3.0 may interpret the contents - of your database differently from how 2.9.x interpreted them. For fully standards confirming zones, there should not be a problem, - but if zones were misconfigured (no SOA record, for example), things will be different. - - - When compiling version 3.0, there are now more dependencies than there used to be. 
Whereas previously, only Boost header files were needed, - PowerDNS now needs a number of Boost libraries to be installed (like boost-program-options, boost-serialization). In addition, for now Lua 5.1 is - a dependency. - - - PowerDNS Authoritative Server 3.0 comes with DNSSEC support, but this has required big changes to database schemas. - Each backend lists the changes required. To facilitate a smooth upgrade, the old, non-DNSSEC schema is used by default. - Features like per-domain metadata, TSIG and DNSSEC itself however need the new schema. Consult your backend documentation - for the correct 'alter table' statements. Afterwards, set the relevant '-dnssec' setting for your backend (for example: gmysql-dnssec). - - - In version 3.0, "Fancy Records", like URL, CURL and MBOXFW are no longer supported. Support may come back in later versions. - In addition, the LDAP Backend has moved to 'unmaintained' status. - - Frequently Asked Questions about 3.0 - - - - Q: Can 2.9.x versions read the 3.0 DNSSEC database schema? - - - A: Yes, every database can be altered to the new schema without impact on 2.9. The new fields and tables - are ignored. - - - - - Q: Can 3.x versions read the 2.9 pre-DNSSEC database schema? - - - A: Yes, as long as the relevant '-dnssec' setting is not enabled. These settings - are typically called 'gmysql-dnssec', 'gpgsql-dnssec', 'gsqlite3-dnssec'. If this setting IS - enabled, 3.x expects the new schema to be in place. - - - - - Q: If I run 3.0 with the new schema, and I have set '-dnssec', do I need to rectify my zones? - - - A: Yes. If the '-dnssec' setting is enabled, PowerDNS expects the 'auth' field to be filled out correctly. - When slaving zones this happens automatically. For other zones, run 'pdnssec rectify-zone zonename'. Even if - a zone is not DNSSEC secured, as long as the new schema is in place, the zone must be rectified (or at least - have the 'auth' field set correctly). 
- - - - - Q: I want to fill out the 'auth' and 'ordername' fields directly, how do I do this? - - - A: The 'auth' field should be '1' or 'true' for all records that are within your zone. For a zone without delegations, - this means 'auth' should always be set. If you have delegations, both the NS records for that delegation and possible glue - records for it should not have 'auth' set. - - - For more details on 'auth' and 'ordername', please see . - - - - - Q: If I don't update to the new DNSSEC schema, will 3.0 give identical answers as 2.9.x? - - - A: Not always. The core DNS logic of 3.0 was changed, so even if no changes are made to the database, - you may get different answers. This might happen for zones without SOA records for example, which used - to (more or less) work. An upgrade from 2.9.x to 3.0 should always be monitored carefully. - - - - - - - - From PowerDNS Authoritative Server 3.0 to 3.1 - - - If you are coming from 2.9.x, please also read . - - - - PowerDNS 3.1 introduces native SQLite3 support for storing key material for DNSSEC in the bindbackend. With this change, - support for bind+gsql-setups ('hybrid mode') has been dropped. If you were using this mode, you will need to switch to - bind-dnssec-db and migrate your keying material. - - - There have been changes to the SQL schemas for the generic backends. - - - For MySQL: - -mysql> ALTER TABLE records MODIFY content VARCHAR(64000); -mysql> ALTER TABLE tsigkeys MODIFY algorithm VARCHAR(50); - - For PostgreSQL: - -postgres=# ALTER TABLE records ALTER COLUMN content TYPE VARCHAR(65535); -postgres=# ALTER TABLE tsigkeys alter column algorithm type VARCHAR(50); - - - - The definition of 'auth' and 'ordername' in backends has changed slightly, see . - - - PowerDNS 3.0 and 3.1 will only fetch DNSSEC metadata and key material from the first DNSSEC-capable backend in the launch line. In 3.1, the bindbackend supports DNSSEC storage. 
This means that setups using launch=bind,gsqlite3 or launch=gsqlite3,bind may break. Please tread carefully! - - - From PowerDNS Authoritative Server 3.1 to 3.2 - - - If you are coming from 2.9.x, please also read and . - - - - Previously, on Linux, if the PowerDNS Authoritative Server was configured to bind to the IPv6 address ::, the server would answer - questions that came in via IPv6 *and* IPv4. - - - As of 3.2, binding to :: on Linux now does the same thing as binding to :: on other operating systems: perform IPv6 service. To continue - the old behaviour, use 'local-address=0.0.0.0' and 'local-ipv6=::'. - - - 3.2 again involves some SQL schema changes, to make sure 'ordername' is ordered correctly for NSEC generation. For MySQL: - -alter table records modify ordername VARCHAR(255) BINARY; -drop index orderindex on records; -create index recordorder on records (domain_id, ordername); - - - You can test the BINARY change with the new and experimental 'pdnssec test-schema' command. - - For PostgreSQL, there are no real schema changes, but our indexes turned out to be inefficient, especially given the changed ordername queries in 3.2. - Changes: - -drop index orderindex; -create index recordorder on records (domain_id, ordername text_pattern_ops); - - - Additionally, with 3.2 supporting empty non-terminals (see ), your frontend may need some changes. - - - Due to a bug, in 3.1 and earlier releases, the pipebackend would default to a 1000 second timeout for - responses from scripts, instead of the intended and documented 1000 milliseconds (1 second). In 3.2, - pipe-timeout is in fact in milliseconds. To avoid some surprise, the default is now 2000 (2 seconds). If you - have slow pipebackend scripts, make sure to increase pipe-timeout. - - - Some configuration settings (that did not do anything, anyway) have been removed. You need to remove - them from your configuration to start pdns_server. They are: lazy-recursion, use-logfile, logfile. 
- - - - From PowerDNS Authoritative Server 3.2 to 3.3 - - - If you are coming from 2.9.x, please also read , and . - - - - The `ip' field in the supermasters table (for the various gsql backends) has been stretched to 64 characters - to support IPv6. - For MySQL: - - alter table supermasters modify ip VARCHAR(64); - - For PostgreSQL: - - alter table supermasters alter column ip type VARCHAR(64); - - - - pdnssec secure-zone now creates one KSK and one ZSK, instead of two ZSKs. - - - The `rec_name_index' index was dropped from the gmysql schema, as it was superfluous. - - - - From PowerDNS Authoritative Server 3.3 to 3.3.1 - - - If you are coming from 2.9.x, please also read , , and . - - - - Constraints were added to the PostgreSQL schema: - - alter table domains add constraint c_lowercase_name CHECK (((name)::text = lower((name)::text))); - alter table tsigkeys add constraint c_lowercase_name check (((name)::text = lower((name)::text))); - - - - The (gmysql-)innodb-read-committed flag was added to the gmysql backend, and enabled by default. - This interferes with statement replication. Please set your binlog_format to MIXED or ROW, or disable binlog. - Alternatively, disable (gmysql-)innodb-read-committed but be aware that this may cause deadlocks during AXFRs. - - - - From PowerDNS Authoritative Server 3.3.1 to 3.4.0 - - - If you are coming from 2.9.x, please also read , , and and . - - - Database schema - - - - The default database schema has changed. The database update below is mandatory. - - - If custom queries are in use, they probably need an update. 
- - - - - For gmysql backend with nodnssec schema: - - For gmysql backend with dnssec schema: - - For gpgsql backend with nodnssec schema: - - For gpgsql backend with dnssec schema: - - For gsqlite3 backend with nodnssec schema: - - For gsqlite3 backend with dnssec schema: - - For goracle backend: - -ALTER TABLE records ADD disabled INT DEFAULT 0; -ALTER TABLE records MODIFY auth INT DEFAULT 1; - -UPDATE records SET auth=1 WHERE auth IS NULL; - -ALTER TABLE domainmetadata MODIFY kind VARCHAR2(32); - - - - Configuration option changes - New options - - - allow-dnsupdate-from - - - A global setting to allow DNS update from these IP ranges. - - - - - also-notify - - - When notifying a domain, also notify these nameservers - - - - - carbon-interval - - - Number of seconds between carbon (graphite) updates - - - - - carbon-ourname - - - If set, overrides our reported hostname for carbon stats - - - - - carbon-server - - - If set, send metrics in carbon (graphite) format to this server - - - - - disable-axfr-rectify - - - Disable the rectify step during an outgoing AXFR. Only required for regression testing. - - - - - experimental-api-readonly - - - If the JSON API should disallow data modification - - - - - experimental-api-key - - - Static API authentication key, must be sent in the X-API-Key header. Required for any API usage. - - - - - experimental-dname-processing - - - If we should support DNAME records - - - - - experimental-dnsupdate - - - Enable/Disable DNS update (RFC2136) support. Default is no. - - - - - forward-dnsupdate - - - A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master. 
- - - - - max-signature-cache-entries - - - Maximum number of signatures cache entries - - - - - local-address-nonexist-fail - - - Fail to start if one or more of the local-address's do not exist on this server - - - - - local-ipv6-nonexist-fail - - - Fail to start if one or more of the local-ipv6 addresses do not exist on this server - - - - - max-nsec3-iterations - - - Limit the number of NSEC3 hash iterations - - - - - only-notify - - - Only send AXFR NOTIFY to these IP addresses or netmasks - - - - - reuseport - - - Enable higher performance on compliant kernels by using SO_REUSEPORT allowing each receiver thread to open its own socket - - - - - udp-truncation-threshold - - - Maximum UDP response size before we truncate - - - - - webserver-allow-from - - - Webserver access is only allowed from these subnets - - - - - - Removed options - - - add-superfluous-nsec3-for-old-bind - - - Add superfluous NSEC3 record to positive wildcard response - - - - - edns-subnet-option-number - - - EDNS option number to use - - - - - fancy-records - - - Process URL and MBOXFW records - - - - - log-failed-updates - - - If PDNS should log failed update requests - - - - - smtpredirector - - - Our smtpredir MX host - - - - - urlredirector - - - Where we send hosts to that need to be url redirected - - - - - wildcard-url - - - Process URL and MBOXFW records - - - - - soa-serial-offset=... - - - If your database contains single-digit SOA serials and you need to host .DE domains, this setting can help - placate their 6-digit SOA serial requirements. Suggested value is to set this to 1000000 which adds 1000000 to all SOA Serials - under that offset. - - - - - - Options with changed default values - - - allow-axfr-ips - - - Allow zonetransfers only to these subnets - - - old value: 0.0.0.0/0,::/0 - - - new value: 127.0.0.0/8,::1 - - - - - gpgsql-dbname, gpgsql-user - - - These now default to empty, instead of 'powerdns'. 
- - - - - log-dns-details - - - If PDNS should log DNS non-erroneous details - - - old value: - - - new value: no - - - - - module-dir - - - The default location has changed from libdir to pkglibdir. pkglibdir is defined as '$(libdir)/pdns' - - - - - - - - - - - Serving authoritative DNSSEC data - - (only available in PowerDNS 3.0 and beyond, not yet available in the PowerDNS Recursor) - - - PowerDNS contains support for DNSSEC, enabling the easy serving of DNSSEC secured data, - with minimal administrative overhead. - - - In PowerDNSSEC, DNS and signatures and keys are (usually) treated as separate entities. The domain & record - storage is thus almost completely devoid of DNSSEC record types. - - - Instead, keying material is stored separately, allowing operators to focus on the already complicated task - of keeping DNS data correct. In practice, DNSSEC related material is often stored within the same database, - but within separate tables. - - - If a DNSSEC configuration is found for a domain, the PowerDNS daemon will provide keys, signatures and (hashed) - denials of existence automatically. - - - As an example, securing an existing zone can be as simple as: - -$ pdnssec secure-zone powerdnssec.org -$ pdnssec rectify-zone powerdnssec.org - - - - Alternatively, PowerDNS can serve pre-signed zones, without knowledge of private keys. - -
- A brief introduction to DNSSEC - - DNSSEC is a complicated subject, but it is not required to know all the ins and outs of this protocol to be able to use PowerDNSSEC. - In this section, we explain the core concepts that are needed to operate a PowerDNSSEC installation. - - - Zone material is enhanced with signatures using 'keys'. Such a signature (called an RRSIG) is a cryptographic guarantee that the data served - is the original data. DNSSEC keys are asymmetric (RSA, DSA or GOST), the public part is published over DNS and is called a - DNSKEY record, and is used for verification. The private part is used for signing and is never published. - - - To make sure that the internet knows that the key that is used for signing is the authentic key, confirmation can be gotten from - the parent zone. This means that to become operational, a zone operator will have to publish a representation of the signing key to - the parent zone, often a ccTLD or a gTLD. This representation is called a DS record, and is a shorter (hashed) version of the DNSKEY. - - - Once the parent zone has the DS, and the zone is signed with the DNSSEC key, we are done in theory. - - - However, for a variety of reasons, most DNSSEC operations run with another layer of keys. The so called 'Key Signing Key' is sent to the - parent zone, and this Key Signing Key is used to sign a new set of keys called the Zone Signing Keys. - - - This setup allows us to change our keys without having to tell the zone operator about it. - - - A final challenge is how to DNSSEC sign the answer 'no such domain'. In the language of DNS, the way to say 'there is no such domain' (NXDOMAIN) - or there is no such record type is to send an empty answer. Such empty answers are universal, and can't be signed. - - - In DNSSEC parlance we therefore sign a record that says 'there are no domains between A.powerdnssec.org and C.powerdnssec.org'. This - securely tells the world that B.powerdnssec.org does not exist. 
This solution is called NSEC, and is simple but has downsides - it also - tells the world exactly which records DO exist. - - - So alternatively, we can say that if a certain mathematical operation (an 'iterated salted hash') is performed on a question, that - no valid answers exist that have as outcome of this operation an answer between two very large numbers. This leads to the same 'proof of - non-existence'. This solution is called NSEC3. - - - A PowerDNSSEC zone can either be operated in NSEC or in one of two NSEC3 modes ('inclusive' and 'narrow'). - -
-
- Profile, Supported Algorithms, Record Types & Modes of operation - - PowerDNSSEC aims to serve unexciting, standards compliant, DNSSEC information. One goal is to have - relevant parts of our output be identical or equivalent to important fellow-traveller software like NLNetLabs' - NSD. - - - Particularly, if a PowerDNSSEC secured zone is transferred via AXFR, it should be able to contain the same records - as when that zone was signed using 'ldns-signzone' using the same keys and settings. - - - PowerDNS supports serving pre-signed zones, as well as online ('live') signed operations. In the last case, Signature Rollover - and Key Maintenance are fully managed by PowerDNS. - - - In addition to the above, PowerDNSSEC also supports modes of operation which may not have an equivalent in other - pieces of software, for example NSEC3-narrow mode. - - - PowerDNSSEC supports: - - - NSEC - - - NSEC3 - - - NSEC3-narrow - - - DS (digest type 1, 2, 3 and provisional point 4) - - - RSASHA1 (algorithm 5, algorithm 7) - - - RSASHA256 (algorithm 8) - - - RSASHA512 (algorithm 10) - - - ECC-GOST (algorithm 12) - - - ECDSA (no codepoints assigned, provisional 13 and 14) - - - - - This corresponds to: - - - RFC 4033: DNS Security Introduction and Requirements - - - RFC 4034: Resource Records for the DNS Security Extensions, Protocol Modifications for the DNS Security Extensions - - - RFC 4035: Protocol Modifications for the DNS Security Extensions - - - RFC 4509: Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs) - - - RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence - - - RFC 5702: Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC - - - - RFC 5933: Use of GOST Signature Algorithms in DNSKEY and RRSIG Resource Records for DNSSEC - - - - draft-ietf-dnsext-ecdsa: Elliptic Curve DSA for DNSSEC - - - - -
DNSSEC: live-signed vs orthodox 'pre-signed' mode - - Traditionally, DNSSEC signatures have been added to unsigned zones, and then this signed zone - could be served by any DNSSEC capable authoritative server. PowerDNS supports this mode fully. - - - In addition, PowerDNS supports taking care of the signing itself, in which case PowerDNS operates differently - from most tutorials and handbooks. This mode is easier however. - - - For relevant tradeoffs, please see and . - -
-
-
- Migration - - This chapter discusses various migration strategies, from existing PowerDNS setups, from existing unsigned installations - and finally from previous non-PowerDNS DNSSEC deployments. - -
From an existing PowerDNS installation - - To migrate an existing database-backed PowerDNS installation, a few changes must be made to the database schema. - First, the records table gains two new fields: 'auth' and 'ordername'. Some data in a zone, like glue records, should - not be signed, and this is signified by setting 'auth' to 0. - - - Once the database schema has been updated, and the relevant 'gsql-dnssec' switch has been set, stricter - rules apply for filling out the database! The short version is: run pdnssec rectify-zone on all zones, even - those not secured with DNSSEC! - - - Additionally, NSEC and NSEC3 in non-narrow mode require ordering data in order to perform (hashed) denial of existence. The 'ordername' - field is used for this purpose. - - - Finally, two new tables are needed. DNSSEC keying material is stored in the 'cryptokeys' table (in a portable standard format). - Domain metadata is stored in the 'domainmetadata' table. This includes NSEC3 settings. - - - Once the database schema has been changed for DNSSEC usage (see the relevant backend chapters or the PowerDNSSEC wiki for the update statements), the 'pdnssec' - tool can be used to fill out keying details, and 'rectify' the auth and ordername fields. - - - In short, 'pdnssec secure-zone powerdnssec.org ; pdnssec rectify-zone powerdnssec.org' will deliver a correctly NSEC signed zone. - - - In addition, so will the 'zone2sql' import tool when run with the '--dnssec' flag. - -
-
From existing non-DNSSEC non-PowerDNS setups - TBD -
-
From existing DNSSEC non-PowerDNS setups, pre-signed - - Industry standard signed zones can be served natively by PowerDNS, without changes. In such cases, signing - happens externally to PowerDNS, possibly via OpenDNSSEC, ldns-sign or dnssec-sign. - - - PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run 'pdnssec set-presigned zone'. - - Right now, you will also need to configure NSEC(3) settings for pre-signed zones using 'pdnssec set-nsec3'. Default - is NSEC, in which case no further configuration is necessary. -
-
From existing DNSSEC non-PowerDNS setups, live signing - - The 'pdnssec' tool features the option to import zone keys in the industry standard private key format, - version 1.2. To import an existing KSK, use 'pdnssec import-zone-key zonename filename KSK', replace KSK - by ZSK for a Zone Signing Key. - - - If all keys are imported using this tool, a zone will serve mostly identical records to before, with - the important change that the RRSIG inception dates will be different. - - Within PowerDNS, the 'algorithm' for RSASHA1 keys is modulated based on the NSEC3 setting. So - if an algorithm=7 key is imported in a zone with no configured NSEC3, it will appear as algorithm 5! -
-
-
- Records, Keys, signatures, hashes within PowerDNSSEC in online signing mode - - Within PowerDNSSEC live signing, keys are stored separately from the zone records. Zone data are only - combined with signatures and keys when requests come in over the internet. - - - Each zone can have a number of keys associated with it, with varying key lengths. Typically 1 or at most 2 of these - keys are employed as actual Zone Signing Keys (ZSKs). During normal operations, this means that only 1 ZSK is 'active', and - the other is passive. - - - Should it be desired to 'roll over' to a new key, both keys can temporarily be active (and used for signing), and after a while the - old key can be inactivated. Subsequently it can be removed. - - - As elucidated above, there are several ways in which DNSSEC can deny the existence of a record, and this setting too is stored - away from zone records, and lives with the DNSSEC keying material. - - - In order to facilitate interoperability with existing technologies, PowerDNSSEC keys can be imported and exported in industry standard formats. - - - Keys and hashes are configured using the 'pdnssec' tool, which is described next. - -
(Hashed) Denial of Existence - - PowerDNS supports unhashed secure denial of existence using NSEC records. These are generated - with the help of the (database) backend, which needs to be able to supply the 'previous' and 'next' records - in canonical ordering. - - - The Generic SQL Backends have fields that allow them to supply these relative record names. - - - In addition, hashed secure denial of existence is supported using NSEC3 records, in two modes, one - with help from the database, the other with the help of some additional calculations. - - - NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend, where the backend should - be able to supply the previous and next domain names in hashed order. - - - NSEC3 in 'narrow' mode uses additional hashing calculations to provide hashed secure denial of existence 'on the fly', - without further involving the database. - -
- -
Signatures - - In PowerDNS live signing mode, signatures, as served through RRSIG records, are calculated on the fly, and heavily cached. All CPU cores - are used for the calculation. - - - RRSIGs have a validity period, in PowerDNS by default this period starts at most a week in the past, and continues - at least a week into the future. - - - Precisely speaking, the time period used is always from the start of the previous Thursday until the Thursday two weeks later. - This two-week interval jumps with one-week increments every Thursday. - - Why Thursday? POSIX-based operating systems count the time since GMT midnight January 1st of 1970, - which was a Thursday. PowerDNS inception/expiration times are generated based on an integral number of weeks having passed - since the start of the 'epoch'. - -
- -
-
- 'pdnssec' for PowerDNSSEC command & control - - 'pdnssec' is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, - 'pdnssec' manipulates a PowerDNS backend database, which also means that for many databases, 'pdnssec' can be run remotely, - and can configure key material on different servers. - - - The following pdnssec commands are available: - - - - activate-zone-key ZONE KEY-ID - - - Activate a key with id KEY-ID within a zone called ZONE. - - - - - add-zone-key ZONE [ksk|zsk] [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384] - - - Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm. - - - - - check-zone ZONE - - - Check a zone for DNSSEC correctness. Main goals is to check if the auth flag is set correctly. - - - - - check-all-zones - - - Check all zones for DNSSEC correctness. Added in 3.1. - - - - - deactivate-zone-key ZONE KEY-ID - - - Deactivate a key with id KEY-ID within a zone called ZONE. - - - - - export-zone-dnskey ZONE KEY-ID - - - Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE. - - - - - export-zone-key ZONE KEY-ID - - - Export to standard output full (private) key with key id KEY-ID within zone called ZONE. The format - used is compatible with BIND and NSD/LDNS. - - - - - hash-zone-record ZONE RECORDNAME - - - This convenience command hashes the name 'recordname' according to the NSEC3 settings of ZONE. - Refuses to hash for zones with no NSEC3 settings. - - - - - import-zone-key ZONE filename [ksk|zsk] - - - Import from 'filename' a full (private) key for zone called ZONE. The format - used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this - key should have on import. - - - - - import-zone-key-pem ZONE filename algorithm [ksk|zsk] - - - Import from 'filename' a full (private) key in PEM format for zone called ZONE, and - assign it an algorithm number. 
KSK or ZSK specifies the flags this - key should have on import. The format used is compatible with 'openssl genrsa', - which is also called PEM. - - - - - generate-zone-key [ksk|zsk] [algorithm] [bits] - - - Generate and display a zone key. Can be used when you need to generate a key for some script backend. - Does not store the key. - - - - - rectify-zone ZONE [ZONE ..] - - - Calculates the 'ordername' and 'auth' fields for a zone called ZONE so they comply with DNSSEC settings. - Can be used to fix up migrated data. Can always safely be run, it does no harm. Multiple zones can be supplied. - - - - - rectify-all-zones - - - Do a rectify-zone for all the zones. Be careful when running this. Only - bind and gmysql backends are supported. Added in 3.1. - - - - - remove-zone-key ZONE KEY-ID - - - Remove a key with id KEY-ID from a zone called ZONE. - - - - - secure-zone ZONE - - - Configures a zone called ZONE with reasonable DNSSEC settings. You should manually run 'rectify-zone' afterwards. - - - - - secure-all-zones - - - Add keymaterial to all zones. You should manually run 'rectify-all-zones' afterwards. The 'increase-serial' option - increases the SOA serial for new secured zones. - - - - - set-nsec3 ZONE 'parameters' [narrow] - - - Sets NSEC3 parameters for this zone. A sample command line is: "pdnssec set-nsec3 powerdnssec.org '1 0 1 ab' narrow". - The NSEC3 parameters must be quoted on the command line. - If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! - The NSEC3 fields are: 'algorithm flags iterations salt'. For 'algorithm', currently '1' is the only supported value. Setting 'flags' to 1 enables opt-out operation. Only do this if you know you need it. The salt is hexadecimal. - - - - - set-presigned ZONE - - - Switches zone to presigned operation, utilizing in-zone RRSIGs. - - - - - show-zone ZONE - - - Shows all DNSSEC related settings of a zone called ZONE. 
- - - - - unset-nsec3 ZONE - - - Converts a zone to NSEC operations. - If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! - - - - - unset-presigned ZONE - - - Disables presigned operation for ZONE. - - - - - import-tsig-key name algorithm key - - - Imports a named TSIG key. Use enable/disable-tsig-key to map it to a zone. - - - - - generate-tsig-key name algorithm - - - Creates and stores a named tsig key. - - - - - delete-tsig-key name - - - Deletes a named TSIG key. WARNING! Does not unmap it from zones. - - - - - list-tsig-keys - - - Shows all TSIG keys from all backends. - - - - - activate-tsig-key zone name [master|slave] - - - activate TSIG key for a zone. Use master on master server, slave on slave server. - - - - - deactivate-tsig-key zone name [master|slave] - - - Deactivate TSIG key for a zone. Use master on master server, slave on slave server. - - - - - get-meta ZONE [kind kind..] - - - Gets one or more meta items for domain ZONE. If no meta keys defined, it retrieves well known meta keys. - - - - - set-meta ZONE kind [value value ..] - - - Clears or sets meta for domain ZONE. You can provide one or more value(s). - - - - - -
-
- DNSSEC advice & precautions - - DNSSEC is a major change in the way DNS works. Furthermore, there is a bewildering array of settings - that can be configured. - - - It is well possible to configure DNSSEC in such a way that your domain will not operate reliably, or even, at all. - - - We advise operators to stick to the keying defaults of 'pdnssec secure-zone': RSASHA256 (algorithm 8), - 1 Key Signing Key of 2048 bits, 1 active Zone Signing Key of 1024 bits, 1 passive Zone Signing Key of 1024 bits. - - - While the 'GOST' and 'ECDSA' algorithms are better choices in theory, not many DNSSEC resolvers can validate answers - signed with such keys. Much the same goes for RSASHA512, except that it does not offer better performance either. - - - GOST may be more widely available in Russia, because it might be mandatory to implement this regional standard there. - - - It is possible to operate a zone with different keying algorithms simultaneously, but it has also been observed that this is not reliable. - - - Depending on your master/slave setup, you may need to tinker with SOA-EDIT on your master. - -
Packet sizes, fragments, TCP/IP service - - DNSSEC answers contain (bulky) keying material and signatures, and are therefore a lot larger than regular DNS answers. - Normal DNS responses almost always fit in the 'magical' 512 byte limit previously imposed on DNS. - - - In order to support DNSSEC, operators must make sure that their network allows for: - - >512 byte UDP packets on port 53 - Fragmented UDP packets - ICMP packets related to fragmentation - TCP queries on port 53 - EDNS0 queries/responses (filtered by some firewalls) - - - - If any of the conditions outlined above is not met, DNSSEC service will suffer or be completely unavailable. - - - In addition, the larger your DNS answers, the more critical the above becomes. It is therefore advised not to provision too many keys, - or keys that are unnecessarily large. - -
-
-
- Operational instructions - - In this chapter various DNSSEC transitions are discussed, and how to execute them within PowerDNSSEC. - -
Publishing a DS - - To publish a DS to a parent zone, utilize 'pdnssec show-zone' and take the DS from its output, and transfer it securely - to your parent zone. - -
-
ZSK rollover - - .. pdnssec activate-zone-key ZONE next-key-id .. - .. pdnssec deactivate-zone-key ZONE prev-key-id .. - .. pdnssec remove-zone-key ZONE prev-key-id .. - -
-
KSK rollover - - .. pdnssec add-zone-key ZONE ksk .. - .. pdnssec show-zone ZONE and communicate duplicate DS .. - .. pdnssec activate-zone-key ZONE next-key-id .. - .. pdnssec deactivate-zone-key ZONE prev-key-id .. - .. pdnssec remove-zone-key ZONE prev-key-id .. - -
-
Going insecure - - .. pdnssec disable-dnssec .. - -
-
NSEC(3) change - This section describes how to change NSEC(3) parameters when they are already set. - The following instructions might not be correct or complete! - - .. pdnssec set-nsec3 ZONE 'parameters' - .. pdnssec show-zone ZONE and communicate duplicate DS .. - - - For further details, please see . - -
-
-
- Modes of operation - - PowerDNSSEC can operate in several modes. In the simplest situation, there is a single "SQL" database - that contains, in separate tables, all domain data, keying material and other DNSSEC related settings. - - - This database is then replicated to all PowerDNS instances, which all serve identical records, keys - and signatures. - - - In this mode of operation, care should be taken that the database replication occurs over a secure network, - or over an encrypted connection. This is because keying material, if intercepted, could be used to counterfeit - DNSSEC data using the original keys. - - - Such a single replicated database requires no further attention beyond monitoring already required during - non-DNSSEC operations. - -
PowerDNSSEC Pre-signed records - - In this mode, PowerDNS serves zones that already contain DNSSEC records. Such zones can either be slaved from - a remote master, or can be signed using tools like OpenDNSSEC, ldns-signzone or dnssec-signzone. - -
-
PowerDNSSEC Front-signing - - As a special feature, PowerDNSSEC can operate as a signing server which operates as a slave - to an unsigned master. - - - In this way, if keying material is available for an unsigned zone that is retrieved from a master server, - this keying material will be used when serving data from this zone. - - - As part of the zone retrieval, the equivalent of 'pdnssec rectify-zone' is run to make sure - that all DNSSEC-related fields are set correctly. - -
-
PowerDNSSEC BIND-mode operation - - Starting with PowerDNS 3.1, the bindbackend can manage keys in an SQLite3 database without launching - a separate gsqlite3 backend. - - - To use this mode, add "bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3" to pdns.conf, and run - "pdnssec create-bind-db /var/db/bind-dnssec-db.sqlite3". Then, restart PowerDNS. - - - After this, you can use "pdnssec secure-zone" and all other pdnssec commands on your BIND zones - without trouble. - -
-
PowerDNSSEC hybrid BIND-mode operation - - - This mode is only supported in 3.0, 3.0.1 and 3.4.0 and up! In 3.1 to 3.3.1, the bindbackend - always did its own key storage. - In 3.4.0 and up hybrid bind mode operation is optional and enabled with the bindbackend hybrid config option. - - - - PowerDNS can also operate based on 'BIND'-style zone & configuration files. This 'bindbackend' - has full knowledge of DNSSEC, but has no native way of storing keying material. - - - However, since PowerDNS supports operation with multiple simultaneous backends, this is not a problem. - - - In hybrid mode, keying material and zone records are stored in different backends. This allows for - 'bindbackend' operation in full DNSSEC mode. - - - To benefit from this mode, include at least one database-based backend in the 'launch' statement. The Generic SQLite backend - version 3 (gsqlite3) probably complements BIND mode best, since it does not require a database server process. - - - - For now, it is necessary to execute a manual SQL 'insert' into the domains table of the backend hosting - the keying material. This is needed to generate a zone-id for the relevant domain. Sample SQL statement: - insert into domains (name, type) values ('powerdnssec.org', 'NATIVE');. - - -
-
- Rules for filling out fields in database backends - - The BIND Backend automates all the steps outlined below, and does not need 'manual' help - - - In PowerDNS 3.0 and up, two additional fields are important: 'auth' and 'ordername'. These fields are set correctly - on an incoming zone transfer, and also by running 'pdnssec rectify-zone'. zone2sql with the --dnssec flag aims to - do this too but there are minor bugs in there, so please run 'pdnssec rectify-zone' after zone2sql. - - The 'auth' field should be set to '1' for - data for which the zone itself is authoritative, which includes the SOA record and its own NS records. - - - The 'auth' field should be 0 however for NS records which are used for delegation, and also for any glue (A, AAAA) records - present for this purpose. Do note that the DS record for a secure delegation should be authoritative! - - - The 'ordername' field needs to be filled out depending on the NSEC/NSEC3 mode. When running in NSEC3 'Narrow' mode, the - ordername field is ignored and best left empty. In NSEC/NSEC3 mode, the ordername field should be NULL for any glue but filled in - for all delegation NS records and all authoritative records. In NSEC3 opt-out mode, ordername is NULL for any glue and insecure - delegation NS records, but filled in for secure delegation NS records and all authoritative records. - - - In 'NSEC' mode, it should contain the relative part of a domain name, in reverse order, with dots replaced - by spaces. So 'www.uk.powerdnssec.org' in the 'powerdnssec.org' zone should have 'uk www' as its ordername. - - - In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex encoded representation of the salted & iterated hash - of the full record name. pdnssec hash-zone-record zone record can be used to calculate this hash. - - - In addition, from 3.2 and up, PowerDNS fully supports empty non-terminals. 
If you have a zone example.com, and a host a.b.c.example.com in it, - rectify-zone (and the AXFR client code) will insert b.c.example.com and c.example.com in the records table with type NULL (SQL NULL, not 'NULL'). - Having these entries provides several benefits. We no longer reply NXDOMAIN for these shorter names (this was an RFC violation but not one that caused trouble). - But more importantly, to do NSEC3 correctly, we need to be able to prove existence of these shorter names. The type=NULL records entry gives us a place - to store the NSEC3 hash of these names. - - - If your frontend does not add empty non-terminal names to records, you will get DNSSEC replies of 3.1-quality, which has served many people well, but we - suggest you update your code as soon as possible! - - - If you import presigned zones into your database, please do not import the NSEC or NSEC3 records. PowerDNS will synthesize these itself. Putting - them in the database might cause duplicate records in responses. zone2sql filters NSEC and NSEC3 automatically. - -
-
-
PKCS#11 support - - NB! This feature is experimental, and not ready for production. Use at your own risk! - - - To enable it, compile PowerDNS Authoritative Server using --experimental-pkcs11-support flag. This requires you to have p11-kit libraries and headers. - - - Instructions on how to setup SoftHSM to work with the feature after compilation on ubuntu/debian. - - apt-get install softhsm p11-kit - create directory /etc/pkcs11/modules - Add file called 'softhsm' there with (on some versions, use softhsm.module) - -module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so -managed: yes - - - Run p11-kit -l to verify it worked (you should see softhsm there) - Create at least two tokens (ksk and zsk) with (slot-number starts from 0) - -softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin - - - Run p11-kit -l to verify it worked (you should see softhsm there and tokens) - Assign the keys using - -pdnssec hsm assign zone rsasha256 ksk|zsk softhsm slot-id pin zone-ksk|zsk - - - Take note of the generated key id, if it always shows up 1, run pdnssec show-zone zone to retrieve them - Generate the keys using - -pdnssec hsm create-key zone key-id - - - Verify that everything worked with pdnssec show-zone zone, you should see valid data there - Enjoy using PKCS#11! - - -
-
Secure transfers - - From 3.3.1 and up, PowerDNS support secure DNSSEC transfers as described in draft-koch-dnsop-dnssec-operator-change-05. - If the direct-dnskey option is enabled the foreign DNSKEY records stored in the database are added to the keyset and signed - with the KSK. Without the direct-dnskey option DNSKEY records in the database are silently ignored. - -
-
Security - - During typical PowerDNSSEC operation, the private part of the signing keys are 'online', which can be compared - to operating an HTTPS server, where the certificate is available on the webserver for cryptographic purposes. - - - In some settings, having such (private) keying material available online is considered undesirable. In this case, - consider running in pre-signed mode. - -
-
Performance - - DNSSEC has a performance impact, mostly measured in terms of - additional memory used for the signature caches. In addition, on - startup or AXFR-serving, a lot of signing needs to happen. - - - Please see Large - Scale DNSSEC Best Current Practices for the most up to date - information. - -
-
Thanks to, acknowledgements - - PowerDNSSEC has been made possible by the help & contributions of many people. - We would like to thank: - - Peter Koch (DENIC) - Olaf Kolkman (NLNetLabs) - Wouter Wijngaards (NLNetLabs) - Marco Davids (SIDN) - Markus Travaille (SIDN) - Antoin Verschuren (SIDN) - Olafur Guðmundsson (IETF) - Dan Kaminsky (Recursion Ventures) - Roy Arends (Nominet) - Miek Gieben - Stephane Bortzmeyer (AFNIC) - Michael Braunoeder (nic.at) - Peter van Dijk - Maik Zumstrull - Jose Arthur Benetasso Villanova - Stefan Schmidt (CCC ;-)) - Roland van Rijswijk (Surfnet) - Paul Bakker (Brainspark/Fox-IT) - Mathew Hennessy - Johannes Kuehrer (Austrian World4You GmbH) - Marc van de Geijn (bHosted.nl) - Stefan Arentz - Martin van Hensbergen (Fox-IT) - Christoph Meerwald - Leen Besselink - Detlef Peeters - Christof Meerwald - Jack Lloyd - Frank Altpeter - Fredrik Danerklint - Vasiliy G Tolstov - Brielle Bruns - Evan Hunt (ISC) - Ralf van der Enden - Jan-Piet Mens - Justin Clift - Kees Monshouwer - Aki Tuomi - Ruben Kerkhof - Christian Hofstaedtler - Ruben d'Arco - Morten Stevens - Pieter Lexis - .. this list is far from complete yet .. - - -
-
- TSIG: shared secret authorization and authentication - Available since PowerDNS Authoritative Server 3.0! - - TSIG, as defined in RFC 2845, is a method for signing DNS messages using shared secrets. - Each TSIG shared secret has a name, and PowerDNS can be told to allow zone transfer of a domain - if the request is signed with an authorized name. - - - In PowerDNS, TSIG shared secrets are stored by the various backends. In case of the popular - Generic backends, they can be found in the 'tsigkeys' table. The name can be chosen freely, but - the algorithm name will typically be 'hmac-md5'. Other supported algorithms are 'hmac-sha1', 'hmac-shaX' where X is 224, 256, 384 or 512. The content is a Base64-encoded secret. - - - Most backends require DNSSEC support enabled to support TSIG. For the Generic SQL Backend make sure to use the DNSSEC enabled schema and to turn on the relevant '-dnssec' flag (for example, gmysql-dnssec)! - -
Provisioning outbound AXFR access - - To actually provision a named secret permission to AXFR a zone, set a metadata item in the 'domainmetadata' table - called 'TSIG-ALLOW-AXFR' with the key name in the content field. - - - As an example: - -sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='); -sql> select id from domains where name='powerdnssec.org'; -5 -sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-AXFR', 'test'); - -$ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=' - - - - To ease interoperability, the equivalent configuration above in BIND would look like this: - -key test. { - algorithm hmac-md5; - secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="; -}; - -zone "powerdnssec.org" { - type master; - file "powerdnssec.org"; - allow-transfer { key test.; }; -}; - - - - A packet authorized and authenticated by a TSIG signature will gain access to a zone even - if the remote IP address is not otherwise allowed to AXFR a zone. - -
-
Provisioning signed notification and AXFR requests - - To configure PowerDNS to send out TSIG signed AXFR requests for a zone to its master(s), set the - AXFR-MASTER-TSIG metadata item for the relevant domain to the key that must be used. - - - The actual TSIG key must also be provisioned, as outlined in the previous section. - - - For the popular Generic SQL backends, configuring the use of TSIG for AXFR requests could be achieved as follows: - -sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='); -sql> select id from domains where name='powerdnssec.org'; -5 -sql> insert into domainmetadata (domain_id, kind, content) values (5, 'AXFR-MASTER-TSIG', 'test'); - - - - This setup corresponds to the TSIG-ALLOW-AXFR access rule defined in the previous section. - - - In the interest of interoperability, the configuration above is (not quite) similar to the following BIND statements: - -key test. { - algorithm hmac-md5; - secret "kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="; -}; - -server 127.0.0.1 { - keys { test.; }; -}; - -zone "powerdnssec.org" { - type slave; - masters { 127.0.0.1; }; - file "powerdnssec.org"; -}; - - Except that in this case, TSIG will be used for all communications with the master, not just those about AXFR requests. - -
-
- AXFR ACLs - - Starting with the PowerDNS Authoritative Server 3.1, per-zone AXFR ACLs can be stored in the domainmetadata table. - - - Each ACL row can list one subnet (v4 or v6), or the magical value 'AUTO-NS' that tries to allow all potential slaves in. - - - Example: - -sql> select id from domains where name='example.com'; -7 -sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS'); -sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48'); - - - - Per zone settings aka Domain Metadata - - Starting with the PowerDNS Authoritative Server 3.0, each served zone can have "metadata". Such metadata determines - how this zone behaves in certain circumstances. - - Domain metadata is only available for DNSSEC capable backends! Make sure to enable the proper '-dnssec' setting to benefit, and - to have performed the DNSSEC schema update. - - Most of these metadata items are described elsewhere in the documentation. The following settings are available: - - - ALLOW-AXFR-FROM - - - Per-zone AXFR ACLs (see ). - - - - - ALLOW-DNSUPDATE-FROM - - - See - - - - - TSIG-ALLOW-DNSUPDATE - - - See - - - - - FORWARD-DNSUPDATE - - - See - - - - - SOA-EDIT-DNSUPDATE - - - See - - - - - ALSO-NOTIFY - - - When notifying this domain, also notify this nameserver (can occur multiple times). - - - - - AXFR-MASTER-TSIG - - - Use this named TSIG key to retrieve this zone from its master (see ). - - - - - LUA-AXFR-SCRIPT - - - Script to be used to edit incoming AXFRs (see ). - - - - - NSEC3NARROW - - - Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode (see 'set-nsec3' in ). - - - - - NSEC3PARAM - - - NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not - present, zones default to NSEC (see 'set-nsec3' in ). Example content: "1 0 1 ab". 
- - - - - - PRESIGNED - - - This zone carries DNSSEC RRSIGs (signatures), and is presigned (see 'set-presigned' in ). - - - - - - SOA-EDIT - - - When serving this zone, modify the SOA serial number in one of several ways. Mostly useful to get slaves - to re-transfer a zone regularly to get fresh RRSIGs. - - - Inception refers to the time the RRSIGs got updated in live mode. This happens every week (see ). The inception time does not depend on local timezone, but some modes below will use localtime for representation. - - - Available modes are: - - - INCREMENT-WEEKS - - - Increments the serial with the number of weeks since the epoch. - - - This should work in every setup; but the result won't look like YYYYMMDDSS anymore. - - - - - INCEPTION-EPOCH (available since 3.1) - - - Sets the new SOA serial number to the maximum of the old SOA serial number, and age in seconds of the last inception. - - - This requires your backend zone to use age in seconds as SOA serial. The result is still the age in seconds of the last change. - - - - - INCEPTION-INCREMENT (available since 3.3) - - - Uses YYYYMMDDSS format for SOA serial numbers. If the SOA serial from the backend is within two days after inception, it gets incremented by two (the backend should keep SS below 98). Otherwise it uses the maximum of the backend SOA serial number and inception time in YYYYMMDD01 format. - - - This requires your backend zone to use YYYYMMDDSS as SOA serial format. Uses localtime to find the day for inception time. - - - - - INCEPTION (not recommended) - - - Sets the SOA serial to the last inception time in YYYYMMDD01 format. Uses localtime to find the day for inception time. - - - The SOA serial will only change on inception day, so changes to the zone will get visible on slaves only on the following inception day. - - - - - INCEPTION-WEEK (not recommended) - - - Sets the SOA serial to the number of weeks since the epoch, which is the last inception time in weeks. 
- - Same problem as INCEPTION - - - - EPOCH - - - Sets the SOA serial to the number of seconds since the epoch. - - Don't combine this with AXFR - the slaves would keep refreshing all the time. If you need fast updates, sync the backend databases directly with incremental updates (or use the same database server on the slaves) - - - - - - - - TSIG-ALLOW-AXFR - - - Allow these named TSIG keys to AXFR this zone (see ). - - - - - - - - Dynamic DNS Update (RFC2136) - Starting with the PowerDNS Authoritative Server 3.4.0, DNS update support is available. There are a number of items NOT supported: - - There is no support for GSS-TSIG and SIG (TSIG is supported); - WKS records are specifically mentioned in the RFC, we don't specifically care about WKS records; - Anything we forgot.... - - - The implementation requires the backend to support a number of new oparations. Currently, the following backends have been modified to support DNS update: - - gmysql - gpgsql - gsqlite3 - - - Configuration options - There are two configuration parameters that can be used within the powerdns configuration file. - - - experimental-dnsupdate [=no] - - - A setting to enable/disable DNS update support completely. The default is no, which means that DNS updates are ignored by PowerDNS (no message is logged about this!). - Change the setting to experimental-dnsupdate=yes to enable DNS update support. - - - - - allow-dnsupdate-from - - - A list of IP ranges that are allowed to perform updates on any domain. The default is 0.0.0.0/0, which means that all ranges are accepted. - Multiple entries can be used on this line (allow-dnsupdate-from=10.0.0.0/8 192.168.1.2/32). - The option can be left empty to disallow everything, this then should be used in combination with the allow-dnsupdate-from domainmetadata - setting per zone. - - - - - forward-dnsupdate [=yes] - - - Tell PowerDNS to forward to the master server if the zone is configured as slave. 
Masters are determined by the masters field in the domains table. - The default behaviour is enabled (yes), which means that it will try to forward. In the processing of the update packet, the allow-dnsupdate-from and - TSIG-2136-ALLOW are processed first, so those permissions apply before the forward-dnsupdate is used. - It will try all masters that you have configured until one is successful. - - - - - - - The semantics are that first a dynamic update has to be allowed - either by the global allow-dnsupdate-from setting, or by a per-zone - ALLOW-DNSUPDATE-FROM metadata setting. - - - Secondly, if a zone has a TSIG-ALLOW-DNSUPDATE metadata setting, - that must match too. - - - So to only allow dynamic DNS updates to a zone based on TSIG key, and - regardless of IP address, set allow-dns-update-from to empty, set - ALLOW-DNSUPDATE-FROM to "0.0.0.0/0" and "::/0" and set the - TSIG-ALLOW-DNSUPDATE to the proper key name. - - - Further information can be found in . - - - - Per zone settings - For permissions, a number of per zone settings are available via the domain metadata (See ). - - - ALLOW-DNSUPDATE-FROM - - - This setting has the same function as described in the configuration options (See ). - Only one item is allowed per row, but multiple rows can be added. - An example: - -sql> select id from domains where name='powerdnssec.org'; -5 -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’10.0.0.0/8’); -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’192.168.1.2/32’); - - - This will allow 10.0.0.0/8 and 192.168.1.2/32 to send DNS update messages for the powerdnssec.org domain. - - - - - TSIG-ALLOW-DNSUPDATE - - - This setting allows you to set the TSIG key required to do an DNS update. 
- An example: - - -sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='); -sql> select id from domains where name='powerdnssec.org'; -5 -sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'test'); - - - An example of how to use a TSIG key with the nsupdate command: - -nsupdate <<! -server <ip> <port> -zone powerdnssec.org -update add test1.powerdnssec.org 3600 A 192.168.1.1 -key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys= -send -! - - - If a TSIG key is set for the domain, it is required to be used for the update. - The TSIG is extra security on top of the ALLOW-DNSUPDATE-FROM setting. - If a TSIG key is set, the IP(-range) still needs to be allowed via ALLOW-DNSUPDATE-FROM. - - - - - FORWARD-DNSUPDATE - - - See for what it does, but per domain. - -sql> select id from domains where name='powerdnssec.org'; -5 -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘FORWARD-DNSUPDATE’,’’); - - - There is no content, the existence of the entry enables the forwarding. - This domain-specific setting is only useful when the configuration option forward-dnsupdate is set to 'no', as that will disable it globally. - Using the domainmetadata setting than allows you to enable it per domain. - - - - - SOA-EDIT-DNSUPDATE - - This configures how the soa serial should be updated. See . - - - - - SOA Serial Updates - - After every update, the soa serial is updated as this is required by section 3.7 of RFC2136. - The behaviour is configurable via domainmetadata with the SOA-EDIT-DNSUPDATE option. It has a number of - options listed below. If no behaviour is specified, DEFAULT is used. - - - RFC2136 (Section 3.6) defines some specific behaviour for updates of SOA records. Whenever the SOA record is updated - via the update message, the logic to change the SOA is not executed. 
- - - Powerdns will always use SOA-EDIT when serving SOA records, thus a query for the SOA record of - the recently update domain, might have an unexpected result due to a SOA-EDIT setting. - - - An example: - -sql> select id from domains where name='powerdnssec.org'; -5 -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘SOA-EDIT-DNSUPDATE’,’INCREASE’); - - This will make the SOA Serial increase by one, for every successful update. - - SOA-EDIT-DNSUPDATE settings - These are the settings available for SOA-EDIT-DNSUPDATE. - - - DEFAULT - - - Generate a soa serial of YYYYMMDD01. If the current serial is lower than the generated serial, - use the generated serial. If the current serial is higher or equal to the generated serial, increase the - current serial by 1. - - - - - INCREASE - - Increase the current serial by 1. - - - - EPOCH - - Change the serial to the number of seconds since the EPOCH, aka unixtime. - - - - SOA-EDIT - - Change the serial to whatever SOA-EDIT would provide. See - - - - SOA-EDIT-INCREASE - - - Change the serial to whatever SOA-EDIT would provide. If what SOA-EDIT provides is lower than the current serial, - increase the current serial by 1. - - - - - - - DNS update How-to: Setup dyndns/rfc2136 with dhcpd - - DNS update is often used with DHCP to automatically provide a hostname whenever a new IP-address is assigned by the DHCP server. - This section describes how you can setup PowerDNS to receive DNS updates from ISC's dhcpd (version 4.1.1-P1). - - Setting up dhcpd - - We're going to use a TSIG key for security. We're going to generate a key using the following command: - -dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpdupdate - - This generates two files (Kdhcpdupdate.*.key and Kdhcpdupdate.*.private). 
You're interested in the .key file: - -# ls -l Kdhcp* --rw------- 1 root root 53 Aug 26 19:29 Kdhcpdupdate.+157+20493.key --rw------- 1 root root 165 Aug 26 19:29 Kdhcpdupdate.+157+20493.private - -# cat Kdhcpdupdate.+157+20493.key -dhcpdupdate. IN KEY 0 3 157 FYhvwsW1ZtFZqWzsMpqhbg== - - The important bits are the name of the key (dhcpdupdate) and the hash of the key (FYhvwsW1ZtFZqWzsMpqhbg== - - - Using the details from the key you've just generated. Add the following to your dhcpd.conf: - -key "dhcpdupdate" { - algorithm hmac-md5; - secret "FYhvwsW1ZtFZqWzsMpqhbg=="; -}; - - - - You must also tell dhcpd that you want dynamic dns to work, add the following section: - -ddns-updates on; -ddns-update-style interim; -update-static-leases on; - - This tells dhcpd to: - - Enable Dynamic DNS - Which style it must use (interim) - Update static leases as well - - For more information on this, consult the dhcpd.conf manual. - - - Per subnet, you also have to tell dhcpd which (reverse-)domain it should update and - on which master domain server it is running. - -ddns-domainname "powerdnssec.org"; -ddns-rev-domainname "in-addr.arpa."; - -zone powerdnssec.org { - primary 127.0.0.1; - key dhcpdupdate; -} - -zone 1.168.192.in-addr.arpa. { - primary 127.0.0.1; - key dhcpdupdate; -} - - This tells dhcpd a number of things: - - Which domain to use (ddns-domainname "powerdnssec.org";) - Which reverse-domain to use (dnssec-rev-domainname "in-addr.arpa.";) - For the zones, where the primary master is located (primary 127.0.0.1;) - Which TSIG key to use (key dhcpdupdate;). We defined the key earlier. - - - This concludes the changes that are needed to the dhcpd configuration file. - - Setting up PowerDNS - A number of small changes are needed to powerdns to make it accept dynamic updates from dhcpd. - - Enabled DNS update (RFC2136) support functionality in PowerDNS by adding the following to the - PowerDNS configuration file (pdns.conf). 
- -experimental-dnsupdate=yes -allow-dnsupdate-from= - - This tells PowerDNS to: - - Enable DNS update support(experimental-dnsupdate) - Allow updates from NO ip-address (allow-dnsupdate-from=) - - - - We just told powerdns (via the configuration file) that we accept updates from nobody via the - allow-dnsupdate-from parameter. That's not very useful, so we're going to give permissions - per zone, via the domainmetadata table. - -sql> select id from domains where name='powerdnssec.org'; -5 -sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’127.0.0.1’); - - This gives the ip '127.0.0.1' access to send update messages. Make sure you use the ip address of the machine that - runs dhcpd. - - - Another thing we want to do, is add TSIG security. This can only be done via the domainmetadata table: - -sql> insert into tsigkeys (name, algorithm, secret) values ('dhcpdupdate', 'hmac-md5', 'FYhvwsW1ZtFZqWzsMpqhbg=='); -sql> select id from domains where name='powerdnssec.org'; -5 -sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate'); -sql> select id from domains where name='1.168.192.in-addr.arpa'; -6 -sql> insert into domainmetadata (domain_id, kind, content) values (6, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate'); - - This will: - - Add the 'dhcpdupdate' key to our PowerDNSinstallation - Associate the domains with the given TSIG key - - - Restart PowerDNS and you should be ready to go! - - - - How it works - This is a short description of how DNS update messages are processed by PowerDNS. - - - - The DNS update message is received. If it is TSIG signed, the TSIG is validated against the tsigkeys table. - If it is not valid, Refused is returned to the requestor. - - A check is performed on the zone to see if it is a valid zone. ServFail is returned when not valid. - The experimental-dnsupdate setting is checked. Refused is returned when the setting is 'no'. 
- - If the ALLOW-DNSUPDATE-FROM has a value (from both domainmetadata and the configuration file), a check on the value is performed. - If the requestor (sender of the update message) does not match the values in ALLOW-DNSUPDATE-FROM, Refused is returned. - - - If the message is TSIG signed, the TSIG keyname is compared with the TSIG keyname in domainmetadata. If they do not match, a Refused is send. - The TSIG-ALLOW-DNSUPDATE domainmetadata setting is used to find which key belongs to the domain. - - The backends are queried to find the backend for the given domain. - - If the domain is a slave domain, the forward-dnsupdate option and domainmetadata settings are checked. - If forwarding to a master is enabled, the message is forward to the master. If that fails, the next master is tried until all masters are tried. - If all masters fail, ServFail is returned. If a master succeeds, the result from that master is returned. - - - A check is performed to make sure all updates/prerequisites are for the given zone. NotZone is returned if this is not the case. - - The transaction with the backend is started. - - The prerequisite checks are performed (section 3.2 of RFC2136). - If a check fails, the corresponding RCode is returned. No further processing will happen. - - - Per record in the update message, a the prescan checks are performed. If the prescan fails, the corresponding RCode is returned. - If the prescan for the record is correct, the actual update/delete/modify of the record is performed. - If the update fails (for whatever reason), ServFail is returned. - After changes to the records have been applied, the ordername and auth flag are set to make sure DNSSEC remains working. - The cache for that record is purged. - - - If there are records updated and the SOA record was not modified, the SOA serial is updated. See . - The cache for this record is purged. - - The transaction with the backend is committed. If this fails, ServFail is returned. 
- NoError is returned. - - - - - - Recursion - (only available from 1.99.8 and onwards, recursing component available since 2.9.5) - - From 2.9.5 onwards, PowerDNS offers both authoritative nameserving capabilities and a recursive nameserver component. These two halves - are normally separate but many users insist on combining both recursion and authoritative service on one IP address. This can be likened - to running Apache and Squid both on port 80. - - - However, many sites want to do this anyhow and some with good reason. For example, a setup like this allows the creation of fake domains - which only exist for local users. Such domains often don't end on ".com" or ".org" but on ".intern" or ".name-of-isp". - - - PowerDNS can cooperate with either its own recursor or any other you have available to deliver recursive service on its port. - - - By specifying the recursor option in the configuration file, questions requiring recursive treatment will be handed over - to the IP address specified. An example configuration might be recursor=130.161.180.1, which designates 130.161.180.1 as - the nameserver to handle recursive queries. - - Using 'recursor=' is NOT RECOMMENDED as it comes with many potentially nasty surprises. - - Take care not to point recursor to the PowerDNS Authoritative Server itself, which leads to a very tight packet loop! - - - By specifying allow-recursion, recursion can be restricted to netmasks specified. The default is to allow - recursion from everywhere. Example: allow-recursion=192.168.0.0/24, 10.0.0.0/8, 192.0.2.4. - - Details - - Questions carry a number of flags. One of these is called 'Recursion Desired'. If PDNS is configured to allow recursion, AND such a flag - is seen, AND the IP address of the client is allowed to recurse via PDNS, then the packet may be handed to the recursing backend. 
- - - If a Recursion Desired packet arrives and PDNS is configured to allow recursion, but not to the IP address of the client, resolution will proceed - as if the RD flag were unset and the answer will indicate that recursion was not available. - - - It is also possible to use a resolver living on a different port. To do so, specify a recursor like this: - recursor=192.0.2.1:5300. - - - If the backend does not answer a question within a large amount of time, this is logged as 'Recursive query for remote 10.96.0.2 with internal id 0 - was not answered by backend within timeout, reusing id'. This may happen when using 'BIND' as a recursor as it is prone to drop queries which it can't - answer immediately. - - - To make sure that the local authoritative database overrides recursive information, PowerDNS first tries to answer a question from its own database. - If that succeeds, the answer packet is sent back immediately without involving the recursor in any way. This means that for questions for which there is no answer, PowerDNS will consult the recursor for an recursive query, even if PowerDNS is authoritative for a domain! This will only cause problems if you 'fake' domains which don't really exist. - - - If you want to create such fake domains or override existing domains, please set the allow-recursion-override feature (available from 2.9.14 until 2.9.22.6). - - - Some packets, like those asking for MX records which are needed for SMTP transport of email, can be subject to 'additional processing'. This means - that a recursing nameserver is obliged to try to add A records (IP addresses) for any of the mail servers mentioned in the packet, should it have - these addresses available. - - - If PowerDNS encounters records needing such processing and finds that it does not have the data in its authoritative database, it will send - an opportunistic quick query to the recursing component to see if it perhaps has such data. 
This question is worded such that the recursing nameserver - should return immediately such as not to block the authoritative nameserver. - - - This marks a change from pre-2.9.5 behaviour where a packet was handed wholesale to the recursor in case it needed additional processing which could - not proceed from the authoritative database. - - - - PowerDNS Recursor: a high performance resolving nameserver - - The PowerDNS recursor is part of the source tarball of the main PowerDNS distribution, but it is released separately. Starting from - the version 3.0 pre-releases, there are zero known bugs or issues with the recursor. It is known to power the resolving needs of over 100 million - internet connections. - - - The documentation below is only for the 3.0 series, users of older versions are urged to upgrade! - - - Notable features: - - - Uses MTasker (homepage) - - - Can handle thousands of concurrent questions. A quad Xeon 3GHz has been measured functioning very well at 40000 real life replayed - packets per second, with 40% cpu idle. More testing equipment is needed to max out the recursor. - - - Powered by a highly modern DNS packet parser that should be resistant against many forms of buffer overflows. - - - Best spoofing protection that we know about, involving both source port randomisation and spoofing detection. - - - Uses 'connected' UDP sockets which allow the recursor to react quickly to unreachable hosts or hosts for which - the server is running, but the nameserver is down. This makes the recursor faster to respond in case of misconfigured domains, - which are sadly very frequent. - - - Special support for FreeBSD, Linux and Solaris stateful multiplexing (kqueue, epoll, completion ports, /dev/poll). - - - Very fast, and contains innovative query-throttling code to save time talking to obsolete or broken nameservers. - - - Code is written linearly, sequentially, which means that there are no problems with 'query restart' or anything. 
- - - Relies heavily on Standard C++ Library infrastructure, which makes for little code (406 core lines). - - - Is very verbose in showing how recursion actually works, when enabled to do so with --verbose. - - - The algorithm is simple and quite nifty. - - - - - The PowerDNS recursor is controlled and queried using the rec_control tool. - - pdns_recursor settings - - At startup, the recursing nameserver reads the file recursor.conf from the configuration directory, - often /etc/powerdns or /usr/local/etc. Each setting below can appear on the command line, - prefixed by '--', or in the configuration file. The command line overrides the configuration file. - - - A switch can be set to on simply by passing it, like '--daemon', and turned off explicitly by '--daemon=off' or '--daemon=no'. - - - The following settings can be configured: - - - aaaa-additional-processing - - - If turned on, the recursor will attempt to add AAAA IPv6 records to questions for MX records and NS records. - Can be quite slow as absence of these records in earlier answers does not guarantee their non-existence. Can double - the amount of queries needed. Off by default. - - - - - allow-from - - - Comma separated netmasks (both IPv4 and IPv6) that are allowed to use the server. The default allows access only from RFC 1918 - private IP addresses, like 10.0.0.0/8. Due to the aggressive nature of the internet these days, it is highly recommended - to not open up the recursor for the entire internet. Questions from IP addresses not listed here are ignored and do - not get an answer. - - - - - allow-from-file - - - Like allow-from, except reading from file. Overrides the 'allow-from' setting. - To use this feature, supply one netmask per line, with optional comments preceded by a #. - Available since version 3.1.5. - - - - - any-to-tcp | any-to-tcp=yes | any-to-tcp=no - - - Answer questions for the ANY type on UDP with a truncated packet that refers the - remote server to TCP. 
Useful for mitigating ANY reflection attacks. Defaults to off. - - - - - - auth-can-lower-ttl - - - Authoritative zones can transmit a TTL value that is lower than that specified in the parent zone. This is called a - 'delegation inconsistency'. To follow RFC 2181 paragraphs 5.2 and 5.4 to the letter, enable this feature. - This will mean a slight deterioration of performance, and it will not solve any problems, but does make - the recursor more standards compliant. Not recommended unless you have to tick an 'RFC 2181 compliant' box. Off by default. - - - - - auth-zones - - - Comma separated list of 'zonename=filename' pairs. Zones read from these files (in BIND format) are served authoritatively. Example: - auth-zones=example.org=/var/zones/example.org, powerdns.com=/var/zones/powerdns.com. Available since version 3.1. - - - - carbon-ourname=... - - If sending carbon updates, if set, this will override our hostname. See . Available beyond 3.5.3. - - carbon-server=... - - If set to an IP or IPv6 address, will send all available metrics to this server - via the carbon protocol, which is used by graphite and metronome. See . Available beyond 3.5.3. - - carbon-interval=... - - If sending carbon updates, this is the interval between them in seconds. See . Available beyond 3.5.3. - - - chroot - - If set, chroot to this directory for more security. See . - - - Make sure that /dev/log is available from within the chroot. Logging will silently fail - over time otherwise (on logrotate). - - - client-tcp-timeout - - - Time to wait for data from TCP clients. Defaults to 2 seconds. - - - - - config-dir - - - Directory where the configuration file can be found. - - - - - daemon - - - Operate in the background, which is the default. - - - - - delegation-only - - - A Verisign special. - - - - - disable-packetcache - - - Turn off the packet cache. Useful when running with Lua scripts that can not be cached. Available since version 3.2. 
- - - - - dont-query - - - The DNS is a public database, but sometimes contains delegations to private IP addresses, like for example 127.0.0.1. This can have odd effects, - depending on your network, and may even be a security risk. Therefore, since version 3.1.5, the PowerDNS recursor by default does not query - private space IP addresses. This setting can be used to expand or reduce the limitations. - - - - - entropy-source - - - From version 3.1.5 onwards, PowerDNS can read entropy from a (hardware) source. This is used for generating random numbers - which are very hard to predict. Generally on UNIX platforms, this source will be - /dev/urandom, which will always supply random numbers, even if entropy is lacking. - Change to /dev/random if PowerDNS should block waiting for enough entropy to arrive. - - - - - export-etc-hosts - - - If set, this flag will export the host names and IP addresses mentioned in /etc/hosts. Available since version 3.1. - - - - - export-etc-hosts-search-suffix - - - If set, all hostnames in the export-etc-hosts file are - loaded in canonical form, based on this suffix, unless the - name contain a '.', in which case the name is unchanged. - So an entry called 'pc' with - export-etc-hosts-search-suffix='home.com' will lead to the - generation of 'pc.home.com' within the recursor. An entry - called 'server1.home' will be stored as 'server1.home', - regardless of the export-etc-hosts setting. Available - in since version 3.4. - - - - - - fork - - - If running on an SMP system with enough memory, this feature forks PowerDNS so it benefits from two processors. Experimental. Renames - controlsockets, so care is needed to connect to the right one using rec_control, using --socket-pid. - Available in versions of the Recursor before 3.2, replaced by the 'threads' setting. - - - - - forward-zones - - - Comma separated list of 'zonename=IP' pairs. Queries for zones listed here will be forwarded to the IP address listed. 
- forward-zones=example.org=203.0.113.210, powerdns.com=127.0.0.1. Available since version 3.1. - - - Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured. - Sample syntax: forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530, - or on the command line: --forward-zones="example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;9.8.7.6:530", - - - Forwarded queries have the 'recursion desired' bit set to 0, meaning that this setting is intended to forward queries to authoritative servers. - - - - - forward-zones-file - - - Same as forward-zones, parsed from a file. Only 1 zone is allowed per line, specified as follows: - example.org=203.0.113.210, 192.0.2.4:5300. No comments are allowed. Available since version 3.1.5. - - - Since version 3.2, zones prefixed with a '+' are forwarded with the recursion-desired bit set to one, for which see 'forward-zones-recurse'. Default behaviour without '+' - is as with 'forward-zones'. - - - - - forward-zones-recurse - - - Like regular 'forward-zones' (see above), but forwarded queries have the 'recursion desired' bit set to 1, meaning that this setting is intended to forward queries - to authoritative servers or to resolving servers. Available since version 3.2. - - - - - hint-file - - - If set, the root-hints are read from this file. If unset, default root hints are used. Available since version 2.9.19. - - - - - latency-statistic-size - - - Indication of how many queries will be averaged to get the average latency reported by the 'qa-latency' metric. Since 3.6. - - - - - - local-address - - - Local IPv4 or IPv6 addresses to bind to, comma separated. Defaults to only loopback. Addresses can also contain port numbers, - for IPv4 specify like this: 192.0.2.4:5300, for IPv6: [::1]:5300. Port specifications are available since - version 3.1.2. 
- - When binding to wildcard addresses, UNIX semantics mean that answers may not be sent - from the address a query was received on. It is highly recommended to bind to explicit addresses. - - - - - local-port - - - Local port (singular) to bind to. Defaults to 53. - - - - - - loglevel - - - Amount of logging. Higher is more, more logging may destroy performance. Available since 3.6. - - - - - - log-common-errors - - - Some DNS errors occur rather frequently and are no cause for alarm. Logging these is on by default. - - - - - logging-facility - - - If set to a digit, logging is performed under this LOCAL facility. See . Available from 3.1.3 and onwards. Do not pass names like 'local0'! - - - - - - - max-cache-entries - - - Maximum number of DNS cache entries. 1 million per thread will generally suffice for most installations. - - - - - - max-packetcache-entries - - - Maximum number of Packet Cache entries. 1 million per thread will generally suffice for most installations. Available since version 3.2. - - - - - max-cache-ttl - - - Maximum number of seconds to cache an item in the DNS cache, no matter what the original TTL specified. Available since version 3.2. - - - - - max-negative-ttl - - - A query for which there is authoritatively no answer is cached to quickly deny a record's existence later on, without - putting a heavy load on the remote server. In practice, caches can become saturated with hundreds of thousands of hosts - which are tried only once. This setting, which defaults to 3600 seconds, puts a maximum on the amount of time negative - entries are cached. - - - - - max-tcp-clients - - - Maximum number of simultaneous incoming TCP connections allowed. Defaults to 128. Available since version 2.9.18. - - - - - max-tcp-per-client - - - Maximum number of simultaneous incoming TCP connections allowed per client (remote IP address). Defaults to 0, which means unlimited. 
- - - - - minimum-ttl-override - - - Available since 3.6, this setting artificially raises all TTLs to be at least this long. While this is a gross hack, - and violates RFCs, under conditions of DoS, it may enable you to continue serving your customers. Can be set at runtime using - 'rec_control set-minimum-ttl 3600'. To disable, set to 0 (the default). - - - - - - network-timeout - - - Number of milliseconds to wait for a remote authoritative server to respond. Defaults to 1500 msec, available since version 3.2. - - - - - packetcache-ttl - - - Maximum number of seconds to cache an item in the packet cache, no matter what the original TTL specified. Available since version 3.2. - - - - - packetcache-servfail-ttl - - - Maximum number of seconds to cache a 'server failure' answer in the packet cache. Available since version 3.2. - - - - - pdns-distributes-queries - - - If set, PowerDNS will have only 1 thread listening on client sockets, and distribute work by itself over threads. Improves - performance on Linux. Do not use on Recursor versions before 3.6 as the feature was experimental back then, and not that stable. - - - - - - query-local-address - - - Send out local queries from this address, or addresses. Since version 3.2, by adding multiple addresses, increased spoofing resilience is achieved. Addresses can be separated by a comma. - - - - - query-local-address6 - - - Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables - outgoing IPv6 support. Since version 3.2, multiple addresses can be specified, separated by a comma. - - - - - - quiet - - - Don't log queries. On by default. - - - - - remotes-ringbuffer-entries - - - Number of entries in the remotes ringbuffer, which keeps statistics on who is querying your server. Can be read out using - rec_control top-remotes. Defaults to 0. 
- - - - - serve-rfc1918 - - - On by default, this makes the server authoritatively aware of: 10.in-addr.arpa, - 168.192.in-addr.arpa, 16-31.172.in-addr.arpa, which saves - load on the AS112 servers. Individual parts of these zones can still be loaded or forwarded. - - - - - server-down-max-fails - server-down-throttle-time - - - If a server has not responded in any way this many times in a row, no longer send it any queries - for server-down-throttle-time seconds. Afterwards, we will try a new packet, and if that also - gets no response at all, we again throttle for server-down-throttle-time-seconds. Even a single - response packet will drop the block. Available and on by default since 3.6. - - - - - - server-id - - - The PowerDNS recursor by replies to a query for 'id.server' with its hostname, useful for in clusters. Use this setting to override - the answer it gives. - - - - - setgid - setuid - - - PowerDNS can change its user and group id after binding to its socket. Can be used for better security. - - - - - socket-dir - - - Where to store the control socket. This option also works with the controller, rec_control. - - - - - socket-owner, socket-group, socket-mode - - - Owner, group and mode of the controlsocket. Owner and group can be specified by name, mode is in octal. - - - - - - spoof-nearmiss-max - - - If set to non-zero, PowerDNS will assume it is being spoofed after seeing this many answers with the wrong id. Defaults to 20. - - - - - trace - - - If turned on, output impressive heaps of logging. May destroy performance under load. - - - - - udp-truncation-threshold=... - - - EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however - also have downsides in terms of reflection attacks. This setting limits the - accepted size. Maximum value is 65535, but values above 4096 should probably not be attempted. Default is 1680. - - - - - version - - - Print version of this binary. 
Useful for checking which version of the PowerDNS recursor is installed on a system. Available since version 3.1.5. - - - - - version-string - - - By default, PowerDNS replies to the 'version.bind' query with its version number. Security conscious users may wish to override - the reply PowerDNS issues. - - - - - - - pdns_recursor command line - - All configuration settings from the previous section can also be passed on the command line, and - will override the configuration file. In addition, the following options make sense on the command line: - - - --config - - - Emit a default configuration file. - - - - - --help - - - Output all configuration settings and command line flags. - - - - - - - Controlling and querying the recursor - - To control and query the PowerDNS recursor, the tool rec_control is provided. This program - talks to the recursor over the 'controlsocket', often stored in /var/run. - - - As a sample command, try: - - # rec_control ping - pong - - - - When not running as root, --socket-dir=/tmp might be appropriate. - - - All rec_control commands are documented below: - - - dump-cache filename - - - Dumps the entire cache to the filename mentioned. This file should not exist already, PowerDNS - will refuse to overwrite it. While dumping, the recursor will not answer questions. - - - - - get statistic - - - Retrieve a statistic. For items that can be queried, see below. - - - - - get-all - - - Retrieve all statistics in one go. Available since version 3.2. - - - - - get-parameter parameter1 parameter2 .. - - - Retrieve a configuration parameter. All parameters from the configuration and command line can be queried. Available since version 3.2. - - - - - ping - - - Check if server is alive. - - - - - quit - - - Request shutdown of the recursor. - - - - - - reload-acls - - - Reload access control lists. - - - - - reload-zones - - - Reload data about all authoritative and forward zones. 
The configuration file is also scanned - to see if the auth-domain, forward-domain and export-etc-hosts - statements have changed, and if so, these changes are incorporated. - - - - - set-minimum-ttl - - - Available since 3.6, this setting artificially raises all TTLs to be at least this long. While this is a gross hack, - and violates RFCs, under conditions of DoS, it may enable you to continue serving your customers. Corresponds - to the configuration file setting 'minimum-ttl-override'. - - - - - - top-remotes - - - Shows the top-20 most active remote hosts. Statistics are over the last 'remotes-ringbuffer-entries' queries, which - defaults to 0. - - - - - trace-regex regex - - Available since 3.5. - - Queries matching this regular expression will generate - voluminous tracing output. Be aware that matches from the - packet cache will still not generate tracing. To unset the - regex, pass 'trace-regex' without a new regex. - - - The regular expression is matched against domain queries - terminated with a '.'. So, for example the regex - 'powerdns.com$' will not match a query for - 'www.powerdns.com', since the attempted match will be with - 'www.powerdns.com.'. - - - In addition, since this is a regular expression, to - exclusively match queries for 'www.powerdns.com', one - should escape the dots: '^www\.powerdns\.com\.$'. - - - Multiple matches can be chained with the | operator. For - example, to match all queries for Dutch (.nl) and German - (.de) domain names, use: '\.nl\.$|\.de\.$'. - - - - - version - - - Available after 3.6.1, report currently running version - - - - - - wipe-cache domain0. [domain1. domain2.] - - - Wipe entries from the cache. This is useful if, for example, an important server has a new IP address, but the TTL has not - yet expired. Multiple domain names can be passed. For versions before 3.1, you must terminate a domain with a .! So to wipe powerdns.org, - issue 'rec_control wipe-cache powerdns.org.'. 
For later versions, the dot is optional. - - - Note that deletion is exact, wiping 'com.' will leave 'www.powerdns.com.' untouched! - - - - - As of 3.1.7, this command also wipes the negative query cache for the specified domain. - - - - - Don't just wipe 'www.somedomain.com', its NS records or CNAME target may still be undesired, so wipe 'somedomain.com' as well. - - - - - - - - - The command 'get' can query a large number of statistics, which are detailed in . - - - - More details on what 'throttled' queries and the like are can be found below in . - - - PowerDNS Recursor performance - - To get the best out of the PowerDNS recursor, which is important if you are doing thousands of queries per second, please - consider the following. - - - - Limit the size of the caches to a sensible value. Cache hit rate does not improve meaningfully beyond 4 million max-cache-entries per thread, - reducing the memory footprint reduces CPU cache misses. See below for more information about the various caches. - - - - - Compile using g++ 4.1 or later. This compiler really does a good job on PowerDNS, much better than 3.4 or 4.0. - - - - - On AMD/Intel hardware, wherever possible, run a 64-bit binary. This delivers a nearly twofold performance increase. On UltraSPARC, there is no need to run with 64 bits. - - - - - Consider performing a 'profiled build' as described in the README. This is good for a 20% performance boost in some cases. - - - - - When running with >3000 queries per second, and running Linux versions prior to 2.6.17 on some motherboards, your computer may - spend an inordinate amount of time working around an ACPI bug for each call to gettimeofday. This is solved by rebooting with 'clock=tsc' - or upgrading to a 2.6.17 kernel. - - - The above is relevant if dmesg shows Using pmtmr for high-res timesource - - - - - A busy server may need hundreds of file descriptors on startup, and deals with spikes better if it has that many available - later on. 
Linux by default restricts processes to 1024 file descriptors, which should suffice most of the time, but Solaris - has a default limit of 256. This can be raised using the ulimit command. FreeBSD has a default limit that is high enough for even - very heavy duty use. - - - - When deploying (large scale) IPv6, please be aware some - Linux distributions leave IPv6 routing cache tables at very small - default values. Please check and if necessary raise 'sysctl - net.ipv6.route.max_size'. - - - - For older versions <3.2: If you need it, try --fork, this will fork the daemon into two halves, allowing it to benefit from a second CPU. - This feature almost doubles performance, but is a bit of a hack. - - - - - for 3.2 and higher, set 'threads' to your number of CPUs. - - - - - For best PowerDNS Recursor performance, use a recent version of your operating system, since this generally - offers the best event multiplexer implementation available (kqueue, epoll, ports or /dev/poll). - - - - - A Recursor under high load puts a severe stress on any stateful (connection tracking) firewall, so much - so that the firewall may fail. - - - Specifically, many Linux distributions run with a connection tracking firewall configured. For high load operation (thousands of queries/second), - It is advised to either turn off iptables - completely, or use the 'NOTRACK' feature to make sure DNS traffic bypasses the connection tracking. 
- - - Sample Linux command lines would be: - - # iptables -t raw -I OUTPUT -p udp --dport 53 -j NOTRACK - # iptables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK - # iptables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK - # iptables -t raw -I PREROUTING -p udp --sport 53 -j NOTRACK - # iptables -I INPUT -p udp --dport 53 -j ACCEPT - # iptables -I INPUT -p udp --sport 53 -j ACCEPT - # iptables -I OUTPUT -p udp --dport 53 -j ACCEPT - - # # optionally - # ip6tables -t raw -I OUTPUT -p udp --dport 53 -j NOTRACK - # ip6tables -t raw -I OUTPUT -p udp --sport 53 -j NOTRACK - # ip6tables -t raw -I PREROUTING -p udp --sport 53 -j NOTRACK - # ip6tables -t raw -I PREROUTING -p udp --dport 53 -j NOTRACK - # ip6tables -I INPUT -p udp --dport 53 -j ACCEPT - # ip6tables -I INPUT -p udp --sport 53 -j ACCEPT - # ip6tables -I OUTPUT -p udp --dport 53 -j ACCEPT - - - - - Following the instructions above, you should be able to attain very high query rates. - - Recursor Caches - - The PowerDNS Recursor contains a number of caches, or information stores: - - - Nameserver speeds cache - - - The "NSSpeeds" cache contains the average latency to all remote authoritative servers. - - - - - Negative cache - - - The "Negcache" contains all domains known not to exist, or record types not to exist for a domain. - - - - - Recursor Cache - - - The Recursor Cache contains all DNS knowledge gathered over time. - - - - - Packet Cache - - - The Packet Cache contains previous answers sent to clients. If a question comes in that matches a previous answer, this is sent back directly. - - - - - - - The Packet Cache is consulted first, immediately after receiving a packet. This means that a high hitrate for the Packet Cache automatically lowers the cache hitrate of - subsequent caches. This explains why releases 3.2 and beyond see dramatically lower DNS cache hitrates, since this is the first version with a Packet Cache. 
- - - - Details - Anti-spoofing - - The PowerDNS recursor 3.0 uses a fresh UDP source port for each outgoing query, making spoofing around 64000 times harder. This - raises the bar from 'easily doable given some time' to 'very hard'. Under some circumstances, 'some time' has been measured at 2 seconds. - This technique was first used by dnscache by Dan J. Bernstein. - - - In addition, PowerDNS detects when it is being sent too many unexpected answers, and mistrusts a proper answer if found within - a clutch of unexpected ones. - - - This behaviour can be tuned using the spoof-nearmiss-max. - - - Throttling - - PowerDNS implements a very simple but effective nameserver. Care has been taken not to overload remote servers in case - of overly active clients. - - - This is implemented using the 'throttle'. This accounts all recent traffic and prevents queries that have been sent out - recently from going out again. - - - There are three levels of throttling. - - - - If a remote server indicates that it is lame for a zone, the exact question won't - be repeated in the next 60 seconds. - - - - - After 4 ServFail responses in 60 seconds, the query gets throttled too. - - - - - 5 timeouts in 20 seconds also lead to query suppression. 
- - - - - - - - Statistics - - The rec_control get command can be used to query the following statistics, either single keys or multiple statistics - at once: - -all-outqueries counts the number of outgoing UDP queries since starting -answers0-1 counts the number of queries answered within 1 millisecond -answers100-1000 counts the number of queries answered within 1 second -answers10-100 counts the number of queries answered within 100 milliseconds -answers1-10 counts the number of queries answered within 10 milliseconds -answers-slow counts the number of queries answered after 1 second -cache-bytes Size of the cache in bytes (since 3.3.1) -cache-entries shows the number of entries in the cache -cache-hits counts the number of cache hits since starting -cache-misses counts the number of cache misses since starting -chain-resends number of queries chained to existing outstanding query -client-parse-errors counts number of client packets that could not be parsed -concurrent-queries shows the number of MThreads currently running -dlg-only-drops number of records dropped because of delegation only setting -dont-outqueries number of outgoing queries dropped because of 'dont-query' setting (since 3.3) -ipv6-outqueries number of outgoing queries over IPv6 -max-mthread-stack maximum amount of thread stack ever used -negcache-entries shows the number of entries in the Negative answer cache -noerror-answers counts the number of times it answered NOERROR since starting -nsspeeds-entries shows the number of entries in the NS speeds map -nsset-invalidations number of times an nsset was dropped because it no longer worked -nxdomain-answers counts the number of times it answered NXDOMAIN since starting -outgoing-timeouts counts the number of timeouts on outgoing UDP queries since starting -over-capacity-drops Questions dropped because over maximum concurrent query limit (since 3.2) -packetcache-bytes Size of the packet cache in bytes (since 3.3.1) -packetcache-entries Size of 
packet cache (since 3.2) -packetcache-hits Packet cache hits (since 3.2) -packetcache-misses Packet cache misses (since 3.2) -policy-drops Packets dropped because of (Lua) policy decision -qa-latency shows the current latency average, in microseconds -questions counts all End-user initiated queries with the RD bit set -ipv6-questions counts all End-user initiated queries with the RD bit set, received over IPv6 UDP -resource-limits counts number of queries that could not be performed because of resource limits -server-parse-errors counts number of server replied packets that could not be parsed -servfail-answers counts the number of times it answered SERVFAIL since starting -spoof-prevents number of times PowerDNS considered itself spoofed, and dropped the data -sys-msec number of CPU milliseconds spent in 'system' mode -tcp-client-overflow number of times an IP address was denied TCP access because it already had too many connections -tcp-outqueries counts the number of outgoing TCP queries since starting -tcp-questions counts all incoming TCP queries (since starting) -throttled-out counts the number of throttled outgoing UDP queries since starting -throttle-entries shows the number of entries in the throttle map -unauthorized-tcp number of TCP questions denied because of allow-from restrictions -unauthorized-udp number of UDP questions denied because of allow-from restrictions -unexpected-packets number of answers from remote servers that were unexpected (might point to spoofing) -uptime number of seconds process has been running (since 3.1.5) -user-msec number of CPU milliseconds spent in 'user' mode - - In the rrd/ subdirectory a number of rrdtool scripts is provided to make nice - graphs of all these numbers. Use rec_control get-all to get all statistics in one go. - - - It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-1000 + answers-slow + packetcache-hits + over-capacity-drops + policy-drops = questions. 
- - - Also note that unauthorized-tcp and unauthorized-udp packets do not end up in the 'questions' count. - - - Every half our or so, the recursor outputs a line with statistics. More infrastructure is planned so as to allow - for Cricket or MRTG graphs. To force the output of statistics, send the process a SIGUSR1. A line of statistics looks - like this: - -Feb 10 14:16:03 stats: 125784 questions, 13971 cache entries, 309 negative entries, 84% cache hits, outpacket/query ratio 37%, 12% throttled - - This means that there are 13791 different names cached, which each may have multiple records attached to them. There are 309 items - in the negative cache, items of which it is known that don't exist and won't do so for the near future. 84% of incoming questions - could be answered without any additional queries going out to the net. - - - The outpacket/query ratio means that on average, 0.37 packets were needed to answer a question. Initially this ratio may be well over 100% - as additional queries may be needed to actually recurse the DNS and figure out the addresses of nameservers. - - - Finally, 12% of queries were not performed because identical queries had gone out previously, saving load servers worldwide. - - - Scripting - - As of version 3.1.7 of the PowerDNS Recursor, it is possible to modify resolving behaviour using simple scripts written in the Lua - programming language. - - - These scripts can be used to quickly override dangerous domains, fix things that are wrong, for load balancing or for legal or commercial purposes. - - - As of 3.1.7, queries can be intercepted in two places: before the resolving logic starts to work, plus after the resolving process failed to find - a correct answer for a domain. - - - Configuring Lua scripts - - In order to load scripts, the PowerDNS Recursor must have Lua support built in. The packages distributed from the PowerDNS website have this language - enabled, other distributions may differ. 
To compile with Lua support, use: LUA=1 make or LUA=1 gmake - as the case may be. Paths to the Lua include files and binaries may be found near the top of the Makefile. - - - If Lua support is available, a script can be configured either via the configuration file, or at runtime via the rec_control tool. - Scripts can be reloaded or unloaded at runtime with no interruption in operations. If a new script contains syntax errors, the old script remains in force. - - - On the command line, or in the configuration file, the setting lua-dns-script can be used to supply a full path to a 'lua' script. - - - At runtime, rec_control reload-lua-script can be used to either reload the script from its current location, or, when passed - a new file name, load one from a new location. A failure to parse the new script will leave the old script in working order. - - - Finally, rec_control unload-lua-script can be used to remove the currently installed script, and revert to unmodified behaviour. - - - Writing Lua PowerDNS Recursor scripts - - Once a script is loaded, PowerDNS looks for several functions, as detailed below. All of these functions are optional. - - - preresolve ( remoteip, domain, qtype ) is called before any DNS resolution is attempted, and if this function indicates it, it can supply a direct answer to the - DNS query, overriding the internet. This is useful to combat botnets, or to disable domains unacceptable to an organization for whatever reason. - - - postresolve ( remoteip, domain, qtype, records, origrcode ) is called right before returning a response to a client (and, unless setvariable() is called, to the packet cache too). It allows inspection and modification of almost any detail in the return packet. Available since version 3.4. - - - function nxdomain ( remoteip, domain, qtype ) is called after the DNS resolution process has run its course, but ended in an 'NXDOMAIN' situation, indicating that the domain - or the specific record does not exist. 
This can be used for various purposes. - - - function nodata ( remoteip, domain, qtype, records ) is just like nxdomain, except it gets called when a domain exists, but the requested type does not. This is where one would implement DNS64. Available since version 3.4. - - - All these functions are passed the IP address of the requester, plus the name and type being requested. In return, these functions indicate if they - have taken over the request, or want to let normal proceedings take their course. - - - - - In development versions of the PowerDNS Recursor, versions which were never released except as for testing purposes, these functions had a fourth parameter: localip - This parameter has been replaced by getlocaladdress(), for which see below. - - - - - If a function has taken over a request, it should return an rcode (usually 0), and specify a table with records to be put in the answer section - of a packet. An interesting rcode is NXDOMAIN (3, or pdns.NXDOMAIN), which specifies the non-existence of a domain. - Returning -1 and an empty table signifies that the function chose not to intervene. - - - A minimal sample script: - - - -function nxdomain ( ip, domain, qtype ) - print ("nxhandler called for: ", ip, domain, qtype) - - ret={} - if qtype ~= pdns.A then return pdns.PASS, ret end -- only A records - if not string.find(domain, "^www%.") then return pdns.PASS, ret end -- only things that start with www. - if not matchnetmask(ip, "10.0.0.0/8", "192.168.0.0/16") then return pdns.PASS, ret end -- only interfere with local queries - ret[1]={qtype=pdns.A, content="192.0.2.13"} -- add IN A 192.0.2.13 - ret[2]={qtype=pdns.A, content="192.0.2.21"} -- add IN A 192.0.2.21 - setvariable() - return 0, ret -- return no error, plus records -end - - - - - - Please do NOT use the above sample script in production! Responsible NXDomain redirection requires more attention to detail. - - - - - Note that the domain is passed to the Lua function terminated by a '.'. 
- A more complete sample script is provided as powerdns-example-script.lua in the PowerDNS Recursor distribution. - - - The answer content format is (nearly) identical to the storage in the PowerDNS Authoritative Server database, or as in zone files. - The exception is that, unlike in the database, there is no 'prio' field, which means that an MX record with priority 25 pointing to 'smtp.example.net' would be encoded as - '25 smtp.example.net.'. - - - Useful return 'rcodes' include 0 for "no error", pdns.NXDOMAIN for "NXDOMAIN", pdns.DROP to drop the question - from further processing (since 3.6, and such a drop is accounted in the 'policy-drops' metric). - - - Fields that can be set in the return table include: - - - content - - - Content of the record, as specified above in 'zone file format'. No default, mandatory field. - - - - - place - - - Place of this record. Defaults to 1, indicating 'Answer' section. Can also be 2, for Authority of 3 for Additional. - When using this rare feature, always emit records with 'Place' in ascending order. This field is usually not needed. - - - - - qname - - - qname of the answer, the 'name' of the record. Defaults to the name of the query, which is almost always correct except when - specifying additional records or rolling out a CNAME chain. - - - - - qtype - - - Currently the numerical qtype of the answer, defaulting to '1' which is an A record. Can be also be specified as - pdns.A, or pdns.CNAME etc. - - - - - ttl - - - Time to live of a record. Defaults to 3600. Be sure not to specify differing TTLs within answers with an identical qname. While this - will be encoded in DNS, actual results may be undesired. - - - - - qclass - - - Query-Class of a record. Defaults to 1 (IN). Be sure to always return the correct qclass in each record! Valid query-classes are 1 (IN), 3 (CHAOS), 254 (NONE) and 255 (ANY). - - - Only the IN class (1) is fully supported! - - - - - - - - - - - The result table must have indexes that start at 1! 
Otherwise the first or confusingly the last entry of the table will - be ignored. A useful technique is to return data using: - return 0, {{qtype=1, content="192.0.2.4"}, {qtype=1, content="4.3.2.1"}} as this will get the numbering - right automatically. - - - - - The function matchnetmask(ip, netmask1, netmask2..) (or matchnetmask(ip, {netmask1, netmask2})) is available to match incoming queries against - a number of netmasks. If any of these match, the function returns true. - - - To log messages with the main PowerDNS Recursor process, use pdnslog(message). Available since version 3.2. - pdnslog can also write out to a syslog loglevel if specified. Use pdnslog(message, pdns.loglevels.LEVEL) with the correct pdns.loglevels entry. Entries are listed in the following table: - - pdnslog() loglevels - - - Allpdns.loglevels.All - NTLogpdns.loglevels.NTLog - Alertpdns.loglevels.Alert - Criticalpdns.loglevels.Critical - Errorpdns.loglevels.Error - Warningpdns.loglevels.Warning - Noticepdns.loglevels.Notice - Infopdns.loglevels.Info - Debugpdns.loglevels.Debug - Nonepdns.loglevels.None - - -
- pdnslog(message) will write out to Info by default. -
- - To retrieve the IP address on which a query was received, use getlocaladdress(). Available since version 3.2. - - - To indicate that an answer should not be cached in the packet cache, use setvariable(). Available since version 3.3. - - - To get fake AAAA records for DNS64 usage, use return "getFakeAAAARecords", domain, "fe80::21b:77ff:0:0". Available since version 3.4. - - CNAME chain resolution - - It may be useful to return a CNAME record for Lua, and then have the PowerDNS Recursor continue resolving that CNAME. - This can be achieved by returning: "followCNAMERecords", 0, {{qtype=pdns.CNAME, content="www.powerdns.com"}}. This indicates - an rcode of 0 and the records to put in the record. But the first string instruct PowerDNS to complete the CNAME chain. Available since 3.6. - - -
-
- DNS64 support in the PowerDNS Recursor - - DNS64 is a technology to allow IPv6-only clients to receive special IPv6 addresses that are proxied to - IPv4 addresses. This proxy service is then called NAT64. - - - So, as an example, let's say an IPv6 only client would want to connect to www.example.com, it would request the AAAA records - for that name. However, if example.com does not actually have an IPv6 address, what we do is 'fake up' an IPv6 address. We do this - by retrieving the A records for www.example.com, and translating them to AAAA records. - - - Elsewhere, a NAT64 device listens on these IPv6 addresses, and extracts the IPv4 address from each packet, and proxies it on - - - DNS64 is described in RFC 6147, and is supported by the PowerDNS Recursor since version 3.4. - - - For maximum flexibility, DNS64 support is included in the Lua scripting engine. This allows for example to hand out - custom IPv6 gateway ranges depending on the location of the requestor, enabling the use of NAT64 services close to the user. - - - To setup DNS64, create the following Lua script and save it to a file called dns64.lua: - - function nodata ( remoteip, domain, qtype, records ) - if qtype ~= pdns.AAAA then return pdns.PASS, {} end -- only AAAA records - setvariable() - return "getFakeAAAARecords", domain, "fe80::21b:77ff:0:0" - end - - Where fe80::21b::77ff:0:0 is your "Pref64" translation prefix. Next, make sure your script gets loaded - by specifying it with "lua-pdns-script=dns64.lua". - - - In addition, since PowerDNS Recursor 3.6, it is also possible to also generate the associated PTR records. - This makes sure that reverse lookup of DNS64-generated IPv6 addresses generate the right name. The procedure is similar, - a request for an IPv6 PTR is converted into one for the corresponding IPv4 address. 
- - - To hook up the generation of PTR records, include: - - function endswith(s, send) - return #s >= #send and s:find(send, #s-#send+1, true) and true or false - end - - function preresolve ( remoteip, domain, qtype ) - if qtype ==pdns.PTR and endswith(domain, "f.f.7.7.b.1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.") - then - return "getFakePTRRecords", domain, "fe80::21b::77ff:0:0" - end - return pdns.PASS, {} - end - - Where the "ip6.arpa" string is the reversed form of your Pref64 address. - - - - - Design and Engineering of the PowerDNS Recursor - - - - This section is aimed at programmers wanting to contribute to the recursor, or to help fix bugs. It is not required - reading for a PowerDNS operator, although it might prove interesting. - - - - The PowerDNS Recursor consists of very little code, the core DNS logic is less than a thousand lines. - - This smallness is achieved through the use of some fine infrastructure: MTasker, MOADNSParser, MPlexer and the C++ Standard Library/Boost. This page will explain the conceptual relation between these components, and the route of a packet through the program. - - - The PowerDNS Recursor - The Recursor started out as a tiny project, mostly a technology demonstration. These days it consists of the core plus 9000 lines of features. This combined with a need for very high performance has made the recursor code less accessible than it was. The page you are reading hopes to rectify this situation. - - - - Synchronous code using MTasker - The original name of the program was syncres, which is still reflected in the file name syncres.cc, and the class SyncRes. This means that PowerDNS is written naively, with one thread of execution per query, synchronously waiting for packets, Normally this would lead to very bad performance (unless running on a computer with very fast threading, like possibly the Sun CoolThreads family), so PowerDNS employs MTasker for very fast userspace threading. 
- - MTasker, which was developed separately from PowerDNS, does not provide a full multithreading system but restricts itself to those features a nameserver needs. It offers cooperative multitasking, which means there is no forced preemption of threads. This in turn means that no two MThreads ever really run at the same time. - - This is both good and bad, but mostly good. It means PowerDNS does not have to think about locking. No two threads will ever be talking to the DNS cache at the same time, for example. - - It also means that the recursor could block if any operation takes too long. - - The core interaction with MTasker are the waitEvent() and sendEvent() functions. These pass around PacketID objects. Everything PowerDNS needs to wait for is described by a PacketID event, so the name is a bit misleading. Waiting for a TCP socket to have data available is also passed via a PacketID, for example. - - The version of MTasker in PowerDNS is newer than that described at the MTasker site, with a vital difference being that the waitEvent() structure passes along a copy of the exact PacketID sendEvent() transmitted. Furthermore, threads can trawl through the list of events being waited for and modify the respective PacketIDs. This is used for example with near miss packets: packets that appear to answer questions we asked, but differ in the DNS id. On seeing such a packet, the recursor trawls through all PacketIDs and if it finds any nearmisses, it updates the PacketID::nearMisses counter. The actual PacketID thus lives inside MTasker while any thread is waiting for it. - - - - MPlexer - The Recursor uses a separate socket per outgoing query. This has the important benefit of making spoofing 64000 times harder, and additionally means that ICMP errors are reported back to the program. In measurements this appears to happen to one in ten queries, which would otherwise take a two-second timeout before PowerDNS moves on to another nameserver. 
- - However, this means that the program routinely needs to wait on hundreds or even thousands of sockets. Different operating systems offer various ways to monitor the state of sockets or more generally, file descriptors. To abstract out the differing strategies (select, epoll, kqueue, completion ports), PowerDNS contains MPlexer classes, all of which descend from the FDMultiplexer class. - - This class is very simple and offers only five important methods: addReadFD(), addWriteFD(), removeReadFD(), removeWriteFD() and run. - - The arguments to the add functions consist of an fd, a callback, and a boost::any variable that is passed as a reference to the callback. - - This might remind you of the MTasker above, and it is indeed the same trick: state is stored within the MPlexer. As long as a file descriptor remains within either the Read or Write active list, its state will remain stored. - - On arrival of a packet (or more generally, when an FD becomes readable or writable, which for example might mean a new TCP connection), the callback is called with the aforementioned reference to its parameter. - - The callback is free to call removeReadFD() or removeWriteFD() to remove itself from the active list. - - PowerDNS defines such callbacks as newUDPQuestion(), newTCPConnection(), handleRunningTCPConnection(). - - Finally, the run() method needs to be called whenever the program is ready for new data. This happens in the main loop in pdns_recursor.cc. This loop is what MTasker refers to as the kernel. In this loop, any packets or other MPlexer events get translated either into new MThreads within MTasker, or into calls to sendEvent(), which in turn wakes up other MThreads. - - - - MOADNSParser - Yes, this does stand for the Mother of All DNS Parsers. And even that name does not do it justice! The MOADNSParser is the third attempt I've made at writing DNS packet parser and after two miserable failures, I think I've finally gotten it right. 
- - Writing and parsing DNS packets, and the DNS records it contains, consists of four things: - - - - Parsing a DNS record (from packet) into memory - - - - - Generating a DNS record from memory (to packet) - - - - - Writing out memory to user-readable zone format - - - - - Reading said zone format into memory - - - - - - This gets tedious very quickly, as one needs to implement all four operations for each new record type, and there are dozens of them. - - While writing the MOADNSParser, it was discovered there is a remarkable symmetry between these four transitions. DNS Records are nearly always laid out in the same order in memory as in their zone format representation. And reading is nothing but inverse writing. - - So, the MOADNSParser is built around the notion of a Conversion, and we write all Conversion types once. So we have a Conversion from IP address in memory to an IP address in a DNS packet, and vice versa. And we have a Conversion from an IP address in zone format to memory, and vice versa. - - This in turn means that the entire implementation of the ARecordContent is as follows (wait for it!) - - conv.xfrIP(d_ip); - Through the use of the magic called c++ Templates, this one line does everything needed to perform the four operations mentioned above. - - At one point, I got really obsessed with PowerDNS memory use. So, how do we store DNS data in the PowerDNS recursor? I mentioned memory above a lot - this means we could just store the DNSRecordContent objects. However, this would be wasteful. - - For example, storing the following: - - www.example.org 3600 IN CNAME outpost.example.org. - Would duplicate a lot of data. So, what is actually stored is a partial DNS packet. To store the CNAMEDNSRecordContent that corresponds to the above, we generate a DNS packet that has www.example.org IN CNAME as its question. Then we add 3600 IN CNAME outpost.example.org. as its answer. 
Then we chop off the question part, and store the rest in the www.example.org IN CNAME key in our cache. - - When we need to retrieve www.example.org IN CNAME, the inverse happens. We find the proper partial packet, prefix it with a question for www.example.org IN CNAME, and expand the resulting packet into the answer 3600 IN CNAME outpost.example.org.. - - Why do we go through all these motions? Because of DNS compression, which allows us to omit the whole .example.org. part, saving us 9 bytes. This is amplified when storing multiple MX records which all look more or less alike. This optimization is not performed yet though. - - Even without compression, it makes sense as all records are automatically stored very compactly. - - The PowerDNS recursor only parses a number of well known record types and passes all other information across verbatim - it doesn't have to know about the content it is serving. - - - - The C++ Standard Library / Boost - C++ is a powerful language. Perhaps a bit too powerful at times, you can turn a program into a real freakshow if you so desire. - - PowerDNS generally tries not to go overboard in this respect, but we do build upon a very advanced part of the Boost C++ library: - boost::multi index container. - - This container provides the equivalent of SQL indexes on multiple keys. It also implements compound keys, which PowerDNS uses as well. - - The main DNS cache is implemented as a multi index container object, with a compound key on the name and type of a record. Furthermore, the cache is sequenced, each time a record is accessed it is moved to the end of the list. When cleanup is performed, we start at the beginning. New records also get inserted at the end. For DNS correctness, the sort order of the cache is case insensitive. - - The multi index container appears in other parts of PowerDNS, and MTasker as well. 
- - - - Actual DNS Algorithm - The DNS RFCs do define the DNS algorithm, but you can't actually implement it exactly that way, it was written in 1987. - - Also, like what happened to HTML, it is expected that even non-standards conforming domains work, and a sizable fraction of them is misconfigured these days. - - Everything begins with SyncRes::beginResolve(), which knows nothing about sockets, and needs to be passed a domain name, dns type and dns class which we are interested in. It returns a vector of DNSResourceRecord objects, ready for writing either into an answer packet, or for internal use. - - After checking if the query is for any of the hardcoded domains (localhost, version.bind, id.server), the query is passed to SyncRes::doResolve, together with two vital parameters: the depth and beenthere set. As the word recursor implies, we will need to recurse for answers. The depth parameter documents how deep we've recursed already. - - The beenthere set prevents loops. At each step, when a nameserver is queried, it is added to the beenthere set. No nameserver in the set will ever be queried again for the same question in the recursion process - we know for a fact it won't help us further. This prevents the process from getting stuck in loops. - - SyncRes::doResolve first checks if there is a CNAME in cache, using SyncRes::doCNAMECacheCheck, for the domain name and type queried and if so, changes the query (which is passed by reference) to the domain the CNAME points to. This is the cause of many DNS problems, a CNAME record really means start over with this query. - - This is followed by a call do SyncRes::doCacheCheck, which consults the cache for a straight answer to the question (as possibly rerouted by a CNAME). This function also consults the so called negative cache, but we won't go into that just yet. - - If this function finds the correct answer, and the answer hasn't expired yet, it gets returned and we are (almost) done. 
This happens in 80 to 90% of all queries. Which is good, as what follows is a lot of work. - - To recap: - - - - beginResolve() - entry point, does checks for hardcoded domains - - - - - doResolve() - start of recursion process, gets passed depth of 0 and empty beenthere set - - - - - doCNAMECacheCheck() - check if there is a CNAME in cache which would reroute the query - - - - - doCacheCheck() - see if cache contains straight answer to possibly rerouted query. - - - - - If the data we were queried for was in the cache, we are almost done. One final step, which might as well be optional as nobody benefits from it, is SyncRes::addCruft. This function does additional processing, which means that if the query was for the MX record of a domain, we also add the IP address of the mail exchanger. - - - - The non-cached case - This is where things get interesting, because we start out with a nearly empty cache and have to go out to the net to get answers to fill it. - - The way DNS works, if you don't know the answer to a question, you find somebody who does. Initially you have no other place to go than the root servers. This is embodied in the SyncRes::getBestNSNamesFromCache method, which gets passed the domain we are interested in, as well as the depth and beenthere parameters mentioned earlier. - - From now on, assume our query will be for www.powerdns.com.. SyncRes::getBestNSNamesFromCache will first check if there are NS records in cache for www.powerdns.com., but there won't be. It then checks powerdns.com. NS, and while these records do exist on the internet, the recursor doesn't know about them yet. So, we go on to check the cache for com. NS, for which the same holds. Finally we end up checking for . NS, and these we do know about: they are the root servers and were loaded into PowerDNS on startup. - - So, SyncRes::getBestNSNamesFromCache fills out a set with the names of nameservers it knows about for the . zone. 
- - This set, together with the original query www.powerdns.com gets passed to SyncRes::doResolveAt. This function can't yet go to work immediately though, it only knows the names of nameservers it can try. This is like asking for directions and instead of hearing take the third right you are told go to 123 Fifth Avenue, and take a right - the answer doesn't help you further unless you know where 123 Fifth Avenue is. - - SyncRes::doResolveAt first shuffles the nameservers both randomly and on performance order. If it knows a nameserver was fast in the past, it will get queried first. More about this later. - - Ok, here is the part where things get a bit scary. How does SyncRes::doResolveAt find the IP address of a nameserver? Well, by calling SyncRes::getAs (get A records), which in turn calls.. SyncRes::doResolve. Hang on! That's where we came from! Massive potential for loops here. Well, it turns out that for any domain which can be resolved, this loop terminates. We do pass the beenthere set again, which makes sure we don't keep on asking the same questions to the same nameservers. - - Ok, SyncRes::getAs will give us the IP addresses of the chosen root-server, because these IP addresses were loaded on startup. We then ask these IP addresses (nameservers can have several) for its best answer for www.powerdns.com.. This is done using the LWRes class and specifically LWRes::asyncresolve, which gets passed domain name, type and IP address. This function interacts with MTasker and MPlexer above in ways which needn't concern us now. When it returns, the LWRes object contains the best answers the queried server had for our domain, which in this case means it tells us about the nameservers of com., and their IP addresses. - - All the relevant answers it gives are stored in the cache (or actually, merged), after which SyncRes::doResolveAt (which we are still in) evaluates what to do now. 
- - There are 6 options: - - - - The final answer is in, we are done, return to SyncRes::doResolve and SyncRes::beginResolve - - - - - The nameserver we queried tells us the domain we asked for authoritatively does not exist. In case of the root-servers, this happens when we query for www.powerdns.kom. for example, there is no kom.. Return to SyncRes::beginResolve, we are done. - - - - - A lesser form - it tells us it is authoritative for the query we asked about, but there is no record matching our type. This happens when querying for the IPv6 address of a host which only has an IPv4 address. Return to SyncRes::beginResolve, we are done. - - - - - The nameserver passed us a CNAME to another domain, and we need to reroute. Go to SyncRes::doResolve for the new domain. - - - - - The nameserver did not know about the domain, but does know who does, a referral. Stay within doResolveAt and loop to these new nameservers. - - - - - The nameserver replied saying no idea. This is called a lame delegation. Stay within SyncRes::doResolveAt and try the other nameservers we have for this domain. - - - - - When not redirected using a CNAME, this function will loop until it has exhausted all nameservers and all their IP addresses. DNS is surprisingly resilient that there is often only a single non-broken nameserver left to answer queries, and we need to be prepared for that. - - This is the whole DNS algorithm in PowerDNS, all in less than 700 lines of code. It contains a lot of tricky bits though, related to the cache. - - - - Some of the things we glossed over - Whenever a packet is sent to a remote nameserver, the response time is stored in the SyncRes::s_nsSpeeds map, using an exponentially weighted moving average. This EWMA averages out different response times, and also makes them decrease over time. This means that a nameserver that hasn't been queried recently gradually becomes faster in the eyes of PowerDNS, giving it a chance again. 
- - A timeout is accounted as a 1s response time, which should take that server out of the running for a while. - - Furthermore, queries are throttled. This means that each query to a nameserver that has failed is accounted in the s_throttle object. Before performing a new query, the query and the nameserver are looked up via shouldThrottle. If so, the query is assumed to have failed without even being performed. This saves a lot of network traffic and makes PowerDNS quick to respond to lame servers. - - It also offers a modicum of protection against birthday attack powered spoofing attempts, as PowerDNS will not inundate a broken server with queries. - - The negative query cache we mentioned earlier caches the cases 2 and 3 in the enumeration above. This data needs to be stored separately, as it represents non-data. Each negcache query entry is the name of the SOA record that was presented with the evidence of non-existence. This SOA record is then retrieved from the regular cache, but with the TTL that originally came with the NXDOMAIN (case 2) or NXRRSET (case 3). - - - - The Recursor Cache - As mentioned before, the cache stores partial packets. It also stores not the Time To Live of records, but in fact the Time To Die. If the cache contains data, but it is expired, that data should not be deemed present. This bit of PowerDNS has proven tricky, leading to deadlocks in the past. - - There are some other very tricky things to deal with. For example, through a process called more details, a domain might have more nameservers than listed in its parent zone. So, there might only be two nameservers for powerdns.com. in the com. zone, but the powerdns.com zone might list more. - - This means that the cache should not, when talking to the com. servers later on, overwrite these four nameservers with only the two copies the com. servers pass us. - - However, in other cases (like for example for SOA and CNAME records), new data should overwrite old data. 
- Note that PowerDNS deviates from RFC 2181 (section 5.4.1) in this respect. - - - - Some small things - The server-side part of PowerDNS (pdns_recursor.cc), which listens to queries by end-users, is fully IPv6 capable using the ComboAddress class. This class is in fact a union of a struct sockaddr_in and a struct sockaddr_in6. As long as the sin_family (or sin6_family) and sin_port members are in the same place, this works just fine, allowing us to pass a ComboAddress*, cast to a sockaddr* to the socket functions. For convenience, the ComboAddress also offers a length() method which can be used to indicate the length - either sizeof(sockaddr_in) or sizeof(sockaddr_in6). - - Access to the recursor is governed through the NetmaskGroup class, which internally contains Netmask, which in turn contain a ComboAddress. - - -
- Master/Slave operation & replication - - - PDNS offers full master and slave semantics for replicating domain information. Furthermore, PDNS can benefit from native - database replication. - - Native replication - - Native replication is the default, unless other operation is specifically configured. Native replication basically means that PDNS will - not send out DNS update notifications, nor will react to them. PDNS assumes that the backend is taking care of replication unaided. - - - MySQL replication has proven to be very robust and well suited, even over transatlantic connections between badly peering ISPs. Other PDNS - users employ Oracle replication which also works very well. - - - To use native replication, configure your backend storage to do the replication and do not configure PDNS to do so. - - - Slave operation - - On launch, PDNS requests from all backends a list of domains which have not been checked recently for changes. This should happen every - 'refresh' seconds, as specified in the SOA record. All domains that are unfresh are then checked for changes over at their - master. If the SOA serial number there is higher, the domain is retrieved and inserted into the database. In - any case, after the check the domain is declared 'fresh', and will only be checked again after 'refresh' seconds have passed. - - - - - Slave support is OFF by default, turn it on by adding slave to the configuration. The same - holds for master operation. Both can be on simultaneously. - - - - - - PDNS also reacts to notifies by immediately checking if the zone has updated and if so, retransfering it. - - - All backends which implement this feature must make sure that they can handle transactions so as to not leave the zone in a half updated state. - MySQL configured with either BerkeleyDB or InnoDB meets this requirement, as do PostgreSQL and Oracle. 
The Bindbackend implements transaction - semantics by renaming files if and only if they have been retrieved completely and parsed correctly. - - - Slave operation can also be programmed using several pdns_control commands, see . The 'retrieve' command - is especially useful as it triggers an immediate retrieval of the zone from the configured master. - - - Since version 2.9.21, PowerDNS supports multiple masters. For the BIND backend, the native BIND configuration language suffices to specify - multiple masters, for SQL based backends, list all master servers separated by commas in the 'master' field of the domains table. - - Supermaster automatic provisioning of slaves - - PDNS can recognize so called 'supermasters'. A supermaster is a host which is master for domains and for which we are to be a slave. When - a master (re)loads a domain, it sends out a notification to its slaves. Normally, such a notification is only accepted if PDNS already - knows that it is a slave for a domain. - - - However, a notification from a supermaster carries more persuasion. When PDNS determines that a notification comes from a supermaster and it - is bonafide, PDNS can provision the domain automatically, and configure itself as a slave for that zone. - - - Before a supermaster notification succeeds, the following conditions must be met: - - - The supermaster must carry a SOA record for the notified domain - - - The supermaster IP must be present in the 'supermaster' table - - - The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that - goes with the IP address in the supermaster table - - - - - - If you use another PowerDNS server as master and have DNSSEC enabled on that server please don't forget to rectify the domains after every change. - If you don't do this there is no SOA record available and one requirement will fail. 
- - - - So, to benefit from this feature, a backend needs to know about the IP address of the supermaster, and how PDNS will be listed in the set of - NS records remotely, and the 'account' name of your supermaster. There is no need to fill the account name out but it does help keep track of - where a domain comes from. - - - Modifying a slave zone using a script - - As of version 3.0, the PowerDNS Authoritative Server can invoke a Lua script on an incoming AXFR zone transfer. - The user-defined function axfrfilter within your script is invoked for each resource record read during the transfer, - and the outcome of the function defines what PowerDNS does with the records. - - (idea and documentation contributed by Jan-Piet Mens) - - What you can accomplish using a Lua script: - - Ensure consistent values on SOA - Change incoming SOA serial number to a YYYYMMDDnn format - Ensure consistent NS RRset - Timestamp the zone transfer with a TXT record - - - -To enable a Lua script for a particular slave zone, determine the domain_id for the zone from the `domains` table, and add a row to the `domainmetadata` table for the domain. Supposing the domain we want has an `id` of 3, the following SQL statement will enable the Lua script `my.lua` for that domain: - - INSERT INTO domainmetadata (domain_id, kind, content) VALUES (3, "LUA-AXFR-SCRIPT", "/lua/my.lua"); - - - - The Lua script must both exist and be syntactically correct; if not, the zone transfer is not performed. - - Your Lua functions have access to the query codes through a pre-defined Lua table called `pdns`. - For example if you want to check for a CNAME record you can either compare `qtype` to the numeric constant 5 or the value - `pdns.CNAME` -- they are equivalent. - - If your function decides to handle a resource record it must return a result code of 0 together with a Lua table - containing one or more replacement records to be stored in the back-end database. 
If, on the other hand, your - function decides not to modify a record, it must return pdns.PASS and an empty table indicating that PowerDNS should - handle the incoming record as normal. If your function decides to drop a query and not respond whatsoever, it must return - pdns.DROP and an empty table indicating that the recursor does not want to process the packet in Lua nor in the core recursor logic. - - - Consider the following simple example: - - function axfrfilter(remoteip, zone, qname, qtype, ttl, prio, content) - - -- Replace each HINFO records with this TXT - if qtype == pdns.HINFO then - resp = {} - resp[1] = { qname = qname, - qtype = pdns.TXT, - ttl = 99, - content = "Hello Ahu!" - } - return 0, resp - end - - -- Grab each _tstamp TXT record and add a time stamp - if qtype == pdns.TXT and string.starts(qname, "_tstamp.") then - resp = {} - resp[1] = { - qname = qname, - qtype = qtype, - ttl = ttl, - content = os.date("Ver %Y%m%d-%H:%M") - } - return 0, resp - end - - resp = {} - return pdns.PASS, resp - end - - function string.starts(s, start) - return s.sub(s, 1, s.len(start)) == start - end - - Upon an incoming AXFR, PowerDNS calls our `axfrfilter` function for each record. All HINFO records - are replaced by a TXT record with a TTL of 99 seconds and the specified string. TXT Records with - names starting with `_tstamp.` get their value (_rdata_) set to the current time stamp. - All other records are unhandled. - - - - - Master operation - - When operating as a master, PDNS sends out notifications of changes to slaves, which react to these notifications by querying PDNS to see - if the zone changed, and transferring its contents if it has. Notifications are a way to promptly propagate zone changes to slaves, as - described in RFC 1996. - - - - - Master support is OFF by default, turn it on by adding master to the configuration. The same - holds for slave operation. Both can be on simultaneously. 
- - - - - If you have DNSSEC-signed zones and non-PowerDNS slaves, please check your SOA-EDIT settings. - - - - - Notifications are only sent for domains with type MASTER in your backend. - - - - - - Left open by RFC 1996 is who is to be notified - which is harder to figure out than it sounds. All slaves for this domain must receive a notification - but the nameserver only knows the names of the slaves - not the IP addresses, which is where the problem lies. The nameserver itself might - be authoritative for the name of its secondary, but not have the data available. - - - To resolve this issue, PDNS tries multiple tactics to figure out the IP addresses of the slaves, and notifies everybody. In contrived configurations - this may lead to duplicate notifications being sent out, which shouldn't hurt. - - - Some backends may be able to detect zone changes, others may chose to let the operator indicate which zones have changed and which haven't. - Consult the documentation for your backend to see how it processes changes in zones. - - - To help deal with slaves that may have missed notifications, or have failed to respond to them, several override commands are available via - the pdns_control tool (): - - - - - pdns_control notify domain - - - This instructs PDNS to notify all IP addresses it considers to be slaves of this domain. - - - - - pdns_control notify-host domain ip-address - - - This is truly an override and sends a notification to an arbitrary IP address. Can be used in 'also-notify' situations - or when PDNS has trouble figuring out who to notify - which may happen in contrived configurations. - - - - - - - - Fancy records for seamless email and URL integration - - - - As of PowerDNS Authoritative Server 3.0, fancy records are no longer supported! - - - - - PDNS also supports so called 'fancy' records. A Fancy Record is actually not a DNS record, but it is translated into one. 
Currently, - two fancy records are implemented, but not very useful without additional unreleased software. For completeness, they are listed here. - The software will become available later on and is part of the Express and PowerMail suite of programs. - - - These records imply extra database lookups which has a performance impact. Therefore fancy records are only queried for if they are enabled - with the fancy-records command in pdns.conf. - - - - - MBOXFW - - - This record denotes an email forward. A typical entry looks like this: - - support@yourdomain.com MBOXFW you@yourcompany.com - - When PDNS encounters a request for an MX record for yourdomain.com it will, if fancy records are enabled, also check for the existence - of an MBOXFW record ending on '@yourdomain.com', in which case it will hand out a record containing the configured - smtpredirector. This server should then also be able to access the PDNS database to figure out where mail to - support@yourdomain.com should go to. - - - - - URL - - - URL records work in much the same way, but for HTTP. A sample record: - - yourdomain.com URL http://somewhere.else.com/yourdomain - - A URL record is converted into an A record containing the IP address configured with the urlredirector - setting. On that IP address a webserver should live that knows how to redirect yourdomain.com to - http://somewhere.else.com/yourdomain. - - - - - - - Index of all Authoritative Server settings - - All PDNS Authoritative Server settings are listed here, excluding those that originate from backends, which are documented in the relevant chapters. You can use += syntax to set some - variables incrementally, but this requires you to have at least one non-incremental setting for the variable to act as base setting. This is mostly useful for include-dir directive. - - - allow-axfr-ips=... - - Behaviour pre 2.9.10: When not allowing AXFR (disable-axfr), DO allow from these IP addresses or netmasks. 
- - Behaviour post 2.9.10: If set, only these IP addresses or netmasks will be able to perform AXFR. - - - - allow-recursion=... - - - By specifying allow-recursion, recursion can be restricted to netmasks specified. The default is to allow - recursion from everywhere. Example: allow-recursion=192.168.0.0/24, 10.0.0.0/8, 192.0.2.4. - - - - - also-notify=... - - - When notifying a domain, also notify these nameservers. Example: also-notify=192.168.0.1, 10.0.0.1. The IP adresses listed in - also-notify always receive a notification. Even if they do not mach the list in only-notify. - - - - any-to-tcp | any-to-tcp=yes | any-to-tcp=no - - Answer questions for the ANY and RRSIG types on UDP with a truncated packet that refers the - remote server to TCP. Useful for mitigating reflection attacks. Defaults to off. Available since 3.3. - - cache-ttl=... - - Seconds to store packets in the PacketCache. See . - - carbon-ourname=... - - If sending carbon updates, if set, this will override our hostname. See . Available beyond 3.3.1. - - carbon-server=... - - If set to an IP or IPv6 address, will send all available metrics to this server - via the carbon protocol, which is used by graphite and metronome. See . Available beyond 3.3.1. - - carbon-interval=... - - If sending carbon updates, this is the interval between them in seconds. See . Available beyond 3.3.1. - - - chroot=... - - If set, chroot to this directory for more security. See . - - config-dir=... - - Location of configuration directory (pdns.conf) - - config-name=... - - Name of this virtual configuration - will rename the binary image. See . - - control-console=... - - Debugging switch - don't use. - - daemon=... - - Operate as a daemon - - default-soa-name=... - - name to insert in the SOA record if none set in the backend - - default-soa-mail=... - - mail address to insert in the SOA record if none set in the backend - - default-ttl=... - - TTL to use when none is provided. - - direct-dnskey=... 
- - Read additional ZSKs from the records table/your BIND zonefile - - disable-axfr=... - - Do not allow zone transfers. Before 2.9.10, this could be overridden by allow-axfr-ips. - - disable-axfr-rectify=... - - Disable the rectify step during an outgoing AXFR. Only required for regression testing. - Default is no. - - disable-tcp=... - - Do not listen to TCP queries. Breaks RFC compliance. - - distributor-threads=... - - Number of Distributor (backend) threads to start per receiver thread. See . - - do-ipv6-additional-processing=... - - Perform AAAA additional processing. - - edns-subnet-option-number=... - - If edns-subnet-processing is enabled, this option allows the user to override the option number. - - edns-subnet-processing=... - - Enables EDNS subnet processing, for backends that support it. - - entropy-source=... - - Entropy source (like /dev/urandom). - - experimental-dname-processing=... - - Synthesise CNAME records from DNAME records as required. This approximately doubles query load. Do not combine - with DNSSEC! - - fancy-records=... - - Process URL and MBOXFW records. See . - - guardian | --guardian=yes | --guardian=no - - Run within a guardian process. See . - - help - - Provide a helpful message - - include-dir - - Directory to scan for additional config files. All files that end with .conf are loaded in order. - - launch=... - - Which backends to launch and order to query them in. See . - - lazy-recursion=... - - On by default as of 2.1. Checks local data first before recursing. See . - - load-modules=... - - Load this module - supply absolute or relative path. See . - - local-address=... - - Local IP address to which we bind. You can specify multiple addresses separated by commas or whitespace. It is highly - advised to bind to specific interfaces and not use the default 'bind to any'. This causes big problems if you have multiple - IP addresses. 
Unix does not provide a way of figuring out what IP address a packet was sent to when binding to any. - - local-ipv6=... - - Local IPv6 address to which we bind. You can specify multiple addresses separated by commas or whitespace. - - local-port=... - - The port on which we listen. Only one port possible. - - log-dns-details=... - - If set to 'no', informative-only DNS details will not even be sent to syslog, improving performance. Available from 2.5 - and onwards. - - logging-facility=... - - If set to a digit, logging is performed under this LOCAL facility. See . Available from 1.99.9 and onwards. Do not pass names like 'local0'! - - loglevel=... - - Amount of logging. Higher is more. Do not set below 3 - - log-dns-queries [,=no] - -Tell PowerDNS to log all incoming DNS queries. This will lead to a lot of logging! Only enable for debugging! - - - - lua-prequery-script=... - - - Lua script to run before answering a query. This is a - feature used internally for regression testing. The API of - this functionality is not guaranteed to be stable, and is in - fact likely to change. - - - - - - - master [,=on]. - - Turn on master support. Boolean. - - - max-cache-entries=... - - - Maximum number of cache entries. 1 million will generally suffice for most installations. Available since version 2.9.22. - - - - - - - max-ent-entries=... - - - Maximum number of empty non-terminals to add to a zone. This is a protection measure to avoid database explosion due to long names. - - - - - max-queue-length=... - - If this many packets are waiting for database attention, consider the situation hopeless and respawn. - - max-tcp-connections=... - - Allow this many incoming TCP DNS connections simultaneously. - - module-dir=... - - Default directory for modules. See . - - negquery-cache-ttl=... - - Seconds to store queries with no answer in the Query Cache. See . - - no-config - - Do not attempt to read the configuration file. 
- - no-shuffle - - Do not attempt to shuffle query results. - - overload-queue-length=... - - If this many packets are waiting for database attention, answer any new questions strictly from the packet cache. - - reuseport=[yes|no] - - On Linux 3.9 and some BSD kernels the SO_REUSEPORT option allows each - receiver-thread to open a new socket on the same port which allows - for much higher performance on multi-core boxes. Setting this option - will enable use of SO_REUSEPORT when available and seamlessly fall - back to a single socket when it is not available. A side-effect is - that you can start multiple servers on the same IP/port combination - which may or may not be a good idea. You could use this to enable - transparent restarts, but it may also mask configuration issues and - for this reason it is disabled by default. - - - server-id - - - This is the server ID that will be returned on an EDNS NSID query. Defaults to the host name. - - - - - only-notify=... - - - Only send AXFR NOTIFY to these IP addresses or netmasks. The default is to notify the world. The IP addresses or netmasks in - also-notify or ALSO-NOTIFY metadata always receive AXFR NOTIFY. Example (and default): only-notify=0.0.0.0/0, ::/0. - - - - out-of-zone-additional-processing | --out-of-zone-additional-processing=yes | --out-of-zone-additional-processing=no - - Do out of zone additional processing. This means that if a malicious user adds a '.com' zone to your server, it is not used for - other domains and will not contaminate answers. Do not enable this setting if you run a public DNS service with untrusted users. Off by default. - - pipebackend-abi-version=... - - ABI version to use for the pipe backend. See . - - prevent-self-notification | prevent-self-notification = yes | prevent-self-notification = no - - Available as of 3.3. PowerDNS Authoritative Server attempts to not send out notifications to itself in master mode. 
- In very complicated situations we could guess wrong and not notify a server that should be notified. In that case, - set prevent-self-notification to "no". - - - query-cache-ttl=... - - Seconds to store queries with an answer in the Query Cache. See . - - query-local-address=... - - The IP address to use as a source address for sending queries. Useful if you have multiple IPs and pdns is not bound to the IP address your operating system uses by default for outgoing packets. - - query-local-address6=... - - Source IP address for sending IPv6 queries. - - query-logging | query-logging=yes | query-logging=no - - Hints to a backend that it should log a textual representation of queries it performs. Can be set at runtime. - - queue-limit=... - - Maximum number of milliseconds to queue a query. See . - - receiver-threads=... - - Number of receiver (listening) threads to start. See for tuning details. - - recursive-cache-ttl=... - - Seconds to store recursive packets in the PacketCache. See . - - recursor=... - - If set, recursive queries will be handed to the recursor specified here. See . - - retrieval-threads=... - - Number of AXFR slave threads to start. - - - send-root-referral | --send-root-referral=yes | --send-root-referral=no | --send-root-referral=lean - - If set, PowerDNS will send out old-fashioned root-referrals when queried for domains for which it is not authoritative. Wastes some bandwidth - but may solve incoming query floods if domains are delegated to you for which you are not authoritative, but which are queried by broken - recursors. Available since version 2.9.19. - - - Since version 2.9.21, it is possible to specify 'lean' root referrals, which waste less bandwidth. - - setgid=... - - If set, change group id to this gid for more security. See . - - setuid=... - - If set, change user id to this uid for more security. See . - - - slave [,=on]. - - Turn on slave support. Boolean. 
- - - slave-cycle-interval=60 - - Schedule slave up-to-date checks of domains whose status is unknown every .. seconds. - - slave-renotify [,=no] - -This setting will make PowerDNS renotify the slaves after an AXFR is *received* from a master. This is useful when using when running a signing-slave. - - signing-threads=3 - - Tell PowerDNS how many threads to use for signing. It might help improve signing speed by changing this number. - - smtpredirector=... - - Our smtpredir MX host. See . - - soa-expire-default=604800 - - Default SOA expire. - - soa-minimum-ttl=3600 - - Default SOA minimum ttl. - - soa-refresh-default=10800 - - Default SOA refresh. - - soa-retry-default=3600 - - Default SOA retry. - - socket-dir=... - - Where the controlsocket will live. See . - - strict-rfc-axfrs | --strict-rfc-axfrs=yes | --strict-rfc-axfrs=no - - Perform strictly RFC-conforming AXFRs, which are slow, but may be necessary to placate some old client tools. - - tcp-control-address=... - - Address to bind to for TCP control. - - tcp-control-port=... - - Port to bind to for TCP control. - - tcp-control-range=... - - Limit TCP control to a specific client range. - - tcp-control-secret=... - - Password for TCP control. - - traceback-handler=... - - Enable the Linux-only traceback handler (default on). - - - trusted-notification-proxy=... - - IP address of incoming notification proxy - - udp-truncation-threshold=... - - EDNS0 allows for large UDP response datagrams, which can potentially raise performance. Large responses however - also have downsides in terms of reflection attacks. Up till PowerDNS Authoritative Server 3.3, the truncation limit - was set at 1680 bytes, regardless of EDNS0 buffer size indications from the client. Beyond 3.3, this setting makes - our truncation limit configurable. Maximum value is 65535, but values above 4096 should probably not be attempted. - - urlredirector=... - - Where we send hosts to that need to be url redirected. See . 
- - version-string=anonymous|powerdns|full|custom - - When queried for its version over DNS (dig chaos txt version.bind @pdns.ip.address), PowerDNS normally - responds truthfully. With this setting you can overrule what will be returned. Set the version-string - to 'full' to get the default behaviour, to 'powerdns' to just make it state 'served by PowerDNS - http://www.powerdns.com'. - The 'anonymous' setting will return a ServFail, much like Microsoft nameservers do. You can set this response - to a custom value as well. - - - webserver | --webserver=yes | --webserver=no - - Start a webserver for monitoring. See . - - webserver-address=... - - IP Address of webserver to listen on. See . - - webserver-password=... - - Password required for accessing the webserver. See . - - webserver-port=... - - Port of webserver to listen on. See . - - webserver-print-arguments=... - - If the webserver should print arguments. See . - - wildcard-url=... - - Check for wildcard URL records. - - - - - Index of all Authoritative Server metrics - Counters & variables - - A number of counters and variables are set during PDNS Authoritative Server operation. These can be queried with the init.d - dump, show and mrtg commands, or viewed with the - webserver. - - - Counters - - - - corrupt-packets - Number of corrupt packets received - - - latency - Average number of microseconds a packet spends within PDNS - - - packetcache-hit - Number of packets which were answered out of the cache - - - packetcache-miss - Number of times a packet could not be answered out of the cache - - - packetcache-size - Amount of packets in the packetcache - - - qsize-a - Size of the queue before the transmitting socket. - - - qsize-q - Number of packets waiting for database attention - - - rd-queries - Number of packets sent by clients requesting recursion (regardless of if we'll be providing them with recursion). Since 3.4.0. 
- - - recursing-questions - Number of packets we supplied an answer to after recursive processing - - - - recursing-questions - Number of packets we performed recursive processing for - - - - recursion-unanswered - Number of packets we sent to our recursor, but did not get a timely answer for. Since 3.4.0. - - - - servfail-packets - Amount of packets that could not be answered due to database problems - - - tcp-answers - Number of answers sent out over TCP - - - tcp-questions - Number of questions received over TCP - - - timedout-questions - Amount of packets that were dropped because they had to wait too long internally - - - udp-answers - Number of answers sent out over UDP - - - udp-queries - Number of questions received over UDP - - - udp4-answers - Number of answers sent out over UDPv4 - - - udp4-queries - Number of questions received over UDPv4 - - - udp6-answers - Number of answers sent out over UDPv6 - - - udp6-queries - Number of questions received over UDPv6 - - - - - - - Ring buffers - - Besides counters, PDNS also maintains the ringbuffers. A ringbuffer records events, each new event gets a place - in the buffer until it is full. When full, earlier entries get overwritten, hence the name 'ring'. - - - By counting the entries in the buffer, statistics can be generated. These statistics can currently only be viewed - using the webserver and are in fact not even collected without the webserver running. - - - The following ringbuffers are available: - - - - - Log messages (logmessages) - All messages logged - - - Queries for existing records but for a type we don't have (noerror-queries) - Queries for, say, the AAAA record of a domain, when only an A is available. - Queries are listed in the following format: name/type. So an AAA query for pdns.powerdns.com looks like - pdns.powerdns.com/AAAA. 
- - - Queries for non-existing records within existing domains(nxdomain-queries) - If PDNS knows it is authoritative over a domain, and it sees a question for a record in that domain - that does not exist, it is able to send out an authoritative 'no such domain' message. Indicates that hosts are - trying to connect to services really not in your zone. - - - - UDP queries received (udp-queries) - - All UDP queries seen. - - - - Remote server IP addresses (remotes) - - Hosts querying PDNS. Be aware that UDP is anonymous - person A can send queries that appear to be coming from - person B. - - - - Remotes sending corrupt packets (remote-corrupts) - - Hosts sending PDNS broken packets, possibly meant to disrupt service. Be aware that UDP is - anonymous - person A can send queries that appear to be coming from person B. - - - - Remotes querying domains for which we are not auth (remote-unauth) - - It may happen that there are misconfigured hosts on the internet which are configured to - think that a PDNS installation is in fact a resolving nameserver. These hosts will not - get useful answers from PDNS. This buffer lists hosts sending queries for domains which - PDNS does not know about. - - - - Queries that could not be answered due to backend errors (servfail-queries) - - For one reason or another, a backend may be unable to extract answers for a certain domain from - its storage. This may be due to a corrupt database or to inconsistent data. When this happens, - PDNS sends out a 'servfail' packet indicating that it was unable to answer the question. This buffer - shows which queries have been causing servfails. - - - - Queries for domains that we are not authoritative for (unauth-queries) - - If a domain is delegated to a PDNS instance, but the backend is not made aware of this fact, questions come - in for which no answer is available, nor is the authority. Use this ringbuffer to spot such queries. 
- - - - - - - - - Supported record types and their storage - - This chapter lists all record types PDNS supports, and how they are stored in backends. The list is mostly alphabetical but - some types are grouped. - - Host names and the MNAME of a SOA records are NEVER terminated with a '.' in PowerDNS storage! If a trailing '.' is present - it will inevitably cause problems, problems that may be hard to debug. - - The PowerDNS Recursor can serve and store all record types, regardless of whether these are explicitly supported. - - - A - - - The A record contains an IP address. It is stored as a decimal dotted quad string, - for example: '203.0.113.210'. - - - - - AAAA - - - The AAAA record contains an IPv6 address. An example: '2001:DB8:2000:bf0::1'. - - - - - AFSDB (since 2.9.21) - - - Specialised record type for the 'Andrew Filesystem'. Stored as: '#subtype hostname', where subtype is a number. - - - - - CERT (since 2.9.21) - - - Specialised record type for storing certificates, defined in RFC 2538. - - - - - CNAME - - - The CNAME record specifies the canonical name of a record. It is stored plainly. Like all other records, it is not - terminated by a dot. A sample might be 'webserver-01.yourcompany.com'. - - - - - DNSKEY (since 2.9.21) - - - The DNSKEY DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS - is able to fully process DNSSEC. This can be done with pdnssec. - - - - - DS (since 2.9.21) - - - The DS DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS - is able to fully process DNSSEC. This can be done with pdnssec. - - - - - HINFO - - - Hardware Info record, used to specify CPU and operating system. Stored with a single space separating these two, - example: 'i386 Linux'. - - - - - KEY (since 2.9.21) - - - The KEY record is fully supported. For its syntax, see RFC 2535. 
- - - - - LOC - - - The LOC record is fully supported. For its syntax, see RFC 1876. A sample content would be: '51 56 0.123 N 5 54 0.000 E 4.00m 1.00m 10000.00m 10.00m' - - - - - MX - - - The MX record specifies a mail exchanger host for a domain. Each mail exchanger also has a priority or preference. - This should be specified in the separate field dedicated for that purpose, often called 'prio'. - - - - - NAPTR - - - - Naming Authority Pointer, RFC 2915. Stored as follows: - - '100 50 "s" "z3950+I2L+I2C" "" _z3950._tcp.gatech.edu'. - - The fields are: order, preference, flags, service, regex, - replacement. Note that the replacement is not enclosed in quotes, and should not be. The replacement may be omitted, in which - case it is empty. See also RFC 2916 for how to use NAPTR for ENUM (E.164) purposes. - - - - - NS - - - Nameserver record. Specifies nameservers for a domain. Stored plainly: 'ns1.powerdns.com', as always without a terminating dot. - - - - - NSEC (since 2.9.21) - - - The NSEC DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC processing, since 3.0 PowerDNS - is able to fully process DNSSEC. This can be done with pdnssec. - - - - - PTR - - - Reverse pointer, used to specify the host name belonging to an IP or IPv6 address. Name is stored plainly: 'www.powerdns.com'. - As always, no terminating dot. - - - - - RP - - - Responsible Person record, as described in RFC 1183. Stored with a single space between the mailbox name and the more-information - pointer. Example 'peter.powerdns.com peter.people.powerdns.com', to indicate that peter@powerdns.com is responsible and that more - information about peter is available by querying the TXT record of peter.people.powerdns.com. - - - - - RRSIG (since 2.9.21) - - - The RRSIG DNSSEC record type is fully supported, as described in RFC 3757. Before 3.0 PowerDNS didn't do any DNSSEC prcessing, since 3.0 PowerDNS - is able to fully process DNSSEC. 
This can be done with pdnssec. - - - - - SOA - - - The Start of Authority record is one of the most complex available. It specifies a lot about a domain: the name - of the master nameserver ('the primary'), the hostmaster and a set of numbers indicating how the data in this domain - expires and how often it needs to be checked. Further more, it contains a serial number which should rise on each change - of the domain. - - - The stored format is: - - primary hostmaster serial refresh retry expire default_ttl - - Besides the primary and the hostmaster, all fields are numerical. PDNS has a set of default values: - - SOA fields - - - - primarydefault-soa-name configuration option - - - hostmasterhostmaster@domain-name - - - serial0 - - - refresh10800 (3 hours) - - - retry3600 (1 hour) - - - expire604800 (1 week) - - - default_ttl3600 (1 hour) - - - -
-
- - The fields have complicated and sometimes controversial meanings. The 'serial' field is special. If left at 0, the default, - PDNS will perform an internal list of the domain to determine highest change_date field of all records within the zone, and use - that as the zone serial number. This means that the serial number is always raised when changes are made to the zone, as long - as the change_date field is being set. Make sure to check whether your backend of choice supports Autoserial. - -
-
- - SPF (since 2.9.21) - - - SPF records can be used to store Sender Policy Framework details (RFC 4408). - - - - - SSHFP (since 2.9.21) - - - The SSHFP record type, used for storing Secure Shell (SSH) fingerprints, is fully supported. A sample from RFC 4255 is: - '2 1 123456789abcdef67890123456789abcdef67890'. - - - - - SRV - - - SRV records can be used to encode the location and port of services on a domain name. When encoding, the priority field - is used to encode the priority. For example, '_ldap._tcp.dc._msdcs.conaxis.ch SRV 0 100 389 mars.conaxis.ch' would be - encoded with 0 in the priority field and '100 389 mars.conaxis.ch' in the content field. - - - - - TXT - - - The TXT field can be used to attach textual data to a domain. Text is stored plainly. - - - -
-
-
- HOWTO & Frequently Asked Questions - - This chapter contains a number of FAQs and HOWTOs. - - Getting support, free and paid FAQ - - PowerDNS is an open source program so you may get help from the PowerDNS users' community or from its authors. - You may also help others (please do). - - - The PowerDNS company provides free support on the public mailing lists, and can help or support you in private as well. - For first class and rapid support, please contact powerdns-support@netherlabs.nl, or see www.powerdns.com - - - More information about the PowerDNS community, and its mailing lists, can be found on its Wiki. - On the wiki, you will also find information on how to file bugs. - - - Below, please find a list of common questions asked on our public mailing lists. - - - - Q: Help! - - - A: Please try harder :-) Specifically, before people will be able to help you, they need to know a lot about your system. If you - list more details, chances are you'll get better answers. - - - - - Q: I have a question, what details should I supply? - - - A: Start out with stating what you think should be happening. Quite often, wrong expectations are the actual problem. - Furthermore, which database backend you use, your operating system, which version of PowerDNS you use and where you - got it from (RPM, .DEB, tar.bz2). If you compiled it yourself, what were the ./configure parameters. - - - If at *all* possible, supply the actual name of your domain and the IP address of your server(s). - - - - - - Q: Where should I send my question? - - - A: To a mailing list. Please email the authors directly only if you previously entered a support contract with them, or - are considering doing so. - For mailing list details, see the mailing lists page. - - - Questions about using PowerDNS should be sent to the pdns-users list, questions about compiler errors or feature requests - to pdns-dev. - - - Before posting, read all FAQs. 
- - - - - Q: My information is confidential, must I send it to the mailing list? - - - If you desire privacy, please consider entering a support relationship with us, - in which case we invite you to contact powerdns.support.sales@netherlabs.eu. - - - - - - Using and Compiling PowerDNS FAQ - - In the course of compiling and using PowerDNS, many questions may arise. Here are some we've heard earlier or questions - we expect people may have. Please read this list before mailing us! - - - If you don't see your question answered here, please check out - the Wiki FAQ, but do note that it is user-editable and not under our constant control. - - - - - Q: I get this entry a lot of times in my log file: Authoritative empty NO ERROR to 192.0.2.4 for 'powerdns.nl' (AAAA).. - - - As the name implies, this is not an error. It tells you there are questions for a domain which exists in your database, but for - which no record of the requested type exists. To get rid of this error, add log-dns-details=off to your - configuration. - - - - - Q: Can I launch multiple backends simultaneously? - - - A: You can. This might for example be useful to keep an existing BIND configuration around but to store new zones in, say - MySQL. The syntax to use is 'launch=bind,gmysql'. - - - - - Q: PowerDNS does not give authoritative answers, how come? - - - A: This is almost always not the case. An authoritative answer is recognized by the 'AA' bit being set. Many tools - prominently print the number of Authority records included in an answer, leading users to conclude that the - absence or presence of these records indicates the authority of an answer. This is not the case. - - - Verily, many misguided country code domain operators have fallen into this trap and demand authority records, even though - these are fluff and quite often misleading. Invite such operators to look at section 6.2.1 of RFC 1034, which shows a correct - authoritative answer without authority records. 
In fact, none of the non-deprecated authoritative answers shown have authority - records! - - - Sorry for sounding like DJB on this, but we get so many misguided questions about authority.. - - - - - - Q: Which backend should I use? There are so many! - - - A: If you have no external constraints, the Generic MySQL (gmysql) and Generic PostgreSQL (gpgsql) ones are probably the - most used and complete. - - - The Oracle backend also has happy users, we know of no deployments of the DB2 backend. The BIND backend is pretty capable - too in fact, but many prefer a relational database. - - - - - Q: I'm trying to build from Git but I get lots of weird errors! - - - A: Read the 'README' file, it lists the build requirements (mostly autoconf, automake, libtool). In many cases, - it may be easier to build from the source distribution though. More information for developers - is available on the PowerDNS Open Source Community Wiki. - - - - - Q: When compiling I get errors about 'sstream' and 'ostringstream', or BITSPERCHAR - - - A: Your gcc is too old. Versions 2.95.2 and older are not supported. Many distributions have improved gcc 2.95.2 - with an ostringstream implementation, in which case their 2.95.2 is also supported. - - - - - Q: PowerDNS crashes when I install the pdns-static .deb on Debian SID - - - A: Indeed. Install the .deb files that come with Debian or recompile PowerDNS yourself. If not using MySQL, the crashes - will go away if you remove setuid and setgid statements from the configuration. - - - - - Q: Why don't my slaves act on notifications and transfer my updated zone? - - - A: Raise the serial number of your zone. In most backends, this is the first digit of the SOA contents field. If this number - is lower to equal to that on a slave, it will not consider your zone updated. - - - - - Q: Master or Slave support is not working, PDNS is not picking up changes - - - A: The Master/Slave apparatus is off by default. 
Turn it on by adding a slave and/or - master statement to the configuration file. Also, check that the configured backend is master or slave capable. - - - - - Q: My masters won't allow PowerDNS to access zones as it is using the wrong local IP address - - - A: Mark Bergsma contributed the query-local-address setting to tell PowerDNS which local IP address to use. - - - - - Q: I compiled PowerDNS myself and I see weird problems, especially on SMP - - - A: There are known issues between gcc <3.2 and PowerDNS on Linux SMP systems. The exact cause is not known but - moving to our precompiled version always fixes the problems. If you compile yourself, use a recent gcc! - - - - - Q: I see this a lot: Backend error: Failed to execute mysql_query, perhaps connection died? - - - A: Check your MySQL timeout, it may be set too low. This can be changed in the my.cnf file. - - - - - Q: PowerDNS does not answer queries on all my IP addresses and I've ignored the warning I got about that at startup - - - A: Please don't ignore what PowerDNS says to you. Furthermore, read about the local-address - setting, and use it to specify which IP addresses PowerDNS should listen on. - - - - - Q: Can I use a MySQL database with the Windows version of PowerDNS? - - - A: You can. MySQL support is supplied through the ODBC backend, which is compiled into the main binary. - So if you want to use MySQL you can change the pdns.conf file, which is located in the PowerDNS for Windows directory, to use the - correct ODBC data sources. - - If you don't know how to use ODBC with MySQL: - - - Download MyODBC from http://www.mysql.com/ - - - Install the MySQL ODBC driver. - - - Then you can follow the instructions located in . - But instead of selecting the Microsoft Access Driver you select the MySQL ODBC Driver and configure it to use your MySQL database. - - For other databases for which an ODBC driver is available, the procedure is the same as this example. 
- - - - - - - Backend developer HOWTO - - Writing backends without access to the full PDNS source means that you need to write code that can be loaded by PDNS at runtime. - This in turn means that you need to use the same compiler that we do. - - - Furthermore, your pdns_server executable must be dynamically linked. The default .rpm PDNS contains a static binary so you need to retrieve the - dynamic rpm or the dynamic tar.gz or the Debian unstable ('Woody') deb. FreeBSD dynamic releases are forthcoming. - - - - Q: Will PDNS drivers work with other PDNS versions than they were compiled for? - - - A: 'Probably'. We make no guarantees. Efforts have been made to keep the interface between the backend and PDNS as thin - as possible. For example, a backend compiled with the 1.99.11 backend development kit works with 1.99.10. But don't count on it. - We will notify when we think an incompatible API change has occurred but you are best off recompiling your driver for each - new PDNS release. - - - - - Q: What is in that DNSPacket * pointer passed to lookup! - - - A: For reasons outlined above, you should treat that pointer as opaque and only access it via the getRemote() - functions made available and documented above. The DNSPacket class changes a lot and this level of indirection allows for greater - changes to be made without changing the API to the backend coder. - - - - - Q: How is the PowerDNS Open Source Backend Development Kit licensed? - - - A: MIT X11, a very liberal license permitting basically everything. - - - - - Q: Can I release the backend I wrote? - - - A: Please do! If you tell us about it we will list you on our page. - - - - - Q: Can I sell backends I wrote? - - - A: You can. Again, if you tell us about them we will list your backend on the site. You can keep the source of your backend - secret if you want, or you can share it with the world under any license of your choosing. - - - - - Q: Will PowerDNS use my code in the PDNS distribution? 
- - - A: If your license permits it and we like your backend, we sure will. If your license does not permit it but we like your - backend anyway we may contact you. - - - - - Q: My backend compiles but when I try to load it, it says 'undefined symbol: BackendMakers__Fv' - - - A: You compiled with the wrong GCC. Use GCC 3.x for Linux, 2.95.x for FreeBSD. You may want to change g++ to g++-3.0 in the Makefile, - or change your path so that 3.x is used. - - - - - Q: I downloaded a dynamic copy of pdns_server but it doesn't run, even without my backend - - - A: Run 'ldd' on the pdns_server binary and figure out what libraries you are missing. Most likely you need to install gcc 3.0 libraries, - RedHat 7.1 and 7.2 have packages available, Debian installs these by default if you use the 'unstable deb' of PDNS. - - - - - Q: I need a backend but I can't write it, can you help? - - - A: Yes, we also do custom development. Contact us at powerdns.support.sales@netherlabs.eu, or visit - www.powerdns.com - - - - - - - About PowerDNS.COM BV, 'the company' - - As of 25 November 2002, the PowerDNS nameserver and its modules are open source. This has led to a lot of questions on the future - of both PowerDNS, the company and the products. This FAQ attempts to address these questions. - - - - - Q: Is PowerDNS 2.9 really open source? What license? - - - A: PowerDNS 2.9 is licensed under the GNU General Public License version two, the same license that covers the Linux kernel. - - - - - Q: Is the open source version crippled? - - - A: It is not. Not a single byte has been omitted. - - - - - Q: Is the nameserver abandoned? - - - A: Far from it. In fact, we expect development to speed up now that we have joined the open source community. - - - - - Q: Can I buy support contracts for PowerDNS? - - - Sure, to do so, please contact us at sales@powerdns.com - - - - - Q: Will you accept patches? 
We've added a feature - - - Probably - in general, it is best to discuss your intentions and needs on the pdns-dev@mailman.powerdns.com (subscribe) - mailing list - before doing the work. We may have suggestions or guidelines on how you should implement the feature. - - - - - Q: PowerDNS doesn't work on my platform, will you port it? - Q: PowerDNS doesn't have feature I need, will you add it? - - - Be sure to ask on the pdns-dev@mailman.powerdns.com (subscribe) mailing list. You can even hire us to do work on PowerDNS - if plain asking is not persuasive enough. This might be the case if we don't currently have time for your feature, but you - need it quickly anyhow, and are not in a position to submit a patch implementing it. - - - - - Q: Will PowerDNS Express be open sourced? - - - Perhaps, we're not yet sure. - - - - - - Q: We are a Linux/Unix vendor, can we include PowerDNS? - - - A: Please do. In fact, we'd be very happy to work with you to make this happen. Contact ahu@ds9a.nl - if you have specific upstream needs. - - - - - - - - Other tools included with PowerDNS - - PowerDNS comes with several tools that can be used to do various DNS related things. - - Notification proxy (nproxy) - - Available in PowerDNS 2.9.22 and later. - - - For additional security, operators may prefer to have a 'hidden slave' that sits behind a strong firewall. This slave pulls - in zones from the outside world, and stores them in a database. This database is then used by publicly accessible nameservers - to publish zone data. - - - For proper slave operation, master nameservers send out notifications to inform slaves of updates. This is not normally a problem, - but when operating with a hidden slave behind a firewall, notification packets can't reach the slave. - - - For this purpose, the PowerDNS also supplies a notification proxy. It sits outside the firewall, and accepts notifications from - remote master servers. 
It interprets and validates these packets, and then sends on a new notification to the hidden slave. - - - The hidden slave then promptly retrieves an updated zone from the master. - - - The notification proxy, called nproxy, can be configured using the following settings: - - - - - chroot - - - Change root to this directory for additional security. - - - - - daemon - - - Run in the background. Defaults to true, can be turned off using '--daemon=no'. - - - - - listen-address - - - Public addresses (IPv4 and IPv6) to listen on for incoming notification packets. Defaults to "all addresses", but it is highly recommended to specify - addresses here. - - - - - origin-address - - - Can be used to pin the address the nproxy uses to communicate with the hidden slave. Highly recommended. Corresponds to the PowerDNS setting - trusted-notification-proxy. - - - - - powerdns-address - - - IP address (IPv4 or IPv6) of the hidden slave, to which notifications should be relayed. This setting is mandatory, and has no default. - - - - - setuid and setgid - - - Change to these numerical user-id and/or group-id, dropping root privileges, for additional security. - - - - - - - - Tools to analyse DNS traffic - - DNS is highly mission critical, it is therefore necessary to be able to study and compare DNS traffic. Since version 2.9.18, PowerDNS comes - with various tools to aid in analysis. These tools are best documented by their manpages, and their --help output. - - - dnsreplay pcapfile [ipaddress] [port number] - - - This program takes recorded questions and answers and replays them to a specified nameserver and reporting afterwards - which percentage of answers matched, were worse or better. 
- - - - - dnswasher pcapfile output - - - Anonymises recorded traffic, making sure it only contains DNS, and that the originating IP addresses of queries are stripped, which may - allow you to send traces to our company or mailing list without violating obligations towards your customers or privacy laws. - - - - - dnsscope pcapfile - - - Calculates statistics without replaying traffic. - - - - - dnsbulktest - - - Send out thousands of queries in parallel from Alexa top list to stress out resolvers. - - - - - dnsdist - - - Simple but high performance UDP and TCP DNS load balancer/distributor. - - - - - - dnstcpbench - - - Stress out DNS servers with TCP based queries, as read from a file. - - - - - - - PowerDNS Metrics, and how to display them - - - Available in releases after PowerDNS Authoritative Server 3.3.1 and PowerDNS Recursor 3.5.3. - - - - Both PowerDNS daemons generate ample metrics which can be used to monitor performance. These metrics - can be polled using the rec_control and pdns_control commands, and they are also available via the http-based API. - Finally, they can be pushed to a Carbon/Graphite server, either native carbon, or our own Metronome implementation. - - - For carbon/graphite/metronome, we use the following namespace. Everything starts with 'pdns.', which is then followed - by the local hostname. Thirdly, we add either 'auth' or 'recursor' to siginify the daemon generating the metrics. - This is then rounded off with the actual name of the metric. As an example: 'pdns.ns1.recursor.questions'. - - - Care has been taken to make the sending of statistics as unobtrusive as possible, the daemons will not be - hindered by an unreachable carbon server, timeouts or connection refused situations. - - - To benefit from our carbon/graphite support, either install Graphite, or use our own lightweight - statistics daemon, Metronome, currently available on GitHub. 
- - - Secondly, set carbon-server, possibly carbon-interval, possibly carbon-ourname in the configuration. - - - - - Backends in detail - - This appendix lists several of the available backends in more detail - - - - PipeBackend - - - PipeBackend capabilities - - - NativeYes - MasterNo - SlaveNo - SuperslaveNo - AutoserialNo - CaseDepends - DNSSECPartial, no delegation, no key storage - Disabled dataNo - CommentsNo - Module namepipe - Launch namepipe - - -
-
- - The PipeBackend allows for easy dynamic resolution based on a 'Coprocess' which can be written in any - programming language that can read a question on standard input and answer on standard output. - - - To configure, the following settings are available: - - - pipe-command - - - Command to launch as backend. Mandatory. - - - Or the path to a unix domain socket file. The socket should already be open and listening before pdns starts. - Available since version 3.3. - - - - - pipe-timeout - - - Number of milliseconds to wait for an answer from the backend. If this time is ever exceeded, the backend - is declared dead and a new process is spawned. Available since version 2.7. - - - - - pipe-regex - - - If set, only questions matching this regular expression are even sent to the backend. This makes sure that - most of PowerDNS does not slow down if you you deploy a slow backend. A query for the A record of 'www.powerdns.com' - would be presented to the regex as 'www.powerdns.com;A'. A matching regex would be '^www.powerdns.com;.*$'. - - - To match only ANY and A queries for www.powerdns.com, use '^www.powerdns.com;(A|ANY)$'. Please be aware that the - single quotes used in this document should not be present in the configuration file, and only on the command line. - In the configuration file, the previous example would be stored as: pipe-regex=^www.powerdns.com;(A|ANY)$ - - - Available since version 2.8. - - - - - pipebackend-abi-version - - - This is the version of the question format that is sent to the co-process (pipe-command) for the pipe backend. - - - If not set the default pipebackend-abi-version is 1. When set to 2, the local-ip-address field is added - after the remote-ip-address. (the local-ip-address refers to the IP address the question was received on). When - set to 3, the real remote IP/subnet is added based on edns-subnet support (this also requires enabling 'edns-subnet-processing'). - When set to 4 it sends zone name in AXFR request. 
- - - - - - - PipeBackend protocol - - Questions come in over a file descriptor, by default standard input. Answers - are sent out over another file descriptor, standard output by default. Questions - and answers are terminated by single newline ('\n') characters. - - - Handshake - - PowerDNS sends out 'HELO\t1', indicating that it wants to speak the - protocol as defined in this document, version 1. For abi-version 2 or 3, PowerDNS - sends 'HELO\t2' or 'HELO\t3'. - - A PowerDNS Coprocess must then send out a banner, prefixed by 'OK\t', - indicating it launched successfully. If it does not support the indicated - version, it should respond with FAIL, but not exit. Suggested behaviour is - to try and read a further line, and wait to be terminated. - - Questions - - Questions come in three forms and are prefixed by a tag indicating the type: - - - Q - - - Regular queries - - - - - AXFR - - - List requests, which mean that an entire zone should be listed - - - - - PING - - - Check if the coprocess is functioning - - - - - - -The question format, for type Q questions: - - - -pipebackend-abi-version = 1 [default] - -Q qname qclass qtype id remote-ip-address - - - -pipebackend-abi-version = 2 - -Q qname qclass qtype id remote-ip-address local-ip-address - - - - -pipebackend-abi-version = 3 - -Q qname qclass qtype id remote-ip-address local-ip-address edns-subnet-address - - - - -Fields are tab separated, and terminated with a single \n. The remote-ip-address is the IP address -of the nameserver asking the question; the local-ip-address is the IP address on which the question -was received. - - - -Type is the tag above, qname is the domain the question is about. qclass is -always 'IN' currently, denoting an INternet question. qtype is the kind of -information desired, the record type, like A, CNAME or AAAA. id can be -specified to help your backend find an answer if the id is already known -from an earlier query. You can ignore it unless you want to support AXFR. 
- - - -remote-ip-address is the ip-address of the nameserver asking the question. -local-ip-address is the ip-address that was queried locally. edns-subnet-address -is the actual client subnet as provided via edns-subnet support. Note that for the SOA -query that precedes an AXFR, edns-subnet is always set to 0.0.0.0/0. - -Queries for wildcard names should be answered literally, without expansion. So, - if a backend gets a question for "*.powerdns.com", it should only answer with data if there is - an actual "*.powerdns.com" name - -AXFR-queries look like this: - -AXFR id zoneName - -The id is gathered from the answer to a SOA query. ZoneName is given in ABI version 4. - - - - Answers - - - Each answer starts with a tag, possibly followed by a TAB and more data. - - - DATA - - - Indicating a successful line of DATA. - - - - - END - - - Indicating the end of an answer - no further data. - - - - - FAIL - - - Indicating a lookup failure. Also serves as 'END'. No further data. - - - - - LOG - - - For specifying things that should be logged. Can only be sent after - a query and before an END line. After the tab, the message to be - logged. - - - - - - - - So, letting it be known that there is no data consists of sending 'END' - without anything else. - - -The answer format (for abi-version 1 and 2): - -DATA qname qclass qtype ttl id content - - -'content' is as specified in . For MX and SRV, content consists of the priority, followed by a tab, followed by the actual content. 
- - -A sample dialogue may look like this (note that in reality, -almost all queries will actually be for the ANY qtype): - -Q www.example.org IN CNAME -1 203.0.113.210 -DATA www.example.org IN CNAME 3600 1 ws1.example.org -END -Q ws1.example.org IN CNAME -1 203.0.113.210 -END -Q wd1.example.org IN A -1 203.0.113.210 -DATA ws1.example.org IN A 3600 1 192.0.2.4 -DATA ws1.example.org IN A 3600 1 192.0.2.5 -DATA ws1.example.org IN A 3600 1 192.0.2.6 -END - - -This would correspond to a remote webserver 203.0.113.210 wanting to -resolve the IP address of www.example.org, and PowerDNS traversing the CNAMEs to -find the IP addresses of ws1.example.org - -Another dialogue might be: - -Q example.org IN SOA -1 203.0.113.210 -DATA example.org IN SOA 86400 1 ahu.example.org ... -END -AXFR 1 -DATA example.org IN SOA 86400 1 ahu.example.org ... -DATA example.org IN NS 86400 1 ns1.example.org -DATA example.org IN NS 86400 1 ns2.example.org -DATA ns1.example.org IN A 86400 1 203.0.113.210 -DATA ns2.example.org IN A 86400 1 63.123.33.135 -. -. -END - - -This is a typical zone transfer. - - - For abi-version 3, DATA-responses get two extra fields: - -DATA scopebits auth qname qclass qtype ttl id content - - -scopebits indicates how many bits from the subnet provided in the question -(originally from edns-subnet) were used in determining this answer. This can -aid caching (although PowerDNS does not currently use this value). The auth -field indicates whether this response is authoritative; this is for DNSSEC. -In the auth field, use 0 for non-authoritative or 1 for authoritative. - - -For api-versions 1 and 2, the two new fields fall back to default values. -The default value for scopebits is 0. The default for auth is 1 (meaning -authoritative). - - - - Sample perl backend - - - - Notes - - Besides regular query types, the DNS also knows the 'ANY' query type. When a server receives - a question for this ANY type, it should reply with all record types available. 
- - - Backends should therefore implement being able to answer 'ANY' queries in this way, and supply all - record types they have when they receive such an 'ANY' query. This is reflected in the sample script above, - which for every qtype answers if the type matches, or if the query is for 'ANY'. - - - However, since backends need to implement the ANY query anyhow, PowerDNS makes use of this. Since almost all - DNS queries internally need to be translated first into a CNAME query and then into the actual query, possibly - followed by a SOA or NS query (this is how DNS works internally), it makes sense for PowerDNS to speed this up, - and just ask the ANY query of a backend. - - - When it has done so, it gets the data about SOA, CNAME and NS records in one go. This speeds things up tremendously. - - - The upshot of the above is that for any backend, including the PIPE backend, implementing the ANY query is NOT optional. - And in fact, a backend may see almost exclusively ANY queries. This is not a bug. - - -
- Random Backend - - - Random Backend capabilities - - - NativeYes - MasterNo - SlaveNo - SuperslaveNo - AutoserialNo - CaseDepends - DNSSECYes, no key storage - Disabled dataNo - CommentsNo - Module namebuilt in - Launch namerandom - - -
-
- - This is a very silly backend which is discussed in as a demonstration on - how to write a PowerDNS backend. - - - This backend knows about only one hostname, and only about its IP address at that. With every query, - a new random IP address is generated. - - - It only makes sense to load the random backend in combination with a regular backend. This can be done by prepending - it to the launch= instruction, such as launch=random,gmysql. - - - Variables: - - - - - random-hostname - - - Hostname for which to supply a random IP address. - - - - - -
- - Generic MySQL and PgSQL backends - - - Generic PgSQL and MySQL backend capabilities - - - NativeYes - MasterYes - SlaveYes - SuperslaveYes - AutoserialYes (v3.1 and up) - CaseAll lower - DNSSECYes (set gmysql-dnssec or gpgsql-dnssec) - Disabled dataYes (v3.4.0 and up) - CommentsYes (v3.4.0 and up) - Module name < 2.9.3pgmysql - Module name > 2.9.2gmysql and gpgsql - Launch namegmysql and gpgsql2 and gpgsql - - -
-
- - PostgreSQL and MySQL backend with easily configurable SQL statements, allowing you to graft PDNS on any PostgreSQL or MySQL database of your choosing. - Because all database schemas will be different, a generic backend is needed to cover all needs. - - Host names and the MNAME of a SOA records are NEVER terminated with a '.' in PowerDNS storage! If a trailing '.' is present - it will inevitably cause problems, problems that may be hard to debug. - - The template queries are expanded using the C function 'snprintf' which implies that substitutions are performed on the basis of %-place holders. - To place a % in a query which will not be substituted, use %%. Make sure to fill out the search key, often called 'name' in lower case! - - - There are in fact two backends, one for PostgreSQL and one for MySQL but they accept the same settings and use almost exactly the same database schema. - - MySQL specifics - - - - If using MySQL with 'slave' support enabled in PowerDNS you must run MySQL with a table engine that supports transactions. - - - - - In practice, great results are achieved with the 'InnoDB' tables. PowerDNS will silently function with non-transaction aware MySQLs but at one point - this is going to harm your database, for example when an incoming zone transfer fails. - - - The default setup conforms to the following schema: - - - - Zone2sql with the --gmysql flag also assumes this layout is in place. - - - For full migration notes, please see . - - - - This schema contains all elements needed for master, slave and superslave operation. 
- - - When using the InnoDB storage engine, we suggest adding the following lines to the 'create table records' command above: - -CONSTRAINT `records_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains` -(`id`) ON DELETE CASCADE - - Or, if you have already created the tables, execute: - -ALTER TABLE `records` ADD CONSTRAINT `records_ibfk_1` FOREIGN KEY (`domain_id`) -REFERENCES `domains` (`id`) ON DELETE CASCADE; - - - - This automates deletion of records on deletion of a domain from the domains table. - - - PostgreSQL specifics - - The default setup conforms to the following schema, which you should add to a PostgreSQL database. - - - - Zone2sql with the --gpgsql flag also assumes this layout is in place. - - - This schema contains all elements needed for master, slave and superslave operation. - - - For full migration notes, please see . - - - - With PostgreSQL, you may have to run 'createdb powerdns' first and then connect to that database with 'psql powerdns', and - feed it the schema above. - - - Oracle specifics - - Generic Oracle support is only available since version 2.9.18. - The default setup conforms to the following schema, which you should add to an Oracle database. You may need or want to add 'namespace' statements. - - - - This schema contains all elements needed for master, slave and superslave operation. - - - Inserting records is a bit different compared to MySQL and PostgreSQL, you should use: - -insert into domains (id,name,type) values (domains_id_sequence.nextval,'example.net','NATIVE'); - - - - Furthermore, use the goracle-tnsname setting to specify which TNSNAME the Generic Oracle Backend - should be connecting to. There are no goracle-dbname, goracle-host or - goracle-port settings, their equivalent is in /etc/tnsnames.ora. - - - - Basic functionality - - 4 queries are needed for regular lookups, 4 for 'fancy records' which are disabled by default and 1 is needed for zone transfers. 
- - The 4+4 regular queries must return the following 6 fields, in this exact order: - - - content - - - This is the 'right hand side' of a DNS record. For an A record, this is the IP address for example. - - - - - ttl - - - TTL of this record, in seconds. Must be a real value, no checking is performed. - - - - - prio - - - For MX records, this should be the priority of the mail exchanger specified. - - - - - qtype - - - The ASCII representation of the qtype of this record. Examples are 'A', 'MX', 'SOA', 'AAAA'. Make sure that this - field returns an exact answer - PDNS won't recognise 'A ' as 'A'. This can be achieved by using a VARCHAR instead - of a CHAR. - - - - - - domain_id - - - Each domain must have a unique domain_id. No two domains may share a domain_id, all records in a domain should have the same. A number. - - - - - name - - - Actual name of a record. Must not end in a '.' and be fully qualified - it is not relative to the name of the domain! - - - - - disabled - - - If set to true, this record is hidden from DNS clients, but can still be modified from the REST API. See . (Available since version 3.4.0.) - - - - - Please note that the names of the fields are not relevant, but the order is! - - - As said earlier, there are 8 SQL queries for regular lookups. To configure them, set 'gmysql-basic-query' or 'gpgsql-basic-query', depending on your - choice of backend. If so called 'MBOXFW' fancy records are not used, four queries remain: - - - basic-query - - - Default: select content,ttl,prio,type,domain_id,name from records where type='%s' and name='%s' - This is the most used query, needed for doing 1:1 lookups of qtype/name values. First %s is replaced by the ASCII representation - of the qtype of the question, the second by the name. - - - - - id-query - - - Default: select content,ttl,prio,type,domain_id,name from records where type='%s' and name='%s' and domain_id=%d - Used for doing lookups within a domain. 
First %s is replaced by the qtype, the %d which should appear after the %s by the numeric - domain_id. - - - - - - any-query - - - For doing ANY queries. Also used internally. - Default: select content,ttl,prio,type,domain_id,name from records where name='%s' - The %s is replaced by the qname of the question. - - - - - any-id-query - - - For doing ANY queries within a domain. Also used internally. - Default: select content,ttl,prio,type,domain_id,name from records where name='%s' and domain_id=%d - The %s is replaced by the name of the domain, the %d by the numerical domain id. - - - - - - - The last query is for listing the entire contents of a zone. This is needed when performing a zone transfer, but sometimes also internally: - - - list-query - - - To list an entire zone. - Default: select content,ttl,prio,type,domain_id,name from records where domain_id=%d - - - - - - - DNSSEC queries - - If DNSSEC is enabled (through the -dnssec flag on a gsql backend), many queries are replaced by slightly - extended variants that also query the auth column. The auth column is always added as the rightmost column. These are the -auth defaults: - - basic-query-authBasic query. Default: select content,ttl,prio,type,domain_id,name, auth from records where type='%s' and name='%s' - id-query-authBasic with ID query. Default: select content,ttl,prio,type,domain_id,name, auth from records where type='%s' and name='%s' and domain_id=%d - wildcard-query-authWildcard query. Default: select content,ttl,prio,type,domain_id,name, auth from records where type='%s' and name like '%s' - wildcard-id-query-authWildcard with ID query. Default: select content,ttl,prio,type,domain_id,name, auth from records where type='%s' and name like '%s' and domain_id='%d' - any-query-authAny query. Default: select content,ttl,prio,type,domain_id,name, auth from records where name='%s' - any-id-query-authAny with ID query. 
Default: select content,ttl,prio,type,domain_id,name, auth from records where name='%s' and domain_id=%d - wildcard-any-query-authWildcard ANY query. Default: select content,ttl,prio,type,domain_id,name, auth from records where name like '%s' - wildcard-any-id-query-authWildcard ANY with ID query. Default: select content,ttl,prio,type,domain_id,name, auth from records where name like '%s' and domain_id='%d' - list-query-authAXFR query. Default: select content,ttl,prio,type,domain_id,name, auth from records where domain_id='%d' order by name, type - - Additionally, there are some new queries to determine NSEC(3) order: - - get-order-first-queryDNSSEC Ordering Query, first. Default: select ordername, name from records where domain_id=%d and ordername is not null order by 1 asc limit 1 - get-order-before-queryDNSSEC Ordering Query, before. Default: select ordername, name from records where ordername <= '%s' and domain_id=%d and ordername is not null order by 1 desc limit 1 - get-order-after-queryDNSSEC Ordering Query, after. Default: select min(ordername) from records where ordername > '%s' and domain_id=%d and ordername is not null - get-order-last-queryDNSSEC Ordering Query, last. Default: select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 desc limit 1 - - - Finally, these two queries are used to set ordername and auth correctly in a database: - - set-order-and-auth-queryDNSSEC set ordering query. Default: update records set ordername='%s',auth=%d where name='%s' and domain_id='%d' - nullify-ordername-and-auth-queryDNSSEC nullify ordername query. Default: update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d' - - - Make sure to read if you wish to calculate ordername and auth without - using pdns-rectify. 
- - - Master/slave queries - - Most installations will have zero need to change the following settings, but should the need arise, here they are: - - - master-zone-query - - - Called to determine the master of a zone. - Default: select master from domains where name='%s' and type='SLAVE' - - - - - info-zone-query - - - Called to retrieve (nearly) all information for a domain: - Default: select id,name,master,last_check,notified_serial,type from domains where name='%s' - - - - - info-all-slaves-query - - - Called to retrieve all slave domains - Default: select id,name,master,last_check,type from domains where type='SLAVE' - - - - - supermaster-query - - - Called to determine if a certain host is a supermaster for a certain domain name. - Default: - select account from supermasters where ip='%s' and nameserver='%s'; - - - - - - insert-slave-query - - - Called to add a domain as slave after a supermaster notification. - Default: - insert into domains (type,name,master,account) values('SLAVE','%s','%s','%s') - - - - - - insert-record-query - - - Called during incoming AXFR. - Default: - insert into records (content,ttl,prio,type,domain_id,name) values ('%s',%d,%d,'%s',%d,'%s') - - - - - - update-serial-query - - - Called to update the last notified serial of a master domain. - Default: - update domains set notified_serial=%d where id=%d - - - - - - update-lastcheck-query - - - Called to update the last time a slave domain was checked for freshness. - Default: - update domains set last_check=%d where id=%d - - - - - - info-all-master-query - - - Called to get data on all domains for which the server is master. - Default: - select id,name,master,last_check,notified_serial,type from domains where type='MASTER' - - - - - - delete-zone-query - - - Called to delete all records of a zone. Used before an incoming AXFR. - Default: - delete from records where domain_id=%d - - - - - - - - Comments queries - - For listing/modifying comments. 
For defaults, please see pdns_server --load=BACKEND --config. - - - list-comments-query - - - Called to get all comments in a zone. - Returns fields: domain_id, name, type, modified_at, account, comment. - - - - - insert-comment-query - - - Called to create a single comment for a specific RRSet. - Given fields: domain_id, name, type, modified_at, account, comment - - - - - delete-comment-rrset-query - - - Called to delete all comments for a specific RRset. - Given fields: domain_id, name, type - - - - - delete-comments-query - - - Called to delete all comments for a zone. Usually called before deleting the entire zone. - Given fields: domain_id - - - - - - - Fancy records - Fancy records are unsupported as of version 3.0 - - If PDNS is used with so called 'Fancy Records', the 'MBOXFW' record exists which specifies an email address forwarding instruction, - wildcard queries are sometimes needed. This is not enabled by default. A wildcard query is - an internal concept - it has no relation to *.domain-type lookups. You can safely leave these queries blank. - - - wildcard-query - - - Can be left blank. See above for an explanation. - Default: select content,ttl,prio,type,domain_id,name from records where type='%s' and name like '%s' - - - - - wildcard-id-query - - - Can be left blank. See above for an explanation. - Default: select content,ttl,prio,type,domain_id,name from records where type='%s' and name like '%s' and domain_id=%d - Used for doing lookups within a domain. - - - - - wildcard-any-query - - - For doing wildcard ANY queries. - Default: select content,ttl,prio,type,domain_id,name from records where name like '%s' - - - - - wildcard-any-id-query - - - For doing wildcard ANY queries within a domain. - Default: select content,ttl,prio,type,domain_id,name from records where name like '%s' and domain_id=%d - - - - - - - - Settings and specifying queries - - The queries above are specified in pdns.conf. 
For example, the basic-query would appear as: - - gpgsql-basic-query=select content,ttl,prio,type,domain_id,name from records where type='%s' and name='%s' - - When using the Generic PostgreSQL backend, they appear as above. When using the generic MySQL backend, change the - "gpgsql-" prefix to "gmysql-". - - - Queries can span multiple lines, like this: - - gpgsql-basic-query=select content,ttl,prio,type,domain_id,name from records \ - where type='%s' and name='%s' - - Do not wrap statements in quotes as this will not work. - Besides the query related settings, the following configuration - options are available, where one should substitute 'gmysql', - 'gpgsql', or 'goracle' for the prefix 'backend'. So - 'backend-dbname' can stand for 'gpgsql-dbname' or 'gmysql-dbname' - etc. - - - - - backend-dbname - - - Database name to connect to - - - - - backend-host - - - Database host to connect to. WARNING: When specified as a hostname a chicken/egg situation might arise where the database - is needed to resolve the IP address of the database. It is best to supply an IP address of the database here. - - - Only for postgres: - - - If host begins with a slash, it specifies Unix-domain communication rather than TCP/IP communication; the value is the name - of the directory in which the socket file is stored. - - - - - backend-port - - - Database port to connect to. - - - - - gmysql-socket (only for MySQL!) - - - File name where the MySQL connection socket resides. Often /tmp/mysql.sock or /var/run/mysqld/mysqld.sock. - - - - - backend-password - - - Password to connect with - - - - - backend-user - - - User to connect as - - - - - backend-group (MySQL only, since 3.2) - - - MySQL 'group' to connect as, defaults to 'client'. 
- - - - - - - Native operation - - To add a domain, issue the following: - - insert into domains (name,type) values ('powerdns.com','NATIVE'); - - The records table can now be filled by with the domain_id set to the id of the domains table row just inserted. - - - Slave operation - - These backends are fully slave capable. To become a slave of the 'powerdns.com' domain, execute this: - - insert into domains (name,master,type) values ('powerdns.com','213.244.168.217','SLAVE'); - - And wait a while for PDNS to pick up the addition - which happens within one minute. There is no need to inform PDNS that a new domain - was added. - Typical output is: - - Apr 09 13:34:29 All slave domains are fresh - Apr 09 13:35:29 1 slave domain needs checking - Apr 09 13:35:29 Domain powerdns.com is stale, master serial 1, our serial 0 - Apr 09 13:35:30 [gPgSQLBackend] Connected to database - Apr 09 13:35:30 AXFR started for 'powerdns.com' - Apr 09 13:35:30 AXFR done for 'powerdns.com' - Apr 09 13:35:30 [gPgSQLBackend] Closing connection - - - - From now on, PDNS is authoritative for the 'powerdns.com' zone and will respond accordingly for queries within that zone. - - - Periodically, PDNS schedules checks to see if domains are still fresh. The default slave-cycle-interval is 60 seconds, large installations may need to raise this value. Once a domain has been checked, it will not be checked before its SOA refresh timer has expired. Domains whose status is unknown get checked every 60 seconds by default. - - - Superslave operation - - To configure a supermaster with IP address 10.0.0.11 which lists this installation as 'autoslave.powerdns.com', issue the following: - - insert into supermasters values ('10.0.0.11','autoslave.powerdns.com','internal'); - - From now on, valid notifies from 10.0.0.11 that list a NS record containing 'autoslave.powerdns.com' will lead to the - provisioning of a slave domain under the account 'internal'. See for details. 
- - - Master operation - - The PostgreSQL backend is fully master capable with automatic discovery of serial changes. Raising the serial number of a domain - suffices to trigger PDNS to send out notifications. To configure a domain for master operation instead of the default native replication, - issue: - - insert into domains (name,type) values ('powerdns.com','MASTER'); - - Make sure that the assigned id in the domains table matches the domain_id field in the records table! - - - Disabled data - - PowerDNS understands the notion of disabled records. They are marked by setting "disabled" to 1 (for PostgreSQL: true). - By extension, when the SOA record for a domain is disabled, the entire domain is considered to be disabled. - - - Effects: the record (or domain, respectively) will not be visible to DNS clients. The REST API will still see the record (or domain). - Even if a domain is disabled, slaving still works. Slaving considers a disabled domain to have a serial of 0; this implies that a slaved domain will not stay disabled. - - -
- - Oracle backend - - - Oracle backend capabilities - - - NativeYes - MasterYes - SlaveYes - SuperslaveYes - AutoserialYes - DNSSECYes - CommentsNo - Module nameoracle - Launch nameoracle - - -
-
- - This is the Oracle Database backend, completely rewritten for the 3.0 release, with easily - configurable SQL statements, allowing you to graft PowerDNS functionality onto any Oracle - database of your choosing. - - - The Oracle backend is difficult, and possibly illegal, to distribute in binary form. To use it, - you will probably need to compile PowerDNS from source. OCI headers are expected in - $ORACLE_HOME/rdbms/public, and OCI libraries in - $ORACLE_HOME/lib. That is where they should be with a working installation - of the full Oracle Database client. Oracle InstantClient should work as well, but you will need - to make the libraries and headers available in appropriate paths. - - - This backend uses two kinds of database connections. First, it opens a session pool. - Connections from this pool are used only for queries reading DNS data from the database. - Second, it opens normal (non-pooled) connections on demand for any kind of write access. - The reason for this split is to allow redundancy by replication. Each DNS frontend - server can have a local read-only replicated instance of your database. Open the session - pool to the local replicated copy, and all data will be available with high performance, - even if the main database goes down. The writing connections should go directly to the - main database. - - - Of course, if you do not require this kind of redundancy, or want to avoid the substantial - Oracle Database licensing costs, all connections can just go to the same database with the - same credentials. Also, the write connections should be entirely unnecessary if you - do not plan to use either master or slave mode. - - - The following configuration settings are available: - - - - - oracle-pool-database, oracle-pool-username, oracle-pool-password - - - The database to use for read access. OracleBackend will try to create a session - pool, so make sure this database user has the necessary permissions. 
If your - connection requires environment variables to be set, e.g. - ORACLE_HOME, NLS_LANG, or - LD_LIBRARY_PATH, make sure these are set when PowerDNS runs. - /etc/default/pdns might help. - - - - - oracle-master-database, oracle-master-username, oracle-master-password - - - The database to use for write access. These are normal connections, not a - session pool. The backend may open more than one at a time. - - - - - oracle-session-min, oracle-session-max, oracle-session-inc - - - Parameters for the connection pool underlying the session pool. OCI will open - session-min connections at startup, and open more connections as - needed, session-inc at a time, until session-max - connections are open. - - - - - oracle-nameserver-name - - - This can be set to an arbitrary string that will be made available in the optional bind - variable :nsname for all SQL statements. You can use this to run - multiple PowerDNS instances off the same database, while serving different zones. - - - - - - - There are many more options that are used to define the different SQL statements. These will be - discussed after the reference database schema has been explained. - - - The Database Schema - - You can find an example database schema in schema.sql in the PowerDNS - source distribution. It is intended more as a starting point to come up with a schema that - works well for your organisation, than as something you should run as it is. As long as the - semantics of the SQL statements still work out, you can store your DNS data any way you like. - - - You should read this while having schema.sql to hand. Columns will not be - specifically explained where their meaning is obvious. - - - - All FQDNs should be specified in lower case and without a trailing dot. Where things are - lexicographically compared or sorted, make sure a sane ordering is used. 
- NLS_LANG=AMERICAN_AMERICA.AL32UTF8 should generally work well enough; - when in doubt, enforce a plain ordering with - NLSSORT(value, 'NLS_SORT = BINARY'). - - - - Zones Table - - This table lists the zones for which PowerDNS is supposed to be an authoritative nameserver, - plus a small amount of information related to master/slave mode. - - - - name - - - The FQDN of the zone apex, e.g. example.com. - - - - - type - - - Describes how PowerDNS should host the zone. Valid values are - NATIVE, MASTER, and - SLAVE. PowerDNS acts as an authoritative nameserver for the zone - in all modes. In slave mode, it will additionally attempt to acquire the zone's - content from a master server. In master mode, it will additionally send - NOTIFY packets to other nameservers for the zone when its content - changes. - - - - There is a global setting to make PowerDNS send NOTIFY packets - in slave mode. - - - - - - last_check - - - This value, updated by PowerDNS, is the unix timestamp of the last successful attempt - to check this zone for freshness on the master. - - - - - refresh - - - The number of seconds PowerDNS should wait after a successful freshness check before - performing another one. This value is also found in the zone's SOA record. You may - want to make sure to put the same thing in both places. - - - - - serial - - - The serial of the version of the zone's content we are hosting now. This value is also - found in the zone's SOA record. You may want to make sure to put the same thing in - both places. - - - - - notified_serial - - - The latest serial for which we have sent NOTIFY packets. Updated - by PowerDNS. - - - - - - - - - - - - - - The Zonemasters and ZoneAlsoNotify Tables - - These are lists of hosts PowerDNS will interact with for a zone in master/slave mode. - Zonemasters lists the hosts PowerDNS will attempt to pull zone - transfers from, and accept NOTIFY packets from. 
- ZoneAlsoNotify lists hosts PowerDNS will send - NOTIFY packets to, in addition to any hosts that have NS records. - - - Host entries can be IPv4 or IPv6 addresses, in string representation. If you need to specify - a port, use 192.0.2.4:5300 notation for IPv4 and brackets for IPv6: - [2001:db8::1234]:5300. - - - - The Supermasters Table - - In superslave mode, PowerDNS can accept NOTIFY packets for zones that - have not been defined in the zone table yet. PowerDNS will then create an entry for the zone - and attempt a zone transfer. This table defines the list of acceptable sources for - supernotifications. - - - - name - - - An identifying string for this entry. Only used for logging. - - - - - ip - - - The alleged originating IP address of the notification. - - - - - nameserver - - - The FQDN of an authoritative nameserver. - - - - - - A supernotification will be accepted if an entry is found such that the notification came - from ip and nameserver appears in an NS record for that zone. - - - - The ZoneMetadata Table - - This is a per-zone key-value store for various things PowerDNS needs to know that are not - part of the zone's content or handled by other tables. Depending on your needs, you may not - want this to exist as an actual table, but simulate this in PL/SQL instead. - - - The currently defined metadata types are: - - - PRESIGNED - - - If set to 1, PowerDNS should assume that DNSSEC signatures for this zone exist in - the database and use them instead of signing records itself. For a slave zone, this - will also signal to the master that we want DNSSEC records when attempting a zone - transfer. - - - - - NSEC3PARAM - - - The NSEC3 hashing parameters for the zone. - - - - - TSIG-ALLOW-AXFR - - - The value is the name of a TSIG key. A client will be allowed to AXFR from us if the - request is signed with that key. - - - - - AXFR-MASTER-TSIG - - - The value is the name of a TSIG key. Outgoing NOTIFY packets - for this zone will be signed with that key. 
- - - - - - - - The Tables for Cryptographic Keys - - We have two of them: TSIGKeys for symmetric TSIG keys, and - ZoneDNSKeys for DNSSEC signing keys. - - - - The Records Table - - The actual DNS zone contents are stored here. - - - - zone_id - - - The zone this records belongs to. Normally, this is obvious. When you are dealing with - zone delegations, you have to insert some records into the parent zone of their actual - zone. See also auth. - - - - - fqdn - - - The owner name of this record. Again, this is lower case and without a trailing dot. - - - - - revfqdn - - - This should be a string that consists of the labels of the owner name, in reverse - order, with spaces instead of dots separating them, for example: - 'www.example.com' => 'com example www' - This is used as a quick and dirty way to get canonical zone ordering. You can chose - a more correct and much more complicated implementation instead if you prefer. - In the reference schema, this is automatically set by a trigger. - - - - - fqdnhash - - - The NSEC3 hash of the owner name. The reference schema provides code and a trigger to - calculate this, but they are not production quality. The recommendation is to load the - dnsjava classes into your database and use their facilities for dealing with DNS names - and NSEC3 hashes. - - - - - ttl - - - The TTL for the record set. This should be the same for all members of a record set, - but PowerDNS will quietly use the minimum if it encounters different values. - - - - - type - - - The type of the record, as a canonical identification string, e.g. - AAAA or MX. You can set this and - content NULL to indicate a name that exists, but doesn't carry any - record (a so called empty non-terminal) for NSEC/NSEC3 ordering purposes. - - - - - content - - - The data part of the DNS record, in canonical string representation, except that if - this includes FQDNs, they should be specified without a trailing dot. 
- - - - - last_change - - - The unix timestamp of the last change to this record. Used only for the deprecated - autoserial feature. You can omit this unless you want to use that feature. - - - - - auth - - - 0 or 1 depending on whether this record is an authoritative member of the zone - specified in zone_id. These are the rules for determining that: A - record is an authoritative member of the zone its owner name belongs to, except for DS - records, which are authoritative members of the parent zone. Delegation records, that - is, NS records and related A/AAAA glue records, are additionally non-authoritative - members of the parent zone. - - - PowerDNS has a function to automatically set this. OracleBackend doesn't support that. - Do it in the database. - - - - - - - - The SQL Statements - Fetching DNS records - - There are five queries to do this. They all share the same set of return columns: - - - fqdn - - - The owner name of the record. - - - - - ttl - - - The TTL of the record set. - - - - - type - - - The type of the record. - - - - - content - - - The content of the record. - - - - - zone_id - - - The numerical identifier of the zone the record belongs to. A record can belong to - two zones (delegations/glue), in which case it may be returned twice. - - - - - last_change - - - The unix timestamp of the last time this record was changed. Can safely be set as - a constant 0, unless you use the autoserial feature. - - - - - auth - - - 1 or 0 depending on the zone membership (authoritative or not). - - - - - Record sets (records for the same name of the same type) must appear consecutively, which - means ORDER BY clauses are needed in some places. Empty non-terminals - should be suppressed. - - - The queries differ in which columns are restricted by WHERE clauses: - - - oracle-basic-query - - - Looking for records based on owner name and type. 
Default: - - -SELECT fqdn, ttl, type, content, zone_id, last_change, auth -FROM Records -WHERE type = :type AND fqdn = lower(:name) - - - - - oracle-basic-id-query - - - Looking for records from one zone based on owner name and type. Default: - - -SELECT fqdn, ttl, type, content, zone_id, last_change, auth -FROM Records -WHERE type = :type AND fqdn = lower(:name) AND zone_id = :zoneid - - - - - oracle-any-query - - - Looking for records based on owner name. Default: - - -SELECT fqdn, ttl, type, content, zone_id, last_change, auth -FROM Records -WHERE fqdn = lower(:name) - AND type IS NOT NULL -ORDER BY type - - - - - oracle-any-id-query - - - Looking for records from one zone based on owner name. Default: - - -SELECT fqdn, ttl, type, content, zone_id, last_change, auth -FROM Records -WHERE fqdn = lower(:name) - AND zone_id = :zoneid - AND type IS NOT NULL -ORDER BY type - - - - - oracle-list-query - - - Looking for all records from one zone. Default: - - -SELECT fqdn, ttl, type, content, zone_id, last_change, auth -FROM Records -WHERE zone_id = :zoneid - AND type IS NOT NULL -ORDER BY fqdn, type - - - - - - - - Zone Metadata and TSIG - - - oracle-get-zone-metadata-query - - - Fetch the content of the metadata entries of type :kind for the - zone called :name, in their original order. Default: - - -SELECT md.meta_content -FROM Zones z JOIN ZoneMetadata md ON z.id = md.zone_id -WHERE z.name = lower(:name) AND md.meta_type = :kind -ORDER BY md.meta_ind - - - - - oracle-del-zone-metadata-query - - - Delete all metadata entries of type :kind for the zone called - :name. You can skip this if you do not plan to manage zones with the - pdnssec tool. Default: - - -DELETE FROM ZoneMetadata md -WHERE zone_id = (SELECT id FROM Zones z WHERE z.name = lower(:name)) -AND md.meta_type = :kind - - - - - oracle-set-zone-metadata-query - - - Create a metadata entry. You can skip this if you do not plan to manage zones with - the pdnssec tool. 
Default: - - -INSERT INTO ZoneMetadata (zone_id, meta_type, meta_ind, meta_content) -VALUES ( - (SELECT id FROM Zones WHERE name = lower(:name)), - :kind, :i, :content -) - - - - - oracle-get-tsig-key-query - - - Retrieved the TSIG key specified by :name. Default: - - -SELECT algorithm, secret -FROM TSIGKeys -WHERE name = :name - - - - - - - DNSSEC - - - oracle-get-zone-keys-query - - - Retrieve the DNSSEC signing keys for a zone. Default: - - -SELECT k.id, k.flags, k.active, k.keydata -FROM ZoneDNSKeys k JOIN Zones z ON z.id = k.zone_id -WHERE z.name = lower(:name) - - - - - oracle-del-zone-key-query - - - Delete a DNSSEC signing key. You can skip this if you do not plan to manage zones with - the pdnssec tool. Default: - - -DELETE FROM ZoneDNSKeys WHERE id = :keyid - - - - - oracle-add-zone-key-query - - - Add a DNSSEC signing key. You can skip this if you do not plan to manage zones with - the pdnssec tool. Default: - - -INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata) " -VALUES ( - zonednskeys_id_seq.NEXTVAL, - (SELECT id FROM Zones WHERE name = lower(:name)), - :flags, - :active, - :content -) RETURNING id INTO :keyid - - - - - oracle-set-zone-key-state-query - - - Enable or disable a DNSSEC signing key. You can skip this if you do not plan to manage zones with - the pdnssec tool. Default: - - -UPDATE ZoneDNSKeys SET active = :active WHERE id = :keyid - - - - - oracle-prev-next-name-query - - - Determine the predecessor and successor of an owner name, in canonical zone ordering. - See the reference implementation for the quick and dirty way, and the RFCs for the - full definition of canonical zone ordering. - - - This statement is a PL/SQL block that writes into two of the bind variables, not a query. 
- - - Default: - - -BEGIN - get_canonical_prev_next(:zoneid, :name, :prev, :next); -END; - - - - - oracle-prev-next-hash-query - - - Given an NSEC3 hash, this call needs to return its predecessor and successor in NSEC3 - zone ordering into :prev and :next, and the - FQDN of the predecessor into :unhashed. Default: - - -BEGIN - get_hashed_prev_next(:zoneid, :hash, :unhashed, :prev, :next); -END; - - - - - - - Incoming AXFR - - - oracle-zone-info-query - - - Get some basic information about the named zone before doing master/slave things. Default: - - -SELECT id, name, type, last_check, serial, notified_serial -FROM Zones -WHERE name = lower(:name) - - - - - oracle-delete-zone-query - - - Delete all records for a zone in preparation for an incoming zone transfer. This - happens inside a transaction, so if the transfer fails, the old zone content will - still be there. Default: - - -DELETE FROM Records WHERE zone_id = :zoneid - - - - - oracle-insert-record-query - - - Insert a record into the zone during an incoming zone transfer. This happens inside - the same transaction as delete-zone, so we will not end up with a partially - transferred zone. Default: - - -INSERT INTO Records (id, fqdn, zone_id, ttl, type, content) -VALUES (records_id_seq.NEXTVAL, lower(:name), :zoneid, :ttl, :type, :content) - - - - - oracle-finalize-axfr-query - - - A block of PL/SQL to be executed after a zone transfer has successfully completed, but - before committing the transaction. A good place to locate empty non-terminals, set the - auth bit and NSEC3 hashes, and generally do any post-processing - your schema requires. The do-nothing default: - - -DECLARE - zone_id INTEGER := :zoneid; -BEGIN - NULL; -END; - - - - - - - Master/Slave Stuff - - - oracle-unfresh-zones-query - - - Return a list of zones that need to be checked and their master servers. Return - multiple rows, identical except for the master address, for zones with more than one - master. 
Default: - - -SELECT z.id, z.name, z.last_check, z.serial, zm.master -FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id -WHERE z.type = 'SLAVE' - AND (z.last_check IS NULL OR z.last_check + z.refresh < :ts) -ORDER BY z.id - - - - - oracle-zone-set-last-check-query - - - Set the last check timestamp after a successful check. Default: - - -UPDATE Zones SET last_check = :lastcheck WHERE id = :zoneid - - - - - oracle-updated-masters-query - - - Return a list of zones that need to have NOTIFY packets sent out. - Default: - - -SELECT id, name, serial, notified_serial -FROM Zones -WHERE type = 'MASTER' -AND (notified_serial IS NULL OR notified_serial < serial) - - - - - oracle-zone-set-notified-serial-query - - - Set the last notified serial after packets have been sent. Default: - - -UPDATE Zones SET notified_serial = :serial WHERE id = :zoneid - - - - - oracle-also-notify-query - - - Return a list of hosts that should be notified, in addition to any nameservers in the - NS records, when sending NOTIFY packets for the named zone. - Default: - - -SELECT an.hostaddr -FROM Zones z JOIN ZoneAlsoNotify an ON z.id = an.zone_id -WHERE z.name = lower(:name) - - - - - oracle-zone-masters-query - - - Return a list of masters for the zone specified by id. Default: - - -SELECT master -FROM Zonemasters -WHERE zone_id = :zoneid - - - - - oracle-is-zone-master-query - - - Return a row if the specified host is a registered master for the named zone. Default: - - -SELECT zm.master -FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id -WHERE z.name = lower(:name) AND zm.master = :master - - - - - - - Superslave Stuff - - - oracle-accept-supernotification-query - - - If a supernotification should be accepted from :ip, for the master - nameserver :ns, return a label for this supermaster. 
Default: - - -SELECT name -FROM Supermasters -WHERE ip = :ip AND nameserver = lower(:ns) - - - - - oracle-insert-slave-query - - - A supernotification has just been accepted, and we need to create an entry for the new - zone. Default: - - -INSERT INTO Zones (id, name, type) -VALUES (zones_id_seq.NEXTVAL, lower(:zone), 'SLAVE') -RETURNING id INTO :zoneid - - - - - oracle-insert-master-query - - - We need to register the first master server for the newly created zone. Default: - - -INSERT INTO Zonemasters (zone_id, master) -VALUES (:zoneid, :ip) - - - - - - -
- - - Generic SQLite backend (2 and 3) - - - Generic SQLite backend capabilities - - - NativeYes - MasterYes - SlaveYes - SuperslaveYes - DNSSECgsqlite3 only (set gsqlite3-dnssec) - Disabled datagsqlite3 only - Commentsgsqlite3 only - Module namegsqlite and gsqlite3 - Launch namegsqlite and gsqlite3 - - -
-
- When importing large amounts of data, be sure to run 'analyze;' afterwards as SQLite3 - has a tendency to use sub-optimal indexes otherwise. - - This backend retrieves all data from a SQLite database, which is an RDBMS that's embedded into the application itself, so you won't need to be running a separate server process. - It also reduces overhead, and simplifies installation. - At http://www.sqlite.org you can find more information about SQLite. - - - As this is a generic backend, built on top of the gSql framework, you can specify all queries as documented in Generic MySQL and PgSQL backends. - - - SQLite exists in two incompatible versions, numbered 2 and 3, and from 2.9.21 onwards, PowerDNS supports both. It is recommended to go with version 3 - as it is newer, has better performance and is actively maintained. To use version 3, choose 'launch=gsqlite3'. - - - Compiling the SQLite backend - - Before you can begin compiling PowerDNS with the SQLite backend you need to have the SQLite utility and library installed on your system. - You can download these from http://www.sqlite.org/download.html, or you can use packages (if your distribution provides those). - - - When you've installed the library you can use: ./configure --with-modules="gsqlite" or - ./configure --with-modules="gsqlite3" to configure PowerDNS to use the SQLite backend. - Compilation can then proceed as usual. - - - SQLite is included in most PowerDNS binary releases. - - - - Setting up the database - - Before you can use this backend you first have to set it up and fill it with data. - The default setup conforms to the following schema: - - - - - This schema contains all elements needed for master, slave and superslave operation. - - - After you have created the database you probably want to fill it with data. - If you have a BIND zone file it's as easy as: zone2sql --zone=myzonefile --gmysql | sqlite powerdns.sqlite, but - you can also use AXFR (or insert data manually). 
- - - To communicate with a SQLite database, use either the 'sqlite' or 'sqlite3' program, and feed it SQL. - - - - Using the SQLite backend - - The last thing you need to do is telling PowerDNS to use the SQLite backend. - - - - # in pdns.conf - launch=gsqlite # or gsqlite3 - gsqlite-database=<path to your SQLite database> # or gsqlite3-database - - - - Then you can start PowerDNS and it should notify you that a connection to the database was made. - - -
- - DB2 backend - This backend is unsupported. - - - DB2 backend capabilities - - - NativeYes - MasterNo - SlaveNo - SuperslaveNo - AutoserialYes - DNSSECNo - Disabled dataNo - CommentsNo - Module namedb2 - Launch namedb2 - - - -
-
- - PowerDNS is currently ascertaining if this backend can be distributed in binary form without violating IBM DB2 licensing. - - - The DB2 backend executes the following queries: - - - Forward Query - - - select Content, TimeToLive, Priority, Type, ZoneId, 0 as ChangeDate, Name from Records where Name = ? and type = ? - - - - - Forward By Zone Query - - - select Content, TimeToLive, Priority, Type, ZoneId, 0 as ChangeDate, Name from Records where Name = ? and Type = ? and ZoneId = ? - - - - - Forward Any Query - - - select Content, TimeToLive, Priority, Type, ZoneId, 0 as ChangeDate, Name from Records where Name = ? - - - - - List Query - - - select Content, TimeToLive, Priority, Type, ZoneId, 0 as ChangeDate, Name from Records where ZoneId = ? - - - - - - - Configuration settings: - - - db2-server - - - Server name to connect to. Defaults to 'powerdns'. Make sure that your nameserver is not needed to resolve an IP address needed to connect as - this might lead to a chicken/egg situation. - - - - - db2-user - - - Username to connect as. Defaults to 'powerdns'. - - - - - db2-password - - - Password to connect with. Defaults to 'powerdns'. - - - - - -
- - Bind zone file backend - - - Bind zone file backend capabilities - - - NativeYes - MasterYes - SlaveYes - SuperslaveExperimental - AutoserialNo - DNSSECYes - Disabled dataNo - CommentsNo - Module namebind - Launchbind - - -
-
- - The BindBackend started life as a demonstration of the versatility of PDNS but quickly gained in importance when there appeared to be demand - for a Bind 'work-alike'. - - - The BindBackend parses a Bind-style named.conf and extracts information about zones from it. It makes no attempt to honour other configuration flags, - which you should configure (when available) using the PDNS native configuration. - - - - - --help=bind - - - Outputs all known parameters related to the bindbackend - - - - - bind-example-zones - - - Loads the 'example.com' zone which can be queried to determine if PowerDNS is functioning without configuring - database backends. This feature is no longer supported from 2.9.21 onwards. - - - - - bind-config= - - - Location of the Bind configuration file to parse. - - - - - bind-check-interval= - - - How often to check for zone changes. See 'Operation' section. - - - - - bind-dnssec-db= - - - Filename to store and access our DNSSEC metadatabase, empty for none. - - - - - bind-hybrid= - - - Store DNSSEC keys and metadata storage in an other backend. - - - - - - - Operation - - On launch, the BindBackend first parses the named.conf to determine which zones need to be loaded. These will then be parsed - and made available for serving, as they are parsed. So a named.conf with 100.000 zones may take 20 seconds to load, but after 10 seconds, - 50.000 zones will already be available. While a domain is being loaded, it is not yet available, to prevent incomplete answers. - - - Reloading is currently done only when a request for a zone comes in, and then only after bind-check-interval seconds have passed - after the last check. If a change occurred, access to the zone is disabled, the file is reloaded, access is restored, and the question is answered. - For regular zones, reloading is fast enough to answer the question which lead to the reload within the DNS timeout. 
- - - If bind-check-interval is specified as zero, no checks will be performed until the pdns_control reload - is given. - - - Pdns_control commands - - - - bind-add-zone domain filename - - - Add zone <domain> from <filename> to PDNS's bind backend. Zone will be loaded at first request. - - - - - bind-domain-status domain [domain] - - - Output status of domain or domains. Can be one of 'seen in named.conf, not parsed', 'parsed successfully at <time;>' or - 'error parsing at line ... at <time>'. - - - - - bind-list-rejects - - - Lists all zones that have problems, and what those problems are. - - - - - bind-reload-now domain - - - Reloads a zone from disk NOW, reporting back results. - - - - - - - Performance - - The BindBackend does not benefit from the packet cache as it is fast enough on its own. Furthermore, on most systems, there will - be no benefit in using multiple CPUs for the packetcache, so a noticeable speedup can be attained by specifying - distributor-threads=1 in pdns.conf. - - - Master/slave configuration - Master - - Works as expected. At startup, no notification storm is performed as this is generally not useful. Perhaps in the future the Bind Backend - will attempt to store zone metadata in the zone, allowing it to determine if a zone has changed its serial since the last time - notifications were sent out. - - - Changes which are discovered when reloading zones do lead to notifications however. - - - Slave - - Also works as expected. The Bind backend expects to be able to write to a directory where a slave domain lives. The incoming zone is stored - as 'zonename.RANDOM' and atomically renamed if it is retrieved successfully, and parsed only then. - - - In the future, this may be improved so the old zone remains available should parsing fail. - - - - Commands - - pdns_control offers commands to communicate instructions to PowerDNS. These are detailed here. - - - rediscover - - - Reread the bind configuration file (named.conf). 
If parsing fails, the old configuration - remains in force and pdns_control reports the error. Any newly discovered domains are read, discarded domains - are removed from memory. - - - Except that with 2.9.3, they are not removed from memory. - - - - - - - reload - - - All zones with a changed timestamp are reloaded at the next incoming query for them. - - - - - - -
- - LMDB (high performance) backend - - - LMDB backend capabilities - - - NativeYes - MasterNo - SlaveNo - SuperslaveNo - AutoserialNo - DNSSECNo - Module namelmdb - Launchlmdb - - -
-
- - Based on the LMDB key-value - database, the LMDB backend turns powerdns into a very high - performance and DDOS-resilient authoritative DNS server. Testing on a - 32-core server shows the ability to answer up to 400,000 queries per second - with instant startup and real-time updates independent of database size. - - - - - lmdb-datapath= - - - Location of the database to load - - - - - - - Operation - - Unlike other backends LMDB does not require any special configuration. - New or updated zones are available the next query after the update - transaction is committed. If the underlying database is removed or - recreated then the reload command should be sent through to powerdns to - get it to close and reopen the database. - - - Database Format - - A full example script for generating a database can be found in - pdns/modules/lmdbbackend/lmdb-example.pl. Basically the database - environment is comprised of three databases to store the data: - - zone database - - Each key in the zone database is the reversed lower-cased name of - the zone without - leading or trailing dots (ie for example.com the key would be moc.elpmaxe). - - - Each value in the database must contain the following data (tab-separated): - - - Zone ID - - The Zone's unique integer ID in ASCII (32-bit) - - - - TTL - - The TTL for the zone's SOA record - - - - SOA data - - space-separated SOA data eg - - ns.foo.com. hostmaster.foo.com. <serial> <refresh> <retry> <expire> <minimum> - - If refresh, retry, expire or minimum are not specified then the powerdns defaults will be used - - - - - - - data database - - This database is required to have been created with the MDB_DUPSORT flag enabled. It stores the records for each domain. - Each key must contain the following data (tab-separated): - - - Record name - - The reversed lower-cased name of the record and zone without leading or trailing dots - - - - Record type - - The type of record A, NS, PTR etc. 
SOA is not allowed as it is automatically created from the zone database records. - - - - - - The value for each entry must contain the following data - (tab-separated). If the length of this record is greater than the - LMDB limit of 510 bytes (for DUPSORT databases) an entry of "REF" - followed by the tab character and a unique 32-bit ASCII integer - which contains a reference into . - - - Zone ID - - The Zone's unique integer ID in ASCII (32-bit) - - - - TTL - - The TTL for the SOA record - - - - Record data - - - The record's data entry. For MX/SRV records the - priority is the first field and space-separated from the rest - of the data. Care must be taken to escape the data - appropriately for PowerDNS. As in the Pipe backend " and \ - characters are not allowed and any it is advised that any - characters outside of ASCII 32-126 are escaped using the \ - character. - - - - - - - extended_data database - - If the length of the value that you wish to insert into is longer than 510 bytes you need to create the - REF entry as described above linked in to this table. The value is a - unique 32-bit integer value formatted in ASCII and the value is the - exact same format as it would have been in - but can be however long you require. - - - - Example database structure - - (as output by the pdns/modules/lmdbbackend/lmdb-example.pl example script and shown by pdns/modules/lmdbbackend/dumpdb.pl) - - # perl dumpdb.pl /var/tmp/lmdb zone - key: moc.elpmaxe; value: 1 300 ns.example.com. hostmaster.example.com. 
2012021101 86400 7200 604800 86400 - # perl dumpdb.pl /var/tmp/lmdb data - key: moc.elpmaxe MX; value: 1 300 10 mail.hotmail.com - key: moc.elpmaxe NS; value: 1 300 ns.example.com - key: moc.elpmaxe.tset A; value: 1 300 1.2.3.4 - key: moc.elpmaxe.txet TXT; value: 1 300 test\010123 - key: moc.elpmaxe.txetgnol TXT; value: REF 1 - # perl dumpdb.pl /var/tmp/lmdb extended_data - key: 1; value: 1 300 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA - - - - -
- - - ODBC backend - - This backend was removed in version 3.1. - - ODBC backend capabilities - - - NativeYes - MasterYes (experimental) - SlaveYes (experimental) - SuperslaveNo - AutoserialYes - - -
-
- - The ODBC backend can retrieve zone information from any source that has a ODBC driver available. - This backend is only available on PowerDNS for Windows. - - - - The ODBC backend needs data in a fixed schema which is the same as the data needed by the MySQL backend. The create statement - will resemble this: - - CREATE TABLE records ( - id int(11) NOT NULL auto_increment, - domain_id int(11) default NULL, - name varchar(255) default NULL, - type varchar(10) default NULL, - content varchar(255) default NULL, - ttl int(11) default NULL, - prio int(11) default NULL, - change_date int(11) default NULL, - PRIMARY KEY (id), - KEY name_index(name), - KEY nametype_index(name,type), - KEY domainid_index(domain_id) - ); - - - - - To use the ODBC backend an ODBC source has to be created, to do this see the section Installing PowerDNS on Microsoft Windows, . - - - - The following configuration settings are available: - - - - odbc-datasource - - - Specifies the name of the data source to use. - - - - - odbc-user - - - Specifies the username that has to be used to log into the data source. - - - - - odbc-pass - - - Specifies the user's password. - - - - - odbc-table - - - Specifies the name of the table containing the zone information. - - - - - - - The ODBC backend has been tested with Microsoft Access, MySQL (via MyODBC) and Microsoft SQLServer. As the SQL statements used are very basic, - it is expected to work with many ODBC drivers. - -
- XDB Backend - - No longer part of PowerDNS. - - - LDAP backend - - - - As of PowerDNS Authoritative Server 3.0, the LDAP backend is unmaintained. While care will be taken that this backend still compiles, - this backend is known to have problems in version 3.0 and beyond! Please contact powerdns.support@netherlabs.nl or visit www.powerdns.com - to rectify this situation. - - - - - Grégory Oestreicher has forked the LDAP backend shortly before our 3.2 release. Please visit his - repository for the latest code. - - - - - - - This documentation has moved to its own page. The information in this chapter - may be outdated! - - - - - The main author for this module is Norbert Sendetzky. - - - He also maintains the LDAP backends documentation there. The information - below may be outdated! - - Host names and the MNAME of a SOA records are NEVER terminated with a '.' in PowerDNS storage! If a trailing '.' is present - it will inevitably cause problems, problems that may be hard to debug. - - - LDAP backend capabilities - - - NativeYes - MasterNo - SlaveNo - SuperslaveNo - AutoserialNo - DNSSECNo - - -
-
- -
- OpenDBX backend - - - - The full OpenDBX documentation can be found on its own page. The information in this chapter - may be outdated! - - - - - The main author for this module is Norbert Sendetzky. - - - - OpenDBX backend capabilities - - - NativeYes - MasterYes - SlaveYes - SuperslaveYes - AutoserialYes (since 2.9.22) - DNSSECNo - - -
-
-
- Geo backend - - - - This section is a subset of the full documentation which can be found in modules/geobackend/README of - the PowerDNS distribution. - - - - - The main author for this module is Mark Bergsma. - - - - Geo backend capabilities - - - NativePartial - MasterNo - SlaveNo - SuperslaveNo - AutoserialNo - DNSSECYes (no key storage) - - -
-
- - The Geo Backend can be used to distribute queries globally using an IP-address/country mapping table, several of which are freely available - online or can be acquired for a small fee. - - - This allows visitors to be sent to a server close to them, with no appreciable delay, as would otherwise be incurred with a protocol level redirect. - Additionally, the Geo Backend can be used to provide service over several clusters, any of which can be taken out of use easily, for example - for maintenance purposes. - - - The Geo Backend is in wide use, for example by the Wikimedia foundation, which uses it to power the Wikipedia global load balancing. - - - More details can be found here, or in - modules/geobackend/README, part of the PowerDNS Authoritative Server distribution. - -
- GeoIP backend - - - GeoIP backend capabilities - - - NativeYes - MasterNo - SlaveNo - SuperslaveNo - AutoserialNo - DNSSECYes - - -
-
- - The GeoIP backend can be used to distribute queries globally using an MaxMind IP-address/country mapping table, currently avaible for debian and ubuntu for free. Other formats - are not yet supported but will be in the future. The only format supported at the moment is country listing. - - - This allows visitors to be sent to a server close to them, with no appreciable delay, as would otherwise be incurred with a protocol level redirect. - Additionally, the Geo Backend can be used to provide service over several clusters, any of which can be taken out of use easily, for example - for maintenance purposes. - - Prerequisites - - To compile the backend, you need libyaml-cpp 0.5 or later and libgeoip. - - - You must have geoip database available. As of writing, on debian/ubuntu systems, you can use apt-get install geoip-database to get one, and the backend is - configured to use the location where these files are installed as source. On other systems you might need to alter the database-file and database-file6 attribute. - If you don't need ipv4 or ipv6 support, set the respective setting to "". Leaving it unset leaves it pointing to default location, preventing the software from - starting up. - - - Configuration Parameters - - These are the configuration file parameters that are available for the GeoIP backend. geoip-zones-files is the only thing you must set, if the defaults suite you. - - - geoip-database-file - - Specifies the full path of the data file for IPv4 to use. - - - - geoip-database-file6 - - Specifies the full path of the data file for IPv6 to use. - - - - geoip-zones-file - - Specifies the full path of the zone configuration file to use. - - - - geoip-dnssec-keydir - - Specifies the full path of a directory that will contain DNSSEC keys. - - - - - - Zonefile format - - Zone configuration file uses YAML syntax. Here is simple example. Note that the ‐ before certain keys is part of the syntax. 
- -domains: -- domain: geo.example.com - ttl: 30 - records: - geo.example.com: - - soa: ns1.example.com hostmaster.example.com 2014090125 7200 3600 1209600 3600 - - ns: ns1.example.com - - ns: ns2.example.com - - mx: 10 mx.example.com - fin.eu.service.geo.example.com: - - a: 62.236.200.4 - - txt: hello world - services: - service.geo.example.com: '%co.%cn.service.geo.example.com' - - - - - Keys explained - - - domains - - Mandatory root key. All configuration is below this - - - - domain - - Defines a domain. You need ttl, records, services under this. - - - - ttl - - TTL value for all records - - - - records - - Put fully qualified name as subkey, under which you must define at least soa: key. Note that this is an array of records, so ‐ is needed for the values. - - - - services - - Defines one or more services for querying. The format supports following placeholders, %% = %, %co = 3-letter country, %cn = continent, %af = v4 or v6. There are also other specifiers that will only work with suitable database and currently are untested. These are %re = region, %na = Name (such as, organisation), %ci = City. - - - - - -
- - Lua Backend - - - - This section is a subset of the full documentation which can be found in modules/luabackend/README of - the PowerDNS distribution. - - - - - The most up to date version of this backend can be found at Fredrik's github. - - - - - - The main author for this module is Fredrik Danerklint. - - - - Lua backend capabilities - - - NativeYes - MasterYes - SlaveNo - SuperslaveNo - AutoserialNo - DNSSECYes - - -
-
- - The Lua Backend is available since PowerDNS Authoritative Server 3.0. In 3.0 and 3.1, this backend is marked as - Experimental! - - - The Lua backend is a full service that can allows a Lua script to provide answers to DNS queries. - - - More details can be found here, or in - modules/luabackend/README, part of the PowerDNS Authoritative Server distribution. - -
- TinyDNS Backend - - - - The TinyDNS Backend is available since PowerDNS Authoritative Server 3.1. This backend is marked as experimental! - - - - - TinyDNS backend capabilities - - - NativeYes - MasterYes - SlaveNo - SuperslaveNo - AutoserialNo - DNSSECNo - Multiple instancesYes - - -
- -The TinyDNS backend allows you to use djbdns's data.cdb file format as -the storage of your DNS records. The data.cdb file is created using -tinydns-data. The backend is designed to be able to use -the data.cdb files without any changes. - - Configuration Parameters - - These are the configuration file parameters that are available for the TinyDNS backend. It is recommended to set the tinydns-dbfile. - - - tinydns-dbfile - - Specifies the name of the data file to use. The default is 'data.cdb'. - - - - tinydns-tai-adjust - - -This adjusts the TAI value if timestamps are used. -These seconds will be added to the start point (1970) and will allow you to adjust for leap seconds. The current default is 11. -The last update was on june 30th 2012. - - - - - tinydns-notify-on-startup - - Tell the TinyDNSBackend to notify all the slave nameservers on startup. This might cause broadcast storms. Default is no. - - - - tinydns-ignore-bogus-records - - - The tinydns-data program can create data.cdb files that have bad/corrupt RDATA. - PowerDNS will crash when it tries to read that bad/corrupt data. This option (change to yes), allows you to ignore that bad RDATA - to make PowerDNS operate when bad data is in your CDB file. Be aware that the records are then ignored, where tinydns would - still send out the bogus data. - The option is primarily useful in master mode, as that reads all the packets in the zone to find all the SOA records. - - - - - tinydns-locations - - Enable or Disable location support in the backend. Changing the value to 'no' will make the backend ignore the locations. This then returns all records. When the setting is changed to 'no' an AXFR will also return all the records. With the setting on 'yes' an AXFR will only return records without a location. - - - - - - Location and Timestamp support - -Both timestamp and location are supported in the backend. Locations support can be changed using the tinydns-locations setting. 
-Timestamp and location only work as expected when cache-ttl and query-cache-ttl are set to 0 -(which disables these caches). Timestamp can operate with cache-ttl if cache is needed, but the TTL returned for the -timestamped racked will not be totally correct. The record will expire once the cache is expired and the backend is queried again. -Please note that cache-ttl is a performance related setting. See . -Location support only exists for IPv4! - - - - Master mode - -The TinyDNSBackend supports master mode. This allows it to notify slave nameservers of updates to a zone. -You simply need to rewrite the data.cdb file with an updated/increased serial and PowerDNS will notify the slave nameservers -of that domain. The tinydns-notify-on-startup configuration setting tells the backend if it should -notify all the slave nameservers just after startup. - - -The CDB datafile does not allow PowerDNS to easily query for newly added domains or updated serial numbers. -The CDB datafile requires us to do a full scan of all the records. When running with verbose logging, this could -lead to a lot of output. The scanning of the CDB file may also take a while on systems with large files. The scan happens -at an interval set by the slave-cycle-interval. It might be useful to raise -this value to limit the amount of scans on the CDB file. - - -The TinyDNSBackend also keeps a list of all the zones. This is needed to detect an updated serial and to give -every zone a unique id. The list is updated when a zone is added, but not when a zone is removed. This leads to some -memory loss. - - - Useful implementation notes - -This backend might solve some issues you have with the current tinydns noted on -Jonathan de Boyne Pollard's -djbdns known problems page. - - -The data.cdb file format support all types of records. They are sometimes difficult to create because you need to specify the -actual content of the rdata. 
Tinydns.org provides a number of links to tools/cgi-scripts -that allow you to create records. Anders Brownworth also privides a number of useful -record building scripts on his djbdnsRecordBuilder. - - Compiling the TinyDNS backend requires you to have tinycdb version 0.77. - -
- Remote Backend - - - - The Remote Backend is available since PowerDNS Authoritative Server 3.2. This backend is stable on version 3.3, not before. - - - - - Remote backend capabilities - - - NativeYes - MasterYes* - SlaveYes* - SuperslaveYes* - AutoserialYes* - DNSSECYes* - Multiple instancesYes - - -
- - * If provided by the responder (your script). - - - This backend provides unix socket / pipe / http remoting for powerdns. You should think this as normal RPC thin client, which converts native C++ calls into JSON/RPC and passes them to you via connector. - - Important notices - Please do not use remotebackend shipped before version 3.3. This version has severe bug that can crash the entire process. - - Compiling - - To compile this backend, you need to configure --with-modules="remote". - - - For versions prior to 3.4.0, if you want to use http connector, you need libcurl and use --enable-remotebackend-http. - - - If you want to use ZeroMQ connector, you need libzmq-dev or libzmq3-dev and use --enable-remotebackend-zeromq. - - - Usage - - The only configuration options for backend are remote-connection-string and remote-dnssec. - - - -remote-connection-string=<type>:<param>=<value>,<param>=<value>... - - - - You can pass as many parameters as you want. For unix and pipe connectors, these - are passed along to the remote end as initialization. See . - Initialize is not called for http connector. - - - Unix connector - - parameters: path, timeout (default 2000ms) - - - -remote-connection-string=unix:path=/path/to/socket - - - - - Pipe connector - - parameters: command,timeout (default 2000ms) - - - -remote-connection-string=pipe:command=/path/to/executable,timeout=2000 - - - - - - HTTP connector - - parameters: url, url-suffix, post, post_json, cafile, capath, timeout (default 2000) - - - -remote-connection-string=http:url=http://localhost:63636/dns,url-suffix=.php - - - - HTTP connector tries to do RESTful requests to your server. See examples. You can also - use post to change behaviour so that it will send POST request to url/method + url_suffix - with parameters=json-formatted-parameters. If you use post and post_json, it will POST - url with text/javascript containing JSON formatted RPC request, just like for pipe and unix. 
- You can use '1', 'yes', 'on' or 'true' to turn these features on. - - - URL should not end with /, and url-suffix is optional, but if you define it, it's - up to you to write the ".php" or ".json". Lack of dot causes lack of dot in - URL. Timeout is divided by 1000 because libcurl only supports seconds, but this is - given in milliseconds for consistency with other connectors. - - - You can use HTTPS requests. If cafile and capath is left empty, remote SSL certificate is not checked. - HTTP Authentication is not supported. SSL support requires that your cURL is compiled with it. - - - - ZeroMQ connector - - parameters: endpoint, timeout (default 2000ms) - - - -remote-connection-string=zmq:endpoint=ipc:///tmp/tmp.sock - - - - 0MQ connector implements a REQ/REP RPC model. Please see http://zeromq.org/ for more information. - - - - - - API - Queries - - Unix and Pipe connector sends JSON formatted string to the remote end. Each - JSON query has two sections, 'method' and 'parameters'. - - - HTTP connector calls methods based on URL and has parameters in the query string. - Most calls are GET; see the methods listing for details. You can change this with post and post_json attributes. - - - Replies - - You *must* always reply with JSON hash with at least one key, 'result'. This - must be boolean false if the query failed. Otherwise it must conform to the expected - result. For HTTP connector, to signal bare success, you can just reply with HTTP 200 OK, and omit any output. This will result in same outcome as sending {"result":true}. - - - You can optionally add 'log' array, each line in this array will be logged in - PowerDNS. - - - Methods - -Method: initialize - - - Mandatory: - Yes (except HTTP connector) - - - Parameters: - all parameters in connection string - - - Reply: - true on success / false on failure - - - Description - Called to initialize the backend. This is not called for HTTP connector. You should -do your initializations here. 
- - - Example JSON/RPC: - - -Query: - -{"method":"initialize", "parameters":{"command":"/path/to/something", "timeout":"2000", "something":"else"}} - - - -Response: - -{"result":true} - - - - - - - -Method: lookup - - - Mandatory: - Yes - - - Parameters: - qtype, qname, zone_id - - - Optional parameters: - remote, local, real-remote - - - Reply: - array of <qtype,qname,content,ttl,domain_id,scopeMask,auth> - - - Optional values: - domain_id, scopeMask and auth - - - Description -This method is used to do the basic query. You can omit auth, but if you - are using DNSSEC this can lead into trouble. - - - Example JSON/RPC: - - -Query: - -{"method":"lookup", "parameters":{"qtype":"ANY", "qname":"www.example.com", "remote":"192.168.0.24", "local":"192.168.0.1", "real-remote":"192.168.0.24", "zone-id":-1}} - - - -Response: - -{"result":[{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60}]} - - - - - - Example HTTP/RPC: - - -Query: - -GET /dnsapi/lookup/www.example.com/ANY HTTP/1.1 -X-RemoteBackend-remote: 192.168.0.24 -X-RemoteBackend-local: 192.168.0.1 -X-RemoteBackend-real-remote: 192.168.0.24 -X-RemoteBackend-zone-id: -1 - - - -Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":[{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60}]} - - - - - - - -Method: list - - - Mandatory: - No (Gives AXFR support) - - - Parameters: - zonename, domain_id - - - Optional parameters: - domain_id - - - Reply: - array of <qtype,qname,content,ttl,domain_id,scopeMask,auth> - - - Optional values: - domain_id, scopeMask and auth - - - Description - -Lists all records for the zonename. If you are running dnssec, you should take care of setting auth -to appropriate value, otherwise things can go wrong. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"list", "parameters":{"zonename":"example.com","domain_id":-1}} - - - - Response (split into lines for ease of reading) - -{"result":[ - {"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600}, - {"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60}, - {"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60}, - {"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60}, - {"qtype":"A", "qname":"ns1.example.com", "content":"192.168.0.2", "ttl": 60}, - {"qtype":"A", "qname":"mx1.example.com", "content":"192.168.0.3", "ttl": 60} -]} - - - - - - Example HTTP/RPC: - - - Query: - -GET /dnsapi/list/-1/example.com HTTP/1.1 -X-RemoteBackend-domain-id: -1 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":[{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},{"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60},{"qtype":"A", "qname":"ns1.example.com", "content":"192.168.0.2", "ttl": 60},{"qtype":"A", "qname":"mx1.example.com", "content":"192.168.0.3", "ttl": 60}]} - - - - - - - -Method: getBeforeAndAfterNamesAbsolute - - - Mandatory: - for NSEC/NSEC3 non-narrow - - - Parameters: - id, qname - - - Reply: - before, after - - - Description - -Asks the names before and after qname. qname is given without dots or domain part. The query -will be hashed when using NSEC3. Care must be taken to handle wrap-around when qname is first or last in -the ordered list. Do not return nil for either one. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"getbeforeandafternamesabsolute", "params":{"id":0,"qname":"www.example.com"}} - - - - Response: - -{”result":{"before":"ns1","after":""}} - - - - - - Example HTTP/RPC: - - - Query: - -/dnsapi/getbeforeandafternamesabsolute/0/www.example.com - - - - Response: - -{”result":{"before":"ns1","after":""}} - - - - - - - -Method: getAllDomainMetadata - - - Mandatory: - No - - - Parameters: - name - - - Reply: - hash of key to array of strings - - - Description - -Returns the value(s) for variable kind for zone name. You *must* always return -something, if there are no values, you shall return empty set or false. - - - - Example JSON/RPC: - - - Query: - -{"method":"getalldomainmetadata", "parameters":{"name":"example.com"}} - - - - Response: - -{"result":{"PRESIGNED":["NO"]}} - - - - - - Example HTTP/RPC: - - - Query: - -GET /dnsapi/getalldomainmetadata/example.com HTTP/1.1 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":{"PRESIGNED":["NO"]}} - - - - - - - -Method: getDomainMetadata - - - Mandatory: - No - - - Parameters: - name, kind - - - Reply: - array of strings - - - Description - -Returns the value(s) for variable kind for zone name. Most commonly it's one of -NSEC3PARAM, PRESIGNED, SOA-EDIT. Can be others, too. You *must* always return -something, if there are no values, you shall return empty array or false. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"getdomainmetadata", "parameters":{"name":"example.com","kind":"PRESIGNED"}} - - - - Response: - -{"result":["NO"]} - - - - - - Example HTTP/RPC: - - - Query: - -GET /dnsapi/getdomainmetadata/example.com/PRESIGNED HTTP/1.1 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":["NO"]} - - - - - - - -Method: setDomainMetadata - - - Mandatory: - No - - - Parameters: - name, kind, value - - - Reply: - true on success, false on failure - - - Description - -Replaces the value(s) on domain name for variable kind to string(s) on array value. The -old value is discarded. Value can be an empty array, which can be interprepted as -deletion request. - - - - Example JSON/RPC: - - - Query: - -{"method":"setdomainmetadata","parameters":{"name":"example.com","kind":"PRESIGNED","value":["YES"]}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -PATCH /dnsapi/setdomainmetadata/example.com/PRESIGNED HTTP/1.1 -Content-Type: application/x-www-form-urlencoded -Content-Length: 12 - -value[]=YES& - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: getDomainKeys - - - Mandatory: - for DNSSEC - - - Parameters: - name, kind - - - Reply: - array of <id, flags, active, content> - - - Description - -Retrieves any keys of kind. The id, flags are unsigned integers, and active is boolean. Content must be valid key record in format that PowerDNS understands. You are encouraged to implement , as you can use to provision keys. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"getdomainkeys","parameters":{"name":"example.com","kind":0}} - - - - Response: - -{"result":[{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2 -Algorithm: 8 (RSASHA256) -Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8= -PublicExponent: AQAB -PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E= -Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw== -Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ== -Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ== -Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ== -Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}]} - - - - - - Example HTTP/RPC: - - - Query: - -GET /dnsapi/getdomainkeys/example.com/0 HTTP/1.1 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":[{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2 -Algorithm: 8 (RSASHA256) -Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8= -PublicExponent: AQAB -PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E= -Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw== -Prime2: 
wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ== -Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ== -Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ== -Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}]} - - - - - - - -Method: addDomainKey - - - Mandatory: - No - - - Parameters: - name, key=<flags,active,content> - - - Reply: - true for success, false for failure - - - Description - -Adds key into local storage. See for more information. - - - - Example JSON/RPC: - - - Query: - -{"method":"adddomainkey", "parameters":{"key":{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2 -Algorithm: 8 (RSASHA256) -Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8= -PublicExponent: AQAB -PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E= -Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw== -Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ== -Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ== -Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ== -Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w=="}}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -PUT /dnsapi/adddomainkey/example.com -Content-Type: application/x-www-form-urlencoded -Content-Length: 965 - -flags=256&active=1&content=Private-key-format: v1.2 -Algorithm: 8 (RSASHA256) 
-Modulus: r+vmQll38ndQqNSCx9eqRBUbSOLcH4PZFX824sGhY2NSQChqt1G4ZfndzRwgjXMUwiE7GkkqU2Vbt/g4iP67V/+MYecMV9YHkCRnEzb47nBXvs9JCf8AHMCnma567GQjPECh4HevPE9wmcOfpy/u7UN1oHKSKRWuZJadUwcjbp8= -PublicExponent: AQAB -PrivateExponent: CYC93UtVnOM6wrFJZ+qA9+Yx+p5yk0CSi0Q7c+/6EVMuABQ5gNyTuu0j65lU3X81bwUk2wHPx6smfgoVDRAW5jjO4jgIFV6nE4inzk5YQKycQSL8YG3Nm9GciLFya1KUXs81sHsQpkvK7MNaSbvkaHZQ6iv16bZ4t73Wascwa/E= -Prime1: 6a165cIC0nNsGlTW/s2jRu7idq5+U203iE1HzSIddmWgx5KIKE/s3I+pwfmXYRUmq+4H9ASd/Yot1lSYW98szw== -Prime2: wLoCPKxxnuxDx6/9IKOYz8t9ZNLY74iCeQ85koqvTctkFmB9jpOUHTU9BhecaFY2euP9CuHV7z3PLtCoO8s1MQ== -Exponent1: CuzJaiR/7UboLvL4ekEy+QYCIHpX/Z6FkiHK0ZRevEJUGgCHzRqvgEBXN3Jr2WYbwL4IMShmGoxzSCn8VY9BkQ== -Exponent2: LDR9/tyu0vzuLwc20B22FzNdd5rFF2wAQTQ0yF/3Baj5NAi9w84l0u07KgKQZX4g0N8qUyypnU5YDyzc6ZoagQ== -Coefficient: 6S0vhIQITWzqfQSLj+wwRzs6qCvJckHb1+SD1XpwYjSgMTEUlZhf96m8WiaE1/fIt4Zl2PC3fF7YIBoFLln22w== - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: removeDomainKey - - - Mandatory: - No - - - Parameters: - name, id - - - Reply: - true for success, false for failure - - - Description - -Removes key id from domain name. - - - - Example JSON/RPC: - - - Query: - -{"method":"removedomainkey","parameters":"{"name":"example.com","id":1}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -DELETE /dnsapi/removedomainkey/example.com/1 HTTP/1.1 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: activateDomainKey - - - Mandatory: - No - - - Parameters: - name, id - - - Reply: - true for success, false for failure - - - Description - -Activates key id for domain name. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"activatedomainkey","parameters":{"name":"example.com","id":1}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -POST /dnsapi/activatedomainkey/example.com/1 HTTP/1.1 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; utf-8 - -{"result": true} - - - - - - - -Method deactivateDomainKey - - - Mandatory: - No - - - Parameters: - name, id - - - Reply: - true for success, false for failure - - - Description -Deactivates key id for domain name. - - - Example JSON/RPC: - - - Query: - -{"method":"deactivatedomainkey","parameters":{"name":"example.com","id":1}} - - - - Response: - -{"result": true} - - - - - - Example HTTP/RPC: - - - Query: - -POST /dnsapi/deactivatedomainkey/example.com/1 HTTP/1.1 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; utf-8 - -{"result": true} - - - - - - - -Method: getTSIGKey - - - Mandatory: - No - - - Parameters: - name - - - Reply: - algorithm, content - - - Description - -Retrieves the key needed to sign AXFR. - - - - Example JSON/RPC: - - - Query: - -{"method":"gettsigkey","parameters":{"name":"example.com"}} - - - - Response: - -{"result":{"algorithm":"hmac-md5","content:"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}} - - - - - - Example HTTP/RPC: - - - Query: - -GET /dnsapi/gettsigkey/example.com - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":{"algorithm":"hmac-md5","content:"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}} - - - - - - - -Method: getDomainInfo - - - Mandatory: - No - - - Parameters: - name - - - Reply: - zone - - - Optional values: - serial, kind, id, notified_serial, last_check, masters - - - Description - -Retrieves information about given domain from the backend. If your return value has no zone -attribute, the backend will signal error. Everything else will default to something. 
-Default values: serial:0, kind:NATIVE, id:-1, notified_serial:-1, last_check:0, masters: []. -Masters, if present, must be array of strings. - - - - Example JSON/RPC: - - - Query: - -{"method":"getdomaininfo","parameters":{"name":"example.com"}} - - - - Response: - -{"result":{id:1,"zone":"example.com","kind":"NATIVE","serial":2002010100}} - - - - - - Example HTTP/RPC: - - - Query: - -GET /dnsapi/getdomaininfo/example.com HTTP/1.1 - - - - Response: - -HTTP/1.1 200 OK -content-Type: text/javascript: charset=utf-8 - -{"result":{id:1,"zone":"example.com","kind":"NATIVE","serial":2002010100}} - - - - - - - -Method: setNotified - - - Mandatory: - No - - - Parameters: - id, serial - - - Reply: - true for success, false for failure - - - Description - -Updates last notified serial for the domain id. Any errors are ignored. - - - - Example JSON/RPC: - - - Query: - -{"method":"setnotified","parameters":{"id":1,"serial":2002010100}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -PATCH /dnsapi/setnotified/1 -Content-Type: application/x-www-form-urlencoded -Content-Length: 17 - -serial=2002010100 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: isMaster - - - Mandatory: - No - - - Parameters: - name,ip - - - Reply: - true for success, false for failure. - - - Description - -Determines whether given IP is master for given domain name. - - - - Example JSON/RPC: - - - Query: - -{"method":"isMaster","parameters":{"name":"example.com","ip":"10.0.0.1"}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -GET /dnsapi/isMaster/example.com/10.0.0.1 - - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: superMasterBackend - - - Mandatory: - No - - - Parameters: - ip,domain,nsset,account - - - Reply: - true for success, false for failure. 
can also return account=>name of account - - - Description - -Creates new domain with given record(s) as master servers. IP address is the address where notify is received from. nsset is array of NS resource records. - - - - Example JSON/RPC: - - - Query: - -{"method":"superMasterBackend","parameters":{"ip":"10.0.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"auth":true}]}} - - - - Response: - -{"result":true} - - Alternative response: - -{"result":{"account":"my account"}} - - - - - - Example HTTP/RPC: - - - Query: - -POST /dnsapi/supermasterbackend/10.0.0.1/example.com -Content-Type: application/x-www-form-urlencoded -Content-Length: 317 - -nsset[1][qtype]=NS&nsset[1][qname]=example.com&nsset[1][qclass]=1&nsset[1][content]=ns1.example.com&nsset[1][ttl]=300&nsset[1][auth]=true&nsset[2][qtype]=NS&nsset[2][qname]=example.com&nsset[2][qclass]=1&nsset[2][content]=ns2.example.com&nsset[2][ttl]=300&nsset[2][auth]=true - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - Alternative response - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":{"account":"my account}} - - - - - - - - -Method: createSlaveDomain - - - Mandatory: - No - - - Parameters: - ip, domain - - - Optional parameters: - account - - - Reply: - true for success, false for failure - - - Description - -Creates new domain. This method is called when NOTIFY is received and you are superslaving. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"createSlaveDomain","parameters":{"ip":"10.0.0.1","domain":"pirate.unit.test"}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -POST /dnsapi/createslavedomain/10.0.0.1/pirate.unit.test -Content-Type: application/x-www-form-urlencoded -Content-Length: 0 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: replaceRRSet - - - Mandatory: - No - - - Parameters: - domain_id, qname, qtype, rrset - - - Reply: - true for success, false for failure - - - Description - -This method replaces a given resource record with new set. The new qtype can be different from the old. - - - - Example JSON/RPC: - - - Query: - -{"method":"replaceRRSet","parameters":{"domain_id":2,"qname":"replace.example.com","qtype":"A","trxid":1370416133,"rrset":[{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"1.1.1.1","ttl":300,"auth":true}]}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -PATCH /dnsapi/replacerrset/2/replace.example.com/A -Content-Type: application/x-www-form-urlencoded -Content-Length: 135 - -trxid=1370416133&rrset[qtype]=A&rrset[qname]=replace.example.com&rrset[qclass]=1&rrset[content]=1.1.1.1&rrset[auth]=1 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: feedRecord - - - Mandatory: - No - - - Parameters: - rr, trxid - - - Reply: - true for success, false for failure - - - Description - -Asks to feed new record into system. If startTransaction was called, trxId identifies a transaction. It is not always called by PowerDNS. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"feedRecord","parameters":{"rr":{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"127.0.0.1","ttl":300,"auth":true},"trxid":1370416133}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -PATCH /dnsapi/feedrecord/1370416133 -Content-Type: application/x-www-form-urlencoded -Content-Length: 117 - -rr[qtype]=A&rr[qname]=replace.example.com&rr[qclass]=1&rr[content]=127.0.0.1&rr[ttl]=300&rr[auth]=true - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: feedEnts - - - Mandatory: - No - - - Parameters: - nonterm, trxid - - - Reply: - true for success, false for failure - - - Description - -This method is used by pdnssec rectify-zone to populate missing non-terminals. This is used when you have, say, record like _sip._upd.example.com, but no _udp.example.com. PowerDNS requires that there exists a non-terminal in between, and this instructs you to add one. If startTransaction is called, trxid identifies a transaction. - - - - Example JSON/RPC: - - - Query: - -{"method":"feedEnts","parameters":{"domain_id":2,"trxid":1370416133,"nonterm":["_sip._udp","_udp"]}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -PATCH /dnsapi/feedents/2 -Content-Type: application/x-www-form-urlencoded -Content-Length: 50 - -trxid=1370416133&nonterm[]=_udp&nonterm[]=_sip.udp - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: feedEnts3 - - - Mandatory: - No - - - Parameters: - trxid, domain_id, domain, times, salt, narrow, nonterm - - - Reply: - true for success, false for failure - - - Description - -Same as , but provides NSEC3 hashing parameters. Note that salt is BYTE value, and can be non-readable text. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"feedEnts3","parameters":{"domain_id":2,"domain":"example.com","times":1,"salt":"9642","narrow":false,"trxid":1370416356,"nonterm":["_sip._udp","_udp"]}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -PATCH /dnsapi/2/example.com -Content-Type: application/x-www-form-urlencoded -Content-Length: 78 - -trxid=1370416356&times=1&salt=9642&narrow=0&nonterm[]=_sip._udp&nonterm[]=_udp - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: startTransaction - - - Mandatory: - No - - - Parameters: - domain_id, domain, trxid - - - Reply: - true for success, false for failure - - - Description - -Starts a new transaction. Transaction ID is chosen for you. Used to identify f.ex. AXFR transfer. - - - - Example JSON/RPC: - - - Query: - -{"method":"startTransaction","parameters":{"trxid":1234,"domain_id":1,"domain":"example.com"}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -POST /dnsapi/starttransaction/1/example.com -Content-Type: application/x-www-form-urlencoded -Content-Length: 10 - -trxid=1234 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: commitTransaction - - - Mandatory: - No - - - Parameters: - trxid - - - Reply: - true for success, false for failure - - - Description - -Signals successful transfer and asks to commit data into permanent storage. 
- - - - Example JSON/RPC: - - - Query: - -{"method":"commitTransaction","parameters":{"trxid":1234}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -POST /dnsapi/committransaction/1234 -Content-Type: application/x-www-form-urlencoded -Content-Length: 0 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: abortTransaction - - - Mandatory: - No - - - Parameters: - trxid - - - Reply: - true for success, false for failure - - - Description - -Signals failed transaction, and that you should rollback any changes. - - - - Example JSON/RPC: - - - Query: - -{"method":"abortTransaction","parameters":{"trxid":1234}} - - - - Response: - -{"result":true} - - - - - - Example HTTP/RPC: - - - Query: - -POST /dnsapi/aborttransaction/1234 -Content-Type: application/x-www-form-urlencoded -Content-Length: 0 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":true} - - - - - - - -Method: calculateSOASerial - - - Mandatory: - No - - - Parameters: - domain,sd - - - Reply: - true for success, false for failure - - - Description - -Asks you to calculate a new serial based on the given data and update the serial. 
- - - - Example JSON/RPC: - - - Query: -{"method":"calculateSOASerial","parameters":{"domain":"unit.test","sd":{"qname":"unit.test","nameserver":"ns.unit.test","hostmaster":"hostmaster.unit.test","ttl":300,"serial":1,"refresh":2,"retry":3,"expire":4,"default_ttl":5,"domain_id":-1,"scopeMask":0}}} - - - - Response: - -{"result":2013060501} - - - - - - Example HTTP/RPC: - - - Query: - -POST /dnsapi/calculatesoaserial/unit.test -Content-Type: application/x-www-form-urlencoded -Content-Length: 198 - -sd[qname]=unit.test&sd[nameserver]=ns.unit.test&sd[hostmaster]=hostmaster.unit.test&sd[ttl]=300&sd[serial]=1&sd[refresh]=2&sd[retry]=3&sd[expire]=4&sd[default_ttl]=5&sd[domain_id]=-1&sd[scopemask]=0 - - - - Response: - -HTTP/1.1 200 OK -Content-Type: text/javascript; charset=utf-8 - -{"result":2013060501} - - - - - - - - - - -Examples - - Scenario: SOA lookup via pipe or unix connector - - -Query: - -{ - "method": "lookup", - "parameters": { - "qname": "example.com", - "qtype": "SOA", - "zone_id": "-1" - } -} - - - -Reply: - -{ - "result": - [ - { "qtype": "SOA", - "qname": "example.com", - "content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600", - "ttl": 3600, - "domain_id": -1 - } - ] -} - - - -Scenario: SOA lookup with HTTP connector - - -Query: - -/dns/lookup/example.com/SOA - -Reply: - -{ - "result": - [ - { "qtype": "SOA", - "qname": "example.com", - "content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600", - "ttl": 3600, - "domain_id": -1 - } - ] -} - - - -
-
-PDNS internals - - PDNS is normally launched by the init.d script but is actually a binary called pdns_server. This - file is started by the start and monitor commands to the init.d script. Other commands - are implemented using the controlsocket. - - Controlsocket - - The controlsocket is the means to contact a running PDNS daemon, or as we now know, a running pdns_server. - Over this sockets, instructions can be sent using the pdns_control program. Like the pdns_server, - this program is normally accessed via the init.d script. - - pdns_control - - - To communicate with PDNS over the controlsocket, the pdns_control command is used. The init.d script also calls - pdns_control. The syntax is simple: pdns_control command arguments. Currently this is most useful for telling backends - to rediscover domains or to force the transmission of notifications. See . - - - Besides the commands implemented by the init.d script, for which see , the following pdns_control commands - are available: - - - ccounts - - - Returns counts on the contents of the cache. - - - - - current-config - - - Retrieves the current configuration settings from the PDNS instance. This can be useful to generate a - from a running instance. - - - The output has the same format as pdns_server --config. You'll notice that all the - are uncommented. This is because PDNS simply has values, and the default isn't known at runtime. - - - - - cycle - - - Restart a PowerDNS instance. Only available when running in guardian mode. - - - - - notify domain - - - Adds a domain to the notification list, causing PDNS to send out notifications to the nameservers of a domain. Can be used if - a slave missed previous notifications or is generally hard of hearing. - - - - - notify-host domain host - - - Same as above but with operator specified IP address as destination, to be used if you know better than PowerDNS. - - - - - ping - - - 'PING' the powerdns-guardian. Will return 'PONG' when it is available. 
(Only works when you are running in guardian mode) - - - - - purge - - - Purges the entire Packet Cache - see . - - - - - purge record - - - Purges all entries for this exact record name - see . - - - - - purge record$ - - - Purges all cache entries ending on this name, effectively purging an entire domain - see . - - - - - purge - - - Purges the entire Packet Cache - see . - - - - - rping - - - 'PING' the powerdns-instance. Will return 'PONG' when it is available. - - - - - rediscover - - - Instructs backends that new domains may have appeared in the database, or, in the case of the Bind backend, in - named.conf. - - - - - reload - - - Instructs backends that the contents of domains may have changed. Many backends ignore this, the Bind backend will check - timestamps for all zones (once queries come in for it) and reload if needed. - - - - - retrieve domain - - - Retrieve a slave domain from its master. Done nearly immediately. - - - - - set variable value - - - Set a configuration parameter. Currently only the 'query-logging' parameter can be set. - - - - - uptime - - - Reports the uptime of the daemon in human readable form. - - - - - show variable - - Show a specific statistic. Use * for all. (You may need to quote as '*' or \*). - - - - version - - Returns the version of a running pdns daemon. - - - - status - - - Retrieves the status of PowerDNS. Only available when running with guardian. - - - - - - - - - Guardian - - When launched by the init.d script, pdns_server wraps itself inside a 'guardian'. This guardian monitors the - performance of the inner pdns_server instance which shows up in the process list of your OS as - pdns_server-instance. - - It is also this guardian that pdns_control talks to. A STOP is interpreted by the guardian, - which causes the guardian to sever the connection to the inner process and terminate it, after which it terminates itself. 
- - The init.d script DUMP and SHOW commands need to access the inner process, because - the guardian itself does not run a nameserver. For this purpose, the guardian passes controlsocket requests to the control console of the - inner process. This is the same console as seen with init.d MONITOR. - - Modules & Backends - - PDNS has the concept of backends and modules. Non-static PDNS distributions have the ability to load new modules at runtime, while the - static versions come with a number of modules built in, but cannot load more. - - - Related parameters are: - - - --help - - - Outputs all known parameters, including those of launched backends, see below. - - - - - --launch=backend,backend1,backend1:name - - - Launches backends. In its most simple form, supply all backends that need to be launched. If you find - that you need to launch single backends multiple times, you can specify a name for later instantiations. - In this case, there are 2 instances of backend1, and the second one is called 'name'. - - This means that --backend1-setting is available to configure the first or main instance, and - --backend1-name-setting for the second one. - - - - - --load-modules=/directory/libyourbackend.so - - - If backends are available in nonstandard directories, specify their location here. Multiple files - can be loaded if separated by commas. Only available in non-static PDNS distributions. - - - - - --list-modules - - - Will list all available modules, both compiled in and in dynamically loadable modules. - - - - - To run on the command line, use the pdns_server binary. For example, to see options for the gpgsql backend, - use the following: - - $ /usr/sbin/pdns_server --launch=gpgsql --help=gpgsql - - - - How PDNS translates DNS queries into backend queries - - A DNS query is not a straightforward lookup. 
Many DNS queries need to check the backend for additional data, for example to - determine of an unfound record should lead to an NXDOMAIN ('we know about this domain, but that record does not exist') or an - unauthoritative response. - - - Simplified, without CNAME processing, wildcards, referrals and DNSSEC, the algorithm is like this: - - - When a query for a qname/qtype tuple comes in, PDNS queries backends to find the closest matching - SOA, thus figuring out what backend owns this zone. When the right backend has been found, PDNS issues a - qname/ANY query to the backend. If the response is empty, NXDOMAIN is concluded. If the response is - not empty, any contents matching the original qtype are added to the list of records to return, and NOERROR is sset. - - - Each of these records is now investigated to see if it needs 'additional processing'. This holds for example for MX records which may - point to hosts for which the PDNS backends also contain data. This involves further lookups for A or AAAA records. - - - After all additional processing has been performed, PDNS sieves out all double records which may well have appeared. The resulting set of - records is added to the answer packet, and sent out. - - - A zone transfer works by looking up the domain_id of the SOA record of the name and then listing all records of that - domain_id. This is why all records in a domain need to have the same domain_id. - - - If no SOA was found, an unauthoritative no-error is returned. - - - PDNS (before 3.0) broke strict RFC compatibility by not always checking for the presence of a SOA record first. This was unlikely to lead to - problems though. - - - Adding new DNS record types - - Here are the full descriptions on how we added the TLSA record type to all PowerDNS products, with links to the actual source code. 
- - - First, define the TLSARecordContent class in dnsrecords.hh: - - - -class TLSARecordContent : public DNSRecordContent -{ -public: - includeboilerplate(TLSA) - uint8_t d_certusage, d_selector, d_matchtype; - string d_cert; -}; - - - -The 'includeboilerplate(TLSA)' generates the four methods that do everything PowerDNS would ever want to do with a record: - - - - read TLSA records from zonefile format - - - - -write out a TLSA record in zonefile format - - - - -read a TLSA record from a packet - - - - -write a TLSA record to a packet - - - - - -The actual parsing code: - - -boilerplate_conv(TLSA, 52, - conv.xfr8BitInt(d_certusage); - conv.xfr8BitInt(d_selector); - conv.xfr8BitInt(d_matchtype); - conv.xfrHexBlob(d_cert, true); - ) - - - - This code defines the TLSA rrtype number as 52. Secondly, it says there are 3 eight bit fields for Certificate Usage, Selector and Match type. Next, it defines that the rest of the record is the actual certificate (hash). 'conv' methods are supplied for all DNS data types in use. - - - -Now add TLSRecordContent::report() to reportOtherTypes(). - - - - And that's it. For completeness, add TLSA and 52 to the QType enum in qtype.hh, which makes it easier to refer to the TLSA record in code if so required. - - - - - - - Backend writers' guide - - PDNS backends are implemented via a simple yet powerful C++ interface. If your needs are not met by the PipeBackend, you - may want to write your own. Before doing any PowerDNS development, please visit the wiki. - - - A backend contains zero DNS logic. It need not look for CNAMEs, it need not return NS records unless explicitly asked for, etcetera. - All DNS logic is contained within PDNS itself - backends should simply return records matching the description asked for. - - - - However, please note that your backend can get queries in aNy CAsE! 
If your database is case sensitive, like most are (with the notable - exception of MySQL), you must make sure that you do find answers which differ only in case. - - - - - PowerDNS may instantiate multiple instances of your backend, or destroy existing copies and instantiate new ones. Backend code - should therefore be thread-safe with respect to its static data. Additionally, it is wise if instantiation is a fast operation, - with the possible exception of the first construction. - - - Simple read-only native backends - - Implementing a backend consists of inheriting from the DNSBackend class. For read-only backends, which do not support slave operation, - only the following methods are relevant: - - - class DNSBackend - { - public: - - virtual void lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt_p=0, int zoneId=-1)=0; - virtual bool list(const string &target, int domain_id)=0; - virtual bool get(DNSResourceRecord &r)=0; - virtual bool getSOA(const string &name, SOAData &soadata, DNSPacket *p=0); - }; - - - Note that the first three methods must be implemented. getSOA() has a useful default implementation. - - - The semantics are simple. Each instance of your class only handles one (1) query at a time. There is no need for locking as PDNS guarantees - that your backend will never be called reentrantly. - - Queries for wildcard names should be answered literally, without expansion. So, - if a backend gets a question for "*.powerdns.com", it should only answer with data if there is - an actual "*.powerdns.com" name - - - Some examples, a more formal specification is down below. A normal lookup starts like this: - - - YourBackend yb; - yb.lookup(QType::CNAME,"www.powerdns.com"); - - - Your class should now do everything to start this query. Perform as much preparation as possible - handling errors at this stage is better for PDNS - than doing so later on. A real error should be reported by throwing an exception. 
- - - PDNS will then call the get() method to get DNSResourceRecords back. The following code illustrates - a typical query: - - - yb.lookup(QType::CNAME,"www.powerdns.com"); - - DNSResourceRecord rr; - while(yb.get(rr)) - cout<<"Found cname pointing to '"+rr.content+"'"<<endl; - } - - - - Each zone starts with a Start of Authority (SOA) record. This record is special so many backends will choose to implement it - specially. The default getSOA() method performs a regular lookup on your backend to figure out the SOA, - so if you have no special treatment for SOA records, where is no need to implement your own getSOA(). - - - Besides direct queries, PDNS also needs to be able to list a zone, to do zone transfers for example. Each zone has an id which should be - unique within the backend. To list all records belonging to a zone id, the list() method is used. Conveniently, - the domain_id is also available in the SOAData structure. - - - The following lists the contents of a zone called "powerdns.com". - - - SOAData sd; - if(!yb.getSOA("powerdns.com",sd)) // are we authoritative over powerdns.com? - return RCode::NotAuth; // no - - yb.list(sd.domain_id); - while(yb.get(rr)) - cout<<rr.qname<<"\t IN "<<rr.qtype.getName()<<"\t"<<rr.content<<endl; - - - - Please note that when so called 'fancy records' (see ) are enabled, a backend can receive - wildcard lookups. These have a % as the first character of the qdomain in lookup. 
- - A sample minimal backend - - This backend only knows about the host "random.powerdns.com", and furthermore, only about its A record: - - -/* FIRST PART */ -class RandomBackend : public DNSBackend -{ -public: - bool list(const string &target, int id) - { - return false; // we don't support AXFR - } - - void lookup(const QType &type, const string &qdomain, DNSPacket *p, int zoneId) - { - if(type.getCode()!=QType::A || qdomain!="random.powerdns.com") // we only know about random.powerdns.com A - d_answer=""; // no answer - else { - ostringstream os; - os<<random()%256<<"."<<random()%256<<"."<<random()%256<<"."<<random()%256; - d_answer=os.str(); // our random ip address - } - } - - bool get(DNSResourceRecord &rr) - { - if(!d_answer.empty()) { - rr.qname="random.powerdns.com"; // fill in details - rr.qtype=QType::A; // A record - rr.ttl=86400; // 1 day - rr.content=d_answer; - - d_answer=""; // this was the last answer - - return true; - } - return false; // no more data - } - -private: - string d_answer; -}; - -/* SECOND PART */ - -class RandomFactory : public BackendFactory -{ -public: - RandomFactory() : BackendFactory("random") {} - - DNSBackend *make(const string &suffix) - { - return new RandomBackend(); - } -}; - -/* THIRD PART */ - -class RandomLoader -{ -public: - RandomLoader() - { - BackendMakers().report(new RandomFactory); - L << Logger::Info << "[randombackend] This is the random backend version " VERSION " reporting" << endl; - } -}; - -static RandomLoader randomloader; - - This simple backend can be used as an 'overlay'. In other words, it only knows about a single record, another loaded backend would have - to know about the SOA and NS records and such. But nothing prevents us from loading it without another backend. - - - The first part of the code contains the actual logic and should be pretty straightforward. The second part is a boilerplate - 'factory' class which PDNS calls to create randombackend instances. 
Note that a 'suffix' parameter is passed. Real life backends - also declare parameters for the configuration file; these get the 'suffix' appended to them. Note that the "random" in the - constructor denotes the name by which the backend will be known. - - - The third part registers the RandomFactory with PDNS. This is a simple C++ trick which makes sure that this function - is called on execution of the binary or when loading the dynamic module. - - - Please note that a RandomBackend is actually in most PDNS releases. By default it lives on random.example.com, but you can change - that by setting random-hostname. - - - NOTE: this simple backend neglects to handle case properly! - - - Interface definition - - Classes: - - DNSResourceRecord class - - - - QType qtypeQType of this record - - - string qnamename of this record - - - string contentASCII representation of right hand side - - - uint32_t ttlTime To Live of this record - - - int domain_idID of the domain this record belongs to - - - time_t last_modifiedIf unzero, last time_t this record was changed - - - bool authUsed for DNSSEC operations. See and more specifically . It is also useful to check out the rectifyZone() in pdnssec.cc - - - bool disabledIf set, this record is not to be served to DNS clients. Backends should not make these records available to PowerDNS unless indicated otherwise. - - - -
-
- - - SOAData struct - - - - string nameserverName of the master nameserver of this zone - - - string hostmasterHostmaster of this domain. May contain an @ - - - u_int32_t serialSerial number of this zone - - - u_int32_t refreshHow often this zone should be refreshed - - - u_int32_t retryHow often a failed zone pull should be retried. - - - u_int32_t expireIf zone pulls failed for this long, retire records - - - u_int32_t default_ttlDifficult - - - int domain_idThe ID of the domain within this backend. Must be filled! - - - DNSBackend *dbPointer to the backend that feels authoritative for a domain and can act as a slave - - - -
-
- - Methods: - - - void lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt=0, int zoneId=-1) - - - This function is used to initiate a straight lookup for a record of name 'qdomain' and type 'qtype'. - A QType can be converted into an integer by invoking its getCode() method and into - a string with the getCode(). - - - The original question may or may not be passed in the pointer p. If it is, you can retrieve (from 1.99.11 onwards) - information about who asked the question with the getRemote(DNSPacket *) method. Alternatively, - bool getRemote(struct sockaddr *sa, socklen_t *len) is available. - - - Note that qdomain can be of any case and that your backend should make sure it is in effect case - insensitive. Furthermore, the case of the original question should be retained in answers returned by get()! - - - Finally, the domain_id might also be passed indicating that only answers from the indicated zone need apply. This - can both be used as a restriction or as a possible speedup, hinting your backend where the answer might be found. - - - If initiated successfully, as indicated by returning true, answers should be made available over the - get() method. - - - Should throw an PDNSException if an error occurred accessing the database. Returning otherwise indicates that the query - was started successfully. If it is known that no data is available, no exception should be thrown! An exception indicates - that the backend considers itself broken - not that no answers are available for a question. - - - It is legal to return here, and have the first call to get() return false. This is interpreted as 'no data'. - - - - - - bool list(int domain_id, bool include_disabled=false) - - - Initiates a list of the indicated domain. Records should then be made available via the get() method. - Need not include the SOA record. If it is, PDNS will not get confused. 
- If include_disabled is given as true, records that are configured but should not be served to DNS clients must also be made available. - - - Should return false if the backend does not consider itself authoritative for this zone. - Should throw an PDNSException if an error occurred accessing the database. Returning true indicates that data is or should be available. - - - - - - bool get(DNSResourceRecord &rr) - - - Request a DNSResourceRecord from a query started by get() of list(). If this functions returns - true, rr has been filled with data. When it returns false, no more data is available, - and rr does not contain new data. A backend should make sure that it either fills out all fields of the - DNSResourceRecord or resets them to their default values. - - - The qname field of the DNSResourceRecord should be filled out with the exact qdomain passed to lookup, preserving - its case. So if a query for 'CaSe.yourdomain.com' comes in and your database contains data for 'case.yourdomain.com', the qname field of rr - should contain 'CaSe.yourdomain.com'! - - - Should throw an PDNSException in case a database error occurred. - - - - - - bool getSOA(const string &name, SOAData &soadata) - - - If the backend considers itself authoritative over domain name, this method should fill out - the passed SOAData structure and return a positive number. If the backend is functioning correctly, but - does not consider itself authoritative, it should return 0. In case of errors, an PDNSException should be thrown. - - - - - -
-
- Reporting errors - - To report errors, the Logger class is available which works mostly like an iostream. Example usage is as shown above in the RandomBackend. - Note that it is very important that each line is ended with endl as your message won't be visible otherwise. - - - To indicate the importance of an error, the standard syslog errorlevels are available. They can be set by outputting - Logger::Critical, - Logger::Error, - Logger::Warning, - Logger::Notice, - Logger::Info or - Logger::Debug to L, in descending order of graveness. - - - Declaring and reading configuration details - - It is highly likely that a backend needs configuration details. On launch, these parameters need to be declared with PDNS so it knows it - should accept them in the configuration file and on the command line. Furthermore, they will be listed in the output of - --help. - - - Declaring arguments is done by implementing the member function declareArguments() in the factory class of your - backend. PDNS will call this method after launching the backend. - - - In the declareArguments() method, the function declare() is available. The exact definitions: - - - void declareArguments(const string &suffix="") - - - This method is called to allow a backend to register configurable parameters. The suffix is the sub-name of this module. There is - no need to touch this suffix, just pass it on to the declare method. - - - - - - void declare(const string &suffix, const string &param, const string &explanation, const string &value) - - The suffix is passed to your method, and can be passed on to declare. param is the name of your parameter. - explanation is what will appear in the output of --help. Furthermore, a default value can be supplied in the - value parameter. 
- - - - - - - A sample implementation: - - void declareArguments(const string &suffix) - { - declare(suffix,"dbname","Pdns backend database name to connect to","powerdns"); - declare(suffix,"user","Pdns backend user to connect as","powerdns"); - declare(suffix,"host","Pdns backend host to connect to",""); - declare(suffix,"password","Pdns backend password to connect with",""); - } - - - - After the arguments have been declared, they can be accessed from your backend using the mustDo(), - getArg() and getArgAsNum() methods. The are defined as follows in the DNSBackend class: - - - - - void setArgPrefix(const string &prefix) - - - Must be called before any of the other accessing functions are used. Typical usage is 'setArgPrefix("mybackend"+suffix)' - in the constructor of a backend. - - - - - - bool mustDo(const string &key) - - - Returns true if the variable key is set to anything but 'no'. - - - - - - const string& getArg(const string &key) - - - Returns the exact value of a parameter. - - - - - - int getArgAsNum(const string &key) - - - Returns the numerical value of a parameter. Uses atoi() internally - - - - - - - Sample usage from the BindBackend, using the bind-example-zones and bind-config - parameters. - - if(mustDo("example-zones")) { - insert(0,"www.example.com","A","192.0.2.4"); - /* ... */ - } - - - if(!getArg("config").empty()) { - BindParser BP; - - BP.parse(getArg("config")); - } - - - - - - Read/write slave-capable backends - - The backends above are 'natively capable' in that they contain all data relevant for a domain and do not pull in data from other nameservers. - To enable storage of information, a backend must be able to do more. - - - Before diving into the details of the implementation some theory is in order. Slave domains are pulled from the master. PDNS needs to - know for which domains it is to be a slave, and for each slave domain, what the IP address of the master is. 
- - - A slave zone is pulled from a master, after which it is 'fresh', but this is only temporary. In the SOA record of a zone there is a field - which specifies the 'refresh' interval. After that interval has elapsed, the slave nameserver needs to check at the master ff the serial - number there is higher than what is stored in the backend locally. - - - If this is the case, PDNS dubs the domain 'stale', and schedules a transfer of data from the remote. This transfer remains scheduled - until the serial numbers remote and locally are identical again. - - - This theory is implemented by the getUnfreshSlaveInfos method, which is called on all backends periodically. - This method fills a vector of SlaveDomains with domains that are unfresh and possibly stale. - - - PDNS then retrieves the SOA of those domains remotely and locally and creates a list of stale domains. For each of these domains, PDNS - starts a zone transfer to resynchronise. Because zone transfers can fail, it is important that the interface to the backend allows - for transaction semantics because a zone might otherwise be left in a halfway updated situation. - - - The following excerpt from the DNSBackend shows the relevant functions: - - - - class DNSBackend { - public: - /* ... */ - virtual bool getDomainInfo(const string &domain, DomainInfo &di); - virtual bool isMaster(const string &name, const string &ip); - virtual bool startTransaction(const string &qname, int id); - virtual bool commitTransaction(); - virtual bool abortTransaction(); - virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername=0); - virtual void getUnfreshSlaveInfos(vector<DomainInfo>* domains); - virtual void setFresh(uint32_t id); - /* ... 
*/ - } - - - - The mentioned DomainInfo struct looks like this: - - DomainInfo struct - - - - uint32_t idID of this zone within this backend - - - string masterIP address of the master of this domain, if any - - - uint32_t serialSerial number of this zone - - - uint32_t notified_serialLast serial number of this zone that slaves have seen - - - time_t last_checkLast time this zone was checked over at the master for changes - - - enum {Master,Slave,Native} kindType of zone - - - DNSBackend *backendPointer to the backend that feels authoritative for a domain and can act as a slave - - - -
-
- - These functions all have a default implementation that returns false - which explains that these methods can be omitted in simple backends. - Furthermore, unlike with simple backends, a slave capable backend must make sure that the 'DNSBackend *db' field of the SOAData record is filled - out correctly - it is used to determine which backend will house this zone. - - - bool isMaster(const string &name, const string &ip); - - - If a backend considers itself a slave for the domain name and if the IP address in ip - is indeed a master, it should return true. False otherwise. This is a first line of checks to guard against reloading a domain - unnecessarily. - - - - - void getUnfreshSlaveInfos(vector<DomainInfo>* domains) - - - When called, the backend should examine its list of slave domains and add any unfresh ones to the domains vector. - - - - - bool getDomainInfo(const string &name, DomainInfo & di) - - - This is like getUnfreshSlaveInfos, but for a specific domain. If the backend considers itself authoritative for the named - zone, di should be filled out, and 'true' be returned. Otherwise return false. - - - - - bool startTransaction(const string &qname, int id) - - - When called, the backend should start a transaction that can be committed or rolled back atomically later on. - In SQL terms, this function should BEGIN a transaction and DELETE all - records. - - - - - bool feedRecord(const DNSResourceRecord &rr, string *ordername) - - - Insert this record. - - - - - - bool commitTransaction(); - - - Make the changes effective. In SQL terms, execute COMMIT. - - - - - - bool abortTransaction(); - - - Abort changes. In SQL terms, execute ABORT. - - - - - bool setFresh() - - - Indicate that a domain has either been updated or refreshed without the need for a retransfer. This causes - the domain to vanish from the vector modified by getUnfreshSlaveInfos(). - - - - - - - - PDNS will always call startTransaction() before making calls to feedRecord(). 
- Although it is likely that abortTransaction() will be called in case of problems, backends should also - be prepared to abort from their destructor. - - - The actual code in PDNS is currently (1.99.9): - - Resolver resolver; - resolver.axfr(remote,domain.c_str()); - - db->startTransaction(domain, domain_id); - - L<<Logger::Error<<"AXFR started for '"<<domain<<"'"<<endl; - Resolver::res_t recs; - - while(resolver.axfrChunk(recs)) { - for(Resolver::res_t::const_iterator i=recs.begin();i!=recs.end();++i) { - db->feedRecord(*i); - } - } - db->commitTransaction(); - db->setFresh(domain_id); - L<<Logger::Error<<"AXFR done for '"<<domain<<"'"<<endl; - - - Supermaster/Superslave capability - - A backend that wants to act as a 'superslave' for a master should implement the following method: - - class DNSBackend - { - virtual bool superMasterBackend(const string &ip, const string &domain, const vector<DNSResourceRecord>&nsset, string *account, DNSBackend **db) - }; - - This function gets called with the IP address of the potential supermaster, the domain it is sending a notification for and the set of NS records - for this domain at that IP address. - - - Using the supplied data, the backend needs to determine if this is a bonafide 'supernotification' which should be honoured. If it decides that it - should, the supplied pointer to 'account' needs to be filled with the configured name of the supermaster (if accounting is desired), and the - db needs to be filled with a pointer to your backend. - - - Supermaster/superslave is a complicated concept, if this is all unclear see . - - -
- Read/write master-capable backends - - In order to be a useful master for a domain, notifies must be sent out whenever a domain is changed. Periodically, PDNS - queries backends for domains that may have changed, and sends out notifications for slave nameservers. - - - In order to do so, PDNS calls the getUpdatedMasters() method. Like the getUnfreshSlaveInfos() - function mentioned above, this should add changed domain names to the vector passed. - - - The following excerpt from the DNSBackend shows the relevant functions: - - - - class DNSBackend { - public: - /* ... */ - virtual void getUpdatedMasters(vector<DomainInfo>* domains); - virtual void setNotified(uint32_t id, uint32_t serial); - /* ... */ - } - - - - These functions all have a default implementation that returns false - which explains that these methods can be omitted in simple backends. - - Furthermore, unlike with simple backends, a slave capable backend must make sure that the 'DNSBackend *db' field of the SOAData record is filled - out correctly - it is used to determine which backend will house this zone. - - - - void getUpdatedMasters(vector<DomainInfo>* domains) - - - When called, the backend should examine its list of master domains and add any changed ones to the DomainInfo vector - - - - - bool setNotified(uint32_t domain_id, uint32_t serial) - - - Indicate that notifications have been queued for this domain and that it need not be considered 'updated' anymore - - - - - - - - DNS update support - - To make your backend DNS update compatible, it needs to implement a number of new functions and functions already used for slave-operation. - The new functions are not DNS update specific and might be used for other update/remove functionality at a later stage. - -class DNSBackend { -public: - /* ... 
*/ - virtual bool startTransaction(const string &qname, int id); - virtual bool commitTransaction(); - virtual bool abortTransaction(); - virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername); - virtual bool replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset) - virtual bool listSubZone(const string &zone, int domain_id); - /* ... */ -} - - - - - - - - - virtual bool startTransaction(const string &qname, int id); - - - See . Please note that this function now receives a negative number (-1), which indicates that - the current zone data should NOT be deleted. - - - - - virtual bool commitTransaction(); - - See . - - - - virtual bool abortTransaction(); - - See . Method is called when an exception is received. - - - - virtual bool feedRecord(const DNSResourceRecord &rr, string *ordername); - - See . Please keep in mind that the zone is not empty because startTransaction() was called different. - - - - virtual bool listSubZone(const string &name, int domain_id); - - - This method is needed for rectification of a zone after NS-records have been added. For DNSSEC, we need to know which records - are below the currently added record. - listSubZone() is used like list() which means PowerDNS will call get() - after this method. - The default SQL query looks something like this: - -// First %s is 'sub.zone.com', second %s is '*.sub.zone.com' -select content,ttl,prio,type,domain_id,name from records where (name='%s' OR name like '%s') and domain_id=%d - - The method is not only used when adding records, but also to correct ENT-records in powerdns. Make sure it returns every record in the tree - below the given record. - - - - - virtual bool replaceRRSet(uint32_t domain_id, const string& qname, const QType& qt, const vector<DNSResourceRecord>& rrset); - - - This method should remove all the records with qname of type qt. 
qt - might also be ANY, which means all the records with that qname need to be removed. - After removal, the records in rrset must be added to the zone. rrset can be empty in which case the method is used to remove a RRset. - - - - - - -
- Compiling PowerDNS
- Compiling PowerDNS on Unix
-
-
- For now, see the Open Source PowerDNS site.
- ./configure ; make ; make install will do The Right Thing for most people.
-
-
-
- PowerDNS can be compiled with modules built in, or with modules designed to be loaded at runtime. All that is configured
- before compiling using the well known autoconf/automake system.
-
-
- To compile in modules, specify them as --with-modules="mod1 mod2 mod3", substituting the desired module names.
- Each backend has a module name in the table at the beginning of its section.
-
-
- To compile a module for inclusion at runtime, which is great if you are a unix vendor, use --with-dynmodules="mod1 mod2 mod3".
- These modules then end up as .so files in the compiled libdir.
-
-
- Starting with version 2.9.18, PowerDNS requires 'Boost' to compile, it is available for most operating systems. Otherwise, see the Boost
- website.
-
- AIX
-
- Known to compile with gcc, but only since 2.9.8. AIX lacks POSIX semaphores so they need to be emulated, as with MacOS X.
-
-
- FreeBSD
-
- Works fine, but use gmake. Pipe backend is currently broken, for reasons, see . Due to the threading model
- of FreeBSD, PowerDNS does not benefit from additional CPUs on the system.
-
-
- The FreeBSD Boost include files are installed in /usr/local/include, so prefix CXXFLAGS=-I/usr/local/include
- to your ./configure invocation.
-
-
- Linux
-
- Linux is probably the best supported platform as most of the main coders are Linux users. The static DEB distribution is known to have
- problems on Debian 'Sid', but that doesn't matter as PowerDNS is a native part of Debian 'Sid'. Just apt-get!
-
-
- MacOS X
-
- Did compile at one point but maintenance has lapsed. Let us know if you can provide us with a login on MacOS X or if you want to help.
-
-
- OpenBSD
-
- Compiles but then does not work very well. We hear that it may work with more recent versions of gcc, please let us know on
- pdns-dev@mailman.powerdns.com.
-
-
- Solaris
-
- Solaris 7 is supported, but only just. AAAA records do not work on Solaris 7. Solaris 8 and 9 work fine. The 'Sunpro' compiler
- has not been tried but is reported to be lacking large parts of the Standard Template Library, which PowerDNS relies on heavily.
- Use gcc and gmake (if available). Regular Solaris make has some issues with some PowerDNS Makefile constructs.
-
-
- When compiling, make sure that you have /usr/ccs/bin in your path. Furthermore, with some versions of MySQL,
- you may have to add "LDFLAGS=-lz" before ./configure.
-
-
-
-
- PowerDNS license (GNU General Public License version 2)
-
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1.
You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.
If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code.
(This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License.
Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10.
If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
-
- Further copyright statements
- OpenSSL linking exception
-
- Permission is granted to link this program with OpenSSL and to
- (re)distribute the binaries produced as the result of such linking.
-
-
- AES implementation by Brian Gladman
-
- Since version 3.1.5, PowerDNS contains AES code by Brian Gladman, to which
- the following applies:
-
-
- Copyright © 1998-2007, Brian Gladman, Worcester, UK. All rights reserved.
-
-
- LICENSE TERMS
-
-
- The free distribution and use of this software is allowed (with or without
- changes) provided that:
-
- 1. source code distributions include the above copyright notice, this
- list of conditions and the following disclaimer;
-
- 2. binary distributions include the above copyright notice, this list
- of conditions and the following disclaimer in their documentation;
-
- 3. the name of the copyright holder is not used to endorse products
- built using this software without specific written permission.
-
- DISCLAIMER
-
- This software is provided 'as is' with no explicit or implied warranties
- in respect of its properties, including, but not limited to, correctness
- and/or fitness for purpose.
-
-
-
-Cryptographic software and export control
-
- In certain legal climates, PowerDNS might potentially require an export control status, particularly
- since PowerDNS software contains cryptographic primitives.
-
-
- PowerDNS does not itself implement any cryptographic algorithms but relies on third party implementations
- of AES, RSA, ECDSA, GOST, MD5 and various SHA-based hashing algorithms.
-
-
- For AES, we rely on Brian Gladman's code, as outlined in . Furthermore,
- RSA, MD5 and the SHA-based algorithms are supplied as a copy of PolarSSL.
-
-
- Optionally, PowerDNS can link in a copy of the open source Botan cryptographic library.
-
-
- Optionally, PowerDNS can link in a copy of the open source Crypto++ library.
-
- Specific United States Export Control Notes
-
- PowerDNS is not "US Origin" software.
For re-export, like most open source, publicly available "mass market" projects, PowerDNS is - considered to be governed by section 740.13(e) of the US EAR, "Unrestricted encryption source code", under which PowerDNS source code - would be considered re-exportable from the US without an export license under License Exception TSU (Technology and Software - Unrestricted). - - - Like most open source projects containing some encryption, the ECCN that best fits PowerDNS software is 5D002. - - - The official link to the publicly available source code is http://downloads.powerdns.com/releases. - - - If absolute certainty is required, we recommend consulting an expert in US Export Control, or asking the BIS for confirmation. - - - -
- -- 2.49.0