|QType qtype|QType of this record|
|string qname|name of this record|
|string content|ASCII representation of right hand side|
-|uint16\_t priority| priority of an MX record.|
|uint32\_t ttl|Time To Live of this record|
|int domain\_id| ID of the domain this record belongs to|
|time\_t last\_modified| If unzero, last time\_t this record was changed|
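Review bot: removing the `priority` row leaves the table with no mention of where an MX preference now lives; since the `content` row already says "ASCII representation of right hand side", extend it to state that the preference value is part of that right-hand side (the remote backend `list` example on this page now shows `"content":"10 mx1.example.com."`), otherwise backend authors will keep emitting a separate priority field.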
To configure a supermaster with IP address 10.0.0.11 which lists this installation as 'autoslave.powerdns.com', issue the following:
```
- insert into supermasters ('10.0.0.11','autoslave.powerdns.com','internal');
+ insert into supermasters values ('10.0.0.11','autoslave.powerdns.com','internal');
```
From now on, valid notifies from 10.0.0.11 that list a NS record containing 'autoslave.powerdns.com' will lead to the provisioning of a slave domain under the account 'internal'. See [Supermaster](modes-of-operation.md#supermaster-automatic-provisioning-of-slaves) for details.
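Review bot: the corrected `insert into supermasters values (...)` still relies on positional column order, so a reader whose table was created with a different column order would silently put the nameserver or the account in the wrong column; naming the columns explicitly in the insert would make the example robust and would also make clear which value is the trusted notifier IP and which is the account that provisioned slave zones are attached to.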
The Geo Backend is in wide use, for example by the Wikimedia foundation, which uses it to power the Wikipedia global load balancing.
-More details can be found [here](http://wiki.powerdns.com/cgi-bin/trac.fcgi/browser/trunk/pdns/modules/geobackend/README), or in `modules/geobackend/README`, part of the PowerDNS Authoritative Server distribution.
+More details can be found [here](https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/geobackend/README), or in `modules/geobackend/README`, part of the PowerDNS Authoritative Server distribution.
--- /dev/null
+# GeoIP backend
+
+| | |
+|:--|:--|
+|Native|Yes|
+|Master|No|
+|Slave|No|
+|Superslave|No|
+|Autoserial|No|
+|DNSSEC|Yes|
+
+The GeoIP backend can be used to distribute queries globally using an MaxMind IP-address/country mapping table, currently avaible for debian and ubuntu for free. Other formats are not yet supported but will be in the future. The only format supported at the moment is country listing.
+
+This allows visitors to be sent to a server close to them, with no appreciable delay, as would otherwise be incurred with a protocol level redirect. Additionally, the Geo Backend can be used to provide service over several clusters, any of which can be taken out of use easily, for example for maintenance purposes.
+
+## Prerequisites
+To compile the backend, you need libyaml-cpp 0.5 or later and libgeoip.
+
+You must have geoip database available. As of writing, on debian/ubuntu systems, you can use apt-get install geoip-database to get one, and the backend is configured to use the location where these files are installed as source. On other systems you might need to alter the database-file and database-file6 attribute. If you don't need ipv4 or ipv6 support, set the respective setting to "". Leaving it unset leaves it pointing to default location, preventing the software from starting up.
+
+## Configuration Parameters
+These are the configuration file parameters that are available for the GeoIP backend. geoip-zones-files is the only thing you must set, if the defaults suite you.
+
+### `geoip-database-file`
+Specifies the full path of the data file for IPv4 to use.
+
+### `geoip-database-file6`
+Specifies the full path of the data file for IPv6 to use.
+
+### `geoip-zones-file`
+Specifies the full path of the zone configuration file to use.
+
+### `geoip-dnssec-keydir`
+Specifies the full path of a directory that will contain DNSSEC keys.
+
+## Zonefile format
+Zone configuration file uses YAML syntax. Here is simple example. Note that the ‐ before certain keys is part of the syntax.
+
+```
+domains:
+- domain: geo.example.com
+ ttl: 30
+ records:
+ geo.example.com:
+ - soa: ns1.example.com hostmaster.example.com 2014090125 7200 3600 1209600 3600
+ - ns: ns1.example.com
+ - ns: ns2.example.com
+ - mx: 10 mx.example.com
+ fin.eu.service.geo.example.com:
+ - a: 62.236.200.4
+ - txt: hello world
+ services:
+ service.geo.example.com: '%co.%cn.service.geo.example.com'
+```
+
+### Keys explained
+* **domains**: Mandatory root key. All configuration is below this
+* **domain**: Defines a domain. You need ttl, records, services under this.
+* **ttl**: TTL value for all records
+* **records**: Put fully qualified name as subkey, under which you must define at least soa: key. Note that this is an array of records, so ‐ is needed for the values.
+* **services**: Defines one or more services for querying. The format supports following placeholders, %% = %, %co = 3-letter country, %cn = continent, %af = v4 or v6. There are also other specifiers that will only work with suitable database and currently are untested. These are %re = region, %na = Name (such as, organisation), %ci = City.
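Review bot: the paragraph under "Configuration Parameters" refers to `geoip-zones-files` while the heading defines `geoip-zones-file`; one of them is wrong, and a reader copying the plural form ends up with a setting the server does not recognise. In the same file, "suite you" should be "suit you", "an MaxMind" should be "a MaxMind", "avaible" should be "available", and "Here is simple example" needs an article. The zonefile example also appears with its indentation flattened (the `ttl:`, `records:` and `services:` keys sit in the same column as `- domain:`), which does not express the nesting described under "Keys explained"; please check the indentation in the rendered file. Finally, "Leaving it unset leaves it pointing to default location, preventing the software from starting up" reads as if the default always fails, whereas the paragraph above says the default works on debian/ubuntu; say that start-up fails only when the default path does not exist on the system.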
## Compiling
To compile this backend, you need to configure `--with-modules="remote"`.
-If you want to use http connector, you need libcurl and use `--enable-remotebackend-http`.
+For versions prior to 3.4.0, if you want to use http connector, you need libcurl and use `--enable-remotebackend-http`.
If you want to use ZeroMQ connector, you need libzmq-dev or libzmq3-dev and use `--enable-remotebackend-zeromq`.
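Review bot: the new sentence says what versions before 3.4.0 needed for the HTTP connector but not what 3.4.0 and later need; state whether libcurl is still a build dependency and whether `--enable-remotebackend-http` is now ignored or removed, otherwise readers on 3.4.0 are left guessing whether HTTP support is built in by default.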
* Mandatory: Yes
* Parameters: qtype, qname, zone\_id
* Optional parameters: remote, local, real-remote
-* Reply: array of `qtype,qname,content,ttl,domain\_id,priority,scopeMask,auth`
+* Reply: array of `qtype,qname,content,ttl,domain\_id,scopeMask,auth`
* Optional values: domain\_id, scopeMask and auth
#### Example JSON/RPC
### `list`
Lists all records for the zonename. If you are running dnssec, you should take care of setting auth to appropriate value, otherwise things can go wrong.
-Mandatory: No (Gives AXFR support)
-Parameters: zonename, domain\_id
-Optional parameters: domain\_id
-Reply: array of `qtype,qname,content,ttl,domain\_id,priority,scopeMask,auth`
-Optional values: domain\_id, scopeMask and auth
+* Mandatory: No (Gives AXFR support)
+* Parameters: zonename, domain\_id
+* Optional parameters: domain\_id
+* Reply: array of `qtype,qname,content,ttl,domain\_id,scopeMask,auth`
+* Optional values: domain\_id, scopeMask and auth
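Review bot: `domain_id` is listed both under "Parameters" and under "Optional parameters" for `list`; pick one, or say that `zonename` is required and `domain_id` is optional. The `auth` warning ("otherwise things can go wrong") would be more useful if it said what actually goes wrong when `auth` is set incorrectly on a DNSSEC-enabled zone, since the reader has to decide how much care to take here.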
#### Example JSON/RPC
Query:
{"result":[
{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},
{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},
- {"qtype":"MX", "qname":"example.com", "content":"mx1.example.com.", "ttl": 60, "priority":10},
+ {"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},
{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60},
{"qtype":"A", "qname":"ns1.example.com", "content":"192.168.0.2", "ttl": 60},
{"qtype":"A", "qname":"mx1.example.com", "content":"192.168.0.3", "ttl": 60}
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
-{"result":[{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},{"qtype":"MX", "qname":"example.com", "content":"mx1.example.com.", "ttl": 60, "priority":10},{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60},{"qtype":"A", "qname":"ns1.example.com", "content":"192.168.0.2", "ttl": 60},{"qtype":"A", "qname":"mx1.example.com", "content":"192.168.0.3", "ttl": 60}]}
+{"result":[{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},{"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60},{"qtype":"A", "qname":"ns1.example.com", "content":"192.168.0.2", "ttl": 60},{"qtype":"A", "qname":"mx1.example.com", "content":"192.168.0.3", "ttl": 60}]}
```
### `getBeforeAndAfterNamesAbsolute`
#### Example JSON/RPC
Query:
```
-{"method":"superMasterBackend","parameters":{"ip":"10.0.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"priority":0,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"priority":0,"auth":true}]}}
+{"method":"superMasterBackend","parameters":{"ip":"10.0.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"auth":true}]}}
```
Response:
Content-Type: application/x-www-form-urlencoded
Content-Length: 317
-nsset[1][qtype]=NS&nsset[1][qname]=example.com&nsset[1][qclass]=1&nsset[1][content]=ns1.example.com&nsset[1][ttl]=300&nsset[1][priority]=0&nsset[1][auth]=true&nsset[2][qtype]=NS&nsset[2][qname]=example.com&nsset[2][qclass]=1&nsset[2][content]=ns2.example.com&nsset[2][ttl]=300&nsset[2][priority]=0&nsset[2][auth]=true
+nsset[1][qtype]=NS&nsset[1][qname]=example.com&nsset[1][qclass]=1&nsset[1][content]=ns1.example.com&nsset[1][ttl]=300&nsset[1][auth]=true&nsset[2][qtype]=NS&nsset[2][qname]=example.com&nsset[2][qclass]=1&nsset[2][content]=ns2.example.com&nsset[2][ttl]=300&nsset[2][auth]=true
```
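Review bot: `Content-Length: 317` at the top of this response is now wrong: the two `&nsset[N][priority]=0` parameters that were removed are 21 bytes each, so the body shown is 275 bytes. An example whose declared length does not match its body will trip up anyone validating their connector against the documentation.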
Response:
#### Example JSON/RPC
Query:
```
-{"method":"replaceRRSet","parameters":{"domain_id":2,"qname":"replace.example.com","qtype":"A","trxid":1370416133,"rrset":[{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"1.1.1.1","ttl":300,"priority":0,"auth":true}]}}
+{"method":"replaceRRSet","parameters":{"domain_id":2,"qname":"replace.example.com","qtype":"A","trxid":1370416133,"rrset":[{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"1.1.1.1","ttl":300,"auth":true}]}}
```
Response:
Content-Type: application/x-www-form-urlencoded
Content-Length: 135
-trxid=1370416133&rrset[qtype]=A&rrset[qname]=replace.example.com&rrset[qclass]=1&rrset[content]=1.1.1.1&rrset[priority]=0&rrset[auth]=1
+trxid=1370416133&rrset[qtype]=A&rrset[qname]=replace.example.com&rrset[qclass]=1&rrset[content]=1.1.1.1&rrset[auth]=1
```
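Review bot: `Content-Length: 135` no longer matches the body: `&rrset[priority]=0` is 18 bytes, so the remaining string is 117 bytes. Separately, and pre-existing, the form-encoded body carries no `rrset[ttl]` even though the JSON query sets `"ttl":300`, and it encodes `auth` as `1` where the other examples use `true`; worth aligning while this line is being touched.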
Response:
#### Example JSON/RPC
Query:
```
-{"method":"feedRecord","parameters":{"rr":{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"127.0.0.1","ttl":300,"priority":0,"auth":true},"trxid":1370416133}}
+{"method":"feedRecord","parameters":{"rr":{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"127.0.0.1","ttl":300,"auth":true},"trxid":1370416133}}
```
Response:
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
-rr[qtype]=A&rr[qname]=replace.example.com&rr[qclass]=1&rr[content]=127.0.0.1&rr[ttl]=300&rr[priority]=0&rr[auth]=true
+rr[qtype]=A&rr[qname]=replace.example.com&rr[qclass]=1&rr[content]=127.0.0.1&rr[ttl]=300&rr[auth]=true
```
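Review bot: `Content-Length: 117` should become 102 here: `&rr[priority]=0` (15 bytes) was removed from the body, and the two headers and the body should agree.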
Response:
"qname": "example.com",
"content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600",
"ttl": 3600,
- "priority": 0,
"domain_id": -1
}
]
"qname": "example.com",
"content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600",
"ttl": 3600,
- "priority": 0,
"domain_id": -1
}
]
# Thanks to, acknowledgements
PowerDNSSEC has been made possible by the help & contributions of many people. We would like to thank:
-- Peter Koch (DENIC)
-- Olaf Kolkman (NLNetLabs)
-- Wouter Wijngaards (NLNetLabs)
-- Marco Davids (SIDN)
-- Markus Travaille (SIDN)
-- Antoin Verschuren (SIDN)
-- Olafur Guðmundsson (IETF)
-- Dan Kaminsky (Recursion Ventures)
-- Roy Arends (Nominet)
-- Miek Gieben
-- Stephane Bortzmeyer (AFNIC)
-- Michael Braunoeder (nic.at)
-- Peter van Dijk
-- Maik Zumstrull
-- Jose Arthur Benetasso Villanova
-- Stefan Schmidt (CCC ;-))
-- Roland van Rijswijk (Surfnet)
-- Paul Bakker (Brainspark/Fox-IT)
-- Mathew Hennessy
-- Johannes Kuehrer (Austrian World4You GmbH)
-- Marc van de Geijn (bHosted.nl)
-- Stefan Arentz
-- Martin van Hensbergen (Fox-IT)
-- Christoph Meerwald
-- Leen Besselink
-- Detlef Peeters
-- Christof Meerwald
-- Jack Lloyd
-- Frank Altpeter
-- Fredrik Danerklint
-- Vasiliy G Tolstov
-- Brielle Bruns
-- Evan Hunt (ISC)
-- Ralf van der Enden
-- Jan-Piet Mens
-- Justin Clift
-- Kees Monshouwer
-- Aki Tuomi
+- Peter Koch (DENIC)
+- Olaf Kolkman (NLNetLabs)
+- Wouter Wijngaards (NLNetLabs)
+- Marco Davids (SIDN)
+- Markus Travaille (SIDN)
+- Antoin Verschuren (SIDN)
+- Olafur Guðmundsson (IETF)
+- Dan Kaminsky (Recursion Ventures)
+- Roy Arends (Nominet)
+- Miek Gieben
+- Stephane Bortzmeyer (AFNIC)
+- Michael Braunoeder (nic.at)
+- Peter van Dijk
+- Maik Zumstrull
+- Jose Arthur Benetasso Villanova
+- Stefan Schmidt (CCC ;-))
+- Roland van Rijswijk (Surfnet)
+- Paul Bakker (Brainspark/Fox-IT)
+- Mathew Hennessy
+- Johannes Kuehrer (Austrian World4You GmbH)
+- Marc van de Geijn (bHosted.nl)
+- Stefan Arentz
+- Martin van Hensbergen (Fox-IT)
+- Christoph Meerwald
+- Leen Besselink
+- Detlef Peeters
+- Christof Meerwald
+- Jack Lloyd
+- Frank Altpeter
+- Fredrik Danerklint
+- Vasiliy G Tolstov
+- Brielle Bruns
+- Evan Hunt (ISC)
+- Ralf van der Enden
+- Jan-Piet Mens
+- Justin Clift
+- Kees Monshouwer
+- Aki Tuomi
+- Ruben Kerkhof
+- Christian Hofstaedtler
+- Ruben d'Arco
+- Morten Stevens
+- Pieter Lexis
- .. this list is far from complete yet ..
## `forward-dnsupdate`
Tell PowerDNS to forward to the master server if the zone is configured as slave. Masters are determined by the masters field in the domains table. The default behaviour is enabled (yes), which means that it will try to forward. In the processing of the update packet, the **allow-dnsupdate-from** and **TSIG-2136-ALLOW** are processed first, so those permissions apply before the **forward-dnsupdate** is used. It will try all masters that you have configured until one is successful.
+The semantics are that first a dynamic update has to be allowed either by the global allow-dnsupdate-from setting, or by a per-zone ALLOW-DNSUPDATE-FROM metadata setting.
+
+Secondly, if a zone has a TSIG-ALLOW-DNSUPDATE metadata setting, that must match too.
+
+So to only allow dynamic DNS updates to a zone based on TSIG key, and regardless of IP address, set allow-dns-update-from to empty, set ALLOW-DNSUPDATE-FROM to "0.0.0.0/0" and "::/0" and set the TSIG-ALLOW-DNSUPDATE to the proper key name.
+
+Further information can be found [below](#how-it-works).
+
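Review bot: the added paragraph spells the setting `allow-dns-update-from`, while the surrounding text uses `allow-dnsupdate-from`; a user copying the new spelling gets an unknown setting. The metadata names also disagree: the existing paragraph says `TSIG-2136-ALLOW`, the added text says `TSIG-ALLOW-DNSUPDATE`. Please settle on the real names, because the TSIG-only recipe given here (empty `allow-dnsupdate-from`, `ALLOW-DNSUPDATE-FROM` set to 0.0.0.0/0 and ::/0) opens the zone to update attempts from any address and is only safe if the TSIG metadata key named in the doc is the one the server actually checks.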
# Per zone settings
For permissions, a number of per zone settings are available via the domain metadata (See [Chapter 15, *Per zone settings aka Domain Metadata*](domainmetadata.html "Chapter 15. Per zone settings aka Domain Metadata")).
TSIG, as defined in [RFC 2845](http://tools.ietf.org/html/rfc2845), is a method for signing DNS messages using shared secrets. Each TSIG shared secret has a name, and PowerDNS can be told to allow zone transfer of a domain if the request is signed with an authorized name.
-In PowerDNS, TSIG shared secrets are stored by the various backends. In case of the popular Generic backends, they can be found in the 'tsigkeys' table. The name can be chosen freely, but the algorithm name will typically be 'hmac-md5'. The content is a Base64-encoded secret.
+In PowerDNS, TSIG shared secrets are stored by the various backends. In case of the popular Generic backends, they can be found in the 'tsigkeys' table. The name can be chosen freely, but the algorithm name will typically be 'hmac-md5'. Other supported algorithms are 'hmac-sha1', 'hmac-shaX' where X is 224, 256, 384 or 512. The content is a Base64-encoded secret.
**Note**: Most backends require DNSSEC support enabled to support TSIG. For the Generic SQL Backend make sure to use the DNSSEC enabled schema and to turn on the relevant '-dnssec' flag (for example, gmysql-dnssec)!
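Review bot: now that `hmac-sha1` and the `hmac-shaX` family are documented, calling `hmac-md5` the typical choice steers new deployments to the weakest option; suggest rewording so that the SHA-2 variants are the recommended default and `hmac-md5` is mentioned only for compatibility with existing peers. `hmac-shaX` would also read more clearly spelled out as hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512.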
* **packetcache-size**: Amount of packets in the packetcache
* **qsize-a**: Size of the queue before the transmitting socket.
* **qsize-q**: Number of packets waiting for database attention
+* **rd-queries**:Number of packets sent by clients requesting recursion (regardless of if we'll be providing them with recursion). Since 3.4.0.
+* **recursing-questions**: Number of packets we supplied an answer to after recursive processing
+* **recursing-questions**: Number of packets we performed recursive processing for
+* **recursion-unanswered**: Number of packets we sent to our recursor, but did not get a timely answer for. Since 3.4.0.
* **servfail-packets**: Amount of packets that could not be answered due to database problems
* **tcp-answers**: Number of answers sent out over TCP
* **tcp-questions**: Number of questions received over TCP
* **timedout-questions**: Amount of packets that were dropped because they had to wait too long internally
* **udp-answers**: Number of answers sent out over UDP
-* **udp-questions**: Number of questions received over UDP
+* **udp-queries**: Number of questions received over UDP
+* **udp4-answers**: Number of answers sent out over UDPv4
+* **udp4-queries**: Number of questions received over UDPv4
+* **udp6-answers**: Number of answers sent out over UDPv6
+* **udp6-queries**: Number of questions received over UDPv6
### Ring buffers
Besides counters, PDNS also maintains the ringbuffers. A ringbuffer records events, each new event gets a place in the buffer until it is full. When full, earlier entries get overwritten, hence the name 'ring'.
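Review bot: two metrics in the added bullets are both named `recursing-questions` with different descriptions; the first one ("Number of packets we supplied an answer to after recursive processing") describes answers, so one of the two names is wrong and the description or the name needs fixing. Also `**rd-queries**:Number` is missing the space after the colon that the other bullets have.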
#### `experimental-api-readonly`
If the JSON API should disallow data modification
+#### `experimental-api-key`
+Static API authentication key, must be sent in the X-API-Key header. Required for any API usage.
+
#### `experimental-dname-processing`
If we should support DNAME records
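Review bot: `experimental-api-key` is a static credential sent in a header on every request, so the entry should say how it is protected in transit (whether the webserver speaks TLS or must be fronted by something that does), that access to the webserver should be restricted to the hosts that need the API, and that the key should be rotated if a client holding it is compromised; as written the entry gives only the header name.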
**Note**: Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor are released separately.
# PowerDNS Authoritative Server 3.4.0
-RC1 released August 1st, 2014
+Released September 30th, 2014
This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.
**Warning**: Version 3.4.0 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade. Please refer to the [Upgrade documentation](authoritative/upgrading.md) for important information on correct and stable operation, as well as notes on performance and memory use.
## Downloads
-
- * [tar.bz2 source](http://powerdnssec.org/downloads/pdns-3.4.0-rc1.tar.bz2)
- * [i386 RPM](http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc1-1.i386.rpm)
- * [x86\_64 RPM](http://powerdnssec.org/downloads/packages/pdns-static-3.4.0rc1-1.x86_64.rpm)
- * [i386 deb](http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc1-1_i386.deb)
- * [x86\_64 deb](http://powerdnssec.org/downloads/packages/pdns-static_3.4.0-rc1-1_amd64.deb)
- * [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-server/)
+Find the downloads [on our download page](https://www.powerdns.com/downloads.html).
A list of changes since 3.3.1 follows.
+Changes between RC2 and 3.4.0:
+- [commit ad189c9](https://github.com/PowerDNS/pdns/commit/ad189c9), [commit 445d93c](https://github.com/PowerDNS/pdns/commit/445d93c): also distribute the dnsdist manual page
+- [commit b5a276d](https://github.com/PowerDNS/pdns/commit/b5a276d), [commit 0b346e9](https://github.com/PowerDNS/pdns/commit/0b346e9), [commit 74caf87](https://github.com/PowerDNS/pdns/commit/74caf87), [commit 642fd2e](https://github.com/PowerDNS/pdns/commit/642fd2e): Make sure all backends actually work as dynamic modules
+- [commit 14b11c4](https://github.com/PowerDNS/pdns/commit/14b11c4): raise log level on dlerror(), fixes [ticket 1734](https://github.com/PowerDNS/pdns/issues/1734), thanks @James-TR
+- [commit 016d810](https://github.com/PowerDNS/pdns/commit/016d810): improve postgresql detection during ./configure
+- [commit dce1e90](https://github.com/PowerDNS/pdns/commit/dce1e90): DNAME: don't sign the synthesised CNAME
+- [commit 25e7af3](https://github.com/PowerDNS/pdns/commit/25e7af3): send empty SERVFAIL after a backend throws a DBException, instead of including useless content
+
+Changes between RC1 and RC2:
+- [commit bb6e54f](https://github.com/PowerDNS/pdns/commit/bb6e54f): document udp6-queries, udp4-queries, add rd-queries, recursion-unanswered metrics & document. Closes [ticket 1400](https://github.com/PowerDNS/pdns/issues/1400).
+- [commit 4a23af7](https://github.com/PowerDNS/pdns/commit/4a23af7): init script: support DAEMON\_ARGS; [commit 7e5b3a0](https://github.com/PowerDNS/pdns/commit/7e5b3a0): init script: ensure socket dir exists
+- [commit dd930ed](https://github.com/PowerDNS/pdns/commit/dd930ed): don't import supermaster ips from other accounts
+- [commit ed3afdf](https://github.com/PowerDNS/pdns/commit/ed3afdf): fall back to central bind if reuseport bind fails; improves [ticket 1715](https://github.com/PowerDNS/pdns/issues/1715)
+- [commit 709ca59](https://github.com/PowerDNS/pdns/commit/709ca59): GeoIP backend implementation. This is a new backend, still experimental!
+- [commit bf5a484](https://github.com/PowerDNS/pdns/commit/bf5a484): support EVERY future version of OS X, fixes [ticket 1702](https://github.com/PowerDNS/pdns/issues/1702)
+- [commit 4dbaec6](https://github.com/PowerDNS/pdns/commit/4dbaec6): Check for \_\_FreeBSD\_kernel\_\_ as per https://lists.debian.org/debian-bsd/2006/03/msg00127.html, fixes [ticket 1684](https://github.com/PowerDNS/pdns/issues/1684); [commit 74f389d](https://github.com/PowerDNS/pdns/commit/74f389d): \_\_FreeBSD\_kernel\_\_ is defined but empty on systems with FreeBSD kernels, breaking compile. Thanks pawal
+- [commit 2e6bbd8](https://github.com/PowerDNS/pdns/commit/2e6bbd8): Catch PDNSException in Signingpiper::helperWorker to avoid abort
+- [commit 0ffd51d](https://github.com/PowerDNS/pdns/commit/0ffd51d): improve error reporting on malformed labels
+- [commit c48dec7](https://github.com/PowerDNS/pdns/commit/c48dec7): Fix forwarded TSIG message issue
+- [commit dad70f2](https://github.com/PowerDNS/pdns/commit/dad70f2): skip TCP\_DEFER\_ACCEPT on platforms that do not have it (like FreeBSD); fixes [ticket 1658](https://github.com/PowerDNS/pdns/issues/1658)
+- [commit c7287b6](https://github.com/PowerDNS/pdns/commit/c7287b6): should fix [ticket 1662](https://github.com/PowerDNS/pdns/issues/1662), reloading while checking for domains that need to be notified in BIND, causing lock
+- [commit 3e67ea8](https://github.com/PowerDNS/pdns/commit/3e67ea8): allow OPT pseudo record type in IXFR query
+- [commit a1caa8b](https://github.com/PowerDNS/pdns/commit/a1caa8b): webserver: htmlescape VERSION and config name
+- [commit df9d980](https://github.com/PowerDNS/pdns/commit/df9d980): Remove "log-failed-updates" leftover
+- [commit a1fe72a](https://github.com/PowerDNS/pdns/commit/a1fe72a): Remove unused "soa-serial-offset" option
+
+Changes between 3.3.1 and 3.4.0-RC1 follow.
+
## DNSSEC changes
- [commit bba8413](https://github.com/PowerDNS/pdns/commit/bba8413): add option (max-signature-cache-entries) to limit the maximum number of cached signatures.
- [commit 28b66a9](https://github.com/PowerDNS/pdns/commit/28b66a9): limit the number of NSEC3 iterations (see RFC5155 10.3), with the max-nsec3-iterations option.
- [commit 5631b44](https://github.com/PowerDNS/pdns/commit/5631b44): gpsqlbackend: use empty defaults for dbname and user; libpq will use the current user name for both by default
- [commit d87ded3](https://github.com/PowerDNS/pdns/commit/d87ded3): implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said. Plus document it.
- Implement udp-truncation-threshold to override the previous 1680 byte maximum response datagram size - no matter what EDNS0 said.
-- On shutdown, PowerDNS now attempts to stop all processes in its process group, especially useful for pipe/remotebackend users. Feature donated by Spotify.
- Removed settings related to fancy records, as we haven't supported those since version 3.0
- Based on earlier work by Mark Zealey, Kees Monshouwer increased our packet cache performance between 200% and 500% depending on the situation, by simplifying some code in [commit 801812e](https://github.com/PowerDNS/pdns/commit/801812e) and [commit 8403ade](https://github.com/PowerDNS/pdns/commit/8403ade).
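Review bot: the "On shutdown, PowerDNS now attempts to stop all processes in its process group" bullet is deleted from the DNSSEC changes list with no replacement in view; if it was moved elsewhere in the changelog that is fine, but if it was dropped because the behaviour is gone, the pipe/remote backend users it addressed should be told. The two pre-existing `udp-truncation-threshold` bullets directly above (one with the commit link, one without) duplicate each other and could be merged in the same pass.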
+# PowerDNS Recursor 3.6.1
+**Warning**: Version 3.6.1 is a mandatory security upgrade to 3.6.0! Released on the 10th of September 2014.
+
+PowerDNS Recursor 3.6.0 could crash with a specific sequence of packets. For more details, see [the advisory](powerdns-advisory-2014-01.html). PowerDNS Recursor 3.6.1 was very well tested, and is in full production already, so it should be a safe upgrade.
+
+## Downloads
+- [Official download page](https://www.powerdns.com/downloads.html)
+
+In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature:
+
+- We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff.1.2.3.4). Fixed in [commit c90fcbd](https://github.com/PowerDNS/pdns/commit/c90fcbd) , closing [ticket 1663](https://github.com/PowerDNS/pdns/issues/1663).
+- Improve systemd startup timing with respect to network availability ([commit cf86c6a](https://github.com/PowerDNS/pdns/commit/cf86c6a)), thanks to Morten Stevens.
+- Realtime telemetry can now be enabled at runtime, for example with 'rec\_control carbon-server 82.94.213.34 ourname1234'. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our [public telemetry server](http://xs.powerdns.com/metronome/?server=pdns.xs.recursor&beginTime=-3600).
+
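Review bot: the IPv4-mapped example is written `:ffff.1.2.3.4`; the RFC 4291 form is `::ffff:1.2.3.4` (two leading colons, a colon before the dotted quad). Also, the `rec_control carbon-server` example sends the running instance's statistics to a server that the text itself calls public; say next to the command that the statistics become publicly visible, so operators do not enable it at runtime without realising the data leaves their network.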
# PowerDNS Recursor version 3.6.0
This is a performance, feature and bugfix update to 3.5/3.5.3. It contains important fixes for slightly broken domain names, which your users expect to work anyhow. It also brings robust resilience against certain classes of attacks.
## Downloads
- [Official download page](https://www.powerdns.com/downloads.html)
-- [native RHEL5/6 packages from Kees Monshouwer](http://www.monshouwer.eu/download/3rd_party/pdns-recursor/)
+- [native RHEL5/6 packages from Kees Monshouwer](https://www.monshouwer.eu/download/3rd_party/pdns-recursor/)
## Changes between RC1 and release
- [commit 30b13ef](https://github.com/PowerDNS/pdns/commit/30b13ef): do not apply some of our filters to root and gtlds, plus remove some useless {}
Multiple matches can be chained with the | operator. For example, to match all queries for Dutch (.nl) and German (.de) domain names, use: '\\.nl\\.\$|\\.de\\.\$'.
+### `version`
+Available after 3.6.1, report currently running version.
+
### `wipe-cache domain0. [domain1. domain2.]`
Wipe entries from the cache. This is useful if, for example, an important server has a new IP address, but the TTL has not yet expired. Multiple domain names can be passed. For versions before 3.1, you must terminate a domain with a .! So to wipe powerdns.org, issue 'rec\_control wipe-cache powerdns.org.'. For later versions, the dot is optional.
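Review bot: "Available after 3.6.1" is ambiguous between "in 3.6.1 and later" and "only in versions newer than 3.6.1"; the 3.6.1 change list on this page does not mention a `version` command, so state exactly which release introduces it.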
In the `rrd/` subdirectory a number of rrdtool scripts is provided to make nice graphs of all these numbers. Use **rec\_control get-all** to get all statistics in one go.
-It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-1000 + packetcache-hits + over-capacity-drops + policy-drops = questions.
+It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-1000 + answers-slow + packetcache-hits + over-capacity-drops + policy-drops = questions.
Also note that unauthorized-tcp and unauthorized-udp packets do not end up in the 'questions' count.
We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. This license is included in this documentation.
-As of the 9th of January 2012, no actual security problems with PowerDNS 2.9.22.5, 3.0.1, Recursor 3.1.7.2, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+As of the 25th of September 2012, no actual security problems with PowerDNS 2.9.22.5, 3.0.1, Recursor 3.1.7.2, or later are known about, with the exception of Recursor 3.6.0 specifically. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailing lists.
+
+Version 3.6.0 of the Recursor (but not 3.5.x) can be crashed remotely with a specific packet sequence. For more detail, see [PowerDNS Security Advisory 2014-01](powerdns-advisory-2014-01.md)
Versions 2.9.22 and lower and 3.0 of the PowerDNS Authoritative Server were vulnerable to a temporary denial of service attack. For more detail, see [PowerDNS Security Advisory 2012-01](powerdns-advisory-2012-01.md).
Version 3.1.4 and earlier of the PowerDNS recursor were vulnerable to a spoofing attack. For more detail, see [PowerDNS Security Advisory 2008-01](powerdns-advisory-2008-01.md "System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor").
-Version 3.1.3 and earlier of the PowerDNS recursor contain two security issues, both of which can lead to a denial of service, both of which can be triggered by remote users. One of the issues might lead be exploited and lead to a system compromise. For more detail, see [PowerDNS Security Advisory 2006-01](powerdns-advisory-2006-01.md "Malformed TCP queries can lead to a buffer overflow which might be exploitable") and [PowerDNS Security Advisory 2006-02](powerdns-advisory-2006-02.md "Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash").
+Version 3.1.3 and earlier of the PowerDNS recursor contain two security issues, both of which can lead to a denial of service, both of which can be triggered by remote users. One of the issues might be exploited and ead to a system compromise. For more detail, see [PowerDNS Security Advisory 2006-01](powerdns-advisory-2006-01.md "Malformed TCP queries can lead to a buffer overflow which might be exploitable") and [PowerDNS Security Advisory 2006-02](powerdns-advisory-2006-02.md "Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash").
Version 3.0 of the PowerDNS recursor contains a denial of service bug which can be exploited remotely. This bug, which we believe to only lead to a crash, has been fixed in 3.0.1. There are no guarantees however, so an upgrade from 3.0 is highly recommended.
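Review bot: the "As of" date now reads 25th of September 2012, but the exception it carves out (Recursor 3.6.0, whose advisory is dated 10th of September 2014) did not exist in 2012; the year should be 2014. The rewritten 2006 paragraph also dropped a letter: "might be exploited and ead to a system compromise" should read "lead to".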
--- /dev/null
+## PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely
+
+* CVE: CVE-2014-3614
+* Date: 10th of September 2014
+* Credit: Dedicated PowerDNS users willing to study a crash that happens once every few months (thanks)
+* Affects: Only PowerDNS Recursor version 3.6.0.
+* Not affected: No other versions of PowerDNS Recursor, no versions of PowerDNS Authoritative Server
+* Severity: High
+* Impact: Crash
+* Exploit: The sequence of packets required is known
+* Risk of system compromise: No
+* Solution: Upgrade to PowerDNS Recursor 3.6.1
+* Workaround: Restrict service using [`allow-from`](../recursor/settings.md#allow-from), install script that restarts PowerDNS
+
+Recently, we've discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin.
+
+Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow.
+
+Upgrading to 3.6.1 solves the issue.
+
+In addition, if you want to apply a minimal fix to your own tree, it can be found [here](https://xs.powerdns.com/tmp/minipatch-3.6.1)
+
+As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase. Secondly, [this](https://github.com/PowerDNS/pdns/blob/master/contrib/upstart-recursor.conf) and [this](https://github.com/PowerDNS/pdns/blob/master/contrib/systemd-pdns-recursor.service) can be used to enable Upstart and Systemd to restart the PowerDNS Recursor automatically.
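Review bot: the minimal fix is linked from `https://xs.powerdns.com/tmp/minipatch-3.6.1`, a path that reads as temporary and carries no checksum or signature; since this is a security fix people will apply to production, link the upstream commit(s) in the PowerDNS repository instead, or at least publish a hash beside the link. The header also states "Risk of system compromise: No" flatly while the body only says "There appears to be no way"; align the two so the summary does not promise more than the analysis supports.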
- [authoritative/backend-db2.md, 'Authoritative', 'Backend: DB2']
- [authoritative/backend-generic-mypgsql.md, 'Authoritative', 'Backend: Generic MySQL and PostGreSQL']
- [authoritative/backend-geo.md, 'Authoritative', 'Backend: Geo(graphic loadbalancing)']
+ - [authoritative/backend-geoip.md, 'Authoritative', 'Backend: GeoIP']
- [authoritative/backend-gsqlite.md, 'Authoritative', 'Backend: Generic SQLite']
- [authoritative/backend-ldap.md, 'Authoritative', 'Backend: LDAP']
- [authoritative/backend-lmdb.md, 'Authoritative', 'Backend: LMDB']
- [recursor/internals.md, 'Recursor', 'Internals']
- [recursor/settings.md, 'Recursor', 'List of Settings']
- [security/index.md, 'Security', 'Security Policy']
+ - [security/powerdns-advisory-2014-01.md, 'Security', 'Advisory 2014-01']
- [security/powerdns-advisory-2012-01.md, 'Security', 'Advisory 2012-01']
- [security/powerdns-advisory-2010-02.md, 'Security', 'Advisory 2010-02']
- [security/powerdns-advisory-2010-01.md, 'Security', 'Advisory 2010-01']