## Commit Guidelines
* Tell why the change does what it does, not how it does it.
* The first line should be short (preferably less than 50 characters)
-* The rest of the commit body should be wrapped at 72 characters (see [this](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for more info)
+* The rest of the commit body should be wrapped at 72 characters (see [this](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for more info)
* If this commit fixes an issue, put "Closes #XXXX" in the message
* Do not put whitespace fixes/cleanup and functionality changes in the same commit
```
In the above example `/path/to/supervisord.conf` is the path where a configmap containing your supervisord configuration is mounted.
-Further details about `supervisord` and how to configure it can be found here: http://supervisord.org/configuration.html
+Further details about `supervisord` and how to configure it can be found here: https://supervisord.org/configuration.html
Building the HTML documentation
-------------------------------
-The HTML documentation (as seen [on the PowerDNS docs site](https://doc.powerdns.com/authoritative/)) is built from ReStructured Text (rst) files located in `docs`. They are compiled into HTML files using [Sphinx](http://www.sphinx-doc.org/en/master/index.html), a documentation generator tool which is built in Python.
+The HTML documentation (as seen [on the PowerDNS docs site](https://doc.powerdns.com/authoritative/)) is built from ReStructured Text (rst) files located in `docs`. They are compiled into HTML files using [Sphinx](https://www.sphinx-doc.org/en/master/index.html), a documentation generator tool which is built in Python.
Install the dependencies under "COMPILING", and run autoreconf if you haven't already:
- make error codes we get for building and running containers
readable if we can find a lib for this; otherwise, it requires too
much maintenance
- - `errno` http://joeyh.name/code/moreutils/
+ - `errno` https://joeyh.name/code/moreutils/
- parameter to test all the things! (this can currently easily done
by a shell script / command)
- `for RELEASE in auth-42 auth-43 auth-44 auth-master rec-42 rec-43 rec-44 rec-45 rec-master dnsdist-15 dnsdist-16 dnsdist-master; do ./generate-repo-files.py --test $RELEASE; done`
By default, the PowerDNS Authoritative Server requires the following libraries and headers:
-* `Boost <http://boost.org/>`_ 1.54 or newer
+* `Boost <https://boost.org/>`_ 1.54 or newer
* `OpenSSL <https://openssl.org>`_
To build from a Git repository clone, the following dependencies are also required:
-* `ragel <http://www.colm.net/open-source/ragel/>`_
+* `ragel <https://www.colm.net/open-source/ragel/>`_
* `bison <https://www.gnu.org/software/bison/>`_
* `flex <https://github.com/westes/flex>`_
* `Python <https://python.org>`_ 3.6 or newer, with the 'venv' package
replication **must** be set to ``MIXED`` or ``ROW`` to prevent
differences in data between replicated servers. See `"Setting
The Binary Log
-Format" <http://dev.mysql.com/doc/refman/5.7/en/binary-log-setting.html>`__
+Format" <https://dev.mysql.com/doc/refman/5.7/en/binary-log-setting.html>`__
and `"Binary Log Formats" <https://mariadb.com/kb/en/binary-log-formats/>`__
for more information.
The Generic ODBC Backend (godbc) is a child of the Generic SQL (gsql)
backend, similar to the gmysql and gpgsql backends. It uses
-`UnixODBC <http://www.unixodbc.org/>`__ and installed drivers to connect
+`UnixODBC <https://www.unixodbc.org/>`__ and installed drivers to connect
to the databases supported by said drivers.
.. warning::
least version 3.2.0 of UnixODBC. FreeDTS has been tested with versions
0.91 and 0.95.
-Install the `FreeTDS <http://www.freetds.org/>`__ driver for UnixODBC,
+Install the `FreeTDS <https://www.freetds.org/>`__ driver for UnixODBC,
either by compiling or getting it from our distribution's repository and
configure your ``/etc/odbcinst.ini`` with the driver, e.g.:
This backend retrieves all data from a SQLite database, which is an
RDBMS that's embedded into the application itself, so you won't need to
be running a separate server process. It also reduces overhead, and
-simplifies installation. At `www.sqlite.org <http://www.sqlite.org>`__
+simplifies installation. At `www.sqlite.org <https://www.sqlite.org>`__
you can find more information about SQLite.
As this is a generic backend, built on top of the gSql framework, you
Before you can begin compiling PowerDNS with the SQLite backend you need
to have the SQLite utility and library installed on your system. You can
-download these from http://www.sqlite.org/download.html, or you can use
+download these from https://www.sqlite.org/download.html, or you can use
packages (if your distribution provides those).
When you've installed the library you can use:
whereas BIND stores them split in "relativeDomainName" and "zoneName".
There is a `migration
-script <http://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap>`__ which
+script <https://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap>`__ which
creates a file in LDIF format with the necessary LDAP updates including
the "associatedDomain" and "dc" attributes. The utility is executed on
the command line by:
an anonymous bind is executed. The updates in LDIF format are written to
stdout and can be redirected to a file.
-The `script <http://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap>`__
+The `script <https://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap>`__
requires Perl and the Perl Net::LDAP module.
Updating the entries in the LDAP tree requires to make the dnsdomain2
and dnszone) share the same record types and use the same OIDs so the
LDAP server can't use both schemas at the same time. The solution is to
add the `dnsdomain2
-schema <http://www.linuxnetworks.de/pdnsldap/dnsdomain2.schema>`__ and
+schema <https://www.linuxnetworks.de/pdnsldap/dnsdomain2.schema>`__ and
replace the dnszone schema by the `dnszone-migrate
-schema <http://www.linuxnetworks.de/pdnsldap/dnszone-migrate.schema>`__.
+schema <https://www.linuxnetworks.de/pdnsldap/dnszone-migrate.schema>`__.
After restarting the LDAP server attributes from both schemas can be
used and updating the objects in the LDAP tree using the LDIF file
generated from ``bind2pdns-ldap`` will work without errors.
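Review bot: the two schema links changed in this hunk (`dnsdomain2.schema` and `dnszone-migrate.schema`), like the `bind2pdns-ldap` script links rewritten just above, now point at `https://www.linuxnetworks.de`, a third-party host, and nothing in the patch shows that host serves these paths over TLS with a valid certificate. Readers are told to run the script and load the schemas into their LDAP server, so please confirm each rewritten URL resolves before merging; Sphinx's `linkcheck` builder can do this for the rst files.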
.. warning::
On systemd systems,
- When running PowerDNS via the provided systemd service file, `ProtectSystem <http://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=>`_ is set to ``full``, this means PowerDNS is unable to write to e.g. ``/etc`` and ``/home``, possibly being unable to write to the LMDB database.
+ When running PowerDNS via the provided systemd service file, `ProtectSystem <https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=>`_ is set to ``full``, this means PowerDNS is unable to write to e.g. ``/etc`` and ``/home``, possibly being unable to write to the LMDB database.
.. _setting-lmdb-shards:
remote-connection-string=zeromq:endpoint=ipc:///tmp/tmp.sock
0MQ connector implements a REQ/REP RPC model. Please see
-http://zeromq.org/ for more information.
+https://zeromq.org/ for more information.
.. _remote-api:
This backend might solve some issues you have with the current tinydns
noted on `Jonathan de Boyne
-Pollard's <http://jdebp.uk/about-the-author.html>`__
+Pollard's <https://jdebp.uk/about-the-author.html>`__
`djbdns known problems
-page <http://jdebp.uk/FGA/djbdns-problems.html>`__.
+page <https://jdebp.uk/FGA/djbdns-problems.html>`__.
The ``data.cdb`` file format support all types of records. They are
sometimes difficult to create because you need to specify the actual
-content of the rdata. `Tinydns.org <http://tinydns.org/>`__ provides a
+content of the rdata. `Tinydns.org <https://tinydns.org/>`__ provides a
number of links to tools/cgi-scripts that allow you to create records.
`Anders Brownworth <https://andersbrownworth.com/>`__ also provides a number of
useful record building scripts on his
www.example.com A 198.51.100.1
Compiling the TinyDNS backend requires you to have
-`tinycdb <http://www.corpit.ru/mjt/tinycdb.html>`__ version 0.77.
+`tinycdb <https://www.corpit.ru/mjt/tinycdb.html>`__ version 0.77.
This release fixes two small issues and adds a setting to limit AXFR and
IXFR sizes, in response to
-`CVE-2016-6172 <http://www.openwall.com/lists/oss-security/2016/07/06/4>`__.
+`CVE-2016-6172 <https://www.openwall.com/lists/oss-security/2016/07/06/4>`__.
Bug fixes
~~~~~~~~~
- Moved to C++ 2011, a cleaner more powerful version of C++ that has
allowed us to `improve the quality of
- implementation <http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html>`__
+ implementation <https://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html>`__
in many places.
- Implemented dedicated infrastructure for dealing with DNS names that
is fully "DNS Native" and needs less escaping and unescaping.
downloads.powerdns.com (those with -static in the name) for 3.4.8 have
been built against Botan 1.10.11 instead of Botan 1.10.3 like previous
packages. Please see `the Botan Security
-page <http://botan.randombit.net/security.html>`__ for more information
+page <https://botan.randombit.net/security.html>`__ for more information
on the fixes in Botan 1.10.11. As a PowerDNS user, these issues only
affect you if you ran our -static packages *and* allowed your users to
upload private keys to your configuration.
- `Official download
page <https://www.powerdns.com/downloads>`__
- `native RHEL5/6 packages from Kees
- Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
+ Monshouwer <https://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
Changes since 3.3
^^^^^^^^^^^^^^^^^
dfd1b82 <https://github.com/PowerDNS/pdns/commit/dfd1b82>`__).
- Build fixes for platforms with 'weird' types (like s390/s390x):
`commit c669f7c <https://github.com/PowerDNS/pdns/commit/c669f7c>`__
- (`details <http://blog.powerdns.com/2013/10/28/on-ragel-and-char-types/>`__),
+ (`details <https://blog.powerdns.com/2013/10/28/on-ragel-and-char-types/>`__),
`commit 07b904e <https://github.com/PowerDNS/pdns/commit/07b904e>`__
and `commit
2400764 <https://github.com/PowerDNS/pdns/commit/2400764>`__.
- `Official download
page <https://www.powerdns.com/downloads>`__
- `native RHEL5/6 packages from Kees
- Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
+ Monshouwer <https://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
Changes between RC2 and final
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- `Official download
page <https://www.powerdns.com/downloads>`__
- `native RHEL5/6 packages from Kees
- Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
+ Monshouwer <https://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
- `additional third-party
builds <http://wiki.powerdns.com/trac#GettingPowerDNSpackages>`__
- `Official download
page <https://www.powerdns.com/downloads>`__
- `CentOS/RHEL 5/6
- RPMs <http://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
+ RPMs <https://www.monshouwer.eu/download/3rd_party/pdns-server/>`__
kindly provided by Kees Monshouwer.
- `Additional
packages <http://wiki.powerdns.com/trac#GettingPowerDNSpackages>`__
PowerDNS Authoritative Server 3.0 development has been made possible by
the financial and moral support of
-- `AFNIC, the French registry <http://www.afnic.fr/>`__
+- `AFNIC, the French registry <https://www.afnic.fr/>`__
- `IPCom's RcodeZero Anycast
DNS <http://www.ipcom.at/en/dns/rcodezero_anycast/>`__, a subsidiary
of NIC.AT, the Austrian registry
-- `SIDN, the Dutch registry <http://www.sidn.nl/>`__
+- `SIDN, the Dutch registry <https://www.sidn.nl/>`__
This release has received exceptional levels of community support, and
we'd like to thank the following people in addition to those mentioned
This release would not have been possible without large amounts of help
and support from the PowerDNS Community. We specifically want to thank
-Massimo Bandinelli of Italy's `Register.it <http://register.it>`__,
+Massimo Bandinelli of Italy's `Register.it <https://register.it>`__,
`Dave Aaldering of Aaldering ICT <http://aaldering-ict.nl>`__, `True
-BV <http://true.nl>`__, `XS4ALL <http://www.xs4all.nl>`__, Daniel Bilik
-of `Neosystem <http://www.neosystem.cz>`__,
-`EasyDNS <http://www.easydns.com>`__, `Heinrich
-Ruthensteiner <http://www.siemens.com>`__ of Siemens, `Augie
-Schwer <http://schwer.us>`__, `Mark
-Bergsma <http://www.wikipedia.org>`__, `Marco
+BV <https://true.nl>`__, `XS4ALL <https://www.xs4all.nl>`__, Daniel Bilik
+of `Neosystem <https://www.neosystem.cz>`__,
+`EasyDNS <https://www.easydns.com>`__, `Heinrich
+Ruthensteiner <https://www.siemens.com>`__ of Siemens, `Augie
+Schwer <https://schwer.us>`__, `Mark
+Bergsma <https://www.wikipedia.org>`__, `Marco
Davids <http://www.forfun.net>`__, `Marcus Rueckert of
-OpenSUSE <http://www.opensuse.org>`__, Andre Muraro of
-`Locaweb <http://www.locaweb.com.br>`__, Antony Lesuisse, `Norbert
-Sendetzky <http://www.linuxnetworks.de>`__, `Marco
-Chiavacci <http://www.aruba.it>`__, Christoph Haas, Ralf van der Enden
+OpenSUSE <https://www.opensuse.org>`__, Andre Muraro of
+`Locaweb <https://www.locaweb.com.br>`__, Antony Lesuisse, `Norbert
+Sendetzky <https://www.linuxnetworks.de>`__, `Marco
+Chiavacci <https://www.aruba.it>`__, Christoph Haas, Ralf van der Enden
and Ruben Kerkhof.
Security issues
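Review bot: the conversion is partial in this paragraph: `http://aaldering-ict.nl` and `http://www.forfun.net` stay on http while every neighbouring link is rewritten. The same happens elsewhere in the patch for `wiki.powerdns.com`, `www.ipcom.at` and `www.lmdb.tech`. If those hosts were skipped on purpose, for example because they do not answer over HTTPS, say so in the commit message; otherwise convert them too so the result is consistent.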
Features
^^^^^^^^
-- Thanks to `EasyDNS <http://www.easydns.com>`__, PowerDNS now supports
+- Thanks to `EasyDNS <https://www.easydns.com>`__, PowerDNS now supports
multiple masters per domain. For configuration details, see `Slave
operation <../modes-of-operation.rst#slave-operation>`__.
Implemented in `commit e5b11b2f2754b3c0c5193f0a692350342381addb <https://github.com/PowerDNS/pdns/commit/e5b11b2f2754b3c0c5193f0a692350342381addb>`__,
`commit 4232a932d733711c74a7e30b28fca755f9722d9f <https://github.com/PowerDNS/pdns/commit/4232a932d733711c74a7e30b28fca755f9722d9f>`__.
-- Thanks to `EasyDNS <http://www.easydns.com>`__, PowerDNS now supports
+- Thanks to `EasyDNS <https://www.easydns.com>`__, PowerDNS now supports
the KEY record type, as well the SPF record. In `commit 4b5762f1f096b0fdb741ad6d630ccd831910ad35 <https://github.com/PowerDNS/pdns/commit/4b5762f1f096b0fdb741ad6d630ccd831910ad35>`__.
- Added support for CERT, SSHFP, DNSKEY, DS, NSEC, RRSIG record types,
as part of the move to the new DNS parsing/generating code.
Besides adding OpenDBX, this release is mostly about fixing problems and
speeding up the recursor. This release has been made possible by
-`XS4ALL <http://www.xs4all.nl>`__ and `True <http://true.nl>`__. Thanks!
+`XS4ALL <https://www.xs4all.nl>`__ and `True <https://true.nl>`__. Thanks!
Furthermore, we are very grateful for the help of Andrew Pinski, who
hacks on gcc, and of Joaquín M López Muñoz, the author of
-`boost::multi\_index\_container <http://www.boost.org/libs/multi_index/doc/index.html>`__.
+`boost::multi\_index\_container <https://www.boost.org/libs/multi_index/doc/index.html>`__.
Without their near-realtime help this release would've been delayed a
lot. Thanks!
- `commit 0bb34eb126cc8512b69099d0c7a525ff64499575 <https://github.com/PowerDNS/pdns/commit/0bb34eb126cc8512b69099d0c7a525ff64499575>`__
and `commit 90a5cfe2b52e1724dc3b428d2cfc7ef427f6e5a8 <https://github.com/PowerDNS/pdns/commit/90a5cfe2b52e1724dc3b428d2cfc7ef427f6e5a8>`__ work
around gcc bug
- `24704 <http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24704>`__ if
+ `24704 <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=24704>`__ if
requested, which speeds up the recursor a lot, but involves a dirty
hack. Enable with **./configure ^^enable-gcc-skip-locking**. No
guarantees!
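Review bot: the context line under the rewritten gcc bugzilla link documents the option as `./configure ^^enable-gcc-skip-locking`; configure options start with `--`, so the `^^` looks like conversion debris (the same `^^version` spelling shows up in a later hunk). It is out of scope for a link-scheme commit, but worth a separate follow-up commit since a reader copying the command will get an error.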
62 <https://github.com/PowerDNS/pdns/issues/62>`__.
- Referrals were subtly broken by recent CNAME/Wildcard improvements,
fixed in `commit 95f0df4542f6abf2ffbdc92da9cc3e56bd9e1253 <https://github.com/PowerDNS/pdns/commit/95f0df4542f6abf2ffbdc92da9cc3e56bd9e1253>`__. Fix
- and other improvements sponsored by `True <http://true.nl>`__.
+ and other improvements sponsored by `True <https://true.nl>`__.
- PowerDNS would try to insert records it has no knowledge about in
slave zones, which did not work. Reported in `ticket
60 <https://github.com/PowerDNS/pdns/issues/60>`__, fixed in `commit 02b37061fea43ed29fc972bc24374bf858853a03 <https://github.com/PowerDNS/pdns/commit/02b37061fea43ed29fc972bc24374bf858853a03>`__. A
`commit a0dbd4ce64427e3232e321cbe0f349ccca864d87 <https://github.com/PowerDNS/pdns/commit/a0dbd4ce64427e3232e321cbe0f349ccca864d87>`__.
- PowerDNS now reports if it is running in 32 or 64 bit mode, useful
for bi-arch users that need to know if they are benefiting from
- `AMD's great processor <http://www.amd.com>`__. `commit 22c012a8251c54e95e8b08aed06eae830ff0a448 <https://github.com/PowerDNS/pdns/commit/22c012a8251c54e95e8b08aed06eae830ff0a448>`__.
+ `AMD's great processor <https://www.amd.com>`__. `commit 22c012a8251c54e95e8b08aed06eae830ff0a448 <https://github.com/PowerDNS/pdns/commit/22c012a8251c54e95e8b08aed06eae830ff0a448>`__.
- **dnsscope** compiles again, `commit 1a21c2a52be8b787196e7f2532f1c10d28cb973e <https://github.com/PowerDNS/pdns/commit/1a21c2a52be8b787196e7f2532f1c10d28cb973e>`__,
`commit d5ad413a3069181834c4188e0787d8d14cb7982c <https://github.com/PowerDNS/pdns/commit/d5ad413a3069181834c4188e0787d8d14cb7982c>`__
(FreeBSD 64-bit time\_t).
This release fixes a number of embarrassing bugs and is a recommended
upgrade.
-Thanks are due to `XS4ALL <http://www.xs4all.nl>`__ who are supporting
+Thanks are due to `XS4ALL <https://www.xs4all.nl>`__ who are supporting
continuing development of PowerDNS, the fruits of which can be found in
this release already. Furthermore, a remarkable number of people have
helped report bugs, validate solutions or have submitted entire patches.
recursor deployments have too much traffic for this to be useful.
- PowerDNS recursor is now able to read its root-hints from disk, which
is useful to operate with alternate roots, like the `Open Root Server
- Network <http://www.orsn.org>`__. See `PowerDNS
+ Network <https://www.orsn.org>`__. See `PowerDNS
Recursor <https://docs.powerdns.com/recursor/>`__.
- PowerDNS can now send out old-fashioned root-referrals when queried
for domains for which it is not authoritative. Wastes some bandwidth
The '8 million domains' release, which also marks the battle readiness
of the PowerDNS Recursor. The latest improvements have been made
possible by financial support and contributions by
-`Register.com <http://register.com>`__ and
-`XS4ALL <http://www.xs4all.nl/>`__. Thanks!
+`Register.com <https://register.com>`__ and
+`XS4ALL <https://www.xs4all.nl/>`__. Thanks!
This release brings a number of new features (vastly improved recursor,
Generic Oracle Support, DNS analysis and replay tools, and more) but
also has a new build dependency, the `Boost
-library <http://www.boost.org>`__ (version 1.31 or higher).
+library <https://www.boost.org>`__ (version 1.31 or higher).
Currently several big ISPs are evaluating the PowerDNS recursor for
their resolving needs, some of them have switched already. In the course
- ^^version command (requested by Mike Benoit)
- delegation-only, a Verisign special.
-- Generic `SQLite <http://www.sqlite.org>`__ support, by Michel 'Who da
+- Generic `SQLite <https://www.sqlite.org>`__ support, by Michel 'Who da
man?' Stol. See `Generic SQLite
backend <../backends/generic-sqlite3.rst>`__.
- init.d script for pdns\_recursor
stay away from these.
Developers: this version needs the pdns-2.5.1 development kit, available
-on http://downloads.powerdns.com/releases/dev. See also `Backend
+on https://downloads.powerdns.com/releases/dev. See also `Backend
writers' guide <../appendices/backend-writers-guide.rst>`__.
Performance
release fixing a huge memory leak in the new Query Cache.
Developers: this version needs the new pdns-2.5.1 development kit,
-available on http://downloads.powerdns.com/releases/dev. See also
+available on https://downloads.powerdns.com/releases/dev. See also
`Backend writers' guide <../appendices/backend-writers-guide.rst>`__.
And some small changes
-----------
Developers: this version is compatible with the pdns-2.1 development
-kit, available on http://downloads.powerdns.com/releases/dev. See also
+kit, available on https://downloads.powerdns.com/releases/dev. See also
`*Backend writers' guide* <../appendices/backend-writers-guide.rst>`__.
This version fixes some stability issues with malformed or malcrafted
-----------
Developers: this version is compatible with the pdns-2.1 development
-kit, available on http://downloads.powerdns.com/releases/dev. See also
+kit, available on https://downloads.powerdns.com/releases/dev. See also
`Backend writers' guide <../appendices/backend-writers-guide.rst>`__
This release adds the Generic MySQL backend which allows full
-----------
Developers: this version is compatible with the pdns-2.1 development
-kit, available on http://downloads.powerdns.com/releases/dev. See also
+kit, available on https://downloads.powerdns.com/releases/dev. See also
`Backend writers' guide <../appendices/backend-writers-guide.rst>`__
Again a big release. PowerDNS is seeing some larger deployments in more
restored by turning **lazy-recursion** off.
Developers: this version has a new pdns-2.1 development kit, available
-on http://downloads.powerdns.com/releases/dev. See also `Backend
+on https://downloads.powerdns.com/releases/dev. See also `Backend
writers' guide <../appendices/backend-writers-guide.rst>`__.
**Warning**: Most users will run a static version of PowerDNS which has
--------------------
Supported Algorithms (See the `IANA
-website <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`__
+website <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1>`__
for more information):
- RSASHA1 (algorithm 5, algorithm 7)
- ed448 (algorithm 16)
For the DS records, these `digest
-types <http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__
+types <https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__
are supported:
- SHA-1 (algorithm 1)
To publish CDS records for the KSKs in the zone, set ``PUBLISH-CDS`` to
a comma- separated list of `signature algorithm
-numbers <http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__.
+numbers <https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__.
This metadata can also be set using the
:doc:`pdnsutil <dnssec/pdnsutil>` commands ``set-publish-cdnskey``
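Review bot: the link text on the changed line reads "signature algorithm numbers", but its target is the `ds-rr-types` registry, the same URL the preceding hunk labels "digest types". The scheme change itself is fine; the label and the target disagree, and since ``PUBLISH-CDS`` controls CDS (DS-format) records the label should say digest types. Fix it in a follow-up commit, or here if the maintainers accept it alongside the link change.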
The best way to "migrate" in this scenario is to separate the recursive
service fully from the Authoritative Server. See `Dan Bernstein's
-article <http://cr.yp.to/djbdns/separation.html>`__ on this topic.
+article <https://cr.yp.to/djbdns/separation.html>`__ on this topic.
If this is not possible, this migration guide will maintain the
functionality of the existing installation while allowing to upgrade.
~~~~~~~
PowerDNS Authoritative Server is available through the
-`ports <http://www.freshports.org/dns/powerdns/>`__ system:
+`ports <https://www.freshports.org/dns/powerdns/>`__ system:
For the package:
.. note::
When running PowerDNS via the provided systemd service file,
- `ProtectSystem <http://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=>`_
+ `ProtectSystem <https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=>`_
is set to ``full``, this means PowerDNS is unable to write to e.g.
``/etc`` and ``/home``, possibly being unable to write AXFR'd zones.
RPM/DEB) of 2.9.22.5 and 3.0.1 have been uploaded to `our download
site <https://www.powerdns.com/downloads>`__. Kees
Monshouwer has provided updated CentOS/RHEL packages in `his
-repository <http://www.monshouwer.eu/download/3th_party/>`__. Debian,
+repository <https://www.monshouwer.eu/download/3th_party/>`__. Debian,
Fedora and SuSE should have packages available shortly after this
announcement.
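Review bot: the rewritten URL keeps the path `download/3th_party/`, whereas every other monshouwer.eu link in this patch uses `download/3rd_party/`. Check that this address still resolves before changing only its scheme; if it does not, point the link at the current repository location instead of preserving a dead path over https.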
Authoritative Server and Recursor `were
released <../changelog/pre-4.0.rst#powerdns-recursor-364>`__ on the 9th of June.
Minimal patches are
-`available <http://downloads.powerdns.com/patches/2015-01/>`__. The
+`available <https://downloads.powerdns.com/patches/2015-01/>`__. The
insufficient fix was assigned CVE-2015-5470.
eBPF Socket Filtering
=====================
-:program:`dnsdist` can use `eBPF <http://www.brendangregg.com/ebpf.html>`_ socket filtering on recent Linux kernels (4.1+) built with eBPF support (``CONFIG_BPF``, ``CONFIG_BPF_SYSCALL``, ideally ``CONFIG_BPF_JIT``). It requires dnsdist to have the ``CAP_SYS_ADMIN`` capabilities at startup.
+:program:`dnsdist` can use `eBPF <https://www.brendangregg.com/ebpf.html>`_ socket filtering on recent Linux kernels (4.1+) built with eBPF support (``CONFIG_BPF``, ``CONFIG_BPF_SYSCALL``, ideally ``CONFIG_BPF_JIT``). It requires dnsdist to have the ``CAP_SYS_ADMIN`` capabilities at startup.
.. note::
To retain the required capability, ``CAP_SYS_ADMIN``, it is necessary to call :func:`addCapabilitiesToRetain` during startup, as :program:`dnsdist` drops capabilities after startup.
does not. This is not an issue for actual DNS over HTTPS clients that support HTTP/2, but might be one in setups running dnsdist behind a reverse-proxy that
does not support HTTP/2, like nginx. We do not plan on implementing HTTP/1, and recommend using HTTP/2 between the reverse-proxy and dnsdist for performance reasons.
-For nginx in particular, a possible work-around is to use the `grpc_pass <http://nginx.org/r/grpc_pass>`_ directive as suggested in their `bug tracker <https://trac.nginx.org/nginx/ticket/1875>`_ e.g.::
+For nginx in particular, a possible work-around is to use the `grpc_pass <https://nginx.org/r/grpc_pass>`_ directive as suggested in their `bug tracker <https://trac.nginx.org/nginx/ticket/1875>`_ e.g.::
location /dns-query {
set $upstream_app dnsdist;
:program:`dnsdist` is dynamic, its configuration can be changed at runtime via a :doc:`console-like interface <guides/console>`.
It exposes :doc:`metrics <statistics>` that can be exported via Carbon, Prometheus, an HTTP API and the console.
-Until 2.0.0 the configuration was written in `Lua <http://lua.org>`_, but it is now possible to write the configuration in :doc:`yaml <reference/yaml-settings>` as well.
+Until 2.0.0 the configuration was written in `Lua <https://lua.org>`_, but it is now possible to write the configuration in :doc:`yaml <reference/yaml-settings>` as well.
A configuration to balance DNS queries to several backend servers:
FreeBSD
~~~~~~~
-dnsdist is also available in `FreeBSD ports <http://www.freshports.org/dns/dnsdist/>`_.
+dnsdist is also available in `FreeBSD ports <https://www.freshports.org/dns/dnsdist/>`_.
Installing from Source
----------------------
In order to compile dnsdist, a modern compiler with C++ 2017 support, a Python 3 interpreter with the ``YAML`` module, and either GNU make or ``meson`` with ``ninja`` are required.
dnsdist depends on the following libraries:
-* `Boost <http://boost.org/>`_
-* `Lua <http://www.lua.org/>`_ 5.1+ or `LuaJit <http://luajit.org/>`_
-* `Editline (libedit) <http://thrysoee.dk/editline/>`_
+* `Boost <https://boost.org/>`_
+* `Lua <https://www.lua.org/>`_ 5.1+ or `LuaJit <https://luajit.org/>`_
+* `Editline (libedit) <https://thrysoee.dk/editline/>`_
* `libfstrm <https://github.com/farsightsec/fstrm>`_ (optional, dnstap support)
* `GnuTLS <https://www.gnutls.org/>`_ (optional, DoT and DoH support)
* `hostname from Inetutils <https://www.gnu.org/software/inetutils/>`_
* `libh2o <https://github.com/h2o/h2o>`_ (optional, incoming DoH support, deprecated in 1.9.0 in favor of ``nghttp2``)
* `libsodium <https://download.libsodium.org/doc/>`_ (optional, DNSCrypt support)
* `LMDB <http://www.lmdb.tech/doc/>`_ (optional, LMDB support)
-* `net-snmp <http://www.net-snmp.org/>`_ (optional, SNMP support)
+* `net-snmp <https://www.net-snmp.org/>`_ (optional, SNMP support)
* `nghttp2 <https://nghttp2.org/>`_ (optional, DoH support)
* `OpenSSL <https://www.openssl.org/>`_ (optional, DoT and DoH support)
* `Quiche <https://github.com/cloudflare/quiche>`_ (optional, incoming DoQ and DoH3 support)
To compile from git, these additional dependencies are required:
-* GNU `Autoconf <http://www.gnu.org/software/autoconf/autoconf.html>`_
+* GNU `Autoconf <https://www.gnu.org/software/autoconf/autoconf.html>`_
* GNU `Automake <https://www.gnu.org/software/automake/>`_
-* `Ragel <http://www.colm.net/open-source/ragel/>`_
+* `Ragel <https://www.colm.net/open-source/ragel/>`_
dnsdist source code lives in the `PowerDNS git repository <https://github.com/PowerDNS/pdns>`_ but is independent of PowerDNS.
dnstap Logging Reference
========================
-`dnstap <http://dnstap.info>`__ is a flexible, structured binary log format for DNS software.
+`dnstap <https://dnstap.info>`__ is a flexible, structured binary log format for DNS software.
Reader implementations in various languages exist.
:program:`dnsdist` supports dnstap since version 1.3.0.
By default, the :program:`Recursor` requires the following libraries and headers:
-* `Boost <http://boost.org/>`_ 1.54 or newer
-* `Lua <http://www.lua.org/>`_ 5.1+ or `LuaJit <http://luajit.org/>`_
+* `Boost <https://boost.org/>`_ 1.54 or newer
+* `Lua <https://www.lua.org/>`_ 5.1+ or `LuaJit <https://luajit.org/>`_
* `OpenSSL <https://openssl.org>`_
* For :program:`Recursor` version 5 and higher, `cargo <https://www.rust-lang.org/tools/install>`_ version 1.64 or newer.
turn a program into a real freakshow if you so desire.
PowerDNS generally tries not to go overboard in this respect, but we do
-build upon a very advanced part of the `Boost <http://www.boost.org>`__
+build upon a very advanced part of the `Boost <https://www.boost.org>`__
C++ library: `boost::multi index
-container <http://boost.org/libs/multi_index/doc/index.html>`__.
+container <https://boost.org/libs/multi_index/doc/index.html>`__.
This container provides the equivalent of SQL indexes on multiple keys.
It also implements compound keys, which PowerDNS uses as well.
and `commit
7abbb2c <https://github.com/PowerDNS/pdns/commit/7abbb2c>`__: Update
Ed25519 `algorithm number and
- mnemonic <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>`__
+ mnemonic <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>`__
and hook up to the Recursor (Kees Monshouwer)
- `#5355 <https://github.com/PowerDNS/pdns/pull/5355>`__: Add
``use-incoming-edns-subnet`` option to process and pass along ECS and
- `Official download page <https://www.powerdns.com/downloads.html>`__
- `native RHEL5/6 packages from Kees
- Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-recursor/>`__
+ Monshouwer <https://www.monshouwer.eu/download/3rd_party/pdns-recursor/>`__
Changes since 3.5.2
^^^^^^^^^^^^^^^^^^^
- `Official download page <https://www.powerdns.com/downloads.html>`__
- `native RHEL5/6 packages from Kees
- Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-recursor/>`__
+ Monshouwer <https://www.monshouwer.eu/download/3rd_party/pdns-recursor/>`__
Changes since 3.5.1
^^^^^^^^^^^^^^^^^^^
- `Official download page <https://www.powerdns.com/downloads.html>`__
- `native RHEL5/6 packages from Kees
- Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-recursor/>`__
+ Monshouwer <https://www.monshouwer.eu/download/3rd_party/pdns-recursor/>`__
Changes since 3.5
^^^^^^^^^^^^^^^^^
- `Official download page <https://www.powerdns.com/downloads.html>`__
- `native RHEL5/6 packages from Kees
- Monshouwer <http://www.monshouwer.eu/download/3rd_party/pdns-recursor/>`__
+ Monshouwer <https://www.monshouwer.eu/download/3rd_party/pdns-recursor/>`__
Changes between RC5 and the final 3.5 release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This was fixed in `commit
3085 <http://wiki.powerdns.com/projects/trac/changeset/3085>`__. This
should also close the slightly bogus
- `CVE-2012-1193 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1193>`__.
+ `CVE-2012-1193 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1193>`__.
Closes `ticket 668 <https://github.com/PowerDNS/pdns/issues/668>`__.
- The auth-can-lower-ttl flag was removed, as it did not have any
effect in most situations, and thus did not operate as advertised. We
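Review bot: the context line two above the CVE change still reads `http://wiki.powerdns.com/projects/trac/changeset/3085`, so this paragraph ends up with mixed schemes after the patch; the changeset 1178 link in the XS4ALL hunk that follows is left the same way. If wiki.powerdns.com was excluded on purpose, state that in the commit message; otherwise convert or replace those two links in this change as well.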
DNS-hierarchy, like 'juniper.net'.
This issue was fixed rapidly because of the help of
- `XS4ALL <http://www.xs4all.nl>`__ (Eric Veldhuyzen, Kai Storbeck),
+ `XS4ALL <https://www.xs4all.nl>`__ (Eric Veldhuyzen, Kai Storbeck),
Brad Dameron and Kees Monshouwer. Fix in `commit
1178 <http://wiki.powerdns.com/projects/trac/changeset/1178>`__.
Some more information, based on a previous version of PowerDNS, can be
found on the `PowerDNS development
-blog <http://blog.netherlabs.nl/articles/2006/04/14/holy-cow-1-3-million-additional-ip-addresses-served-by-powerdns>`__.
+blog <https://blog.netherlabs.nl/articles/2006/04/14/holy-cow-1-3-million-additional-ip-addresses-served-by-powerdns>`__.
**Warning**: Because of recent DNS based denial of service attacks,
running an open recursor has become a security risk. Therefore, unless
Many people helped package and test this release. Jorn Ekkelenkamp of
ISP-Services helped find the '8000 SOAs' bug and spotted many other
-oddities and `XS4ALL <http://www.xs4all.nl>`__ internet funded a lot of
+oddities and `XS4ALL <https://www.xs4all.nl>`__ internet funded a lot of
the recent development. Joaquín M López Muñoz of the
boost::multi\_index\_container was again of great help.
- Very fast, and contains innovative query-throttling code to save time talking to obsolete or broken nameservers.
- Code is written linearly, sequentially, which means that there are no problems with 'query restart' or anything.
- Does DNSSEC validation
-- Is highly scriptable in `Lua <http://lua.org>`_
+- Is highly scriptable in `Lua <https://lua.org>`_
Getting support
---------------
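Review bot: the changed line links Lua as `https://lua.org`, while the scripting page changed later in this patch uses `https://www.lua.org` for the same site. Pick one host form and use it in both places so the docs do not carry two spellings of the same link.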
Scripting PowerDNS Recursor
===========================
-In the PowerDNS Recursor, it is possible to modify resolving behaviour using simple scripts written in the `Lua <http://www.lua.org>`_ programming language.
+In the PowerDNS Recursor, it is possible to modify resolving behaviour using simple scripts written in the `Lua <https://www.lua.org>`_ programming language.
Lua scripts can be used for load balancing, legal reasons, commercial purposes, to quickly block dangerous domains or override problematic responses.
Because Lua is extremely fast and lightweight, it easily supports hundreds of thousands of queries per second.
-The Lua language is explained very well in the excellent book `Programming in Lua <http://www.amazon.com/exec/obidos/ASIN/859037985X/lua-pilindex-20>`_.
-If you already have programming experience, `Learn Lua in 15 Minutes <http://tylerneylon.com/a/learn-lua/>`_ is a great primer.
+The Lua language is explained very well in the excellent book `Programming in Lua <https://www.amazon.com/exec/obidos/ASIN/859037985X/lua-pilindex-20>`_.
+If you already have programming experience, `Learn Lua in 15 Minutes <https://tylerneylon.com/a/learn-lua/>`_ is a great primer.
-For extra performance, a Just In Time compiled version of Lua called `LuaJIT <http://luajit.org/>`_ is supported.
+For extra performance, a Just In Time compiled version of Lua called `LuaJIT <https://luajit.org/>`_ is supported.
.. note::
PowerDNS Recursor is capable of handling many queries simultaneously using cooperative user space multi-threading.
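Review bot: on the "Programming in Lua" line only the scheme is swapped, which keeps the `exec/obidos/ASIN/...` path and the `lua-pilindex-20` suffix, which looks like a referral tag, in the project docs. Since the line is being touched anyway, consider linking to a stable, non-retailer page for the book instead of carrying the legacy Amazon URL forward.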
A simple method to determine a candidate domain would simply be to check if the domain was not in the recursor cache; indeed this is a method used by many security researchers. However, while that does produce a smaller list of candidate domains, cache misses are still relatively common, particularly in deployments where techniques such as EDNS client-subnet are used.
-Therefore, a feature has been developed for the recursor which uses probabilistic data structures (specifically a Stable Bloom Filter (SBF): [http://webdocs.cs.ualberta.ca/~drafiei/papers/DupDet06Sigmod.pdf]). This recursor feature is named "Newly Observed Domain" or "NOD" for short.
+Therefore, a feature has been developed for the recursor which uses probabilistic data structures (specifically a Stable Bloom Filter (SBF): [https://webdocs.cs.ualberta.ca/~drafiei/papers/DupDet06Sigmod.pdf]). This recursor feature is named "Newly Observed Domain" or "NOD" for short.
The use of a probabilistic data structure means that the memory and CPU usage for the NOD feature is minimal, however it does mean that there can be false positives (a domain flagged as new when it is not), and false negatives (a domain that is new is not detected). The size of the SBF data structure can be tuned to reduce the FP/FN rate, although it is created with a default size (67108864 cells) that should provide a reasonably low FP/FN rate. To configure a different size use the :ref:`setting-yaml-nod.db_size` setting to specify a higher or lower cell count. Each cell consumes 1-bit of RAM (per recursor thread) and 1-byte of disk space.
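Review bot: the Stable Bloom Filter reference on the changed line is a bare URL wrapped in square brackets inside the parentheses, which is not reStructuredText link syntax and differs from every other link in this patch. Rewrite it in the form used elsewhere, for example `Stable Bloom Filter <https://webdocs.cs.ualberta.ca/~drafiei/papers/DupDet06Sigmod.pdf>`_, rather than only changing the scheme.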
page <http://www.trusteer.com/docs/powerdnsrecursor.html>`__.
This security problem was announced in `this email
-message <http://mailman.powerdns.com/pipermail/pdns-users/2008-March/005279.html>`__.
+message <https://mailman.powerdns.com/pipermail/pdns-users/2008-March/005279.html>`__.
It is recommended that all users of the PowerDNS Recursor upgrade to
3.1.5 as soon as practicable, while we simultaneously note that busy
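Review bot: the first line of this hunk keeps `http://www.trusteer.com/docs/powerdnsrecursor.html` while the mailing-list link directly below it is converted. Confirm whether that host was skipped deliberately, and list any hosts left out of the conversion in the commit message so the remaining http links are not read as misses.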
- CVE: CVE-2014-8601
- Date: 8th of December 2014
-- Credit: Florian Maury (`ANSSI <http://www.ssi.gouv.fr/en/>`__)
+- Credit: Florian Maury (`ANSSI <https://www.ssi.gouv.fr/en/>`__)
- Affects: PowerDNS Recursor versions 3.6.1 and earlier
- Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS
Authoritative Server
------------
We need very recent versions of:
- * validns (http://www.validns.net/)
+ * validns (https://www.validns.net/)
* ldns-verify-zone (part of ldns)
* jdnssec-verifyzone (https://github.com/dblacka/jdnssec-tools)
* named-checkzone (part of BIND9)