From: Bert Hubert Date: Thu, 27 Jan 2011 22:20:36 +0000 (+0000) Subject: release notes for 3.0 X-Git-Tag: auth-3.0~326 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9fc47995b8ae52ff7ebfaa2d1c24b9a94f0d7f02;p=thirdparty%2Fpdns.git release notes for 3.0 git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1921 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml index 05c769ed28..2236494a8f 100644 --- a/pdns/docs/pdns.xml +++ b/pdns/docs/pdns.xml 
@@ -115,23 +115,191 @@ while maintaining performance and achieving high levels of security. - Other major new features include: + This release has received exceptional levels of community support, and we'd like to thank the following people + in addition to those mentioned explicitly below: + Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), + Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet), + Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, + Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), + Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and + Martin van Hensbergen (Fox-IT) + + + On to the release notes. Next to DNSSEC, other major new features include: - Long TXT records are now split into 255-byte components automatically. Implemented in c1340, reported by Darren Gamble in t188. + + + Per zone AXFR ACLs, implemented in c1360. + + + + + "Also-notify" support, implemented by Aki Tuomi in c1400. Support for Generic SQL backends and + for the BIND backend. + + + + + Support for binding to thousands of IP addresses, code in c1443. + + + + + Massively parallel slaving infrastructure, able to check the freshness of thousands of remote + zones per second, plus perform many incoming zone transfers simultaneously. Sponsored by Tyler Hall, + code in C1449, C1500, C1859 + + + + + Core DNS logic replaced completely to deal with the brave new world of DNSSEC. + + + Bugs fixed: - .. + sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL +errors in some cases. Discovered by Sten Spans. Fixed in c1342. + + + + + Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek. Fixed in c1342. 
+ + + + + In some cases, we would include duplicate CNAMEs. In addition, we would hand out + a full root-referral when not configured to in some cases (t223). Discovered by Andreas Jakum, fixed in c1344. + + + + + Shane Kerr discovered we would corrupt DNS transaction IDs from the packet cache on big endian systems. + Fix in c1346, closing t222. + + + + + BIND backend got confused of a zone's filename changed after a configuration reload. + Fix in c1347, closing t228. + + + + + When restarted by the Guardian, PowerDNS will perform a full multi-threaded cache cleanup, which + took a long time and could crash. Fix in c1364. + + + + + Under artificial circumstances, PowerDNS would never clean its packet cache. Found by Marcus Goller, fix in + c1399 and c1408. This update also retunes the cleanup frequency. + + + + + Packetcache would cache things it should not have been caching. Fixes in commits C1407, C1488, C1869, C1880 + + + + + When processing incoming notifications, the BIND backend was case-sensitive, and would disregard + notifications in the wrong case. Discovered by 'Dolphin', fix in c1420. + + + + + The init.d script did not mention the 'reload' command. Code in c1463, closes t233. + + + + + PowerDNS would be confused by embedded NULs in domain names, and would also + mess up the escaping of some characters. Fix in c1468, c1469, c1478, c1480, + + + + + SOA queries for the name of a delegation point were not referred. Fix in c1466, closing t224. + In addition, queries for AAAA for a CNAMEd record pointing to a name with no AAAA would deliver + a direct SOA, without the CNAME in between. Fix in c1542, c1607. + Also, wildcard CNAMEs pointing to a record without the type requested suffered from the same issue, fix in c1543. + + + + + On processing an incoming AXFR, once an MX or SRV record had been seen, all future fields + got a 'priority' entry as well. This had no operational impact, but looked messy. Fixed in c1437. 
+ + + + + Aki Tuomi discovered that the BIND zonefile parser would misrepresent 'something IN MX 15 @'. Fix in c1621. + + + + + Marco Davids discovered the BIND zonefile parser would trip over really long lines. Fix in c1624, c1625. + + + + + Thomas Mieslinger discovered that our webserver would only be started after dropping privileges, + which could cause problems. Fix in c1629. + + + + + An Ubuntu user discovered in Launchpad bug 600479 that restarting database threads + cost a lot of memory. Normally this is rare, except in case of problems. Addressed in c1676. + + + + + BIND backend could crash under (very) high load with very large numbers of zones (hundreds of thousands). + Fixed in c1690. + + + + + Miek Gieben and Marco Davids spotted that PowerDNS would answer the version.bind query in the IN class too. + Bug reported via twitter! Fix in c1709. + + + + + Marcus Lauer and the OpenDNSSEC project discovered that outgoing notifications did not carry the 'aa' flag. + Fixed in c1746. + + + + + Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by Anders Kaseorg in c1747. + + + + + Fixed a bug that could cause crashes on launching thousands of backend connections. Never observed to occur, + but who knows. Fix in c1792. + + + + + Under some circumstances, large answers could be truncated in mid-record. While technically legal, + this upset a number of resolver implementations (including the PowerDNS Recursor!). Fixed in c1830, re-closes + t200. 
@@ -139,9 +307,46 @@ - .. + Fixed compilation on newer compilers and newer versions of Boost. + Changes in C1345 (t227), C1391, C1394, C1425, C1427, C1428, C1429, C1440, C1653, thanks to Ruben Kerkhof and others. + + + Compilation fixes for Mac OS X 10.5.7 in c1389, thanks to Tobias Markmann. + + + + + Allow for timestamps to explicitly be specified in (s)econds. Code in c1398, closing t250. + + + + + Internal support for TSIG, not yet hooked up. Commits C1417, C1485 and beyond. + + + + + + Zones with URL and MBOXFW records can be transferred over AXFR, code in c1464. + + + + + + Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d script to read /etc/default/pdns. + Code in c1601, c1602. + + + + + + Generic SQL backends now support multiple masters in the domains table. Code in c1857. Additionally, + masters can also have :port numbers. Code in c1858. + + + @@ -9024,7 +9229,7 @@ local0.err /var/log/pdns.err with minimal administrative overhead. - In PowerDNSSEC, DNS and signatures and keys are treated as separate entities. The domain & record + In PowerDNSSEC, DNS and signatures and keys are (usually) treated as separate entities. The domain & record storage is thus almost completely devoid of DNSSEC record types. @@ -9043,6 +9248,9 @@ $ pdnssec secure-zone powerdnssec.org $ pdnssec rectify-zone + + Alternatively, PowerDNS can serve pre-signed zones, without knowledge of private keys. +
A brief introduction to DNSSEC @@ -9218,6 +9426,8 @@ $ pdnssec rectify-zone PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run 'pdnssec set-presigned zone'. + Right now, you will also need to configure NSEC(3) settings for pre-signed zones using 'pdnssec set-nsec3'. Default + is NSEC, in which case no further configuration is necessary.
From existing DNSSEC non-PowerDNS setups, live signing @@ -9414,7 +9624,7 @@ $ pdnssec rectify-zone Sets NSEC3 parameters for this zone. A sample commandline is: "pdnssec set-nsec3 powerdnssec.org '1 0 1 ab' narrow". The NSEC3 parameters must be quoted on the command line. - WARNING: This requires updating the 'DS" over at the parent zone! + If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! @@ -9438,7 +9648,8 @@ $ pdnssec rectify-zone unset-nsec3 ZONE - Converts a zone to NSEC operations. WARNING: This requires updating the 'DS" over at the parent zone! + Converts a zone to NSEC operations. + If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! @@ -9453,6 +9664,53 @@ $ pdnssec rectify-zone
+
+ DNSSEC advice & precautions + + DNSSEC is a major change in the way DNS works. Furthermore, there is a bewildering array of settings + that can be configured. + + + It is well possible to configure DNSSEC in such a way that your domain will not operate reliably, or even, at all. + + + We advise operators to stick to the keying defaults of 'pdnssec secure-zone': RSASHA256 (algorithm 8), + 1 Key Signing Key of 2048 bits, 1 active Zone Signing Key of 1024 bits, 1 passive Zone Signing Key of 1024 bits. + + + While the 'GOST' and 'ECDSA' algorithms are better choices in theory, not many DNSSEC resolvers can validate answers + signed with such keys. Much the same goes for RSASHA512, except that it does not offer better performance either. + + + GOST may be more widely available in Russia, because it might be mandatory to implement this regional standard there. + + + It is possible to operate a zone with different keying algorithms simultaneously, but it has also been observed that this is not reliable. + +
Packet sizes, fragments, TCP/IP service + + DNSSEC answers contain (bulky) keying material and signatures, and are therefore a lot larger than regular DNS answers. + Normal DNS responses almost always fit in the 'magical' 512 byte limit previously imposed on DNS. + + + In order to support DNSSEC, operators must make sure that their network allows for: + + >512 byte UDP packets on port 53 + Fragmented UDP packets + ICMP packets related to fragmentation + TCP queries on port 53 + EDNS0 queries/responses (filtered by some firewalls) + + + + If any of the conditions outlined above is not met, DNSSEC service will suffer or be completely unavailable. + + + In addition, the larger your DNS answers, the more critical the above becomes. It is therefore advised not to provision too many keys, + or keys that are unneccessarily large. + +
+
Operational instructions @@ -9627,6 +9885,7 @@ $ pdnssec rectify-zone Marc van de Geijn (bHosted.nl) Stefan Arentz Martin van Hensbergen (Fox-IT) + Christoph Meerwald .. this list is far from complete yet ..
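Review bot: in the @@ -115 hunk the BIND backend bug entry reads "got confused of a zone's filename changed", which should be "got confused if a zone's filename changed", and the embedded-NUL entry ends on a dangling comma after "c1480," with no closing sentence, so it is unclear whether the list of fixing commits is complete. The same hunk also mixes lower- and upper-case commit references ("code in c1443" next to "code in C1449, C1500, C1859" and "Fixes in commits C1407, C1488, C1869, C1880"); since the release notes are the reader's only pointer to the fix, one consistent form (the lower-case "c1234" used by most entries) would help.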
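Review bot: in the @@ -139 hunk the item "Internal support for TSIG, not yet hooked up. Commits C1417, C1485 and beyond." should say what "not yet hooked up" means for an operator, for example that no TSIG setting is exposed in 3.0 and that zone transfers and notifications in this release are therefore still unauthenticated. As written, a reader scanning the release notes may go looking for a TSIG option that does not exist yet. The commit references in this hunk ("C1345 (t227), C1391, ...") also use the upper-case form that most of the document does not.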
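Review bot: the @@ -9218 hunk tells pre-signed zone operators to "configure NSEC(3) settings for pre-signed zones using 'pdnssec set-nsec3'" but does not say that the parameters given must match what is already in the signed zone data. Since the @@ -9043 hunk states that pre-signed zones are served "without knowledge of private keys", PowerDNS cannot re-sign to a different NSEC3 setting, so a mismatch between the configured parameters and the zone's own NSEC3PARAM/NSEC3 chain would make denial-of-existence answers invalid. Suggest adding one sentence: the values passed to 'pdnssec set-nsec3' for a pre-signed zone must be the ones the external signer used.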
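Review bot: the unset-nsec3 text in the @@ -9438 hunk has the direction reversed: under a command documented as "Converts a zone to NSEC operations." it says "switching from NSEC to NSEC3 will require a DS update at the parent zone!", which is the set-nsec3 wording copied unchanged. It should read:

If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC3 to NSEC will require a DS update at the parent zone!

Both the set-nsec3 and unset-nsec3 entries would also be clearer if they said why only algorithms 5 and 7 are affected, so an operator running the recommended algorithm 8 knows the warning does not apply to them.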
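Review bot: in the @@ -9453 hunk the sentence "It is possible to operate a zone with different keying algorithms simultaneously, but it has also been observed that this is not reliable." contradicts itself and gives the operator nothing to act on; say what was observed (validation failures at some resolvers, or whichever symptom was seen) and advise against mixing algorithms, or drop the sentence. Smaller points in the same hunk: "It is well possible" should be "It is entirely possible"; the keying defaults list "1 passive Zone Signing Key of 1024 bits" without saying what the passive key is for, which a reader deciding whether to follow the defaults will want to know; "unneccessarily" should be "unnecessarily"; and "ICMP packets related to fragmentation" would be more useful to a firewall administrator as the specific messages that path MTU discovery needs (ICMP "fragmentation needed" and ICMPv6 "packet too big"), since blocking exactly those is the common misconfiguration.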