Commit | Line | Data |
---|---|---|
0e2063c3 PL |
1 | Upgrade Notes |
2 | ============= | |
3 | ||
4 | Before proceeding, it is advised to check the release notes for your | |
5 | PowerDNS version, as specified in the name of the distribution file. | |
6 | ||
7 | Please upgrade to the PowerDNS Authoritative Server 4.0.0 from 3.4.2+. | |
8 | See the `3.X <https://doc.powerdns.com/3/authoritative/upgrading/>`__ | |
9 | upgrade notes if your version is older than 3.4.2. | |
10 | ||
0c87a2b8 PD |
11 | 4.9.0 to 5.0.0/master |
12 | -------------- | |
13 | ||
26dbeed8 PD |
14 | LUA records whitespace insertion |
15 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
16 | ||
17 | :ref:`setting-lua-records-insert-whitespace`, introduced in 4.9.1 with the default value (``yes``) set to maintain the old behaviour of inserting whitespace, is set to ``no`` in 5.0. | |
18 | ||
0c87a2b8 PD |
19 | ixfrdist IPv6 support |
20 | ^^^^^^^^^^^^^^^^^^^^^ | |
21 | ||
22 | ``ixfrdist`` now binds listening sockets with ``IPV6_V6ONLY`` set, which means that ``[::]`` no longer accepts IPv4 connections. | |
23 | If you want to listen on both IPv4 and IPv6, you need to add a line with ``0.0.0.0`` to the ``listen`` section of your ixfrdist configuration. | |
24 | ||
490c2321 KM |
25 | 4.8.0 to 4.9.0 |
26 | -------------- | |
27 | ||
28 | Removed options | |
29 | ^^^^^^^^^^^^^^^ | |
30 | ||
31 | Various settings, deprecated since 4.5.0, have been removed. | |
32 | ||
33 | * :ref:`setting-allow-unsigned-supermaster` is now :ref:`setting-allow-unsigned-autoprimary` | |
34 | * :ref:`setting-master` is now :ref:`setting-primary` | |
35 | * :ref:`setting-slave-cycle-interval` is now :ref:`setting-xfr-cycle-interval` | |
36 | * :ref:`setting-slave-renotify` is now :ref:`setting-secondary-do-renotify` | |
37 | * :ref:`setting-slave` is now :ref:`setting-secondary` | |
38 | * :ref:`setting-superslave` is now :ref:`setting-autosecondary` | |
39 | ||
092dcb65 PD |
40 | In :ref:`setting-lmdb-sync-mode`, the previous default ``mapasync`` is no longer a valid value. |
41 | Due to a bug, it was interpreted as ``sync`` in previous versions. | |
42 | To avoid operational surprises, ``sync`` is the new default value. | |
43 | ||
490c2321 KM |
44 | Renamed options |
45 | ^^^^^^^^^^^^^^^ | |
46 | ||
47 | Bind backend | |
48 | ~~~~~~~~~~~~ | |
49 | ||
50 | Various experimental autoprimary settings have been renamed. | |
51 | ||
52 | * ``supermaster-config`` is now ``autoprimary-config`` | |
53 | * ``supermasters`` is now ``autoprimaries`` | |
54 | * ``supermaster-destdir`` is now ``autoprimary-destdir`` | |
55 | ||
56 | Gsql backends | |
57 | ~~~~~~~~~~~~~ | |
58 | ||
59 | Various custom queries have been renamed. | |
60 | ||
61 | * ``info-all-slaves-query`` is now ``info-all-secondaries-query`` | |
62 | * ``supermaster-query`` is now ``autoprimary-query`` | |
63 | * ``supermaster-name-to-ips`` is now ``autoprimary-name-to-ips`` | |
64 | * ``supermaster-add`` is now ``autoprimary-add`` | |
65 | * ``update-master-query`` is now ``update-primary-query`` | |
66 | * ``info-all-master-query`` is now ``info-all-primary-query`` | |
67 | ||
dc1bfa71 PD |
68 | Also, ``get-all-domains-query`` got an extra column for a zone's catalog assignment. |
69 | ||
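A pre-upgrade check for the names listed above, as an added example (not part of the PowerDNS code base). It assumes that backend settings appear in ``pdns.conf`` with the backend name as a prefix (for example ``gmysql-supermaster-query``); the sample configuration is constructed.

```python
# Old name -> new name, copied from the lists in these upgrade notes.
CORE_RENAMES = {
    "allow-unsigned-supermaster": "allow-unsigned-autoprimary",
    "master": "primary",
    "slave-cycle-interval": "xfr-cycle-interval",
    "slave-renotify": "secondary-do-renotify",
    "slave": "secondary",
    "superslave": "autosecondary",
}
BIND_RENAMES = {
    "supermaster-config": "autoprimary-config",
    "supermasters": "autoprimaries",
    "supermaster-destdir": "autoprimary-destdir",
}
GSQL_RENAMES = {
    "info-all-slaves-query": "info-all-secondaries-query",
    "supermaster-query": "autoprimary-query",
    "supermaster-name-to-ips": "autoprimary-name-to-ips",
    "supermaster-add": "autoprimary-add",
    "update-master-query": "update-primary-query",
    "info-all-master-query": "info-all-primary-query",
}
# Assumption: these are the prefixes the gsql backends use in pdns.conf.
GSQL_PREFIXES = ("gmysql-", "gpgsql-", "gsqlite3-", "godbc-")


def parse_settings(text):
    """Yield (line_number, key, value) for every setting line in pdns.conf text."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.endswith("+"):  # "setting+=value" appends to an earlier value
            key = key[:-1].strip()
        yield lineno, key, value.strip()


def renamed_to(key):
    """Return the 4.9.0 name for an old setting name, or None if it is fine."""
    if key in CORE_RENAMES:
        return CORE_RENAMES[key]
    if key.startswith("bind-"):
        table = BIND_RENAMES
    elif key.startswith(GSQL_PREFIXES):
        table = GSQL_RENAMES
    else:
        return None
    for old, new in table.items():
        # Matching on the suffix keeps any backend instance name intact.
        if key.endswith("-" + old):
            return key[: -len(old)] + new
    return None


def check_config(text):
    """Return (line_number, setting, advice) for every line that needs a change."""
    findings = []
    for lineno, key, value in parse_settings(text):
        new = renamed_to(key)
        if new:
            findings.append((lineno, key, f"now called {new}"))
        elif key == "lmdb-sync-mode" and value == "mapasync":
            findings.append((lineno, key, "mapasync is no longer a valid value"))
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
# pdns.conf written for 4.4
launch=gmysql,bind
master=yes
slave-cycle-interval=60
primary=yes
gmysql-supermaster-query=SELECT account FROM supermasters WHERE ip=? AND nameserver=?
bind-supermasters=/etc/powerdns/supermasters.conf
lmdb-sync-mode=mapasync
"""

if __name__ == "__main__":
    for lineno, key, advice in check_config(SAMPLE_CONF):
        print(f"line {lineno}: {key}: {advice}")
```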
36852ff8 PD |
70 | API changes |
71 | ~~~~~~~~~~~ | |
72 | ||
73 | A long time ago (in version 3.4.2), the ``priority`` field was removed from record content in the HTTP API. | |
74 | Starting with 4.9, API calls containing a ``priority`` field are actively rejected. | |
75 | This makes it easier for users to detect they are attempting to use a very old API client. | |
76 | ||
ef30dbb2 PD |
77 | any version to 4.8.x |
78 | -------------------- | |
79 | ||
b467b050 PD |
80 | Use of (RSA-)SHA1 on Red Hat Enterprise Linux 9 and derivatives |
81 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
82 | ||
83 | If you are using PowerDNS Authoritative Server on EL9, please read `this ticket about Red Hat's SHA1 deprecation and how it affects PowerDNS software <https://github.com/PowerDNS/pdns/issues/12890>`__. | |
84 | ||
ef30dbb2 PD |
85 | LMDB backend |
86 | ^^^^^^^^^^^^ | |
87 | ||
58987fb9 | 88 | Version 4.8.0-alpha1 ships a new version of the LMDB database schema (called version 5), for compatibility with `Lightning Stream <https://doc.powerdns.com/lightningstream>`_. |
ef30dbb2 PD |
89 | This schema is somewhat experimental, and although we do intend to make databases portable/upgradeable to future releases in the 4.8 train, we currently make no promises. |
90 | There is no downgrade process. | |
58987fb9 | 91 | If you upgrade your database (by starting 4.8.0 without ``lmdb-schema-version=4``), you cannot go back. |
ef30dbb2 PD |
92 | |
93 | Upgrading is only supported from database schema versions 3 and 4, that is, databases created/upgraded by version 4.4 and up. | |
94 | ||
bd7066a0 PD |
95 | In version 4.8.0, schema version 5 is finalised. |
96 | Databases created with -alpha1 or -beta1 work with 4.8.0. | |
97 | ||
98 | 4.6.0 to 4.7.0 | |
99 | -------------- | |
7f3563dd | 100 | |
c6419c8e PD |
101 | Schema changes |
102 | ^^^^^^^^^^^^^^ | |
103 | ||
104 | The new Catalog Zones feature comes with a mandatory schema change for the gsql database backends. | |
366d3886 | 105 | See files named ``4.3.x_to_4.7.0_schema.X.sql`` for your database backend in our Git repo, tarball, or distro-specific documentation path. |
c6419c8e PD |
106 | For the LMDB backend, please review :ref:`setting-lmdb-schema-version`. |
107 | The new LMDB schema version is 4. | |
108 | ||
109 | 4.5.x to 4.6.0 | |
110 | -------------- | |
111 | ||
400b7df8 PD |
112 | Automatic conversion of ``@`` signs in SOA |
113 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
114 | ||
115 | Before version 4.5.0, PowerDNS would automatically replace ``@`` in the SOA RNAME with ``.``, making it easy for users to enter their hostmaster email address without having to think about syntax. | |
116 | However, this feature interacts badly with handling of presigned zones. | |
117 | In version 4.5.0, this feature was accidentally broken in the implementation of the zone cache. | |
118 | In 4.6.0, this automatic conversion is fully removed. | |
119 | If you still have ``@`` signs in any SOA RNAMEs, 4.6.0 will serve those out literally. | |
70dbd079 | 120 | You can find any stray ``@`` signs by running ``pdnsutil check-all-zones``. |
400b7df8 | 121 | |
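To show what a stray ``@`` looks like in stored SOA content and what the corrected RNAME should be, here is an added example (not PowerDNS code). It rewrites the address in DNS mailbox form as described in RFC 1035, escaping dots in the local part; the zone rows are constructed and the function names are hypothetical.

```python
import re


def fix_rname(rname):
    """Rewrite an RNAME containing '@' in DNS mailbox form; leave others alone."""
    if "@" not in rname:
        return rname
    local, _, domain = rname.partition("@")
    # A dot inside the local part must be escaped, otherwise it would be read
    # as a label separator: john.doe@example.com -> john\.doe.example.com
    local = re.sub(r"(?<!\\)\.", r"\\.", local)
    return f"{local}.{domain}"


def audit_soas(rows):
    """Return (zone, old_rname, fixed_content) for SOA rows with '@' in RNAME.

    rows is an iterable of (zone, soa_content), where soa_content is the
    space-separated form "MNAME RNAME serial refresh retry expire minimum".
    """
    findings = []
    for zone, content in rows:
        fields = content.split()
        if len(fields) < 2:
            continue  # no RNAME field to inspect
        rname = fields[1]
        if "@" in rname:
            fields[1] = fix_rname(rname)
            findings.append((zone, rname, " ".join(fields)))
    return findings


# Constructed sample rows, as they might be read from a records table.
SAMPLE_SOAS = [
    ("example.com",
     "ns1.example.com. hostmaster@example.com. 2024010101 10800 3600 604800 3600"),
    ("example.net",
     "ns1.example.net. hostmaster.example.net. 1 10800 3600 604800 3600"),
    ("example.org",
     "ns1.example.org john.doe@example.org 7 10800 3600 604800 3600"),
]

if __name__ == "__main__":
    for zone, old, fixed in audit_soas(SAMPLE_SOAS):
        print(f"{zone}: RNAME {old!r} should be stored as: {fixed}")
```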
6830fcce PD |
122 | New default NSEC3 parameters |
123 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
124 | ||
125 | Following `draft-ietf-dnsop-nsec3-guidance (Guidance for NSEC3 parameter settings) <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance>`__, the default NSEC3PARAM settings (see :ref:`dnssec-operational-nsec-modes-params`) in pdnsutil are now ``1 0 0 -`` instead of ``1 0 1 ab``. | |
126 | ||
04912725 PD |
127 | SHA1 DSes |
128 | ^^^^^^^^^ | |
129 | ||
130 | ``pdnsutil show-zone`` and ``pdnsutil export-zone-ds`` no longer emit SHA1 DS records, unless ``--verbose`` is in use. | |
131 | ||
d49c3e14 PD |
132 | Privileged port binding in Docker |
133 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
134 | ||
135 | In our Docker image, our binaries are no longer granted the ``net_bind_service`` capability, as this is unnecessary in many deployments. | |
7cdef6ed | 136 | For more information, see the section `"Privileged ports" in Docker-README <https://github.com/PowerDNS/pdns/blob/master/Docker-README.md#privileged-ports>`__. |
d49c3e14 | 137 | |
400b7df8 PD |
138 | 4.4.x to 4.5.0 |
139 | -------------- | |
140 | ||
141 | Automatic conversion of ``@`` signs in SOA | |
142 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
143 | ||
144 | Before version 4.5.0, PowerDNS would automatically replace ``@`` in the SOA RNAME with ``.``, making it easy for users to enter their hostmaster email address without having to think about syntax. | |
145 | In version 4.5.0, this feature was accidentally broken in the implementation of the zone cache, and the replacement would only happen if the zone cache was disabled. | |
146 | Note that in 4.6.0, this automatic conversion is fully removed. | |
147 | If you still have ``@`` signs in any SOA RNAMEs, 4.5.0 will serve those out literally if the zone cache is enabled. | |
148 | ||
7f3563dd PD |
149 | Record type changes |
150 | ^^^^^^^^^^^^^^^^^^^ | |
151 | ||
786ed0ff | 152 | The in-database format of ``CSYNC``, ``IPSECKEY``, ``NID``, ``L32``, ``L64``, and ``LP`` records has changed from 'generic' format to its specialized format. |
7f3563dd | 153 | |
71f1dd2c PD |
154 | Generation of the in-database format of ``SVCB`` and ``HTTPS`` received some important bug fixes. |
155 | (For these two types, you can skip the :ref:`setting-upgrade-unknown-types` setting mentioned below, but we still recommend the re-transfer.) | |
156 | ||
157 | API users might notice that replacing records of the newly supported types leaves the old TYPExx records around, even if PowerDNS is not serving them. | |
7f3563dd PD |
158 | To fix this, enable :ref:`setting-upgrade-unknown-types` and replace the records; this will then delete those TYPExx records. |
159 | Then, disable the setting again, because it has a serious performance impact on API operations. | |
160 | ||
161 | On secondaries, it is recommended to re-transfer, using ``pdns_control retrieve ZONE``, with :ref:`setting-upgrade-unknown-types` enabled, all zones that have records of those types, or ``TYPExx``, for numbers 45 and 62. | |
162 | Leave the setting on until all zones have been re-transferred. | |
163 | ||
be42a3b1 | 164 | Changed options |
7064f5eb PD |
165 | ^^^^^^^^^^^^^^^ |
166 | ||
be42a3b1 PL |
167 | Renamed options |
168 | ~~~~~~~~~~~~~~~ | |
169 | ||
7064f5eb | 170 | Various settings have been renamed. |
d0fbd333 | 171 | Their old names still work in 4.5.x, but will be removed in a release after it. |
7064f5eb PD |
172 | |
173 | * :ref:`setting-allow-unsigned-supermaster` is now :ref:`setting-allow-unsigned-autoprimary` | |
174 | * :ref:`setting-master` is now :ref:`setting-primary` | |
175 | * :ref:`setting-slave-cycle-interval` is now :ref:`setting-xfr-cycle-interval` | |
176 | * :ref:`setting-slave-renotify` is now :ref:`setting-secondary-do-renotify` | |
177 | * :ref:`setting-slave` is now :ref:`setting-secondary` | |
178 | * :ref:`setting-superslave` is now :ref:`setting-autosecondary` | |
2dc0dd0c | 179 | * :ref:`setting-domain-metadata-cache-ttl` is now :ref:`setting-zone-metadata-cache-ttl` |
7064f5eb | 180 | |
b69ea3b5 | 181 | Changed defaults |
182 | ~~~~~~~~~~~~~~~~ | |
183 | ||
107c81db PD |
184 | - The default value of the :ref:`setting-consistent-backends` option has been changed from ``no`` to ``yes``. |
185 | - The default value of the :ref:`setting-max-nsec3-iterations` option has been changed from ``500`` to ``100``. | |
186 | - The default value of the ``timeout`` parameter for :func:`ifportup` and :func:`ifurlup` functions has been changed from ``1`` to ``2`` seconds. | |
7a97147f PD |
187 | - The default value of the new :ref:`setting-zone-cache-refresh-interval` option is ``300``. |
188 | ||
189 | Zone cache | |
190 | ~~~~~~~~~~ | |
191 | ||
192 | Version 4.5 introduces the zone cache. | |
193 | The default refresh interval (:ref:`setting-zone-cache-refresh-interval`) is 300, meaning that zones newly added to your backend may need a few minutes to appear. | |
194 | However, zones added using the API should not notice a delay. | |
195 | ||
196 | If your backend is dynamic in what zones it does or does not offer, and thus cannot easily provide a complete list of zones every few minutes, set the interval to 0 to disable the feature. | |
b69ea3b5 | 197 | |
be42a3b1 PL |
198 | Removed options |
199 | ~~~~~~~~~~~~~~~ | |
200 | - :ref:`setting-local-ipv6` has been removed. IPv4 and IPv6 listen addresses should now be set with :ref:`setting-local-address`. | |
b85d2fb7 | 201 | - :ref:`setting-query-local-address6` has been removed. IPv4 and IPv6 addresses used for sending queries should now be set with :ref:`setting-query-local-address`. |
be42a3b1 | 202 | |
30285d45 | 203 | |
d4638952 PL |
204 | 4.3.x to 4.4.0 |
205 | -------------- | |
206 | ||
980049a4 PD |
207 | Latency calculation changes |
208 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
209 | ||
4b60a6b4 PD |
210 | It turned out that average latency calculations in earlier versions used integers instead of floating point variables, which led to the throwing away of any data points between 'the current average' and 1000ms above it, instead of having those data points affecting the average. |
211 | In 4.3.2 and 4.4.0, we `started using floating point variables for this <https://github.com/PowerDNS/pdns/pull/9768/files>`__, which means the latency calculation is accurate now. | |
212 | Usually, this means you will see higher latency numbers after upgrading. | |
980049a4 | 213 | |
142a0aff PD |
214 | MySQL character set detection |
215 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
216 | ||
217 | Before 4.4.0, the gmysql backend told the MySQL (or MariaDB) client libraries to automatically detect the client character set and collation, based on the environment locale. | |
218 | (Look for 'autodetect' in https://dev.mysql.com/doc/refman/5.7/en/charset-connection.html to know more). | |
219 | On some systems, this autodetection makes choices that are incompatible with MySQL Server 8 defaults. | |
220 | On all systems, this autodetection can make choices that vary depending on how PowerDNS is started. | |
221 | In other words, the autodetection provides unpredictable results. | |
222 | ||
223 | In 4.4.0, the autodetection has been removed. | |
224 | The MySQL/MariaDB client lib will now use its default settings, unless overridden in ``my.cnf``, for example:: | |
225 | ||
226 | [client] | |
227 | default-character-set = latin1 | |
228 | ||
229 | If you have trouble connecting to your database with 4.4.0 or up, you can override the character set in ``my.cnf``. | |
230 | ||
231 | Before upgrading, please check your database for any non-ASCII content. | |
232 | The interpretation of the non-ASCII bytes in those fields might change because of a different charset suddenly being used. | |
233 | ||
981c048f PD |
234 | Record type changes |
235 | ^^^^^^^^^^^^^^^^^^^ | |
d4638952 | 236 | |
c466b354 | 237 | The in-database format of the ``SVCB``, ``HTTPS`` and ``APL`` records has changed from 'generic' format to its specialized format. |
981c048f | 238 | |
981c048f PD |
239 | API users might notice that replacing records of these types leaves the old TYPExx records around, even if PowerDNS is not serving them. |
240 | To fix this, enable :ref:`setting-upgrade-unknown-types` and replace the records; this will then delete those TYPExx records. | |
241 | Then, disable the setting again, because it has a serious performance impact on API operations. | |
d4638952 | 242 | |
7f3563dd | 243 | On secondaries, it is recommended to re-transfer, using ``pdns_control retrieve ZONE``, with :ref:`setting-upgrade-unknown-types` enabled, all zones that have records of those types, or ``TYPExx``, for numbers 42, 64, 65. |
c221a9cb | 244 | Leave the setting on until all zones have been re-transferred. |
7b12cd67 | 245 | |
5326e0af PD |
246 | PostgreSQL configuration escaping |
247 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
248 | ||
249 | We now correctly quote/escape Postgres connection parameters. | |
8fc33f55 | 250 | If you used single quotes (or some other form of escaping) around your Postgres password because it contained spaces, you now need to put your unmodified, unescaped, unquoted password in your configuration. |
5326e0af | 251 | |
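Why a password that was quoted by hand stops working once the server does the quoting itself, as an added example (not PowerDNS code). It applies the libpq ``keyword=value`` connection-string rules (values in single quotes, with ``\`` and ``'`` escaped by a backslash); ``naive_conninfo`` models unescaped concatenation as an assumption, and the host name and password are constructed.

```python
def quote_conninfo_value(value):
    """Quote one value for a libpq keyword=value connection string."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def build_conninfo(params):
    """Build a connection string with every value quoted and escaped."""
    return " ".join(f"{k}={quote_conninfo_value(v)}" for k, v in params.items())


def naive_conninfo(params):
    """Assumed older behaviour: values pasted into the string unmodified."""
    return " ".join(f"{k}={v}" for k, v in params.items())


def parse_conninfo(conninfo):
    """Minimal parser for keyword=value strings, to show what the server sees."""
    result = {}
    i, n = 0, len(conninfo)
    while i < n:
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n:
            break
        eq = conninfo.index("=", i)  # ValueError if a keyword has no '='
        key = conninfo[i:eq].strip()
        i = eq + 1
        while i < n and conninfo[i].isspace():
            i += 1
        quoted = i < n and conninfo[i] == "'"
        if quoted:
            i += 1
        value = []
        while True:
            if i >= n:
                if quoted:
                    raise ValueError("unterminated quoted value")
                break
            c = conninfo[i]
            if c == "\\" and i + 1 < n:  # backslash escapes the next character
                value.append(conninfo[i + 1])
                i += 2
            elif quoted and c == "'":
                i += 1
                break
            elif not quoted and c.isspace():
                break
            else:
                value.append(c)
                i += 1
        result[key] = "".join(value)
    return result


def effective_password(configured, builder):
    """Return the password the database receives for a configured value."""
    conninfo = builder({"host": "db.example.net", "password": configured})
    return parse_conninfo(conninfo)["password"]


if __name__ == "__main__":
    # Hand-quoted workaround, unescaped concatenation: the quotes are syntax.
    print(effective_password("'two words'", naive_conninfo))
    # Same setting with proper quoting: the quotes become part of the password.
    print(effective_password("'two words'", build_conninfo))
    # Unmodified password with proper quoting: what these notes ask for.
    print(effective_password("two words", build_conninfo))
```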
a03aaad7 PD |
252 | New LMDB schema |
253 | ^^^^^^^^^^^^^^^ | |
254 | ||
255 | An LMDB schema upgrade is mandatory. | |
548b4d38 | 256 | Please carefully read :ref:`setting-lmdb-schema-version` before upgrading to 4.4.x. The new schema version is version 3. |
a03aaad7 | 257 | |
e756d013 PD |
258 | Removed features |
259 | ^^^^^^^^^^^^^^^^ | |
260 | ||
af02f99b | 261 | SOA autofilling (i.e. allowing incomplete SOAs in the database) and the API ``set-ptr`` feature, which were both deprecated in earlier releases, have now been removed. Please update your configuration and remove the following settings: |
e8cd98a7 MS |
262 | |
263 | * :ref:`setting-default-soa-mail` | |
264 | * :ref:`setting-default-soa-name` | |
265 | * :ref:`setting-soa-expire-default` | |
266 | * :ref:`setting-soa-minimum-ttl` | |
267 | * :ref:`setting-soa-refresh-default` | |
268 | * :ref:`setting-soa-retry-default` | |
269 | ||
bc95dff3 | 270 | Replace them with :ref:`setting-default-soa-content`, but be aware that this will only be used at zone creation time. |
e756d013 PD |
271 | Please run ``pdnsutil check-all-zones`` to check for incomplete SOAs. |
272 | ||
f8603612 PD |
273 | The :ref:`setting-do-ipv6-additional-processing` setting was removed. IPv6 additional processing now always happens when IPv4 additional processing happens. |
274 | ||
4b60a6b4 PD |
275 | 4.3.1 to 4.3.2 |
276 | -------------- | |
277 | ||
278 | Latency calculation changes | |
279 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
280 | ||
281 | It turned out that average latency calculations in earlier versions used integers instead of floating point variables, which led to the throwing away of any data points between 'the current average' and 1000ms above it, instead of having those data points affecting the average. | |
282 | In 4.3.2 and 4.4.0, we `started using floating point variables for this <https://github.com/PowerDNS/pdns/pull/9786/files>`__, which means the latency calculation is accurate now. | |
283 | Usually, this means you will see higher latency numbers after upgrading. | |
284 | ||
285 | To be very clear, there is no performance difference between 4.3.1 and 4.3.2. | |
286 | The only change is in the latency calculation, which was wrong in 4.3.1 and is correct in 4.3.2. | |
287 | This fix was backported to 4.3.2 from 4.4.0 so that users can fairly compare the performance of 4.3.2 and 4.4.0. | |
288 | ||
4d34a714 PD |
289 | 4.3.0 to 4.3.1 |
290 | -------------- | |
291 | ||
292 | On RHEL/CentOS 8, the gmysql backend now uses ``mariadb-connector-c`` instead of ``mysql-libs``. | |
293 | This change was made because the default MySQL implementation for RHEL8 is MariaDB, and MariaDB and MySQL cannot be installed in parallel due to conflicting RPM packages. | |
294 | The mariadb client lib will connect to your existing MySQL servers without trouble. | |
295 | ||
5e58aee0 PD |
296 | Unknown record encoding (`RFC 3597 <https://tools.ietf.org/html/rfc3597>`__) has become more strict as a result of the fixes for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>`. Please use ``pdnsutil check-all-zones`` to review your zone contents. |
297 | ||
1c52074d PD |
298 | The previous set of indexes for the gsqlite3 backend was found to be poor. |
299 | 4.3.1 ships a new schema, and a migration: | |
300 | ||
301 | .. literalinclude:: ../modules/gsqlite3backend/4.3.0_to_4.3.1_schema.sqlite3.sql | |
302 | ||
0870304c AT |
303 | 4.2.x to 4.3.0 |
304 | -------------- | |
305 | ||
68b63c08 PD |
306 | NSEC(3) TTL changed |
307 | ^^^^^^^^^^^^^^^^^^^ | |
308 | ||
309 | NSEC(3) records now use the negative TTL, instead of the SOA minimum TTL. | |
310 | See :ref:`the DNSSEC TTL notes <dnssec-ttl-notes>` for more information. | |
311 | ||
9ed258d5 PL |
312 | Lua Netmask class methods changed |
313 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
314 | ||
315 | Netmask class methods ``isIpv4`` and ``isIpv6`` have been deprecated in Lua, use :func:`Netmask.isIPv4` and :func:`Netmask.isIPv6` instead. In the C++ API, these methods have been removed. | |
316 | ||
317 | ``socket-dir`` changed | |
318 | ^^^^^^^^^^^^^^^^^^^^^^ | |
319 | The default :ref:`setting-socket-dir` has changed to include ``pdns`` in the path. | |
320 | It is now whatever is passed to ``--with-socketdir`` during configure (``/var/run`` by default) plus ``pdns``. | |
321 | The systemd unit-file is updated to reflect this change and systemd will automatically create the directory with the proper permissions. | |
322 | The packaged sysV init-script also creates this directory. | |
323 | For other operating systems, update your init-scripts accordingly. | |
324 | ||
325 | Systemd service and permissions | |
326 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
327 | The systemd service-file that is installed no longer uses the ``root`` user to start. | |
328 | It uses the user and group set with the ``--with-service-user`` and ``--with-service-group`` switches during configuration, "pdns" by default. | |
329 | This could mean that PowerDNS cannot read its configuration or zone-file data. | |
330 | It is recommended to recursively ``chown`` directories used by PowerDNS:: | |
331 | ||
332 | # For Debian-based systems | |
333 | chown -R root:pdns /etc/powerdns | |
334 | chown -R pdns:pdns /var/lib/powerdns | |
335 | ||
336 | # For CentOS and RHEL based systems | |
337 | chown -R root:pdns /etc/pdns | |
338 | chown -R pdns:pdns /var/lib/pdns | |
339 | ||
340 | Packages provided on `the PowerDNS Repository <https://repo.powerdns.com>`__ will ``chown`` directories created by them accordingly in the post-installation steps. | |
341 | ||
342 | New settings | |
343 | ^^^^^^^^^^^^ | |
344 | ||
cefba199 JS |
345 | - The :ref:`setting-axfr-fetch-timeout` setting has been added. |
346 | This setting controls how long an inbound AXFR may be idle in seconds. | |
347 | Its default is 10. | |
348 | - The :ref:`setting-max-generate-steps` setting has been added. | |
349 | This sets the maximum number of steps that will be performed when loading a BIND zone with the ``$GENERATE`` directive. | |
350 | The default is 0, which is unlimited. | |
9ed258d5 | 351 | |
be42a3b1 PL |
352 | Deprecated settings |
353 | ^^^^^^^^^^^^^^^^^^^ | |
9ed258d5 | 354 | |
be42a3b1 PL |
355 | - :ref:`setting-local-ipv6` has been deprecated and will be removed in 4.5.0. Both IPv4 and IPv6 listen addresses can now be set with :ref:`setting-local-address`. The default for the latter has been changed to ``0.0.0.0, ::``. |
356 | ||
357 | Changed defaults | |
358 | ^^^^^^^^^^^^^^^^ | |
359 | - :ref:`setting-local-address` now defaults to ``0.0.0.0, ::``. | |
9ed258d5 | 360 | |
47fff195 PD |
361 | Schema changes |
362 | ^^^^^^^^^^^^^^ | |
cefba199 JS |
363 | - The new 'unpublished DNSSEC keys' feature comes with a mandatory schema change for all database backends (including BIND with a DNSSEC database). |
364 | See files named ``4.2.0_to_4.3.0_schema.X.sql`` for your database backend in our Git repo, tarball, or distro-specific documentation path. | |
365 | For the LMDB backend, please review :ref:`setting-lmdb-schema-version`. | |
f22c2ea6 | 366 | - If you are upgrading from 4.3.0-beta2 or 4.3.0-rc2, AND ONLY THEN, please read `pull request #8975 <https://github.com/PowerDNS/pdns/pull/8975>`__ very carefully. |
b66617ed | 367 | |
47fff195 PD |
368 | Implicit 5->7 algorithm upgrades |
369 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
370 | ||
a4a8f6c8 | 371 | Since version 3.0 (the first version of the PowerDNS Authoritative Server that supported DNSSEC signing), we have automatically, silently, upgraded algorithm 5 (RSASHA1) keys to algorithm 7 (RSASHA1-NSEC3-SHA1) when the user enabled NSEC3. This has been a source of confusion, and because of that, we introduced warnings for users of this feature in 4.0 and 4.1. To see if you are affected, run ``pdnsutil check-all-zones`` from version 4.0 or up. In this release, the automatic upgrade is gone, and affected zones will break if no action is taken. |
0870304c | 372 | |
320757b3 PD |
373 | .. _ixfr-in-corruption-4.3.0: |
374 | ||
375 | IXFR-in corruption | |
376 | ^^^^^^^^^^^^^^^^^^ | |
377 | ||
378 | A bug in PowerDNS versions before 4.2.2/4.3.0 would cause wrong deletion or addition of records if IXFR deltas came in very quickly (within the query cache timeout, which defaults to 20/60 seconds). | |
379 | If you have zones which use inbound IXFR (in other words, the ``IXFR`` metadata item for that zone is set to ``1``), we strongly suggest triggering a completely fresh transfer. | |
380 | You could accomplish that by deleting all records in the zone with an SQL query and waiting for a fresh transfer, or by (1) disabling IXFR, (2) forcing a fresh transfer using ``pdns_control retrieve example.com``, and (3) enabling IXFR again. | |
381 | ||
5e58aee0 PD |
382 | 4.2.X to 4.2.3 |
383 | -------------- | |
384 | ||
385 | Unknown record encoding (`RFC 3597 <https://tools.ietf.org/html/rfc3597>`__) has become more strict as a result of the fixes for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>`. Please use ``pdnsutil check-all-zones`` to review your zone contents. | |
386 | ||
f87a4264 PD |
387 | 4.X.X to 4.2.2 |
388 | -------------- | |
389 | ||
390 | .. _ixfr-in-corruption-4.2.2: | |
391 | ||
392 | IXFR-in corruption | |
393 | ^^^^^^^^^^^^^^^^^^ | |
394 | ||
395 | A bug in PowerDNS versions before 4.2.2/4.3.0 would cause wrong deletion or addition of records if IXFR deltas came in very quickly (within the query cache timeout, which defaults to 20/60 seconds). | |
396 | If you have zones which use inbound IXFR (in other words, the ``IXFR`` metadata item for that zone is set to ``1``), we strongly suggest triggering a completely fresh transfer. | |
397 | You could accomplish that by deleting all records in the zone with an SQL query and waiting for a fresh transfer, or by (1) disabling IXFR, (2) forcing a fresh transfer using ``pdns_control retrieve example.com``, and (3) enabling IXFR again. | |
398 | ||
399 | ||
d3dfd71e PD |
400 | 4.1.X to 4.2.0 |
401 | -------------- | |
402 | ||
403 | - Superslave operation is no longer enabled by default, use :ref:`setting-superslave` to enable. This setting was called ``supermaster`` in some 4.2.0 prereleases. | |
367f9b40 | 404 | - The gsqlite3 backend, and the DNSSEC database for the BIND backend, have a new journal-mode setting. This setting defaults to `WAL <https://www.sqlite.org/wal.html>`_; older versions of PowerDNS did not set the journal mode, which means they used the SQLite default of DELETE. |
4d39fb4b | 405 | - Autoserial support has been removed. The ``change_date`` column has been removed from the ``records`` table in all gsql backends, but leaving it in is harmless. |
a84c85c1 | 406 | - The :doc:`Generic PostgreSQL backend <backends/generic-postgresql>` schema has changed: the ``notified_serial`` column type in the ``domains`` table has been changed from ``INT DEFAULT NULL`` to ``BIGINT DEFAULT NULL``: ``ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;`` |
4b525a97 | 407 | - Rectification after API changes is now default (:ref:`setting-default-api-rectify`). If you do mutations in large zones, you may notice a slowdown. |
d3dfd71e | 408 | |
5e58aee0 PD |
409 | 4.1.X to 4.1.14 |
410 | --------------- | |
411 | ||
412 | Unknown record encoding (`RFC 3597 <https://tools.ietf.org/html/rfc3597>`__) has become more strict as a result of the fixes for :doc:`PowerDNS Security Advisory 2020-05 <../security-advisories/powerdns-advisory-2020-05>`. Please use ``pdnsutil check-all-zones`` to review your zone contents. | |
413 | ||
1346a21e EW |
414 | 4.1.0 to 4.1.1 |
415 | -------------- | |
416 | ||
417 | - The :doc:`Generic MySQL backend <backends/generic-mysql>` schema has | |
418 | changed: the ``notified_serial`` column default in the ``domains`` | |
419 | table has been changed from ``INT DEFAULT NULL`` to ``INT UNSIGNED | |
420 | DEFAULT NULL``: | |
421 | ||
422 | - ``ALTER TABLE domains MODIFY notified_serial INT UNSIGNED DEFAULT NULL;`` | |
423 | ||
0e2063c3 PL |
424 | 4.0.X to 4.1.0 |
425 | -------------- | |
426 | ||
22544d28 | 427 | - Recursion has been removed, see the :doc:`dedicated migration guide <guides/recursion>`. |
7a88a92f | 428 | - ALIAS record expansion is disabled by default, use :ref:`setting-expand-alias` to enable. |
bab2a886 EW |
429 | - *Your LDAP schema might need to be updated*, because new record types |
430 | have been added (see below) and the ``dNSDomain2`` type has been | |
431 | changed. | |
22544d28 PL |
432 | - The :doc:`LDAP Backend <backends/ldap>` now supports additional Record types |
433 | ||
434 | - NSEC3 | |
435 | - NSEC3PARAM | |
436 | - TLSA | |
437 | - CDS | |
438 | - CDNSKEY | |
439 | - OPENPGPKEY | |
440 | - TKEY | |
441 | - URI | |
442 | - CAA | |
0e2063c3 PL |
443 | |
444 | Changed options | |
445 | ^^^^^^^^^^^^^^^ | |
446 | ||
447 | - The ``experimental-lua-policy-script`` option and the feature itself have | |
10200e92 PL |
448 | been completely dropped. We invite you to use `PowerDNS |
449 | dnsdist <https://dnsdist.org>`_ instead. | |
0e2063c3 | 450 | |
621f5105 PL |
451 | - As recursion has been removed from the Authoritative Server, the |
452 | ``allow-recursion``, ``recursive-cache-ttl`` and ``recursor`` options have | |
453 | been removed as well. | |
454 | ||
c01b3507 PL |
455 | - ``default-ksk-algorithms`` has been renamed to :ref:`setting-default-ksk-algorithm` |
456 | and only supports a single algorithm name now. | |
457 | ||
458 | - ``default-zsk-algorithms`` has been renamed to :ref:`setting-default-zsk-algorithm` | |
459 | and only supports a single algorithm name now. | |
460 | ||
0e2063c3 PL |
461 | Changed defaults |
462 | ~~~~~~~~~~~~~~~~ | |
463 | ||
ef75af13 EW |
464 | - The default value of :ref:`setting-webserver-allow-from` has been changed from ``0.0.0.0, ::/0`` to ``127.0.0.1, ::1``. |
465 | ||
0e2063c3 PL |
466 | Other changes |
467 | ^^^^^^^^^^^^^ | |
468 | ||
469 | The ``--with-pgsql``, ``--with-pgsql-libs``, ``--with-pgsql-includes`` | |
470 | and ``--with-pgsql-config`` ``configure`` options have been deprecated. | |
471 | ``configure`` now attempts to find the Postgresql client libraries via | |
472 | ``pkg-config``, falling back to detecting ``pg_config``. Use | |
473 | ``--with-pg-config`` to specify a path to a non-default ``pg_config`` if | |
474 | you have Postgresql installed in a non-default location. | |
475 | ||
cb264691 | 476 | The ``--with-libsodium`` configure flag has changed from 'no' to 'auto'. |
67f12ad9 PL |
477 | This means that if libsodium and its development header are installed, it will be linked in. |
478 | ||
d001d2e4 PL |
479 | The improved :doc:`LDAP Backend <backends/ldap>` now requires Kerberos headers to be installed. |
480 | Specifically, it needs ``krb5.h`` to be installed. | |
481 | ||
0e2063c3 PL |
482 | 4.0.X to 4.0.2 |
483 | -------------- | |
484 | ||
485 | Changed options | |
486 | ^^^^^^^^^^^^^^^ | |
487 | ||
488 | Changed defaults | |
489 | ~~~~~~~~~~~~~~~~ | |
490 | ||
491 | - :ref:`setting-any-to-tcp` changed from ``no`` to ``yes`` | |
492 | ||
493 | 3.4.X to 4.0.0 | |
494 | -------------- | |
495 | ||
496 | Database changes | |
497 | ^^^^^^^^^^^^^^^^ | |
498 | ||
499 | No changes have been made to the database schema. However, several | |
500 | superfluous queries have been dropped from the SQL backend. Furthermore, | |
501 | the generic SQL backends switched to prepared statements. If you use a | |
502 | non-standard SQL schema, please review the new defaults. | |
503 | ||
504 | - ``insert-ent-query``, ``insert-empty-non-terminal-query``, | |
505 | ``insert-ent-order-query`` have been replaced by one query named | |
506 | ``insert-empty-non-terminal-order-query`` | |
507 | - ``insert-record-order-query`` has been dropped, | |
508 | ``insert-record-query`` now sets the ordername (or NULL) | |
509 | - ``insert-slave-query`` has been dropped, ``insert-zone-query`` now | |
510 | sets the type of zone | |
511 | ||
512 | Changed options | |
513 | ^^^^^^^^^^^^^^^ | |
514 | ||
515 | Several options have been removed or renamed, for the full overview of | |
516 | all options, see :doc:`settings`. | |
517 | ||
518 | Renamed options | |
519 | ~~~~~~~~~~~~~~~ | |
520 | ||
521 | The following options have been renamed: | |
522 | ||
523 | - ``experimental-json-interface`` ==> :ref:`setting-api` | |
080108eb | 524 | - ``experimental-api-readonly`` ==> ``api-readonly`` |
0e2063c3 PL |
525 | - ``experimental-api-key`` ==> :ref:`setting-api-key` |
526 | - ``experimental-dname-processing`` ==> :ref:`setting-dname-processing` | |
527 | - ``experimental-dnsupdate`` ==> :ref:`setting-dnsupdate` | |
528 | - ``allow-dns-update-from`` ==> :ref:`setting-allow-dnsupdate-from` | |
529 | - ``forward-dnsupdates`` ==> :ref:`setting-forward-dnsupdate` | |
530 | ||
531 | Changed defaults | |
532 | ~~~~~~~~~~~~~~~~ | |
533 | ||
534 | - :ref:`setting-default-ksk-algorithms` | |
535 | changed from rsasha256 to ecdsa256 | |
536 | - :ref:`setting-default-zsk-algorithms` | |
537 | changed from rsasha256 to empty | |
538 | ||
539 | Removed options | |
540 | ~~~~~~~~~~~~~~~ | |
541 | ||
542 | The following options are removed: | |
543 | ||
544 | - ``pipebackend-abi-version``, it is now a per-pipe-backend setting. | |
545 | - ``strict-rfc-axfrs`` | |
546 | - ``send-root-referral`` | |
547 | ||
548 | API | |
549 | ^^^ | |
550 | ||
551 | The API path has changed to ``/api/v1``. | |
552 | ||
553 | Incompatible change: ``SOA-EDIT-API`` now follows ``SOA-EDIT-DNSUPDATE`` | |
554 | instead of ``SOA-EDIT`` (incl. the fact that it now has a default value | |
555 | of ``DEFAULT``). You must update your existing ``SOA-EDIT-API`` metadata | |
556 | (set ``SOA-EDIT`` to your previous ``SOA-EDIT-API`` value, and | |
557 | ``SOA-EDIT-API`` to ``SOA-EDIT`` to keep the old behaviour). | |
558 | ||
559 | Resource Record Changes | |
560 | ^^^^^^^^^^^^^^^^^^^^^^^ | |
561 | ||
562 | Since PowerDNS 4.0.0 the CAA resource record (type 257) is supported. | |
563 | Before PowerDNS 4.0.0 type 257 was used for a proprietary MBOXFW | |
564 | resource record, which was removed from PowerDNS 4.0. Hence, if you used | |
565 | CAA records with 3.4.x (stored in the DB with wrong type=MBOXFW but | |
566 | worked fine) and upgrade to 4.0, PowerDNS will fail to parse these | |
567 | records and will throw an exception on all queries for a label with | |
568 | MBOXFW records. Thus, make sure to clean up the records in the DB. | |
17f0bbcf PL |
569 | |
570 | In version 3.X, the PowerDNS Authoritative Server silently ignored records that | |
571 | have a 'priority' field (like MX or SRV), but where one was not in the database. | |
572 | In 4.X, :doc:`pdnsutil check-zone <manpages/pdnsutil.1>` will complain about this. |