PowerDNS

Software Details:
Version: 4.1.3 updated
Upload Date: 22 Jun 18
Developer: PowerDNS.COM BV
Distribution Type: Freeware
Downloads: 75

Rating: 1.0/5 (Total Votes: 3)

PowerDNS is a free and open source, high-performance nameserver daemon that can be configured to act as an advanced, modern authoritative-only nameserver on GNU/Linux operating systems as well as BSD distributions.

A DNS server written from scratch

PowerDNS is written from scratch, conforms with all relevant DNS standards documents, and interfaces with almost any database. It is distributed in multiple, separate packages, including pdns, powerdns-server, pdns-recursor and pdns-server.

Uses a flexible backend architecture

The application uses a flexible backend architecture that allows access to DNS information from any data source, including file formats, relational databases, LDAP directories, and Bind zone files.

PowerDNS is configured by default to serve all information directly from a database, which results in unmatched maintainability of your DNS information. It is available on all major Linux distributions.

Who uses PowerDNS?

Several domain name hosting companies and domain registrars use the PowerDNS software to handle their services, including BIT Internet Technology, Hostnet, Totaalnet Internet Works, Oxilion, WebReus, and mijndomein.nl.

Under the hood and availability

The software is written entirely in the C++ programming language and is distributed as pre-built binary packages in the DEB and RPM file formats, supporting both 64-bit and 32-bit hardware platforms.

As an open source software project, PowerDNS is also available for download as a universal source archive, allowing users to optimize it for a specific hardware architecture and operating system.

What is new in this release:

  • Improvements:
      • #6239, #6559: pdnsutil: use new domain in b2bmigrate (Aki Tuomi)
      • #6130: Update copyright years to 2018 (Matt Nordhoff)
      • #6312, #6545: Lower 'packet too short' loglevel
  • Bug Fixes:
      • #6441, #6614: Restrict creation of OPT and TSIG RRsets
      • #6228, #6370: Fix handling of user-defined axfr filters return values
      • #6584, #6585, #6608: Prevent the GeoIP backend from copying NetMaskTrees around, fixes slow-downs in certain configurations (Aki Tuomi)
      • #6654, #6659: Ensure alias answers over TCP have correct name

What is new in version :

  • This release features prominent contributions from our community. We'd like to highlight the tireless work of Kees Monshouwer in improving the Authoritative Server based on his huge experience scaling PowerDNS to millions of DNSSEC production zones. Christian Hofstaedtler and Jan-Piet Mens contributed massively as well in many different places. Also a round of thanks to Gregory Oestreicher for revamping and reviving the LDAP backend. Wolfgang Studier, "#MrM0nkey", Tudor Soroceanu and Benjamin Zengin delivered the DNSSEC management API, as part of their studies at TU Berlin.
  • We have tried to list everyone else in the full changelog, and we are very grateful for all the work and testing PowerDNS has received from the community!
  • Improved performance: 4x speedup in some scenarios:
      • More than a year ago, the RIPE NCC benchmarked several nameserver implementations, and found PowerDNS was not a performant root-server. Although PowerDNS is great at serving millions of zones, we'd like to be fast on smaller zones as well. Results of this optimization spree are described here, and also in this longer article "Optimizing optimizing: some insights that led to a 400% speedup of PowerDNS". Kees Monshouwer's cache (re)work has been vital to attaining this performance improvement.
  • Crypto API: DNSSEC fully configurable via RESTful API:
      • Our RESTful HTTP API has gained support for DNSSEC & key management. This API is "richer than most" since it is aware of DNSSEC semantics, and therefore allows you to manipulate zones without having to think about DNSSEC details. The API will do the right thing. This work was contributed by Wolfgang Studier, #MrM0nkey, Tudor Soroceanu and Benjamin Zengin as part of their work over at TU Berlin.
  • Database related: reconnection and 64 bit id fields:
      • Database servers sometimes disconnect after shorter or longer idle periods. This could confuse both PowerDNS and database client libraries under some quiet conditions. 4.1 contains enhanced reconnection logic that we believe solves all associated problems. In a pleasing development, one PowerDNS user has a database so large they exceeded a 32 bit id counter, which has now been made 64 bit.
  • Improved documentation:
      • Our Pieter Lexis invested a ton of time improving not only the contents but also the appearance and search of our documentation. Take a look at https://doc.powerdns.com/authoritative/ and know you can easily edit our documentation via GitHub's built in editor.
  • Recursor passthrough removal:
      • This will impact many installations, and we realize this may be painful, but it is necessary. Previously, the PowerDNS Authoritative Server contained a facility for sending recursion desired queries to a resolving backend, possibly after first consulting its local cache. This feature ('recursor=') was frequently confusing and also delivered inconsistent results, for example when a query ended up referring to a CNAME that was outside of the Authoritative Server's knowledge. To migrate from a 3.0 or 4.0 era PowerDNS Authoritative Server with a 'recursor' statement in the configuration file, please see Migrating from using recursion on the Authoritative Server to using a Recursor.
  • Miscellaneous:
      • Support was added for TCP Fast Open. Non-local bind is now supported. pdnsutil check-zone will now warn about more errors or unlikely configurations. Our packages now ship with PKCS #11 support (which previously required a recompilation). Improved integration with systemd logging (timestamp removal).

What is new in version 4.0.0:

  • Many of the changes are on the inside and were part of the great "spring cleaning":
      • Moved to C++ 2011, a cleaner more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
      • Implemented dedicated infrastructure for dealing with DNS names that is fully "DNS Native" and needs less escaping and unescaping. Due to this, the PowerDNS Authoritative Server can now serve DNSSEC-enabled root-zones.
      • All backends derived from the Generic SQL backend use prepared statements.
      • Both the server and pdns_control do the right thing when chroot'ed.
      • Caches are now fully canonically ordered, which means entries can be wiped on suffix in all places.
  • In addition to this cleanup, the following new and exciting features have been added:
      • A revived and supported ODBC backend (godbc).
      • A revived and supported LDAP backend (ldap).
      • Support for CDS/CDNSKEY and RFC 7344 key-rollovers.
      • Support for the ALIAS record.
      • The webserver and API are no longer experimental. The API-path has moved to /api/v1
      • DNSUpdate is no longer experimental.
      • ECDSA (algorithm 13 and 14) supported without in-tree cryptographic libraries (provided by OpenSSL).
      • Experimental support for ed25519 DNSSEC signatures (when compiled with libsodium support).
      • Many new pdnsutil commands, e.g.
          • help command now produces the help
          • Warns if the configuration file cannot be read
          • Does not check disabled records with check-zone unless verbose mode is enabled
          • create-zone command creates a new zone
          • add-record command to add records
          • delete-rrset and replace-rrset commands to delete and add rrsets
          • edit-zone command that spawns $EDITOR with the zone contents in zonefile format regardless of the backend used (blogpost)
      • GeoIP backend has gained many features, and can now e.g. run based on explicit netmasks not present in the GeoIP databases
  • With new features come removals. The following backends have been dropped in 4.0.0:
      • LMDB.
      • Geo (use the improved GeoIP instead).
  • Other important changes and deprecations include:
      • pdnssec has been renamed to pdnsutil.
      • Support for the PolarSSL/MbedTLS, Crypto++ and Botan cryptographic libraries has been dropped in favor of the (faster) OpenSSL libcrypto (except for GOST, which is still provided by Botan).
      • ECDSA P256 SHA256 (algorithm 13) is now the default algorithm when securing zones.
      • The PowerDNS Authoritative Server now listens by default on all IPv6 addresses.
      • Several superfluous queries have been dropped from the Generic SQL backends. If you use a non-standard SQL schema, please review the new defaults:
          • insert-ent-query, insert-empty-non-terminal-query, insert-ent-order-query have been replaced by one query named insert-empty-non-terminal-order-query
          • insert-record-order-query has been dropped, insert-record-query now sets the ordername (or NULL)
          • insert-slave-query has been dropped, insert-zone-query now sets the type of zone
      • The INCEPTION, INCEPTION-WEEK and EPOCH SOA-EDIT metadata values are marked as deprecated and will be removed in 4.1.0

What is new in version 3.4.9:

  • The biggest fixes are improved negative caching and preventing a crash that could happen during the AXFR of a zone with many MX records of different priorities.

What is new in version 3.4.4:

  • The most important part of this update is a fix for CVE-2015-1868.

What is new in version 3.4.3:

  • Bug fixes:
      • commit ceb49ce: pdns_control: exit 1 on unknown command (Ruben Kerkhof)
      • commit 1406891: evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
      • commit 3ca050f: always set di.notified_serial in getAllDomains (Kees Monshouwer)
      • commit d9d09e1: pdns_control: don't open socket in /tmp (Ruben Kerkhof)
  • New features:
      • commit 2f67952: Limit who can send us AXFR notify queries (Ruben Kerkhof)
  • Improvements:
      • commit d7bec64: respond REFUSED instead of NOERROR for "unknown zone" situations
      • commit ebeb9d7: Check for Lua 5.3 (Ruben Kerkhof)
      • commit d09931d: Check compiler for relro support instead of linker (Ruben Kerkhof)
      • commit c4b0d0c: Replace PacketHandler with UeberBackend where possible (Christian Hofstaedtler)
      • commit 5a85152: PacketHandler: Share UeberBackend with DNSSECKeeper (Christian Hofstaedtler)
      • commit 97bd444: fix building with GCC 5
  • Experimental API changes (Christian Hofstaedtler):
      • commit ca44706: API: move shared DomainInfo reader into its own function
      • commit 102602f: API: allow writing to domains.account field
      • commit d82f632: API: read and expose domain account field
      • commit 2b06977: API: be more strict when parsing record contents
      • commit 2f72b7c: API: Reject unknown types (TYPE0)

What is new in version 3.4.2:

  • Improvements:
      • commit 73004f1: implement CORS for the HTTP API
      • commit 4d9c289: qtype is now case insensitive in API and database
      • commit 13af5d8, commit 223373a, commit 1d5a68d, commit 705a73f, commit b418d52: Allow (optional) PIE hardening
      • commit 2f86f20: json-api: remove priority from json
      • commit cefcf9f: backport remotebackend fixes
      • commit 920f987, commit dd8853c: Support Lua 5.3
      • commit 003aae5: support single-type ZSK signing
      • commit 1c57e1d: Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to load before we chroot. I can't reproduce the bug on my local system, but this "should" help.
      • commit 031ab21: update polarssl to 1.3.9
  • Bug fixes:
      • commit 60b2b7c, commit d962fbc: refuse overly long labels in names
      • commit a64fd6a: auth: limit long version strings to 63 characters and catch exceptions in secpoll
      • commit fa52e02: pdnssec: fix ttl check for RRSIG records
      • commit 0678b25: fix up latency reporting for sub-millisecond latencies (would clip to 0)
      • commit d45c1f1: make sure we don't throw an exception on "pdns_control show" of an unknown variable
      • commit 63c8088: fix startup race condition with carbon thread already trying to broadcast uninitialized data
      • commit 796321c: make qsize-q more robust
      • commit 407867c: Kees Monshouwer discovered we count corrupt packets and EAGAIN situations as validly received packets, skewing the udp questions/answers graphs on auth.
      • commit f06d069: make latency & qsize reporting 'live'. Plus fix that we only reported the qsize of the first distributor.
      • commit 2f3498e: fix up statbag for carbon protocol and function pointers
      • commit 0f2f999: get priority from table in Lua axfrfilter; fixes ticket #1857
      • commit 96963e2, commit bbcbbbe, commit d5c9c07: various backends: fix records pointing at root
      • commit e94c2c4: remove additional layer of trailing . stripping, which broke MX records to the root in the BIND backend. Should close ticket #1243.
      • commit 8f35ba2: api: use uncached results for getKeys()
      • commit c574336: read ALLOW-AXFR-FROM from the backend with the metadata
  • Minor changes:
      • commit 1e39b4c: move manpages to section 1
      • commit b3992d9: secpoll: Replace ~ with _
      • commit 9799ef5: only zones with an active ksk are secure
      • commit d02744f: api: show keys for zones without active ksk
  • New features:
      • commit 1b97ba0: add signatures metric to auth, so we can plot signatures/second
      • commit 92cef2d: pdns_control: make it possible to notify all zones at once
      • commit f648752: JSON API: provide flush-cache, notify, axfr-receive
      • commit 02653a7: add 'bench-db' to do very simple database backend performance benchmark
      • commit a83257a: enable callback based metrics to statbas, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size
  • Performance improvements:
      • commit a37fe8c: better key for packetcache
      • commit e5217bb: don't do time(0) under signature cache lock
      • commit d061045, commit 135db51, commit 7d0f392: shard the packet cache, closing ticket #1910.
      • commit d71a712: with thanks to Jack Lloyd, this works around the default Botan allocator slowing down for us during production use.

What is new in version 3.4.1:

  • commit dcd6524, commit a8750a5, commit 7dc86bf, commit 2fda71f: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, "Security polling".
  • commit 5fe6dc0: API: Replace HTTP Basic auth with static key in custom header (X-API-Key)
  • commit 4a95ab4: Use transaction for pdnssec increase-serial
  • commit 6e82a23: Don't empty ordername during pdnssec increase-serial
  • commit 535f4e3: honor SOA-EDIT while considering "empty IXFR" fallback, fixes ticket 1835. This fixes slaving of signed zones to IXFR-aware slaves like NSD or BIND.

What is new in version 3.4:

  • This is a performance, feature, bugfix and conformity update to 3.3.1 and any earlier version. It contains a huge amount of work by various contributors, to whom we are very grateful.

What is new in version 3.3.1:

  • direct-dnskey is no longer experimental, thanks Kees Monshouwer & co for extensive testing (commit e4b36a4).
  • Handle signals during poll (commit 5dde2c6).
  • commit 7538e56: Fix zone2{sql,json} exit codes
  • commit 7593c40: geobackend: fix possible nullptr deref
  • commit 3506cc6: gpsqlbackend: don't append empty dbname=/user= values to connect string
  • gpgsql queries were simplified through the use of casting (commit 9a6e39c).
  • commit a7aa9be: Replace hardcoded make with variable
  • commit e4fe901: make sure to run PKG_PROG_PKG_CONFIG before the first PKG_* usage
  • commit 29bf169: fix hmac-md5 TSIG key lookup
  • commit c4e348b: fix 64+ character TSIG keys
  • commit 00a7b25: Fix comparison between signed and unsigned by using uint32_t for inception on INCEPTION-EPOCH
  • commit d3f6432: fix building on os x 10.9, thanks Martijn Bakker.
  • We now allow building against Lua 5.2 (commit bef3000, commit 2bdd03b, commit 88d9e99).
  • commit fa1f845: autodetect MySQL 5.5+ connection charset
  • When misconfigured using 'right' timezones, a bug in (g)libc gmtime breaks our signatures. Fixed in commit e4faf74 by Kees Monshouwer by implementing our own gmtime_r.
  • When sending SERVFAIL due to a CNAME loop, don't uselessly include the CNAMEs (commit dfd1b82).
  • Build fixes for platforms with 'weird' types (like s390/s390x): commit c669f7c (details), commit 07b904e and commit 2400764.
  • Support for += syntax for options, commit 98dd325 and others.
  • commit f8f29f4: nproxy: Add missing chdir("/") after chroot()
  • commit 2e6e9ad: fix for "missing" libmysqlclient on RHEL/CentOS based systems
  • pdnssec check-zone improvements in commit 5205892, commit edb255f, commit 0dde9d0, commit 07ee700, commit 79a3091, commit 08f3452, commit bcf9daf, commit c9a3dd7, commit 6ebfd08, commit fd53bd0, commit 7eaa83a, commit e319467
  • NSEC/NSEC3 fixes in commit 3191709, commit f75293f, commit cd30e94, commit 74baf86, commit 1fa8b2b
  • The webserver could crash when the ring buffers were resized, fixed in commit 3dfb45f.
  • commit 213ec4a: add constraints for name to pg schema
  • commit f104427: make domainmetadata queries case insensitive
  • commit 78fc378: no label compression for name in TSIG records
  • commit 15d6ffb: pdnssec now outputs ZSK DNSKEY records if experimental-direct-dnskey support is enabled (renamed to direct-dnskey before release!)
  • commit ad67d0e: drop cryptopp from static build as libcryptopp.a is broken on Debian 7, which is what we build on
  • commit 7632dd8: support polarssl 1.3 externally.
  • Remotebackend was fully updated in various commits.
  • commit 82def39: SOA-EDIT: fix INCEPTION-INCREMENT handling
  • commit a3a546c: add innodb-read-committed option to gmysql settings.
  • commit 9c56e16: actually notice timeout during AXFR retrieve, thanks hkraal

What is new in version 3.1 RC1:

  • This version fixes important DNSSEC issues, addresses memory use, and contains a vast amount of improvements and bugfixes.

What is new in version 3.0.1:

  • This version is identical to 3.0, except with a fix for CVE-2012-0206 aka PowerDNS Security Notification 2012-01. An upgrade is recommended.

What is new in version 3.0 RC3:

  • This release brings full support for DNSSEC, with automated signing, rollovers, and key maintenance.
  • The goal is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.
  • Other new features include TSIG, a MyDNS-compat backend, also-notify, master/slave over IPv6, a bulk parallel slaving engine, MongoDB support, and Lua zone editing.

What is new in version 3.0 RC1:

  • This release brings full support for DNSSEC, with automated signing, rollovers, and key maintenance.
  • The goal is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.
  • Other new features include TSIG, a MyDNS-compat backend, also-notify, master/slave over IPv6, a bulk parallel slaving engine, and Lua zone editing.

What is new in version 2.9.22:

  • This version brings a reasonable amount of new features, combined with vast performance increases for large setups.
  • In addition, significant numbers of bugs and issues have been addressed.
  • This is a much recommended upgrade.

What is new in version 2.9.22 RC2:

  • Compared to 2.9.21, this version offers a massive performance boost for installations running with high cache-TTLs or a large packet cache, in many cases of an order of magnitude.
  • Additionally, a large number of bugs were addressed, some features were added, and overall many areas saw improvements.
  • RC2 fixes important issues compared to RC1.

What is new in version 2.9.22 RC1:

  • Compared to 2.9.21, this version offers a massive performance boost for installations running with high cache-TTLs or a large packet cache, in many cases of an order of magnitude.
  • Additionally, a large number of bugs were addressed, some features were added, and overall many areas saw improvements.

What is new in version 2.9.21.2:

  • Some (rare) PowerDNS Authoritative Server configurations could be forced to restart themselves remotely.
  • For other configurations, a database reconnect can be triggered remotely.
  • These problems have been fixed.
