Software Update: PowerDNS Recursor 4.0.0


PowerDNS is a DNS server that uses a database as its back-end, which makes it easy to manage a large number of DNS records. The developers previously decided to release the two components that make up PowerDNS, the Recursor and the Authoritative Server, separately. According to the developers, this lets a new version of each component be released faster and in a more targeted way.

When you do a DNS lookup, a recursor initially puts the question to a DNS root server. That server can refer it to other servers, which in turn may refer it onwards, and so on, until a server is reached that either knows the answer or knows that the lookup cannot succeed. The latter is the case when the name does not exist or the servers do not respond. The process of walking through the different authoritative servers is called recursion. The developers have released PowerDNS Recursor 4.0.0. The announcement of this release reads as follows:

Hello everybody,

We are pleased to announce the availability of the PowerDNS Recursor 4.0.0. As announced, the Recursor was part of the great PowerDNS 4.x Spring Cleaning. And it was indeed kind of grand. More about the 4.0.0 release process can be found on our blog.

We changed many things internally to the nameserver:

  • Moved to C++ 2011, a cleaner, more powerful version of C++ that has allowed us to improve the quality of implementation in many places.
  • Implemented dedicated infrastructure for dealing with DNS names that is fully “DNS Native” and needs less escaping and unescaping.
  • Switched to binary storage of DNS records in all places.
  • Moved ACLs to a dedicated Netmask Tree.
  • Implemented a version of RCU for configuration changes.
  • Instrumented our use of the memory allocator, reduced number of malloc calls substantially.
  • The Lua hook infrastructure was redone using LuaWrapper; old scripts will no longer work, but new scripts are easier to write under the new interface.

Due to these changes, PowerDNS Recursor 4.0.0 is almost an order of magnitude faster than the 3.7 branch.

  • DNSSEC processing: if you ask for DNSSEC records, you will get them.
  • DNSSEC validation: if so configured, PowerDNS performs DNSSEC validation of your answers.
  • Completely revamped Lua scripting API that is “DNSName” native and therefore far less error prone, and likely faster for most commonly used scenarios. Loads and indexes a 1 million domain custom policy list in a few seconds.
  • New asynchronous per-domain, per-ip address, query engine. This allows PowerDNS to consult an external service in realtime to determine client or domain status. This could for example mean looking up actual customer identity from a DHCP server based on IP address (option 82 for example).
  • RPZ (from file, over AXFR or IXFR) support. This loads the largest Spamhaus zone in 5 seconds on our hardware, containing around 2 million instructions.
  • All caches can now be wiped on suffixes, because of canonical ordering.
  • Many, many more relevant performance metrics, including upstream authoritative performance measurements (‘is it me or the network that is slow’).
  • EDNS Client Subnet support, including cache awareness of subnet-varying answers.

DNSSEC

As stated in the features section above, the PowerDNS Recursor now has DNSSEC processing and experimental DNSSEC validation support. DNSSEC processing means the nameserver will return RRSIG records when requested to do so by the client (by means of the DO-bit) and will always retrieve the RRSIGs even if the client does not ask for them. It will perform validation and set the AD-bit in the response if the client requests validation. In full-blown DNSSEC mode, the PowerDNS Recursor will validate the answers and set the AD-bit in validated answers if the client requests it, and will SERVFAIL on bogus answers to all clients.

The DNSSEC support is marked experimental, but functional at the moment, as it has 2 limitations:

  • Negative answers are validated, but the NSEC proof is not fully checked.
  • Zones that have a CNAME at the apex (which is ‘wrong’ anyway) validate as Bogus.

If you run with DNSSEC enabled and notice broken domains, do file an issue.

We would like to thank everybody who helped with ideas, code and testing the Recursor.
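The DNSSEC section of the announcement describes the client-facing contract of a validating recursor: the client signals DO in an EDNS0 OPT record to receive RRSIGs, the recursor marks validated data with the AD header bit and answers SERVFAIL for bogus data. The following is an added example, not PowerDNS code, that builds such a query, reads the DO bit back out of it, and classifies constructed responses according to that contract; the response bytes are constructed locally, nothing is sent over the network.

```python
import struct

DO_BIT = 1 << 15      # RFC 3225: "DNSSEC OK" flag in the OPT RR TTL field
AD_FLAG = 1 << 5      # RFC 4035: Authenticated Data flag in the message header
RD_FLAG = 1 << 8      # Recursion Desired
QR_FLAG = 1 << 15     # Message is a response
RCODE_SERVFAIL = 2    # what a validating recursor returns for Bogus data

def encode_name(name):
    """Wire-encode an uncompressed domain name (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234, do=True, ad=False):
    """Build a DNS query; DO in the OPT RR asks for RRSIGs, AD asks for validation."""
    flags = RD_FLAG | (AD_FLAG if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)   # 1 question, 1 OPT RR
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL carries DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT if do else 0, 0)
    return header + question + opt

def query_sets_do(msg):
    """Walk the question and the OPT RR of a query to read its DO bit (queries use no compression)."""
    pos = 12
    while msg[pos] != 0:            # skip QNAME labels
        pos += msg[pos] + 1
    pos += 1 + 4                    # root label + QTYPE + QCLASS
    ttl = struct.unpack("!I", msg[pos + 5:pos + 9])[0]   # skip name(1), TYPE(2), CLASS(2)
    return bool(ttl & DO_BIT)

def make_response(query, rcode=0, ad=False):
    """Constructed reply: copy the query, flip QR, set RCODE and AD the way a recursor would."""
    qid, flags = struct.unpack("!HH", query[:4])
    flags = (flags & ~0xF) | QR_FLAG | rcode | (AD_FLAG if ad else 0)
    return struct.pack("!HH", qid, flags) + query[4:]

def classify(response):
    """Apply the announced contract: SERVFAIL means bogus, AD means validated, else unvalidated."""
    flags = struct.unpack("!H", response[2:4])[0]
    if (flags & 0xF) == RCODE_SERVFAIL:
        return "bogus"
    return "secure" if flags & AD_FLAG else "unvalidated"
```

A client that never sets DO still gets validated answers under this contract, so `classify` does not look at the OPT record of the response; only SERVFAIL and AD carry the verdict.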

Version number: 4.0.0
Release status: Final
Operating systems: Linux, BSD, macOS, Solaris, UNIX
Website: PowerDNS
License type: GPL