Software update: PowerDNS Recursor 4.5.1

PowerDNS is a DNS server with a database as a backend, which makes it easy to manage a large number of DNS entries. The developers have previously decided to release the two parts that make up PowerDNS, a recursor and an authoritative nameserver, separately, so that a new version can be released faster and more specifically, according to the developers.

When you perform a dns look-up, a recursor initially starts by asking the look-up question to a dns root server. It can then redirect to other servers, from where it can redirect to other servers and so on, until finally a server is reached that knows the answer or that the look-up is not possible. The latter can be the case if the name does not exist or the servers do not respond. The process of going through different authoritative servers is called recursion. The developers released PowerDNS Recursor 4.5.1 a few days ago. The announcement of this release looks like this:

PowerDNS Recursor 4.5.1 Released

We are proud to announce the release of PowerDNS Recursor 4.5.1. Compared to the release candidate, this release contains two bug fixes. Note that 4.5.0 was never released publicly, since an issue was found during QA.

Compared to the previous major (4.4) release of PowerDNS Recursor, this release contains a rewrite of the way zone cuts are determined, reducing the number of outgoing queries by up to 17% when doing DNSSEC validation while reducing the CPU usage more than 20% .

Another notable feature is the implementation of EDNS0 padding (RFC 7830) for answers sent to clients.

This 4.5.1 release includes an important addition: the implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache. This enables the Recursor to answer queries for non-existing names with less effort in many cases. This feature uses both NSEC and NSEC3 records. Additionally the DNSSEC default mode is now “process”, while it was “process-no-validate” before. This means that clients asking for it will get DNSSEC validated answers by default.

We also added a cache of non-resolving nameservers. This enhances performance when the Recursor encounters domains that list nameservers that do not resolve and further mitigates the TsuNAME vulnerability.

This release also features a re-worked negative cache that is shared between threads, allowing more efficient use of the cache and reduced memory consumption.

Support for Extended DNS Errors (RFC 8914) has been added. These can be enabled by setting the extended-resolution-errors setting to ‘yes’, this will send DNSSEC and resolution related errors to clients. Extended Errors are also hooked up to the Lua scripting engine, allowing fine-grained setting of both the error code and extra information in the response.

A “refresh almost expired records” (also called “refetch”) mechanism has been introduced to keep the record cache warm. In short, if a query comes in and the cached record’s TTL is almost expired (within N percent of its original value) the cached record is served to the client and the record queried for in the background, ensuring that new queries for that record are fresh and served from the cache.

Other new features and improvements are:

• The complete protobuf and dnstap logging code has been rewritten to have much smaller performance impact.
• We have introduced non-offensive synonyms for words used in settings. See the upgrade guide.
• The default minimum TTL override has been changed from 0 to 1.
• The spoof-nearmiss-max setting’s default has been changed to 1. This has the consequence that the Recursor will switch to do TCP queries to authoritative nameservers sooner as an effective measure against many spoofing attacks.
• Incoming queries over TCP now also use the packet cache, providing another performance increase.
• File written to by the rec_control command are new opened by the command itself. It is also possible to write the content to the standard output stream by using a hyphen as file name.
• TCP FastOpen (RFC 7413) support for outgoing TCP connections to authoritative servers and forwarders.

Please refer to the changelog for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball (signature) is available from our download server and packages for several distributions are available from our repository.

With this 4.5.1 release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.