| 118 | | Other major new features include: |
| | 118 | This release has received exceptional levels of community support, and we'd like to thank the following people |
| | 119 | in addition to those mentioned explicitly below: |
| | 120 | Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), |
| | 121 | Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet), |
| | 122 | Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, |
| | 123 | Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), |
| | 124 | Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and |
| | 125 | Martin van Hensbergen (Fox-IT) |
| | 126 | </para> |
| | 127 | <para> |
| | 128 | On to the release notes. Next to DNSSEC, other major new features include: |
| 134 | | .. |
| | 172 | sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL |
| | 173 | errors in some cases. Discovered by Sten Spans. Fixed in c1342. |
| | 174 | </para> |
| | 175 | </listitem> |
| | 176 | <listitem> |
| | 177 | <para> |
| | 178 | Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek. Fixed in c1342. |
| | 179 | </para> |
| | 180 | </listitem> |
| | 181 | <listitem> |
| | 182 | <para> |
| | 183 | In some cases, we would include duplicate CNAMEs. In addition, we would hand out |
| | 184 | a full root-referral when not configured to in some cases (t223). Discovered by Andreas Jakum, fixed in c1344. |
| | 185 | </para> |
| | 186 | </listitem> |
| | 187 | <listitem> |
| | 188 | <para> |
| | 189 | Shane Kerr discovered we would corrupt DNS transaction IDs from the packet cache on big endian systems. |
| | 190 | Fix in c1346, closing t222. |
| | 191 | </para> |
| | 192 | </listitem> |
| | 193 | <listitem> |
| | 194 | <para> |
| | 195 | BIND backend got confused of a zone's filename changed after a configuration reload. |
| | 196 | Fix in c1347, closing t228. |
| | 197 | </para> |
| | 198 | </listitem> |
| | 199 | <listitem> |
| | 200 | <para> |
| | 201 | When restarted by the Guardian, PowerDNS will perform a full multi-threaded cache cleanup, which |
| | 202 | took a long time and could crash. Fix in c1364. |
| | 203 | </para> |
| | 204 | </listitem> |
| | 205 | <listitem> |
| | 206 | <para> |
| | 207 | Under artificial circumstances, PowerDNS would never clean its packet cache. Found by Marcus Goller, fix in |
| | 208 | c1399 and c1408. This update also retunes the cleanup frequency. |
| | 209 | </para> |
| | 210 | </listitem> |
| | 211 | <listitem> |
| | 212 | <para> |
| | 213 | Packetcache would cache things it should not have been caching. Fixes in commits C1407, C1488, C1869, C1880 |
| | 214 | </para> |
| | 215 | </listitem> |
| | 216 | <listitem> |
| | 217 | <para> |
| | 218 | When processing incoming notifications, the BIND backend was case-sensitive, and would disregard |
| | 219 | notifications in the wrong case. Discovered by 'Dolphin', fix in c1420. |
| | 220 | </para> |
| | 221 | </listitem> |
| | 222 | <listitem> |
| | 223 | <para> |
| | 224 | The init.d script did not mention the 'reload' command. Code in c1463, closes t233. |
| | 225 | </para> |
| | 226 | </listitem> |
| | 227 | <listitem> |
| | 228 | <para> |
| | 229 | PowerDNS would be confused by embedded NULs in domain names, and would also |
| | 230 | mess up the escaping of some characters. Fix in c1468, c1469, c1478, c1480, |
| | 231 | </para> |
| | 232 | </listitem> |
| | 233 | <listitem> |
| | 234 | <para> |
| | 235 | SOA queries for the name of a delegation point were not referred. Fix in c1466, closing t224. |
| | 236 | In addition, queries for AAAA for a CNAMEd record pointing to a name with no AAAA would deliver |
| | 237 | a direct SOA, without the CNAME in between. Fix in c1542, c1607. |
| | 238 | Also, wildcard CNAMEs pointing to a record without the type requested suffered from the same issue, fix in c1543. |
| | 239 | </para> |
| | 240 | </listitem> |
| | 241 | <listitem> |
| | 242 | <para> |
| | 243 | On processing an incoming AXFR, once an MX or SRV record had been seen, all future fields |
| | 244 | got a 'priority' entry as well. This had no operational impact, but looked messy. Fixed in c1437. |
| | 245 | </para> |
| | 246 | </listitem> |
| | 247 | <listitem> |
| | 248 | <para> |
| | 249 | Aki Tuomi discovered that the BIND zonefile parser would misrepresent 'something IN MX 15 @'. Fix in c1621. |
| | 250 | </para> |
| | 251 | </listitem> |
| | 252 | <listitem> |
| | 253 | <para> |
| | 254 | Marco Davids discovered the BIND zonefile parser would trip over really long lines. Fix in c1624, c1625. |
| | 255 | </para> |
| | 256 | </listitem> |
| | 257 | <listitem> |
| | 258 | <para> |
| | 259 | Thomas Mieslinger discovered that our webserver would only be started after dropping privileges, |
| | 260 | which could cause problems. Fix in c1629. |
| | 261 | </para> |
| | 262 | </listitem> |
| | 263 | <listitem> |
| | 264 | <para> |
| | 265 | An Ubuntu user discovered in Launchpad bug 600479 that restarting database threads |
| | 266 | cost a lot of memory. Normally this is rare, except in case of problems. Addressed in c1676. |
| | 267 | </para> |
| | 268 | </listitem> |
| | 269 | <listitem> |
| | 270 | <para> |
| | 271 | BIND backend could crash under (very) high load with very large numbers of zones (hundreds of thousands). |
| | 272 | Fixed in c1690. |
| | 273 | </para> |
| | 274 | </listitem> |
| | 275 | <listitem> |
| | 276 | <para> |
| | 277 | Miek Gieben and Marco Davids spotted that PowerDNS would answer the version.bind query in the IN class too. |
| | 278 | Bug reported via twitter! Fix in c1709. |
| | 279 | </para> |
| | 280 | </listitem> |
| | 281 | <listitem> |
| | 282 | <para> |
| | 283 | Marcus Lauer and the OpenDNSSEC project discovered that outgoing notifications did not carry the 'aa' flag. |
| | 284 | Fixed in c1746. |
| | 285 | </para> |
| | 286 | </listitem> |
| | 287 | <listitem> |
| | 288 | <para> |
| | 289 | Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by Anders Kaseorg in c1747. |
| | 290 | </para> |
| | 291 | </listitem> |
| | 292 | <listitem> |
| | 293 | <para> |
| | 294 | Fixed a bug that could cause crashes on launching thousands of backend connections. Never observed to occur, |
| | 295 | but who knows. Fix in c1792. |
| | 296 | </para> |
| | 297 | </listitem> |
| | 298 | <listitem> |
| | 299 | <para> |
| | 300 | Under some circumstances, large answers could be truncated in mid-record. While technically legal, |
| | 301 | this upset a number of resolver implementations (including the PowerDNS Recursor!). Fixed in c1830, re-closes |
| | 302 | t200. |
| | 9666 | </section> |
| | 9667 | <section id="dnssec-advice-precautions"> |
| | 9668 | <title>DNSSEC advice & precautions</title> |
| | 9669 | <para> |
| | 9670 | DNSSEC is a major change in the way DNS works. Furthermore, there is a bewildering array of settings |
| | 9671 | that can be configured. |
| | 9672 | </para> |
| | 9673 | <para> |
| | 9674 | It is well possible to configure DNSSEC in such a way that your domain will not operate reliably, or even, at all. |
| | 9675 | </para> |
| | 9676 | <para> |
| | 9677 | We advise operators to stick to the keying defaults of 'pdnssec secure-zone': RSASHA256 (algorithm 8), |
| | 9678 | 1 Key Signing Key of 2048 bits, 1 active Zone Signing Key of 1024 bits, 1 passive Zone Signing Key of 1024 bits. |
| | 9679 | </para> |
| | 9680 | <para> |
| | 9681 | While the 'GOST' and 'ECDSA' algorithms are better choices in theory, not many DNSSEC resolvers can validate answers |
| | 9682 | signed with such keys. Much the same goes for RSASHA512, except that it does not offer better performance either. |
| | 9683 | </para> |
| | 9684 | <para> |
| | 9685 | <note><para>GOST may be more widely available in Russia, because it might be mandatory to implement this regional standard there.</para></note> |
| | 9686 | </para> |
| | 9687 | <para> |
| | 9688 | It is possible to operate a zone with different keying algorithms simultaneously, but it has also been observed that this is not reliable. |
| | 9689 | </para> |
| | 9690 | <section id="dnssec-packet-size-tcp"><title>Packet sizes, fragments, TCP/IP service</title> |
| | 9691 | <para> |
| | 9692 | DNSSEC answers contain (bulky) keying material and signatures, and are therefore a lot larger than regular DNS answers. |
| | 9693 | Normal DNS responses almost always fit in the 'magical' 512 byte limit previously imposed on DNS. |
| | 9694 | </para> |
| | 9695 | <para> |
| | 9696 | In order to support DNSSEC, operators must make sure that their network allows for: |
| | 9697 | <itemizedlist> |
| | 9698 | <listitem><para>>512 byte UDP packets on port 53</para></listitem> |
| | 9699 | <listitem><para>Fragmented UDP packets</para></listitem> |
| | 9700 | <listitem><para>ICMP packets related to fragmentation</para></listitem> |
| | 9701 | <listitem><para>TCP queries on port 53</para></listitem> |
| | 9702 | <listitem><para>EDNS0 queries/responses (filtered by some firewalls)</para></listitem> |
| | 9703 | </itemizedlist> |
| | 9704 | </para> |
| | 9705 | <para> |
| | 9706 | If any of the conditions outlined above is not met, DNSSEC service will suffer or be completely unavailable. |
| | 9707 | </para> |
| | 9708 | <para> |
| | 9709 | In addition, the larger your DNS answers, the more critical the above becomes. It is therefore advised not to provision too many keys, |
| | 9710 | or keys that are unneccessarily large. |
| | 9711 | </para> |
| | 9712 | </section> |
