Of course, this should have said 3.2-RC1. Thanks to Aki Tuomi for pointing that out. Brown paper bag engaged!
On Nov 12, 2012, at 14:51, Peter van Dijk wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi everybody,
>
> Release Candidate 1 of the PowerDNS Authoritative Server 3.2 is available
> from:
>
> http://powerdnssec.org/downloads/pdns-3.2-rc1.tar.gz
> http://powerdnssec.org/downloads/packages/pdns-static-3.2rc1-1.i386.rpm
> http://powerdnssec.org/downloads/packages/pdns-static-3.2rc1-1.x86_64.rpm
> http://powerdnssec.org/downloads/packages/pdns-static_3.2-rc1-1_amd64.deb
> http://powerdnssec.org/downloads/packages/pdns-static_3.2-rc1-1_i386.deb
>
> You are cordially invited to (carefully) test this Release Candidate for
> correct behaviour.
>
> Full release notes, with clickable links, are available from:
> http://doc.powerdns.com/changelog.html#changelog-auth-3-2
>
> Here is a text-only version:
>
> This is a stability and conformity update to 3.1. It mostly makes our DNSSEC
> implementation more robust, and improves interoperability with various
> validators. 3.2 has received very extensive testing on a lot of edge cases,
> verifying output both against common validators and compared against other
> authoritative servers.
>
> In addition to all the changes below, we now auto-build semi-static packages.
> Relevant changes to make that possible are in commit 2849, commit 2853, 2858,
> commit 2859, commit 2860.
>
> DNSSEC changes in 3.2:
>
> * Kees Monshouwer did a tremendous amount of work to improve and perfect our
>   DNSSEC implementation, mostly in the NSEC3 area. Code in commit 2687,
>   commit 2689, commit 2691, fixing ticket 486, ticket 537, ticket 540. He
>   also implemented support for Empty Non-Terminals, code in commit 2721,
>   commit 2732, commit 2745, fixing ticket 127 and ticket 558.
>
> * Presigned wildcard operation was improved with the help of many parties
>   (see commit message for commit 2676). Presigned operation was also changed
>   to be more consistent with master/live-signing operation.
>   Code and a full
>   test suite in commit 2709, which also improves TTL behaviour for various
>   situations. Fixes ticket 460, ticket 533, ticket 559.
>
> * Depending on database & locale settings, names starting with underscore
>   would sometimes cause broken records. commit 2710 contains schema and code
>   changes for the gpgsql and gmysql backends to sort this (no pun intended)
>   definitively, closing ticket 550. In addition, a pdnssec test-schema
>   command was added (experimental and incomplete). It can be used to verify
>   underscore sorting and a few other parameters of the database. Code in
>   commit 2714.
>
> * We now always include an EDNS section in responses to queries that also had
>   an EDNS section. This was thought to improve BIND interoperability, but
>   this turned out to be false. In any case, this change improves standards
>   compliance. Spotted by Mats Dufberg, code in commit 2649.
>
> * It turns out we were storing Botan keys the wrong way. Botan did not care
>   but Polar did, causing interoperability problems. Fixed in commit 2720,
>   with the kind help of Paul Bakker of PolarSSL. Fixes ticket 492 as reported
>   by Florian Obser via Debian.
>
> * pdnssec add-zone-key now defaults to RSASHA256, like secure-zone already
>   did. Code in commit 2692.
>
> * pdns_control purge now also purges DNSSEC-related caches (keys and
>   metadata). Code in commit 2694, by Ruben d'Arco. Fixes ticket 530.
>
> * The signer thread would die in specific situations, leaving you with a
>   non-working but very busy system. Fixed in commit 2668, commit 2670,
>   closing ticket 517.
>
> * pdnssec secure-zone now warns when you just signed a slave zone. Suggested
>   by Mark Scholten, code in commit 2795, closes ticket 592.
>
> * pdnssec check-zone now warns about out-of-zone data. Patch by Kees
>   Monshouwer in commit 2826, closing ticket 604.
>
> * pdnssec now honours --no-config. Patch by Kees Monshouwer in commit 2810.
>
> * Various fixes for bindbackend presigned operation, mostly by Kees
>   Monshouwer. Code in commit 2815, closing ticket 600.
>
> * Bindbackend could get confused about domain metadata, sometimes even
>   causing hangs. Fixes by Kees Monshouwer in commit 2819 and commit 2834,
>   closing ticket 600 and ticket 603.
>
> * SQL queries in gsql backends that reference the domain_id column have been
>   made explicit about from what table they want this column. This makes it
>   easier to operate custom schemas without changing the queries. Fix by Nicky
>   Gerritsen in commit 2821.
>
> * In various situations involving CNAMEs and wildcards, and for ANY queries
>   involving CNAMEs, we would sometimes return bogus results. Fixed in commit
>   2825 by Kees Monshouwer.
>
> * rectify-zone accidentally set auth=1 on NS records of secure delegations.
>   Reported by George Notaras, fixed by Kees Monshouwer in r2831, closing
>   ticket 605.
>
> * The DNSSEC signature cache now actually gets cleaned up, avoiding lasting
>   spikes in memory usage every Thursday. Code in commit 2836 and commit 2843,
>   closing ticket 594.
>
> * Signatures roll at midnight on Thursday. We now set their inception to be
>   one hour before midnight, to allow for some variations in clock quality on
>   resolvers. Code in commit 2857.
>
> * Duplicate records (same name/type/content/priority) would sometimes get
>   broken RRSIGs during outgoing AXFR. Fixed in commit 2856.
>
> * A root zone (name="") with DNSSEC would cause crashes in some situations.
>   Reported by Luuk Hendriks. Fixed in commit 2867, commit 2868, closing
>   ticket 614.
>
> * Direct RRSIG queries for zones with auto-completed SOA records would cause
>   trouble. Reported by Kees Monshouwer and fixed by him in r2869.
>
> * When a name is matched only by a wildcard, but the type in the query is not
>   present, we would be lacking one NSEC(3) record to prove the existence of
>   the wildcard. Fixed by Kees Monshouwer in r2872 and r2873.
>
> * Luuk Hendriks spotted that our PolarSSL RSA key generation code was using
>   inferior entropy. This can be important on virtual machines with badly
>   implemented clocks. Fixed in commit 2876, closing ticket 615.
>
> Non-DNSSEC improvements/changes in 3.2:
>
> * Bindbackend would sometimes crash on startup, due to a sync_with_stdio
>   call. This call has been moved to pdns_server proper to occur before any
>   threads are spawned, avoiding race conditions in this call. Note that this
>   crash has only been observed twice in thousands of regression test runs and
>   has never been reported in the real world. Change in commit 2882.
>
> * Leen Besselink submitted query logging support for the SQLite3 parts in the
>   bindbackend. Code in commit 2874.
>
> * Multi-backend operation would sometimes cause garbage domain IDs to be
>   passed to backends. Reported by Kees Monshouwer and fixed by him in r2871.
>
> * Bindbackend would sometimes crash during reloads/rediscovers. The changes
>   in commit 2837 get rid of the crash, at the cost of returning SERVFAIL
>   during reloads. Closes ticket 564.
>
> * Our label decompression code was naive, causing troubles for slaving of
>   very specifically formatted zones. Fix in ticket 2822, closes ticket 599.
>
> * Bindbackend slaves would choke on unknown RR types and do silly things with
>   RP and SRV records. Fixed in commit 2811 and commit 2812.
>
> * The luabackend can now compile against Lua 5.2. Patch by Fredrik Danerklint
>   in commit 2794, additional luabackend compile fixes in commit 2854.
>
> * A new backend, the 'Remote backend' Section 16, “Remote Backend” was
>   submitted by Aki Tuomi. It aims to replace the pipebackend with a better
>   protocol and support for more connection methods, including HTTP. Code in
>   commit 2755, commit 2756, commit 2757, commit 2758, commit 2759, commit
>   2824, closing ticket 529, ticket 597.
>
> * The gsqlite (SQLite 2) backend was removed.
>   We were not aware of any users
>   and it was not actually working anyway. Changes in commits 2773-2777,
>   closing ticket 565.
>
> * Various tinydnsbackend improvements: ignore-bogus-records option; TAI
>   offset updated; strip dots on names where suitable; various internal
>   improvements. Code in commit 2762.
>
> * gpgsql no longer logs the database password in connection errors. Code in
>   commit 2609, commit 2612, closing ticket 459.
>
> * You can now finally specify 0.0.0.0 or :: as local-address/local-ipv6
>   without getting replies from the wrong address. This much-requested feature
>   is implemented in commit 2763, commit 2766, commit 2779 and commit 2781.
>   Tested on Linux, FreeBSD and Mac OS X.
>
> * 3.2 can be reliably built with or without Lua. This and many other
>   configure/compile-related fixes in commit 2610, commit 2611 / ticket 461,
>   commit 2666, commit 2671, commit 2672 / ticket 522, commit 2673 / ticket
>   522, commit 2696 / ticket 555, commit 2697 / ticket 457, commit 2698,
>   commit 2708, commit 2742 / ticket 462, commit 2752 / ticket 437, commit
>   2764, commit 2809, commit 2844, commit 2845, commit 2846, commit 2881.
>
> * Juraj Lutter contributed AXFR-SOURCE per zone metadata settings. Code in
>   commit 2616.
>
> * Initscripts now have exit codes, submitted by Sander Hoentjes. Code in
>   commit 2728. Guardian now returns 0 instead of 1 when receiving SIGTERM,
>   requested by Morten Stevens of Fedora. Code in commit 2717.
>
> * Mark Zealey submitted various performance improvement patches and
>   suggestions. Accepted as commit 2729 / ticket 579, commit 2730 / ticket 584,
>   commit 2731 / ticket 583, commit 2768 / ticket 578. Please see commit
>   messages for more details.
>
> * pdnssec check-all-zones now reuses database connections, avoiding a socket
>   exhaustion issue in some situations. Code in commit 2749, closes ticket 519.
>
> * Ruben d'Arco submitted various improvements regarding trailing dots.
>   Additional lookups now try harder, pdnssec errors about trailing dots in
>   names, pdnssec warns about trailing dots in names inside content fields,
>   AXFR now strips the dot from SRV hostnames. Code in commit 2748, fixes
>   ticket 289.
>
> * Pre-3.0, backends would get cycled if they threw the right error. 3.2
>   reinstates this behaviour, as it is more robust. Change in commit 2734
>   (reverting commit 2100), fixes ticket 386.
>
> * PowerDNS auth does not use the select() kernel/library call anymore. This
>   means fd-numbers over 1023 (and, in general, more than 1024 sockets,
>   including more than 1024 listening sockets) should now work reliably. Code
>   in commit 2739, commit 2740, fixes ticket 408.
>
> * gmysql users can now specify the 'group' we connect as, using the
>   gmysql-group setting. Submitted by Kees Monshouwer, code in commit 2770,
>   commit 2771, commit 2778, commit 2780, closing ticket 463.
>
> * The Linux-only traceback handler is now optional (use traceback-handler=off
>   to disable it). Suggested by Marc Haber. Change in commit 2798, closes
>   ticket 497.
>
> * We now use IPV6_V6ONLY to bind IPv6 sockets. This ensures consistent
>   behaviour between different operating systems. Change in commit 2799.
>
> * MySQL connections are now logged at a higher loglevel, reducing log
>   clutter. Change in commit 2800.
>
> * We now ship a systemd unit file in contrib/. Added in commit 2847 and
>   commit 2848, submitted by Morten Stevens.
>
> Assorted bugfixes:
>
> * If a slave domain is removed while a transfer for it is queued, we no
>   longer try the transfer. This also avoids a rare crash in similar
>   circumstances. Code in commit 2802, closes ticket 596.
>
> * When using pdnssec with gsql backends, sometimes an SSqlException would pop
>   up without any useful information. This no longer happens and errors are
>   now in general more meaningful. Fix in commit 2803.
>
> * zone2sql now uses correct string syntax for PostgreSQL.
>   This is needed for
>   importing with the changed default settings in PostgreSQL 9.2 and up. Code
>   in commit 2797, closes ticket 471.
>
> * We no longer send v6 notifications if v6 is not available. Same for IPv4.
>   Code in commit 2772, fixes ticket 515.
>
> * We would sometimes serve stale data after an incoming AXFR. Reported by
>   Martin Draschl, fixed by Ruben d'Arco in commit 2699, closing ticket 525.
>
> * Duplicate incoming NOTIFYs could cause PowerDNS to try to insert the same
>   domain name into a database twice. Fixed in commit 2703, closing ticket 453.
>
> * pdnssec show-zone now works on a zone that has any number of keys, instead
>   of requiring active keys. Reported by Jeroen Tushuizen of myH2Oservers,
>   code in commit 2769, closes ticket 586.
>
> * pdns-control notify-host now accepts v6 literals. Reported by Christof
>   Meerwald, fixed in commit 2704.
>
> * The tinydnsbackend no longer chokes on questions longer than 64 bytes. Code
>   in commit 2622.
>
> * *-all-domains commands in pdnssec now work with Postgres (gpgsql) too. Code
>   in commit 2645, closing ticket 472.
>
> * We would sometimes leave the opcode of an outgoing packet uninitialized.
>   Fixed in commit 2680, closing ticket 532.
>
> * nproxy can now listen on a configurable port. Code in commit 2684, fixes
>   ticket 534.
>
> * Improve mydnsbackend for SOA queries. Code in commit 2751, fixes ticket 439,
>   by Ruben d'Arco.
>
> * Various non-functional fixes that make Valgrind happy (note that Valgrind
>   was right to complain in all of these situations), in commit 2715, commit
>   2716, commit 2718.
> _______________________________________________
> Pdns-announce mailing list
> [email protected]
> http://mailman.powerdns.com/mailman/listinfo/pdns-announce

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
_______________________________________________
Pdns-dev mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-dev
