[Pdns-users] First Release Candidate of PowerDNS Recursor 4.5.0

2021-04-28 Thread Otto Moerbeek via Pdns-users
Hello!,

   We are proud to announce the first release candidate of what should
   become PowerDNS Recursor 4.5.0. Compared to the last beta release, this
   release contains a few minor bug fixes and improvements.

   Compared to the previous major (4.4) release of PowerDNS Recursor, this
   release contains a rewrite of the way zone cuts are determined,
   reducing the number of outgoing queries by up to 17% when doing DNSSEC
   validation while reducing the CPU usage more than 20% . This is a
   rather substantial change and we would be very grateful for tests and
   feedback from the community.

   Another notable feature is the implementation of EDNS0 padding (RFC
   7830[1]) for answers sent to clients.

   The upcoming 4.5.0 release includes an important addition: the
   implementation of RFC 8198: Aggressive use of DNSSEC-Validated Cache.
   This enables the Recursor to answer queries for non-existing names with
   less effort in many cases. This feature uses both NSEC and NSEC3
   records. Additionally the DNSSEC default mode[2] is now "process",
   while it was "process-no-validate" before. This means that clients
   asking for it will get DNSSEC validated answers by default.

   We also added a cache of non-resolving nameservers. This enhances
   performance when the Recursor encounters domains that have nameservers
   that do not resolve.

   This release also features a re-worked negative cache that is shared
   between threads, allowing more efficient use of the cache and reduced
   memory consumption.

   Support for Extended DNS Errors (RFC 8914[3]) has been added. These can
   be enabled by setting the extended-resolution-errors[4] setting to
   'yes', this will send DNSSEC and resolution related errors to clients.
   Extended Errors are also hooked up to the Lua scripting engine[5],
   allowing fine-grained setting of both the error code and extra
   information in the response.

   A "refresh almost expired records" (also called "refetch") mechanism[6]
   has been introduced to keep the record cache warm. In short, if a query
   comes in and the cached record's TTL is almost expired (within N
   percent of its original value) the cached record is served to the
   client and the record queried for in the background, ensuring that new
   queries for that record are fresh and served from the cache.

   Other new features and improvements are:
 * The complete protobuf and dnstap logging code has been rewritten to
   have much smaller performance impact.
 * We have introduced non-offensive synonyms for words used in
   settings. See the upgrade[7] guide.
 * The default minimum TTL[8] override has been changed from 0 to 1.
 * The spoof-nearmiss-max setting[9]'s default has been changed to 1.
   This has the consequence that the Recursor will switch to do TCP
   queries to authoritative nameservers sooner as an effective measure
   against many spoofing attacks.
 * Incoming queries over TCP now also use the packet cache, providing
   another performance increase.
 * File written to by the rec_control command are new opened by the
   command itself. It is also possible to write the content to the
   standard output stream by using a hyphen as file name.
 * TCP FastOpen (RFC 7413[10]) support for outgoing TCP connections to
   authoritative servers and forwarders.

   Please refer to the changelog[11] for additional details.

   Please send us all feedback and issues you might have via the mailing
   list[12], or in case of a bug, via GitHub[13].

   The tarball[14] (signature[15]) is available from our download
   server[16] and packages for several distributions are available from
   our repository[17].

   With the future 4.5.0 final release, the 4.2.x releases will be EOL and
   the 4.3.x and 4.4.x releases will go into critical fixes only mode.
   Consult the EOL policy[18] for more details.

   We would also like to announce that with this release we will stop
   supporting systems using 32-bit time. This includes 32-bit Linux
   platforms like arm and i386.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

Regards,

 -Otto and the PowerDNS Team.

References

   1. https://tools.ietf.org/html/rfc7830.html
   2. https://docs.powerdns.com/recursor/settings.html#dnssec
   3. https://tools.ietf.org/html/rfc8914.html
   4. 
https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   5. 
https://docs.powerdns.com/recursor/lua-scripting/dq.html#DNSQuestion.extendedErrorCode
   6. https://docs.powerdns.com/recursor/settings.html#refresh-on-ttl-perc
   7. https://docs.powerdns.com/recursor/upgrade.html#x-to-4-5-0-or-master
   8. https://docs.powerdns.com/recursor/settings.html#minimum-ttl-override
   9. https://docs.powerdns.com/recursor/settings.html#spoof-nearmiss-max
  10. 

Re: [Pdns-users] [E] Re: Powerdns on AWS Instances

2021-04-28 Thread Frank Louwers via Pdns-users
While this will indeed work, please note that using dnsdist.org has huge 
advantages: a simple (dns-unaware) LB will LB the request, either round-robin 
or in a least-outstanding manner.

A dns-aware LB (such as dnsdist) will do this much more intelligently, which 
results in higher cache ration and improved performance. It will also enable 
you to do other things, like send suspicious queries to a specific instance, 
perform logging etc...

Kind Regards,

Frank

> On Apr 28, 2021, at 9:08 AM, Giovanni Vecchi via Pdns-users 
>  wrote:
> 
> Hi Chhavi,
> 
> I can confirm you can use AWS ELB (Network Load Balancer) in order to Load 
> Balance DNS queries: I configured it too in our production environment.
> I created a single target group containing all the EC2 instances where rec is 
> installed in order to balance 53/UDP port and 53/TCP is used for health 
> checks.
> No problem for more than a year now.
> 
> On Wed, 28 Apr 2021 at 02:21, Chhavi Mittal via Pdns-users 
> mailto:pdns-users@mailman.powerdns.com>> 
> wrote:
> I have a lot of ALIAS records so I am using a recursor to resolve those to A 
> records.
> I am using NATIVE domain "." with all the records pointing to it. So I have a 
> local pdns and pdns-recursor on all instances and they all will be connecting 
> to aws aurora db cluster to read data. 
> And since I have so many instances I would like to put them behind a load 
> balancer and we use aws ec2 load balancer so if I can use aws instances then 
> this becomes easy to setup.
> 
> Any issues you see in this approach please let me know.
> 
> Best,
> Chhavi
> 
> On Tue, Apr 27, 2021 at 3:54 PM Kevin P. Fleming  > wrote:
> If you use a 'Network Load Balancer' then you can use that to
> distribute UDP traffic to your instances, it appears, and then also
> set it up to distribute TCP traffic since your servers should support
> TCP too.
> 
> What is the reason you are using both PowerDNS Auth and Recursor on 32
> instances?
> 
> On Tue, Apr 27, 2021 at 6:34 PM Chhavi Mittal
> mailto:chhavi.mit...@verizonmedia.com>> 
> wrote:
> >
> > I have 32 instances in production and I might be adding more so definitely 
> > need the load balancer. That's why I am wondering if I can use aws 
> > instances.
> >
> >
> > On Tue, Apr 27, 2021 at 3:33 PM Kevin P. Fleming  > > wrote:
> >>
> >> If you just have one instance, or a small number of instances, there's
> >> no real reason to use a load balancer.
> >>
> >> On Tue, Apr 27, 2021 at 4:06 PM Nico CARTRON via Pdns-users
> >> mailto:pdns-users@mailman.powerdns.com>> 
> >> wrote:
> >> >
> >> > On 27-Apr-2021 21:17 CEST,  >> > > wrote:
> >> >
> >> > > Hello,
> >> > >
> >> > > Is it possible to deploy powerdns on aws instances and have the 
> >> > > instances
> >> > > run behind an ec2 load balancer?
> >> > > Any tips to set this up would be really helpful.
> >> > >
> >> > > My current design is a powerdns server and a pdns-recursor running on 
> >> > > the
> >> > > same host (not aws) and I am using aws aurora mysql cluster as my 
> >> > > backend
> >> > > with all the domains and records information. This setup is working as
> >> > > expected and I am able to resolve records that are saved in aurora sql 
> >> > > db.
> >> > > Now I want to move pdns and pdns-recursor to aws instance so wondering 
> >> > > what
> >> > > all issues I will face as I am not able to find any documentation 
> >> > > about it.
> >> >
> >> > Sounds like a mission for dnsdist! 
> >> > (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.dnsdist.org=DwIBaQ=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY=zhXmtZOB8qouWS1ukhEyCOSrM390DVZ1dg-asUtrEKo=wOeR0G5rNn_yQWhpuAiddQh4cnx-MxZ6VZwexVoiX8c=xVbxtLkoQxjJty7DpaziKKeUN5Bu8OsPDo5hU6hcqrw=
> >> >  
> >> > 
> >> >  )
> >> >
> >> >
> >> > --
> >> > Nico
> >> > ___
> >> > Pdns-users mailing list
> >> > Pdns-users@mailman.powerdns.com 
> >> > https://urldefense.proofpoint.com/v2/url?u=https-3A__mailman.powerdns.com_mailman_listinfo_pdns-2Dusers=DwIBaQ=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY=zhXmtZOB8qouWS1ukhEyCOSrM390DVZ1dg-asUtrEKo=wOeR0G5rNn_yQWhpuAiddQh4cnx-MxZ6VZwexVoiX8c=Sr_880ZFHY0VwWs80L9dBBlzn318SkqL1ZxqQXIGD_A=
> >> >  
> >> > 
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 

Re: [Pdns-users] [E] Re: Powerdns on AWS Instances

2021-04-28 Thread Giovanni Vecchi via Pdns-users
Hi Chhavi,

I can confirm you can use AWS ELB (Network Load Balancer) in order to Load
Balance DNS queries: I configured it too in our production environment.
I created a single target group containing all the EC2 instances where rec
is installed in order to balance 53/UDP port and 53/TCP is used for health
checks.
No problem for more than a year now.

On Wed, 28 Apr 2021 at 02:21, Chhavi Mittal via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> I have a lot of ALIAS records so I am using a recursor to resolve those
> to A records.
> I am using NATIVE domain "." with all the records pointing to it. So I
> have a local pdns and pdns-recursor on all instances and they all will be
> connecting to aws aurora db cluster to read data.
> And since I have so many instances I would like to put them behind a load
> balancer and we use aws ec2 load balancer so if I can use aws instances
> then this becomes easy to setup.
>
> Any issues you see in this approach please let me know.
>
> Best,
> Chhavi
>
> On Tue, Apr 27, 2021 at 3:54 PM Kevin P. Fleming  wrote:
>
>> If you use a 'Network Load Balancer' then you can use that to
>> distribute UDP traffic to your instances, it appears, and then also
>> set it up to distribute TCP traffic since your servers should support
>> TCP too.
>>
>> What is the reason you are using both PowerDNS Auth and Recursor on 32
>> instances?
>>
>> On Tue, Apr 27, 2021 at 6:34 PM Chhavi Mittal
>>  wrote:
>> >
>> > I have 32 instances in production and I might be adding more so
>> definitely need the load balancer. That's why I am wondering if I can use
>> aws instances.
>> >
>> >
>> > On Tue, Apr 27, 2021 at 3:33 PM Kevin P. Fleming  wrote:
>> >>
>> >> If you just have one instance, or a small number of instances, there's
>> >> no real reason to use a load balancer.
>> >>
>> >> On Tue, Apr 27, 2021 at 4:06 PM Nico CARTRON via Pdns-users
>> >>  wrote:
>> >> >
>> >> > On 27-Apr-2021 21:17 CEST,  wrote:
>> >> >
>> >> > > Hello,
>> >> > >
>> >> > > Is it possible to deploy powerdns on aws instances and have the
>> instances
>> >> > > run behind an ec2 load balancer?
>> >> > > Any tips to set this up would be really helpful.
>> >> > >
>> >> > > My current design is a powerdns server and a pdns-recursor running
>> on the
>> >> > > same host (not aws) and I am using aws aurora mysql cluster as my
>> backend
>> >> > > with all the domains and records information. This setup is
>> working as
>> >> > > expected and I am able to resolve records that are saved in aurora
>> sql db.
>> >> > > Now I want to move pdns and pdns-recursor to aws instance so
>> wondering what
>> >> > > all issues I will face as I am not able to find any documentation
>> about it.
>> >> >
>> >> > Sounds like a mission for dnsdist! (
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.dnsdist.org=DwIBaQ=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY=zhXmtZOB8qouWS1ukhEyCOSrM390DVZ1dg-asUtrEKo=wOeR0G5rNn_yQWhpuAiddQh4cnx-MxZ6VZwexVoiX8c=xVbxtLkoQxjJty7DpaziKKeUN5Bu8OsPDo5hU6hcqrw=
>> )
>> >> >
>> >> >
>> >> > --
>> >> > Nico
>> >> > ___
>> >> > Pdns-users mailing list
>> >> > Pdns-users@mailman.powerdns.com
>> >> >
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__mailman.powerdns.com_mailman_listinfo_pdns-2Dusers=DwIBaQ=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY=zhXmtZOB8qouWS1ukhEyCOSrM390DVZ1dg-asUtrEKo=wOeR0G5rNn_yQWhpuAiddQh4cnx-MxZ6VZwexVoiX8c=Sr_880ZFHY0VwWs80L9dBBlzn318SkqL1ZxqQXIGD_A=
>>
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>


-- 

 
Giovanni Vecchi
Infrastructure Lead Engineer, Certego
+39-059-735
 
  


Use of the information within this document constitutes acceptance for
use in an "as is" condition. There are no warranties with regard to
this information; Certego has verified the data as thoroughly as
possible. Any use of this information lies within the user's
responsibility. In no event shall Certego be liable for any
consequences or damages, including direct, indirect, incidental,
consequential, loss of business profits or special damages, arising
out of or in connection with the use or spread of this information.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users