It is a book about a Spanish guy called Manual. You shou
__________________________________________________________

1. The PowerDNS dynamic nameserver
1.1. Function & design of PDNS
1.2. About this document
1.3.1. Authoritative Server version 2.9.22
1.3.2. Authoritative Server version 2.9.21.2
1.3.3. Authoritative Server version 2.9.21.1
1.3.4. Recursor version 3.1.7
1.3.5. Recursor version 3.1.6
1.3.6. Recursor version 3.1.5
1.3.7. PowerDNS Authoritative Server version 2.9.21
1.3.8. Recursor version 3.1.4
1.3.9. Recursor version 3.1.3
1.3.10. Recursor version 3.1.2
1.3.11. Recursor version 3.1.1
1.3.12. Recursor version 3.0.1
1.3.13. Recursor version 3.0
1.3.14. Version 2.9.20
1.3.15. Version 2.9.19
1.3.16. Version 2.9.18
1.3.17. Version 2.9.17
1.3.18. Version 2.9.16
1.3.19. Version 2.9.15
1.3.20. Version 2.9.14
1.3.21. Version 2.9.13
1.3.22. Version 2.9.12
1.3.23. Version 2.9.11
1.3.24. Version 2.9.10
1.3.30. Version 2.9.3a
1.3.35. Version 2.7 and 2.7.1
1.3.46. Version 2.0 Release Candidate 2
1.3.47. Version 2.0 Release Candidate 1
1.3.48. Version 1.99.12 Prerelease
1.3.49. Version 1.99.11 Prerelease
1.3.50. Version 1.99.10 Prerelease
1.3.51. Version 1.99.9 Early Access Prerelease
1.3.52. Version 1.99.8 Early Access Prerelease
1.3.53. Version 1.99.7 Early Access Prerelease
1.3.54. Version 1.99.6 Early Access Prerelease
1.3.55. Version 1.99.5 Early Access Prerelease
1.3.56. Version 1.99.4 Early Access Prerelease
1.3.57. Version 1.99.3 Early Access Prerelease
1.3.58. Version 1.99.2 Early Access Prerelease
1.3.59. Version 1.99.1 Early Access Prerelease
1.5. PowerDNS Security Advisory 2006-01: Malformed TCP
     queries can lead to a buffer overflow which might
1.6. PowerDNS Security Advisory 2006-02: Zero second CNAME
     TTLs can make PowerDNS exhaust allocated stack
1.7. PowerDNS Security Advisory 2008-01: System random
     generator can be predicted, leading to the
     potential to 'spoof' PowerDNS Recursor
1.8. PowerDNS Security Advisory 2008-02: By not responding
     to certain queries, domains become easier to spoof
1.9. PowerDNS Security Advisory 2008-02: Some PowerDNS
     Configurations can be forced to restart remotely
1.10. Acknowledgements

2. Installing on Unix
2.1. Possible problems at this point
2.2. Testing your install
2.2.1. Typical errors
2.3. Running PDNS on unix

3. Installing on Microsoft Windows
3.1. Configuring PDNS on Microsoft Windows
3.2. Running PDNS on Microsoft Windows

4. Basic setup: configuring database connectivity
4.1. Example: configuring MySQL
4.1.1. Common problems

5. Dynamic resolution using the PipeBackend
5.1. Deploying the PipeBackend with the BindBackend

6. Logging & Monitoring Authoritative Server performance
6.2. Via init.d commands
6.3. Operational logging using syslog

7. Security settings & considerations
7.1.1. Running as a less privileged identity
7.1.2. Jailing the process in a chroot

9.2. Native Posix Thread Library vs LinuxThreads
9.3. Performance related settings

10. Migrating to PDNS

12. PowerDNS resolver/recursing nameserver
12.1. pdns_recursor settings
12.2. Controlling and querying the recursor
12.3. PowerDNS Recursor performance
12.4.1. Anti-spoofing
12.6.1. Configuring Lua scripts
12.6.2. Writing Lua PowerDNS Recursor scripts
12.7. Design and Engineering of the PowerDNS Recursor
12.7.1. The PowerDNS Recursor
12.7.2. Synchronous code using MTasker
12.7.5. The C++ Standard Library / Boost
12.7.6. Actual DNS Algorithm
12.7.7. The non-cached case
12.7.8. Some of the things we glossed over
12.7.9. The Recursor Cache
12.7.10. Some small things

13. Master/Slave operation & replication
13.1. Native replication
13.2. Slave operation
13.2.1. Supermaster automatic provisioning of slaves
13.3. Master operation

14. Fancy records for seamless email and URL integration
15. Index of all Authoritative Server settings
16. Index of all Authoritative Server metrics
16.1. Counters & variables
17. Supported record types and their storage
18. HOWTO & Frequently Asked Questions
18.1. Getting support, free and paid FAQ
18.2. Using and Compiling PowerDNS FAQ
18.3. Backend developer HOWTO
18.4. About PowerDNS.COM BV, 'the company'

19. Other tools included with PowerDNS
19.1. Notification proxy (nproxy)

20. Tools to analyse DNS traffic

A. Backends in detail
A.1.1. PipeBackend protocol
A.2.1. Configuration settings
A.4. MySQL PDNS backend
A.5. Generic MySQL and PgSQL backends
A.5.1. MySQL specifics
A.5.2. PostgreSQL specifics
A.5.3. Oracle specifics
A.5.4. Basic functionality
A.5.5. Master/slave queries
A.5.7. Settings and specifying queries
A.5.8. Native operation
A.5.9. Slave operation
A.5.10. Superslave operation
A.5.11. Master operation
A.6.1. Setting up Oracle for use with PowerDNS
A.7. Generic SQLite backend (2 and 3)
A.7.1. Compiling the SQLite backend
A.7.2. Setting up the database
A.7.3. Using the SQLite backend
A.9. Bind zone file backend
A.9.2. Pdns_control commands
A.9.4. Master/slave configuration
A.13. OpenDBX backend

B.3. Modules & Backends
B.4. How PDNS translates DNS queries into backend queries

C. Backend writers' guide
C.1. Simple read-only native backends
C.1.1. A sample minimal backend
C.1.2. Interface definition
C.2. Reporting errors
C.3. Declaring and reading configuration details
C.4. Read/write slave-capable backends
C.4.1. Supermaster/Superslave capability
C.5. Read/write master-capable backends

D. Compiling PowerDNS
D.1. Compiling PowerDNS on Unix
D.2. Compiling PowerDNS on Windows
D.2.3. Nullsoft Installer
D.2.4. Setting up the build-environment

E. PowerDNS license (GNU General Public License version 2)
F. Further copyright statements
F.1. AES implementation by Brian Gladman

1-1. PowerDNS Security Advisory
1-2. PowerDNS Security Advisory
1-3. PowerDNS Security Advisory
1-4. PowerDNS Security Advisory
1-5. PowerDNS Security Advisory

A-1. PipeBackend capabilities
A-2. MySQL backend capabilities
A-3. Random Backend capabilities
A-4. MySQL backend capabilities
A-5. Generic PgSQL and MySQL backend capabilities
A-6. Oracle backend capabilities
A-7. Generic SQLite backend capabilities
A-8. DB2 backend capabilities
A-9. Bind zone file backend capabilities
A-10. ODBC backend capabilities
A-11. LDAP backend capabilities
A-12. OpenDBX backend capabilities
A-13. Geo backend capabilities
C-1. DNSResourceRecord class
C-3. DomainInfo struct
__________________________________________________________
Chapter 1. The PowerDNS dynamic nameserver

The PowerDNS daemon is a versatile nameserver which supports a
large number of backends. These backends can either be plain
zonefiles or be more dynamic in nature. Additionally, through
use of clever programming techniques, PowerDNS offers very high
domain resolution performance.

Prime examples of backends include relational databases, but
also (geographical) loadbalancing and failover algorithms.

The company is called PowerDNS.COM BV, the nameserver daemon is
__________________________________________________________

1.1. Function & design of PDNS

PowerDNS consists of two parts: the Authoritative Server and
the Recursor. Other nameservers fully combine these functions;
PowerDNS offers them separately, but can mix both authoritative
and recursive usage seamlessly. The Authoritative Server will
answer questions about domains it knows about, but will not go
out on the net to resolve queries about other domains. However,
it can use a recursing backend to provide that functionality.
Depending on your needs, this backend can either be the
PowerDNS recursor or an external one.

When the Authoritative Server answers a question, the answer
comes out of the database, and can be trusted as being
authoritative. There is no way to pollute the cache or to
confuse the daemon.

The Recursor, conversely, by default has no knowledge of
domains itself, but will always consult other authoritative
servers to answer questions given to it.

PDNS has been designed to serve both the needs of small
installations, by being easy to set up, as well as for serving
very large query volumes on large numbers of domains.

Another prime goal is security. By the use of language
features, the PDNS source code is very small (in the order of
10,000 lines), which makes auditing easy. In the same way,
library features have been used to mitigate the risks of buffer

Finally, PDNS is able to give a lot of statistics on its
operation, which is helpful both in determining the scalability
of an installation and in spotting problems.
__________________________________________________________

1.2. About this document

If you are reading this document from disk, you may want to
check http://doc.powerdns.com for updates. The PDF version is
available on http://doc.powerdns.com/pdf, a text file is on
http://doc.powerdns.com/txt/.
__________________________________________________________
Before proceeding, it is advised to check the release notes for
your PDNS version, as specified in the name of the distribution

Beyond PowerDNS 2.9.20, the Authoritative Server and Recursor
are released separately.
__________________________________________________________
1.3.1. Authoritative Server version 2.9.22

Released on the 27th of January 2009.

This is a huge release, spanning almost 20 months of
development. Besides fixing a lot of bugs, of note is the
addition of the so-called 'Notification Proxy', which allows
PowerDNS to function as a master server behind a firewall, plus
the huge performance improvement of the internal caches.

This work has been made possible by UPC Broadband and Directi,

Finally, the release candidates of this version have been
tested & improved by Jorn Ekkelenkamp, Ton van Rosmalen, Jeff
Sipek, Tyler Hall, Christof Meerwald and Stefan Schmidt.

Fixed between rc1 and rc2, but not an issue in 2.9.21.

* pdns_control ccounts again outputs proper cache statistics.
  Implemented in commit 1304.
* Negative query caching was reinstated, leading to 6 times
  fewer backend queries than rc1 on the Express.powerdns.com
* Packetcache no longer needlessly parses outgoing packets
* Fancy records work again. This work has been sponsored by
  ISP Services. Implemented in commit 1302 and commit 1299.

* pdns_control can now also work over TCP/IP. Sponsored by
  Directi. Commits 1246, 1251, 1254, 1255.
* Implemented a notification proxy, see Section 19.1. This
  work was sponsored by UPC Broadband. Implemented in commits
  1075, 1077, 1082, 1083, 1085 and 1086.
* IXFR queries are now supported in the sense that we treat
  them as AXFR queries, silencing warnings in other
  nameservers. Suggested in ticket 131.
* The PIPE backend has been extended by David Apgar to allow
  the reporting of errors using the 'FAIL' command, plus
  support for responses with whitespace. Implemented in
* PowerDNS Authoritative server now parses incoming EDNS
  options, like maximum allowed packet size. Implemented in
  commit 1123 and commit 1281.
* Added support for DHCID, IPSECKEY and KX records, thanks
  Norbert Sendetzky for the hint. Implemented in commit 1144.
* Norbert Sendetzky has added support for all record
  types supported by PowerDNS to the LDAPBackend.
  Furthermore, the detection of OpenLDAP in autoconf has been
  improved. Finally, Debian has supplied some fixes to
  PowerLDAP. Implemented in commit 1152 and commit 1153.
* Implemented EDNS NSID option for retrieving the nameserver
  ID out of band. Defaults to hostname, can be specified
  using the server-id setting. Code in commit 1232.
* Implemented experimental EDNS PING for enhanced forgery
  resilience. Code in commit 1232.

* Improve packet generation performance, in some cases by
  25%. Code in 1258, 1259.
* Improved access list checking performance. Commit 1261.
* PowerDNS Authoritative caches were completely redone, and
  are now based on the same cache that is in the resolver.
  This work has been sponsored by Directi. In large
  benchmarks, PowerDNS performance has improved by an order
  of magnitude or more. This new version allows for
  near-instantaneous cache purging, plus very rapid purging
  based on suffix. Purge commands can also be batched. This
  work is partially based on an innovative reverse-string
  comparison function authored by Aki Tuomi.
* Installations which run with very high cache hit rates can
  now benefit from multiple CPUs by setting receiver-threads
  to the number of desired CPUs to utilize in cache
  operations. Implemented in commit 1316.
* BIND backend speedups in commit 1108, measured at around a
  20% improvement, possibly more on very large setups.

* Tyler Hall discovered the PowerDNS configuration file
  parser had problems with trailing tabs. This turned out to
  be a wider problem in PowerDNS. Buggy code replaced by a
  library call in commit 1237 and commit 1240.
* David Apgar of Yahoo discovered that our 'guardian' method
  of restarting PowerDNS in case of problems was not
  foolproof, and submitted a fix. A variation of this fix can
  be found in commit 1323. Also reported by Directi.
* Connection reset by peer events in the TCP nameserver no
  longer lead to the cycling of database connections. Code in
* FreeBSD compilation with Generic PostgreSQL backend was
  fixed. Reported by Wouter de Jong of WideXS, fixed in
  commit 1305, closes ticket 95.
* Webserver no longer prints '1e2%'. Finally closes ticket
  26. Much friendly nagging for over 3 years by Jeff Sipek,
* PowerDNS used to ignore certain queries it could not
  answer. These queries are no longer ignored, but get a
  SERVFAIL response. Implemented in commit 1239.
* Fix subtle CNAME and wildcard interactions reported by
  'zzyzz', implemented in commit 1147.
* The generic backends did not honour the default-ttl
  setting. Spotted and implemented by Matti Hiljanen.
* Matti Hiljanen discovered that the OpenDBX backend did not
  fill out the SOA ttl value properly. Matti also improved
  the SQL statements for better compatibility. Implemented in
* Treat invalid WWW requests better. Spotted by Maikel
  Verheijen, implemented in commit 1092.
* Documentation errors and typos, spotted by Marco Davids
  (commit 1097) and Rejo Zengers (commit 1119).
* Properly fill out the 'recursion available' flag. Spotted
  by Augie Schwer in ticket 167.
* Several memory leaks on bad data in the database or other
  errors have been fixed. Addressed in 1078 and 1079.
* In contravention of the documentation, the domain type as
  specified in the database ('MASTER', 'SLAVE' or 'NATIVE')
  was interpreted case sensitively. 1084.
* BIND backend could crash on processing information about
  slave zones to be checked. Spotted by Stefan Schmidt, fixed
* Jelte Jansen of Stichting NLNetLabs discovered PowerDNS in
  BIND mode couldn't operate as a root-server! Fixed in 1057.
* 'DPS' discovered there was a rare opportunity for PowerDNS
  to lock up waiting for new data. Addressed in 1076.
* Make singlethreaded mode more resilient against errors.
* DNSSEC records were part of 2.9.21, but were not actually
  hooked up. Please note that while PowerDNS can serve most
  DNSSEC records, it does not do DNSSEC processing.
* Shawn Starr migrated all his domains to PowerDNS in one
  evening, from an installation that had been used since
  BIND4. In doing so, he found 3 bugs in as many hours. An IN
  statement in the BIND named.conf with a zone with a
  trailing dot was misparsed, fixed in commit 1233. Secondly,
  the zonefile parser tripped over a line consisting of
  nothing but comments in the wrong place. Finally '$ORIGIN
  .' was misparsed. Last two issues fixed in commit 1234.
* Our statistics counters did not wrap correctly after the
  2.15 billion mark. Spotted by Stefan Schmidt, reported in
  ticket 179, fixed in commit 1284.
* Bindbackend could sometimes generate very strange error
  messages while processing a malformed zone file. Sometimes
  such error messages could cause a crash (reported on
  HP-UX). Addressed by commit 1279. This could not be
  triggered remotely. Closes ticket 203.
* Pipe backend did not clean up killed coprocesses. Found and
  fixed by Daniel Drown.
* Installations with tens of thousands of slave domains would
  never complete the cycle to check the freshness of all
  zones, as each incoming notification disrupted this cycle.
  Addressed in cooperation with Tyler Hall of EditDNS.

* Zoneparser improvements mean $TTL and $INCLUDES now work a
  lot better. Implemented in 1056, 1062.
* No longer report temporary recvfrom errors, which used to
  spam the log on many systems. Addressed in commit 1320.
* Direct queries for 'fancy records' would lead to errors;
  such queries now fail early. Spotted by Jorn Ekkelenkamp,
* Fix typo in geobackend, closing ticket 157, implemented in
* Initial work on TSIG support - not done yet. Spurred on by
* Embarrassingly, the 'master' configuration setting was not
  documented in the list of all settings!
* Norbert has updated OpenDBX so that SQLite reads and writes
  no longer deadlock, plus compilation fixes on Solaris, plus
  the addition of autoserials to backends that support
  triggers. Implemented in commit 1154.
* Random generator is now based on AES, improving the
  security of certain proxy operations. This is the same
  random generator that is in the recursor. Implemented in
* Documentation for 'supermaster' mode was improved due to
* When binding to a UDP port failed, supply a more precise
  error message (commit 1245).
* The zoneparser error messages were vastly improved,
  partially inspired by Shawn's cowboy migration. Code in
* Labels are compressed more efficiently
  (case-insensitively), leading to smaller packets.
  Implemented in commit 1156.
* Fix handling of TCP timeouts to not cause a reload of the
  backends. Implemented in commit 1092.
* TCP Receiver no longer spams the log with common network
  errors. Implemented in commit 1306.
* Move from select() to poll()-based multiplexing, allowing
  PowerDNS to listen on more than 1024 sockets
  simultaneously. One big PowerDNS user needs this.
* Zone2sql now reads source files in performance-enhancing
  inode order. Additionally, zone2sql no longer dies on a
  missing zone file if --on-error-resume-next was specified.
  Finally, statistics of zone2sql conversion have been
  improved. Implemented in 1055.
* Address issues found by more recent g++ versions. Spotted
  and/or fixed by Jorn Ekkelenkamp (commit 1051), Marcus
  Rueckert (commit 1094), Norbert Sendetzky (commit 1107),
  Serge Belyshev (commit 1171).
* The Intel C Compiler implements certain things differently,
  causing the master/slave communicator to malfunction.
  Spotted by Marcus Rueckert, implemented in 1052, plus
* PowerDNS can now be compiled with Boost 1.37.0.
* Andre Lorbach of Adiscon discovered the Microsoft Windows
  2003 nameserver adds out-of-zone data to zone transfers,
  which we need to ignore, instead of rejecting the entire
  zone. Implemented in 1048.
* PowerDNS now skips remote master servers which consistently
  generate timeout messages, improving the master checking
  cycle time tremendously. Developed in cooperation with
  Tyler Hall. Implemented in commit 1278.
* dnsreplay now waits for the final answers to arrive, making
  it possible to process even small pcap files and get
  meaningful statistics. Commit 1268.
* dnsreplay has a more sane default timeout now, which can be
  configured too. Suggested by Augie Schwer in ticket 163,
  implemented in commit 1287.
__________________________________________________________
1.3.2. Authoritative Server version 2.9.21.2

Released on the 18th of November 2008.

This release consists of a single patch to PowerDNS
Authoritative Server version 2.9.21.1. In some configurations,
notably with configuration option 'distributor-threads=1', the
PowerDNS Authoritative Server crashes easily in some error

All users are urged to upgrade. Even though PowerDNS restarts
itself on encountering such error conditions, and even though
most PowerDNS configurations do not run in single threaded
mode, an upgrade is recommended.

More detail can be found in Section 1.9.
__________________________________________________________
1.3.3. Authoritative Server version 2.9.21.1

Released on the 6th of August 2008.

This release consists of a single patch to PowerDNS
Authoritative Server version 2.9.21. Brian J. Dowling of
Simplicity Communications has discovered a security implication
of the previous PowerDNS behaviour to drop queries it considers
malformed. We are grateful that Brian notified us quickly about

This issue has been assigned CVE-2008-3337. The single patch is
in commit 1239. More detail can be found in Section 1.8.

The implication is that while the PowerDNS Authoritative server
itself does not face a security risk because of dropping these
malformed queries, other resolving nameservers run a higher
risk of accepting spoofed answers for domains being hosted by
PowerDNS Authoritative Servers before 2.9.21.1.

While the dropping of queries does not aid sophisticated
spoofing attempts, it does facilitate simpler attacks.

It may be good to know that several large sites already run
with this patch applied, as it has been in the public codebase
for some weeks already.
__________________________________________________________
1.3.4. Recursor version 3.1.7

Released the 25th of June 2008.

This version contains powerful scripting abilities, allowing
operators to modify DNS responses in many interesting ways.
Among other things, these abilities can be used to filter out
malware domains, to perform load balancing, to comply with
legal and other requirements and finally, to implement
'NXDOMAIN' redirection.

It is hoped that the addition of Lua scripting will enable
responsible DNS modification for those that need it.

For more details about the Lua scripting, which can be
modified, loaded and unloaded at runtime, see Section 12.6.
Many thanks are due to the #lua IRC channel, for excellent
near-realtime Lua support. In addition, a number of PowerDNS
users have been enthusiastically testing prereleases of the
scripting support, and have found and solved many issues.

In addition, 3.1.7 fixes a number of bugs:

* In 3.1.5 and 3.1.6, an authoritative server could continue
  to renew its authority, even though a domain had been
  delegated to other servers in the meantime.
  In the rare cases where this happened, and the old servers
  were not shut down, the observed effect is that users were
  Bug spotted and analysed by Darren Gamble, fix in commit
  1182 and commit 1183.
* Thanks to long-time PowerDNS contributor Stefan Arentz, for
  the first time, Mac OS X 10.5 users can compile and run the
  PowerDNS Recursor! Patch in commit 1185.
* Sten Spans spotted that for outgoing TCP/IP queries, the
  query-local-address setting was not honored. Fixed in
* rec_control wipe-cache now also wipes domains from the
  negative cache, hurrying up the expiry of negatively cached
  records. Suggested by Simon Kirby, implemented in commit
* When a forwarder server is configured for a domain, using
  the forward-zones setting, this server IP address was
  filtered using the dont-query setting, which is generally
  not what is desired: the server to which queries are
  forwarded will often live in private IP space, and the
  operator should be trusted to know what he is doing.
  Reported and argued by Simon Kirby, fix in commit 1211.
* Marcus Rueckert of OpenSUSE reported that very recent gcc
  versions emitted a (correct) warning on an overly
  complicated line in syncres.cc, fixed in commit 1189.
* Stefan Schmidt discovered that the netmask matching code,
  used by the new Lua scripts, but also by all other parts of
  PowerDNS, had problems with explicit '/32' matches. Fixed
__________________________________________________________
1.3.5. Recursor version 3.1.6

Released on the 1st of May 2008.

This version fixes two important problems, each on its own
important enough to justify a quick upgrade.

* Version 3.1.5 had problems resolving several slightly
  misconfigured domains, including for a time 'juniper.net'.
  Nameserver timeouts were not being processed correctly,
  leading PowerDNS to not update the internal clock, which in
  turn meant that any queries immediately following an error
  would time out as well. Because of retries, this would
  usually not be a problem except on very busy servers, for
  domains with different nameservers at different levels of
  the DNS-hierarchy, like 'juniper.net'.
  This issue was fixed rapidly because of the help of XS4ALL
  (Eric Veldhuyzen, Kai Storbeck), Brad Dameron and Kees
  Monshouwer. Fix in commit 1178.
* The new high-quality random generator was not used for all
  random numbers, especially in source port selection. This
  means that 3.1.5 is still a lot more secure than 3.1.4 was,
  and its algorithms more secure than most other nameservers,
  but it also means 3.1.5 is not as secure as it could be. A
  quick upgrade is recommended. Discovered by Thomas Biege of
  Novell (SUSE), fixed in commit 1179.
__________________________________________________________
778 1.3.6. Recursor version 3.1.5
780 Released on the 31st of March 2008.
782 Much like 3.1.4, this release does not add a lot of major
783 features. Instead, performance has been improved significantly
784 (estimated at around 20%), and many rare and not so rare issues
785 were addressed. Multi-part TXT records now work as expected -
786 the only significant functional bug found in 15 months. One of
787 the oldest feature requests was fulfilled: version 3.1.5 can
788 finally forward queries for designated domains to multiple
789 servers, on differing port numbers if needed. Previously only
790 one forwarder address was supported. This lack held back a
791 number of migrations to PowerDNS.
793 We would like to thank Amit Klein of Trusteer for bringing a
794 serious vulnerability to our attention which would enable a
795 smart attacker to 'spoof' previous versions of the PowerDNS
796 Recursor into accepting possibly mallicious data.
798 Details can be found on this Trusteer page.
800 It is recommended that all users of the PowerDNS Recursor
801 upgrade to 3.1.5 as soon as practicable, while we
802 simultaneously note that busy servers are less susceptible to
803 the attack, but not immune.
805 The PowerDNS Security Advisory can be found in Section 1.7.
807 This version can properly benefit from all IPv4 and IPv6
808 addresses in use at the root-servers as of early February 2008.
809 In order to implement this, changes were made to how the
810 Recursor deals internally with A and AAAA queries for
811 nameservers, see below for more details.
813 Additionally, newer releases of the G++ compiler required some
814 fixes (see ticket 173).
816 This release was made possible by the help of Wichert Akkerman,
817 Winfried Angele, Arnoud Bakker (Fox-IT), Niels Bakker (no
818 relation!), Leo Baltus (Nederlandse Publieke Omroep), Marco
819 Davids (SIDN), David Gavarret (Neuf Cegetel), Peter Gervai,
820 Marcus Goller (UPC), Matti Hiljanen (Saunalahti/Elisa), Ruben
821 Kerkhof, Alex Kiernan, Amit Klein (Trusteer), Kenneth Marshall
822 (Rice University), Thomas Rietz, Marcus Rueckert (OpenSUSE),
823 Augie Schwer (Sonix), Sten Spans (Bit), Stefan Schmidt
824 (Freenet), Kai Storbeck (xs4all), Alex Trull, Andrew Turnbull
825 (No Wires) and Aaron Thompson, and many more who filed bugs
826 anonymously, or who we forgot to mention.
828 Security related issues:
830 * Amit Klein has informed us that System random generator
831 output can be predicted based on its past behaviour,
832 allowing a smart attacker to 'spoof' our nameserver. Full
833 details in Section 1.7.
834 * The Recursor will by default no longer query private-space
835 nameservers. This closes a slight security risk and
836 simultaneously improves performance and stability. For more
837 information, see dont-query in Section 12.1. Implemented in
839 * Applied fix for ticket 110 ('PowerDNS should change
840 directory to '/' in chroot), implemented in commit 944.
844 * The DNS packet writing and parsing infrastructure
845 performance was improved in several ways, see commits 925,
846 926, 928, 931, 1021, 1050.
847 * Remove multithreading overhead from the Recursor (commit
852 * Built-in authoritative server now properly derives the TTL
853 from the SOA record if not specified. Implemented in commit
854 1165. Additionally, even when TTL was specified for the
855 built-in authoritative server, it was ignored. Reported by
856 Stefan Schmidt, closing ticket 147.
857 * Empty TXT record components can now be served. Implemented
858 in commit 1166, closing ticket 178. Spotted by Matti
860 * The Recursor would not properly override old data with new,
861 sometimes serving old and new data concurrently. Fixed in
863 * SOA records with embedded carriage-return characters are
864 now parsed correctly. Implemented in commit 1167, closing
866 * Some routing conditions could cause UDP connected sockets
867 to generate an error which PowerDNS did not deal with
868 properly, leading to a leaked file descriptor. As these run
869 out over time, the recursor could crash. This would also
870 happen for IPv6 queries on a host with no IPv6
871 connectivity. Thanks to Kai of xs4all and Wichert Akkerman
872 for reporting this issue. Fix in commit 1133.
873 * Empty unknown record types can now be stored without
874 generating a scary error (commit 1129)
875 * Applied fix for ticket 111, ticket 112 and ticket 153 -
876 large (multipart) TXT records are now retrieved and served
877 properly. Fix in commit 996.
878 * Solaris compilation instructions in Recursor documentation
879 were wrong, leading to an instant crash on startup. Luckily
880 nobody reads the documentation, except for Marcus Goller
881 who found the error. Fixed in commit 1124.
882 * On Solaris, finally fix the issue where queries get
883 distributed strangely over CPUs, or not get distributed at
884 all. Much debugging and analysing performed by Alex
885 Kiernan, who also supplied fixes. Implemented in commit
887 * Various fixes for modern G++ versions, most spotted by
888 Marcus Rueckert (commits 964, 965, 1028, 1052), and Ruben
889 Kerkhof (commit 1136, closing ticket 175).
890 * Recursor would not properly clean up pidfile and control
891 socket, closing ticket 120, code in commit 988, commit 1098
892 (part of fix by Matti Hiljanen, spotted by Leo Baltus)
893 * Recursor can now serve multi-line records from its limited
894 authoritative server (commit 1014).
895 * When parsing zones, the 'm' time specification stands for
896 minutes, not months! Closing Debian bug 406462 (commit
898 * Authoritative zone parser did not support '@' in the
899 content of records. Spotted by Marco Davids, fixed in
901 * Authoritative zone parser could be confused by trailing
902 TABs on record lines (commit 1062).
903 * EINTR error code could block entire server if received at
904 the wrong time. Spotted by Arnoud Bakker, fix in commit
906 * Fix crash on NetBSD on Alpha CPUs, might improve startup
907 behaviour on empty caches on other architectures as well
909 * Outbound TCP queries were being performed sub-optimally
910 because of an interaction with the 'Mplexer'. Fixes in
911 commit 1115, commit 1116.
915 * Implemented rec_control command get uptime, as suggested by
916 Niels Bakker (commit 935). Added to default rrdtool scripts
918 * The Recursor Authoritative component, meant for having the
919 Recursor serve some zones authoritatively, now supports
920 $INCLUDE and $GENERATE. Implemented in commit 951 and
921 commit 952, commit 967 (discovered by Thomas Rietz),
922 * Implemented forward-zones-file option in order to support
923 larger amounts of zones which should be forwarded to
924 another nameserver (commit 963).
925 * Both forward-zones and forward-zones-file can now specify
926 multiple forwarders per domain, implemented in commit 1168,
927 closing ticket 81. Additionally, both these settings can
928 also specify non-standard port numbers, as suggested in
929 ticket 122. Patch authored by Aaron Thompson, with
930 additional work by Augie Schwer.
931 * Sten Spans contributed allow-from-file, implemented in
932 commit 1150. This feature allows the Recursor to read
933 access rules from a (large) file.
935 General improvements:
937 * Ruben Kerkhof fixed up weird permission bits as well as our
938 SGML documentation code in commit 936 and commit 937.
939 * Full IPv6 parity. If configured to use IPv6 for outgoing
940 queries (using query-local-address6=::0 for example), IPv6
941 and IPv4 addresses are finally treated 100% identically,
942 instead of 'mostly'. This feature is implemented using
943 'ANY' queries to find A and AAAA addresses in one query,
944 which is a new approach. Treat with caution.
945 * Now perform EDNS0 root refreshing queries, so as to benefit
946 from all returned addresses. Relevant since early February
947 2008 when the root-servers started to respond with IPv6
948 addresses, which made the default non-EDNS0 maximum packet
949 length reply no longer contain all records. Implemented in
950 commit 1130. Thanks to dns-operations AT mail.oarc.isc.org
951 for quick suggestions on how to deal with this change.
952 * rec_control now has a timeout in case the Recursor does not
953 respond. Implemented in commit 945.
954 * (Error) messages are now logged with saner priorities
956 * Outbound query IP interface stemmed from 1997 (!) and was
957 in dire need of a cleanup (commit 1117).
958 * L.ROOT-SERVERS.NET moved (commit 1118).
959 __________________________________________________________
961 1.3.7. PowerDNS Authoritative Server version 2.9.21
963 Released the 21st of April 2007.
965 This is the first release of the PowerDNS Authoritative Server
966 since the Recursor was split off to a separate product, and
967 also marks the transfer of the new technology developed
968 specifically for the recursor, back to the authoritative
971 This move has reduced the amount of code of the Authoritative
972 server by over 2000 lines, while improving the quality of the
975 However, since so much has been changed, care should be taken
976 when deploying 2.9.21.
978 To signify the magnitude of the underlying improvements, the
979 next release of the PowerDNS Authoritative Server will be
982 This release would not have been possible without large amounts
983 of help and support from the PowerDNS Community. We
984 specifically want to thank Massimo Bandinelli of Italy's
985 Register.it, Dave Aaldering of Aaldering ICT, True BV, XS4ALL,
986 Daniel Bilik of Neosystem, EasyDNS, Heinrich Ruthensteiner of
987 Siemens, Augie Schwer, Mark Bergsma, Marco Davids, Marcus
988 Rueckert of OpenSUSE, Andre Muraro of Locaweb, Antony Lesuisse,
989 Norbert Sendetzky, Marco Chiavacci, Christoph Haas, Ralf van
990 der Enden and Ruben Kerkhof.
994 * The previous packet parsing and generating code contained
995 no known bugs, but was however very lengthy and overly
996 complex, and might have had security problems. The new code
997 is 'inherently safe' because it relies on bounds-checking
998 C++ constructs. Therefore, a move to 2.9.21 is highly
1000 * Pre-2.9.21, communication between master and server
1001 nameservers was not checked as rigidly as possible,
1002 possibly allowing third parties to disrupt but not modify
1003 such communications.
1007 The 'bind1' legacy version of our BIND backend has been
1008 dropped! There should be no need to rely on this old version
1009 anymore, as the main BIND backend has been very well tested
1014 * Multi-part TXT records weren't supported. This has been
1015 fixed, and regression tests have been added. Code in
1016 commits 1016, 996, 994.
1017 * Email addresses with embedded dots in SOA records were not
1018 parsed correctly, nor were other embedded dots. Noted by
1019 'Bastiaan', fixed in commit 1026.
1020 * BIND backend treated the 'm' TTL modifier as 'months' and
1021 not 'minutes'. Closes Debian bug 406462. Addressed in
1023 * Our snapshots were built against a static version of
1024 PostgreSQL that was incompatible with many Linux
1025 distributions, leading to instant crashes on startup. Fixed
1027 * CNAME referrals to child zones gave improper responses.
1028 Noted by Augie Schwer in ticket 123, fixed in commit 992.
1029 * When passing a port number with the recursor setting, this
1030 would sometimes generate errors during additional
1031 processing. Switched off overly helpful additional
1032 processing for recursive queries to remove this problem.
1033 Implemented in commit 1031, spotted by Ralf van der Enden.
1034 * NS to a nameserver with the name of the zone itself
1035 generated problems. Spotted by Augie Schwer, fixed in
1037 * Multi-line records in the BIND backend were not always
1038 parsed correctly. Fixed in commit 1014.
1039 * The LOC-record had problems operating outside of the
1040 eastern hemisphere of the northern part of the world! Fixed
1042 * Backends were compiled without multithreading preprocessor
1043 flags. As far as we can determine, this would only cause
1044 problems for the BIND backend, but we cannot rule out this
1045 caused instability in other backends. Fixed in commit 1001.
1046 * The BIND backend was highly unstable under reloads, and
1047 leaked memory and file descriptors. Thanks to Mark Bergsma
1048 and Massimo Bandinelli for respectively pointing this out
1049 to us and testing large amounts of patches to fix the
1050 problem. The fixes have resulted in better performance,
1051 less code, and a remarkable simplification of this backend.
1052 Commits 1039, 1034, 1035, 1006, 999, 905 and previous.
1053 * BIND backend gave convincing NXDOMAINS on unloaded zones in
1054 some cases. Spotted and fixed by Daniel Bilik in commit
1056 * SOA records in zone transfers sometimes contained the wrong
1057 SOA TTL. Spotted by Christian Kuehn, fixed in commit 902.
1058 * PowerDNS could get confused by very high SOA serial
1059 numbers. Spotted and fixed by Dan Bilik in commit
1061 * Some versions of FreeBSD perform very strict checks on
1062 socket address sizes passed to 'connect', which could lead
1063 to problems retrieving zones over AXFR. Fixed in commit
1065 * Some versions of FreeBSD perform very strict checks on IPv6
1066 socket addresses, leading to problems. Discovered by Sten
1067 Spans, fixed in commit 885 and commit 886.
1068 * IXFR requests were not logged properly. Noted by Ralf van
1069 der Enden, fixed in commit 990.
1070 * Some NAPTR records needed an additional space character to
1071 encode correctly. Spotted by Heinrich Ruthensteiner, fixed
1073 * Many bugs in the TCP nameserver, leading to a PowerDNS
1074 process that did not respond to TCP queries over time. Many
1075 fixes provided by Dan Bilik, other problems were fixed by
1076 rewriting our TCP handling code. Commits 982 and 980, 950,
1077 924, 889, 874, 869, 685, 684.
1078 * Fix crashes on the ARM processor due to alignment errors.
1079 Thanks to Sjoerd Simons. Closes Debian bug 397031.
1080 * Missing data in generic SQL backends would sometimes lead
1081 to faked SOA serial data. Spotted by Leander Lakkas from
1082 True. Fix in commit 866.
1083 * When receiving two quick notifications in succession, the
1084 packet cache would sometimes "process" the second one,
1085 leading PowerDNS to ignore it. Spotted by Dan Bilik, fixed
1087 * Geobackend (by Mark Bergsma) did not properly override the
1088 getSOA method, breaking non-overlay operation of this fine
1089 backend. The geobackend now also skips '.hidden'
1090 configuration files, and now properly disregards empty
1091 configuration files. Additionally, the overlapping
1092 abilities were improved. Details available in commit 876,
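The 'm' suffix confusion fixed above (and noted again in the Recursor changelog) comes down to how a zone-file TTL specification is tokenised. The following added example is written for this page and is not the PowerDNS BIND backend's parser; it reads BIND-style TTL strings with the unit table spelled out so that 'm' is unambiguously minutes. The function name parse_ttl, the constant names and the RFC 2181 upper-bound check are this example's own choices.

```python
import re

# BIND zone-file time units in seconds. 'm' is minutes: the changelog entry
# above is about a parser that read it as months.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# RFC 2181 section 8: a TTL is an unsigned value no larger than 2^31 - 1.
MAX_TTL = 2**31 - 1

_TOKEN = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def parse_ttl(spec: str) -> int:
    """Parse a TTL such as '3600', '30m', '1H' or '1w2d3h4m5s' into seconds.

    A bare number is seconds. Units may be mixed case and chained. Anything
    else (empty string, unknown unit, unit without a number) is a ValueError,
    as is a total above MAX_TTL.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty TTL specification")
    total = 0
    pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"bad TTL token at offset {pos} in {spec!r}")
        value, unit = m.groups()
        total += int(value) * UNIT_SECONDS[unit.lower() or "s"]
        pos = m.end()
    if total > MAX_TTL:
        raise ValueError(f"TTL {total} exceeds RFC 2181 maximum {MAX_TTL}")
    return total


if __name__ == "__main__":
    # Constructed $TTL values as they might appear in a zone file.
    for spec in ["3600", "30m", "1H", "1w2d3h4m5s"]:
        print(f"{spec:>12} -> {parse_ttl(spec):>8} s")
```

With 'm' read as months, a "30m" TTL would have cached a record for roughly two and a half years instead of half an hour; the explicit unit table makes that kind of slip visible in review.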
1097 * Thanks to EasyDNS, PowerDNS now supports multiple masters
1098 per domain. For configuration details, see Section 13.2.
1099 Implemented in commit 1018, commit 1017.
1100 * Thanks to EasyDNS, PowerDNS now supports the KEY record
1101 type, as well the SPF record. In commit 976.
1102 * Added support for CERT, SSHFP, DNSKEY, DS, NSEC, RRSIG
1103 record types, as part of the move to the new DNS
1104 parsing/generating code.
1105 * Support for the AFSDB record type, as requested by
1106 'Bastian'. Implemented in commit 978, closing ticket 129.
1107 * Support for the MR record type. Implemented in commit 941
1109 * Gsqlite3 backend was added by Antony Lesuisse in commit
1111 * Added the ability to send out light-weight root-referrals
1112 that save bandwidth yet still placate mediocre resolver
1113 implementations. Implemented in commit 912, enable with
1114 'root-referral=lean'.
1118 * Miscellaneous OpenDBX and LDAP backend improvements by
1119 Norbert Sendetzky. Applied in commit 977 and commit 1040.
1120 * SGML source of the documentation was cleaned up by Ruben
1121 Kerkhof in commit 936.
1122 * Speedups in core DNS label processing code. Implemented in
1123 commit 928, commit 654, commit 1020.
1124 * When communicating with master servers and encountering
1125 errors, more useful details are logged. Reported by Stefan
1126 Arentz in ticket 137, closed by commit 1015.
1127 * Database errors are now logged with more details. Addressed
1129 * pdns_control problems are now logged more verbosely. Change
1131 * Erroneous address configuration was logged unclearly.
1132 Spotted by River Tarnell, fixed in commit 888.
1133 * Example configuration shipped with PowerDNS was very old.
1134 Noted by Leen Besselink, fixed in commit 946.
1135 * PowerDNS neglected to chdir to the root when chrooted. This
1136 closes ticket 110, fixed in commit 944.
1137 * Microsoft resolver had problems with responses we generated
1138 for CNAMEs pointing out of our bailiwick. Fixed in commit
1139 983 and expedited by Locaweb.com.br.
1140 * Built-in webserver logs errors more verbosely. Closes
1141 ticket 82, fixed in commit 991.
1142 * Queries containing '@' no longer flood the logs. Addressed
1144 * The build process now looks for PostgreSQL in more places.
1145 Implemented in commit 998, closes ticket 90.
1146 * Speedups in the BIND backend now mean large installations
1147 enjoy startup times up to 30 times faster than with the
1148 original BIND nameserver. Many thanks to Massimo
1150 * BIND backend now offers full support for query logging,
1151 implemented in commit 1026, commit 1029.
1152 * BIND backend named.conf parsing is now fully
1153 case-insensitive for domain names. This closes Debian bug
1154 406461, fixed in commit 1027.
1155 * IPv6 and IPv4 address parsing routines have been replaced,
1156 which should result in prettier output in some cases.
1157 commit 962, commit 1012 and others.
1158 * 5 new regression tests have been added to ensure old bugs
1160 * Fix small issues with very modern compilers and BOOST
1161 snapshots. Noted by Marcus Rueckert, addressed in commit
1162 954, commit 964, commit 965, commit 1003.
1163 __________________________________________________________
1165 1.3.8. Recursor version 3.1.4
1167 Released the 13th of November 2006.
1169 This release contains almost no new features, but consists
1170 mostly of minor and major bug fixes. It also addresses two
1171 major security issues, which makes this release a highly
1172 recommended upgrade.
1176 * Large TCP questions followed by garbage could cause the
1177 recursor to crash. This critical security issue has been
1178 assigned CVE-2006-4251, and is fixed in commit 915. More
1179 information can be found in Section 1.5.
1180 * CNAME loops with zero second TTLs could cause crashes in
1181 some conditions. These loops could be constructed by
1182 malicious parties, making this issue a potential denial of
1183 service attack. This security issue has been assigned
1184 CVE-2006-4252 and is fixed by commit 919. More information
1185 can be found in Section 1.6. Many thanks to David Gavarret
1186 for helping pin down this problem.
1190 * On certain error conditions, PowerDNS would neglect to
1191 close a socket, which might therefore eventually run out.
1192 Spotted by Stefan Schmidt, fixed in commits 892, 897, 899.
1193 * Some nameservers (including PowerDNS in rare circumstances)
1194 emit a SOA record in the authority section. The recursor
1195 mistakenly interpreted this as an authoritative "NXRRSET".
1196 Spotted by Bryan Seitz, fixed in commit 893.
1197 * In some circumstances, PowerDNS could end up with a useless
1198 (not working, or no longer working) set of nameserver
1199 records for a domain. This release contains logic to
1200 invalidate such broken NSSETs, without overloading
1201 authoritative servers. This problem had previously been
1202 spotted by Bryan Seitz, 'Cerb' and Darren Gamble.
1203 Invalidations of NSSETs can be plotted using the
1204 "nsset-invalidations" metric, available through rec_control
1205 get. Implemented in commit 896 and commit 901.
1206 * PowerDNS could crash while dumping the cache using
1207 rec_control dump-cache. Reported by Wouter of WideXS and
1208 Stefan Schmidt and many others, fixed in commit 900.
1209 * Under rare circumstances (depleted TCP buffers), PowerDNS
1210 might send out incomplete questions to remote servers.
1211 Additionally, on big-endian systems (non-Intel and non-AMD
1212 generally), sending out large TCP answers questions would
1213 not work at all, and possibly crash. Brought to our
1214 attention by David Gavarret, fixed in commit 903.
1215 * The recursor contained the potential for a dead-lock
1216 processing an invalid domain name. It is not known how this
1217 might be triggered, but it has been observed by 'Cerb' on
1218 #powerdns. Several dead-locks where PowerDNS consumed all
1219 CPU, but did not answer questions, have been reported in
1220 the past few months. These might be fixed by commit 904.
1221 * IPv6 'allow-from' matching had problems with the least
1222 significant bits, sometimes allowing disallowed addresses,
1223 but mostly disallowing allowed addresses. Spotted by Wouter
1224 from WideXS, fixed in commit 916.
1228 * PowerDNS has support to drop answers from so called
1229 'delegation only' zones. A statistic ("dlg-only-drops") is
1230 now available to plot how often this happens. Implemented
1232 * Hint-file parameter was mistakenly named "hints-file" in
1233 the documentation. Spotted by Marco Davids, fixed in
1235 * rec_control quit should be near instantaneous now, as it no
1236 longer meticulously cleans up memory before exiting.
1237 Problem spotted by Darren Gamble, fixed in commit 914,
1239 * init.d script no longer refers to the Recursor as the
1240 Authoritative Server. Spotted by Wouter of WideXS, fixed in
1242 * A potentially serious warning for users of the GNU C
1243 Library version 2.5 was fixed. Spotted by Marcus Rueckert,
1244 fixed in commit 920.
1245 __________________________________________________________
1247 1.3.9. Recursor version 3.1.3
1249 Released the 12th of September 2006.
1251 Compared to 3.1.2, this release again consists of a number of
1252 mostly minor bug fixes, and some slight improvements.
1254 Many thanks are again due to Darren Gamble who together with
1255 his team has discovered many misconfigured domains that do work
1256 with some other name servers. DNS has long been tolerant of
1257 misconfigurations, PowerDNS intends to uphold that tradition.
1258 Almost all of the domains found by Darren now work as well in
1259 PowerDNS as in other name server implementations.
1261 Thanks to some recent migrations, this release, or something
1262 very close to it, is powering over 40 million internet
1263 connections that we know of. We appreciate hearing about
1264 successful as well as unsuccessful migrations; please feel free
1265 to notify pdns.bd@powerdns.com of your experiences, good or
1270 * The MThread default stack size was too small, which led to
1271 problems, mostly on 64-bit platforms. This stack size is
1272 now configurable using the stack-size setting should our
1273 estimate be off. Discovered by Darren Gamble, Sten Spans
1274 and a number of others. Fixed in commit 868.
1275 * Plug a small memory leak discovered by Kai and Darren
1276 Gamble, fixed in commit 870.
1277 * Switch from the excellent nedmalloc to dlmalloc, based on
1278 advice by the nedmalloc author. Nedmalloc is optimised for
1279 multithreaded operation, whereas the PowerDNS recursor is
1280 single threaded. The version of nedmalloc shipped contained
1281 a number of possible bugs, which are probably resolved by
1282 moving to dlmalloc. Some reported crashes on hitting 2G of
1283 allocated memory on 64 bit systems might be solved by this
1284 switch, which should also increase performance. See commit
1289 * The cache is now explicitly aware of the difference between
1290 authoritative and unauthoritative data, allowing it to deal
1291 with some domains that have different data in the parent
1292 zone than in the authoritative zone. Patch in commit 867.
1293 * No longer try to parse DNS updates as if they were queries.
1294 Discovered and fixed by Jan Gyselinck, fix in commit 871.
1295 * Rebalance logging priorities for less log cluttering and
1296 add IP address to a remote server error message. Noticed
1297 and fixed by Jan Gyselinck (commit 877).
1298 * Add logging-facility setting, allowing syslog to send
1299 PowerDNS logging to a separate file. Added in commit 871.
1300 __________________________________________________________
1302 1.3.10. Recursor version 3.1.2
1304 Released Monday 26th of June 2006.
1306 Compared to 3.1.1, this release consists almost exclusively of
1307 bug-fixes and speedups. A quick update is recommended, as some
1308 of the bugs impact operators of authoritative zones on the
1309 internet. This version has been tested by some of the largest
1310 internet providers on the planet, and is expected to perform
1313 Many thanks are due to Darren Gamble, Stefan Schmidt and Bryan
1314 Seitz who all provided excellent feedback based on their
1315 large-scale tests of the recursor.
1319 * Internal authoritative server did not differentiate between
1320 'NXDOMAIN' and 'NXRRSET', in other words, it would answer
1321 'no such host' when an AAAA query came in for a domain that
1322 did exist, but did not have an AAAA record. This only
1323 affects users with auth-zones configured. Discovered by
1324 Bryan Seitz, fixed in commit 848.
1325 * ANY queries for hosts where nothing was present in the
1326 cache would not work. This did not cause real problems as
1327 ANY queries are not reliable (by design) for anything other
1328 than debugging, but did slow down the nameserver and cause
1329 unnecessary load on remote nameservers. Fixed in commit
1331 * When exceeding the configured maximum amount of TCP
1332 sessions, TCP support would break and the nameserver would
1333 waste CPU trying to accept TCP connections on UDP ports.
1334 Noted by Bryan Seitz, fixed in commit 849.
1335 * DNS queries come in two flavours: recursion desired and
1336 non-recursion desired. The latter is not very useful for a
1337 recursor, but is sometimes (erroneously) used by monitoring
1338 software or loadbalancers to detect nameserver
1339 availability. A non-rd query would not only not recurse,
1340 but also not query authoritative zones, which is confusing.
1341 Fixed in commit 847.
1342 * Non-standard DNS TCP queries, that did occur however, could
1343 drive the recursor to 100% CPU usage for extended periods
1344 of time. This did not disrupt service immediately, but does
1345 waste a lot of CPU, possibly exhausting resources.
1346 Discovered by Bryan Seitz, fixed in commit 858, which is
1348 * The PowerDNS recursor did not honour the rare but
1349 standardised 'ANY' query class (normally 'ANY' refers to
1350 the query type, not class), upsetting the Wildfire Jabber
1351 server. Discovered and debugged by Daniel Nauck, fixed in
1352 commit 859, which is post-3.1.2-rc1.
1353 * Everybody's favorite, when starting up under high load, a
1354 bogus line of statistics was sometimes logged. Fixed in
1356 * Remove some spurious debugging output on dropping a packet
1357 by an unauthorized host. Discovered by Kai. Fixed in commit
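The NXDOMAIN versus NXRRSET distinction in the first bug fix above is easy to get wrong in a small authoritative lookup. The following added example is not PowerDNS code; the zone contents are constructed for illustration and the function names are this example's own. It shows the three outcomes a correct lookup has to tell apart: the name exists and has the type, the name exists but lacks the type (NODATA in RFC 2308 terms, what the changelog calls NXRRSET), and the name does not exist at all (NXDOMAIN), including the empty non-terminal case where a name owns no records itself but has names beneath it.

```python
# Constructed sample zone for the example: owner name -> {RRTYPE: [rdata]}.
# Names are lower-case and fully qualified (trailing dot).
SAMPLE_ZONE = {
    "example.": {
        "SOA": ["ns1.example. hostmaster.example. 2006062601 7200 900 1209600 300"],
        "NS": ["ns1.example."],
        "A": ["192.0.2.1"],
    },
    "ns1.example.": {"A": ["192.0.2.53"]},
    "www.example.": {"A": ["192.0.2.10"]},            # no AAAA here
    "sip.example.": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
    "_sip._tcp.example.": {"SRV": ["10 60 5060 sip.example."]},
}


def normalize(name: str) -> str:
    """Lower-case and ensure a trailing dot, so lookups are case-insensitive."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def lookup(zone: dict, qname: str, qtype: str):
    """Answer (rcode, rdata_list) for a query inside the zone's bailiwick.

    NOERROR with an empty list is the NODATA answer (the 'NXRRSET' of the
    changelog): the name exists, just not with that type. NXDOMAIN means no
    name in the zone is equal to, or lies below, qname.
    """
    qname = normalize(qname)
    qtype = qtype.upper()
    if qname in zone:
        return ("NOERROR", list(zone[qname].get(qtype, [])))
    # Empty non-terminal: '_tcp.example.' owns nothing, but
    # '_sip._tcp.example.' exists beneath it, so the name itself exists.
    if any(owner.endswith("." + qname) for owner in zone):
        return ("NOERROR", [])
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    for qname, qtype in [("www.example.", "A"), ("www.example.", "AAAA"),
                         ("_tcp.example.", "A"), ("nope.example.", "A")]:
        rcode, rdata = lookup(SAMPLE_ZONE, qname, qtype)
        print(f"{qname:>20} {qtype:<5} {rcode:<9} {rdata}")
```

The distinction matters operationally: a resolver that caches an NXDOMAIN for www.example. because an AAAA lookup came back empty will also refuse the A record it could have served, which is exactly the "no such host" symptom described above.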
1362 * Misconfigured domains, with a broken nameserver in the
1363 parent zone, should now work better. Changes motivated and
1364 suggested by Darren Gamble. This makes PowerDNS more
1365 compliant with RFC 2181 by making it prefer authoritative
1366 data over non-authoritative data. Implemented in commit
1368 * PowerDNS can now listen on multiple ports, using the
1369 local-address setting. Added in commit 845.
1370 * A number of speedups which should have a noticeable impact,
1371 implemented in commits 850, 852, 853, 855
1372 * The recursor now works around an issue with the Linux
1373 kernel 2.6.8, as shipped by Debian. Fixed by Christof
1374 Meerwald in commit 860, which is post 3.1.2-rc1.
1375 __________________________________________________________
1377 1.3.11. Recursor version 3.1.1
1381 3.1.1 is identical to 3.1 except for a bug in the packet
1382 chaining code which would mainly manifest itself for IPv6
1383 enabled Konqueror users with very fast connections to their
1384 PowerDNS installation. However, all 3.1 users are urged to
1385 upgrade to 3.1.1. Many thanks to Alessandro Bono for his quick
1386 aid in solving this problem.
1388 Released on the 23rd of May 2006. Many thanks are due to the
1389 operators of some of the largest internet access providers in
1390 the world, each having many millions of customers, who have
1391 tested the various 3.1 pre-releases for suitability. They have
1392 uncovered and helped fix bugs that could impact us all, but are
1393 only (quickly) noticeable with such vast amounts of DNS
1396 Now that version 3.0.1 has proved to hold up very well under
1397 tremendous loads, 3.1 adds important new features:
1399 * Ability to serve authoritative data from 'BIND' style zone
1400 files (using auth-zones statement).
1401 * Ability to forward domains so configured to external
1402 servers (using forward-zones).
1403 * Possibility of 'serving' the contents of /etc/hosts over
1404 DNS, which is very well suited to simple domestic
1405 router/DNS setups. Enabled using export-etc-hosts.
1406 * As recommended by recent standards documents, the PowerDNS
1407 recursor is now authoritative for RFC-1918 private IP space
1408 zones by default (suggested by Paul Vixie).
1409 * Full outgoing IPv6 support (off by default) with IPv6
1410 servers getting equal treatment with IPv4, nameserver
1411 addresses are chosen based on average response speed,
1412 irrespective of protocol.
1413 * Initial Windows support, including running as a service
1414 ('NET START "POWERDNS RECURSOR"'). rec_channel is still
1415 missing, the rest should work. Performance appears to be
1416 below that of the UNIX versions, this situation is expected
1421 * No longer send out SRV and MX record priorities as zero on
1422 big-endian platforms (UltraSPARC). Discovered by Eric
1423 Sproul, fixed in commit 773.
1424 * SRV records need additional processing, especially in an
1425 Active Directory setting. Reported by Kenneth Marshall,
1426 fixed in commit 774.
1427 * The root-records were not being refreshed, which could lead
1428 to problems under inconceivable conditions. Fixed in commit
1430 * Fix resolving domain names for nameservers with multiple IP
1431 addresses, with one of these addresses being lame. Other
1432 nameserver implementations were also unable to resolve
1433 these domains, so not a big bug. Fixed in commit 780.
1434 * For a period of 5 minutes after expiring a negative cache
1435 entry, the domain would not be re-cached negatively,
1436 leading to a lot of duplicate outgoing queries for this
1437 short period. This fix has raised the average cache hit
1438 rate of the recursor by a few percent. Fixed in commit 783.
1439 * Query throttling was not aggressive enough and not all
1440 sorts of queries were throttled. Implemented in commit 786.
1441 * Fix possible crash during startup when parsing empty
1442 configuration lines (commit 807).
1443 * Fix possible crash when the first query after wiping a
1444 cache entry was for the just deleted entry. Rare in
1445 production servers. Fixed in commit 820.
1446 * Recursor would send out differing TTLs when receiving a
1447 misconfigured, standards violating, RRSET with different
1448 TTLs. Implemented the fix as mandated by RFC 2181, paragraph 5.2.
1449 Reported by Stephen Harker (commit 819).
1450 * The top-remotes would list each remote multiple times, once per
1451 source port. Discovered by Jorn Ekkelenkamp, fixed in
1452 commit 827, which is post 3.1-pre1.
1453 * Default allow-from allowed queries from fe80::/16,
1454 corrected to fe80::/10. Spotted by Niels Bakker, fixed in
1455 commit 829, which is post 3.1-pre1.
1456 * While PowerDNS blocks failing queries quickly, multiple
1457 packets could briefly be in flight for the same domain and
1458 nameserver. This situation is now explicitly detected and
1459 queries are chained to identical queries already in flight.
1460 Fixed in commit 833 and commit 834, post 3.1-pre1.
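The RFC 2181 paragraph 5.2 fix above concerns RRsets whose members arrive with differing TTLs; the RFC says to treat every member as if it carried the lowest TTL in the set. The following added example is written for this page and is not the Recursor's own code. It applies that rule to a list of records and then applies an upper cap, using the two-week value this changelog mentions; the RR class, the function names and the sample records are constructed for illustration.

```python
from dataclasses import dataclass, replace

TWO_WEEKS = 14 * 24 * 3600   # 1209600 s, the cap mentioned in this changelog


@dataclass(frozen=True)
class RR:
    name: str
    rrtype: str
    ttl: int
    rdata: str


def _key(rr: RR):
    # RRset identity: owner name and type (class assumed IN throughout).
    return (rr.name.lower(), rr.rrtype.upper())


def rrset_ttl_mismatches(rrs):
    """Return the set of (name, type) RRsets whose members disagree on TTL.

    Such a response is a misconfiguration on the authoritative side; a
    resolver may want to log it before applying the RFC 2181 repair.
    """
    seen = {}
    for rr in rrs:
        seen.setdefault(_key(rr), set()).add(rr.ttl)
    return {k for k, ttls in seen.items() if len(ttls) > 1}


def harmonize_rrset_ttls(rrs, cap=TWO_WEEKS):
    """RFC 2181 section 5.2: every RR in an RRset gets the set's lowest TTL.

    The result is then capped so a record is never cached for longer than
    `cap` seconds, whatever the authoritative server asked for.
    """
    lowest = {}
    for rr in rrs:
        k = _key(rr)
        lowest[k] = min(lowest.get(k, rr.ttl), rr.ttl)
    return [replace(rr, ttl=min(lowest[_key(rr)], cap)) for rr in rrs]


if __name__ == "__main__":
    # Constructed answer section: a misconfigured A RRset and an oversized TXT TTL.
    answer = [
        RR("www.example.", "A", 300, "192.0.2.1"),
        RR("www.example.", "A", 60, "192.0.2.2"),
        RR("www.example.", "TXT", 3000000, "v=spf1 -all"),
    ]
    print("mismatched RRsets:", rrset_ttl_mismatches(answer))
    for rr in harmonize_rrset_ttls(answer):
        print(f"{rr.name} {rr.ttl:>8} {rr.rrtype:<4} {rr.rdata}")
```

Harmonising before insertion into the cache keeps all members of an RRset expiring together, which is what prevents the recursor from handing out the same set with two different TTLs depending on which member a client happens to look at.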
1464 * ANY queries are now implemented as in other nameserver
1465 implementations, leading to a decrease in outgoing queries.
1466 The RFCs are not very clear on desired behaviour, what is
1467 implemented now saves bandwidth and CPU and brings us in
1468 line with existing practice. Previously ANY queries were
1469 not cached by the PowerDNS recursor. Implemented in commit
1471 * rec_control was very sparse in its error reporting, and
1472 user unfriendly as well. Reported by Erik Bos, fixed in
1473 commit 818 and commit 820.
1474 * IPv6 addresses were printed in a non-standard way, fixed in
1476 * TTLs of records are now capped at two weeks, commit 820.
1477 * allow-from IPv4 netmasks now automatically work for
1478 IPv4-mapped IPv6 addresses, which appear when
1479 running on the wildcard :: IPv6 address. Lack of feature
1480 noted by Marcus 'darix' Rueckert. Fixed in commit 826,
1481 which is post 3.1-pre1.
1482 * Errors before daemonizing are now also sent to syslog.
1483 Suggested by Marcus 'darix' Rueckert. Fixed in commit 825,
1484 which is post 3.1-pre1.
1485 * When launching without any form of configured network
1486 connectivity, all root-servers would be cached as 'down'
1487 for some time. Detect this special case and treat it as a
1488 resource-constraint, which is not accounted against
1489 specific nameservers. Spotted by Seth Arnold, fixed in
1490 commit 835, which is post 3.1-pre1.
1491 * The recursor now does not allow authoritative servers to
1492 keep supplying its own NS records into perpetuity, which
1493 causes problems when a domain is redelegated but the old
1494 authoritative servers are not updated to this effect. Noticed
1495 and explained at length by Darren Gamble of Shaw
1496 Communications, addressed by commit 837, which is post
1498 * Some operators may want to follow RFC 2181 paragraph 5.2
1499 and 5.4. This harms performance and does not solve any real
1500 problem, but does make PowerDNS more compliant. If you want
1501 this, enable auth-can-lower-ttl. Implemented in commit 838,
1502 which is post 3.1-pre2.
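Three entries in this release series concern allow-from matching: IPv6 prefixes mishandled in their least significant bits (3.1.4), the fe80::/16 default that should have been fe80::/10, and IPv4 netmasks that must also cover the IPv4-mapped IPv6 addresses seen when listening on the :: wildcard. The following added example is not the Recursor's netmask code; the class names and the sample access list are this example's own. It shows a prefix matcher that handles all three cases, with the mask computed explicitly so the low-bit handling is visible.

```python
import ipaddress


class Netmask:
    """One allow-from entry: an address with an optional /prefix length.

    The mask is built from the prefix length by hand rather than through
    ipaddress.ip_network so the treatment of the low-order bits is explicit.
    """

    def __init__(self, spec: str):
        if "/" in spec:
            addr_s, bits_s = spec.split("/", 1)
            bits = int(bits_s)
        else:
            addr_s, bits = spec, None          # bare address: single host
        addr = ipaddress.ip_address(addr_s)
        self.version = addr.version
        width = 32 if self.version == 4 else 128
        if bits is None:
            bits = width
        if not 0 <= bits <= width:
            raise ValueError(f"prefix length {bits} out of range in {spec!r}")
        self.bits = bits
        # Top `bits` bits set, the remaining (width - bits) bits clear.
        self.mask = ((1 << width) - 1) ^ ((1 << (width - bits)) - 1)
        self.network = int(addr) & self.mask

    def matches(self, addr) -> bool:
        if addr.version != self.version:
            return False
        return (int(addr) & self.mask) == self.network

    def matches_str(self, addr_s: str) -> bool:
        return self.matches(ipaddress.ip_address(addr_s))


class NetmaskGroup:
    """A whole allow-from list, e.g. the RFC 1918 ranges plus loopback."""

    def __init__(self, specs):
        self.masks = [Netmask(s) for s in specs]

    def allows(self, addr_s: str) -> bool:
        addr = ipaddress.ip_address(addr_s)
        candidates = [addr]
        # An IPv4 client reaching a socket bound to :: shows up as an
        # IPv4-mapped IPv6 address (::ffff:a.b.c.d); let the IPv4 rules apply.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            candidates.append(addr.ipv4_mapped)
        return any(m.matches(c) for m in self.masks for c in candidates)


# Constructed sample ACL in the spirit of the recursor's private-space default.
DEFAULT_ALLOW_FROM = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                      "192.168.0.0/16", "::1", "fe80::/10"]


if __name__ == "__main__":
    acl = NetmaskGroup(DEFAULT_ALLOW_FROM)
    for client in ["192.168.200.7", "192.169.0.1", "febf::1", "fec0::1",
                   "::ffff:10.1.2.3", "::ffff:203.0.113.9"]:
        print(f"{client:>20}  {'allow' if acl.allows(client) else 'deny'}")
```

Two things are worth checking in any such matcher: that a /127 really distinguishes neighbouring addresses (the low-bit bug), and that fe80::/10 admits febf::1 while fe80::/16 would wrongly refuse it, since the whole link-local range is fe80::/10.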
1503 __________________________________________________________
1505 1.3.12. Recursor version 3.0.1
1507 Released 25th of April 2006.
1509 This release consists of nothing but tiny fixes to 3.0,
1510 including one with security implications. An upgrade is highly
1513 * Compilation used both cc and gcc, leading to the
1514 possibility of compiling with different compiler versions
1516 * rec_control would leave files named lsockXXXXXX around in
1517 the configured socket-dir. Operators may wish to remove
1518 these files from their socket-dir (often /var/run), quite a
1519 few might have accumulated already (commit 767).
1520 * Certain malformed packets could crash the recursor. As far
1521 as we can determine these packets could only lead to a
1522 crash, but as always, there are no guarantees. A quick
1523 upgrade is highly recommended (commits 760, 761). Reported
1525 * Recursor would not distinguish between NXDOMAIN and NXRRSET
1526 (commit 756). Reported and debugged by Jorn Ekkelenkamp.
1527 * Some error messages and trace logging statements were
1528 improved (commits 756, 758, 759).
1529 * stderr was closed during daemonizing, but not dupped to
1530 /dev/null, leading to slight chance of odd behaviour on
1531 reporting errors (commit 757)
1533 Operating system specific fixes:
1535 * The stock Debian sarge Linux kernel, 2.6.8, claims to
1536 support epoll but fails at runtime. The epoll self-testing
1537 code has been improved, and PowerDNS will fall back to a
1538 select based multiplexer if needed (commit 758) Reported by
1540 * Solaris 8 compilation and runtime issues were addressed.
1541 See the README for details (commit 765). Reported by
1542 Juergen Georgi and Kenneth Marshall.
1543 * Solaris 10 x86_64 compilation issues were addressed (commit
1544 755). Reported and debugged by Eric Sproul.
1545 __________________________________________________________
1547 1.3.13. Recursor version 3.0
1549 Released 20th of April 2006.
1551 This is the first separate release of the PowerDNS Recursor.
1552 There are many reasons for this, one of the most important ones
1553 is that previously we could only do a release when both the
1554 recursor and the authoritative nameserver were fully tested and
1555 in good shape. The split allows us to release new versions when
1558 Now for the real news. This version of the PowerDNS recursor
1559 powers the network access of over two million internet
1560 connections. Two large access providers have been running
1561 pre-releases of 3.0 for the past few weeks and results are
1562 good. Furthermore, the various pre-releases have been tested
1563 nearly non-stop with DNS traffic replayed at 3000
1566 As expected, the 2 million households shook out some very rare
1567 bugs. But even a rare bug happens once in a while when there
1568 are this many users.
1570 We consider this version of the PowerDNS recursor to be the
1571 most advanced resolver publicly available. Given current levels
1572 of spam, phishing and other forms of internet crime we think no
1573 recursor should offer less than the best in spoofing
1574 protection. We urge all operators of resolvers without proper
1575 spoofing countermeasures to consider PowerDNS, as it is a
1576 Better Internet Nameserver Daemon.
1578 A good article on DNS spoofing can be found here. Some more
1579 information, based on a previous version of PowerDNS, can be
1580 found on the PowerDNS development blog.
1584 Because of recent DNS based denial of service attacks, running
1585 an open recursor has become a security risk. Therefore, unless
1586 configured otherwise this version of PowerDNS will only listen
1587 on localhost, which means it does not resolve for hosts on your
1588 network. To fix, configure the local-address setting with all
1589 addresses you want to listen on. Additionally, by default
1590 service is restricted to RFC 1918 private IP addresses. Use
1591 allow-from to selectively open up the recursor for your own
1592 network. See Section 12.1 for details.
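As an added example that is not PowerDNS's own code, the checker below evaluates an allow-from style ACL the way the paragraph above describes (a client may only recurse if its address falls inside a listed network) and flags a setting that would turn the recursor into an open resolver. The default list it carries (RFC 1918 ranges plus loopback), the function names and the sample addresses are assumptions constructed for this example; the real recursor's ACL code and default list may differ.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// One entry of an allow-from style ACL: network address and mask, both in
// host byte order.
struct Netmask {
    uint32_t network;
    uint32_t mask;
};

// Parse a dotted-quad IPv4 address. Throws on garbage, which is what a
// config checker should do rather than silently skipping an entry.
uint32_t parseIPv4(const std::string& s) {
    std::istringstream in(s);
    unsigned a, b, c, d;
    char d1, d2, d3, extra;
    if (!(in >> a >> d1 >> b >> d2 >> c >> d3 >> d) ||
        d1 != '.' || d2 != '.' || d3 != '.' ||
        a > 255 || b > 255 || c > 255 || d > 255 ||
        (in >> extra))                     // trailing junk
        throw std::invalid_argument("bad IPv4 address: " + s);
    return (a << 24) | (b << 16) | (c << 8) | d;
}

// Parse "a.b.c.d/len"; a bare address means /32.
Netmask parseNetmask(const std::string& s) {
    std::string::size_type slash = s.find('/');
    unsigned bits = 32;
    if (slash != std::string::npos) {
        bits = static_cast<unsigned>(std::stoul(s.substr(slash + 1)));
        if (bits > 32)
            throw std::invalid_argument("bad prefix length: " + s);
    }
    // Shifting a 32-bit value by 32 is undefined, so /0 is special-cased.
    uint32_t mask = (bits == 0) ? 0u : (0xFFFFFFFFu << (32 - bits));
    return Netmask{parseIPv4(s.substr(0, slash)) & mask, mask};
}

// Split the comma-separated allow-from value into netmasks.
std::vector<Netmask> parseAllowFrom(const std::string& value) {
    std::vector<Netmask> acl;
    std::istringstream in(value);
    std::string item;
    while (std::getline(in, item, ',')) {
        std::string::size_type b = item.find_first_not_of(" \t");
        std::string::size_type e = item.find_last_not_of(" \t");
        if (b == std::string::npos)
            continue;                      // empty entry, e.g. trailing comma
        acl.push_back(parseNetmask(item.substr(b, e - b + 1)));
    }
    return acl;
}

// True if 'client' falls inside any ACL entry, i.e. may use the recursor.
bool allowedFrom(const std::vector<Netmask>& acl, const std::string& client) {
    uint32_t ip = parseIPv4(client);
    for (const Netmask& n : acl)
        if ((ip & n.mask) == n.network)
            return true;
    return false;
}

// True if any entry has a zero-length prefix: the ACL admits the whole
// Internet, which is the open-recursor configuration the notes warn about.
bool isOpenRecursor(const std::vector<Netmask>& acl) {
    for (const Netmask& n : acl)
        if (n.mask == 0)
            return true;
    return false;
}

// Constructed samples: the restrictive default the release notes describe
// (RFC 1918 plus loopback; the exact default list is an assumption here)
// next to a world-open setting.
const std::string kDefaultAllowFrom =
    "127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16";
const std::string kOpenAllowFrom = "0.0.0.0/0";

int main() {
    std::vector<Netmask> acl = parseAllowFrom(kDefaultAllowFrom);
    std::printf("192.168.1.10 allowed: %d\n", allowedFrom(acl, "192.168.1.10"));
    std::printf("8.8.8.8 allowed: %d\n", allowedFrom(acl, "8.8.8.8"));
    std::printf("open recursor with %s: %d\n", kOpenAllowFrom.c_str(),
                isOpenRecursor(parseAllowFrom(kOpenAllowFrom)));
    return 0;
}
```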
Important new features of the PowerDNS recursor 3.0:

* Best spoofing protection and detection we know of. Not only
is spoofing made harder by using a new network address for
each query, PowerDNS detects when an attempt is made to
spoof it, and temporarily ignores the data. For details,
* First nameserver to benefit from epoll/kqueue/Solaris
completion ports event reporting framework, for stellar
* Best statistics of any recursing nameserver we know of, see
* Least-recently-used based cache cleanup algorithm, keeping
the 'best' records in memory
* First class Solaris support, built on a 'try and buy' Sun
* Full IPv6 support, implemented natively.
* Access filtering, both for IPv4 and IPv6.
* Experimental SMP support for nearly double performance. See

Many people helped package and test this release. Jorn
Ekkelenkamp of ISP-Services helped find the '8000 SOAs' bug and
spotted many other oddities, and XS4ALL internet funded a lot of
the recent development. Joaquín M López Muñoz, author of
boost::multi_index_container, was again of great help.
__________________________________________________________
1.3.14. Version 2.9.20

Released the 15th of March 2006

Besides adding OpenDBX, this release is mostly about fixing
problems and speeding up the recursor. This release has been
made possible by XS4ALL and True. Thanks!

Furthermore, we are very grateful for the help of Andrew
Pinski, who hacks on gcc, and of Joaquín M López Muñoz, the
author of boost::multi_index_container. Without their
near-realtime help this release would've been delayed a lot.

Bugs fixed in the recursor:

* Possible stability issues in the recursor on encountering
errors (commit 532, commit 533)
* Memory leaks in recursor fixed (commit 534, commit 572). In
a test 800 million real life DNS packets have been sent to
the recursor, representing several days of traffic from a
major ISP; memory use was high (500MB), but stable.
* Prune all data in PowerDNS - previously per-nameserver and
per-query performance statistics were kept around forever
* IPv6 additional processing was broken. Reported by Lionel
Elie Mamane, who also provided a fix. The problem was fixed
differently in the end. commit 562.
* pdns_recursor did not shuffle answers since 2.9.19, leading
to problems sending mail to the Hotmail servers. Reported
in ticket 54, fixed in commit 567.
* If a single nameserver had multiple IP addresses listed,
PowerDNS would only use one of them. Noted by Mark Martin,
who depends on a domain with 4 nameserver IP addresses of
which 2 are broken; fixed in commit 570.

Improvements to the recursor:

* Commits 535, 540, 541, 542, 543, 544, 545, 547, 548 and 574
all speed up the recursor by a large factor, without
altering the DNS algorithm.
* Move recursor to the incredible
boost::multi_index_container (commit 580). This brings a
huge improvement in cache pruning times.
* commit 549 and commit 550 work around gcc bug 24704 if
requested, which speeds up the recursor a lot, but involves
a dirty hack. Enable with ./configure
--enable-gcc-skip-locking. No guarantees!

Bugs fixed in the authoritative nameserver:

* PowerDNS would no longer allow a '/' in domain names, fixed
by commit 537, reported in ticket 48.
* Parameters to pdns_control notify-host were not checked,
leading to possible crashes. Reported in ticket 24, fixed
* On some compilers, processing of NAPTR records could cause
the server to crash. Reported by Bernd Froemel in ticket
29, fixed in commit 538.
* Backend errors could make the whole nameserver exit under
some circumstances, notably using the LDAP backend. Fixed
in commit 583, reported in ticket 62.
* Referrals were subtly broken by recent CNAME/Wildcard
improvements, fixed in commit 539. Fix and other
improvements sponsored by True.
* PowerDNS would try to insert records it has no knowledge
about in slave zones, which did not work. Reported in
ticket 60, fixed in commit 566. A superior fix would be to
implement the relevant unknown record standard.

Improvements to the authoritative nameserver:

* Pipebackend did not properly propagate the ABI version to
its children, fixed in commit 546, reported by
kickdaddy@gmail.com in ticket 45.
* OpenDBX backend added (commit 559, commit 560, commit 561)
by Norbert Sendetzky. From the website: "The OpenDBX
backend enables it to fetch DNS information from every DBMS
supported by the OpenDBX library and combines the power of
one of the best DNS server implementations with the
flexibility of the OpenDBX library." OpenDBX adds some
other features like database failover. Thanks Norbert!
* LDAP fixes as reported in ticket 37, fixed in commit 558,
which made pdns_control notify work.
* Arjo Hooimeijer added support for soa-refresh-default,
soa-retry-default, soa-expire-default, which were
previously hardcoded. commit 563 and fallout in commit 573
(thanks to Wolfram Schlich).

* Fixes for g++ 4.1. Compiling with 4.1 realizes notable
speedups. commit 568, commit 569.
* PowerDNS now reports if it is running in 32 or 64 bit mode,
useful for bi-arch users that need to know if they are
benefiting from their great processor. commit 571.
* dnsscope compiles again, commit 551, commit 564 (FreeBSD
* dnsreplay_mindex compiles again, fixed by commit 572. Its
performance, and the performance of the recursor, was
improved by commit 559.
* Build scripts were added, mostly for internal use but we
know some PowerDNS users build their own packages too.
commit 553, commit 554, commit 555, commit 556, commit 557.
* bootstrap script was not included in release. Thanks to
Stefan Arentz for noticing. Fixed in commit 574.
__________________________________________________________
1.3.15. Version 2.9.19

Released 29th of October 2005.

As with other recent releases, the usage of PowerDNS appears to
have skyrocketed. Informal, though strict, measurements show
that PowerDNS now powers around 50% of all German domains, and
somewhere in the order of 10-15% of the rest of the world.
Furthermore, DNS is set to take a central role in connecting
Voice over IP providers, with PowerDNS offering a very good
feature set for these ENUM deployments. PowerDNS is already
powering the E164.info ENUM zone and also acts as the backend
for a major VoIP provisioning platform.

Included in this release is the now complete packet
parsing/generating, record parsing/generating infrastructure.
Furthermore, this framework is used by the recursor, hopefully
making it very fast, memory efficient and robust. Many records
are now processed using a single line of code. This has made
the recursor a lot stricter in packet parsing; you will see
some error messages which did not appear before. Rest assured
however that these only happen for queries which have no valid

Furthermore, support for DNSSEC records is available in the new
infrastructure, although it should be emphasised that there is
more to DNSSEC than parsing records. There is no real support

Additionally, the BIND Backend has been replaced by what was up
to now known as the 'Bind2Backend'. Initial benchmarking
appears to show that this backend is faster, uses less memory
and has shorter startup times. The code is also shorter.

This release fixes a number of embarrassing bugs and is a
recommended upgrade.

Thanks are due to XS4ALL who are supporting continuing
development of PowerDNS, the fruits of which can be found in
this release already. Furthermore, a remarkable number of
people have helped report bugs, validate solutions or have
submitted entire patches. Many thanks!

* dnsreplay now has a help message and has received further
massive updates, making the code substantially faster. It
turns out that dnsreplay is often 'heavier' than the
PowerDNS process being benchmarked.
* PowerDNS recursor no longer prints out its queries by
default as most recursor deployments have too much traffic
for this to be useful.
* PowerDNS recursor is now able to read its root-hints from
disk, which is useful to operate with alternate roots, like
the Open Root Server Network. See Chapter 12.
* PowerDNS can now send out old-fashioned root-referrals when
queried for domains for which it is not authoritative.
This wastes some bandwidth but may solve incoming query floods
if domains are delegated to you for which you are not
authoritative, but which are queried by broken recursors.
* PowerDNS now prints out a warning when running with the legacy
LinuxThreads implementation instead of the high performance
NPTL library, see Section 9.2. commit 455.
* A lot of superfluous calls to gettimeofday() have been
removed, making PowerDNS and especially the recursor
faster. Suggested by Kai.
* SPF records are now supported natively. commit 472, closing
* Improved IPv6 'bound to' messages. Thanks to Niels Bakker,
Wichert Akkerman and Gerty de Wolf for suggestions.
* Separate graphs can now be made of IPv6 queries and
answers. commit 485.
* Out of zone additional processing is now on by default to
better comply with standards. commit 487.
* Regression tests have been expanded to deal with more
record types (SRV, NAPTR, TXT, duplicate SRV).
* Improved query-logging in Bindbackend, which can be used
for debugging purposes.
* Dropped libpcap dependency, making compilation easier
* pdns_control now has a help message.
* Add RRSIG, DNSKEY, DS and NSEC records for DNSSEC-bis to
new parser infrastructure.
* Recursor now honours EDNS0 allowing it to send out larger

* Domain name validation has been made a lot stricter - it
turns out PostgreSQL was interpreting some (corrupt) domain
names as unicode. Tested and suggested by Register.com
* LDAP backend did not compile (commits 452, 453) due to
partially applied patch (Norbert Sendetzky)
* Incoming zone transfers work reliably again. Fixed in
commit 460 and beyond. And commit 523 - closing Debian bug
* Recent g++ versions exposed a mistake in the PowerDNS
recursor cache pruning code, causing random crashes. Fixed
in commit 465. Reported by several Red Hat users.
* PowerDNS recursor, and MTasker in general, did not work on
Solaris. Patch by Juergen Ilse, commit 471. Also moved most
of PowerDNS over to uint32_t style typedefs, which eases
compilation problems on Solaris, commit 477.
* Bindbackend2 did not properly search its include path for
$INCLUDE statements. Noted by Mark Bergsma, commit 474.
* Bindbackend did not notice changed zones; this problem has
been fixed by the move to Bind2.
* Pipebackend did not clean up, leading to an additional pipe
backend per AXFR or pdns_control reload. Discovered by Marc
Jauvin, fixed by commit 525.
* Bindbackend (both old and current versions) did not honour
'include' statements in named.conf on pdns_control
rediscover. Noted by Marc Jauvin, fixed by commit 526.
* Zone transfers were sometimes shuffled, which wastes
time, commit 478.
* CNAMEs and Wildcards now work as in Bind, fixing many
complaints, commit 487.
* NAPTR records were compressed, which would work, but was in
violation of the RFC, commit 493.
* NAPTR records were not always parsed correctly from BIND
zonefiles, fixed, commit 494.
* Geobackend needed an additional include statement to compile
on more recent Linux distributions, commit 496.
__________________________________________________________
1.3.16. Version 2.9.18

Released on the 16th of July 2005.

The '8 million domains' release, which also marks the battle
readiness of the PowerDNS Recursor. The latest improvements
have been made possible by financial support and contributions
by Register.com and XS4ALL. Thanks!

This release brings a number of new features (vastly improved
recursor, Generic Oracle Support, DNS analysis and replay
tools, and more) but also has a new build dependency, the Boost
library (version 1.31 or higher).

Currently several big ISPs are evaluating the PowerDNS recursor
for their resolving needs; some of them have switched already.
In the course of testing, over 350 million actual queries have
been recorded and replayed, and the answers turn out to be

This testing has verified that the pdns recursor, as shipped in
this release, can stand up to heavy duty ISP loads (over 20000
queries/second) and in fact does so better than other major
nameservers, giving more complete answers and being faster to

We invite ISPs who note recursor problems to record their
problematic traffic and replay it using the tools described in
Chapter 20 to discover if PowerDNS does a better job, and to
let us know the results.

Additionally, the bind2backend is almost ready to replace the
stock bind backend. If you run with Bind zones, you are
cordially invited to substitute 'launch=bind2' for
'launch=bind'. This will happen automatically in 2.9.19!

In other news, the entire Wikipedia constellation now runs on
PowerDNS using the Geo Backend! Thanks to Mark Bergsma for

There are two bugs with security implications, which only apply
to installations running with the LDAP backend, or
installations providing recursion to a limited range of IP
addresses. If any of these apply to you, an upgrade is highly

* The LDAP backend did not properly escape all queries,
allowing it to fail and not answer questions. We have not
investigated further risks involved, but we advise LDAP
users to update as quickly as possible (Norbert Sendetzky,
* Questions from clients denied recursion could blank out
answers to clients who are allowed recursion services,
temporarily. Reported by Wilco Baan. This would've made it
possible for outsiders to blank out a domain temporarily to
your users. Luckily PowerDNS would send out SERVFAIL or
Refused, and not a denial of a domain's existence.

* TCP authoritative server would not relaunch a backend after
failure (reported by Norbert Sendetzky)
* Fix backend restarting logic (reported, and fix suggested
by Norbert Sendetzky)
* Launching identical backends multiple times, with different
settings, did not work. Reported by Mario Manno.
* Master/slave queries did not honour the query-local-address
setting. Spotted by David Levy of Register.com. The fix
also randomises the local port used, slightly improving

* Fix compile on Solaris, they define 'PC' for some reason.
Reported by Eric Yiu.
* PowerDNS recursor would not compile on FreeBSD due to Linux
specific defines, as reported in cvstrac ticket 26 (Ralf
* Several 64-bit issues have been fixed, especially in the
* SSQLite would fail to compile on recent Debian systems
* Generic MySQL would not compile on 64-bit platforms.

* PowerDNS now reports stray command line arguments, like
when running '--local-port 5300' instead of
'--local-port=5300'. Reported by Christian Welzel.
* We now warn against erroneous logging-facility
specification, i.e. specifying an unknown facility.
* --version now outputs the gcc version used, so we can tell
people 2.95 is no longer supported.
* Extended regression tests, moved them to the new 'sdig'
* Bind2backend is now blazingly fast, and highly memory
efficient to boot. As a special bonus it can read gzipped
zones directly. The '.NET' zone is hosted using 401MB of
memory, the same size as the zone on disk.
* The Pipe Backend has been improved such that it can send
out different answers based on the IP address the question
was received ON. See Section A.1.1 for how this changed the
Pipe Backend protocol. Note that you need to set
pipebackend-abi-version to benefit from this change;
existing clients are not affected. Change and documentation
contributed by Marc Jauvin of Register4Less.
* LDAP backend has been updated (Norbert Sendetzky).

Recursor improvements and fixes. See Chapter 11 for details.
The changes below mean that all of the caveats listed for the
recursor have now been addressed.

* After half an hour of uptime, the entire cache would be
pruned for each packet, which is a tad slow. It now appears
the pdns recursor is among the fastest around.
* Under high loads, or when unlucky, some query mthreads
would get 'stuck', and show up in the statistics as
eternally running queries.
* Lots of redundant gettimeofday() and time() calls were
removed, which has resulted in a measurable speedup.
* pdns_recursor can now listen on several addresses
* Now supports setuid and setgid operation to allow running
as a less privileged user (Bram Vandoren)
* Return code of pdns_recursor binary did not make sense
(Matthijs Mohlmann and Thomas Hood)
* Timeouts and errors are now split out in statistics.
* Many people reported broken statistics; it turned out that
no statistics were being reported if there had been no
questions to base them on. We now log a message to that
* Add query-local-address support, which allows the recursor
to send questions from a specific IP address. Useful for
* Add outgoing TCP query support and proper truncated answer
support. Needed for Worldnic Denial of Service protection,
which sends out truncated packets to force clients to
connect over TCP, which prevents spoofing.
* Properly truncate our own answers.
* Improve our TCP answers by using writev, which is slightly
friendlier to the network.
* On FreeBSD, TCP errors could cause the recursor to exit
suddenly due to a SIGPIPE signal.
* Maximum number of simultaneous client TCP connections can
now be limited with the max-tcp-clients setting.
* Add aggressive timeouts for TCP clients to make sure
resources are not wasted. Defaults to two seconds, can be
configured with the client-tcp-timeout setting.

* SQLite backend would not slave properly (Darron Broad)
* Generic MySQL would not compile on 64-bit platforms.

* Added the new DNS parser logic, called MOADNSParser.
Completely modular, every memory access checked.
* 'sdig', a simple dig workalike with 'canonical' output,
which is used for the regression tests. Based on the new
* dnswasher, dnsreplay and dnsscope, all DNS analysis tools.
See Chapter 20 for more details.
* Generic Oracle Backend, sponsored by Register.COM. See
__________________________________________________________
1.3.17. Version 2.9.17

See the new timeline for progress reports.

The 'million domains' release - PowerDNS has now firmly
established itself as a major player with the unofficial count
(i.e., guesswork) now at over two million PowerDNS domains! Also,
the GeoBackend has been tested by a big website and may soon
see wider deployment. Thanks to Mark Bergsma for spreading the

It is also a release with lots of changes and fixes. Take care

* PowerDNS could be temporarily DoSed using a random stream
of bytes. The reported cause of this has been fixed.

* Reported version can be changed, or removed - see the
"version-string" setting.
* Duplicate MX records are now no longer considered duplicate
if their priorities differ. Some people need this feature

* NAPTR records can now be slaved, patch by Lorens Kockum.
* GMySQL now works on Solaris
* PowerDNS could be confused by questions with a %-sign in
them - fixing cvstrac ticket #16 (reported by dilinger at
* An authentication bug in the webserver was possibly fixed,
please report if you were suffering from this. Being unable
to authenticate to the webserver was what you would've
* Fix for cvstrac ticket #2, PowerDNS could lose sync when
sending out a very large number of notifications. Excellent
bug report by Martin Hoffman, who also improved our
* Fix the oldest PowerDNS bug in existence - under some
circumstances, PowerDNS would log to syslog one character
at a time. This was cvstrac ticket #4
* HINFO records can now be slaved, fixing cvstrac ticket #8.
* pdns_recursor could block under some circumstances,
especially in case of corrupt UDP packets. Reported by
Wichert Akkerman. Fix by Christopher Meer. This was cvstrac
* Large SOA serial numbers would sometimes be logged as a
signed integer, leading to negative numbers in the log.
* PowerDNS now fully supports 32 bit SOA serial numbers
(thanks to Mark Bergsma), closing cvstrac ticket #5.
* pdns_recursor --local-address help text was wrong.
* Very devious bug - PowerDNS did not clear its cache before
sending out update notifications, leading slaves to
conclude there was no update to AXFR. Excellent debugging
by mkuchar at wproduction.cz.
* Probably fixed cvstrac ticket #26, which caused
pdns_recursor to fail on recent FreeBSD 5.3 systems. Please
check, I have no such system to test on.
* Geobackend did not get built for Debian.
__________________________________________________________
1.3.18. Version 2.9.16

The 'it must still be Friday somewhere' release. Massive number
of fixes, portability improvements and the new Geobackend by
Mark Bergsma & friends.

* The Geobackend which makes it possible to send different
answers to different IP ranges. Initial documentation can
be found in pdns/modules/geobackend/README.
* qgen query generation tool. Nearly completely undocumented
and hard to build too, it requires Boost. But very spiffy.
Use cd pdns; make qgen to build it.

* The most reported bug ever was fixed. Zone2sql required the
inclusion of unistd.h, except on Debian unstable.
* PowerDNS tried to listen on its control "pipe" which does
not work. Probably harmless, but might have caused some
* The Packet Cache did not always set its TTL immediately,
causing some packets to be inserted, even when running with
the cache disabled (Mark Bergsma).
* Valgrind found some uninitialized reads, causing bogus values
in the priority field when it was not needed
* Valgrind found a bug in MTasker where we used delete
instead of delete[].
* SOA serials and other parameters are unsigned. This means
that very large SOA serial numbers would be messed up
(Michel Stol, Stefano Straus)
* PowerDNS left its controlsocket around after exit and
reported confusing errors if a socket was already in use.
* The recursor proxy did not work on big endian systems like
SPARC and some MIPS processors (Remco Post)
* We no longer dump core on processing LOC records on
UltraSPARC (Andrew Mulholland supplied a testing machine)

* MySQL can now connect to a specified port again (Chris
* When running chroot()ed and with master or slave support
active, PowerDNS needs to resolve domain names to find
slaves. This in turn may require access to certain
libraries. Previously, these needed to be available in the
chroot directory but by forcing an initial lookup, these
libraries are now loaded before the chrooting.
* pdns_recursor was very slow after having done a larger
number of queries because of the checks to see if a query
should be throttled. This is now done using a set which is
a lot faster than the previous full sequential scan.
* The throttling code may not have throttled as much as was
* Yet another big LDAP update. The LDAP backend now
loadbalances connections over several hosts (Norbert
* Updated b.root-servers.net address in the recursor
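The signed-serial log bug in the 2.9.17 list and the unsigned SOA serial fix in the 2.9.16 list just above, as an added example that is not PowerDNS code: the buggy and fixed renderings side by side, plus RFC 1982 serial comparison of the kind a slave needs so that a serial above 2^31, or one that has wrapped, still orders correctly against its own copy. All function names and serial values here are constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// The buggy rendering: the 32-bit serial passes through a signed int before
// it is formatted, so anything at or above 2^31 prints as a negative number
// (two's-complement wrap in practice).
std::string logSerialSigned(uint32_t serial) {
    int32_t s = static_cast<int32_t>(serial);
    return std::to_string(s);
}

// The fixed rendering: keep the serial unsigned all the way to the formatter.
std::string logSerialUnsigned(uint32_t serial) {
    return std::to_string(serial);
}

// RFC 1982 serial number arithmetic: true if 'a' is a later serial than 'b'.
// A plain '<' would call a serial that wrapped past 2^32 (say 5) older than
// 4294967295, so a slave would never transfer again after the wrap. Equal
// serials and pairs exactly 2^31 apart are undefined in RFC 1982; both
// yield false here.
bool serialNewer(uint32_t a, uint32_t b) {
    const uint32_t half = 0x80000000u;   // 2^31
    return (a > b && (a - b) < half) || (a < b && (b - a) > half);
}

// The question a slave asks after a NOTIFY: is the master ahead of my copy?
// This only helps if the serial the master reports is fresh, which is what
// the "did not clear its cache before sending out update notifications"
// fix in 2.9.17 is about.
bool slaveNeedsTransfer(uint32_t localSerial, uint32_t masterSerial) {
    return serialNewer(masterSerial, localSerial);
}

int main() {
    uint32_t big = 3000000000u;   // constructed serial above 2^31
    std::printf("signed:   %s\n", logSerialSigned(big).c_str());    // -1294967296
    std::printf("unsigned: %s\n", logSerialUnsigned(big).c_str());  // 3000000000
    std::printf("5 newer than 4294967295: %d\n", serialNewer(5u, 4294967295u));
    return 0;
}
```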
__________________________________________________________

1.3.19. Version 2.9.15

This release fixes up some of the shortcomings in 2.9.14, and
adds some new features too.

* allow-recursion-override was on by default, it was meant to
* Logging was still off in daemon mode, fixed.
* debian/rules forgot to build an sqlite package
* Recursor accidentally linked in MySQL - this was the result
of an experiment with a persistent recursor cache.
* The PowerDNS recursor had stability problems. It now sorts
nameservers (roughly) by responsiveness. The 'roughly' part
upset the sorting algorithm used, as the speeds being sorted
on changed during sorting.
* The recursor now outputs the nameserver average response
* LDAP compiles again.

* zone2sql can now accept - as a filename which causes it to
read stdin. This allows the following to work: dig axfr
ds9a.nl | zone2sql --gmysql --zone=- | mysql pdns, which is
a nice way to import a zone.
* zone2sql now ignores duplicate SOA records which are
identical - which also makes the above possible.
* Remove libpqpp dependencies - since we now use the native C
__________________________________________________________
1.3.20. Version 2.9.14

Big release with the fix for the all important 2^30 seconds
problem and a lot of other news.

* errno problems would cause compilation problems when using
LDAP (Norbert Sendetzky)
* The Generic SQL backend could cause crashes on PostgreSQL
when using pdns_control notify (Georg Bauer)
* Debian compatible init.d script (Wichert Akkerman)
* If using the master or slave features, pdns had the notion
of eternity ending in 2038, except that due to a thinko,
eternity turned out to end on the 10th of January 2004. This
caused a loop to timeout immediately. Many thanks to Jasper
Spaans for spotting the bug within five minutes.
* Parts of the SOA field were not canonicalized
* The loglevel could in fact cause nothing to be logged

* The recursor now chooses the fastest nameserver, which
causes a big speedup!
* LDAP now has different lookup models
* Cleanups, better load distribution, better exception
handling, zone2ldap improvements
* The recursor was somewhat chatty about TCP connections
* PostgreSQL now only depends on the C API and not on the
* PowerDNS can now fully overrule external zones when doing
recursion. See Chapter 11.
__________________________________________________________
1.3.21. Version 2.9.13

Big news! Windows is back! Our great friend Michel Stol found
the time to update the PowerDNS code so it works again under

Furthermore, big thanks go out to Dell who quickly repaired my

* Generic SQLite support added
* Removed the ODBC backend, replaced it by the Generic ODBC
Backend, which has all the cool configurability of the
Generic MySQL and PostgreSQL backends.
* The PowerDNS Recursor now runs as a Service. It defaults to
running on port 5300, and PowerDNS itself is configured to
expect the Recursor on port 5300 now.
* The PowerDNS Service is now known as 'PowerDNS' to Windows.
* The Installer was redone, this time with NSIS2.
* General updates and fixes.

There appears to be a problem with PowerDNS on Red Hat 7.3 with
GCC 2.96 and self-compiled binaries. The symptoms are that
PowerDNS works in the foreground but fails as a daemon. We're

If you do note problems, let the list know; if you don't,
please do so as well. Tell us if you use the RPM or compiled

It is known that not compiling in MySQL support helps solve the
problem, but then you don't have MySQL.

There have been a number of reports on MySQL connections being
dropped on FreeBSD 4.x, which sometimes causes PowerDNS to give
up and reload itself. To combat this, MySQL error messages have
been improved in some places in hopes of figuring out what is
up. The initial indication is that MySQL itself sometimes
terminates the connection and, amazingly, that switching to a
Unix domain socket instead of TCP solves the problem.

* allow-axfr-ips did not work for individual IP addresses
(bug & fix by Norbert Sendetzky)

* Opteron support! Thanks to Jeff Davey for providing a shell
on an Opteron. The fixes should also help PowerDNS on other
platforms with a 64 bit userspace.
Btw, the PowerDNS team has a strong desire for an Opteron
* pdns_recursor jumbles answers now. This means that you can
do poor man's roundrobin by supplying multiple A, MX or
AAAA records for a service, and get a random one on top
each time. Interestingly, this feature appeared out of
nowhere; this change was made to the authoritative code but
due to the wonders of code-reuse had an effect on
* Big LDAP cleanup. Support for TLS was added. Zone2LDAP also
gained the ability to generate ldif files containing a tree
or a list of entries. (Norbert Sendetzky)
* Zone2sql is now somewhat clearer when reporting malformed
line errors - it did not always include the name of the
file causing a problem, especially for big installations.
Problem noted by Thom May.
* pdns_recursor now survives the expiration of all its root
records, most often caused by prolonged disconnection from
__________________________________________________________
2291 1.3.22. Version 2.9.12
2293 Release rich in features. Work on Verisign oddities, addition
2294 of SQLite backend, pdns_recursor maturity.
2298 * --version command (requested by Mike Benoit)
2299 * delegation-only, a Verisign special.
2300 * Generic SQLite support, by Michel 'Who da man?' Stol. See
2302 * init.d script for pdns_recursor
2303 * Recursor now actually purges its cache, saving memory.
2304 * Slave configuration now no longer falls over when presented
2306 * Bindbackend2 now has supermaster support (Mark Bergsma,
2308 * Answers are now shuffled! It turns out a few recursors
2309 don't do shuffling (pdns_recursor, djbdns), so we do it
2310 now. Requested by Jorn Ekkelenkamp of ISP-Services. This
2311 means that if you have multiple IP addresses for one host,
2312 they will be returned in differing order every once in a
2317 * 0.0.0.0/0 didn't use to work (Norbert Sendetzky)
2318 * pdns_recursor would try to resolve the IP address to bind
2319 to, potentially causing a chicken-and-egg problem
2320 * gpgsql no longer reports as gmysql (Sherwin Daganoto)
2321 * SRV would not be parsed right from disk (Christof Meerwald)
2322 * An AXFR from a zone hosted on the LDAP backend no longer
2323 transmits all the reverse entries too (Norbert Sendetzky)
2324 * PostgreSQL backend now does error checking. It would be a
2325 bit too trusting before.
2327 Improvements, cleanups:
2329 * PowerDNS now reports the numerical IP addresses it binds to
2330 instead of the possibly alphanumeric names the operator
2332 * Removed only-soa hackery (noticed by Norbert Sendetzky)
2333 * Debian packaging fixes (Wichert Akkerman)
2334 * Some parameter descriptions were improved.
2335 * Cleanups by Norbert: getAuth moved to chopOff,
2336 arguments::contains massive cleanup, more.
2337 __________________________________________________________
2339 1.3.23. Version 2.9.11
2341 Yet another iteration, hopefully this will be the last silly
2346 There has been a change in behaviour whereby disable-axfr does
2347 what it means now! From now on, setting allow-axfr-ips
2348 automatically disables AXFR from unmentioned subnets.
2350 This release enables AXFR again; disable-axfr did the opposite
2351 of what it claimed. Furthermore, the pdns_recursor now cleans
2352 its cache, which should save some memory in the long run.
2353 Norbert contributed some small LDAP work which should come in
2354 useful in the future.
2355 __________________________________________________________
2357 1.3.24. Version 2.9.10
2359 Small bugfixes, LDAP update. Released 3rd of July 2003.
2360 Apologies for the long delay, real life keeps interfering.
2364 Do not use or try to use 2.9.9; it was a botched release!
2368 There has been a change in behaviour whereby disable-axfr does
2369 what it means now! From now on, setting allow-axfr-ips
2370 automatically disables AXFR from unmentioned subnets.
2372 * 2.9.8 was prone to crash on adding additional records.
2373 Thanks to excellent debugging by PowerDNS users worldwide,
2374 the bug was found quickly and is in fact present in all
2375 earlier PowerDNS releases, but for some reason doesn't
2376 cause crashes there.
2377 * Notifications now jump in front of the queue of domains
2378 that need to be checked for changes, giving much greater
2379 perceived performance. This is needed if you have tens of
2380 thousands of slave domains and your master server is on a
2381 high latency link. Thanks to Mark Jeftovic of EasyDNS for
2382 suggesting this change and testing it on their platform.
2383 * Dean Mills reported that PowerDNS logged confusingly about
2384 changing GIDs and UIDs; fixed. Cosmetic only.
2385 * pdns_recursor may have logged empty lines for some users,
2386 fixed. Solution suggested by Norbert Sendetzky.
2387 * LDAP: DNS TTLs were random values (Norbert Sendetzky,
2388 Stefan Pfetzing). New ldap-default-ttl option.
2389 * LDAP: Now works with OpenLDAP 2.1 (Norbert Sendetzky)
2390 * LDAP: error handling for invalid MX records implemented
2392 * LDAP: better exception handling (Norbert Sendetzky)
2393 * LDAP: code cleanup of lookup() (Norbert Sendetzky)
2394 * LDAP: added support for scoped searches (Norbert Sendetzky)
2395 __________________________________________________________
2397 1.3.25. Version 2.9.8
2399 Queen's day release! 30th of April 2003.
2401 Added support for AIX, fixed negative SOA caching. Some other
2402 cleanups. Not a major release but enough reasons to upgrade.
2406 * Recursor had problems expiring negatively cached entries,
2407 which wasted memory and also led to the continued
2408 non-existence of hosts that since had come into existence.
2409 * The Generic SQL backends did not lowercase the names of
2410 records, which led to new records not being found by case
2411 sensitive databases (notably PostgreSQL). Found by Volker
2413 * NS queries for zones for which we did not carry authority,
2414 but only had delegation information, had their NS records
2415 in the wrong section. A minor detail, but a standards
2416 violation nonetheless. Spotted by Stephane Bortzmeyer.
2420 * Removed crypt.h dependency from powerldap.hh, which was a
2421 problem on some platforms (Richard Arends)
2422 * PowerDNS can't parse so-called binary labels, which we now
2423 detect and ignore after printing a warning.
2424 * Specifying allow-axfr-ips now automatically disables AXFR
2425 for all non-mentioned addresses.
2426 * A Solaris ready init.d script is now part of the tar.gz
2427 (contributed, but I lost by whom).
2428 * Added some fixes so PowerDNS can work on AIX (spotted by
2429 Markus Heimhilcher).
2430 * Norbert Sendetzky contributed zone2ldap.
2431 * Everybody's favorite compiler warning from zone2sql.cc was
2433 * Recursor now listens on TCP!
2434 __________________________________________________________
2436 1.3.26. Version 2.9.7
2438 Released on 2003-03-20.
2440 This is a sweeping release in the sense of cleanup. There are
2441 some new features but mostly a lot of cleanup going on. Hiding
2442 inside is the bind2backend, the next generation of the bind
2443 backend. A work in progress. Those of you with overlapping
2444 zones, as mentioned in the changelog of 2.9.6, are invited to
2445 check it out by replacing launch=bind by launch=bind2 and
2446 renaming all bind- parameters to bind2-. Be aware that if you
2447 run with many small zones, this backend is faster, but if you
2448 run with a few large ones, it is slower. This will improve.
2452 * Mark Bergsma contributed query-local-address which allows
2453 the operator to select which source address to use. This is
2454 useful on servers with multiple source addresses and the
2455 operating system selecting an unintended one, leading to
2456 remotes denying access.
2457 * PowerDNS can now perform AAAA additional processing
2458 optionally, turned on by setting
2459 do-ipv6-additional-processing. Thanks to Stephane
2460 Bortzmeyer for pointing out the need.
2461 * Bind2backend, which is almost in compliance with the new
2462 IETF AXFR-clarify (some would say 'redefinition') draft.
2463 This backend is not ready for primetime but you may want to
2464 try it if you currently have overlapping zones and note
2465 problems. An overlapping zone would be having
2466 "ipv6.powerdns.com" and "powerdns.com" zones on one server.
2470 * Zone2sql would happily try to read from a directory and not
2471 give a useful error about this.
2472 * PowerDNS now reports the case where it can't figure out any
2473 IP address of slave nameservers for a zone
2474 * Removed receiver-threads setting which was experimental and
2475 in fact only made things worse.
2476 * LDAP backend updates from its author Norbert Sendetzky.
2477 Reverse lookups should work now too.
2478 * An error message about unparseable packets did not include
2479 the originating IP address (fixed by Mark Bergsma)
2480 * PowerDNS can now be started via path resolution while
2481 running with a guardian. Suggested by Maurice Nonnekes.
2482 * pdns_recursor moved to sbin (reported by Norbert Sendetzky)
2483 * Retuned some logger errorlevels, a lot of master/slave
2484 chatter was logged as 'Error'. Reported by Willem de Groot.
2488 * zone2sql did not remove trailing dots in SOA records.
2489 * ldapbackend did not include utility.hh which caused
2490 compilation problems on Solaris (reported by Remco Post)
2491 * pdns_control could leave behind remnants in case PowerDNS
2492 was not running (reported by dG)
2493 * Incoming AXFR did not work on Solaris and other big-endian
2494 systems (Willem de Groot helped debugging this long
2496 * Recursor could crash on convoluted CNAME loops. Thanks to
2497 Dan Faerch for delivering coredumps.
2498 * Silly 'wuh' debugging output in zone2sql and bindbackend
2499 removed (spotted by Ivo van der Wijk)
2500 * Recursor neglected to differentiate between negative cache
2501 of NXDOMAIN and NOERROR, leading to problems with IPv6
2502 enabled Windows clients. Thanks to Stuart Walsh for
2503 reporting this and testing the fix.
2504 * PowerDNS set the 'aa' bit on serving NS records in a zone
2505 for which it was authoritative. Most implementations drop
2506 the 'aa' bit in this case and Stephane Bortzmeyer informed
2507 us of this. PowerDNS now also drops the 'aa' bit in this
2509 * The webserver tended to fail after prolonged operation on
2510 FreeBSD; this was due to an uninitialised timeout, and other
2511 platforms were merely lucky. Thanks to G.P. de Boer for helping
2513 * getAnswers() in dnspacket.cc could be forced to read bytes
2514 beyond the end of the packet, leading to crashes in the
2515 PowerDNS recursor. This is an ongoing project that needs
2516 more work. Reported by Dan Faerch, with a coredump proving
2518 __________________________________________________________
2520 1.3.27. Version 2.9.6
2522 Two new backends - Generic ODBC (Windows only) and LDAP.
2523 Furthermore, a few important bugs have been fixed which may
2524 have hampered sites seeing a lot of outgoing zone transfers.
2525 Additionally, the pdns recursor now has 'query throttling'
2526 which is pretty cool. In short this makes sure that PowerDNS
2527 does not send out heaps of queries if a nameserver is unable to
2528 provide an answer. Many operators of authoritative setups are
2529 all too aware of recursing nameservers that hammer them for
2530 zones they don't have; PowerDNS won't do that anymore, no
2531 matter what clients request of it.
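The throttle described above, as an added example that is not pdns_recursor's own code. The changelog states only the goal (stop re-asking a nameserver that cannot answer), so the policy here is an assumption: a failed (server, qname, qtype) question is not repeated for a cool-off period, and after a few consecutive failures the whole server is skipped for that period. The clock is injectable so the run below is deterministic and offline; the addresses and names are constructed.

```python
"""Outgoing-query throttle of the kind the 2.9.6 recursor introduced.

Added example, not the PowerDNS implementation. Assumed policy: a question
that a nameserver failed to answer is not re-sent to that server for `ttl`
seconds, and once `server_failures` consecutive failures are seen, every
question to that server is suppressed for `ttl` seconds.
"""
import time
from typing import Callable, Dict, List, Tuple

Key = Tuple[str, str, str]            # (server address, qname, qtype)
WILDCARD = "*"                        # marks a server-wide entry


class Throttle:
    def __init__(self, ttl: float = 60.0, server_failures: int = 3,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl
        self.server_failures = server_failures
        self.clock = clock
        self._until: Dict[Key, float] = {}      # throttled key -> expiry time
        self._failures: Dict[str, int] = {}     # server -> consecutive failures

    def _purge(self) -> None:
        """Drop expired entries; a lapsed server-wide entry resets its budget."""
        now = self.clock()
        for key in [k for k, exp in self._until.items() if exp <= now]:
            del self._until[key]
            if key[1] == WILDCARD:
                self._failures.pop(key[0], None)

    def should_throttle(self, server: str, qname: str, qtype: str) -> bool:
        self._purge()
        return ((server, qname, qtype) in self._until
                or (server, WILDCARD, WILDCARD) in self._until)

    def record_failure(self, server: str, qname: str, qtype: str) -> None:
        now = self.clock()
        self._until[(server, qname, qtype)] = now + self.ttl
        count = self._failures.get(server, 0) + 1
        self._failures[server] = count
        if count >= self.server_failures:      # server looks dead: skip it entirely
            self._until[(server, WILDCARD, WILDCARD)] = now + self.ttl

    def record_success(self, server: str) -> None:
        self._failures.pop(server, None)
        self._until.pop((server, WILDCARD, WILDCARD), None)


def ask(th: Throttle, server: str, qname: str, qtype: str,
        server_answers: bool) -> str:
    """One outgoing-query decision: 'throttled', 'answered' or 'failed'."""
    if th.should_throttle(server, qname, qtype):
        return "throttled"
    if server_answers:
        th.record_success(server)
        return "answered"
    th.record_failure(server, qname, qtype)
    return "failed"


class FakeClock:
    """Constructed clock so the simulation is reproducible without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate() -> List[str]:
    """Clients hammer a dead server; return what the throttle decided each time."""
    clock = FakeClock()
    th = Throttle(ttl=60.0, server_failures=3, clock=clock)
    dead = "192.0.2.53"                        # constructed address, never answers
    log = []
    # Repeated identical questions: only the first one goes out.
    for _ in range(3):
        log.append(ask(th, dead, "www.example.org.", "A", server_answers=False))
    # Other names still go out until the per-server failure limit is reached...
    log.append(ask(th, dead, "mail.example.org.", "MX", server_answers=False))
    log.append(ask(th, dead, "ftp.example.org.", "AAAA", server_answers=False))
    # ...after which nothing at all is sent to that server.
    log.append(ask(th, dead, "other.example.net.", "A", server_answers=False))
    # When the entries expire the server gets a fresh chance.
    clock.advance(61)
    log.append(ask(th, dead, "www.example.org.", "A", server_answers=False))
    return log


if __name__ == "__main__":
    print(simulate())
```

The per-question entry is what stops a client retry loop from being replayed upstream; the server-wide entry is what protects an authoritative operator from being hammered for zones it does not carry, regardless of how many distinct names clients ask for.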
2535 There is an unresolved issue with the BIND backend and
2536 'overlapping' slave zones. So if you have 'example.com' and
2537 also have a separate slave zone called 'external.example.com',
2538 things may go badly wrong. Thanks to Christian Laursen for
2539 working with us a lot in finding this issue. We hope to resolve
2542 * BIND Backend now honours notifies, code to support this was
2543 accidentally left out. Thanks to Christian Laursen for
2545 * Massive speedup for those of you using the slightly
2546 deprecated MBOXFW records. Thanks to Jorn of ISP Services
2547 for helping and testing this improvement.
2548 * $GENERATE had an off-by-one bug where it would omit the
2549 last record to be generated (Christian Laursen)
2550 * Simultaneous AXFRs may have been problematic on some
2551 backends. Thanks to Jorn of ISP-Services again for helping
2552 us resolve this issue.
2553 * Added LDAP backend by Norbert Sendetzky, see Section A.12.
2554 * Added Generic ODBC backend for Windows by Michel Stol.
2555 * Simplified 'out of zone data' detection in incoming AXFR
2556 support, hopefully removing a case sensitivity bug there.
2557 Thanks again to Christian Laursen for reporting this issue.
2558 * $include in-zonefile was broken under some circumstances,
2559 losing the last character of a filename. Thanks to Joris
2560 Vandalon for noticing this.
2561 * The zoneparser was more case-sensitive than BIND, refusing
2562 to accept 'in' as well as 'IN'. Thanks to Joris Vandalon
2564 __________________________________________________________
2566 1.3.28. Version 2.9.5
2568 Released on 2002-02-03.
2570 This version is almost entirely about recursion with major
2571 changes to both the pdns recursor, which is renamed to
2572 'pdns_recursor' and to the main PowerDNS binary to make it
2573 interact better with the recursing component.
2575 Sadly, due to technical reasons, compiling the pdns recursor
2576 and pdns authoritative nameserver into one binary is not
2577 immediately possible. During the release of 2.9.4 we stated
2578 that the recursing nameserver would be integrated in the next
2579 release - this won't happen now.
2581 However, this turns out to not be that bad at all. The recursor
2582 can now be restarted without having to restart the rest of the
2583 nameserver, for example. Cooperation between the both halves of
2584 PDNS is also almost seamless. As a result, 'non-lazy recursion'
2585 has been dropped. See Chapter 11 for more details.
2587 Furthermore, the recursor only works on Linux, Windows and
2588 Solaris (not entirely). FreeBSD does not support the required
2589 functions. If you know any important FreeBSD people, plead with
2590 them to support set/get/swapcontext! Alternatively, FreeBSD
2591 coders could read the solution presented here in figure 5.
2593 The 'Contributor of the Month' award goes to Mark Bergsma who
2594 has responded to our plea for help with the label compressor
2595 and contributed a wonderfully simple and right fix that allows
2596 PDNS to compress just as well as other nameservers out there.
2597 An honorary mention goes to Ueli Heuer who, despite having no
2598 C++ experience, submitted an excellent SRV record
2601 Excellent work was also performed by Michel Stol, the Windows
2602 guy, in fixing all our non-portable stuff again. Christof
2603 Meerwald has also done wonderful work in porting MTasker to
2604 Windows, which was then used by Michel to get the recursor
2605 functioning on Windows.
2609 * dnspacket.cc was cleaned up by factoring out common
2611 * Heaps of work on the recursing nameserver. Has now achieved
2613 * Recursor renamed from syncres to pdns_recursor
2614 * PowerDNS can now serve records it does not know about. To
2615 benefit from this slightly undocumented feature, add 1024
2616 to the numerical type of a record and include the record in
2617 binary form in your database. Used internally by the
2618 recursing nameserver but you can use it too.
2619 * PowerDNS now knows the *names* of SIG and KEY records. It
2620 does not support them yet but can at least report so now.
2621 * HINFO records can now be transferred from a master to
2622 PowerDNS (thanks to Ueli Heuer for noticing it didn't
2624 * Yet more UltraSPARC alignment issues fixed (Chris Andrews).
2625 * Dropped non-lazy recursion, nobody was using it. Lazy
2626 recursion became even more lazy after Dan Bernstein pointed
2627 out that additional processing is not vital, so PowerDNS
2628 does its best to do additional processing on recursive
2629 queries, but does not scream murder if it does not succeed.
2630 Due to caching, the next identical query will be
2631 successfully additionally processed.
2632 * Label compression was improved so we can now fit all '.'
2633 (root) records in 436 bytes; this used to be 460! (Code &
2634 formal proof of correctness by Mark Bergsma).
2635 * SRV support (incoming and outgoing), submitted by Ueli
2637 * Generic backends do not support SOA serial autocalculation,
2638 it appears. Could lead to random SOA serials in case of a
2639 serial of 0 in the database. Fixed so that 0 stays zero in
2640 that case. Don't set the SOA serial to 0 when using Generic
2641 MySQL or Generic PostgreSQL!
2642 * J root-server address was updated to its new location.
2643 * SIGUSR1 now forces the recursor to print out statistics to
2645 * Meaning of recursor logging was changed a bit - a cache hit
2646 is now a question that was answered with 0 outgoing packets
2647 needed. Used to be a weighted average of internal cache
2649 * MySQL compilation did not include -lz which causes problems
2650 on some platforms. Thanks to James H. Cloos Jr for
2652 * After a suggestion by Daniel Meyer and Florus Both, the
2653 built in webserver now reports the configuration name when
2654 multiple PowerDNS instances are active.
2655 * Brad Knowles noticed that zone2sql had problems with the
2656 root.zone, fixed. This also closes some other zone2sql
2657 annoyances with converting single zones.
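The two sides of label compression the 2.9.5 and 2.9.7 notes touch, as an added example that is neither PowerDNS's compressor nor its packet parser: an encoder that reuses earlier suffixes through 2-byte pointers, and a decoder that checks every read against the packet length, rejects pointer loops, and refuses the extended label types PowerDNS cannot parse (the getAnswers() out-of-bounds read and the binary-label warning). The sample names are constructed.

```python
"""DNS name compression (RFC 1035 section 4.1.4) with a bounds-checked decoder.

Added example, not PowerDNS code. NameCompressor.encode() writes names into
one packet, replacing any suffix already present with a pointer to it;
decode_name() parses a name back without ever reading past the packet or
following a pointer that does not move strictly backwards.
"""
from typing import Dict, List, Tuple


class NameCompressor:
    """Builds one packet; encode() appends a name, reusing earlier suffixes."""

    def __init__(self) -> None:
        self.buf = bytearray()
        # suffix (tuple of lower-cased labels) -> offset of its first byte
        self.offsets: Dict[Tuple[str, ...], int] = {}

    def encode(self, name: str) -> int:
        """Append `name` in wire form and return the number of bytes written."""
        labels = tuple(l.lower() for l in name.rstrip(".").split(".") if l)
        start = len(self.buf)
        for i in range(len(labels)):
            suffix = labels[i:]
            if suffix in self.offsets:
                ptr = self.offsets[suffix]          # pointer: bits 11 + 14-bit offset
                self.buf += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
                return len(self.buf) - start
            if len(self.buf) < 0x4000:              # only 14 bits are addressable
                self.offsets[suffix] = len(self.buf)
            label = labels[i].encode("ascii")
            if not 1 <= len(label) <= 63:
                raise ValueError("label length must be 1..63")
            self.buf += bytes([len(label)]) + label
        self.buf.append(0)                          # root label terminates the name
        return len(self.buf) - start


def decode_name(pkt: bytes, pos: int) -> Tuple[str, int]:
    """Decode the name at `pos`; return (name, offset just after it in the stream).

    Every access is checked against len(pkt). Pointer targets must lie before
    everything read so far for this name: a pointer at offset 4 back to offset
    0 whose labels lead to offset 4 again would otherwise loop forever.
    """
    labels: List[str] = []
    end = None          # where the caller resumes, fixed by the first pointer
    lowest = pos        # smallest offset visited so far for this name
    total = 0           # decoded length, capped at 255 like any DNS name
    while True:
        if pos >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[pos]
        if length & 0xC0 == 0xC0:               # compression pointer
            if pos + 1 >= len(pkt):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[pos + 1]
            if target >= lowest:
                raise ValueError("compression pointer does not point backwards")
            if end is None:
                end = pos + 2
            lowest = pos = target
            continue
        if length & 0xC0:                        # 0x40/0x80: extended/binary label
            raise ValueError("unsupported label type 0x%02x" % length)
        if length == 0:                          # root label
            pos += 1
            break
        if pos + 1 + length > len(pkt):
            raise ValueError("label runs past end of packet")
        total += 1 + length
        if total > 255:
            raise ValueError("name longer than 255 bytes")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + ".", (end if end is not None else pos)


if __name__ == "__main__":
    c = NameCompressor()
    for n in ("www.example.com", "mail.example.com", "example.com"):
        print(n, "->", c.encode(n), "bytes")
    off = 0
    while off < len(c.buf):
        name, off = decode_name(bytes(c.buf), off)
        print(name)
```

The decoder's "strictly backwards" rule is stronger than RFC 1035 strictly requires, but every name a correct compressor emits satisfies it, and it turns the loop and truncation cases into a ValueError instead of an over-read.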
2658 __________________________________________________________
2660 1.3.29. Version 2.9.4
2662 Yet another grand release. Big news is the addition of a
2663 recursing nameserver which has sprung into existence over the
2664 past week. It is in use on several computers already but it is
2665 not ready for prime time. Complete integration with PowerDNS is
2666 expected around 2.9.5, for now the recursor is a separate
2669 In preliminary tests, the recursor appears to be four times
2670 faster than BIND 9 on a naive benchmark starting from a cold
2671 cache. BIND 9 managed to get through to some slower nameservers
2672 however, which were given up on by PowerDNS. We will continue
2673 to tune the recursor. See Chapter 12 for further details.
2675 The BIND Backend has also been tested (see the
2676 bind-domain-status item below) rather heavily by several
2677 parties. After some discussion online, one of the BIND authors
2678 ventured that the newsgroup comp.protocols.dns.bind may now in
2679 fact be an appropriate venue for discussing PowerDNS. Since
2680 this discussion, traffic to the PowerDNS pages has increased
2681 sixfold and shows no signs of slowing down.
2683 From this, it is apparent that far more people are interested
2684 in PowerDNS than yet know about it. So spread the word!
2686 In other news, we now have a security page at Section 1.4.
2687 Furthermore, Maurice Nonnekes contributed an OpenBSD port! See
2688 his page for more details!
2690 New features and improvements:
2692 * All SQL queries in the generic backends are now available
2693 for configuration. (Martin Klebermass, bert hubert). See
2695 * A recursing nameserver! See Chapter 12.
2696 * An incoming AXFR now only starts a backend zone replacement
2697 transaction after the first record arrived successfully,
2698 thus making sure no work is done when a remote nameserver
2699 is unable/unwilling to AXFR a zone to us.
2700 * Zoneparser error messages were improved slightly (thanks to
2701 Stef van Dessel for spotting this shortcoming)
2702 * XS4ALL's Erik Bos checked how PowerDNS reacted to a BIND
2703 installation with almost 60.000 domains, some of which have
2704 >100.000 records, and he discovered the pdns_control
2705 bind-domain-status command became very slow with larger
2706 numbers of domains. Fixed, 60.000 domains are now listed in
2708 * If a remote nameserver disconnects during an incoming AXFR,
2709 the update is now rolled back, unless the AXFR was properly
2711 * The migration chapter mentioned the use of deprecated
2714 A tremendous number of bugs were discovered and fixed:
2716 * Zone parser would only accept $include and not $INCLUDE
2717 * Zone parser had problems with $lines with comments on the
2719 * Wildcard ANY queries were broken (thanks Colemarcus for
2721 * A connection failure with the Generic backends would lead
2722 to a powerdns reload (cast of many)
2723 * Generic backends had some semantic problems with slave
2724 support. Symptoms were oft-repeated notifications and
2725 transfers (thanks to Mark Bergsma for helping resolve
2727 * Solaris version compiles again. Thanks to Mohamed Lrhazi
2728 for reporting that it didn't.
2729 * Some UltraSPARC alignment fixes. Thanks to Mohamed Lrhazi
2730 for being helpful in spotting these. One problem is still
2731 outstanding, Mohamed sent a core dump that tells us where
2732 the problem is. Expect the fix to be in 2.9.5. Volunteers
2733 can grep the source for 'UltraSPARC' to find where the
2735 * Our support of IPv6 on FreeBSD had phase-of-the-moon
2736 dependent bugs, fixed by Peter van Dijk.
2737 * Some crashes of and by pdns_control were fixed, thanks to
2738 Mark Bergsma for helping resolve these.
2739 * Outgoing AXFR in pdns installations with multiple loaded
2740 backends was broken (thanks to Stuart Walsh for reporting
2742 * A failed BIND Backend incoming AXFR would block the zone
2743 until it succeeded again.
2744 * Generic PostgreSQL backend wouldn't compile with newer
2745 libpq++, fixed by Julien Lemoine/SpeedBlue.
2746 * Potential bug (not observed) when listening on multiple
2748 * Some typos in manpages fixed (reported by Marco Davids).
2749 __________________________________________________________
2751 1.3.30. Version 2.9.3a
2755 2.9.3a is identical to 2.9.3 except that zone2sql does work
2757 Broad range of huge improvements. We now have an all-static
2758 .rpm and .deb for Linux users and a link to an OpenBSD port.
2759 Major news is that work on the Bind backend has progressed to
2760 the point that we've just retired our last Bind server and
2761 replaced it with PowerDNS in Bind mode! This server is
2762 operating a number of master and slave setups so it should
2763 stress the Bind backend somewhat.
2765 This version is rapidly approaching the point where it is a
2766 better-Bind-than-Bind and nearly a drop-in replacement for
2767 authoritative setups. PowerDNS is now equipped with a powerful
2768 master/slave apparatus that offers a lot of insight and control
2769 to the user, even when operating from Bind zonefiles and a Bind
2770 configuration. Observe.
2772 After the SOA of ds9a.nl was raised:
2773 pdns[17495]: All slave domains are fresh
2774 pdns[17495]: 1 domain for which we are master needs notifications
2775 pdns[17495]: Queued notification of domain 'ds9a.nl' to 195.193.163.3
2776 pdns[17495]: Queued notification of domain 'ds9a.nl' to 213.156.2.1
2777 pdns[17520]: AXFR of domain 'ds9a.nl' initiated by 195.193.163.3
2778 pdns[17520]: AXFR of domain 'ds9a.nl' to 195.193.163.3 finished
2779 pdns[17521]: AXFR of domain 'ds9a.nl' initiated by 213.156.2.1
2780 pdns[17521]: AXFR of domain 'ds9a.nl' to 213.156.2.1 finished
2781 pdns[17495]: Removed from notification list: 'ds9a.nl' to 195.193.163.3
2783 pdns[17495]: Removed from notification list: 'ds9a.nl' to 213.156.2.1 (w
2785 pdns[17495]: No master domains need notifications
2787 If however our slaves would ignore us, as some are prone to do,
2788 we can send some additional notifications:
2789 $ sudo pdns_control notify ds9a.nl
2791 pdns[17492]: Notification request for domain 'ds9a.nl' received
2792 pdns[17492]: Queued notification of domain 'ds9a.nl' to 195.193.163.3
2793 pdns[17492]: Queued notification of domain 'ds9a.nl' to 213.156.2.1
2794 pdns[17495]: Removed from notification list: 'ds9a.nl' to 195.193.163.3
2796 pdns[17495]: Removed from notification list: 'ds9a.nl' to 213.156.2.1 (w
2799 Conversely, if PowerDNS needs to be reminded to retrieve a zone
2800 from a master, a command is provided:
2801 $ sudo pdns_control retrieve forfun.net
2802 Added retrieval request for 'forfun.net' from master 212.187.98.67
2803 pdns[17495]: AXFR started for 'forfun.net', transaction started
2804 pdns[17495]: Zone 'forfun.net' (/var/cache/bind/forfun.net) reloaded
2805 pdns[17495]: AXFR done for 'forfun.net', zone committed
2807 Also, you can force PowerDNS to reload a zone from disk
2808 immediately with pdns_control bind-reload-now. All this happens
2809 'live', per your instructions. Without instructions, the right
2810 things also happen, but the operator is in charge.
2812 For more about all this coolness, see Section B.1.1 and Section
2817 Again some changes in compilation instructions. The hybrid
2818 pgmysql backend has been split up into 'gmysql' and 'gpgsql',
2819 sharing a common base within the PowerDNS server itself. This
2820 means that you can no longer compile --with-modules="pgmysql"
2821 --enable-mysql --enable-pgsql but that you should now use:
2822 --with-modules="gmysql gpgsql". The old launch-names remain
2825 If you launch the Generic PgSQL backend as gpgsql2, all
2826 parameters will have gpgsql2 as a prefix, for example
2827 gpgsql2-dbname. If launched as gpgsql, the regular names are in
2832 The pdns_control protocol was changed, which means that older
2833 pdns_controls cannot talk to 2.9.3. The other way around is
2834 broken too. This may lead to problems with automatic upgrade
2835 scripts, so pay attention that your daemon is truly restarted.
2837 Also make sure no old pdns_control command is around to confuse
2842 * Bind backend can now deal with missing files and try to
2844 * Bind backend is now explicitly master capable and triggers
2845 the sending of notifications.
2846 * General robustness improvements in Bind backend - many
2847 errors are now non-fatal.
2848 * Accessibility, Serviceability. New pdns_server commands
2849 like bind-list-rejects (lists zones that could not be
2850 loaded, and the reason why), bind-reload-now (reload a zone
2851 from disk NOW), rediscover (reread named.conf NOW). More is
2853 * Added support for retrieving RP (Responsible Person)
2854 records from remote masters. Serving them was already
2856 * Added support for LOC records, which encode the
2857 geographical location of a host, both serving and
2858 retrieving (thanks to Marco Davids using them on our last
2859 Bind server, forcing us to implement this silly record).
2860 * Configuration file parser now strips leading spaces too,
2861 allowing "chroot= /tmp" to work, as well as "chroot=/tmp"
2862 (Thanks to Hub Dohmen for reporting this for months on
2864 * Added bind-domain-status command that shows the status of
2865 all domains (when/if they were parsed, any errors
2866 encountered while parsing them).
2867 * Added bind-reload-now command that tries to reload a zone
2868 from disk NOW, and reports back errors to the operator
2870 * Added retrieve command that queues a request to retrieve a
2871 zone from its master.
2872 * Zones retrieved from masters are now stored way smaller on
2873 disk because the domain is stripped from records, which is
2874 derived from the configuration file. Retrieved zones are
2875 now prefixed with some information on where they came from.
2879 * gpgsql and gmysql backends split out of the hybrid
2880 pgmysqlbackend. This again changed compilation
2882 * pdns_control now uses the rarely seen SOCK_STREAM Unix
2883 Domain socket variety so it can transport large amounts of
2884 text, which is needed for the bind-domain-status command,
2885 for which see Section A.9.2. This breaks compatibility with
2886 older pdns_control and pdns_server binaries!
2887 * Bind backend now ignores 'hint' and 'forward' and other
2888 unsupported zone types.
2889 * AXFRs are now logged more heavily by default. An AXFR is a
2890 heavy operation anyhow, some more logging does not further
2891 increase the load materially. Does help in clearing up what
2893 * A lot of master/slave chatter has been silenced, making
2894 output more relevant. No more repetitive 'No master domains
2895 need notifications' etc, only changes are reported now.
2899 * Windows version did not compile without minor changes.
2900 * Confusing error reporting on Windows 98 (which does not
2901 support PowerDNS) fixed
2902 * Potential crashes with shortened packets addressed. An
2904 * notify (which was already there, just badly documented) no
2905 longer prints out debugging garbage.
2906 * pgmysql backend had problems launching when not compiled in
2907 but available as a module. Workaround for 2.9.2 is
2908 'load-modules=pgmysql', but even then gpgsql would not
2909 work! gmysql would then, however. These modules are now
2910 split out, removing such issues.
2911 __________________________________________________________
2913 1.3.31. Version 2.9.2
2915 Bugfixes galore. Solaris porting created some issues on all
2916 platforms. Great news is that PowerDNS is now in Debian 'sid'
2917 (unstable). The 2.9.1 packages in there currently aren't very
2918 good but the 2.9.2 ones will be. Many thanks to Wichert
2919 Akkerman, our 'downstream' for making this possible.
2923 The Generic MySQL backend, part of the Generic MySQL &
2924 PostgreSQL backend, is now the DEFAULT! The previous default,
2925 the 'mysql' backend (note the lack of 'g') is now DEPRECATED.
2926 This was the source of much confusion. The 'mysql' backend does
2927 not support MASTER or SLAVE operation. The Generic backends do.
2929 To get back the mysql backend, add --with-modules="mysql" or
2930 --with-dynmodules="mysql" if you prefer to load your modules at
2935 * Silly debugging output removed from the webserver (found by
2937 * SEVERE: due to Solaris portability fixes, qtypes above 127
2938 were broken. These include NAPTR, ANY and AXFR. The upshot is
2939 that powerdns wasn't performing outgoing AXFRs nor ANY
2940 queries. These were the 'question for type -1' warnings in
2942 * incoming AXFR could theoretically miss some trailing
2943 records (not observed, but could happen)
2944 * incoming AXFR did not support TXT records (spotted by Paul
2946 * with some remotes, an incoming AXFR would not terminate
2947 until a timeout occurred (observed by Paul Wouters)
2948 * Documentation bug, pgmysql != mypgsql
2952 * Documented the 'random backend', see Section A.3.
2953 * Wichert Akkerman contributed three manpages.
2954 * Building PowerDNS on Unix is now documented somewhat more,
2959 * pdns init.d script is now +x by default
2960 * OpenBSD is on its way to becoming a supported platform! As
2961 of 2.9.2, PowerDNS compiles on OpenBSD but swiftly crashes.
2963 * ODBC backend (for Windows only) was missing from the
2964 distribution, now added.
2965 * xdb backend added - see Section A.11. Designed for use by
2966 root-server operators.
2967 * Dynamic modules are back which is good news for
2968 distributors who want to make a pdns package that does not
2969 depend on every database under the sun.
2970 __________________________________________________________
2972 1.3.32. Version 2.9.1
2974 Thanks to the great enthusiasm from around the world, powerdns
2975 is now available for Solaris and FreeBSD users again!
2976 Furthermore, the Windows build is back. We are very grateful
2990 We are happy to have been able to work with the open source
2991 community to improve PowerDNS!
2995 * The monitor command set no longer allows the changing of
2996 non-existent variables.
2997 * IBM Universal Database DB2 backend now included in source
2998 distribution (untested!)
2999 * Oracle backend now included in source distribution
3001 * configure script now searches for postgresql and mysql
3003 * Bind parser now no longer dies on records with a ' in them
3005 * The pipebackend was accidentally left out of 2.9
3006 * FreeBSD fixes (with help from Erik Bos, Alex Bleeker, Niels
3008 * Heap of Solaris work (with help from Edvard Tuinder, Stefan
3009 Van Steen, Koos van den Hout, Roel van der Made and
3010 especially Mark Bakker). Now compiles in 2.7 and 2.8,
3011 haven't tried 2.9. May be a bit dysfunctional on 2.7 though
3012 - it won't do IPv6 and it won't serve AAAA. Patches
3014 * Windows 32 build is back! Michel Stol updated his earlier
3015 work to the current version.
3016 * S/Linux (Linux on Sparc) build works now (with help from
3018 * Silly debugging message ('sd.ttl from cache') removed
3019 * .debs are back, hopefully in 'sid' soon! (Wichert Akkerman)
3020 * Removal of bzero and other less portable constructs.
3021 Discovered that recent Linux glibc's need -D_GNU_SOURCE
3023 __________________________________________________________
3027 Open source release. Do not deploy unless you know what you are
3028 doing. Stability is expected to return with 2.9.1, as are the
3031 * License changed to the GNU General Public License version
3033 * Cleanups by Erik Bos @ xs4all.
3034 * Build improvements by Wichert Akkerman
3035 * Lots of work on the build system, entirely revamped. By
3037 __________________________________________________________
3041 From this release onwards, we'll concentrate on stabilising for
3042 the 3.0 release. So if you have any must-have features, let us
3043 know soonest. The 2.8 release fixes a bunch of small stability
3044 issues and adds two new features. In the spirit of the move to
3045 stability, this release had already been running 24 hours on
3046 our servers before release.
3048 * pipe backend gains the ability to restrict its invocation
3049 to a limited number of requests. This allows a very busy
3050 nameserver to still serve packets from a slow perl backend.
3051 * pipe backend now honors query-logging, which also documents
3052 which queries were blocked by the regex.
3053 * pipe backend now has its own backend chapter.
3054 * An incoming AXFR timeout at the wrong moment had the
3055 ability to crash the binary, forcing a reload. Thanks to
3056 our bug spotting champions Mike Benoit and Simon Kirby of
3057 NetNation for reporting this.
3058 __________________________________________________________
1.3.35. Version 2.7 and 2.7.1

This version fixes some very long standing issues and adds a few new features. If you are still running 2.6, upgrade yesterday. If you were running 2.6.1, an upgrade is still

* The controlsocket is now readable and writable by the 'setgid' user. This allows for non-root access to PDNS which is nice for mrtg or cricket graphs.
* MySQL backend (the non-generic one) gains the ability to read from a different table using the mysql-table setting.
* pipe backend now has a configurable timeout using the pipe-timeout setting. Thanks to Steve Bromwich for pointing out the need for this.
* Experimental backtraces. If PowerDNS crashes, it will log a lot of numbers and sometimes more to the syslog. If you see these, please report them to us. Only available under

* 2.7 briefly broke the mysql backend, so don't use it if you use that. 2.7.1 fixes this.
* SOA records could sometimes have the wrong TTL. Thanks to Jonas Daugaard for reporting this.
* An ANY query might lead to duplicate SOA records being returned under exceptional circumstances. Thanks to Jonas Daugaard for reporting this.
* Underlying the above bug, packet compression could sometimes suddenly be turned off, leading to overly large responses and non-removal of duplicate records.
* The allow-axfr-ips setting did not accept IP ranges (1.2.3.0/24) which the documentation claimed it did (thanks to Florus Both of Ascio technologies for being sufficiently persistent in reporting this).
* Killed backends were not being respawned, leading to suboptimal behaviour on intermittent database errors. Thanks to Steve Bromwich for reporting this.
* Corrupt packets during an incoming AXFR when acting as a slave would cause a PowerDNS reload instead of just failing that AXFR. Thanks to Mike Benoit and Simon Kirby of NetNation for reporting this.
* Label compression in incoming AXFR had problems with large offsets, causing the above mentioned errors. Thanks to Mike Benoit and Simon Kirby of NetNation for reporting this.
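The label-compression problem in incoming AXFR above is a parser robustness issue: a compression pointer in a DNS name is a 14-bit offset into the message, and an offset that is out of range, points forward, or points at itself must be rejected rather than followed. The following is an added example in C++, not PowerDNS code; the message it parses is constructed inline and is not a real capture.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Reads the DNS name starting at byte 'pos' of 'msg' into 'out' (dotted,
// no trailing dot, "." for the root). Returns the number of bytes the name
// occupies at 'pos', so the caller can keep parsing after it, or -1 if the
// name is malformed: truncated label, label running past the end of the
// message, forward or self-referencing pointer, unsupported label type,
// or an impossibly long name.
int readName(const std::vector<uint8_t>& msg, size_t pos, std::string& out)
{
  out.clear();
  size_t consumed = 0;   // bytes used at the original position
  bool jumped = false;   // set once a compression pointer was followed
  size_t p = pos;

  for (;;) {
    if (p >= msg.size())
      return -1;         // length byte missing
    uint8_t len = msg[p];

    if ((len & 0xC0) == 0xC0) {
      // Compression pointer: 14-bit offset into the message.
      if (p + 1 >= msg.size())
        return -1;       // second pointer byte missing
      size_t offset = (static_cast<size_t>(len & 0x3F) << 8) | msg[p + 1];
      // Only pointers to an earlier position are accepted. That rules out
      // pointer loops (every hop moves strictly backwards) and, since p is
      // inside the message, any offset past its end.
      if (offset >= p)
        return -1;
      if (!jumped) {
        consumed += 2;   // a pointer ends the name at the original spot
        jumped = true;
      }
      p = offset;
      continue;
    }
    if ((len & 0xC0) != 0)
      return -1;         // 0x40/0x80 label types are not in use

    if (p + 1 + len > msg.size())
      return -1;         // label data runs past the end of the message
    if (!jumped)
      consumed += 1 + len;
    if (len == 0)
      break;             // root label terminates the name
    if (!out.empty())
      out += '.';
    out.append(reinterpret_cast<const char*>(&msg[p + 1]), len);
    if (out.size() > 253)
      return -1;         // longer than any valid domain name
    p += 1 + len;
  }
  if (out.empty())
    out = ".";
  return static_cast<int>(consumed);
}

// Decoded name at 'pos', or "" when it is malformed.
std::string nameAt(const std::vector<uint8_t>& msg, size_t pos)
{
  std::string name;
  return readName(msg, pos, name) < 0 ? std::string() : name;
}

// Bytes occupied by the name at 'pos', or -1 when it is malformed.
int nameLength(const std::vector<uint8_t>& msg, size_t pos)
{
  std::string ignored;
  return readName(msg, pos, ignored);
}

// Constructed sample message (not a real capture): a 12-byte header,
// "www.example.com" at offset 12, "mail" plus a pointer to "example.com"
// at offset 29, a self-referencing pointer at 36 and a 63-byte label with
// no data behind it at 38.
std::vector<uint8_t> sampleMessage()
{
  std::vector<uint8_t> m(12, 0);
  const uint8_t www[] = {3,'w','w','w',7,'e','x','a','m','p','l','e',3,'c','o','m',0};
  m.insert(m.end(), www, www + sizeof www);            // offsets 12..28
  const uint8_t mail[] = {4,'m','a','i','l',0xC0,16};  // offsets 29..35
  m.insert(m.end(), mail, mail + sizeof mail);
  const uint8_t self[] = {0xC0,36};                    // offsets 36..37
  m.insert(m.end(), self, self + sizeof self);
  m.push_back(63);                                     // offset 38
  return m;
}
```

The byte count returned lets a caller step to the next record even when the name ended in a pointer, and the backwards-only rule for pointers is what makes a hop counter unnecessary: each hop lands strictly earlier in the message, so the walk always terminates.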
__________________________________________________________

1.3.36. Version 2.6.1

Quick fix release for a big cache problem.
__________________________________________________________

Performance release. A lot of work has been done to raise PDNS performance to staggering levels in order to take part in benchmarketing efforts. Together with our as yet unnamed partner, PDNS has been benchmarked at 60.000 mostly cached queries/second on off the shelf PC hardware. Uncached performance was 17.000 uncached DNS queries/second on the .ORG

Performance has been increased by both making PDNS itself quicker and by lowering the number of backend queries typically needed. Operators will typically see PDNS taking less CPU and the backend seeing less load.

Furthermore, some real bugs were fixed. A couple of undocumented performance switches may appear in --help output but you are advised to stay away from these.

Developers: this version needs the pdns-2.5.1 development kit, available on http://downloads.powerdns.com/releases/dev. See

* A big error in latency calculations - cached packets were weighed 50 times less, leading to inflated latency reporting. Latency calculations are now correct and way lower - often in the microseconds range.
* It is now possible to run with 0 second cache TTLs. This used to cause very frequent cache cleanups, leading to performance degradation.
* Many tiny performance improvements, removing duplicate cache key calculations, etc. The cache itself has also been reworked to be more efficient.
* First 'CNAME' backend query replaced by an 'ANY' query, which most of the time returns the actual record, preventing the need for a separate CNAME lookup, halving
* Much of the same for same-level-NS records on queries

* Incidentally, the cache count would show 'unknown' packets, which was harmless but confusing. Thanks to Mike and Simon of NetNation for reporting this.
* SOA hostmaster with a . in the local-part would be cached wrongly, leading to a stray backslash in case of multiple successive SOA queries. Thanks to Ascio Technologies for
* zone2sql did not parse Verisign zonefiles correctly as these contained a $TTL statement in mid-record.
* Sometimes packets would not be accounted, leading to 'udp-queries' and 'udp-answers' divergence.

* 'cricket' command added to init.d scripts that provides unadorned output for parsing by 'Cricket'.
__________________________________________________________
1.3.38. Version 2.5.1

Brown paper bag release fixing a huge memory leak in the new

Developers: this version needs the new pdns-2.5.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Appendix C.

And some small changes:

* Added support for RF2038 compliant negative-answer caching. This allows remotes to cache the fact that a domain does not exist and will not exist for a while. Thanks to Chris Thompson for pointing out how tiny our minds are. This feature may cause a noticeable reduction in query load.
* Small speedup to non-packet-cached queries, incidentally fixing the huge memory leak.
* pdns_control ccounts command outputs statistics on what is in the cache, which is useful to help optimize your caching
__________________________________________________________
An important release which has seen quite a lot of trial and error testing. As a result, PDNS can now run with a huge cache and concurrent invalidations. This is useful when running off a slower database or under high traffic load with a fast

Furthermore, the gpgsql2 backend has been validated for use and will soon supplant the gpgsql backend entirely. This also bodes well for the gmysql backend which is the same code.

Also, a large amount of issues biting large scale slave operators were addressed. Most of these issues would only show up after prolonged uptime.

* Query cache. The old Packet Cache only cached entire questions and their answers. This is very CPU efficient but does not lead to maximum hitrate. Two packets both needing to resolve smtp.you.com internally would not benefit from any caching. Furthermore, many different DNS queries lead to the same backend queries, like 'SOA for .COM?'.
  PDNS now also caches backend queries, but only those having no answer (the majority) and those having one answer
  In tests, these additional caches appear to halve the database backend load numerically and perhaps even more in terms of CPU load. Often, queries with no answer are more expensive than those having one.
  The default ttls for the query-cache and negquery-cache are set to safe values (20 and 60 seconds respectively), you should be seeing an improvement in behaviour without sacrificing a lot in terms of quick updates.
  The webserver also displays the efficiency of the new Query
  The old Packet Cache is still there (and useful) but see Chapter 9 for more details.
* There is now the ability to shut off some logging at a very early stage. High performance sites doing thousands of queries/second may in fact spend most of their CPU time on attempting to write out logging, even though it is ignored by syslog. The new flag log-dns-details, on by default, allows the operator to kill most informative-only logging before it takes any cpu.
* Flags which can be switched 'on' and 'off' can now also be set to 'off' instead of only to 'no' to turn them off.

* Packet Cache is now case insensitive, leading to a higher hitrate because identical queries only differing in case now both match. Care is taken to restore the proper case in the answer sent out.
* Packet Cache stores packets more efficiently now, savings are estimated at 50%.
* The Packet Cache is now asynchronous which means that PDNS continues to answer questions while the cache is busy being purged or queried. Incidentally this will mean a cache miss where previously the question would wait until the cache became available again.
  The upshot of this is that operators can call pdns_control purge as often as desired without fearing performance loss. Especially the full, non-specific, purge was speeded up
  This optimization is of little merit for small sites but is very important when running with a large packetcache, such as when using recursion under high load.
* AXFR log messages now all contain the word 'AXFR' to ease
* Linux static version now compiled with gcc 3.2 which is known to output better and faster code than the previously

* Packetcache would sometimes send packets back with slightly modified flags if these differed from the flags of the
* Resolver code did bad things with filedescriptors leading to fd exhaustion after prolonged uptimes and many slave SOA
* Resolver code failed to properly log some errors, leading to operator uncertainty regarding AXFR problems with
* After prolonged uptime, slave code would try to use privileged ports for originating queries, leading to bad replication efficiency.
* Masters sending back answers in differing case from questions would lead to bogus 'Master tried to sneak in out-of-zone data' errors and failing AXFRs.
__________________________________________________________
Developers: this version is compatible with the pdns-2.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Appendix

This version fixes some stability issues with malformed or malcrafted packets. An upgrade is advised. Furthermore, there are interesting new features.

* Recursive queries are now also cached, but in a separate namespace so non-recursive queries don't get recursed answers and vice versa. This should mean way lower database load for sites running with the current default lazy-recursion. Up to now, each and every recursive query would lead to a large amount of SQL queries.
  To prevent the packetcache from becoming huge, a separate recursive-cache-ttl can be specified.
* The ability to change parameters at runtime was added. Currently, only the new query-logging flag can be changed.
* Added query-logging flag which hints a backend that it should output a textual representation of queries it receives. Currently only gmysql and gpgsql2 honor this
* Gmysql backend can now also talk to PgSQL, leading to less code. Currently, the old postgresql driver ('gpgsql') is still the default, the new driver is available as 'gpgsql2' and has the benefit that it does query logging. In the future, gpgsql2 will become the default gpgsql driver.
* DNS recursing proxy is now more verbose in logging odd events which may be caused by buggy recursing backends.
* Webserver now displays peak queries/second 1 minute

* Failure to connect to database in master/slave communicator thread could lead to an unclean reload, fixed.

Documentation: added details for strict-rfc-axfrs. This feature can be used if very old clients need to be able to do zone transfers with PDNS. Very slow.
__________________________________________________________
Developers: this version is compatible with the pdns-2.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Appendix

This release adds the Generic MySQL backend which allows full master/slave semantics with MySQL and InnoDB tables (or other tables that support transactions). See Section A.5.

* Improved error messages in master/slave communicator will help track down problems.
* slave-cycle-interval setting added. Very large sites with thousands of slave domains may need to raise this value above the default of 60. Every cycle, domains in indeterminate state are checked for their condition. Depending on the health of the masters, this may entail many SOA queries or attempted AXFRs.

* 'pdns_control purge domain' and 'pdns_control purge domain$' were broken in version 2.2 and did not in fact purge the cache. There is a slight risk that domain-specific purge commands could force a reload in previous version. Thanks to Mike Benoit of NetNation for
* Master/slave communicator thread got confused in case of delayed answers from slow masters. While not causing harm, this caused inefficient behaviour when testing large amounts of slave domains because additional 'cycles' had to pass before all domains would have their status
* Backends implementing special SOA semantics (currently only the undocumented 'pdns express backend', or homegrown backends) would under some circumstances not answer the SOA record in case of an ANY query. This should put an end to the last DENIC problems. Thanks to DENIC for helping us
__________________________________________________________
Developers: this version is compatible with the pdns-2.1 development kit, available on http://downloads.powerdns.com/releases/dev. See also Appendix

Again a big release. PowerDNS is seeing some larger deployments in more demanding environments and these are helping shake out remaining issues, especially with recursing backends.

The big news is that wildcard CNAMEs are now supported, an oft requested feature and nearly the only part in which PDNS differed from BIND in authoritative capabilities.

If you were seeing signal 6 errors in PDNS causing reloads and intermittent service disruptions, please upgrade to this

For operators of PowerDNS Express trying to host .DE domains, the very special soa-serial-offset feature has been added to placate the new DENIC requirement that the SOA serial be at least six digits. PowerDNS Express uses the SOA serial as an actual serial and not to insert dates and hence often has single digit soa serial numbers, causing big problems with .DE

* Malformed or shortened TCP recursion queries would cause a signal 6 and a reload. Same for EOF from the TCP recursing backend. Thanks to Simon Kirby and Mike Benoit of NetNation for helping debug this.
* Timeouts on the TCP recursing backend were far too long, leading to possible exhaustion of TCP resolving threads.
* pdns_control purge domain accidentally cleaned all packets with that name as a prefix. Thanks to Simon Kirby for
* Improved exception error logging - in some circumstances PDNS would not properly log the cause of an exception, which hampered problem resolution.

* Wildcard CNAMEs now work as expected!
* pdns_control purge can now also purge based on suffix, allowing operators to purge an entire domain from the packet cache instead of only specific records. See also Section B.1.1. Thanks to Mike Benoit for this suggestion.
* soa-serial-offset for installations with small SOA serial numbers wishing to register .DE domains with DENIC which demands six-figure SOA serial numbers. See also Chapter 15.
__________________________________________________________
This is a somewhat bigger release due to pressing demands from customers. An upgrade is advised for installations using Recursion. If you are using recursion, it is vital that you are aware of changes in semantics. Basically, local data will now override data in your recursing backend under most circumstances. Old behaviour can be restored by turning

Developers: this version has a new pdns-2.1 development kit, available on http://downloads.powerdns.com/releases/dev. See

Most users will run a static version of PDNS which has no dependencies on external libraries. However, some may need to run the dynamic version. This warning applies to these users.

To run the dynamic version of PDNS, which is needed for backend drivers which are only available in source form, gcc 3.0 is required. RedHat 7.2 comes with gcc 3.0 as an optional component, RedHat 7.3 does not. However, the RedHat 7.2 Update gcc rpms install just fine on RedHat 7.3. For Debian, we suggest running 'woody' and installing the g++-3.0 package. We expect to release a FreeBSD dynamic version shortly.

* RPM releases sometimes overwrote previous configuration files. Thanks to Jorn Ekkelenkamp of Hubris/ISP Services
* TCP recursion sent out overly large responses due to a byteorder mistake, confusing some clients. Thanks to the capable engineers of NetNation for bringing this to our
* TCP recursion in combination with a recursing backend on a non-standard port did not work, leading to a non-functioning TCP listener. Thanks to the capable engineers of NetNation for bringing this to our attention.

Unexpected behaviour:

* Wildcard URL records were not implemented because they are a performance penalty. To turn these on, enable wildcard-url in the configuration.
* Unlike other nameservers, local data did not override the internet for recursing queries. This has mostly been brought into conformance with user expectations. If a recursive question can be answered entirely from local data, it is. To restore old behaviour, disable lazy-recursion. Also see Chapter 11.

* Oracle support has been tuned, leading to the first public release of the Oracle backend. Zone2sql now outputs better SQL and the backend is now fully documented. Furthermore, the queries are compatible with the PowerDNS XML-RPC product, allowing PowerDNS express to run off Oracle. See
* Zone2sql now accepts --transactions to wrap zones in a transaction for PostgreSQL and Oracle output. This is a major speedup and also makes for better isolation of inserts. See Section 10.1.
* pdns_control now has the ability to purge the PowerDNS cache or parts of it. This enables operators to raise the TTL of the Packet Cache to huge values and only to invalidate the cache when changes are made. See also Chapter 9 and Section B.1.1.
__________________________________________________________
1.3.44. Version 2.0.1

Maintenance release, fixing three small issues.

Developers: this version is compatible with 1.99.11 backends.

* PowerDNS ignored the logging-facility setting unless it was specified on the commandline. Thanks to Karl Obermayer from WebMachine Technologies for noticing this.
* Zone2sql neglected to preserve 'slaveness' of domains when converting to the slave capable PostgreSQL backend. Thanks to Mike Benoit of NetNation for reporting this. Zone2sql now has a --slave option.
* SOA Hostmaster addresses with dots in them before the @-sign were mis-encoded on the wire.
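The hostmaster item above and the stray-backslash item in the 2.6 notes both come down to RFC 1035 mailbox encoding for the SOA RNAME field: the local part of the address becomes a single label, so a dot inside it must be escaped as \. in presentation form and travel unescaped, inside that one label, on the wire. The following is an added example in C++, not PowerDNS code; the addresses it handles are constructed samples.

```cpp
#include <string>
#include <vector>

// Mailbox -> SOA RNAME presentation form: "john.doe@example.com" becomes
// "john\.doe.example.com". The whole local part is one label, so a dot or
// backslash inside it is escaped; input without '@' is already a name.
std::string mailboxToRname(const std::string& mailbox)
{
  size_t at = mailbox.find('@');
  if (at == std::string::npos)
    return mailbox;
  std::string out;
  for (size_t i = 0; i < at; ++i) {
    if (mailbox[i] == '.' || mailbox[i] == '\\')
      out += '\\';
    out += mailbox[i];
  }
  return out + '.' + mailbox.substr(at + 1);
}

// Presentation form -> wire labels, honouring "\." and "\\" escapes. There
// is no escaping on the wire: "john.doe" travels as a single 8-byte label.
// Returns an empty vector when a label is empty or longer than 63 bytes.
std::vector<std::string> rnameToLabels(const std::string& rname)
{
  std::vector<std::string> labels;
  std::string cur;
  for (size_t i = 0; i < rname.size(); ++i) {
    char c = rname[i];
    if (c == '\\' && i + 1 < rname.size()) {
      cur += rname[++i];          // escaped character, taken literally
      continue;
    }
    if (c == '.') {
      labels.push_back(cur);
      cur.clear();
      continue;
    }
    cur += c;
  }
  if (!cur.empty())
    labels.push_back(cur);        // no trailing dot: flush the last label
  for (const std::string& l : labels)
    if (l.empty() || l.size() > 63)
      return {};
  return labels;
}

// Wire labels -> presentation form. Dots inside a label are escaped again,
// so decoding and re-encoding a name is idempotent: no extra backslashes
// accumulate when the same name is cached, re-read and printed repeatedly.
std::string labelsToRname(const std::vector<std::string>& labels)
{
  std::string out;
  for (size_t i = 0; i < labels.size(); ++i) {
    if (i)
      out += '.';
    for (char c : labels[i]) {
      if (c == '.' || c == '\\')
        out += '\\';
      out += c;
    }
  }
  return out;
}

// The wire label at 'index' for 'mailbox', or "" if there is none.
std::string wireLabel(const std::string& mailbox, size_t index)
{
  std::vector<std::string> labels = rnameToLabels(mailboxToRname(mailbox));
  return index < labels.size() ? labels[index] : std::string();
}
```

The property worth checking in any cache or serialisation layer is the round trip: parsing the escaped presentation form and printing it again must give back exactly the same string, otherwise every pass adds a backslash.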
__________________________________________________________

Two bugfixes, one stability/security related. No new features.

Developers: this version is compatible with 1.99.11 backends.

* zone2sql refused to work under some circumstances, taking 100% cpu and not functioning. Thanks to Andrew Clark and Mike Benoit for reporting this.
* Fixed a stability issue where malformed packets could force PDNS to reload. Present in all earlier 2.0 versions.
__________________________________________________________
1.3.46. Version 2.0 Release Candidate 2

Mostly bugfixes, no really new features.

Developers: this version is compatible with 1.99.11 backends.

* chroot() works again - 2.0rc1 silently refused to chroot. Thanks to Hub Dohmen for noticing this.
* setuid() and setgid() security features were silently not being performed in 2.0rc1. Thanks to Hub Dohmen for
* MX preferences over 255 now work as intended. Thanks to Jeff Crowe for noticing this.
* IPv6 clients can now also benefit from the recursing backend feature. Thanks to Andy Furnell for proving beyond any doubt that this did not work.
* Extremely bogus code removed from DNS notification reception code - please test! Thanks to Jakub Jermar for working with us in figuring out just how broken this was.
* AXFR code improved to handle more of the myriad different zonetransfer dialects available. Specifically, interoperability with Bind 4 was improved, as well as Bind 8 in 'strict rfc conformance' mode. Thanks again to Jakub Jermar for running many tests for us. If your transfers failed with 'Unknown type 14!!' or words to that effect,

* Win32 version now has a zone2sql tool.
* Win32 version now has support for specifying how urgent messages should be before they go to the NT event log.

* One persistent report of the default 'chroot=./' configuration not working.
* One report of disable-axfr and allow-axfr-ips not working
* Support for relative paths in zones and in Bind configuration is not bug-for-bug compatible with bind yet.
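The chroot() and setuid()/setgid() items above show the failure mode that matters for a privilege drop: a step that fails silently leaves the server running as root without anyone noticing. The following is an added example in C++, not PowerDNS code: it performs the drop in the usual order (chroot while still privileged, supplementary groups, gid, then uid), checks every return value, and then verifies the result instead of trusting it. It assumes nothing beyond the POSIX calls shown; an unprivileged caller passing its own uid and gid makes every step a no-op, which is what allows it to be exercised without root.

```cpp
#include <cerrno>
#include <cstring>
#include <string>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

// Returns "" on success, otherwise a description of the first step that
// failed. An empty 'root' skips the chroot; uid/gid equal to the current
// ones make setuid/setgid no-ops.
std::string dropPrivileges(const std::string& root, uid_t uid, gid_t gid)
{
  // 1. chroot first, while we still have the privilege to do so, and chdir
  //    afterwards so the working directory is inside the new root.
  if (!root.empty()) {
    if (chroot(root.c_str()) != 0)
      return "chroot(" + root + "): " + std::strerror(errno);
    if (chdir("/") != 0)
      return std::string("chdir(/): ") + std::strerror(errno);
  }
  // 2. Supplementary groups before the uid change: once we are no longer
  //    root we cannot clear them any more. Only root may call setgroups.
  if (geteuid() == 0 && setgroups(0, nullptr) != 0)
    return std::string("setgroups: ") + std::strerror(errno);
  if (setgid(gid) != 0)
    return std::string("setgid: ") + std::strerror(errno);
  // 3. The uid last; as root, setuid() sets real, effective and saved uid.
  if (setuid(uid) != 0)
    return std::string("setuid: ") + std::strerror(errno);
  // 4. Verify rather than trust: all ids must now match, and if the target
  //    is not root, regaining root must fail.
  if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
    return "privilege drop did not take effect";
  if (uid != 0 && setuid(0) == 0)
    return "root privileges could be regained";
  return "";
}
```

A daemon that starts as root should treat any non-empty return value as fatal: continuing with partial privileges is exactly the silent failure described in the release notes.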
__________________________________________________________

1.3.47. Version 2.0 Release Candidate 1

The MacOS X release! A very experimental OS X 10.2 build has been added. Furthermore, the Windows version is now in line with Unix with respect to capabilities. The ODBC backend now has the code to function as both a master and a slave.

Developers: this version is compatible with 1.99.11 backends.

* Implemented native packet response parsing code, allowing Windows to perform AXFR and NS and SOA queries.
* This is the first version for which we have added support for Darwin 6.0, which is part of the forthcoming Mac OS X 10.2. Please note that although this version is marked RC1, we have not done extensive testing yet. Consider this a technology preview.
  + The Darwin version has been developed on Mac OS X 10.2 (635). Other versions may or may not work.
  + Currently only the random, bind, mysql and pdns backends are included.
  + The menu based installer script does not work, you will have to edit pathconfig by hand as outlined in
  + On Mac OS X Client, PDNS will fail to start because a system service is already bound to port 53.
  This version is distributed as a compressed tar file. You should follow the generic UNIX installation instructions.

* Zone2sql PostgreSQL mode neglected to lowercase $ORIGIN. Thanks to Maikel Verheijen of Ladot for spotting this.
* Zone2sql PostgreSQL mode neglected to remove a trailing dot from $ORIGIN if present. Thanks to Maikel Verheijen of Ladot for spotting this.
* Zonefile parser was not compatible with bind when $INCLUDING non-absolute filenames. Thanks to Jeff Miller for working out how this should work.
* Bind configuration parser was not compatible with bind when including non-absolute filenames. Thanks to Jeff Miller for working out how this should work.
* Documentation incorrectly listed the Bind backend as 'slave capable'. This is not yet true, now labeled 'experimental'.

Windows changes. We are indebted to Dimitry Andric who educated us in the ways of distributing Windows software.

* pdns.conf is now read if available.
* Console version responds to ^c now.
* Default pdns.conf added to distribution
* Uninstaller missed several files, leaving remnants behind
* DLLs are now installed locally, with the pdns executable.
* pdns_control is now also available on Windows
* ODBC backend can now act as master and slave. Experimental.
* The example zone missed indexes and had other faults.
* A runtime DLL that is present on most windows systems (but not all!) was missing.
__________________________________________________________
1.3.48. Version 1.99.12 Prerelease

The Windows release! See Chapter 3. Beware, windows support is still very fresh and untested. Feedback is very welcome.

Developers: this version is compatible with 1.99.11 backends.

* Windows 2000 codebase merge completed. This resulted in quite some changes on the Unix end of things, so this may
* ODBC backend added for Windows. See Section A.10.
* IBM DB2 Universal Database backend available for Linux. See
* Zone2sql now understands $INCLUDE. Thanks to Amaze Internet for nagging about this
* The SOA Minimum TTL now has a configurable default (soa-minimum-ttl) value to placate the DENIC requirements.
* Added a limit on the simultaneous numbers of TCP connections to accept (max-tcp-connections). Defaults to

* When operating in virtual hosting mode (See Chapter 8), the additional init.d scripts would not function correctly and interface with other pdns instances.
* PDNS neglected to conserve case on answers. So a query for WwW.PoWeRdNs.CoM would get an answer listing the address of www.powerdns.com. While this did not confuse resolvers, it is better to conserve case. This has semantic consequences for all backends, which the documentation now
* PostgreSQL backend was case sensitive and returned only answers in case an exact match was found. The Generic PostgreSQL backend is now officially all lower case and zone2sql in PostgreSQL mode enforces this. Documentation has been updated to reflect the case change. Thanks to Maikel Verheijen of Ladot for spotting this!
* Documentation bug - postgresql create/index statements created a duplicate index. If you've previously copy pasted the commands and not noticed the error, execute CREATE INDEX rec_name_index ON records(name) to remedy. Thanks to Jeff Miller for reporting this. This also led to depressingly slow 'ANY' lookups for those of you doing

* pdns_control (see Section B.1.1) now opens the local end of its socket in /tmp instead of next to the remote socket (by default /var/run). This eases the way for allowing non-root access to pdns_control. When running chrooted (see Chapter 7), the local socket again moves back to /var/run.
* pdns_control now has a 'version' command. See Section
__________________________________________________________
1.3.49. Version 1.99.11 Prerelease

This release is important because it is the first release which is accompanied by an Open Source Backend Development Kit, allowing external developers to write backends for PDNS. Furthermore, a few bugs have been fixed:

* Lines with only whitespace in zone files confused PDNS (thanks Henk Wevers)
* PDNS did not properly parse TTLs with symbolic suffixes in zone files, i.e. 2H instead of 7200 (thanks Henk Wevers)
__________________________________________________________
1.3.50. Version 1.99.10 Prerelease

IMPORTANT: there has been a tiny license change involving free public webbased dns hosting, check out the changes before

PDNS is now feature complete, or very nearly so. Besides adding features, a lot of 'fleshing out' work is done now. There is an important performance bug fix which may have led to disappointing benchmarks - so if you saw any of that, please try either this version or 1.99.8 which also does not have the

This version has been very stable for us on multiple hosts, as

PostgreSQL users should be aware that while 1.99.10 works with the schema as presented in earlier versions, advanced features such as master or slave support will not work unless you create the new 'domains' table as well.

* Wildcard AAAA queries sometimes received an NXDOMAIN error where they should have gotten an empty NO ERROR. Thanks to Jeroen Massar for spotting this on the .TK TLD!
* Do not disable the packetcache for 'recursion desired' packets unless a recursor was configured. Thanks to Greg Schueler for noticing this.
* A failing backend would not be reinstated. Thanks to 'Webspider' for discovering this problem with PostgreSQL connections that die after prolonged inactivity.
* Fixed loads of IPv6 transport problems. Thanks to Marco Davids and others for testing. Considered ready for
* Zone2sql printed a debugging statement on range $GENERATE commands. Thanks to Rene van Valkenburg for spotting this.

* PDNS can now act as a master, sending out notifications in case of changes and allowing slaves to AXFR. Big rewording of replication support, domains are now either 'native', 'master' or 'slave'. See Chapter 13 for lots of details.
* Zone2sql in PostgreSQL mode now populates the 'domains' table for easy master, slave or native replication support.
* Ability to disable those annoying Windows DNS Dynamic Update messages from appearing in the log. See log-failed-updates in Chapter 15.
* Ability to run on IPv6 transport only
* Logging can now happen under a 'facility' so all PDNS messages appear in their own file. See Section 6.3.
* Different OS releases of PDNS now get different install path defaults. Thanks to Mark Lastdrager for nagging about this and to Nero Imhard and Frederique Rijsdijk for suggesting saner defaults.
* Infrastructure for 'also-notify' statements added.
__________________________________________________________
1.3.51. Version 1.99.9 Early Access Prerelease

This is again a feature and an infrastructure release. We are nearly feature complete and will soon start work on the backends to make sure that they are all master, slave and 'superslave' capable.

* PDNS sometimes sent out duplicate replies for packets passed to the recursing backend. Mostly a problem on SMP systems. Thanks to Mike Benoit for noticing this.
* Out-of-bailiwick CNAMEs (i.e., a CNAME to a domain not in PDNS) caused a 'ServFail' packet in 1.99.8, indicating failure, leading to hosts not resolving. Thanks to Martin Gillstrom for noticing this.
* Zone2sql balked at zones edited under operating systems terminating files with ^Z (Windows). Thanks Brian Willcott
* PostgreSQL backend logged the password used to connect. Now only does so in case of failure to connect. Thanks to 'Webspider' for noticing this.
* Debian unstable distribution wrongly depended on home compiled PostgreSQL libraries. Thanks to Konrad Wojas for

* When operating as a slave, AAAA records are now supported in the zone. They were already supported in master zones.
* IPv6 transport support - PDNS can now listen on an IPv6 socket using the local-ipv6 setting.
* Very silly randombackend added which appears in the documentation as a sample backend. See Appendix C.
* When transferring a slave zone from a master, out of zone data is now rejected. Malicious operators might try to insert bad records otherwise.
* 'Supermaster' support for automatic provisioning from masters. See Section 13.2.1.
* Recursing backend can now live on a non-standard (!=53) port. See Chapter 11.
* Slave zone retrieval is now queued instead of immediate, which scales better and is more resilient to temporary
* max-queue-length parameter. If this many packets are queued for database attention, consider the situation hopeless and
* SOA records are now 'special' and each backend can optionally generate them in special ways. PostgreSQL backend does so when operating as a slave.
* Writing backends is now a lot easier. See Appendix C.
* Added Bindbackend to internal regression tests, confirming that it is compliant.
3833 __________________________________________________________
1.3.52. Version 1.99.8 Early Access Prerelease

A lot of infrastructure work gearing up to 2.0. Some stability bugs fixed and a lot of new features.

* Bindbackend was overly complex and crashed on some systems on startup. Simplified launch code.
* SOA fields were not always properly filled in, causing default values to go out on the wire.
* Obscure bug triggered by malicious packets (we know who you are) in SOA finding code fixed.
* Magic serial number calculation contained a double free leading to instability.
* Standards violation: questions for domains for which PDNS was unauthoritative now get a SERVFAIL answer. Thanks to the IETF Namedroppers list for helping out with this.
* Slowly launching backends were being relaunched at a great rate when queries were coming in while launching backends.
* MySQL-on-unix-domain-socket on SMP systems was overwhelmed by the quick connection rate on launch, inserted a small
* Some SMP problems appear to be compiler related. Shifted to GCC 3.0.4 for Linux.
* Ran ispell on documentation.

Feature enhancements:

* Recursing backend. See Chapter 11. Allows recursive and authoritative DNS on the same IP address.
* NAPTR support, which is especially useful for the ENUM/E.164 community.
* Zone transfers can now be allowed per netmask instead of only per IP address.
* Preliminary support for slave operation included. Only for the adventurous right now! See Section 13.2.
* All record types now documented, see Chapter 17.
__________________________________________________________

1.3.52.1. Known bugs

Wildcard CNAMEs do not work as they do with bind.

Recursion sometimes sends out duplicate packets (fixed in

Some stability issues which are caught by the guardian
__________________________________________________________

1.3.52.2. Missing features

Features present in this document, but disabled or withheld from the current release:

* gmysqlbackend, oraclebackend
__________________________________________________________
1.3.53. Version 1.99.7 Early Access Prerelease

Named.conf parsing got a lot of work and many more bind configurations can now be parsed. Furthermore, error reporting was improved. Stability is looking good.

* Bind parser got confused by filenames with underscores and
* Bind parser got confused by spaces in quoted names
* FreeBSD version now stops and starts when instructed to do
* Wildcards were off by default, which violates standards.
* --oracle was broken in zone2sql

Feature enhancements:

* Line number counting goes on as it should when including
* Added --no-config to enable users to start the pdns daemon without parsing the configuration file.
* zone2sql now has --bare for unformatted output which can be used to generate insert statements for different database
* zone2sql now has --gpgsql, which is an alias for --mysql, to output in a format useful for the default Generic PgSQL
* zone2sql is now documented.
__________________________________________________________

1.3.53.1. Known bugs

Wildcard CNAMEs do not work as they do with bind.
__________________________________________________________

1.3.53.2. Missing features

Features present in this document, but disabled or withheld from the current release:

* gmysqlbackend, oraclebackend

Some of these features will be present in newer releases.
__________________________________________________________
1.3.54. Version 1.99.6 Early Access Prerelease

This version is now running on dns-eu1.powerdns.net and working very well for us. But please remain cautious before deploying!

* Webserver neglected to show log messages
* TCP question/answer miscounted multiple questions over one socket. Fixed misnaming of counter
* Packetcache now detects clock skew and times out entries
* named.conf parser now reports errors with line number and
* Filenames in named.conf can now contain :

Feature enhancements:

* The webserver now by default does not print out configuration statements, which might contain database backends. Use webserver-print-arguments to restore the old
* Generic PostgreSQL backend is now included. Still rather
__________________________________________________________

1.3.54.1. Known bugs

FreeBSD version does not stop when requested to do so.

Wildcard CNAMEs do not work as they do with bind.
__________________________________________________________

1.3.54.2. Missing features

Features present in this document, but disabled or withheld from the current release:

* gmysqlbackend, oraclebackend

Some of these features will be present in newer releases.
__________________________________________________________
1.3.55. Version 1.99.5 Early Access Prerelease

The main focus of this release is stability and TCP improvements. This is the first release PowerDNS-the-company actually considers for running on its production servers!

* Zone2sql received a floating point division by zero error on named.confs with less than 100 domains.
* Huffman encoder failed without specific error on illegal characters in a domain
* Fixed huge memory leaks in TCP code.
* Removed further file descriptor leaks in guardian
* Pipebackend was too chatty.
* pdns_server neglected to close fds 0, 1 & 2 when

Feature enhancements:

* bindbackend can be instructed not to check the ctime of a zone by specifying bind-check-interval=0, which is also the
* pdns_server --list-modules lists all available modules.

Performance enhancements:

* TCP code now only creates a new database connection for
* TCP connections timeout rather quickly now, leading to less
__________________________________________________________

1.3.55.1. Known bugs

FreeBSD version does not stop when requested to do so.

Wildcard CNAMEs do not work as they do with bind.
__________________________________________________________

1.3.55.2. Missing features

Features present in this document, but disabled or withheld from the current release:

* gmysqlbackend, oraclebackend, gpgsqlbackend

Some of these features will be present in newer releases.
__________________________________________________________
1.3.56. Version 1.99.4 Early Access Prerelease

A lot of new named.confs can now be parsed, zone2sql & bindbackend have gained features and stability.

* Label compression was not always enabled, leading to large reply packets sometimes.
* Database errors on TCP server lead to a nameserver reload
* MySQL backend neglected to close its connection properly.
* BindParser misparsed some IP addresses and netmasks.
* Truncated answers were also truncated on the packetcache, leading to truncated TCP answers.

Feature enhancements:

* Zone2sql and the bindbackend now understand the Bind
* Zone2sql can optionally gloss over non-existing zones with --on-error-resume-next.
* Zone2sql and the bindbackend now properly expand @ also on the right hand side of records.
* Zone2sql now sets a default TTL.
* DNS UPDATEs and NOTIFYs are now logged properly and sent the right responses.

Performance enhancements:

* 'Fancy records' are no longer queried for on ANY queries - this is a big speedup.
__________________________________________________________

1.3.56.1. Known bugs

FreeBSD version does not stop when requested to do so.

Zone2sql refuses named.confs with less than 100 domains.

Wildcard CNAMEs do not work as they do with bind.
__________________________________________________________

1.3.56.2. Missing features

Features present in this document, but disabled or withheld from the current release:

* gmysqlbackend, oraclebackend, gpgsqlbackend

Some of these features will be present in newer releases.
__________________________________________________________
1.3.57. Version 1.99.3 Early Access Prerelease

The big news in this release is the BindBackend which is now capable of parsing many more named.conf Bind configurations. Furthermore, PDNS has successfully parsed very large named.confs with large numbers of small domains, as well as small numbers of large domains (TLD).

Zone transfers are now also much improved.

* zone2sql leaked file descriptors on each domain, used wrong Bison recursion leading to parser stack overflows. This limited the amount of domains that could be parsed to 1024.
* zone2sql can now read all known zonefiles, with the exception of those containing $GENERATE
* Guardian relaunching a child lost two file descriptors
* Don't die on a connection reset by peer during zone
* Webserver does not crash anymore on ringbuffer resize

Feature enhancements:

* AXFR can now be disabled, and re-enabled per IP address
* --help accepts a parameter, will then show only help items
* zone2sql now accepts a --zone-name parameter
* BindBackend maturing - 9500 zones parsed in 3.5 seconds. No longer case sensitive.

Performance enhancements:

* Implemented RFC-breaking AXFR format (which is the industry standard). Zone transfers now zoom along at wirespeed (many
__________________________________________________________

1.3.57.1. Known bugs

FreeBSD version does not stop when requested to do so.

BindBackend cannot parse zones with $GENERATE statements.
__________________________________________________________

1.3.57.2. Missing features

Features present in this document, but disabled or withheld from the current release:

* gmysqlbackend, oraclebackend, gpgsqlbackend

Some of these features will be present in newer releases.
__________________________________________________________
1.3.58. Version 1.99.2 Early Access Prerelease

* Database backend reload does not hang the daemon anymore
* Buffer overrun in local socket address initialisation may have caused binding problems
* setuid changed the uid to the gid of the selected user
* zone2sql doesn't coredump on invocation anymore. Fixed lots
* Don't parse configuration file when creating configuration file. This was a problem with reinstalling.

Performance improvements:

* removed a lot of unnecessary gettimeofday calls
* removed needless select(2) call in case of listening on
* removed 3 useless syscalls in the fast path

Having said that, more work may need to be done. Testing on a 486 saw packet rates in a simple setup (question/wait/answer/question..) improve from 200 queries/second to over 400.

Usability improvements:

* Fixed error checking in init.d script (show, mrtg)
* Added 'uptime' to the mrtg output
* removed further GNUisms from installer and init.d scripts
* Debian package and apt repository, thanks to Wichert
* FreeBSD /usr/ports, thanks to Peter van Dijk (in progress).

Stability may be an issue as well as performance. This version has a tendency to log a bit too much which slows the nameserver
__________________________________________________________

1.3.58.1. Known bugs

Decreasing a ringbuffer on the website is a sure way to crash the daemon. Zone2sql, while improved, still has problems with a zone in the following format:

To fix, add 'name' to the second line.

Zone2sql does not close filedescriptors.

FreeBSD version does not stop when requested via the init.d
__________________________________________________________

1.3.58.2. Missing features

Features present in this document, but disabled or withheld from the current release:

* gmysqlbackend, oraclebackend, gpgsqlbackend
* fully functioning bindbackend - will try to parse named.conf, but probably fail

Some of these features will be present in newer releases.
__________________________________________________________
1.3.59. Version 1.99.1 Early Access Prerelease

This is the first public release of what is going to become PDNS 2.0. As such, it is not of production quality. Even PowerDNS-the-company does not run this yet.

Stability may be an issue as well as performance. This version has a tendency to log a bit too much which slows the nameserver
__________________________________________________________

1.3.59.1. Known bugs

Decreasing a ringbuffer on the website is a sure way to crash the daemon. Zone2sql is very buggy.
__________________________________________________________

1.3.59.2. Missing features

Features present in this document, but disabled or withheld from the current release:

* gmysqlbackend, oraclebackend, gpgsqlbackend
* fully functioning bindbackend - will not parse

Some of these features will be present in newer releases.
__________________________________________________________
If you have a security problem to report, please email us at both <powerdns@powerdns.com> and at <ahu@ds9a.nl>. We adhere to the Rain Forest Puppy Full Disclosure Policy (RFPolicy) v2.0 and we ask you to do the same. In particular, please do not mail security issues to public lists unless we do not get back to you in a timely manner.

We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. This license is included in the distribution and in this documentation, see Appendix E.

As of the 6th of August 2008, no actual security problems with PowerDNS 2.9.21.1, Recursor 3.1.5, or later are known about. This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. Any such notifications will also be sent to all PowerDNS mailinglists.

Version 3.1.4 and earlier of the PowerDNS recursor were vulnerable to a spoofing attack. For more detail, see Section

Version 3.1.3 and earlier of the PowerDNS recursor contain two security issues, both of which can lead to a denial of service, both of which can be triggered by remote users. One of the issues might be exploited and lead to a system compromise. For more detail, see Section 1.5 and Section 1.6.

Version 3.0 of the PowerDNS recursor contains a denial of service bug which can be exploited remotely. This bug, which we believe to only lead to a crash, has been fixed in 3.0.1. There are no guarantees however, so an upgrade from 3.0 is highly

All versions of PowerDNS before 2.9.21.1 do not respond to certain queries. This in itself is not a problem, but since the discovery by Dan Kaminsky of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances to feed *other* resolvers

All versions of PowerDNS before 2.9.18 contain the following two bugs, which only apply to installations running with the LDAP backend, or installations providing recursion to a limited range of IP addresses. If any of these apply to you, an upgrade

* The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, but we advise LDAP users to update as quickly as possible (Norbert Sendetzky,
* Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. This would've made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and not a denial of a domain's existence.

All versions of PowerDNS before 2.9.17 are known to suffer from remote denial of service problems which can disrupt operation. Please upgrade to 2.9.17 as this page will only contain detailed security information from 2.9.17 onwards.
__________________________________________________________
1.5. PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable

Table 1-1. PowerDNS Security Advisory

Date: 13th of November 2006
Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all
Not affected: No versions of the PowerDNS Authoritative Server ('pdns_server') are affected.
Impact: Potential remote system compromise.
Exploit: As far as we know, no exploit is available as of 11th
Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply the patches referred to below and recompile
Workaround: Disable TCP access to the Recursor. This will have slight operational impact, but it is likely that this will not lead to meaningful degradation of service. Disabling access is best performed at packet level, either by configuring a firewall, or instructing the host operating system to drop TCP connections to port 53. Additionally, exposure can be limited by configuring the allow-from setting so only trusted users can query your nameserver.

PowerDNS Recursor 3.1.3 and previous miscalculate the length of incoming TCP DNS queries, and will attempt to read up to 4 gigabytes of query into a 65535 byte buffer.

We have not verified if this problem might actually lead to a system compromise, but are acting on the assumption that it

For distributors, a minimal patch is available on the PowerDNS wiki. Additionally, those shipping very old versions of the PowerDNS Recursor might benefit from this patch.

The impact of these and other security problems can be lessened by considering the advice in Chapter 7.
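The defensive pattern that the advisory's bug class calls for, as an added illustration (this is not PowerDNS code and does not reproduce the Recursor's actual miscalculation, which the advisory does not detail): the 2-byte TCP length prefix is decoded as an unsigned 16-bit value and checked against the receive buffer before a single payload byte is read, so no declared length can ever drive a read past the buffer. The ByteStream class and the sample messages are constructed for the demonstration.

```python
import struct

# Over TCP a DNS message is preceded by a 2-byte length (RFC 1035, 4.2.2).
# The prefix cannot express more than 65535, so that is the largest buffer
# a receiver ever needs; anything claiming more than the buffer is hostile.
MAX_DNS_MESSAGE = 65535
DNS_HEADER_LEN = 12


def declared_length(prefix):
    """Decode the TCP length prefix as an unsigned big-endian 16-bit value.

    Decoding as unsigned matters: a signed decode of 0xFFFF yields -1, and a
    negative count handed to a read loop is one way to end up reading far
    more than the buffer holds.
    """
    if len(prefix) != 2:
        raise ValueError("length prefix must be exactly 2 bytes")
    return struct.unpack("!H", prefix)[0]


def recv_exact(recv, n):
    """Read exactly n bytes via recv(k) -> bytes, failing cleanly on EOF."""
    chunks = []
    remaining = n
    while remaining > 0:
        chunk = recv(remaining)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def read_tcp_dns_message(recv, buffer_size=MAX_DNS_MESSAGE):
    """Read one length-prefixed DNS message, validating the length first.

    The declared length is checked against the buffer *before* any payload
    is read, so a hostile prefix can never cause an over-long read.
    """
    length = declared_length(recv_exact(recv, 2))
    if length < DNS_HEADER_LEN:
        raise ValueError("declared length %d is shorter than a DNS header" % length)
    if length > buffer_size:
        raise ValueError("declared length %d exceeds the %d-byte buffer"
                         % (length, buffer_size))
    return recv_exact(recv, length)


class ByteStream:
    """Constructed stand-in for a TCP socket that hands out data in small
    pieces, so the reassembly loop is exercised the way a real stream is."""

    def __init__(self, data, chunk=5):
        self.data, self.pos, self.chunk = data, 0, chunk

    def recv(self, n):
        piece = self.data[self.pos:self.pos + min(n, self.chunk)]
        self.pos += len(piece)
        return piece


def try_read(data, buffer_size=MAX_DNS_MESSAGE):
    """Returns ('ok', message) or ('rejected', reason) for a constructed stream."""
    try:
        return "ok", read_tcp_dns_message(ByteStream(data).recv, buffer_size)
    except (ValueError, ConnectionError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample: a header-only 12-byte message (id 0x1234, RD set).
    print(try_read(b"\x00\x0c" + b"\x12\x34\x01\x00" + b"\x00" * 8))
    # Constructed hostile prefix: claims 65535 bytes against a 512-byte buffer.
    print(try_read(b"\xff\xff" + b"\x00" * 20, buffer_size=512))
    # Constructed truncated stream: claims 12 bytes, delivers only 4.
    print(try_read(b"\x00\x0c" + b"\x00" * 4))
```

The order of operations is the whole point: length decode, bounds check, then read. A reader that allocates or loops on the declared length before comparing it with its buffer has already lost, whatever the buffer size.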
__________________________________________________________
1.6. PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash

Table 1-2. PowerDNS Security Advisory

Date: 13th of November 2006
Affects: PowerDNS Recursor versions 3.1.3 and earlier, on all
Not affected: No versions of the PowerDNS Authoritative Server ('pdns_server') are affected.
Impact: Denial of service
Exploit: This problem can be triggered by sending queries for specifically configured domains
Solution: Upgrade to PowerDNS Recursor 3.1.4, or apply commit
Workaround: None known. Exposure can be limited by configuring the allow-from setting so only trusted users can query your

PowerDNS would recurse endlessly on encountering a CNAME loop consisting entirely of zero second CNAME records, eventually exceeding resources and crashing.
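What a CNAME chase needs in order not to fall into the trap described above, as an added example (not PowerDNS code): the resolver remembers every owner name it has already visited and also caps the number of hops, and neither guard looks at the TTL, so a chain of zero-second records gets the same bounded effort as any other. The in-memory zone data is constructed for the demonstration; the hop limit of 8 is an assumption, not a PowerDNS setting.

```python
# Constructed zone data: owner name -> list of (rrtype, ttl, rdata).
ZONE = {
    "www.example.org.":  [("CNAME", 0, "a.example.org.")],
    "a.example.org.":    [("CNAME", 0, "b.example.org.")],
    "b.example.org.":    [("CNAME", 0, "www.example.org.")],  # closes a zero-TTL loop
    "shop.example.org.": [("CNAME", 300, "web.example.org.")],
    "web.example.org.":  [("A", 60, "192.0.2.10")],
}
# A long but loop-free chain, to show the hop limit firing on its own.
for i in range(20):
    ZONE["deep%d.example.org." % i] = [("CNAME", 0, "deep%d.example.org." % (i + 1))]
ZONE["deep20.example.org."] = [("A", 60, "192.0.2.20")]

MAX_CNAME_HOPS = 8   # assumption for the demonstration


class CnameLoop(Exception):
    """A CNAME chain revisited a name it had already passed through."""


class CnameChainTooLong(Exception):
    """A CNAME chain exceeded MAX_CNAME_HOPS without revisiting a name."""


def follow_cnames(name, zone, qtype="A", max_hops=MAX_CNAME_HOPS):
    """Resolve qtype for name, chasing CNAMEs with loop and depth guards.

    Returns (chain, answers, ttl): the CNAME links followed, the final
    records of qtype, and the minimum TTL seen along the way.  A zero-TTL
    link caps how long the combined answer may be cached; it must never
    influence how much work the resolver is willing to do.
    """
    seen = set()
    chain = []
    ttl = None
    current = name
    while True:
        if current in seen:
            path = " -> ".join(owner for owner, _, _ in chain)
            raise CnameLoop("loop back to %s after %s" % (current, path))
        if len(chain) > max_hops:
            raise CnameChainTooLong("more than %d CNAME hops from %s" % (max_hops, name))
        seen.add(current)
        rrs = zone.get(current, [])
        cnames = [r for r in rrs if r[0] == "CNAME"]
        if not cnames:
            answers = [r for r in rrs if r[0] == qtype]
            for r in answers:
                ttl = r[1] if ttl is None else min(ttl, r[1])
            return chain, answers, ttl
        _, link_ttl, target = cnames[0]
        ttl = link_ttl if ttl is None else min(ttl, link_ttl)
        chain.append((current, target, link_ttl))
        current = target


def chase_outcome(name, zone=ZONE):
    """Classify a lookup as 'ok', 'loop' or 'too-long' for the demonstration."""
    try:
        follow_cnames(name, zone)
        return "ok"
    except CnameLoop:
        return "loop"
    except CnameChainTooLong:
        return "too-long"


if __name__ == "__main__":
    for owner in ("shop.example.org.", "www.example.org.", "deep0.example.org."):
        print(owner, chase_outcome(owner))
```

The loop is caught on the third hop, long before the hop limit, because the guard keys on the names visited rather than on how much time has passed or how many records remain cacheable.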
__________________________________________________________
1.7. PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to 'spoof' PowerDNS Recursor

Table 1-3. PowerDNS Security Advisory

CVE: Not yet assigned
Date: 31st of March 2008
Affects: PowerDNS Recursor versions 3.1.4 and earlier, on most
Not affected: No versions of the PowerDNS Authoritative Server ('pdns_server') are affected.
Impact: Data manipulation; client redirection
Exploit: This problem can be triggered by sending queries for specifically configured domains, sending spoofed answer packets immediately afterwards.
Solution: Upgrade to PowerDNS Recursor 3.1.5, or apply changesets 1159, 1160 and 1164.
Workaround: None known. Exposure can be limited by configuring the allow-from setting so only trusted users can query your

We would like to thank Amit Klein of Trusteer for bringing a serious vulnerability to our attention which would enable a smart attacker to 'spoof' previous versions of the PowerDNS Recursor into accepting possibly malicious data.

Details can be found on this Trusteer page.

This security problem was announced in this email message.

It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 as soon as practicable, while we simultaneously note that busy servers are less susceptible to the attack, but not immune.

The vulnerability is present on all operating systems where the behaviour of the libc random() function can be predicted based on its past output. This includes at least all known versions of Linux, as well as Microsoft Windows, and probably FreeBSD

The magnitude of this vulnerability depends on internal details of the system random() generator. For Linux, the mathematics of the random generator are complex, but well understood and Amit Klein has written and published a proof of concept that can successfully predict its output after uninterrupted observation of 40-50 DNS queries.

Because the observation needs to be uninterrupted, busy PowerDNS Recursor instances are harder to subvert - other data is highly likely to be interleaved with traffic generated by an

Nevertheless, operators are urged to update at their earliest
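The property at issue, as an added illustration (not PowerDNS code, and not glibc's random(), whose internals the advisory leaves to the Trusteer write-up): a generator whose next value follows from what it already emitted cannot protect transaction ids or source ports, whereas values drawn from the operating system's entropy source via Python's secrets module carry no such relation. The ToyLcg class is a constructed textbook linear congruential generator that exposes its whole state in each output; the ephemeral port range used in fresh_query_identity is an assumption.

```python
import secrets


class ToyLcg:
    """Constructed non-cryptographic generator: each output is the full state,
    so anyone who knows the constants can continue the sequence."""

    A, C, M = 1103515245, 12345, 2 ** 31

    def __init__(self, seed):
        self.state = seed % self.M

    def next(self):
        self.state = (self.A * self.state + self.C) % self.M
        return self.state


def predict_next(observed):
    """What an observer who knows the generator computes from one output."""
    return (ToyLcg.A * observed + ToyLcg.C) % ToyLcg.M


def lcg_sequence(seed, n):
    gen = ToyLcg(seed)
    return [gen.next() for _ in range(n)]


def csprng_sequence(n):
    """Same value range, but each draw comes from the OS entropy source."""
    return [secrets.randbelow(ToyLcg.M) for _ in range(n)]


def sequence_is_predictable(seq):
    """True if every value after the first is exactly what predict_next forecasts.

    Against the toy generator this is always True; against the CSPRNG the
    chance of even one forecast matching is about 2^-31 per pair.
    """
    return all(predict_next(a) == b for a, b in zip(seq, seq[1:]))


def fresh_query_identity():
    """Transaction id and UDP source port for an outgoing query, from a CSPRNG.

    Both fields must be unguessable from earlier queries, since together they
    are all that distinguishes a genuine answer from a forged one.
    """
    txid = secrets.randbits(16)
    port = 1024 + secrets.randbelow(65536 - 1024)   # ephemeral range: assumption
    return txid, port


if __name__ == "__main__":
    print("toy LCG predictable:", sequence_is_predictable(lcg_sequence(42, 8)))
    print("CSPRNG predictable:", sequence_is_predictable(csprng_sequence(8)))
    print("query identity:", fresh_query_identity())
```

The advisory's remark that busy servers are harder to attack follows from the same picture: prediction needs a contiguous window of the generator's output, which interleaved traffic from other clients breaks up. Using a CSPRNG removes the dependence on traffic volume altogether.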
__________________________________________________________
1.8. PowerDNS Security Advisory 2008-02: By not responding to certain queries, domains become easier to spoof

Table 1-4. PowerDNS Security Advisory

Date: 6th of August 2008
Affects: PowerDNS Authoritative Server 2.9.21 and earlier
Not affected: No versions of the PowerDNS Recursor ('pdns_recursor') are affected.
Impact: Data manipulation; client redirection
Exploit: Domains with servers that drop certain queries can be spoofed using simpler measures than would usually be required
Solution: Upgrade to PowerDNS Authoritative Server 2.9.21.1, or
Workaround: None known.

Brian J. Dowling of Simplicity Communications has discovered a security implication of the previous PowerDNS behaviour to drop queries it considers malformed. We are grateful that Brian notified us quickly about this problem.

The implication is that while the PowerDNS Authoritative server itself does not face a security risk because of dropping these malformed queries, other resolving nameservers run a higher risk of accepting spoofed answers for domains being hosted by PowerDNS Authoritative Servers before 2.9.21.1.

While the dropping of queries does not aid sophisticated spoofing attempts, it does facilitate simpler attacks.
__________________________________________________________
1.9. PowerDNS Security Advisory 2008-02: Some PowerDNS Configurations can be forced to restart remotely

Table 1-5. PowerDNS Security Advisory

CVE: Not yet assigned
Date: 18th of November 2008
Affects: PowerDNS Authoritative Server 2.9.21.1 and earlier
Not affected: No versions of the PowerDNS Recursor ('pdns_recursor') are affected. Versions not running in single threaded mode ('distributor-threads=1') are probably not
Impact: Denial of Service
Exploit: Send PowerDNS a CH HINFO query.
Solution: Upgrade to PowerDNS Authoritative Server 2.9.21.2, or
Workaround: Remove 'distributor-threads=1' if this is set.

Daniel Drown discovered that his PowerDNS 2.9.21.1 installation crashed on receiving a HINFO CH query. In his enthusiasm, he shared his discovery with the world, forcing a rapid over-the-weekend release cycle.

While we thank Daniel for his discovery, please study our security policy as outlined in Section 1.4 before making vulnerabilities public.

It is believed that this issue only impacts PowerDNS Authoritative Servers operating with 'distributor-threads=1', but even on other configurations a database reconnect occurs on receiving a CH HINFO query.
__________________________________________________________
1.10. Acknowledgements

PowerDNS is grateful for the help of the following people or

* Mike Benoit (NetNation Communication Inc)
* IETF Namedroppers mailinglist

(these people don't share the blame for any errors or mistakes in powerdns - those are all ours)
__________________________________________________________
Chapter 2. Installing on Unix

You will typically install PDNS > 2.9 via source or via a package. Earlier versions used a clumsy binary installer.
__________________________________________________________

2.1. Possible problems at this point

At this point some things may have gone wrong. Typical errors

error while loading shared libraries: libstdc++.so.x: cannot open shared object file: No such file or directory
    Errors looking like this indicate a mismatch between your PDNS distribution and your Unix operating system. Download the static PDNS distribution for your operating system and try again. Please contact <pdns@powerdns.com> if this is impractical.
__________________________________________________________
2.2. Testing your install

After installing, it is a good idea to test the basic functionality of the software before configuring database backends. For this purpose, PowerDNS contains the 'bindbackend' which has a domain built in, example.com, which is officially reserved for testing. To test, edit pdns.conf and add the following if not already present:

As of 2.9.21, the BIND backend no longer features the 'bind-example-zones' command. These will return in 2.9.22.

This configures powerdns to 'launch' the bindbackend, and enable the example zones. To fire up PDNS in testing mode, execute: /etc/init.d/pdns monitor, where you may have to substitute the location of the SysV init.d directory you specified earlier. In monitor mode, the pdns process runs in the foreground and is very verbose, which is perfect for testing your install. If everything went all right, you can query the example.com domain like this:

host www.example.com 127.0.0.1

www.example.com should now have IP address 1.2.3.4. The host command can usually be found in the dnsutils package of your operating system. An alternative command is: dig www.example.com A @127.0.0.1 or even nslookup www.example.com 127.0.0.1, although nslookup is not advised for DNS diagnostics.

* example.com SOA record
* example.com NS record pointing to ns1.example.com
* example.com NS record pointing to ns2.example.com
* example.com MX record pointing to mail.example.com
* example.com MX record pointing to mail1.example.com
* mail.example.com A record pointing to 4.3.2.1
* mail1.example.com A record pointing to 5.4.3.2
* ns1.example.com A record pointing to 4.3.2.1
* ns2.example.com A record pointing to 5.4.3.2
* host-0 to host-9999.example.com A record pointing to

When satisfied that basic functionality is there, type QUIT to exit the monitor mode. The adventurous may also type SHOW * to see some internal statistics. In case of problems, you will want to read the following section.
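For installs where host or dig are not available, or where you want the check scripted, the same test can be done from a few lines of Python. This is an added example, not part of the PowerDNS distribution: it builds a bare A query, sends it over UDP to the local server, and parses the answer section, verifying the transaction id and RCODE before trusting the records. The server address 127.0.0.1 and port 53 are assumptions (use 5300 if you moved the server with local-port as described in the next section); the response packet used in the self-check is constructed to match the example zone.

```python
import secrets
import socket
import struct

SERVER = "127.0.0.1"   # assumption: the test instance from this section
PORT = 53              # assumption: change to 5300 if local-port=5300 is set


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (QTYPE 1 = A, QCLASS 1 = IN); returns (packet, txid)."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1), txid


def read_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels = []
    end = None
    jumped = False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def rcode_of(data):
    return struct.unpack("!H", data[2:4])[0] & 0x000F


def parse_a_answers(data, expected_txid=None):
    """Return [(owner, ttl, ipv4), ...] for A records in the answer section."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if rcode_of(data) != 0:
        raise ValueError("server returned RCODE %d" % rcode_of(data))
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((owner, ttl, socket.inet_ntoa(rdata)))
    return answers


def response_matches(data, txid, name, expected_ip):
    """True if the response carries an A record for name with expected_ip."""
    try:
        answers = parse_a_answers(data, txid)
    except ValueError:
        return False
    return any(owner == name and ip == expected_ip for owner, _, ip in answers)


def lookup_a(name, server=SERVER, port=PORT, timeout=2.0):
    """Send the query over UDP and return the parsed A records."""
    packet, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


if __name__ == "__main__":
    print(lookup_a("www.example.com"))   # expect an A record for 1.2.3.4
```

Checking the transaction id and RCODE before reading records is not pedantry even on localhost: it is the habit that makes the same helper usable later against a server on the network, where an unrelated or rejected reply must not be mistaken for success.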
__________________________________________________________
2.2.1. Typical errors

At this point some things may have gone wrong. Typical errors

binding to UDP socket: Address already in use
    This means that another nameserver is listening on port 53 already. You can resolve this problem by determining if it is safe to shut down the nameserver already present, and doing so. If uncertain, it is also possible to run PDNS on another port. To do so, add local-port=5300 to pdns.conf, and try again. This however implies that you can only test your nameserver, as clients expect the nameserver to live on port 53.

binding to UDP socket: Permission denied
    You must be superuser in order to be able to bind to port 53. If this is not a possibility, it is also possible to run PDNS on another port. To do so, add local-port=5300 to pdns.conf, and try again. This however implies that you can only test your nameserver, as clients expect the nameserver to live on port 53.

Unable to launch, no backends configured for querying
    PDNS did not find the launch=bind instruction in

Multiple IP addresses on your server, PDNS sending out answers on the wrong one, Massive amounts of 'recvfrom gave error, ignoring: Connection refused'
    If you have multiple IP addresses on the internet on one machine, UNIX often sends out answers over another interface than the one the packet came in on. In such cases, use local-address to bind to specific IP addresses, which can be comma separated. The second error comes from remotes disregarding answers to questions they didn't ask to that IP address and sending
__________________________________________________________
2.3. Running PDNS on unix

PDNS is normally controlled via a SysV-style init.d script, often located in /etc/init.d or /etc/rc.d/init.d. This script accepts the following commands:

monitor
    Monitor is a special way to view the daemon. It executes PDNS in the foreground with a lot of logging turned on, which helps in determining startup problems. Besides running in the foreground, the raw PDNS control socket is made available. All external communication with the daemon is normally sent over this socket. While useful, the control console is not an officially supported feature. Commands which work are: QUIT, SHOW *, SHOW

start
    Start PDNS in the background. Launches the daemon but makes no special effort to determine success, as making database connections may take a while. Use status to query success. You can safely run start many times; it will not start additional PDNS instances.

restart
    Restarts PDNS if it was running, starts it otherwise.

status
    Query PDNS for status. This can be used to figure out if a launch was successful. The status found is prefixed by the PID of the main PDNS process.

stop
    Requests that PDNS stop. Again, does not confirm success. Success can be ascertained with the status

dump
    Dumps a lot of statistics of a running PDNS daemon. It is also possible to single out a specific variable by using the show command.

show
    Show a single statistic, as present in the output of the

See the performance monitoring Chapter 6.
__________________________________________________________
Chapter 3. Installing on Microsoft Windows

PowerDNS support for Windows is, as of 1.99.12, very recent and
therefore quite 'beta'. For reliability, we currently advise
the use of the Unix versions. Furthermore there is no support
for master or slave operation in the ODBC backend, which is the
only one provided currently.

As of 1.99.12, PowerDNS supports Windows natively. PDNS can act
as an NT service and works with any ODBC drivers you may have.

To install PowerDNS for Windows you should check that your PC
meets the following requirements:

* A PC running Microsoft NT (with a recent service pack and at
  least MDAC 2.5), 2000 or XP.
* An ODBC source containing valid zone information (an
  example MS Access database is supplied in the form of

After installing the software you should create a valid ODBC
source. To do this you have to open the ODBC sources dialog:
Start->Settings->Control Panel->Administrative Tools->Data

We'll use the example zone database that is included in the
installation to explain how to create a source.

When you are in the ODBC sources dialog you activate the System

It is important to create a System DSN instead of a User DSN,
otherwise the ODBC backend cannot function.

Press Add..., then you have to select a driver.

Select Microsoft Access Driver (*.mdb).

Use PowerDNS as the DSN name; you can leave the description

Then press Select... to select the database (i.e. C:\Program
Files\PowerDNS\powerdns.mdb).

Press Ok and you should be done.

For more information, see Section A.10.
__________________________________________________________
3.1. Configuring PDNS on Microsoft Windows

You can specify program parameters in the pdns.conf file, which
should be located in the pdns directory (i.e. C:\Program

To see a list of available parameters you can run pdns.exe

A default configuration file has been supplied with the
__________________________________________________________

3.2. Running PDNS on Microsoft Windows

If you installed pdns on Windows NT, 2000 or XP you can run

This is how to do it: go to Services (Start->Settings->Control
Panel->Administrative Tools->Services) and locate PDNS (you
should have registered the program as an NT service during the

Double-click on PDNS and push the Start button. You should now
see a progress bar that gets to the end, and the status
change to 'Started'.

This is the same as starting pdns like this: pdns.exe

If you haven't registered pdns as a service during the
installation you can do so from the command line by starting
pdns like this: pdns.exe --register-service

You can run pdns as a standard console program by using a
command prompt or Start->Run... This way you can specify
command-line parameters (see the documentation for command-line

If you chose to add a PowerDNS menu to the Start menu during
the installation you can start pdns using the pdns shortcut in
__________________________________________________________
Chapter 4. Basic setup: configuring database connectivity

This chapter shows you how to configure the Generic MySQL
backend, which we like a lot. But feel free to use any of the
myriad other backends. This backend is called 'gmysql', and
needs to be configured in pdns.conf. Add the following lines,
adjusted for your local setup:

    gmysql-host=127.0.0.1
    gmysql-dbname=pdnstest

Remove any earlier launch statements. Also remove the
bind-example-zones statement as the bind module is no longer

Make sure that you can actually resolve the hostname of your
database without accessing the database! It is advised to
supply an IP address here to prevent chicken/egg problems!

Be very, very sure that you configure the *g*mysql backend and
not the mysql backend. See Section A.5. If you use the 'mysql'
backend things will only appear to work.

Now start PDNS using the monitor command:

    # /etc/init.d/pdns monitor
    15:31:30 About to create 3 backend threads
    15:31:30 [gMySQLbackend] Failed to connect to database: Error: Unknown database 'pdnstest'
    15:31:30 [gMySQLbackend] Failed to connect to database: Error: Unknown database 'pdnstest'
    15:31:30 [gMySQLbackend] Failed to connect to database: Error: Unknown database 'pdnstest'

This is to be expected - we did not yet add anything to
MySQL for PDNS to read from. At this point you may also see
other errors which indicate that PDNS either could not find
your MySQL server or was unable to connect to it. Fix these

General MySQL knowledge is assumed in this chapter; please do
not interpret these commands as DBA advice!
__________________________________________________________
4.1. Example: configuring MySQL

Connect to MySQL as a user with sufficient privileges and issue
the following commands:

    create table domains (
      id INT auto_increment,
      name VARCHAR(255) NOT NULL,
      master VARCHAR(128) DEFAULT NULL,
      last_check INT DEFAULT NULL,
      type VARCHAR(6) NOT NULL,
      notified_serial INT DEFAULT NULL,
      account VARCHAR(40) DEFAULT NULL,
      primary key (id)
    );

    CREATE UNIQUE INDEX name_index ON domains(name);

    CREATE TABLE records (
      id INT auto_increment,
      domain_id INT DEFAULT NULL,
      name VARCHAR(255) DEFAULT NULL,
      type VARCHAR(6) DEFAULT NULL,
      content VARCHAR(255) DEFAULT NULL,
      ttl INT DEFAULT NULL,
      prio INT DEFAULT NULL,
      change_date INT DEFAULT NULL,
      primary key (id)
    );

    CREATE INDEX rec_name_index ON records(name);
    CREATE INDEX nametype_index ON records(name,type);
    CREATE INDEX domain_id ON records(domain_id);

    create table supermasters (
      ip VARCHAR(25) NOT NULL,
      nameserver VARCHAR(255) NOT NULL,
      account VARCHAR(40) DEFAULT NULL
    );

    GRANT SELECT ON supermasters TO pdns;
    GRANT ALL ON domains TO pdns;
    GRANT ALL ON records TO pdns;

Now we have a database and empty tables. PDNS should now be
able to launch in monitor mode and display no errors:

    # /etc/init.d/pdns monitor
    15:31:30 PowerDNS 1.99.0 (Mar 12 2002, 15:00:28) starting up
    15:31:30 About to create 3 backend threads
    15:39:55 [gMySQLbackend] MySQL connection succeeded
    15:39:55 [gMySQLbackend] MySQL connection succeeded
    15:39:55 [gMySQLbackend] MySQL connection succeeded

A sample query sent to the database should now return quickly

    $ host www.test.com 127.0.0.1
    www.test.com A record currently not present at localhost

And indeed, the control console now shows:

    Mar 12 15:41:12 We're not authoritative for 'www.test.com', sending unauth normal response

Now we need to add some records to our database:

    mysql> INSERT INTO domains (name, type) values ('test.com', 'NATIVE');
    INSERT INTO records (domain_id, name, content, type,ttl,prio)
    VALUES (1,'test.com','localhost ahu@ds9a.nl 1','SOA',86400,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio)
    VALUES (1,'test.com','dns-us1.powerdns.net','NS',86400,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio)
    VALUES (1,'test.com','dns-eu1.powerdns.net','NS',86400,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio)
    VALUES (1,'www.test.com','199.198.197.196','A',120,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio)
    VALUES (1,'mail.test.com','195.194.193.192','A',120,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio)
    VALUES (1,'localhost.test.com','127.0.0.1','A',120,NULL);
    INSERT INTO records (domain_id, name, content, type,ttl,prio)
    VALUES (1,'test.com','mail.test.com','MX',120,25);

If we now requery our database, www.test.com should be present:

    $ host www.test.com 127.0.0.1
    www.test.com A 199.198.197.196

    $ host -v -t mx test.com 127.0.0.1
    Query about test.com for record types MX
    Query done, 1 answer, authoritative status: no error
    test.com 120 IN MX 25 mail.test.com
    Additional information:
    mail.test.com 120 IN A 195.194.193.192

To confirm what happened, issue the command SHOW * to the

    corrupt-packets=0,latency=0,packetcache-hit=2,packetcache-miss=5,packetcache-size=0,
    qsize-a=0,qsize-q=0,servfail-packets=0,tcp-answers=0,tcp-queri
    timedout-packets=0,udp-answers=7,udp-queries=7,

The actual numbers will vary somewhat. Now enter QUIT and start
PDNS as a regular daemon, and check launch status:

    # /etc/init.d/pdns start
    # /etc/init.d/pdns status
    pdns: 8239: Child running
    # /etc/init.d/pdns dump
    pdns: corrupt-packets=0,latency=0,packetcache-hit=0,packetcach
    packetcache-size=0,qsize-a=0,qsize-q=0,servfail-packets=0,tcp-
    tcp-queries=0,timedout-packets=0,udp-answers=0,udp-queries=0,

You now have a working database driven nameserver! To convert
other zones already present, use the zone2sql described in
__________________________________________________________
4.1.1. Common problems

Most problems involve PDNS not being able to connect to the

Can't connect to local MySQL server through socket
'/tmp/mysql.sock' (2)
    Your MySQL installation is probably defaulting to
    another location for its socket. This can be resolved by
    figuring out this location (often /var/run/mysqld.sock),
    and specifying it in the configuration file with the
    gmysql-socket parameter.

    Another solution is to not connect to the socket, but to
    127.0.0.1, which can be achieved by specifying
    gmysql-host=127.0.0.1.

Host 'x.y.z.w' is not allowed to connect to this MySQL server
    These errors are generic MySQL errors. Solve them by
    trying to connect to your MySQL database with the MySQL
    console utility mysql with the parameters specified to
    PDNS. Consult the MySQL documentation.
__________________________________________________________
Chapter 5. Dynamic resolution using the PipeBackend

Also included in the PDNS distribution is the PipeBackend. The
PipeBackend is primarily meant for allowing rapid development
of new backends without tight integration with PowerDNS. It
allows end-users to write PDNS backends in any language. A Perl
sample is provided. The PipeBackend is also very well suited
for dynamic resolution of queries. Example applications include
DNS based load balancing, geo-direction, DNS based failover with

The Pipe Backend also has a separate chapter in the backends
appendix, see Section A.1.

The Pipe Backend currently does not function under FreeBSD 4.x
and 5.x, probably due to unfavorable interactions between its
threading implementation and the fork system call.

Interestingly, the Linux PowerDNS binary running under the
Linuxulator on FreeBSD does work.
__________________________________________________________
5.1. Deploying the PipeBackend with the BindBackend

Included with the PDNS distribution is the example.pl backend
which has knowledge of the example.com zone, just like the
BindBackend. To install both, add the following to your

    pipe-command=location/of/backend.pl

Please adjust the pipe-command statement to the location of the
unpacked PDNS distribution. If your backend is slow, raise
pipe-timeout from its default of 2000ms. Now launch PDNS in
monitor mode, and perform some queries. Note the difference
with the earlier experiment where only the BindBackend was
loaded. The PipeBackend is launched first and thus gets queried
first. The sample backend.pl script knows about:

* webserver.example.com A records pointing to 1.2.3.4,
* www.example.com CNAME pointing to webserver.example.com
* MBOXFW (mailbox forward) records pointing to
  powerdns@example.com. See the smtpredir documentation for
  information about MBOXFW.

For more information about how to write exciting backends with
the PipeBackend, see Appendix A.
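As an added example (not the example.pl/backend.pl shipped with PowerDNS), the following Python program is a minimal PipeBackend that answers for the two A and CNAME records listed above. It assumes the PipeBackend ABI version 1 line protocol (tab-separated HELO, Q and AXFR requests; DATA, END and FAIL replies) that the PipeBackend appendix documents and this page does not reproduce; the banner text, the dict-based zone and the handshake bookkeeping are this example's own. It deliberately treats the query name only as a lookup key, so an attacker-controlled qname never reaches a shell or SQL string.

```python
#!/usr/bin/env python3
r"""Minimal PowerDNS PipeBackend in Python (added example, not the
project's example.pl/backend.pl).

Protocol assumed: PipeBackend ABI version 1, tab-separated lines.
  PowerDNS -> backend:  HELO\t1
  backend  -> PowerDNS: OK\t<banner>
  PowerDNS -> backend:  Q\t<qname>\t<qclass>\t<qtype>\t<id>\t<remote-ip>
  backend  -> PowerDNS: zero or more
                        DATA\t<qname>\t<qclass>\t<qtype>\t<ttl>\t<id>\t<content>
                        followed by END  (FAIL on a protocol error)
"""
import sys

# Constructed zone data: the two records the page lists for the sample
# backend (MBOXFW is left out; only A and CNAME are implemented here).
ZONE = {
    "webserver.example.com": [("A", 3600, "1.2.3.4")],
    "www.example.com": [("CNAME", 3600, "webserver.example.com")],
}

BANNER = "py-pipe-backend ready"   # free-form text after OK (assumption)


def handle_line(line, state):
    """Handle one request line; return the reply lines (without newlines).

    `state` is a dict carrying the handshake flag: PowerDNS must send HELO
    before any query, so anything received earlier is answered with FAIL.
    """
    parts = line.rstrip("\r\n").split("\t")
    if not state.get("greeted"):
        if parts[0] == "HELO" and len(parts) >= 2 and parts[1] == "1":
            state["greeted"] = True
            return ["OK\t" + BANNER]
        return ["FAIL"]          # wrong ABI version or no handshake yet

    if parts[0] == "Q" and len(parts) == 6:
        _, qname, qclass, qtype, qid, _remote = parts
        # DNS names are case-insensitive; strip a trailing dot. The name
        # is only ever used as a dict key, never interpolated anywhere.
        key = qname.lower().rstrip(".")
        reply = []
        for rtype, ttl, content in ZONE.get(key, []):
            if qtype in ("ANY", rtype):
                reply.append("\t".join(
                    ["DATA", key, qclass, rtype, str(ttl), qid, content]))
        reply.append("END")      # END without DATA lines means "no such data"
        return reply

    if parts[0] == "AXFR":       # zone transfers are not offered here
        return ["END"]

    return ["FAIL"]              # malformed request


def main():
    """Serve PowerDNS over stdin/stdout; flush after every request, since
    PowerDNS waits for END before it answers the client."""
    state = {}
    for line in sys.stdin:
        for reply in handle_line(line, state):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Pointed at by pipe-command, the script is started by PDNS and spoken to over its standard input; note that a query for the A record of www.example.com yields a bare END here, because PDNS first asks for a CNAME (see the Query Cache discussion in Chapter 9) and follows the chain itself.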
__________________________________________________________
Chapter 6. Logging & Monitoring Authoritative Server performance

In a production environment, you will want to be able to
monitor PDNS performance. For this purpose, currently two
methods are available: the webserver, and the init.d dump, show
and mrtg commands. Furthermore, PDNS can perform a
configurable amount of operational logging. This chapter also
explains how to configure syslog for best results.
__________________________________________________________

To launch the internal webserver, add a webserver statement to
the pdns.conf. This will instruct the PDNS daemon to start a
webserver on localhost at port 8081, without password
protection. Only local users (on the same host) will be able to
access the webserver by default. The webserver lists a lot of
information about the PDNS process, including frequent queries,
frequently failing queries, lists of remote hosts sending
queries, hosts sending corrupt queries etc. The webserver does
not allow remote management of the daemon. The following
nameserver related configuration items are available:

    If set to anything but 'no', a webserver is launched.

    Address to bind the webserver to. Defaults to 127.0.0.1,
    which implies that only the local computer is able to
    connect to the nameserver! To allow remote hosts to
    connect, change to 0.0.0.0 or the physical IP address of

    If set, viewers will have to enter this plaintext
    password in order to gain access to the statistics.

    Port to bind the webserver to. Defaults to 8081.
__________________________________________________________
6.2. Via init.d commands

As mentioned before, the init.d commands dump, show and mrtg
fetch data from a running PDNS process. Especially mrtg is
powerful - it outputs data in a format that is ready for
processing by the MRTG graphing tool.

MRTG can make insightful graphics on the performance of your
nameserver, enabling the operator to easily spot trends. MRTG
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg.html

    WorkDir: /var/www/mrtg
    Options[_]: growright,nopercent

    #---------------------------------------------------------------
    Target[udp-queries]: `/etc/init.d/pdns mrtg udp-queries udp-answers`
    Options[udp-queries]: growright,nopercent,perminute
    MaxBytes[udp-queries]: 600000
    AbsMax[udp-queries]: 600000
    Title[udp-queries]: Queries per minute
    PageTop[udp-queries]: <H2>Queries per minute</H2>
    WithPeak[udp-queries]: ymwd
    YLegend[udp-queries]: queries/minute
    ShortLegend[udp-queries]: q/m
    LegendI[udp-queries]: udp-questions
    LegendO[udp-queries]: udp-answers

    Target[perc-failed]: `/etc/init.d/pdns mrtg udp-queries udp-answers`
    Options[perc-failed]: growright,dorelpercent,perminute
    MaxBytes[perc-failed]: 600000
    AbsMax[perc-failed]: 600000
    Title[perc-failed]: Queries per minute, with percentage success
    PageTop[perc-failed]: <H2>Queries per minute, with percentage success</H2>
    WithPeak[perc-failed]: ymwd
    YLegend[perc-failed]: queries/minute
    ShortLegend[perc-failed]: q/m
    LegendI[perc-failed]: udp-questions
    LegendO[perc-failed]: udp-answers

    Target[packetcache-rate]: `/etc/init.d/pdns mrtg packetcache-hit udp-queries`
    Options[packetcache-rate]: growright,dorelpercent,perminute
    Title[packetcache-rate]: packetcache hitrate
    MaxBytes[packetcache-rate]: 600000
    AbsMax[packetcache-rate]: 600000
    PageTop[packetcache-rate]: <H2>packetcache hitrate</H2>
    WithPeak[packetcache-rate]: ymwd
    YLegend[packetcache-rate]: queries/minute
    ShortLegend[packetcache-rate]: q/m
    LegendO[packetcache-rate]: total
    LegendI[packetcache-rate]: hit

    Target[packetcache-missrate]: `/etc/init.d/pdns mrtg packetcache-miss udp-queries`
    Options[packetcache-missrate]: growright,dorelpercent,perminute
    Title[packetcache-missrate]: packetcache MISSrate
    MaxBytes[packetcache-missrate]: 600000
    AbsMax[packetcache-missrate]: 600000
    PageTop[packetcache-missrate]: <H2>packetcache MISSrate</H2>
    WithPeak[packetcache-missrate]: ymwd
    YLegend[packetcache-missrate]: queries/minute
    ShortLegend[packetcache-missrate]: q/m
    LegendO[packetcache-missrate]: total
    LegendI[packetcache-missrate]: MISS

    Target[latency]: `/etc/init.d/pdns mrtg latency`
    Options[latency]: growright,nopercent,gauge
    MaxBytes[latency]: 600000
    AbsMax[latency]: 600000
    Title[latency]: Query/answer latency
    PageTop[latency]: <H2>Query/answer latency</H2>
    WithPeak[latency]: ymwd
    YLegend[latency]: usec
    ShortLegend[latency]: usec
    LegendO[latency]: latency
    LegendI[latency]: latency

    Target[recursing]: `/etc/init.d/pdns mrtg recursing-questions recursing-answers`
    Options[recursing]: growright,nopercent,gauge
    MaxBytes[recursing]: 600000
    AbsMax[recursing]: 600000
    Title[recursing]: Recursive questions/answers
    PageTop[recursing]: <H2>Recursing questions/answers</H2>
    WithPeak[recursing]: ymwd
    YLegend[recursing]: queries/minute
    ShortLegend[recursing]: q/m
    LegendO[recursing]: recursing-questions
    LegendI[recursing]: recursing-answers

__________________________________________________________
6.3. Operational logging using syslog

(logging-facility is available from 1.99.10 and onwards)

This chapter assumes familiarity with syslog, the unix logging
device. PDNS logs messages with different levels. The more
urgent the message, the lower the 'priority'. By default, PDNS
will only log messages with an urgency of 3 or lower, but this
can be changed using the loglevel setting in the configuration
file. Setting it to 0 will eliminate all logging, 9 will log

By default, logging is performed under the 'DAEMON' facility
which is shared with lots of other programs. If you regard
nameserving as important, you may want to have it under a
dedicated facility so PDNS can log to its own files, and not
clutter generic files.

For this purpose, syslog knows about 'local' facilities,
numbered from LOCAL0 to LOCAL7. To move PDNS logging to LOCAL0,
add logging-facility=0 to your configuration.

Furthermore, you may want to have separate files for the
differing priorities - preventing lower priority messages from
obscuring important ones.

A sample syslog.conf might be:

    local0.info -/var/log/pdns.info
    local0.warn -/var/log/pdns.warn
    local0.err /var/log/pdns.err

where local0.err would store the really important messages. For
performance and diskspace reasons, it is advised to audit your
syslog.conf for statements also logging PDNS activities. Many
syslog.confs have a '*.*' statement to /var/log/syslog, which
you may want to remove.

For performance reasons, be especially certain that no large
amounts of synchronous logging take place. Under Linux, this is
indicated by filenames not starting with a '-', which indicates a
synchronous log and hurts performance.

Be aware that syslog by default logs messages at the configured
priority and higher! To log only info messages, use
__________________________________________________________
Chapter 7. Security settings & considerations

PDNS has several options to easily allow it to run more
securely. Most notable are the chroot, setuid and setgid
options which can be specified.

For additional information on PowerDNS security, PowerDNS
security incidents and PowerDNS security policy, see Section
__________________________________________________________

7.1.1. Running as a less privileged identity

By specifying setuid and setgid, PDNS changes to this identity
shortly after binding to the privileged DNS ports. These
options are highly recommended. It is suggested that a separate
identity is created for PDNS, as the user 'nobody' is in fact
quite powerful on most systems.

Both these parameters can be specified either numerically or as
real names. You should set these parameters immediately if they
__________________________________________________________

7.1.2. Jailing the process in a chroot

The chroot option secures PDNS to its own directory so that
even if it should become compromised and under control of
external influences, it will have a hard time affecting the

Even though this will hamper hackers a lot, chroot jails have
been known to be broken.

When chrooting PDNS, take care that backends will be able to
get to their files. Many databases need access to a UNIX domain
socket which should live within the chroot. It is often
possible to hardlink such a socket into the chroot dir.

When running with master or slave support, be aware that many
operating systems need access to specific libraries (often
/lib/libnss*) in order to support resolution of domain names!
You can also hardlink these.

The default PDNS configuration is best chrooted to ./, which
boils down to the configured location of the controlsocket.

This is achieved by adding the following to pdns.conf:
chroot=./, and restarting PDNS.
__________________________________________________________

In general, make sure that the PDNS process is unable to
execute commands on your backend database. Most database
backends will only need SELECT privilege. Take care not to
connect to your database as the 'root' or 'sa' user, and
configure the chosen user to have very slight privileges.

Databases emphatically do not need to run on the same machine
that runs PDNS! In fact, in benchmarks it has been discovered
that having a separate database machine actually improves

Separation will enhance your database security highly.
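The recommendations of this chapter, together with the webserver settings of Chapter 6.1, the gmysql-versus-mysql warning of Chapter 4 and the recursor advice of Chapter 11, can be checked mechanically before a restart. The Python script below is an added example and not a PowerDNS tool: it parses a pdns.conf (one key=value per line, '#' comments) and reports settings that contradict this manual. The two embedded configurations are constructed samples; the setting names (launch, setuid, setgid, chroot, webserver, webserver-address, webserver-password, local-address, recursor, allow-recursion) are real pdns.conf keys, while the check list, thresholds and messages are this script's own.

```python
#!/usr/bin/env python3
"""Lint a pdns.conf against the hardening points made in Chapters 4, 6.1,
7 and 11 of this manual. Added example, not a PowerDNS tool."""

# Constructed sample: a configuration that works but ignores the advice
# in Chapter 7 (no setuid/setgid/chroot), exposes the webserver on all
# interfaces without a password, and points the recursor at PDNS itself.
WEAK_CONF = """\
launch=mysql
mysql-host=127.0.0.1
local-address=192.0.2.53
webserver=yes
webserver-address=0.0.0.0
recursor=192.0.2.53
"""

# Constructed sample following the recommendations (password is a placeholder).
HARDENED_CONF = """\
launch=gmysql
gmysql-host=127.0.0.1
gmysql-dbname=pdnstest
local-address=192.0.2.53
setuid=pdns
setgid=pdns
chroot=./
webserver=yes
webserver-address=127.0.0.1
webserver-password=<set-a-real-password>
recursor=192.0.2.1
allow-recursion=192.0.2.0/24
"""


def parse_conf(text):
    """Return {key: value} for pdns.conf-style text; later keys override
    earlier ones, comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key=value line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def _csv(value):
    """Split a comma-separated setting value into its non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit(conf):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []

    # Chapter 4: the 'mysql' backend only appears to work; gmysql is wanted.
    if "mysql" in _csv(conf.get("launch", "")):
        findings.append("launch=mysql: use the gmysql backend instead")

    # 7.1.1: drop privileges after binding the DNS ports, and not to 'nobody'.
    for key in ("setuid", "setgid"):
        if key not in conf:
            findings.append("%s not set: PDNS keeps its start-up privileges" % key)
        elif conf[key] == "nobody":
            findings.append("%s=nobody: create a dedicated identity instead" % key)

    # 7.1.2: jail the process.
    if "chroot" not in conf:
        findings.append("chroot not set: process is not jailed")

    # 6.1: the webserver is local-only on 127.0.0.1; elsewhere it needs a password.
    if conf.get("webserver", "no") != "no":
        bound_to = conf.get("webserver-address", "127.0.0.1")
        if bound_to != "127.0.0.1" and "webserver-password" not in conf:
            findings.append("webserver on %s without webserver-password" % bound_to)

    # Chapter 11: never point recursor at PDNS itself, and remember that
    # without allow-recursion everyone may recurse through this server.
    recursor = conf.get("recursor")
    if recursor:
        if recursor in _csv(conf.get("local-address", "")):
            findings.append("recursor=%s is one of this server's own local-address values" % recursor)
        if "allow-recursion" not in conf:
            findings.append("allow-recursion not set: recursion open to everyone")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

Run against a real file with parse_conf(open("/etc/powerdns/pdns.conf").read()); the weak sample produces seven findings, the hardened one none. The self-recursion check only matches explicit local-address values, so a server that binds all interfaces by default and points recursor at one of its own addresses is not caught by this simple comparison.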
__________________________________________________________
Chapter 8. Virtual hosting

It may be advantageous to run multiple separate PDNS
installations on a single host, for example to make sure that
different customers cannot affect each other's zones. PDNS fully
supports running multiple instances on one host.

To generate additional PDNS instances, copy the init.d script
pdns to pdns-name, where name is the name of your virtual
configuration. It must not contain a - as this will confuse the

When you launch PDNS via this renamed script, it will seek
configuration instructions not in pdns.conf but in
pdns-name.conf, allowing for separate specification of

Be aware however that the init.d force-stop will kill all PDNS
__________________________________________________________
Chapter 9. Performance

In general, best performance is achieved on recent Linux 2.6
kernels using MySQL, although many of the largest PowerDNS
installations are based on PostgreSQL. FreeBSD appears to
achieve lower packet rates both for the PowerDNS recursor and
for the authoritative nameserver; this is still being
investigated. No comparative measurements have been done for
Solaris installations.

On Linux, make sure to read Section 9.2.

Database servers can require configuration to achieve decent
performance. It is especially worth noting that several vendors
ship PostgreSQL with a slow default configuration.
__________________________________________________________

9.2. Native Posix Thread Library vs LinuxThreads

To get the best performance under Linux, especially on SMP
systems, the use of NPTL is advised. The difference in
performance can be over a factor of ten in some circumstances.

NPTL is the default library on modern Linux distributions, so
there is generally not a problem, except if you use a
statically compiled version that, for portability reasons,
defaults to LinuxThreads. This includes all .debs and .rpms
provided by us up to and including 2.9.18.

When running a PowerDNS-provided static binary of 2.9.18 or
lower, it may make sense to recompile, or to upgrade to a newer
version, if available. When recompiling, be sure to use a
supported compiler, like g++ >3.2. You might also consider
moving to a distribution supplied version.

A good indication that your installation might benefit from
such an upgrade is to watch the 'cs' count in the output of
vmstat 1. If this is very high (> 10000), you are suffering
from a LinuxThreads performance problem called 'overspin'.

Thanks are due to L. Bunt Jackson who noted the static
compilation problem in an article in Dr. Dobb's Journal.
__________________________________________________________
9.3. Performance related settings

Different backends will have different characteristics - some
will want to have more parallel instances than others. In
general, if your backend is latency bound, like most relational
databases are, it pays to open more backends.

This is done with the distributor-threads setting. Of special
importance is the choice between 1 or more backends. In case of
only 1 thread, PDNS reverts to unthreaded operation which may
be a lot faster, depending on your operating system and

Another very important setting is cache-ttl. PDNS caches entire
packets it sends out so as to save the time to query backends
to assemble all data. The default setting of 10 seconds may be
low for high traffic sites; a value of 60 seconds rarely leads

Some PDNS operators set cache-ttl to many hours or even days,
and use pdns_control purge to selectively or globally notify
PDNS of changes made in the backend. Also look at the Query
Cache described in this chapter. It may materially improve your

To determine if PDNS is unable to keep up with packets,
determine the value of the qsize-q variable. This represents
the number of packets waiting for database attention. During
normal operations the queue should be small.

If it is known that backends will not contain CNAME records,
the skip-cname setting can be used to prevent the normally
mandatory CNAME lookup that is needed at least once for each

Much the same holds for the wildcards setting. On by default,
each non-existent query will lead to a number of additional
wildcard queries. If it is known that the backends do not
contain wildcard records, performance can be improved by adding
wildcards=no to pdns.conf.

Logging truly kills performance, as answering a question from
the cache is an order of magnitude less work than logging a
line about it. Busy sites will prefer to turn log-dns-details
and log-failed-updates off.
__________________________________________________________
PDNS by default uses the 'Packet Cache' to recognise identical
questions and supply them with identical answers, without any
further processing. The default time to live is 10 seconds. It
has been observed that the utility of the packet cache
increases with the load on your nameserver.

Not all backends may benefit from the packetcache. If your
backend is memory based and does not lead to context switches,
the packetcache may actually hurt performance.

The size of the packetcache can be observed with

    /etc/init.d/pdns show packetcache-size
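The statistics that dump and SHOW * print (see the output in Chapter 4) are the raw material for the checks in this chapter and for the MRTG targets in Chapter 6. The following Python script is an added example, not part of PowerDNS: it parses that comma-separated key=value format, computes the packet cache hit rate from packetcache-hit and packetcache-miss, and flags a growing qsize-q queue together with other warning signs (SERVFAILs, corrupt and timed-out packets). The variable names are those shown in this manual; the sample dump line and the alert thresholds are constructed for illustration.

```python
#!/usr/bin/env python3
"""Parse PowerDNS statistics as printed by '/etc/init.d/pdns dump' and by
SHOW * on the control console, and derive the indicators discussed in
this chapter. Added example, not part of PowerDNS."""

# Constructed sample in the format of the dump output shown in Chapter 4.
SAMPLE_DUMP = (
    "pdns: corrupt-packets=3,latency=1200,packetcache-hit=600,"
    "packetcache-miss=200,packetcache-size=150,qsize-a=0,qsize-q=45,"
    "servfail-packets=12,tcp-answers=2,tcp-queries=2,"
    "timedout-packets=7,udp-answers=790,udp-queries=800,"
)


def parse_dump(text):
    """Return {variable: int}. Accepts the 'pdns: ' prefix the init.d
    script prepends and the trailing comma both outputs end with."""
    text = text.strip()
    if text.startswith("pdns:"):
        text = text[len("pdns:"):]
    stats = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed statistic: %r" % item)
        stats[key] = int(value)
    return stats


def packetcache_hitrate(stats):
    """Share of lookups answered from the Packet Cache, or None before
    any lookup has happened."""
    hits = stats.get("packetcache-hit", 0)
    total = hits + stats.get("packetcache-miss", 0)
    return None if total == 0 else hits / total


def health_flags(stats, max_qsize_q=10, max_servfail_ratio=0.01):
    """Warning signs worth alerting on; the thresholds are assumptions."""
    flags = []
    # 9.3: qsize-q is the backlog waiting for the database. It should stay
    # small; a growing value means the backend is not keeping up.
    if stats.get("qsize-q", 0) > max_qsize_q:
        flags.append("qsize-q=%d: backend not keeping up" % stats["qsize-q"])
    queries = stats.get("udp-queries", 0) + stats.get("tcp-queries", 0)
    servfail = stats.get("servfail-packets", 0)
    if queries and servfail / queries > max_servfail_ratio:
        flags.append("servfail ratio %.3f" % (servfail / queries))
    if stats.get("corrupt-packets", 0):
        flags.append("corrupt-packets=%d: malformed queries received"
                     % stats["corrupt-packets"])
    if stats.get("timedout-packets", 0):
        flags.append("timedout-packets=%d: queries waited past the timeout"
                     % stats["timedout-packets"])
    return flags


if __name__ == "__main__":
    s = parse_dump(SAMPLE_DUMP)
    print("packet cache hit rate: %.2f" % packetcache_hitrate(s))
    for flag in health_flags(s):
        print("WARNING:", flag)
```

Fed the output of /etc/init.d/pdns dump from a cron job, the hit rate tells you whether raising cache-ttl is worthwhile, and a persistently non-empty qsize-q is the signal to add distributor-threads or to look at the database server.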
__________________________________________________________
Besides entire packets, PDNS can also cache individual backend
queries. Each DNS query leads to a number of backend queries;
the most obvious additional backend query is the check for a
possible CNAME. So, when a query comes in for the 'A' record
for 'www.powerdns.com', PDNS must first check for a CNAME for

The Query Cache caches these backend queries, many of which are
quite repetitive. PDNS only caches queries with no answer, or
with exactly one. In the future this may be expanded, but this
lightweight solution is very simple and therefore fast.

Most gain is made from caching negative entries, i.e. queries
that have no answer. As these take little memory to store and
are typically not a real problem in terms of
speed-of-propagation, the default TTL for negative queries is a
rather high 60 seconds.

This is only a problem when first doing a query for a record,
adding it, and immediately doing a query for that record again.
It may then take up to 60 seconds to appear. Changes to
existing records however do not fall under the negative query
TTL (negquery-cache-ttl), but under the generic query-ttl
which defaults to 20 seconds.

The default values should work fine for many sites. When
tuning, keep in mind that the Query Cache mostly saves database
access but that the Packet Cache also saves a lot of CPU
because no internal processing is done when answering a question
from the Packet Cache.
__________________________________________________________
Chapter 10. Migrating to PDNS

Before migrating to PDNS a few things should be considered.

PDNS does not operate as a 'slave' or 'master' server with all

Only the Generic SQL, OpenDBX and BIND backends have the
ability to act as master or slave.

To migrate, the zone2sql tool is provided.

Additionally, the PowerDNS source comes with a number of
diagnostic tools, which can be helpful in verifying proper
PowerDNS operation versus incumbent nameservers. See Chapter
20 for more details.
__________________________________________________________
Zone2sql parses Bind named.conf files and zone files and outputs
SQL on standard out, which can then be fed to your database.

Zone2sql understands the Bind master file extension '$GENERATE'
and will also honour '$ORIGIN' and '$TTL'.

For backends supporting slave operation (currently only the
Generic PostgreSQL, Generic MySQL and BIND backends), there is
also an option to keep slave zones as slaves, and not convert
them to native operation.

By default, zone2sql outputs code suitable for the
mysqlbackend, but it can also generate SQL for the Generic
PostgreSQL, Generic MySQL and Oracle backends. The following
commands are available:

    Output in a bare format, suitable for further parsing.
    The output is formatted as follows:

        domain_id<TAB>'qname'<TAB>'qtype'<TAB>'content'<TAB>pr

    Output in format suitable for the default configuration
    of the Generic MySQL backend.

    Output in format suitable for the default configuration
    of the Generic PostgreSQL backend.

    Output in format suitable for the default configuration
    of the MySQL backend. Default.

    Parse this named.conf to find locations of zones.

--on-error-resume-next
    Ignore missing files during parsing. Dangerous.

    Output in format suitable for the default configuration
    of the Generic Oracle backend.

    Maintain slave status of zones listed in named.conf as
    being slaves. The default behaviour is to convert all
    zones to native operation.

    Supply a value for the first domain_id generated.

    For Oracle and PostgreSQL output, wrap each domain in a
    transaction for higher speed and integrity.

    Be verbose during conversion.

    Parse only this zone file. Conflicts with --named-conf

    When parsing a single zone without $ORIGIN statement,
    set this as the zone name.
__________________________________________________________
5542 Chapter 11. Recursion
5544 (only available from 1.99.8 and onwards, recursing component
5545 available since 2.9.5)
5547 From 2.9.5 onwards, PowerDNS offers both authoritative
5548 nameserving capabilities and a recursive nameserver component.
5549 These two halves are normally separate but many users insist on
5550 combining both recursion and authoritative service on one IP
5551 address. This can be likened to running Apache and Squid both
5554 However, many sites want to do this anyhow and some with good
5555 reason. For example, a setup like this allows the creation of
5556 fake domains which only exist for local users. Such domains
5557 often don't end on ".com" or ".org" but on ".intern" or
5560 PowerDNS can cooperate with either its own recursor or any
5561 other you have available to deliver recursive service on its
5564 By specifying the recursor option in the configuration file,
5565 questions requiring recursive treatment will be handed over to
5566 the IP address specified. An example configuration might be
5567 recursor=130.161.180.1, which designates 130.161.180.1 as the
5568 nameserver to handle recursive queries.
5570 As of 2.9.5, the recursing component of PowerDNS is a bit young
5571 and relatively untested but we hope people will want to use it
5572 anyhow. As an alternative, we highly advise the use of the
5573 DJBDNS dnscache (http://cr.yp.to/djbdns/dnscache.html).
5575 Take care not to point recursor to PDNS, which leads to a very
5578 By specifying allow-recursion, recursion can be restricted to
5579 netmasks specified. The default is to allow recursion from
5580 everywhere. Example: allow-recursion=192.168.0.0/24,
5581 10.0.0.0/8, 1.2.3.4.
5582 __________________________________________________________
5586 Questions carry a number of flags. One of these is called
5587 'Recursion Desired'. If PDNS is configured to allow recursion,
5588 AND such a flag is seen, AND the IP address of the client is
5589 allowed to recurse via PDNS, then the packet may be handed to
5590 the recursing backend.
5592 If a Recursion Desired packet arrives and PDNS is configured to
5593 allow recursion, but not to the IP address of the client,
5594 resolution will proceed as if the RD flag were unset and the
5595 answer will indicate that recursion was not available.
5597 It is also possible to use a resolver living on a different
5598 port. To do so, specify a recursor like this:
5599 recursor=130.161.180.1:5300.
5601 If the backend does not answer a question within a large amount
5602 of time, this is logged as 'Recursive query for remote
5603 10.96.0.2 with internal id 0 was not answered by backend within
5604 timeout, reusing id'. This may happen when using 'BIND' as a
5605 recursor as it is prone to drop queries which it can't answer
5608 To make sure that the local authoritative database overrides
5609 recursive information, PowerDNS first tries to answer a
5610 question from its own database. If that succeeds, the answer
5611 packet is sent back immediately without involving the recursor
5612 in any way. This means that for questions for which there is no
answer, PowerDNS will consult the recursor for a recursive
query, even if PowerDNS is authoritative for a domain! This
5615 will only cause problems if you 'fake' domains which don't
5618 If you want to create such fake domains or override existing
5619 domains, please set the allow-recursion-override feature
5620 (available as of 2.9.14).
5622 Some packets, like those asking for MX records which are needed
5623 for SMTP transport of email, can be subject to 'additional
5624 processing'. This means that a recursing nameserver is obliged
5625 to try to add A records (IP addresses) for any of the
5626 mailservers mentioned in the packet, should it have these
5627 addresses available.
5629 If PowerDNS encounters records needing such processing and
5630 finds that it does not have the data in its authoritative
5631 database, it will send an opportunistic quick query to the
5632 recursing component to see if it perhaps has such data. This
question is worded such that the recursing nameserver should
return immediately, so as not to block the authoritative
5637 This marks a change from pre-2.9.5 behaviour where a packet was
5638 handed wholesale to the recursor in case it needed additional
5639 processing which could not proceed from the authoritative
5641 __________________________________________________________
5643 Chapter 12. PowerDNS resolver/recursing nameserver
5645 The PowerDNS recursor is part of the source tarball of the main
5646 PowerDNS distribution, but it is released separately. Starting
5647 from the version 3.0 pre-releases, there are zero known bugs or
5648 issues with the recursor. It is known to power the resolving
5649 needs of over 2 million internet connections.
5651 The documentation below is only for the 3.0 series, users of
5652 older versions are urged to upgrade!
5656 * Uses MTasker (homepage)
5657 * Can handle thousands of concurrent questions. A dual Xeon
5658 3GHz has been measured functioning very well at 9000 real
5659 life replayed packets per second, with 40% cpu idle. More
5660 testing equipment is needed to max out the recursor.
5661 * Powered by a highly modern DNS packet parser that should be
5662 resistant against many forms of buffer overflows.
5663 * Best spoofing protection that we know about, involving both
5664 source port randomisation and spoofing detection.
5665 * Uses 'connected' UDP sockets which allow the recursor to
5666 react quickly to unreachable hosts or hosts for which the
5667 server is running, but the nameserver is down. This makes
5668 the recursor faster to respond in case of misconfigured
5669 domains, which are sadly very frequent.
5670 * Special support for FreeBSD, Linux and Solaris stateful
5671 multiplexing (kqueue, epoll, completion ports).
5672 * Very fast, and contains innovative query-throttling code to
5673 save time talking to obsolete or broken nameservers.
5674 * Code is written linearly, sequentially, which means that
5675 there are no problems with 'query restart' or anything.
5676 * Relies heavily on Standard C++ Library infrastructure,
5677 which makes for little code (406 core lines).
5678 * Is very verbose in showing how recursion actually works,
5679 when enabled to do so with --verbose.
5680 * The algorithm is simple and quite nifty.
5682 The PowerDNS recursor is controlled and queried using the
5684 __________________________________________________________
5686 12.1. pdns_recursor settings
5688 At startup, the recursing nameserver reads the file
5689 recursor.conf from the configuration directory, often
5690 /etc/powerdns or /usr/local/etc. Each setting below can appear
5691 on the command line, prefixed by '--', or in the configuration
5692 file. The command line overrides the configuration file.
5694 A switch can be set to on simply by passing it, like
5695 '--daemon', and turned off explicitly by '--daemon=off' or
5698 The following settings can be configured:
aaaa-additional-processing
If turned on, the recursor will attempt to add AAAA IPv6
records to questions for MX records and NS records. This can
be quite slow, as the absence of these records in earlier
answers does not guarantee their non-existence, and it can
double the number of queries needed. Off by default.
Comma separated netmasks (both IPv4 and IPv6) that are
allowed to use the server. The default allows access
only from RFC 1918 private IP addresses, like
10.0.0.0/8. Due to the aggressive nature of the internet
these days, it is highly recommended not to open up the
recursor to the entire internet. Questions from IP
addresses not listed here are ignored and do not get an
Like allow-from, except reading from a file. Overrides the
'allow-from' setting. To use this feature, supply one
netmask per line, with optional comments preceded by a
#. Available since 3.1.5.
5724 Authoritative zones can transmit a TTL value that is
5725 lower than that specified in the parent zone. This is
5726 called a 'delegation inconsistency'. To follow RFC 2181
5727 paragraphs 5.2 and 5.4 to the letter, enable this
5728 feature. This will mean a slight deterioration of
5729 performance, and it will not solve any problems, but
5730 does make the recursor more standards compliant. Not
5731 recommended unless you have to tick an 'RFC 2181
5732 compliant' box. Off by default.
5735 Comma separated list of 'zonename=filename' pairs. Zones
5736 read from these files are served authoritatively.
5737 Example: auth-zones= ds9a.nl=/var/zones/ds9a.nl,
5738 powerdns.com=/var/zones/powerdns.com. Available since
5742 If set, chroot to this directory for more security. See
5746 Time to wait for data from TCP clients. Defaults to 2
5750 Directory where the configuration file can be found.
5753 Operate in the background, which is the default.
5759 The DNS is a public database, but sometimes contains
5760 delegations to private IP addresses, like for example
5761 127.0.0.1. This can have odd effects, depending on your
5762 network, and may even be a security risk. Therefore,
5763 since version 3.1.5, the PowerDNS recursor by default
5764 does not query private space IP addresses. This setting
5765 can be used to expand or reduce the limitations.
5768 From version 3.1.5 onwards, PowerDNS can read entropy
5769 from a (hardware) source. This is used for generating
5770 random numbers which are very hard to predict. Generally
5771 on UNIX platforms, this source will be /dev/urandom,
5772 which will always supply random numbers, even if entropy
5773 is lacking. Change to /dev/random if PowerDNS should
5774 block waiting for enough entropy to arrive.
5777 If set, this flag will export the host names and IP
5778 addresses mentioned in /etc/hosts. Available since 3.1.
5781 If running on an SMP system with enough memory, this
5782 feature forks PowerDNS so it benefits from two
5783 processors. Experimental. Renames controlsockets, so
5784 care is needed to connect to the right one using
5785 rec_control, using --socket-pid.
5788 Comma separated list of 'zonename=IP' pairs. Queries for
5789 zones listed here will be forwarded to the IP address
5790 listed. forward-zones= ds9a.nl=213.244.168.210,
5791 powerdns.com=127.0.0.1. Available since 3.1.
5793 Since version 3.1.5, multiple IP addresses can be
5794 specified. Additionally, port numbers other than 53 can
5795 be configured. Sample syntax:
5796 forward-zones=ds9a.nl=213.244.168.210:5300;127.0.0.1,
5797 powerdns.com=127.0.0.1;9.8.7.6:530, or on the command
5799 --forward-zones="ds9a.nl=213.244.168.210:5300;127.0.0.1,
5800 powerdns.com=127.0.0.1;9.8.7.6:530",
5803 Same as forward-zones, parsed from a file. Only 1 zone
5804 is allowed per line, specified as follows:
5805 ds9a.nl=213.244.168.210, 1.2.3.4:5300. No comments are
5806 allowed. Available since 3.1.5.
5809 If set, the root-hints are read from this file. If
5810 unset, default root hints are used. Available since
5814 Local IPv4 or IPv6 addresses to bind to, comma
5815 separated. Defaults to only loopback. Addresses can also
5816 contain port numbers, for IPv4 specify like this:
5817 1.2.3.4:5300, for IPv6: [::1]:5300. Port specifications
5818 are available since 3.1.2.
5821 Local port (singular) to bind to. Defaults to 53.
5824 Some DNS errors occur rather frequently and are no cause
5825 for alarm. Logging these is on by default.
If set to a digit, logging is performed under this LOCAL
facility. See Section 6.3. Available from 3.1.3 and
onwards. Do not pass names like 'local0'!
5833 Maximum number of cache entries. 1 million will
5834 generally suffice for most installations.
5837 A query for which there is authoritatively no answer is
5838 cached to quickly deny a record's existence later on,
5839 without putting a heavy load on the remote server. In
5840 practice, caches can become saturated with hundreds of
5841 thousands of hosts which are tried only once. This
5842 setting, which defaults to 3600 seconds, puts a maximum
5843 on the amount of time negative entries are cached.
5846 Maximum number of simultaneous incoming TCP connections
5847 allowed. Defaults to 128. Available since 2.9.18.
5850 Maximum number of simultaneous incoming TCP connections
5851 allowed per client (remote IP address). Defaults to 0,
5852 which means unlimited.
5855 Send out local queries from this address. Useful for
5858 query-local-address6
5859 Send out local IPv6 queries from this address. Disabled
5860 by default, which also disables outgoing IPv6 support. A
5861 useful setting is ::0.
5864 Don't log queries. On by default.
5866 remotes-ringbuffer-entries
5867 Number of entries in the remotes ringbuffer, which keeps
5868 statistics on who is querying your server. Can be read
5869 out using rec_control top-remotes. Defaults to 0.
5872 On by default, this makes the server authoritatively
5873 aware of: 10.in-addr.arpa, 168.192.in-addr.arpa,
5874 16-31.172.in-addr.arpa, which saves load on the AS112
5875 servers. Individual parts of these zones can still be
5876 loaded or forwarded.
By default, the PowerDNS recursor replies to a query for
'id.server' with its hostname, which is useful in clusters.
Use this setting to override the answer it gives.
5884 PowerDNS can change its user and group id after binding
5885 to its socket. Can be used for better security.
5888 Where to store the control socket. This option also
5889 works with the controller, rec_control.
5892 If set to non-zero, PowerDNS will assume it is being
5893 spoofed after seeing this many answers with the wrong
5897 If turned on, output impressive heaps of logging. May
5898 destroy performance under load.
5901 Print version of this binary. Useful for checking which
5902 version of the PowerDNS recursor is installed on a
5903 system. Available since 3.1.5.
By default, PowerDNS replies to the 'version.bind' query
with its version number. Security conscious users may
wish to override the reply PowerDNS issues.
5909 __________________________________________________________
5911 12.2. Controlling and querying the recursor
5913 To control and query the PowerDNS recursor, the tool
5914 rec_control is provided. This program talks to the recursor
5915 over the 'controlsocket', often stored in /var/run.
5917 As a sample command, try:
5921 When not running as root, --socket-dir=/tmp might be
5924 All rec_control commands are documented below:
5927 Dumps the entire cache to the filename mentioned. This
5928 file should not exist already, PowerDNS will refuse to
5929 overwrite it. While dumping, the recursor will not
5933 Retrieve a statistic. For items that can be queried, see
get-parameter parameter1 parameter2 ...
5937 Retrieve a configuration parameter. All parameters from
5938 the configuration and command line can be queried.
5941 Check if server is alive.
5944 Request shutdown of the recursor.
5947 Reload data about all authoritative and forward zones.
5948 The configuration file is also scanned to see if the
5949 auth-domain, forward-domain and export-etc-hosts
5950 statements have changed, and if so, these changes are
5954 Shows the top-20 most active remote hosts. Statistics
5955 are over the last 'remotes-ringbuffer-entries' queries,
5956 which defaults to 0.
5958 wipe-cache domain0. [domain1. domain2.]
5959 Wipe entries from the cache. This is useful if, for
5960 example, an important server has a new IP address, but
5961 the TTL has not yet expired. Multiple domain names can
5962 be passed. For versions before 3.1, you must terminate a
5963 domain with a .! So to wipe powerdns.org, issue
5964 'rec_control wipe-cache powerdns.org.'. For later
5965 versions, the dot is optional.
5967 Note that deletion is exact, wiping 'com.' will leave
5968 'www.powerdns.com.' untouched!
5972 As of 3.1.7, this command also wipes the negative query cache
5973 for the specified domain.
5977 Don't just wipe 'www.somedomain.com', its NS records or CNAME
5978 target may still be undesired, so wipe 'somedomain.com' as
5981 The command 'get' can query a large number of statistics, which
5982 are detailed in Section 12.5.
5984 More details on what 'throttled' queries and the like are can
5985 be found below in Section 12.4.
5986 __________________________________________________________
5988 12.3. PowerDNS Recursor performance
5990 To get the best out of the PowerDNS recursor, which is
5991 important if you are doing thousands of queries per second,
5992 please consider the following.
5994 * Limit the size of the cache to a sensible value. Cache hit
5995 rate does not improve meaningfully beyond 4 million
5996 max-cache-entries, reducing the memory footprint reduces
5998 * Compile using g++ 4.1 or later. This compiler really does a
5999 good job on PowerDNS, much better than 3.4 or 4.0.
6000 * Consider performing a 'profiled build' as described in the
6001 README. This is good for a 20% performance boost in some
6003 * When running with >3000 queries per second, and running
6004 Linux versions prior to 2.6.17 on some motherboards, your
6005 computer may spend an inordinate amount of time working
6006 around an ACPI bug for each call to gettimeofday. This is
6007 solved by rebooting with 'clock=tsc' or upgrading to a
6009 The above is relevant if dmesg shows Using pmtmr for
6011 * A busy server may need hundreds of file descriptors on
6012 startup, and deals with spikes better if it has that many
6013 available later on. Linux by default restricts processes to
6014 1024 file descriptors, which should suffice most of the
6015 time, but Solaris has a default limit of 256. This can be
6016 raised using the ulimit command. FreeBSD has a default
6017 limit that is high enough for even very heavy duty use.
6018 * If you need it, try --fork, this will fork the daemon into
6019 two halves, allowing it to benefit from a second CPU. This
6020 feature almost doubles performance, but is a bit of a hack.
6022 Following the instructions above, you should be able to attain
6023 very high query rates.
6024 __________________________________________________________
6028 12.4.1. Anti-spoofing
The PowerDNS recursor 3.0 uses a fresh UDP source port for each
outgoing query, making spoofing around 64000 times harder. This
raises the bar from 'easily doable given some time' to 'very
hard'. Under some circumstances, 'some time' has been measured
at 2 seconds. This technique was first used by dnscache by Dan
6037 In addition, PowerDNS detects when it is being sent too many
6038 unexpected answers, and mistrusts a proper answer if found
6039 within a clutch of unexpected ones.
This behaviour can be tuned using the spoof-nearmiss-max setting.
6042 __________________________________________________________
6046 PowerDNS implements a very simple but effective nameserver.
6047 Care has been taken not to overload remote servers in case of
6048 overly active clients.
6050 This is implemented using the 'throttle'. This accounts all
6051 recent traffic and prevents queries that have been sent out
6052 recently from going out again.
6054 There are three levels of throttling.
6056 * If a remote server indicates that it is lame for a zone,
6057 the exact question won't be repeated in the next 60
6059 * After 4 ServFail responses in 60 seconds, the query gets
6061 * 5 timeouts in 20 seconds also lead to query suppression.
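The three rules above as a stand-alone model, added here as an example and not taken from the recursor's sources. Keys, windows and counts come from the text (reading the lame rule's '60' as seconds, like the other two rules); how long a ServFail or timeout hold lasts is not stated in the manual, so the model assumes one window length, and the function names are this example's own.

```lua
-- Added example, not code from the PowerDNS manual or the recursor.
-- Models the three throttling levels: lame delegation holds the exact
-- question for 60 s; 4 ServFails within 60 s and 5 timeouts within 20 s
-- also hold the question. Hold length after ServFail/timeout is an
-- assumption (one window), the manual does not state it.
Throttle = {}
Throttle.__index = Throttle

local LAME_HOLD       = 60
local SERVFAIL_WINDOW = 60
local SERVFAIL_MAX    = 4
local TIMEOUT_WINDOW  = 20
local TIMEOUT_MAX     = 5

function Throttle.new()
  return setmetatable({ held = {}, servfails = {}, timeouts = {} }, Throttle)
end

-- One entry per (remote server, name, type): throttling is exact on the question.
local function key(server, qname, qtype)
  return server .. "|" .. qname:lower() .. "|" .. tostring(qtype)
end

-- Keep only the timestamps still inside the window.
local function prune(list, now, window)
  local kept = {}
  for _, t in ipairs(list) do
    if now - t < window then kept[#kept + 1] = t end
  end
  return kept
end

-- May this outgoing query leave now? Expired holds are dropped on the way.
function Throttle:shouldSend(server, qname, qtype, now)
  local k = key(server, qname, qtype)
  local holdUntil = self.held[k]
  if holdUntil and now < holdUntil then return false end
  self.held[k] = nil
  return true
end

-- Record the outcome of a query that did go out: "lame", "servfail",
-- "timeout" or "ok" (which needs no bookkeeping).
function Throttle:record(server, qname, qtype, outcome, now)
  local k = key(server, qname, qtype)
  if outcome == "lame" then
    self.held[k] = now + LAME_HOLD
  elseif outcome == "servfail" then
    local l = prune(self.servfails[k] or {}, now, SERVFAIL_WINDOW)
    l[#l + 1] = now
    self.servfails[k] = l
    if #l >= SERVFAIL_MAX then self.held[k] = now + SERVFAIL_WINDOW end
  elseif outcome == "timeout" then
    local l = prune(self.timeouts[k] or {}, now, TIMEOUT_WINDOW)
    l[#l + 1] = now
    self.timeouts[k] = l
    if #l >= TIMEOUT_MAX then self.held[k] = now + TIMEOUT_WINDOW end
  end
end

-- Stand-alone check on a constructed timeline (times in seconds).
local t = Throttle.new()
assert(t:shouldSend("ns1.example", "www.example.", 1, 0))
t:record("ns1.example", "www.example.", 1, "lame", 0)
assert(not t:shouldSend("ns1.example", "www.example.", 1, 30))   -- held
assert(t:shouldSend("ns1.example", "www.example.", 1, 60))       -- hold expired
for i = 1, 4 do t:record("ns2.example", "mail.example.", 15, "servfail", i * 10) end
assert(not t:shouldSend("ns2.example", "mail.example.", 15, 45))
for i = 0, 4 do t:record("ns3.example", "x.example.", 1, "timeout", i * 10) end
assert(t:shouldSend("ns3.example", "x.example.", 1, 41))         -- never 5 inside 20 s
for i = 1, 5 do t:record("ns3.example", "x.example.", 1, "timeout", 100 + i) end
assert(not t:shouldSend("ns3.example", "x.example.", 1, 110))
print("throttle self-test ok")
```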
6062 __________________________________________________________
6066 The rec_control get command can be used to query the following
6067 keys, either single keys or multiple keys at once:
all-outqueries        counts the number of outgoing UDP queries since starting
answers0-1            counts the number of queries answered within 1 millisecond
answers100-1000       counts the number of queries answered within 1 second
answers10-100         counts the number of queries answered within 100 milliseconds
answers1-10           counts the number of queries answered within 10 milliseconds
answers-slow          counts the number of queries answered after 1 second
cache-entries         shows the number of entries in the cache
cache-hits            counts the number of cache hits since starting
cache-misses          counts the number of cache misses since starting
chain-resends         number of queries chained to existing outstanding queries
client-parse-errors   counts number of client packets that could not be parsed
concurrent-queries    shows the number of MThreads currently running
dlg-only-drops        number of records dropped because of delegation only
negcache-entries      shows the number of entries in the Negative answer cache
noerror-answers       counts the number of times it answered NOERROR since starting
nsspeeds-entries      shows the number of entries in the NS speeds map
nsset-invalidations   number of times an nsset was dropped because it no l
nxdomain-answers      counts the number of times it answered NXDOMAIN since starting
outgoing-timeouts     counts the number of timeouts on outgoing UDP queries
qa-latency            shows the current latency average
questions             counts all End-user initiated queries with the RD bit
resource-limits       counts number of queries that could not be performed because of resource limits
server-parse-errors   counts number of server replied packets that could not be parsed
servfail-answers      counts the number of times it answered SERVFAIL since starting
spoof-prevents        number of times PowerDNS considered itself spoofed, and dropped the data
sys-msec              number of CPU milliseconds spent in 'system' mode
tcp-client-overflow   number of times an IP address was denied TCP access because it already had too many connections
tcp-outqueries        counts the number of outgoing TCP queries since starting
tcp-questions         counts all incoming TCP queries (since starting)
throttled-out         counts the number of throttled outgoing UDP queries
throttle-entries      shows the number of entries in the throttle map
unauthorized-tcp      number of TCP questions denied because of allow-from
unauthorized-udp      number of UDP questions denied because of allow-from
unexpected-packets    number of answers from remote servers that were unexpected (might point to spoofing)
uptime                number of seconds process has been running (since 3.
user-msec             number of CPU milliseconds spent in 'user' mode
6130 In the rrd/ subdirectory a number of rrdtool scripts is
6131 provided to make nice graphs of all these numbers.
Every half hour or so, the recursor outputs a line with
statistics. More infrastructure is planned so as to allow for
Cricket or MRTG graphs. To force the output of statistics, send
the process a SIGUSR1. A line of statistics looks like this:
Feb 10 14:16:03 stats: 125784 questions, 13971 cache entries, 309 negative entries, 84% cache hits, outpacket/query ratio 37%, 12% throttled
6140 This means that there are 13791 different names cached, which
6141 each may have multiple records attached to them. There are 309
6142 items in the negative cache, items of which it is known that
6143 don't exist and won't do so for the near future. 84% of
6144 incoming questions could be answered without any additional
6145 queries going out to the net.
6147 The outpacket/query ratio means that on average, 0.37 packets
6148 were needed to answer a question. Initially this ratio may be
6149 well over 100% as additional queries may be needed to actually
6150 recurse the DNS and figure out the addresses of nameservers.
Finally, 12% of queries were not performed because identical
queries had gone out previously, saving load on servers worldwide.
6154 __________________________________________________________
6158 As of version 3.1.7 of the PowerDNS Recursor, it is possible to
6159 modify resolving behaviour using simple scripts written in the
6160 Lua programming language.
This functionality is expected to change from version to
version as additional scripting needs become apparent!
6167 These scripts can be used to quickly override dangerous
6168 domains, for load balancing or for legal or commercial
6171 As of 3.1.7, queries can be intercepted in two places: before
6172 the resolving logic starts to work, plus after the resolving
6173 process failed to find a correct answer for a domain.
6174 __________________________________________________________
6176 12.6.1. Configuring Lua scripts
6178 In order to load scripts, the PowerDNS Recursor must have Lua
6179 support built in. The packages distributed from the PowerDNS
6180 website have this language enabled, other distributions may
6181 differ. To compile with Lua support, use: LUA=1 make or LUA=1
6182 gmake as the case may be. Paths to the Lua include files and
6183 binaries may be found near the top of the Makefile.
6185 If lua support is available, a script can be configured either
6186 via the configuration file, or at runtime via the rec_control
6187 tool. Scripts can be reloaded or unloaded at runtime with no
6188 interruption in operations. If a new script contains syntax
6189 errors, the old script remains in force.
6191 On the commandline, or in the configuration file, the setting
6192 lua-dns-script can be used to supply a full path to a 'lua'
6195 At runtime, rec_control reload-lua-script can be used to either
6196 reload the script from its current location, or, when passed a
6197 new filename, load one from a new location. A failure to parse
6198 the new script will leave the old script in working order.
6200 Finally, rec_control unload-lua-script can be used to remove
6201 the currently installed script, and revert to unmodified
6203 __________________________________________________________
6205 12.6.2. Writing Lua PowerDNS Recursor scripts
6207 Once a script is loaded, PowerDNS looks for two functions:
6208 preresolve and nxdomain. Either or both of these can be absent,
6209 in which case the corresponding functionality is disabled.
6211 preresolve is called before any DNS resolution is attempted,
6212 and if this function indicates it, it can supply a direct
6213 answer to the DNS query, overriding the internet. This is
6214 useful to combat botnets, or to disable domains unacceptable to
6215 an organization for whatever reason.
6217 nxdomain is called after the DNS resolution process has run its
6218 course, but ended in an 'NXDOMAIN' situation, indicating that
6219 the domain or the specific record does not exist. This can be
6220 used for various purposes.
6222 Both functions are passed the IP address of the requestor, plus
6223 the name and type being requested. In return, these functions
6224 indicate if they have taken over the request, or want to let
6225 normal proceedings take their course. Beyond version 3.1.7, the
6226 IP address on which the question was received is inserted
6227 immediately after the IP address of the requestor - so in that
6228 case there are 4 parameters.
6230 If a function has taken over a request, it should return an
6231 rcode (usually 0), and specify a table with records to be put
6232 in the answer section of a packet. An interesting rcode is
6233 NXDOMAIN (3, or pdns.NXDOMAIN), which specifies the
6234 non-existence of a domain. Returning -1 and an empty table
6235 signifies that the function chose not to intervene.
6237 A minimal sample script:
    function nxdomain ( ip, domain, qtype )
      print ("nxhandler called for: ", ip, domain, qtype)
      ret = {}                                           -- result table, indexed from 1
      if qtype ~= pdns.A then return -1, ret end         -- only A records
      if not string.find(domain, "^www%.") then return -1, ret end  -- only things that start with www.
      if not matchnetmask(ip, "10.0.0.0/8", "192.168.0.0/16") then return -1, ret end  -- only interfere with local queries
      ret[1]={qtype=pdns.A, content="127.1.2.3"}         -- add IN A 127.1.2.3
      ret[2]={qtype=pdns.A, content="127.3.2.1"}         -- add IN A 127.3.2.1
      return 0, ret                                      -- return no error, plus records
    end
6255 Please do NOT use the above sample script in production!
6256 Responsible NXDomain redirection requires more attention to
6259 Note that the domain is passed to the Lua function terminated
6260 by a '.'. A more complete sample script is provided as
6261 powerdns-example-script.lua in the PowerDNS Recursor
6264 The answer content format is (nearly) identical to the storage
6265 in the PowerDNS Authoritative Server database, or as in zone
6266 files. The exception is that, unlike in the database, there is
6267 no 'prio' field, which means that an MX record with priority 25
6268 pointing to 'smtp.mailserver.com' would be encoded as '25
6269 smtp.mailserver.com.'.
6271 Useful return 'rcodes' include 0 for "no error" and
6272 pdns.NXDOMAIN for "NXDOMAIN".
6274 Fields that can be set in the return table include:
6277 Content of the record, as specified above in 'zone file
6278 format'. No default, mandatory field.
Place of this record. Defaults to 1, indicating 'Answer'
section. Can also be 2, for Authority, or 3, for
Additional. When using this rare feature, always emit
records with 'Place' in ascending order. This field is
6288 qname of the answer, the 'name' of the record. Defaults
6289 to the name of the query, which is almost always correct
6290 except when specifying additional records or rolling out
Currently the numerical qtype of the answer, defaulting
to '1' which is an A record. Can also be specified as
pdns.A, or pdns.CNAME etc.
6299 Time to live of a record. Defaults to 3600. Be sure not
6300 to specify differing TTLs within answers with an
6301 identical qname. While this will be encoded in DNS,
6302 actual results may be undesired.
6306 The result table must have indexes that start at 1! Otherwise
6307 the first or confusingly the last entry of the table will be
6308 ignored. A useful technique is to return data using: return 0,
6309 {{qtype=1, content="1.2.3.4"}, {qtype=1, content="4.3.2.1"}} as
6310 this will get the numbering right automatically.
6312 The function matchnetmask(ip, netmask1, netmask2..) (or
6313 matchnetmask(ip, {netmask1, netmask2})) is available to match
6314 incoming queries against a number of netmasks. If any of these
6315 matches, the function returns true.
6317 To log messages with the main PowerDNS Recursor process, use
6318 pdnslog(message). Available since 3.1.8.
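A script using the four-parameter convention of versions after 3.1.7, added here as an example; it is not part of the manual or of the recursor's own powerdns-example-script.lua. The recursor supplies pdns, matchnetmask and pdnslog; the stubs at the top, the blocklist and the internal name are this example's own constructions so the file also runs under a plain lua interpreter.

```lua
-- Added example: not part of the PowerDNS manual or of the recursor's own
-- powerdns-example-script.lua. Written for the four-parameter convention of
-- versions after 3.1.7 (requestor IP, receiving IP, name, qtype).
-- Assumed: the recursor supplies 'pdns', 'matchnetmask' and 'pdnslog'; the
-- stubs below only let the file run under a plain 'lua' interpreter for
-- testing and are never used inside the recursor.
pdns = pdns or { A = 1, CNAME = 5, MX = 15, NXDOMAIN = 3 }
pdnslog = pdnslog or print

-- Stand-alone stub of matchnetmask(ip, mask1, mask2, ...) and
-- matchnetmask(ip, {mask1, ...}); IPv4 CIDR only.
matchnetmask = matchnetmask or function(ip, ...)
  local function toint(a)
    local o1, o2, o3, o4 = a:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not o1 then return nil end
    return ((tonumber(o1) * 256 + tonumber(o2)) * 256 + tonumber(o3)) * 256 + tonumber(o4)
  end
  local masks = ...
  if type(masks) ~= "table" then masks = { ... } end
  local addr = toint(ip)
  if not addr then return false end
  for _, m in ipairs(masks) do
    local net, bits = m:match("^([%d%.]+)/(%d+)$")
    local netint = net and toint(net)
    if netint then
      local block = 2 ^ (32 - tonumber(bits))          -- addresses per prefix
      if math.floor(addr / block) == math.floor(netint / block) then return true end
    end
  end
  return false
end

-- Constructed data for the example; a deployment would load these from files.
-- Names carry the trailing dot because that is how the recursor passes them.
local blocked  = { ["malware.example."] = true, ["phish.example."] = true }
local internal = { ["intranet.example."] = "10.1.2.3" }
local local_nets = { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" }

-- True if the name or any parent of it is on the blocklist.
local function blocked_by_suffix(domain)
  local d = domain:lower()
  while d ~= "" do
    if blocked[d] then return true end
    d = d:gsub("^[^%.]+%.", "", 1)                    -- drop the leftmost label
  end
  return false
end

-- Runs before any resolution. Returning -1 and an empty table leaves the
-- query alone; NXDOMAIN (3) with an empty table denies that the name exists.
function preresolve(remoteip, localip, domain, qtype)
  if blocked_by_suffix(domain) then
    pdnslog("blocked " .. domain .. " asked by " .. remoteip)
    return pdns.NXDOMAIN, {}
  end
  local addr = internal[domain:lower()]
  if addr and qtype == pdns.A and matchnetmask(remoteip, local_nets) then
    -- Answer the internal name only for RFC 1918 clients, so it never leaks
    -- to the outside and the query never leaves for the public DNS.
    -- Table indexed from 1, as the manual requires; short TTL for fast changes.
    return 0, { { qtype = pdns.A, content = addr, ttl = 60 } }
  end
  return -1, {}
end

-- Runs only after resolution ended in NXDOMAIN. No redirection of public
-- names here (see the warning above); logging the misses from local clients
-- is the useful defensive data point, e.g. a host making many random lookups.
function nxdomain(remoteip, localip, domain, qtype)
  if matchnetmask(remoteip, local_nets) then
    pdnslog("nxdomain " .. domain .. " qtype " .. tostring(qtype) .. " from " .. remoteip)
  end
  return -1, {}
end

-- Self-test when run as 'lua thisfile.lua'; 'arg' is set by the command-line
-- interpreter and, by assumption, absent inside the recursor.
if rawget(_G, "arg") then
  local rc, recs = preresolve("10.5.5.5", "10.0.0.53", "www.malware.example.", pdns.A)
  assert(rc == pdns.NXDOMAIN and #recs == 0)
  rc, recs = preresolve("10.5.5.5", "10.0.0.53", "intranet.example.", pdns.A)
  assert(rc == 0 and recs[1].content == "10.1.2.3" and recs[1].ttl == 60)
  rc, recs = preresolve("198.51.100.7", "10.0.0.53", "intranet.example.", pdns.A)
  assert(rc == -1 and #recs == 0)                     -- outsiders get normal resolution
  assert(preresolve("10.5.5.5", "10.0.0.53", "www.example.com.", pdns.A) == -1)
  assert(nxdomain("10.5.5.5", "10.0.0.53", "nope.example.", pdns.A) == -1)
  print("self-test ok")
end
```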
6319 __________________________________________________________
6321 12.7. Design and Engineering of the PowerDNS Recursor
This section is aimed at programmers wanting to contribute to
the recursor, or to help fix bugs. It is not required reading
for a PowerDNS operator, although it might prove interesting.
6329 The PowerDNS Recursor consists of very little code, the core
6330 DNS logic is less than a thousand lines.
6332 This smallness is achieved through the use of some fine
6333 infrastructure: MTasker, MOADNSParser, MPlexer and the C++
6334 Standard Library/Boost. This page will explain the conceptual
6335 relation between these components, and the route of a packet
6336 through the program.
6337 __________________________________________________________
6339 12.7.1. The PowerDNS Recursor
6341 The Recursor started out as a tiny project, mostly a technology
6342 demonstration. These days it consists of the core plus 9000
6343 lines of features. This combined with a need for very high
6344 performance has made the recursor code less accessible than it
6345 was. The page you are reading hopes to rectify this situation.
6346 __________________________________________________________
6348 12.7.2. Synchronous code using MTasker
The original name of the program was syncres, which is still
reflected in the filename syncres.cc, and the class SyncRes.
This means that PowerDNS is written naively, with one thread of
execution per query, synchronously waiting for packets.
Normally this would lead to very bad performance (unless
running on a computer with very fast threading, like possibly
the Sun CoolThreads family), so PowerDNS employs MTasker for
very fast userspace threading.
6359 MTasker, which was developed separately from PowerDNS, does not
6360 provide a full multithreading system but restricts itself to
6361 those features a nameserver needs. It offers cooperative
6362 multitasking, which means there is no forced preemption of
6363 threads. This in turn means that no two MThreads ever really
6364 run at the same time.
6366 This is both good and bad, but mostly good. It means PowerDNS
6367 does not have to think about locking. No two threads will ever
6368 be talking to the DNS cache at the same time, for example.
6370 It also means that the recursor could block if any operation
6373 The core interaction with MTasker are the waitEvent() and
6374 sendEvent() functions. These pass around PacketID objects.
6375 Everything PowerDNS needs to wait for is described by a
6376 PacketID event, so the name is a bit misleading. Waiting for a
6377 TCP socket to have data available is also passed via a
6378 PacketID, for example.
6380 The version of MTasker in PowerDNS is newer than that described
6381 at the MTasker site, with a vital difference being that thet
6382 waitEvent() structure passes along a copy of the exact PacketID
6383 sendEvent() transmitted. Furthermore, threads can trawl through
6384 the list of events being waited for and modify the respective
6385 PacketIDs. This is used for example with near miss packets:
6386 packets that appear to answer questions we asked, but differ in
6387 the DNS id. On seeing such a packet, the recursor trawls
6388 through all PacketIDs and if it finds any nearmisses, it
6389 updates the PacketID::nearMisses counter. The actual PacketID
6390 thus lives inside MTasker while any thread is waiting for it.
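The bookkeeping just described is easier to follow in code. What follows is an added example and not PowerDNS's MTasker or its PacketID class: there are no coroutines here, only the table of outstanding PacketIDs, the exact-match wake-up that sendEvent() performs, and the trawl that increments nearMisses. The ids, addresses and names are constructed. A rising nearMisses count on an outstanding query is the signal a recursor has that somebody is guessing at its transaction ids, which is why it is worth recording.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Added illustration of the waitEvent()/sendEvent() bookkeeping described
// above. This is not PowerDNS's MTasker: no coroutines, only the table of
// outstanding PacketIDs and the near-miss trawl over it.
struct PacketID {
    uint16_t id;          // DNS transaction id of the outgoing query
    std::string remote;   // nameserver address the query went to
    std::string domain;   // question name
    int nearMisses;       // answers that matched everything except the id

    PacketID(uint16_t i = 0, std::string r = "", std::string d = "")
        : id(i), remote(std::move(r)), domain(std::move(d)), nearMisses(0) {}
};

class EventTable {
public:
    // waitEvent(): an MThread registers the PacketID it is waiting for.
    void waitEvent(const PacketID& pid) { waiters_.push_back(pid); }

    // sendEvent(): deliver an answer to the thread waiting for exactly this
    // PacketID. Returns true and copies the stored PacketID (including its
    // nearMisses count so far) into 'woken' if someone was waiting.
    bool sendEvent(const PacketID& answer, PacketID& woken) {
        for (auto it = waiters_.begin(); it != waiters_.end(); ++it) {
            if (it->id == answer.id && it->remote == answer.remote &&
                it->domain == answer.domain) {
                woken = *it;
                waiters_.erase(it);
                return true;
            }
        }
        return false;
    }

    // Trawl the wait list: an answer from the right server for the right
    // name but with a different id is a near miss for each such waiter.
    int countNearMisses(const PacketID& answer) {
        int marked = 0;
        for (PacketID& w : waiters_) {
            if (w.remote == answer.remote && w.domain == answer.domain &&
                w.id != answer.id) {
                ++w.nearMisses;
                ++marked;
            }
        }
        return marked;
    }

    size_t outstanding() const { return waiters_.size(); }

private:
    std::vector<PacketID> waiters_;
};

// What the kernel loop does with an incoming UDP answer: exact match first,
// otherwise record near misses. Returns the nearMisses value the woken
// thread observes, or -1 if no thread was woken.
int handleIncoming(EventTable& table, const PacketID& answer) {
    PacketID woken;
    if (table.sendEvent(answer, woken))
        return woken.nearMisses;
    table.countNearMisses(answer);
    return -1;
}

// Constructed scenario: one outstanding query, two wrong-id answers from the
// right server, then the genuine answer. The woken thread sees nearMisses == 2.
int demoNearMisses() {
    EventTable table;
    table.waitEvent(PacketID(0x1234, "192.0.2.53", "www.example.com."));
    handleIncoming(table, PacketID(0x1111, "192.0.2.53", "www.example.com."));
    handleIncoming(table, PacketID(0x2222, "192.0.2.53", "www.example.com."));
    return handleIncoming(table, PacketID(0x1234, "192.0.2.53", "www.example.com."));
}

// An answer with the right id but from a server we never asked is neither a
// match nor a near miss; the waiter is untouched and still outstanding.
bool demoWrongServerIgnored() {
    EventTable table;
    table.waitEvent(PacketID(7, "198.51.100.1", "a.test."));
    int wrong = handleIncoming(table, PacketID(7, "203.0.113.9", "a.test."));
    int real = handleIncoming(table, PacketID(7, "198.51.100.1", "a.test."));
    return wrong == -1 && real == 0 && table.outstanding() == 0;
}
```

The real PacketID also carries the socket and a few more fields, and the check on the remote address is done on the actual sockaddr rather than a string, but the matching rule is the same: everything but the id must agree before a packet is allowed to count as a near miss.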
__________________________________________________________

The Recursor uses a separate socket per outgoing query. This
has the important benefit of making spoofing 64000 times
harder, and additionally means that ICMP errors are reported
back to the program. In measurements this appears to happen to
one in ten queries, which would otherwise take a two-second
timeout before PowerDNS moves on to another nameserver.

However, this means that the program routinely needs to wait on
hundreds or even thousands of sockets. Different operating
systems offer various ways to monitor the state of sockets or,
more generally, file descriptors. To abstract out the differing
strategies (select, epoll, kqueue, completion ports), PowerDNS
contains MPlexer classes, all of which descend from the
FDMultiplexer class.

This class is very simple and offers only five important
methods: addReadFD(), addWriteFD(), removeReadFD(),
removeWriteFD() and run().

The arguments to the add functions consist of an fd, a
callback, and a boost::any variable that is passed as a
reference to the callback.

This might remind you of the MTasker above, and it is indeed
the same trick: state is stored within the MPlexer. As long as
a file descriptor remains within either the Read or Write active
list, its state will remain stored.

On arrival of a packet (or more generally, when an FD becomes
readable or writable, which for example might mean a new TCP
connection), the callback is called with the aforementioned
reference to its parameter.

The callback is free to call removeReadFD() or removeWriteFD()
to remove itself from the active list.

PowerDNS defines such callbacks as newUDPQuestion(),
newTCPConnection(), handleRunningTCPConnection().

Finally, the run() method needs to be called whenever the
program is ready for new data. This happens in the main loop in
pdns_recursor.cc. This loop is what MTasker refers to as the
kernel. In this loop, any packets or other MPlexer events get
translated either into new MThreads within MTasker, or into
calls to sendEvent(), which in turn wakes up other MThreads.
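The five-method interface above, as an added example built on poll(2). This is not the PowerDNS FDMultiplexer or any of its MPlexer subclasses: std::any stands in for boost::any, the method names follow the text, and the socketpair and the 5-byte message in the demo are constructed. The point it shows is the one the text makes: the per-fd state lives inside the multiplexer for as long as the fd is registered, and a callback may remove itself from inside run() without invalidating the parameter it is still using.

```cpp
#include <any>
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>
#include <vector>

// Added illustration of the FDMultiplexer interface described above, built
// on poll(2). Not PowerDNS's code; std::any stands in for boost::any.
class PollMultiplexer {
public:
    using Callback = std::function<void(int fd, std::any& param)>;

    void addReadFD(int fd, Callback cb, std::any param = std::any()) {
        readers_[fd] = std::make_shared<Entry>(Entry{std::move(cb), std::move(param)});
    }
    void addWriteFD(int fd, Callback cb, std::any param = std::any()) {
        writers_[fd] = std::make_shared<Entry>(Entry{std::move(cb), std::move(param)});
    }
    void removeReadFD(int fd) { readers_.erase(fd); }
    void removeWriteFD(int fd) { writers_.erase(fd); }

    // Wait at most timeoutMs for activity and dispatch callbacks; returns the
    // number of callbacks run. The main loop (MTasker's "kernel") calls this
    // whenever it is ready for new data.
    int run(int timeoutMs) {
        std::vector<pollfd> pfds;
        for (const auto& kv : readers_) pfds.push_back(pollfd{kv.first, POLLIN, 0});
        for (const auto& kv : writers_) pfds.push_back(pollfd{kv.first, POLLOUT, 0});
        if (pfds.empty()) return 0;
        int ready = poll(pfds.data(), pfds.size(), timeoutMs);
        if (ready <= 0) return 0;   // timeout or error: nothing to dispatch
        int dispatched = 0;
        for (const pollfd& p : pfds) {
            if (p.revents & (POLLIN | POLLHUP | POLLERR)) dispatched += dispatch(readers_, p.fd);
            if (p.revents & POLLOUT) dispatched += dispatch(writers_, p.fd);
        }
        return dispatched;
    }

private:
    struct Entry { Callback cb; std::any param; };
    using Table = std::map<int, std::shared_ptr<Entry>>;
    Table readers_, writers_;

    // Hold a reference to the entry while calling it: the callback may remove
    // itself from the table, which must not destroy its own parameter mid-call.
    static int dispatch(Table& table, int fd) {
        auto it = table.find(fd);
        if (it == table.end()) return 0;
        std::shared_ptr<Entry> entry = it->second;
        entry->cb(fd, entry->param);
        return 1;
    }
};

// Demo with a constructed socketpair standing in for a client connection:
// the per-fd state (bytes seen so far) is kept in the std::any parameter,
// and the callback removes itself once the expected 5 bytes have arrived.
int demoBytesSeen() {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    PollMultiplexer mplex;
    int total = 0;
    mplex.addReadFD(sv[0], [&](int fd, std::any& state) {
        char buf[64];
        ssize_t n = read(fd, buf, sizeof buf);
        int& seen = std::any_cast<int&>(state);   // state stored in the multiplexer
        if (n > 0) seen += static_cast<int>(n);
        if (seen >= 5) { total = seen; mplex.removeReadFD(fd); }
    }, std::any(0));
    if (write(sv[1], "hello", 5) != 5) return -1;   // constructed input
    int first = mplex.run(1000);   // one callback runs
    int second = mplex.run(10);    // nothing registered any more
    close(sv[0]);
    close(sv[1]);
    return (first == 1 && second == 0) ? total : -1;
}

int main() {
    std::printf("bytes seen: %d\n", demoBytesSeen());
    return 0;
}
```

poll() is the portable lowest common denominator; the real MPlexer classes swap in epoll, kqueue or completion ports behind the same five calls, which is exactly why the interface is kept this small.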
__________________________________________________________

12.7.4. MOADNSParser

Yes, this does stand for the Mother of All DNS Parsers. And
even that name does not do it justice! The MOADNSParser is the
third attempt I've made at writing a DNS packet parser and after
two miserable failures, I think I've finally gotten it right.

Writing and parsing DNS packets, and the DNS records they
contain, consists of four things:

1. Parsing a DNS record (from packet) into memory
2. Generating a DNS record from memory (to packet)
3. Writing out memory to user-readable zone format
4. Reading said zone format into memory

This gets tedious very quickly, as one needs to implement all
four operations for each new record type, and there are dozens

While writing the MOADNSParser, it was discovered there is a
remarkable symmetry between these four transitions. DNS Records
are nearly always laid out in the same order in memory as in
their zone format representation. And reading is nothing but

So, the MOADNSParser is built around the notion of a
Conversion, and we write all Conversion types once. So we have
a Conversion from IP address in memory to an IP address in a
DNS packet, and vice versa. And we have a Conversion from an IP
address in zone format to memory, and vice versa.

This in turn means that the entire implementation of the
ARecordContent is as follows (wait for it!)

Through the use of the magic called C++ templates, this one
line does everything needed to perform the four operations

At one point, I got really obsessed with PowerDNS memory use.
So, how do we store DNS data in the PowerDNS recursor? I
mentioned memory above a lot - this means we could just store
the DNSRecordContent objects. However, this would be wasteful.

For example, storing the following:
www.ds9a.nl 3600 IN CNAME outpost.ds9a.nl.

would duplicate a lot of data. So, what is actually stored is a
partial DNS packet. To store the CNAMEDNSRecordContent that
corresponds to the above, we generate a DNS packet that has
www.ds9a.nl IN CNAME as its question. Then we add 3600 IN CNAME
outpost.ds9a.nl. as its answer. Then we chop off the question
part, and store the rest in the www.ds9a.nl IN CNAME key in our

When we need to retrieve www.ds9a.nl IN CNAME, the inverse
happens. We find the proper partial packet, prefix it with a
question for www.ds9a.nl IN CNAME, and expand the resulting
packet into the answer 3600 IN CNAME outpost.ds9a.nl..

Why do we go through all these motions? Because of DNS
compression, which allows us to omit the whole .ds9a.nl. part,
saving us 9 bytes. This is amplified when storing multiple MX
records which all look more or less alike. This optimization is
not performed yet though.

Even without compression, it makes sense as all records are
automatically stored very compactly.

The PowerDNS recursor only parses a number of well known record
types and passes all other information across verbatim - it
doesn't have to know about the content it is serving.
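The Conversion idea, as an added example that is not the MOADNSParser's code. Each record type describes its layout exactly once in an xfrPacket() member; the four conversions (wire out, wire in, zone text out, zone text in) are separate classes that all accept the same xfr* calls, so the one-line ARecordContent from the text falls out naturally. The MX record is an assumed second type to show a multi-field layout. The two readers bounds-check everything, because the wire form arrives from remote servers the recursor does not control, and a parser that reads past the end of a truncated record is the classic way a nameserver gets crashed.

```cpp
#include <cstdint>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Added illustration of the Conversion idea behind the MOADNSParser, not
// PowerDNS's code. A record type states its layout once, in xfrPacket();
// four conversion classes (wire out/in, zone text out/in) answer the same
// xfr* calls. MX is an assumed second record type.

struct PacketWriter {                                   // memory -> wire
    std::vector<uint8_t> out;
    void xfr16(uint16_t v) { out.push_back(v >> 8); out.push_back(v & 0xff); }
    void xfrIP(uint32_t v) { for (int s = 24; s >= 0; s -= 8) out.push_back((v >> s) & 0xff); }
    void xfrName(const std::string& name) {             // uncompressed labels
        for (size_t start = 0; start < name.size();) {
            size_t dot = name.find('.', start);
            if (dot == std::string::npos) dot = name.size();
            if (dot - start > 63) throw std::runtime_error("label too long");
            out.push_back(static_cast<uint8_t>(dot - start));
            out.insert(out.end(), name.begin() + start, name.begin() + dot);
            start = dot + 1;
        }
        out.push_back(0);
    }
};

struct PacketReader {                                   // wire -> memory
    const std::vector<uint8_t>& in;
    size_t pos = 0;
    explicit PacketReader(const std::vector<uint8_t>& b) : in(b) {}
    uint8_t get8() { if (pos >= in.size()) throw std::runtime_error("truncated record"); return in[pos++]; }
    void xfr16(uint16_t& v) { v = get8(); v = static_cast<uint16_t>((v << 8) | get8()); }
    void xfrIP(uint32_t& v) { v = 0; for (int i = 0; i < 4; ++i) v = (v << 8) | get8(); }
    void xfrName(std::string& name) {
        name.clear();
        for (uint8_t len = get8(); len != 0; len = get8()) {
            if (len > 63) throw std::runtime_error("compression pointers not handled here");
            if (pos + len > in.size()) throw std::runtime_error("truncated label");
            name.append(in.begin() + pos, in.begin() + pos + len);
            name += '.';
            pos += len;
        }
        if (name.empty()) name = ".";
    }
};

struct ZoneWriter {                                     // memory -> zone text
    std::string out;
    void sep() { if (!out.empty()) out += ' '; }
    void xfr16(uint16_t v) { sep(); out += std::to_string(v); }
    void xfrIP(uint32_t v) {
        sep();
        for (int s = 24; s >= 0; s -= 8) out += std::to_string((v >> s) & 0xff) + (s ? "." : "");
    }
    void xfrName(const std::string& n) { sep(); out += n; }
};

struct ZoneReader {                                     // zone text -> memory
    std::istringstream in;
    explicit ZoneReader(const std::string& s) : in(s) {}
    void xfr16(uint16_t& v) {
        unsigned x;
        if (!(in >> x) || x > 65535) throw std::runtime_error("bad 16-bit number");
        v = static_cast<uint16_t>(x);
    }
    void xfrIP(uint32_t& v) {
        unsigned a, b, c, d; char dot;
        if (!(in >> a >> dot >> b >> dot >> c >> dot >> d) || (a | b | c | d) > 255)
            throw std::runtime_error("bad IPv4 address");
        v = (a << 24) | (b << 16) | (c << 8) | d;
    }
    void xfrName(std::string& n) { if (!(in >> n)) throw std::runtime_error("missing name"); }
};

// The record types: one xfrPacket() each is the whole implementation.
struct ARecordContent {
    uint32_t ip = 0;
    template <class Conv> void xfrPacket(Conv& c) { c.xfrIP(ip); }
};
struct MXRecordContent {
    uint16_t preference = 0;
    std::string exchange;
    template <class Conv> void xfrPacket(Conv& c) { c.xfr16(preference); c.xfrName(exchange); }
};

template <class R> std::vector<uint8_t> toWire(R r) { PacketWriter w; r.xfrPacket(w); return w.out; }
template <class R> std::string toZone(R r) { ZoneWriter z; r.xfrPacket(z); return z.out; }
template <class R> R fromZone(const std::string& s) { ZoneReader z(s); R r; r.xfrPacket(z); return r; }
template <class R> R fromWire(const std::vector<uint8_t>& b) {
    PacketReader p(b); R r; r.xfrPacket(p);
    if (p.pos != b.size()) throw std::runtime_error("trailing bytes in record");
    return r;
}

// zone text -> memory -> wire -> memory -> zone text
template <class R> std::string roundTrip(const std::string& zone) {
    return toZone(fromWire<R>(toWire(fromZone<R>(zone))));
}

// Malformed or truncated MX rdata must be rejected, never read past its end.
bool rejectsBadMX(const std::vector<uint8_t>& rdata) {
    try { fromWire<MXRecordContent>(rdata); return false; }
    catch (const std::runtime_error&) { return true; }
}
```

The real parser's conversions also handle compression pointers, the remaining base types (32-bit values, text, blobs) and the record length prefix; what does not change is that adding a record type means writing one xfrPacket() and nothing else.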
__________________________________________________________

12.7.5. The C++ Standard Library / Boost

C++ is a powerful language. Perhaps a bit too powerful at
times; you can turn a program into a real freakshow if you so

PowerDNS generally tries not to go overboard in this respect,
but we do build upon a very advanced part of the Boost C++
library: boost::multi_index_container.

This container provides the equivalent of SQL indexes on
multiple keys. It also implements compound keys, which PowerDNS

The main DNS cache is implemented as a multi_index_container
object, with a compound key on the name and type of a record.
Furthermore, the cache is sequenced: each time a record is
accessed it is moved to the end of the list. When cleanup is
performed, we start at the beginning. New records also get
inserted at the end. For DNS correctness, the sort order of the
cache is case insensitive.

The multi_index_container appears in other parts of PowerDNS,
and MTasker as well.
__________________________________________________________
12.7.6. Actual DNS Algorithm

The DNS RFCs do define the DNS algorithm, but you can't
actually implement it exactly that way; it was written in 1987.

Also, like what happened to HTML, it is expected that even
non-standards-conforming domains work, and a sizeable fraction
of them is misconfigured these days.

Everything begins with SyncRes::beginResolve(), which knows
nothing about sockets, and needs to be passed a domain name,
DNS type and DNS class which we are interested in. It returns a
vector of DNSResourceRecord objects, ready for writing either
into an answer packet, or for internal use.

After checking if the query is for any of the hardcoded domains
(localhost, version.bind, id.server), the query is passed to
SyncRes::doResolve, together with two vital parameters: the
depth and the beenthere set. As the word recursor implies, we
will need to recurse for answers. The depth parameter documents
how deep we've recursed already.

The beenthere set prevents loops. At each step, when a
nameserver is queried, it is added to the beenthere set. No
nameserver in the set will ever be queried again for the same
question in the recursion process - we know for a fact it won't
help us further. This prevents the process from getting stuck

SyncRes::doResolve first checks if there is a CNAME in cache,
using SyncRes::doCNAMECacheCheck, for the domain name and type
queried and if so, changes the query (which is passed by
reference) to the domain the CNAME points to. This is the cause
of many DNS problems: a CNAME record really means start over

This is followed by a call to SyncRes::doCacheCheck, which
consults the cache for a straight answer to the question (as
possibly rerouted by a CNAME). This function also consults the
so-called negative cache, but we won't go into that just yet.

If this function finds the correct answer, and the answer
hasn't expired yet, it gets returned and we are (almost) done.
This happens in 80 to 90% of all queries. Which is good, as
what follows is a lot of work.

1. beginResolve() - entry point, does checks for hardcoded
2. doResolve() - start of recursion process, gets passed depth
   of 0 and empty beenthere set
3. doCNAMECacheCheck() - check if there is a CNAME in cache
   which would reroute the query
4. doCacheCheck() - see if cache contains straight answer to
   possibly rerouted query.

If the data we were queried for was in the cache, we are almost
done. One final step, which might as well be optional as nobody
benefits from it, is SyncRes::addCruft. This function does
additional processing, which means that if the query was for
the MX record of a domain, we also add the IP address of the
__________________________________________________________
12.7.7. The non-cached case

This is where things get interesting, because we start out with
a nearly empty cache and have to go out to the net to get

The way DNS works, if you don't know the answer to a question,
you find somebody who does. Initially you have no other place
to go than the root servers. This is embodied in the
SyncRes::getBestNSNamesFromCache method, which gets passed the
domain we are interested in, as well as the depth and beenthere
parameters mentioned earlier.

From now on, assume our query will be for www.powerdns.com..
SyncRes::getBestNSNamesFromCache will first check if there are
NS records in cache for www.powerdns.com., but there won't be.
It then checks powerdns.com. NS, and while these records do
exist on the internet, the recursor doesn't know about them
yet. So, we go on to check the cache for com. NS, for which the
same holds. Finally we end up checking for . NS, and these we
do know about: they are the root servers and were loaded into
PowerDNS on startup.

So, SyncRes::getBestNSNamesFromCache fills out a set with the
names of nameservers it knows about for the . zone.

This set, together with the original query www.powerdns.com,
gets passed to SyncRes::doResolveAt. This function can't yet go
to work immediately though; it only knows the names of
nameservers it can try. This is like asking for directions and
instead of hearing "take the third right" you are told "go to
123 Fifth Avenue, and take a right" - the answer doesn't help
you further unless you know where 123 Fifth Avenue is.

SyncRes::doResolveAt first shuffles the nameservers both
randomly and in performance order. If it knows a nameserver was
fast in the past, it will get queried first. More about this

Ok, here is the part where things get a bit scary. How does
SyncRes::doResolveAt find the IP address of a nameserver? Well,
by calling SyncRes::getAs (get A records), which in turn
calls.. SyncRes::doResolve. Hang on! That's where we came from!
Massive potential for loops here. Well, it turns out that for
any domain which can be resolved, this loop terminates. We do
pass the beenthere set again, which makes sure we don't keep on
asking the same questions to the same nameservers.

Ok, SyncRes::getAs will give us the IP addresses of the chosen
root-server, because these IP addresses were loaded on startup.
We then ask these IP addresses (nameservers can have several)
for their best answer for www.powerdns.com.. This is done using
the LWRes class and specifically LWRes::asyncresolve, which
gets passed domain name, type and IP address. This function
interacts with MTasker and MPlexer above in ways which needn't
concern us now. When it returns, the LWRes object contains the
best answers the queried server had for our domain, which in
this case means it tells us about the nameservers of com., and

All the relevant answers it gives are stored in the cache (or
actually, merged), after which SyncRes::doResolveAt (which we
are still in) evaluates what to do now.

There are 6 options:

1. The final answer is in, we are done, return to
   SyncRes::doResolve and SyncRes::beginResolve
2. The nameserver we queried tells us the domain we asked for
   authoritatively does not exist. In case of the
   root-servers, this happens when we query for
   www.powerdns.kom. for example; there is no kom.. Return to
   SyncRes::beginResolve, we are done.
3. A lesser form - it tells us it is authoritative for the
   query we asked about, but there is no record matching our
   type. This happens when querying for the IPv6 address of a
   host which only has an IPv4 address. Return to
   SyncRes::beginResolve, we are done.
4. The nameserver passed us a CNAME to another domain, and we
   need to reroute. Go to SyncRes::doResolve for the new
5. The nameserver did not know about the domain, but does know
   who does, a referral. Stay within doResolveAt and loop to
   these new nameservers.
6. The nameserver replied saying no idea. This is called a
   lame delegation. Stay within SyncRes::doResolveAt and try
   the other nameservers we have for this domain.

When not redirected using a CNAME, this function will loop
until it has exhausted all nameservers and all their IP
addresses. DNS is surprisingly resilient: there is often
only a single non-broken nameserver left to answer queries, and
we need to be prepared for that.

This is the whole DNS algorithm in PowerDNS, all in less than
700 lines of code. It contains a lot of tricky bits though,
related to the cache.
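The walk from the root servers down to the answer, including the getAs() detour back into doResolve and the beenthere set that keeps it from looping, as an added example over a constructed in-memory internet. This is not PowerDNS's SyncRes: nameservers are identified by name rather than IP address, a glue table stands in for getAs(), the depth limit and every address are assumptions, and the six outcomes in the list above become the six cases of one switch. The constructed powerdns.com. zone deliberately has one dead nameserver without glue, so the run also shows the loop that the text calls scary being cut off by beenthere.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Added illustration of the SyncRes::doResolve / doResolveAt walk described
// above, run over a constructed in-memory "internet". Not PowerDNS's code:
// servers are identified by name, a glue table stands in for getAs(), and
// the depth limit and all addresses are assumptions.
enum class Kind { Answer, NxDomain, NxRRSet, CName, Referral, Lame };

struct Reply {
    Kind kind;
    std::string data;                          // rdata, CNAME target, or referred zone
    std::vector<std::string> ns;               // nameservers named in a referral
    std::map<std::string, std::string> glue;   // addresses delivered with the referral
};

class ToyResolver {
public:
    // server -> ("qname|qtype" exact question, or "zone|*" for a whole zone) -> reply
    std::map<std::string, std::map<std::string, Reply>> servers;
    std::map<std::string, std::vector<std::string>> nsCache{{".", {"a.root."}}};
    std::map<std::string, std::string> glue;   // root hints "loaded on startup"
    int queriesSent = 0;

    std::string lookup(const std::string& qname, const std::string& qtype) {   // beginResolve()
        std::set<std::string> beenthere;
        return resolve(qname, qtype, 0, beenthere);
    }

private:
    static std::string parent(const std::string& n) {
        size_t d = n.find('.');
        return (d == std::string::npos || d + 1 == n.size()) ? "." : n.substr(d + 1);
    }

    // getBestNSNamesFromCache(): climb from qname to the nearest zone with cached NS data.
    std::vector<std::string> bestNSFromCache(std::string name) const {
        for (;; name = parent(name)) {
            auto it = nsCache.find(name);
            if (it != nsCache.end()) return it->second;
            if (name == ".") return {};
        }
    }

    // getAs(): the server's address, via doResolve() again when no glue is known.
    // The shared beenthere set is what keeps this from looping forever.
    bool getAs(const std::string& ns, int depth, std::set<std::string>& beenthere) {
        if (glue.count(ns)) return true;
        std::string r = resolve(ns, "A", depth + 1, beenthere);
        if (r.rfind("A=", 0) != 0) return false;
        glue[ns] = r.substr(2);
        return true;
    }

    // What a server says: the exact question, else the closest enclosing zone
    // it has data for, else a lame answer.
    Reply ask(const std::string& ns, const std::string& qname, const std::string& qtype) const {
        Reply lame{Kind::Lame, "", {}, {}};
        auto s = servers.find(ns);
        if (s == servers.end()) return lame;
        auto q = s->second.find(qname + "|" + qtype);
        if (q != s->second.end()) return q->second;
        for (std::string z = qname;; z = parent(z)) {
            if ((q = s->second.find(z + "|*")) != s->second.end()) return q->second;
            if (z == ".") return lame;
        }
    }

    std::string resolve(const std::string& qname, const std::string& qtype, int depth,
                        std::set<std::string>& beenthere) {                 // doResolve()
        if (depth > 10) return "SERVFAIL(depth)";                          // assumed limit
        std::vector<std::string> nss = bestNSFromCache(qname);
        while (!nss.empty()) {                                             // doResolveAt()
            std::vector<std::string> referred;
            for (const std::string& ns : nss) {
                if (!beenthere.insert(ns + "|" + qname + "|" + qtype).second) continue; // asked before
                if (!getAs(ns, depth, beenthere)) continue;                // address unknown
                ++queriesSent;
                Reply r = ask(ns, qname, qtype);
                switch (r.kind) {
                case Kind::Answer:   return qtype + "=" + r.data;                        // 1
                case Kind::NxDomain: return "NXDOMAIN";                                  // 2
                case Kind::NxRRSet:  return "NXRRSET";                                   // 3
                case Kind::CName:    return resolve(r.data, qtype, depth + 1, beenthere); // 4
                case Kind::Referral:                                                     // 5
                    nsCache[r.data] = r.ns;
                    glue.insert(r.glue.begin(), r.glue.end());
                    referred = r.ns;
                    break;
                case Kind::Lame:     break;                                              // 6
                }
                if (!referred.empty()) break;   // loop again with the servers we were referred to
            }
            nss = referred;
        }
        return "SERVFAIL";   // every server exhausted
    }
};

// Constructed data: a root, a com. server, and powerdns.com. with one working
// nameserver and one dead one that has no glue and never answers.
ToyResolver buildToyInternet() {
    ToyResolver r;
    r.glue["a.root."] = "192.0.2.1";
    r.servers["a.root."]["com.|*"] = Reply{Kind::Referral, "com.", {"a.gtld."}, {{"a.gtld.", "192.0.2.2"}}};
    r.servers["a.root."]["kom.|*"] = Reply{Kind::NxDomain, "", {}, {}};
    r.servers["a.gtld."]["powerdns.com.|*"] = Reply{Kind::Referral, "powerdns.com.",
        {"dead.powerdns.com.", "ns1.powerdns.com."}, {{"ns1.powerdns.com.", "192.0.2.53"}}};
    auto& ns1 = r.servers["ns1.powerdns.com."];
    ns1["www.powerdns.com.|A"]    = Reply{Kind::CName, "web.powerdns.com.", {}, {}};
    ns1["web.powerdns.com.|A"]    = Reply{Kind::Answer, "192.0.2.10", {}, {}};
    ns1["web.powerdns.com.|AAAA"] = Reply{Kind::NxRRSet, "", {}, {}};
    return r;
}
```

Resolving www.powerdns.com. A on this data costs five queries: root, com., one wasted question to ns1 about the dead server's address, the CNAME answer, and the final A record; every other attempt to reach the dead server is refused by beenthere before a packet would be sent. A second lookup on the same object reuses the cached NS data and glue, which is the 80-90% case from the previous section.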
__________________________________________________________

12.7.8. Some of the things we glossed over

Whenever a packet is sent to a remote nameserver, the response
time is stored in the SyncRes::s_nsSpeeds map, using an
exponentially weighted moving average. This EWMA averages out
different response times, and also makes them decrease over
time. This means that a nameserver that hasn't been queried
recently gradually becomes faster in the eyes of PowerDNS,
giving it a chance again.

A timeout is accounted as a 1s response time, which should take
that server out of the running for a while.

Furthermore, queries are throttled. This means that each query
to a nameserver that has failed is accounted in the s_throttle
object. Before performing a new query, the query and the
nameserver are looked up via shouldThrottle. If so, the query
is assumed to have failed without even being performed. This
saves a lot of network traffic and makes PowerDNS quick to
respond to lame servers.

It also offers a modicum of protection against birthday attack
powered spoofing attempts, as PowerDNS will not inundate a
broken server with queries.

The negative query cache we mentioned earlier caches the cases
2 and 3 in the enumeration above. This data needs to be stored
separately, as it represents non-data. Each negcache query
entry is the name of the SOA record that was presented with the
evidence of non-existence. This SOA record is then retrieved
from the regular cache, but with the TTL that originally came
with the NXDOMAIN (case 2) or NXRRSET (case 3).
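The speed map and the throttle, as an added example that is not PowerDNS's s_nsSpeeds or s_throttle code. The decaying EWMA keeps one estimate per nameserver that both blends in new samples and fades toward zero while the server is left alone; a timeout is booked as a one-second answer. The throttle remembers that a particular question to a particular server failed and answers "assume failure" for a limited time or number of attempts without sending anything, which is the part that keeps a broken server from being flooded with retries, and with it the birthday-attack surface small. The 60-second time constant and the throttle parameters in the demo are assumptions.

```cpp
#include <algorithm>
#include <cmath>
#include <map>
#include <string>
#include <vector>

// Added illustration of the s_nsSpeeds EWMA and s_throttle ideas described
// above. Not PowerDNS's code; the 60 s time constant, the 1 s timeout
// penalty and the throttle parameters used in the demo are assumptions.
struct DecayingEwma {
    double value = 0;        // estimated response time in microseconds
    double lastUpdate = 0;   // simulated clock, seconds
    bool primed = false;

    // Blend in a new sample; the older the estimate, the less weight it keeps.
    void submit(double sampleMicros, double now) {
        double factor = primed ? std::exp(-(now - lastUpdate) / 60.0) : 0.0;
        value = value * factor + sampleMicros * (1.0 - factor);
        lastUpdate = now;
        primed = true;
    }
    // Reading without a sample: the estimate decays toward zero, so a server
    // that has not been queried for a while gradually looks fast again.
    double get(double now) const {
        return primed ? value * std::exp(-(now - lastUpdate) / 60.0) : 0.0;
    }
};

class NsSpeeds {
public:
    void submit(const std::string& ns, double micros, double now) { speeds_[ns].submit(micros, now); }
    // A timeout is booked as a one-second answer, pushing the server to the back.
    void timeout(const std::string& ns, double now) { submit(ns, 1000000.0, now); }
    double get(const std::string& ns, double now) const {
        auto it = speeds_.find(ns);
        return it == speeds_.end() ? 0.0 : it->second.get(now);
    }
    // Candidate order, fastest first (PowerDNS additionally shuffles randomly).
    std::vector<std::string> order(std::vector<std::string> nss, double now) const {
        std::stable_sort(nss.begin(), nss.end(), [&](const std::string& a, const std::string& b) {
            return get(a, now) < get(b, now);
        });
        return nss;
    }
private:
    std::map<std::string, DecayingEwma> speeds_;
};

class Throttle {
public:
    // Key is "server|qname|qtype": after a failure, that exact question to
    // that server counts as failed for 'seconds' or for 'tries' attempts.
    void throttle(const std::string& key, double now, double seconds, int tries) {
        entries_[key] = Entry{now + seconds, tries};
    }
    // shouldThrottle(): true means "assume failure, do not send the packet".
    bool shouldThrottle(const std::string& key, double now) {
        auto it = entries_.find(key);
        if (it == entries_.end()) return false;
        if (it->second.until < now || it->second.triesLeft <= 0) {
            entries_.erase(it);   // expired: let the server prove itself again
            return false;
        }
        --it->second.triesLeft;
        return true;
    }
private:
    struct Entry { double until; int triesLeft; };
    std::map<std::string, Entry> entries_;
};

bool approxEqual(double a, double b, double tol) { return std::fabs(a - b) <= tol; }

// Constructed scenario: one server answered in 20 ms, the other timed out.
std::vector<std::string> demoOrder() {
    NsSpeeds s;
    s.submit("192.0.2.1", 20000.0, 0.0);
    s.timeout("192.0.2.2", 0.0);
    return s.order({"192.0.2.2", "192.0.2.1"}, 0.0);
}
```

With a 1000 us estimate at t=0 and a 3000 us sample at t=60 the blend is 1000*e^-1 + 3000*(1-e^-1), about 2264 us; read again at t=120 without any new sample it has decayed to about 833 us.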
__________________________________________________________

12.7.9. The Recursor Cache

As mentioned before, the cache stores partial packets. It also
stores not the Time To Live of records, but in fact the Time To
Die. If the cache contains data, but it is expired, that data
should not be deemed present. This bit of PowerDNS has proven
tricky, leading to deadlocks in the past.

There are some other very tricky things to deal with. For
example, through a process called 'more details', a domain might
have more nameservers than listed in its parent zone. So, there
might only be two nameservers for powerdns.com. in the com.
zone, but the powerdns.com zone might list more.

This means that the cache should not, when talking to the com.
servers later on, overwrite these four nameservers with only
the two copies the com. servers pass us.

However, in other cases (like for example for SOA and CNAME
records), new data should overwrite old data.

Note that PowerDNS deviates from RFC 2181 (section 5.4.1) in
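The rules from this section, as an added example that is not the recursor's cache (which is a boost::multi_index_container storing partial packets): entries carry an absolute time-to-die rather than a TTL, an entry whose time has come is treated as absent and dropped, the key compares case-insensitively, an NS set learned from the zone's own servers is not overwritten by the smaller set the parent hands out, while CNAME and SOA data always overwrite. The names and timestamps are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Added illustration of the cache rules described above, not PowerDNS's
// cache: time-to-die instead of TTL, expired means absent, case-insensitive
// keys, and an NS set from the zone's own servers survives the parent's.
struct CacheEntry {
    std::vector<std::string> records;
    long ttd;            // absolute expiry (time to die), not a TTL
    bool fromChild;      // learned from the zone's own (authoritative) servers
};

class RecursorCache {
public:
    // Number of usable records; 0 when absent or expired (expired entries are dropped).
    size_t get(const std::string& name, const std::string& type, long now,
               std::vector<std::string>& out) {
        auto it = map_.find(key(name, type));
        if (it == map_.end()) return 0;
        if (it->second.ttd <= now) { map_.erase(it); return 0; }
        out = it->second.records;
        return out.size();
    }

    // Store records with a TTL, converting it to a time-to-die. Returns false
    // when the existing entry was deliberately kept.
    bool replace(const std::string& name, const std::string& type,
                 const std::vector<std::string>& records, long ttl, long now, bool fromChild) {
        std::string k = key(name, type);
        auto it = map_.find(k);
        if (it != map_.end() && it->second.ttd > now && type == "NS" &&
            it->second.fromChild && !fromChild)
            return false;   // keep the child zone's fuller NS set
        map_[k] = CacheEntry{records, now + ttl, fromChild};
        return true;
    }

    size_t size() const { return map_.size(); }

private:
    static std::string key(std::string name, const std::string& type) {
        std::transform(name.begin(), name.end(), name.begin(),
                       [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return name + "|" + type;
    }
    std::map<std::string, CacheEntry> map_;
};

// Constructed walk-through: two NS from com., four from the zone itself, then
// com.'s two again. Returns the NS count a case-insensitive lookup sees.
size_t demoNsNotOverwritten() {
    RecursorCache cache;
    std::vector<std::string> out;
    cache.replace("powerdns.com.", "NS", {"ns1.powerdns.com.", "ns2.powerdns.com."},
                  3600, 1000, false);                               // from com.
    cache.replace("powerdns.com.", "NS", {"ns1.powerdns.com.", "ns2.powerdns.com.",
                  "ns3.powerdns.com.", "ns4.powerdns.com."}, 3600, 1001, true); // from the zone
    cache.replace("powerdns.com.", "NS", {"ns1.powerdns.com.", "ns2.powerdns.com."},
                  3600, 1002, false);                               // com. again: kept out
    return cache.get("PowerDNS.COM.", "NS", 1003, out);
}
```

The real cache keeps the sequenced index described under 12.7.5 on top of this, so that cleanup can start from the least recently used end; the merge rule for NS data is the part that is easy to get wrong, because a naive "newest wins" silently shrinks the delegation every time the parent is consulted.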
__________________________________________________________

12.7.10. Some small things

The server-side part of PowerDNS (pdns_recursor.cc), which
listens to queries by end-users, is fully IPv6 capable using
the ComboAddress class. This class is in fact a union of a
struct sockaddr_in and a struct sockaddr_in6. As long as the
sin_family (or sin6_family) and sin_port members are in the
same place, this works just fine, allowing us to pass a
ComboAddress*, cast to a sockaddr*, to the socket functions. For
convenience, the ComboAddress also offers a length() method
which can be used to indicate the length - either
sizeof(sockaddr_in) or sizeof(sockaddr_in6).

Access to the recursor is governed through the NetmaskGroup
class, which internally contains Netmasks, which in turn contain
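The union trick, as an added example that is not PowerDNS's ComboAddress: one union of sockaddr_in and sockaddr_in6, a set() that parses either address family, the length() method from the text, and a cast to sockaddr* for the socket calls. The layout property the whole thing rests on is checked with static_assert rather than assumed. The loopback bind in the demo uses a constructed address and port 0.

```cpp
#include <arpa/inet.h>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <netinet/in.h>
#include <string>
#include <sys/socket.h>
#include <unistd.h>

// Added illustration of the ComboAddress idea: one union holding either a
// sockaddr_in or a sockaddr_in6, usable with the socket functions for both
// families because the family and port fields overlap. Not PowerDNS's code.
union ComboAddress {
    sockaddr_in sin4;
    sockaddr_in6 sin6;

    ComboAddress() { std::memset(this, 0, sizeof *this); }

    // Parse a textual IPv4 or IPv6 address; false if it is neither.
    bool set(const std::string& text, uint16_t port) {
        std::memset(this, 0, sizeof *this);
        if (inet_pton(AF_INET, text.c_str(), &sin4.sin_addr) == 1) {
            sin4.sin_family = AF_INET;
            sin4.sin_port = htons(port);
            return true;
        }
        if (inet_pton(AF_INET6, text.c_str(), &sin6.sin6_addr) == 1) {
            sin6.sin6_family = AF_INET6;
            sin6.sin6_port = htons(port);
            return true;
        }
        return false;
    }
    bool isIPv6() const { return sin4.sin_family == AF_INET6; }   // same offset in both members
    uint16_t port() const { return ntohs(sin4.sin_port); }        // likewise
    socklen_t length() const { return isIPv6() ? sizeof(sockaddr_in6) : sizeof(sockaddr_in); }
    const sockaddr* addr() const { return reinterpret_cast<const sockaddr*>(this); }
    std::string toString() const {
        char buf[INET6_ADDRSTRLEN];
        if (isIPv6()) inet_ntop(AF_INET6, &sin6.sin6_addr, buf, sizeof buf);
        else inet_ntop(AF_INET, &sin4.sin_addr, buf, sizeof buf);
        return buf;
    }
};

// The trick depends on a layout property; check it instead of assuming it.
static_assert(offsetof(sockaddr_in, sin_family) == offsetof(sockaddr_in6, sin6_family),
              "family offsets differ");
static_assert(offsetof(sockaddr_in, sin_port) == offsetof(sockaddr_in6, sin6_port),
              "port offsets differ");

// Bind a UDP socket to a constructed loopback address through the union and
// read the kernel-assigned port back into another ComboAddress.
bool demoBindLoopback(uint16_t& boundPort) {
    ComboAddress local;
    if (!local.set("127.0.0.1", 0)) return false;   // port 0: the kernel picks one
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return false;
    ComboAddress actual;
    socklen_t len = sizeof actual;
    bool ok = bind(fd, local.addr(), local.length()) == 0 &&
              getsockname(fd, reinterpret_cast<sockaddr*>(&actual), &len) == 0;
    close(fd);
    if (ok) boundPort = actual.port();
    return ok && !actual.isIPv6() && actual.toString() == "127.0.0.1";
}
```

Passing length() rather than sizeof(ComboAddress) matters: the union is as large as sockaddr_in6, and some kernels reject an IPv4 bind or connect whose address length is larger than sizeof(sockaddr_in).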
__________________________________________________________

Chapter 13. Master/Slave operation & replication

PDNS offers full master and slave semantics for replicating
domain information. Furthermore, PDNS can benefit from native
database replication.
__________________________________________________________

13.1. Native replication

Native replication is the default, unless other operation is
specifically configured. Native replication basically means
that PDNS will not send out DNS update notifications, nor will
it react to them. PDNS assumes that the backend is taking care
of replication unaided.

MySQL replication has proven to be very robust and well suited,
even over transatlantic connections between badly peering ISPs.
Other PDNS users employ Oracle replication which also works

To use native replication, configure your backend storage to do
the replication and do not configure PDNS to do so.
__________________________________________________________

13.2. Slave operation

On launch, PDNS requests from all backends a list of domains
which have not been checked recently for changes. This should
happen every 'refresh' seconds, as specified in the SOA record.
All domains that are unfresh are then checked for changes over
at their master. If the SOA serial number there is higher, the
domain is retrieved and inserted into the database. In any
case, after the check the domain is declared 'fresh', and will
only be checked again after 'refresh' seconds have passed.

Slave support is OFF by default; turn it on by adding slave to
the configuration. The same holds for master operation. Both
can be on simultaneously.

PDNS also reacts to notifies by immediately checking if the
zone has updated and if so, retransferring it.

All backends which implement this feature must make sure that
they can handle transactions so as to not leave the zone in a
half-updated state. MySQL configured with either BerkeleyDB or
InnoDB meets this requirement, as do PostgreSQL and Oracle. The
Bindbackend implements transaction semantics by renaming files
if and only if they have been retrieved completely and parsed

Slave operation can also be programmed using several
pdns_control commands, see Section B.1.1. The 'retrieve'
command is especially useful as it triggers an immediate
retrieval of the zone from the configured master.

Since 2.9.21, PowerDNS supports multiple masters. For the BIND
backend, the native BIND configuration language suffices to
specify multiple masters; for SQL based backends, list all
master servers separated by commas in the 'master' field of the
__________________________________________________________

13.2.1. Supermaster automatic provisioning of slaves

PDNS can recognize so-called 'supermasters'. A supermaster is a
host which is master for domains and for which we are to be a
slave. When a master (re)loads a domain, it sends out a
notification to its slaves. Normally, such a notification is
only accepted if PDNS already knows that it is a slave for a

However, a notification from a supermaster carries more
persuasion. When PDNS determines that a notification comes from
a supermaster and it is bona fide, PDNS can provision the domain
automatically, and configure itself as a slave for that zone.

Before a supermaster notification succeeds, the following
conditions must be met:

* The supermaster must carry a SOA record for the notified
* The supermaster IP must be present in the 'supermaster'
* The set of NS records for the domain, as retrieved by the
  slave from the supermaster, must include the name that goes
  with the IP address in the supermaster table

So, to benefit from this feature, a backend needs to know about
the IP address of the supermaster, and how PDNS will be listed
in the set of NS records remotely, and the 'account' name of
your supermaster. There is no need to fill the account name out
but it does help keep track of where a domain comes from.
__________________________________________________________
13.3. Master operation

When operating as a master, PDNS sends out notifications of
changes to slaves, which react to these notifications by
querying PDNS to see if the zone changed, and transferring its
contents if it has. Notifications are a way to promptly
propagate zone changes to slaves, as described in RFC 1996.

Master support is OFF by default; turn it on by adding master
to the configuration. The same holds for slave operation. Both
can be on simultaneously.

Left open by RFC 1996 is who is to be notified - which is
harder to figure out than it sounds. All slaves for this domain
must receive a notification but the nameserver only knows the
names of the slaves - not the IP addresses, which is where the
problem lies. The nameserver itself might be authoritative for
the name of its secondary, but not have the data available.

To resolve this issue, PDNS tries multiple tactics to figure
out the IP addresses of the slaves, and notifies everybody. In
contrived configurations this may lead to duplicate
notifications being sent out, which shouldn't hurt.

Some backends may be able to detect zone changes, others may
choose to let the operator indicate which zones have changed
and which haven't. Consult the documentation for your backend
to see how it processes changes in zones.

To help deal with slaves that may have missed notifications, or
have failed to respond to them, several override commands are
available via the pdns_control tool (Section B.1.1):

pdns_control notify domain
        This instructs PDNS to notify all IP addresses it
        considers to be slaves of this domain.

pdns_control notify-host domain ip-address
        This is truly an override and sends a notification to an
        arbitrary IP address. Can be used in 'also-notify'
        situations or when PDNS has trouble figuring out who to
        notify - which may happen in contrived configurations.
__________________________________________________________
Chapter 14. Fancy records for seamless email and URL integration

PDNS also supports so-called 'fancy' records. A Fancy Record is
actually not a DNS record, but it is translated into one.
Currently, two fancy records are implemented, but not very
useful without additional unreleased software. For
completeness, they are listed here. The software will become
available later on and is part of the Express and PowerMail

These records imply extra database lookups which have a
performance impact. Therefore fancy records are only queried
for if they are enabled with the fancy-records command in

        This record denotes an email forward. A typical entry

        support@yourdomain.com MBOXFW you@yourcompany.

        When PDNS encounters a request for an MX record for
        yourdomain.com it will, if fancy records are enabled,
        also check for the existence of an MBOXFW record ending
        on '@yourdomain.com', in which case it will hand out a
        record containing the configured smtpredirector. This
        server should then also be able to access the PDNS
        database to figure out where mail to
        support@yourdomain.com should go to.

        URL records work in much the same way, but for HTTP. A

        yourdomain.com URL http://somewhere.else.com/y

        A URL record is converted into an A record containing
        the IP address configured with the urlredirector
        setting. On that IP address a webserver should live that
        knows how to redirect yourdomain.com to
        http://somewhere.else.com/yourdomain.
__________________________________________________________
6970 Chapter 15. Index of all Authoritative Server settings
6972 All PDNS Authoritative Server settings are listed here,
6973 excluding those that originate from backends, which are
6974 documented in the relevant chapters.
6977 Behaviour pre 2.9.10: When not allowing AXFR
6978 (disable-axfr), DO allow from these IP addresses or
6981 Behaviour post 2.9.10: If set, only these IP addresses
6982 or netmasks will be able to perform AXFR.
6985 By specifying allow-recursion, recursion can be
6986 restricted to netmasks specified. The default is to
6987 allow recursion from everywhere. Example:
6988 allow-recursion=192.168.0.0/24, 10.0.0.0/8, 1.2.3.4.
6990 allow-recursion-override=on|off
6991 By specifying allow-recursion-override, local data even
6992 about hosts that don't exist will override the internet.
6993 This allows you to generate zones that don't really
6994 exist on the internet. Does increase the number of SQL
6995 queries for hosts that truly don't exist, also not in
6999 Seconds to store packets in the PacketCache. See Section
7003 If set, chroot to this directory for more security. See
7007 Location of configuration directory (pdns.conf)
7010 Name of this virtual configuration - will rename the
7011 binary image. See Chapter 8.
7014 Debugging switch - don't use.
7019 default-soa-name=...
7020 name to insert in the SOA record if none set in the
7024 Do not allow zone transfers. Before 2.9.10, this could
7025 be overridden by allow-axfr-ips.
7028 Do not listen to TCP queries. Breaks RFC compliance.
7030 distributor-threads=...
7031 Default number of Distributor (backend) threads to
7032 start. See Chapter 9.
7034 do-ipv6-additional-processing=...
7035 Perform AAAA additional processing.
7038 Process URL and MBOXFW records. See Chapter 14.
7040 guardian | --guardian=yes | --guardian=no
7041 Run within a guardian process. See Section B.2.
7044 Provide a helpful message
7047 Which backends to launch and order to query them in. See
7051 On by default as of 2.1. Checks local data first before
7052 recursing. See Chapter 11.
7055 Load this module - supply absolute or relative path. See
7059 Local IP address to which we bind. You can specify
7060 multiple addresses separated by commas or whitespace. It
7061 is highly advised to bind to specific interfaces and not
7062 use the default 'bind to any'. This causes big problems
7063 if you have multiple IP addresses. Unix does not provide
7064 a way of figuring out what IP address a packet was sent
7065 to when binding to any.
7068 Local IPv6 address to which we bind. You can specify
7069 multiple addresses separated by commas or whitespace.
7072 The port on which we listen. Only one port possible.
7074 log-failed-updates=...
7075 If set to 'no', failed Windows Dynamic Updates will not
7079 If set to 'no', informative-only DNS details will not
7080 even be sent to syslog, improving performance. Available
7081 from 2.5 and onwards.
7083 logging-facility=...
7084 If set to a digit, logging is performed under this LOCAL
7085 facility. See Section 6.3. Available from 1.99.9 and
7086 onwards. Do not pass names like 'local0'!
7089 Amount of logging. Higher is more. Do not set below 3
7092 Turn on master support. Boolean.
7095 Maximum number of cache entries. 1 million will
7096 generally suffice for most installations. Available
7099 max-queue-length=...
7100 If this many packets are waiting for database attention,
7101 consider the situation hopeless and respawn.
7103 max-tcp-connections=...
7104 Allow this many incoming TCP DNS connections
7108 Default directory for modules. See Section B.3.
7110 negquery-cache-ttl=...
7111 Seconds to store queries with no answer in the Query
7112 Cache. See Section 9.3.2.
7115 Do not attempt to read the configuration file.
7118 Do not attempt to shuffle query results.
7121 This is the server ID that will be returned on an EDNS
7122 NSID query. Defaults to the host name.
7124 out-of-zone-additional-processing |
7125 --out-of-zone-additional-processing=yes |
7126 --out-of-zone-additional-processing=no
7127 Do out of zone additional processing. This means that if
7128 a malicious user adds a '.com' zone to your server, it
7129 is not used for other domains and will not contaminate
7130 answers. Do not enable this setting if you run a public
7131 DNS service with untrusted users. Off by default.
7134 Seconds to store queries with an answer in the Query
7135 Cache. See Section 9.3.2.
7137 query-local-address=...
7138 The IP address to use as a source address for sending
7139 queries. Useful if you have multiple IPs and pdns is not
7140 bound to the IP address your operating system uses by
7141 default for outgoing packets.
7143 query-logging | query-logging=yes | query-logging=no
7144 Hints to a backend that it should log a textual
7145 representation of queries it performs. Can be set at
7149 Maximum number of milliseconds to queue a query. See
7152 recursive-cache-ttl=...
7153 Seconds to store recursive packets in the PacketCache.
7157 If set, recursive queries will be handed to the recursor
7158 specified here. See Chapter 11.
7160 send-root-referral | --send-root-referral=yes |
7161 --send-root-referral=no | --send-root-referral=lean
7162 If set, PowerDNS will send out old-fashioned
7163 root-referrals when queried for domains for which it is
7164 not authoritative. Wastes some bandwidth but may solve
7165 incoming query floods if domains are delegated to you
7166 for which you are not authoritative, but which are
7167 queried by broken recursors. Available since 2.9.19.
7169 Since 2.9.21, it is possible to specify 'lean' root
7170 referrals, which waste less bandwidth.
7173 If set, change group id to this gid for more security.
7177 If set, change user id to this uid for more security.
7180 skip-cname | --skip-cname=yes | --skip-cname=no
7181 Do not perform CNAME indirection for each query. Has
7182 performance implications. See Chapter 7.
7184 slave-cycle-interval=60
7185 Schedule slave up-to-date checks of domains whose status
7186 is unknown every .. seconds. See Chapter 14.
7189 Our smtpredir MX host. See Chapter 14.
7191 soa-expire-default=604800
7194 soa-minimum-ttl=3600
7195 Default SOA minimum ttl.
7197 soa-refresh-default=10800
7198 Default SOA refresh.
7200 soa-retry-default=3600
7203 soa-serial-offset=...
7204 If your database contains single-digit SOA serials and
7205 you need to host .DE domains, this setting can help
7206 placate their 6-digit SOA serial requirements. Suggested
7207 value is to set this to 1000000 which adds 1000000 to
7208 all SOA Serials under that offset.
7211 Where the controlsocket will live. See Section B.1.
7213 strict-rfc-axfrs | --strict-rfc-axfrs=yes |
7214 --strict-rfc-axfrs=no
7215 Perform strictly RFC conformant AXFRs, which are slow,
7216 but needed to placate some old client tools.
7219 Where we send hosts to that need to be url redirected.
7222 version-string=anonymous|powerdns|full|custom
7223 When queried for its version over DNS (dig chaos txt
7224 version.bind @pdns.ip.address), PowerDNS normally
7225 responds truthfully. With this setting you can overrule
7226 what will be returned. Set the version-string to 'full'
7227 to get the default behaviour, to 'powerdns' to just make
7228 it state 'served by PowerDNS - http://www.powerdns.com'.
7229 The 'anonymous' setting will return a ServFail, much
7230 like Microsoft nameservers do. You can set this response
7231 to a custom value as well.
7233 webserver | --webserver=yes | --webserver=no
7234 Start a webserver for monitoring. See Chapter 6.
7236 webserver-address=...
7237 IP Address of webserver to listen on. See Chapter 6.
7239 webserver-password=...
7240 Password required for accessing the webserver. See
7244 Port of webserver to listen on. See Chapter 6.
7247 Check for wildcard URL records.
7250 Honor wildcards in the database. On by default. Turning
7251 this off has performance implications, see Chapter 9.
7252 __________________________________________________________
7254 Chapter 16. Index of all Authoritative Server metrics
7256 16.1. Counters & variables
7258 A number of counters and variables are set during PDNS
7259 Authoritative Server operation. These can be queried with the
7260 init.d dump, show and mrtg commands, or viewed with the
7262 __________________________________________________________
7267 Number of corrupt packets received
7270 Average number of microseconds a packet spends within
7274 Number of packets which were answered out of the cache
7277 Number of times a packet could not be answered out of
7281 Number of packets in the packetcache
7284 Size of the queue before the transmitting socket.
7287 Number of packets waiting for database attention
7290 Number of packets that could not be answered due to
7294 Number of answers sent out over TCP
7297 Number of questions received over TCP
7300 Number of packets that were dropped because they had to
7301 wait too long internally
7304 Number of answers sent out over UDP
7307 Number of questions received over UDP
7308 __________________________________________________________
7310 16.1.2. Ring buffers
7312 Besides counters, PDNS also maintains the ringbuffers. A
7313 ringbuffer records events: each new event gets a place in the
7314 buffer until it is full. When full, earlier entries get
7315 overwritten, hence the name 'ring'.
7317 By counting the entries in the buffer, statistics can be
7318 generated. These statistics can currently only be viewed using
7319 the webserver and are in fact not even collected without the
7322 The following ringbuffers are available:
7324 Log messages (logmessages)
7327 Queries for existing records but for a type we don't have
7329 Queries for, say, the AAAA record of a domain, when only
7330 an A is available. Queries are listed in the following
7331 format: name/type. So an AAAA query for pdns.powerdns.com
7332 looks like pdns.powerdns.com/AAAA.
7334 Queries for non-existing records within existing
7335 domains (nxdomain-queries)
7336 If PDNS knows it is authoritative over a domain, and it
7337 sees a question for a record in that domain that does
7338 not exist, it is able to send out an authoritative 'no
7339 such domain' message. Indicates that hosts are trying to
7340 connect to services really not in your zone.
7342 UDP queries received (udp-queries)
7343 All UDP queries seen.
7345 Remote server IP addresses (remotes)
7346 Hosts querying PDNS. Be aware that UDP is anonymous -
7347 person A can send queries that appear to be coming from
7350 Remotes sending corrupt packets (remote-corrupts)
7351 Hosts sending PDNS broken packets, possibly meant to
7352 disrupt service. Be aware that UDP is anonymous - person
7353 A can send queries that appear to be coming from person
7356 Remotes querying domains for which we are not auth
7358 It may happen that there are misconfigured hosts on the
7359 internet which are configured to think that a PDNS
7360 installation is in fact a resolving nameserver. These
7361 hosts will not get useful answers from PDNS. This buffer
7362 lists hosts sending queries for domains which PDNS does
7365 Queries that could not be answered due to backend errors
7367 For one reason or another, a backend may be unable to
7368 extract answers for a certain domain from its storage.
7369 This may be due to a corrupt database or to inconsistent
7370 data. When this happens, PDNS sends out a 'servfail'
7371 packet indicating that it was unable to answer the
7372 question. This buffer shows which queries have been
7375 Queries for domains that we are not authoritative for
7377 If a domain is delegated to a PDNS instance, but the
7378 backend is not made aware of this fact, questions come
7379 in for which no answer is available, nor is the
7380 authority. Use this ringbuffer to spot such queries.
7381 __________________________________________________________
7383 Chapter 17. Supported record types and their storage
7385 This chapter lists all record types PDNS supports, and how they
7386 are stored in backends. The list is mostly alphabetical but
7387 some types are grouped.
7389 The PowerDNS Recursor can serve and store all record types,
7390 regardless of whether these are explicitly supported.
7393 The A record contains an IP address. It is stored as a
7394 decimal dotted quad string, for example:
7398 The AAAA record contains an IPv6 address. An example:
7399 '3ffe:8114:2000:bf0::1'.
7401 AFSDB (since 2.9.21)
7402 Specialised record type for the 'Andrew Filesystem'.
7403 Stored as: '#subtype hostname', where subtype is a
7407 Specialised record type for storing certificates,
7408 defined in RFC 2538.
7411 The CNAME record specifies the canonical name of a
7412 record. It is stored plainly. Like all other records, it
7413 is not terminated by a dot. A sample might be
7414 'webserver-01.yourcompany.com'.
7416 DNSKEY (since 2.9.21)
7417 The DNSKEY DNSSEC record type is fully supported, as
7418 described in RFC 3757. Note that while PowerDNS can
7419 store, retrieve and serve DNSSEC records, no further
7420 DNSSEC processing is performed.
7423 The DS DNSSEC record type is fully supported, as
7424 described in RFC 3757. Note that while PowerDNS can
7425 store, retrieve and serve DNSSEC records, no further
7426 DNSSEC processing is performed.
7429 Hardware Info record, used to specify CPU and operating
7430 system. Stored with a single space separating these two,
7431 example: 'i386 Linux'.
7434 The KEY record is fully supported. For its syntax, see
7438 The LOC record is fully supported. For its syntax, see
7439 RFC 1876. A sample content would be: '51 56 0.123 N 5 54
7440 0.000 E 4.00m 1.00m 10000.00m 10.00m'
7443 The MX record specifies a mail exchanger host for a
7444 domain. Each mail exchanger also has a priority or
7445 preference. This should be specified in the separate
7446 field dedicated for that purpose, often called 'prio'.
7449 Naming Authority Pointer, RFC 2915. Stored as follows:
7451 '100 50 "s" "z3950+I2L+I2C" "" _z3950._tcp.gatech.
7454 The fields are: order, preference, flags, service,
7455 regex, replacement. Note that the replacement is not
7456 enclosed in quotes, and should not be. The replacement
7457 may be omitted, in which case it is empty. See also RFC
7458 2916 for how to use NAPTR for ENUM (E.164) purposes.
7461 Nameserver record. Specifies nameservers for a domain.
7462 Stored plainly: 'ns1.powerdns.com', as always without a
7466 The NSEC DNSSEC record type is fully supported, as
7467 described in RFC 3757. Note that while PowerDNS can
7468 store, retrieve and serve DNSSEC records, no further
7469 DNSSEC processing is performed.
7472 Reverse pointer, used to specify the host name belonging
7473 to an IP or IPv6 address. Name is stored plainly:
7474 'www.powerdns.com'. As always, no terminating dot.
7477 Responsible Person record, as described in RFC 1183.
7478 Stored with a single space between the mailbox name and
7479 the more-information pointer. Example
7480 'peter.powerdns.com peter.people.powerdns.com', to
7481 indicate that peter@powerdns.com is responsible and that
7482 more information about peter is available by querying
7483 the TXT record of peter.people.powerdns.com.
7485 RRSIG (since 2.9.21)
7486 The RRSIG DNSSEC record type is fully supported, as
7487 described in RFC 3757. Note that while PowerDNS can
7488 store, retrieve and serve DNSSEC records, no further
7489 DNSSEC processing is performed.
7492 The Start of Authority record is one of the most complex
7493 available. It specifies a lot about a domain: the name
7494 of the master nameserver ('the primary'), the hostmaster
7495 and a set of numbers indicating how the data in this
7496 domain expires and how often it needs to be checked.
7497 Furthermore, it contains a serial number which should
7498 rise on each change of the domain.
7500 The stored format is:
7502 primary hostmaster serial refresh retry expire default_t
7505 Besides the primary and the hostmaster, all fields are
7506 numerical. PDNS has a set of default values:
7508 Table 17-1. SOA fields
7510 primary       default-soa-name configuration option
7511 hostmaster    hostmaster@domain-name
7513 refresh       10800 (3 hours)
7515 expire        604800 (1 week)
7516 default_ttl   3600 (1 hour)
7518 The fields have complicated and sometimes controversial
7519 meanings. The 'serial' field is special. If left at 0,
7520 the default, PDNS will perform an internal listing of the
7521 domain to determine the highest change_date field of all
7522 records within the zone, and use that as the zone serial
7523 number. This means that the serial number is always
7524 raised when changes are made to the zone, as long as the
7525 change_date field is being set.
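An added example (not PowerDNS's own code) that parses the stored SOA content string described here, fills in the defaults of Table 17-1, derives the serial from change_date when the stored serial is 0, and applies the soa-serial-offset rule from the settings chapter. The domain name, nameserver names and change_date values are constructed; the hostmaster default follows the table's 'hostmaster@domain-name' form.

```python
# Added example, not PowerDNS code: the stored SOA layout is
# 'primary hostmaster serial refresh retry expire default_ttl'.
FIELDS = ("primary", "hostmaster", "serial", "refresh", "retry", "expire", "default_ttl")

# Numeric defaults from Table 17-1; retry comes from the soa-retry-default
# setting (3600) because its table row is not reproduced on this page.
DEFAULTS = {"serial": 0, "refresh": 10800, "retry": 3600,
            "expire": 604800, "default_ttl": 3600}


def parse_soa(content, domain, default_soa_name, change_dates=()):
    """Return the seven SOA fields as a dict with defaults filled in.

    content:          the stored content string (may omit trailing fields)
    domain:           the zone name, used for the hostmaster default
    default_soa_name: value of the default-soa-name configuration option
    change_dates:     change_date values of the zone's records (constructed
                      input); when the stored serial is 0 the highest one
                      becomes the serial, as the text above describes.
    """
    parts = content.split()
    if len(parts) > len(FIELDS):
        raise ValueError("SOA content has more than %d fields" % len(FIELDS))
    soa = dict(zip(FIELDS, parts))
    soa.setdefault("primary", default_soa_name)
    soa.setdefault("hostmaster", "hostmaster@" + domain)
    for name, default in DEFAULTS.items():
        value = soa.get(name)
        if value is None:
            soa[name] = default
        elif value.isdigit():
            soa[name] = int(value)
        else:  # refuse junk rather than serving a malformed SOA
            raise ValueError("SOA field %s must be numeric, got %r" % (name, value))
    if soa["serial"] == 0 and change_dates:
        soa["serial"] = max(change_dates)
    return soa


def apply_serial_offset(serial, offset):
    """soa-serial-offset: add the offset to every serial that lies below it,
    so that single-digit serials reach the six digits some registries demand."""
    return serial + offset if serial < offset else serial


if __name__ == "__main__":
    zone = parse_soa("ns1.example.com", "example.com", "ns0.example.net",
                     change_dates=(2024010101, 2024010102))
    print(zone)
    print(apply_serial_offset(7, 1000000))
```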
7528 SPF records can be used to store Sender Permitted From
7531 SSHFP (since 2.9.21)
7532 The SSHFP record type, used for storing Secure Shell
7533 (SSH) fingerprints, is fully supported. A sample from
7535 123456789abcdef67890123456789abcdef67890'.
7538 SRV records can be used to encode the location and port
7539 of services on a domain name. When encoding, the
7540 priority field is used to encode the priority. For
7541 example, '_ldap._tcp.dc._msdcs.conaxis.ch SRV 0 100 389
7542 mars.conaxis.ch' would be encoded with 0 in the priority
7543 field and '100 389 mars.conaxis.ch' in the content
7547 The TXT field can be used to attach textual data to a
7548 domain. Text is stored plainly.
7549 __________________________________________________________
7551 Chapter 18. HOWTO & Frequently Asked Questions
7553 This chapter contains a number of FAQs and HOWTOs.
7554 __________________________________________________________
7556 18.1. Getting support, free and paid FAQ
7558 PowerDNS is an open source program so you may get help from the
7559 PowerDNS users' community or from its authors. You may also
7560 help others (please do).
7562 The PowerDNS company provides free support on the public
7563 mailing lists, and can help or support you in private as well.
7564 For first class and rapid support, please contact
7567 More information about the PowerDNS community, and its mailing
7568 lists, can be found on its Wiki.
7570 Below, please find a list of common questions asked on our
7571 public mailing lists.
7574 A: Please try harder :-) Specifically, before people
7575 will be able to help you, they need to know a lot about
7576 your system. If you list more details, chances are
7577 you'll get better answers.
7579 Q: I have a question, what details should I supply?
7580 A: Start out with stating what you think should be
7581 happening. Quite often, wrong expectations are the
7582 actual problem. Furthermore, which database backend you
7583 use, your operating system, which version of PowerDNS
7584 you use and where you got it from (RPM, .DEB, tar.gz).
7585 If you compiled it yourself, what were the ./configure
7588 If at *all* possible, supply the actual name of your
7589 domain and the IP address of your server(s).
7591 Q: Where should I send my question?
7592 A: To a mailinglist. Please email the authors directly
7593 only if you previously entered a support contract with
7594 them, or are considering doing so. For mailing list
7595 details, see the mailinglists page.
7597 Questions about using PowerDNS should be sent to the
7598 pdns-users list, questions about compiler errors or
7599 feature requests to pdns-dev.
7601 Before posting, read all FAQs.
7603 Q: My information is confidential, must I send it to the
7605 If you desire privacy, please consider entering a
7606 support relationship with us, in which case you can
7607 email <pdns.bd@trilab.com>.
7608 __________________________________________________________
7610 18.2. Using and Compiling PowerDNS FAQ
7612 In the course of compiling and using PowerDNS, many questions
7613 may arise. Here are some we've heard earlier or questions we
7614 expect people may have. Please read this list before mailing
7617 If you don't see your question answered here, please check out
7618 the Wiki FAQ, but do note that it is user-editable and not
7619 under our constant control.
7621 Q: I get this entry a lot of times in my log file:
7622 Authoritative empty NO ERROR to 1.2.3.4 for
7623 'powerdns.nl' (AAAA)..
7624 As the name implies, this is not an error. It tells you
7625 there are questions for a domain which exists in your
7626 database, but for which no record of the requested type
7627 exists. To get rid of this error, add
7628 log-dns-details=off to your configuration.
7630 Q: Can I launch multiple backends simultaneously?
7631 A: You can. This might for example be useful to keep an
7632 existing BIND configuration around but to store new
7633 zones in, say MySQL. The syntax to use is
7634 'launch=bind,gmysql'.
7636 Q: PowerDNS does not give authoritative answers, how come?
7637 A: This is almost always not the case. An authoritative
7638 answer is recognized by the 'AA' bit being set. Many
7639 tools prominently print the number of Authority records
7640 included in an answer, leading users to conclude that
7641 the absence or presence of these records indicates the
7642 authority of an answer. This is not the case.
7644 Verily, many misguided country code domain operators
7645 have fallen into this trap and demand authority records,
7646 even though these are fluff and quite often misleading.
7647 Invite such operators to look at section 6.2.1 of RFC
7648 1034, which shows a correct authoritative answer without
7649 authority records. In fact, none of the non-deprecated
7650 authoritative answers shown have authority records!
7652 Sorry for sounding like DJB on this, but we get so many
7653 misguided questions about authority..
7655 Q: Which backend should I use? There are so many!
7656 A: If you have no external constraints, the Generic
7657 MySQL (gmysql) and Generic PostgreSQL (gpgsql) ones are
7658 probably the most used and complete. By all means do not
7659 use the non-generic MySQL backend, which is deprecated
7660 and only available for older installations.
7662 The Oracle backend also has happy users, we know of no
7663 deployments of the DB2 backend. The BIND backend is
7664 pretty capable too in fact, but many prefer a relational
7667 Q: I'm trying to build from SVN but I get lots of weird errors!
7668 A: Read the 'HACKING' file, it lists the build
7669 requirements (mostly autoconf, automake, libtool). In
7670 many cases, it may be easier to build from the source
7671 distribution though. More information for developers is
7672 available on the PowerDNS Open Source Community Wiki.
7674 Q: When compiling I get errors about 'sstream' and
7675 'ostringstream', or BITSPERCHAR
7676 A: Your gcc is too old. Versions 2.95.2 and older are
7677 not supported. Many distributions have improved gcc
7678 2.95.2 with an ostringstream implementation, in which
7679 case their 2.95.2 is also supported.
7681 Q: PowerDNS crashes when I install the pdns-static .deb on
7683 A: Indeed. Install the .debs that come with Debian or
7684 recompile PowerDNS yourself. If not using MySQL, the
7685 crashes will go away if you remove setuid and setgid
7686 statements from the configuration.
7688 Q: Why don't my slaves act on notifications and transfer my
7690 A: Raise the serial number of your zone. In most
7691 backends, this is the first number of the SOA contents
7692 field. If this number is lower than or equal to that on a
7693 slave, it will not consider your zone updated.
7695 Q: Master or Slave support is not working, PDNS is not picking
7697 A: The Master/Slave apparatus is off by default. Turn it
7698 on by adding a slave and/or master statement to the
7699 configuration file. Also, check that the configured
7700 backend is master or slave capable.
7702 Q: My masters won't allow PowerDNS to access zones as it is
7703 using the wrong local IP address
7704 A: Mark Bergsma contributed the query-local-address
7705 setting to tell PowerDNS which local IP address to use.
7707 Q: I compiled PowerDNS myself and I see weird problems,
7709 A: There are known issues between gcc <3.2 and PowerDNS
7710 on Linux SMP systems. The exact cause is not known but
7711 moving to our precompiled version always fixes the
7712 problems. If you compile yourself, use a recent gcc!
7714 Q: I see this a lot: Backend error: Failed to execute
7715 mysql_query, perhaps connection died?
7716 A: Check your MySQL timeout, it may be set too low. This
7717 can be changed in the my.cnf file.
7719 Q: PowerDNS does not answer queries on all my IP addresses and
7720 I've ignored the warning I got about that at startup
7721 A: Please don't ignore what PowerDNS says to you.
7722 Furthermore, read Chapter 15 about the local-address
7723 setting, and use it to specify which IP addresses
7724 PowerDNS should listen on.
7726 Q: Can I use a MySQL database with the Windows version of
7728 A: You can. MySQL support is supplied through the ODBC
7729 backend, which is compiled into the main binary. So if
7730 you want to use MySQL you can change the pdns.conf file,
7731 which is located in the PowerDNS for Windows directory,
7732 to use the correct ODBC data sources. If you don't know
7733 how to use ODBC with MySQL:
7735 + Download MyODBC from http://www.mysql.com/
7736 + Install the MySQL ODBC driver.
7738 Then you can follow the instructions located in Chapter
7739 3. But instead of selecting the Microsoft Access Driver
7740 you select the MySQL ODBC Driver and configure it to use
7741 your MySQL database.
7745 For other databases for which an ODBC driver is available, the
7746 procedure is the same as this example.
7747 __________________________________________________________
7749 18.3. Backend developer HOWTO
7751 Writing backends without access to the full PDNS source means
7752 that you need to write code that can be loaded by PDNS at
7753 runtime. This in turn means that you need to use the same
7754 compiler that we do.
7756 Furthermore, your pdns_server executable must be dynamically
7757 linked. The default .rpm PDNS contains a static binary so you
7758 need to retrieve the dynamic rpm or the dynamic tar.gz or the
7759 Debian unstable ('Woody') deb. FreeBSD dynamic releases are
7762 Q: Will PDNS drivers work with other PDNS versions than they
7764 A: 'Probably'. We make no guarantees. Efforts have been
7765 made to keep the interface between the backend and PDNS
7766 as thin as possible. For example, a backend compiled
7767 with the 1.99.11 backend development kit works with
7768 1.99.10. But don't count on it. We will notify when we
7769 think an incompatible API change has occurred but you are
7770 best off recompiling your driver for each new PDNS
7773 Q: What is in that DNSPacket * pointer passed to lookup!
7774 A: For reasons outlined above, you should treat that
7775 pointer as opaque and only access it via the getRemote()
7776 functions made available and documented above. The
7777 DNSPacket class changes a lot and this level of
7778 indirection allows for greater changes to be made
7779 without changing the API to the backend coder.
7781 Q: How is the PowerDNS Open Source Backend Development Kit
7783 A: MIT X11, a very liberal license permitting basically
7786 Q: Can I release the backend I wrote?
7787 A: Please do! If you tell us about it we will list you
7790 Q: Can I sell backends I wrote?
7791 A: You can. Again, if you tell us about them we will
7792 list your backend on the site. You can keep the source
7793 of your backend secret if you want, or you can share it
7794 with the world under any license of your choosing.
7796 Q: Will PowerDNS use my code in the PDNS distribution?
7797 A: If your license permits it and we like your backend,
7798 we sure will. If your license does not permit it but we
7799 like your backend anyway we may contact you.
7801 Q: My backend compiles but when I try to load it, it says
7802 'undefined symbol: BackendMakers__Fv'
7803 A: You compiled with the wrong GCC. Use GCC 3.x for
7804 Linux, 2.95.x for FreeBSD. You may want to change g++ to
7805 g++-3.0 in the Makefile, or change your path so that 3.x
7808 Q: I downloaded a dynamic copy of pdns_server but it doesn't
7809 run, even without my backend
7810 A: Run 'ldd' on the pdns_server binary and figure out
7811 what libraries you are missing. Most likely you need to
7812 install gcc 3.0 libraries, RedHat 7.1 and 7.2 have
7813 packages available, Debian installs these by default if
7814 you use the 'unstable deb' of PDNS.
7816 Q: What is this 'AhuException' I keep reading about?
7817 A: This name has historical reasons and has no
7820 Q: I need a backend but I can't write it, can you help?
7821 A: Yes, we also do custom development. Contact us at
7823 __________________________________________________________
7825 18.4. About PowerDNS.COM BV, 'the company'
7827 As of 25 November 2002, the PowerDNS nameserver and its modules
7828 are open source. This has led to a lot of questions on the
7829 future of both PowerDNS, the company and the products. This FAQ
7830 attempts to address these questions.
7832 Q: Is PowerDNS 2.9 really open source? What license?
7833 A: PowerDNS 2.9 is licensed under the GNU General Public
7834 License version two, the same license that covers the
7837 Q: Is the open source version crippled?
7838 A: It is not. Not a single byte has been omitted.
7840 Q: Is the nameserver abandoned?
7841 A: Far from it. In fact, we expect development to speed
7842 up now that we have joined the open source community.
7844 Q: Can I buy support contracts for PowerDNS?
7845 A: Sure, to do so, please contact us at
7846 <sales@powerdns.com>
7848 Q: Will you accept patches? We've added a feature
7849 A: Probably - in general, it is best to discuss your
7850 intentions and needs on the
7851 <pdns-dev@mailman.powerdns.com> (subscribe) mailinglist
7852 before doing the work. We may have suggestions or
7853 guidelines on how you should implement the feature.
7855 Q: PowerDNS doesn't work on my platform, will you port it?, Q:
7856 PowerDNS doesn't have feature I need, will you add it?
7857 A: Be sure to ask on the <pdns-dev@mailman.powerdns.com>
7858 (subscribe) mailinglist. You can even hire us to do work
7859 on PowerDNS if plain asking is not persuasive enough.
7860 This might be the case if we don't currently have time
7861 for your feature, but you need it quickly anyhow, and
7862 are not in a position to submit a patch implementing it.
7864 Q: Will PowerDNS Express be open sourced?
7865 A: Perhaps, we're not yet sure.
7867 Q: We are a Linux/Unix vendor, can we include PowerDNS?
7868 A: Please do. In fact, we'd be very happy to work with
7869 you to make this happen. Contact <ahu@ds9a.nl> if you
7870 have specific upstream needs.
7871 __________________________________________________________
7873 Chapter 19. Other tools included with PowerDNS
7875 PowerDNS comes with several tools that can be used to do
7876 various DNS related things.
7877 __________________________________________________________
7879 19.1. Notification proxy (nproxy)
7881 Available in PowerDNS 2.9.22 and later.
7883 For additional security, operators may prefer to have a 'hidden
7884 slave' that sits behind a strong firewall. This slave pulls in
7885 zones from the outside world, and stores them in a database.
7886 This database is then used by publicly accessible nameservers
7887 to publish zone data.
7889 For proper slave operation, master nameservers send out
7890 notifications to inform slaves of updates. This is not normally
7891 a problem, but when operating with a hidden slave behind a
7892 firewall, notification packets can't reach the slave.
7894 For this purpose, the PowerDNS also supplies a notification
7895 proxy. It sits outside the firewall, and accepts notifications
7896 from remote master servers. It interprets and validates these
7897 packets, and then sends on a new notification to the hidden
7900 The hidden slave then promptly retrieves an updated zone from
7903 The notification proxy, called nproxy, can be configured using
7904 the following settings:
7907 Change root to this directory for additional security.
7910 Run in the background. Defaults to true, can be turned
7911 off using '--daemon=no'.
7914 Public addresses (IPv4 and IPv6) to listen on for
7915 incoming notification packets. Defaults to "all
7916 addresses", but it is highly recommended to specify
7920 Can be used to pin the address the nproxy uses to
7921 communicate with the hidden slave. Highly recommended.
7922 Corresponds to the PowerDNS setting
7923 trusted-notification-proxy.
7926 IP address (IPv4 or IPv6) of the hidden slave, to which
7927 notifications should be relayed. This setting is
7928 mandatory, and has no default.
7931 Change to these numerical user-id and/or group-id,
7932 dropping root privileges, for additional security.
7933 __________________________________________________________
7935 Chapter 20. Tools to analyse DNS traffic
7937 DNS is highly mission critical; it is therefore necessary to be
7938 able to study and compare DNS traffic. Since 2.9.18, PowerDNS
7939 comes with three tools to aid in analysis:
7943 As of 2.9.18 these tools are somewhat rough - they have no help
7944 messages for example. They do work though.
7946 dnsreplay pcapfile [ipaddress] [port number]
7947 This program takes recorded questions and answers and
7948 replays them to a specified nameserver and reporting
7949 afterwards which percentage of answers matched, were
7952 dnswasher pcapfile output
7953 Anonymises recorded traffic, making sure it only
7954 contains DNS, and that the originating IP addresses of
7955 queries are stripped, which may allow you to send traces
7956 to our company or mailing list without violating
7957 obligations towards your customers or privacy laws.
7960 Calculates statistics without replaying traffic
7961 __________________________________________________________
7963 Appendix A. Backends in detail
7965 This appendix lists several of the available backends in more
7967 __________________________________________________________
7971 Table A-1. PipeBackend capabilities
7981 The PipeBackend allows for easy dynamic resolution based on a
7982 'Coprocess' which can be written in any programming language
7983 that can read a question on standard input and answer on
7986 To configure, the following settings are available:
7989 Command to launch as backend. Mandatory.
7992 Number of milliseconds to wait for an answer from the
7993 backend. If this time is ever exceeded, the backend is
7994 declared dead and a new process is spawned. Available
7998 If set, only questions matching this regular expression
7999 are even sent to the backend. This makes sure that most
8000 of PowerDNS does not slow down if you deploy a slow
8001 backend. A query for the A record of 'www.powerdns.com'
8002 would be presented to the regex as 'www.powerdns.com;A'.
8003 A matching regex would be '^www.powerdns.com;.*$'.
8005 To match only ANY and A queries for www.powerdns.com,
8006 use '^www.powerdns.com;(A|ANY)$'. Please be aware that
8007 the single quotes used in this document should not be
8008 present in the configuration file, and only on the
8009 command line. In the configuration file, the previous
8010 example would be stored as:
8011 pipe-regex=^www.powerdns.com;(A|ANY)$
8013 Available since 2.8.
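An added example (not PowerDNS code) that evaluates the two pipe-regex patterns quoted above against the 'qname;qtype' string the text describes, next to a tightened pattern with escaped dots. It assumes the match is an unanchored search, which is why the documented patterns carry '^' and '$'; the lookalike query name is constructed for the comparison.

```python
import re

# The two patterns quoted in the pipe-regex description above.
DOC_ANY_TYPE = r"^www.powerdns.com;.*$"
DOC_A_OR_ANY = r"^www.powerdns.com;(A|ANY)$"
# Tightened form: an escaped '.' matches only a dot, not any character.
STRICT_A_OR_ANY = r"^www\.powerdns\.com;(A|ANY)$"


def pipe_regex_allows(pattern, qname, qtype):
    """True if the question would be passed on to the coprocess.

    The question is presented as 'qname;qtype', as the text states.
    Assumption (not on the page): the pattern is applied as an unanchored
    search, so anchors must be written explicitly.
    """
    return re.search(pattern, "%s;%s" % (qname, qtype)) is not None


def gate_report(pattern, questions):
    """Map each (qname, qtype) pair to the gate decision for one pattern,
    to compare how much a given pattern lets through."""
    return {"%s;%s" % (n, t): pipe_regex_allows(pattern, n, t) for n, t in questions}


if __name__ == "__main__":
    sample = [("www.powerdns.com", "A"), ("www.powerdns.com", "AAAA"),
              ("wwwxpowerdnsxcom", "A")]   # last one is a constructed lookalike
    for name, pat in (("doc", DOC_A_OR_ANY), ("strict", STRICT_A_OR_ANY)):
        print(name, gate_report(pat, sample))
```

With the documented pattern the constructed lookalike 'wwwxpowerdnsxcom;A' is let through because each unescaped '.' matches any character; escaping the dots closes that gap without changing which legitimate queries reach the backend.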
8015 pipebackend-abi-version
8016 This is the version of the question format that is sent
8017 to the co-process (pipe-command) for the pipe backend.
8019 If not set the default pipebackend-abi-version is 1.
8020 When set to 2, the local-ip-address field is added after
8021 the remote-ip-address. (the local-ip-address refers to
8022 the IP address the question was received on)
8023 __________________________________________________________
A.1.1. PipeBackend protocol

Questions come in over a file descriptor, by default standard
input. Answers are sent out over another file descriptor,
standard output by default.
__________________________________________________________

PowerDNS sends out 'HELO\t1', indicating that it wants to speak
the protocol as defined in this document, version 1. A PowerDNS
CoProcess must then send out a banner, prefixed by 'OK\t',
indicating it launched successfully. If it does not support the
indicated version, it should respond with FAIL, but not exit.
Suggested behaviour is to try and read a further line, and wait
__________________________________________________________
Questions come in three forms and are prefixed by a tag
indicating the kind:

Q
    Regular lookups of one name and record type
AXFR
    List requests, which mean that an entire zone should be
PING
    Check if the coprocess is functioning

The question format, pipebackend-abi-version = 1 [default]:

    type qname qclass qtype id remote-ip-address

pipebackend-abi-version = 2:

    type qname qclass qtype id remote-ip-address local-ip-address

Fields are tab separated, and terminated with a single \n. The
remote-ip-address is the IP address of the nameserver asking
the question; the local-ip-address is the IP address on which
the question was received. Type is the tag above, qname is the
domain the question is about. qclass is always 'IN' currently,
denoting an INternet question. qtype is the kind of information
desired, the record type, like A, CNAME or AAAA. id can be
specified to help your backend find an answer if the id is
already known from an earlier query. You can ignore it.
remote-ip-address is the ip-address of the nameserver asking
the question. local-ip-address is the ip-address that was
__________________________________________________________
Each answer starts with a tag, possibly followed by a TAB and

DATA
    Indicating a successful line of DATA
END
    Indicating the end of an answer - no further data
FAIL
    Indicating a lookup failure. Also serves as 'END'. No
LOG
    For specifying things that should be logged. Can only be
    sent after a query and before an END line. After the
    tab, the message to be logged

So letting it be known that there is no data consists of
sending 'END' without anything else. The answer format:

    DATA qname qclass qtype ttl id content
'content' is as specified in Chapter 17. A sample dialogue may

    Q www.ds9a.nl IN CNAME -1 213.244.168.210
    DATA www.ds9a.nl IN CNAME 3600 1 ws1.ds9a.nl
    END
    Q ws1.ds9a.nl IN CNAME -1 213.244.168.210
    END
    Q ws1.ds9a.nl IN A -1 213.244.168.210
    DATA ws1.ds9a.nl IN A 3600 1 1.2.3.4
    DATA ws1.ds9a.nl IN A 3600 1 1.2.3.5
    DATA ws1.ds9a.nl IN A 3600 1 1.2.3.6
    END

This would correspond to a remote webserver 213.244.168.210
wanting to resolve the IP address of www.ds9a.nl, and PowerDNS
traversing the CNAMEs to find the IP addresses of ws1.ds9a.nl.
Another dialogue might be:

    Q ds9a.nl IN SOA -1 213.244.168.210
    DATA ds9a.nl IN SOA 86400 1 ahu.ds9a.nl ...
    DATA ds9a.nl IN SOA 86400 1 ahu.ds9a.nl ...
    DATA ds9a.nl IN NS 86400 1 ns1.ds9a.nl
    DATA ds9a.nl IN NS 86400 1 ns2.ds9a.nl
    DATA ns1.ds9a.nl IN A 86400 1 213.244.168.210
    DATA ns2.ds9a.nl IN A 86400 1 63.123.33.135

This is a typical zone transfer.
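The handshake, question and answer formats described above, as an added example in Python that is not part of the PowerDNS manual or distribution. It answers from a constructed in-memory zone (example.com, addresses from the 192.0.2.0/24 documentation range), accepts both ABI versions of the question line, and assumes the list request arrives as 'AXFR<TAB>id', the format the PowerDNS pipe protocol uses, which is not shown in the text above.

```python
"""PowerDNS PipeBackend coprocess (added example, not manual or project code).
Speaks protocol version 1 with ABI version 1 or 2 question lines and answers
from a constructed zone. The 'AXFR<TAB>id' list-request format is an
assumption taken from the PowerDNS pipe protocol, not from the text above."""
import sys

# Constructed sample zone, domain id 1: (domain_id, qname, qtype, ttl, content)
RECORDS = [
    (1, "example.com", "SOA", 86400,
     "ns1.example.com hostmaster.example.com 2008010101 10800 3600 604800 3600"),
    (1, "example.com", "NS", 86400, "ns1.example.com"),
    (1, "example.com", "NS", 86400, "ns2.example.com"),
    (1, "www.example.com", "CNAME", 3600, "webserver.example.com"),
    (1, "webserver.example.com", "A", 3600, "192.0.2.10"),
    (1, "webserver.example.com", "A", 3600, "192.0.2.11"),
]
BANNER = "OK\tpython sample backend firing up"


def handshake(line):
    """Reply to PowerDNS's greeting. Only 'HELO<TAB>1' is accepted; anything
    else gets FAIL, and the caller keeps reading rather than exiting."""
    return BANNER if line.rstrip("\n") == "HELO\t1" else "FAIL"


def data_line(domain_id, qname, qtype, ttl, content):
    """One answer line: DATA qname qclass qtype ttl id content, tab separated."""
    return "\t".join(["DATA", qname, "IN", qtype, str(ttl), str(domain_id), content])


def answer(line, abi_version=1):
    """Return the reply lines (without newlines) for one question line.

    abi 1: Q qname qclass qtype id remote-ip-address
    abi 2: Q qname qclass qtype id remote-ip-address local-ip-address
    Every answer ends in END; FAIL also terminates an answer."""
    fields = line.rstrip("\n").split("\t")
    tag = fields[0]
    if tag == "PING":                      # liveness check, no data
        return ["END"]
    if tag == "AXFR":                      # list request: AXFR<TAB>domain_id (assumed format)
        if len(fields) != 2 or not fields[1].isdigit():
            return ["FAIL"]
        zid = int(fields[1])
        rows = [data_line(*r) for r in RECORDS if r[0] == zid]
        return rows + ["END"]
    expected = 6 if abi_version == 1 else 7
    if tag != "Q" or len(fields) != expected:
        # LOG may only appear after a question and before the END/FAIL
        return ["LOG\tunparseable question: %r" % line.rstrip("\n"), "FAIL"]
    qname = fields[1].lower().rstrip(".")  # names are matched case-insensitively
    qclass, qtype, qid = fields[2], fields[3], fields[4]
    if qclass != "IN":
        return ["FAIL"]
    try:                                   # -1 means PowerDNS does not know the id yet
        wanted_id = None if qid == "-1" else int(qid)
    except ValueError:
        return ["LOG\tbad id field", "FAIL"]
    rows = [data_line(*r) for r in RECORDS
            if r[1] == qname and (qtype == "ANY" or r[2] == qtype)
            and (wanted_id is None or r[0] == wanted_id)]
    return rows + ["END"]


def serve(abi_version=1, inp=sys.stdin, out=sys.stdout):
    """stdin/stdout loop as PowerDNS drives it. Flushing after every answer is
    essential: buffered output would stall PowerDNS until pipe-timeout fires."""
    first = inp.readline()
    if not first:
        return
    out.write(handshake(first) + "\n")
    out.flush()
    for line in inp:
        for reply in answer(line, abi_version):
            out.write(reply + "\n")
        out.flush()


if __name__ == "__main__":
    # pipe-command=/path/to/this.py 2   (the argument is the pipebackend-abi-version)
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 1)
```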
__________________________________________________________

A.1.1.4. Sample perl backend

    #!/usr/bin/perl -w
    # sample PowerDNS Coprocess backend
    #
    use strict;

    $|=1;                            # no buffering: PowerDNS waits for each line

    my $line=<>;
    chomp($line);

    unless($line eq "HELO\t1") {
        print "FAIL\n";              # we only speak protocol version 1
        print STDERR "Received '$line'\n";
        <>;                          # read one more line and wait, as suggested above
        exit;
    }
    print "OK\tSample backend firing up\n";   # print our banner

    while(<>)
    {
        print STDERR "$$ Received: $_";
        chomp();
        my @arr=split(/\t/);
        if(@arr<6) {
            print "LOG\tPowerDNS sent unparseable line\n";
            print "FAIL\n";
            next;
        }

        my ($type,$qname,$qclass,$qtype,$id,$ip)=split(/\t/);

        if(($qtype eq "A" || $qtype eq "ANY") && $qname eq "webserver.example.com") {
            print STDERR "$$ Sent A records\n";
            # placeholder addresses from the 192.0.2.0/24 documentation range
            print "DATA\t$qname\t$qclass\tA\t3600\t-1\t192.0.2.1\n";
            print "DATA\t$qname\t$qclass\tA\t3600\t-1\t192.0.2.2\n";
            print "DATA\t$qname\t$qclass\tA\t3600\t-1\t192.0.2.3\n";
        }
        elsif(($qtype eq "CNAME" || $qtype eq "ANY") && $qname eq "www.example.com") {
            print STDERR "$$ Sent CNAME records\n";
            print "DATA\t$qname\t$qclass\tCNAME\t3600\t-1\twebserver.example.com\n";
        }
        elsif($qtype eq "MBOXFW") {
            print STDERR "$$ Sent MBOXFW records\n";
            print "DATA\t$qname\t$qclass\tMBOXFW\t3600\t-1\tpowerdns\@example.com\n";
        }

        print STDERR "$$ End of data\n";
        print "END\n";
    }
__________________________________________________________

This backend is deprecated! Use the Generic MySQL backend which
is better in all respects. It does support master/slave
operation, this backend does not. See Section A.5.

So stop reading here unless you already have a database filled
with 'mysql' records.

Table A-2. MySQL backend capabilities

The MySQL Backend as present in PDNS is fixed - it requires a
certain database schema to function. This schema corresponds to
this create statement:

    CREATE TABLE records (
        id int(11) NOT NULL auto_increment,
        domain_id int(11) NOT NULL,
        name varchar(255) NOT NULL,
        type varchar(6) NOT NULL,
        content varchar(255) NOT NULL,
        ttl int(11) NOT NULL,
        prio int(11) default NULL,
        change_date int(11) default NULL,
        PRIMARY KEY (id),
        KEY name_index(name),
        KEY nametype_index(name,type),
        KEY domainid_index(domain_id)
    );

Every domain should have a unique domain_id, which should
remain identical for all records in a domain. Records with a
domain_id that differs from that in the domain SOA record will
not appear in a zone transfer.

The change_date may optionally be updated to the time_t (the
number of seconds since midnight UTC at the start of 1970), and
is in that case used to auto calculate the SOA serial number in
case that is unspecified.
__________________________________________________________

A.2.1. Configuration settings

WARNING! Make sure that you can actually resolve the hostname
of your database without accessing the database! It is advised
to supply an IP address here to prevent chicken/egg problems!

mysql-dbname
    Database name to connect to
mysql-host
    Database host to connect to
mysql-password
    Password to connect with
mysql-socket
    MySQL socket to use for connecting
mysql-table
    MySQL table name. Defaults to 'records'.
mysql-user
    MySQL user to connect as
__________________________________________________________

It has been observed that InnoDB tables outperform the default
MyISAM tables by a large margin. Furthermore, the default
number of backends (3) should be raised to 10 or 15 for busy
__________________________________________________________
Table A-3. Random Backend capabilities
Module name    built in

This is a very silly backend which is discussed in Section C.1
as a demonstration on how to write a PowerDNS backend.

This backend knows about only one hostname, and only about its
IP address at that. With every query, a new random IP address

It only makes sense to load the random backend in combination
with a regular backend. This can be done by prepending it to
the launch= instruction, such as launch=random,gmysql.

random-hostname
    Hostname for which to supply a random IP address.
__________________________________________________________
A.4. MySQL PDNS backend

Table A-4. MySQL backend capabilities

This is the driver that corresponds to the set of XML-RPC tools
available from PowerDNS.

    CREATE TABLE MailForwards (
        Id int(10) unsigned NOT NULL auto_increment,
        ZoneId int(10) unsigned NOT NULL default '0',
        Name varchar(255) NOT NULL default '',
        Destination varchar(255) NOT NULL default '',
        Flags int(11) NOT NULL default '0',
        ChangeDate timestamp(14) NOT NULL,
        CreateDate timestamp(14) NOT NULL,
        Active tinyint(4) NOT NULL default '0',
        PRIMARY KEY (Id),
        KEY NameIndex (Name),
        KEY ZoneIdIndex (ZoneId)
    );

    -- Table structure for table 'Mailboxes'

    CREATE TABLE Mailboxes (
        Id int(10) unsigned NOT NULL auto_increment,
        ZoneId int(10) unsigned NOT NULL default '0',
        Name varchar(255) NOT NULL default '',
        Password varchar(255) NOT NULL default '',
        Quota int(10) unsigned NOT NULL default '0',
        Flags int(11) NOT NULL default '0',
        ChangeDate timestamp(14) NOT NULL,
        CreateDate timestamp(14) NOT NULL,
        Active tinyint(4) NOT NULL default '0',
        PRIMARY KEY (Id),
        UNIQUE KEY Name (Name),
        KEY ZoneIdIndex (ZoneId),
        KEY NameIndex (Name)
    );

    -- Table structure for table 'Records'

    CREATE TABLE Records (
        Id int(10) unsigned NOT NULL auto_increment,
        ZoneId int(10) unsigned NOT NULL default '0',
        Name varchar(255) NOT NULL default '',
        Type varchar(8) NOT NULL default '',
        Content varchar(255) NOT NULL default '',
        TimeToLive int(11) NOT NULL default '60',
        Priority int(11) NOT NULL default '0',
        Flags int(11) NOT NULL default '0',
        ChangeDate timestamp(14) NOT NULL,
        CreateDate timestamp(14) NOT NULL,
        Active tinyint(4) NOT NULL default '0',
        PRIMARY KEY (Id),
        KEY NameIndex (Name)
    );

    -- Table structure for table 'WebForwards'

    CREATE TABLE WebForwards (
        Id int(10) unsigned NOT NULL auto_increment,
        ZoneId int(10) unsigned NOT NULL default '0',
        Name varchar(255) NOT NULL default '',
        Destination varchar(255) NOT NULL default '',
        Type varchar(7) NOT NULL default 'NORMAL',
        Title varchar(255) NOT NULL default '',
        Description varchar(255) NOT NULL default '',
        Keywords varchar(255) NOT NULL default '',
        FavIcon varchar(255) NOT NULL default '',
        Flags int(11) NOT NULL default '0',
        ChangeDate timestamp(14) NOT NULL,
        CreateDate timestamp(14) NOT NULL,
        Active tinyint(4) NOT NULL default '0',
        PRIMARY KEY (Id),
        KEY NameIndex (Name),
        KEY ZoneIdIndex (ZoneId)
    );

    -- Table structure for table 'Zones'

    CREATE TABLE Zones (
        Id int(10) unsigned NOT NULL auto_increment,
        Name varchar(255) NOT NULL default '',
        Hostmaster varchar(255) NOT NULL default '',
        Serial int(10) unsigned NOT NULL default '0',
        AutoSerial tinyint(4) NOT NULL default '0',
        Flags int(11) NOT NULL default '0',
        ChangeDate timestamp(14) NOT NULL,
        CreateDate timestamp(14) NOT NULL,
        Active tinyint(4) NOT NULL default '0',
        TimeToLive int(11) NOT NULL default '0',
        OwnerId varchar(255) NOT NULL default '',
        Master varchar(255) NOT NULL default '',
        PRIMARY KEY (Id),
        UNIQUE KEY Name (Name),
        KEY NameIndex (Name)
    );

It takes a number of parameters:

pdns-dbname
    Database name to connect to
pdns-host
    Database host to connect to
pdns-password
    Password to connect with
pdns-socket
    MySQL socket to use for connecting
pdns-user
    MySQL user to connect as

    Pdns SOA refresh in seconds

pdns-max-slave-records
    Maximal records to transfer
__________________________________________________________

It has been observed that InnoDB tables outperform the default
MyISAM tables by a large margin. Furthermore, the default
number of backends (3) should be raised to 10 or 15 for busy
__________________________________________________________
A.5. Generic MySQL and PgSQL backends

Table A-5. Generic PgSQL and MySQL backend capabilities
Native                 Yes - but PostgreSQL does not replicate
Module name < 2.9.3    pgmysql
Module name > 2.9.2    gmysql and gpgsql
Launch name            gmysql and gpgsql2 and gpgsql

PostgreSQL and MySQL backend with easily configurable SQL
statements, allowing you to graft PDNS on any PostgreSQL or
MySQL database of your choosing. Because all database schemas
will be different, a generic backend is needed to cover all

The template queries are expanded using the C function
'snprintf', which implies that substitutions are performed on
the basis of %-place holders. To place a % in a query which
will not be substituted, use %%. Make sure to fill out the
search key, often called 'name', in lower case!

There are in fact two backends, one for PostgreSQL and one for
MySQL, but they accept the same settings and use almost exactly
the same database schema.
__________________________________________________________
A.5.1. MySQL specifics

If using MySQL with 'slave' support enabled in PowerDNS you
must run MySQL with a table engine that supports transactions.

In practice, great results are achieved with the 'InnoDB'
tables. PowerDNS will silently function with non-transaction
aware MySQLs but at one point this is going to harm your
database, for example when an incoming zone transfer fails.

The default setup conforms to the following schema:

    create table domains (
        id INT auto_increment,
        name VARCHAR(255) NOT NULL,
        master VARCHAR(128) DEFAULT NULL,
        last_check INT DEFAULT NULL,
        type VARCHAR(6) NOT NULL,
        notified_serial INT DEFAULT NULL,
        account VARCHAR(40) DEFAULT NULL,
        primary key (id)
    );

    CREATE UNIQUE INDEX name_index ON domains(name);

    CREATE TABLE records (
        id INT auto_increment,
        domain_id INT DEFAULT NULL,
        name VARCHAR(255) DEFAULT NULL,
        type VARCHAR(6) DEFAULT NULL,
        content VARCHAR(255) DEFAULT NULL,
        ttl INT DEFAULT NULL,
        prio INT DEFAULT NULL,
        change_date INT DEFAULT NULL,
        primary key (id)
    );

    CREATE INDEX rec_name_index ON records(name);
    CREATE INDEX nametype_index ON records(name,type);
    CREATE INDEX domain_id ON records(domain_id);

    create table supermasters (
        ip VARCHAR(25) NOT NULL,
        nameserver VARCHAR(255) NOT NULL,
        account VARCHAR(40) DEFAULT NULL
    );

    GRANT SELECT ON supermasters TO pdns;
    GRANT ALL ON domains TO pdns;
    GRANT ALL ON records TO pdns;

Zone2sql with the --gmysql flag also assumes this layout is in

This schema contains all elements needed for master, slave and
superslave operation. Depending on which features will be used,
the 'GRANT' statements can be trimmed to make sure PDNS cannot
subvert the contents of your database.

When using the InnoDB storage engine, we suggest adding the
following lines to the 'create table records' command above:

    CONSTRAINT `records_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains`
    (`id`) ON DELETE CASCADE

This automates deletion of records on deletion of a domain from
__________________________________________________________
A.5.2. PostgreSQL specifics

The default setup conforms to the following schema, which you
should add to a PostgreSQL database.

    create table domains (
        id SERIAL PRIMARY KEY,
        name VARCHAR(255) NOT NULL,
        master VARCHAR(128) DEFAULT NULL,
        last_check INT DEFAULT NULL,
        type VARCHAR(6) NOT NULL,
        notified_serial INT DEFAULT NULL,
        account VARCHAR(40) DEFAULT NULL
    );
    CREATE UNIQUE INDEX name_index ON domains(name);

    CREATE TABLE records (
        id SERIAL PRIMARY KEY,
        domain_id INT DEFAULT NULL,
        name VARCHAR(255) DEFAULT NULL,
        type VARCHAR(6) DEFAULT NULL,
        content VARCHAR(255) DEFAULT NULL,
        ttl INT DEFAULT NULL,
        prio INT DEFAULT NULL,
        change_date INT DEFAULT NULL,
        CONSTRAINT domain_exists
        FOREIGN KEY(domain_id) REFERENCES domains(id)
    );

    CREATE INDEX rec_name_index ON records(name);
    CREATE INDEX nametype_index ON records(name,type);
    CREATE INDEX domain_id ON records(domain_id);

    create table supermasters (
        ip VARCHAR(25) NOT NULL,
        nameserver VARCHAR(255) NOT NULL,
        account VARCHAR(40) DEFAULT NULL
    );

    GRANT SELECT ON supermasters TO pdns;
    GRANT ALL ON domains TO pdns;
    GRANT ALL ON domains_id_seq TO pdns;
    GRANT ALL ON records TO pdns;
    GRANT ALL ON records_id_seq TO pdns;

This schema contains all elements needed for master, slave and
superslave operation. Depending on which features will be used,
the 'GRANT' statements can be trimmed to make sure PDNS cannot
subvert the contents of your database.

Zone2sql with the --gpgsql flag also assumes this layout is in

With PostgreSQL, you may have to run 'createdb powerdns' first
and then connect to that database with 'psql powerdns', and
feed it the schema above.
__________________________________________________________
A.5.3. Oracle specifics

Generic Oracle support is only available since version 2.9.18.
The default setup conforms to the following schema, which you
should add to an Oracle database. You may need or want to add
'namespace' statements.

    create table domains (
        id number(11) not NULL,
        name VARCHAR(255) NOT NULL,
        master VARCHAR(128) DEFAULT NULL,
        last_check INT DEFAULT NULL,
        type VARCHAR(6) NOT NULL,
        notified_serial INT DEFAULT NULL,
        account VARCHAR(40) DEFAULT NULL,
        primary key (id)
    );
    create sequence DOMAINS_ID_SEQUENCE;
    create index DOMAINS$NAME on Domains (NAME);

    CREATE TABLE records (
        id number(11) not NULL,
        domain_id INT DEFAULT NULL REFERENCES Domains(ID) ON DELETE CASCADE,
        name VARCHAR(255) DEFAULT NULL,
        type VARCHAR(6) DEFAULT NULL,
        content VARCHAR(255) DEFAULT NULL,
        ttl INT DEFAULT NULL,
        prio INT DEFAULT NULL,
        change_date INT DEFAULT NULL,
        primary key (id)
    );
    create index RECORDS$NAME on RECORDS (NAME);
    create sequence RECORDS_ID_SEQUENCE;

    create table supermasters (
        ip VARCHAR(25) NOT NULL,
        nameserver VARCHAR(255) NOT NULL,
        account VARCHAR(40) DEFAULT NULL
    );

This schema contains all elements needed for master, slave and
superslave operation. Depending on which features will be used,
'GRANT' statements can be trimmed to make sure PDNS cannot
subvert the contents of your database.

Zone2sql with the --gpgsql flag also assumes this layout is in

Inserting records is a bit different compared to MySQL and
PostgreSQL; you should use:

    insert into domains (id,name,type) values (domains_id_sequence.nextval,'netherlabs.nl','NATIVE');

Furthermore, use the goracle-tnsname setting to specify which
TNSNAME the Generic Oracle Backend should be connecting to.
There are no goracle-dbname, goracle-host or goracle-port
settings; their equivalent is in /etc/tnsnames.ora.
__________________________________________________________
A.5.4. Basic functionality

4 queries are needed for regular lookups, 4 for 'fancy records'
which are disabled by default and 1 is needed for zone

The 4+4 regular queries must return the following 6 fields, in

content
    This is the 'right hand side' of a DNS record. For an A
    record, this is the IP address for example.
ttl
    TTL of this record, in seconds. Must be a real value, no
    checking is performed.
prio
    For MX records, this should be the priority of the mail
    exchanger specified.
type
    The ASCII representation of the qtype of this record.
    Examples are 'A', 'MX', 'SOA', 'AAAA'. Make sure that
    this field returns an exact answer - PDNS won't
    recognise 'A ' as 'A'. This can be achieved by using a
    VARCHAR instead of a CHAR.
domain_id
    Each domain must have a unique domain_id. No two domains
    may share a domain_id, all records in a domain should
    have the same. A number.
name
    Actual name of a record. Must not end in a '.' and be
    fully qualified - it is not relative to the name of the

Please note that the names of the fields are not relevant, but

As said earlier, there are 8 SQL queries for regular lookups.
To configure them, set 'gmysql-basic-query' or
'gpgsql-basic-query', depending on your choice of backend. If
so called 'MBOXFW' fancy records are not used, four queries

basic-query
    Default: select content,ttl,prio,type,domain_id,name
    from records where type='%s' and name='%s'
    This is the most used query, needed for doing 1:1 lookups
    of qtype/name values. First %s is replaced by the ASCII
    representation of the qtype of the question, the second
id-query
    Default: select content,ttl,prio,type,domain_id,name
    from records where type='%s' and name='%s' and
    domain_id=%d
    Used for doing lookups within a domain. First %s is
    replaced by the qtype, the %d which should appear after
    the %s by the numeric domain_id.
any-query
    For doing ANY queries. Also used internally. Default:
    select content,ttl,prio,type,domain_id,name from records
    where name='%s'
    The %s is replaced by the qname of the
any-id-query
    For doing ANY queries within a domain. Also used
    internally. Default: select
    content,ttl,prio,type,domain_id,name from records where
    name='%s' and domain_id=%d
    The %s is replaced by the name of the domain, the %d by
    the numerical domain id.

The last query is for listing the entire contents of a zone.
This is needed when performing a zone transfer, but sometimes

list-query
    To list an entire zone. Default: select
    content,ttl,prio,type,domain_id,name from records where
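The field rules and default queries above, exercised against the generic schema of A.5.1 in an SQLite database, as an added example that is not code from the PowerDNS manual or project. The gsqlite backend of A.7 runs the same gSql queries, so the manual's basic-query and list-query templates are used as written, with their %-placeholders rewritten to bound parameters; all zone data is constructed, and the audit rows (trailing dot, mixed case, padded type, orphaned domain_id) are deliberate.

```python
"""Generic gsql schema in SQLite with the manual's default queries and a data
audit (added example, not manual or project code). Zone data is constructed."""
import re
import sqlite3

# A.5.1 schema adapted to SQLite: INTEGER PRIMARY KEY stands in for auto_increment.
SCHEMA = """
CREATE TABLE domains (
    id INTEGER PRIMARY KEY, name VARCHAR(255) NOT NULL, master VARCHAR(128) DEFAULT NULL,
    last_check INT DEFAULT NULL, type VARCHAR(6) NOT NULL,
    notified_serial INT DEFAULT NULL, account VARCHAR(40) DEFAULT NULL);
CREATE UNIQUE INDEX name_index ON domains(name);
CREATE TABLE records (
    id INTEGER PRIMARY KEY, domain_id INT DEFAULT NULL, name VARCHAR(255) DEFAULT NULL,
    type VARCHAR(6) DEFAULT NULL, content VARCHAR(255) DEFAULT NULL, ttl INT DEFAULT NULL,
    prio INT DEFAULT NULL, change_date INT DEFAULT NULL);
CREATE INDEX rec_name_index ON records(name);
CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
"""
# The manual's default templates, with their snprintf-style placeholders.
BASIC_QUERY = ("select content,ttl,prio,type,domain_id,name "
               "from records where type='%s' and name='%s'")
LIST_QUERY = ("select content,ttl,prio,type,domain_id,name "
              "from records where domain_id=%d")


def to_bound(template):
    """Rewrite a %-template into a parameterised statement: '%s' and %d become
    '?' markers so values are bound, never spliced in; %% becomes a literal %."""
    return re.sub(r"%%|'%s'|%d", lambda m: "%" if m.group(0) == "%%" else "?", template)


def load_sample(conn):
    """Create the schema and insert one NATIVE zone, including rows that show
    the faults A.5.4 warns about. Returns the zone's domain id."""
    conn.executescript(SCHEMA)
    conn.execute("insert into domains (name,type) values (?,?)", ("example.com", "NATIVE"))
    (did,) = conn.execute("select id from domains where name=?", ("example.com",)).fetchone()
    rows = [
        (did, "example.com", "SOA",
         "ns1.example.com hostmaster.example.com 2008010101 10800 3600 604800 3600", 86400, None),
        (did, "example.com", "NS", "ns1.example.com", 86400, None),
        (did, "example.com", "MX", "mail.example.com", 3600, 10),
        (did, "www.example.com", "A", "192.0.2.10", 3600, None),
        (did, "ftp.example.com.", "A", "192.0.2.11", 3600, None),     # trailing dot
        (did, "Mail.Example.Com", "A", "192.0.2.12", 3600, None),     # search key not lower case
        (did, "api.example.com", "A ", "192.0.2.13", 3600, None),     # padded type: 'A ' is not 'A'
        (did + 1, "old.example.com", "A", "192.0.2.14", 3600, None),  # domain_id with no domains row
    ]
    conn.executemany("insert into records (domain_id,name,type,content,ttl,prio) "
                     "values (?,?,?,?,?,?)", rows)
    return did


def open_sample():
    """In-memory database with the sample zone loaded; returns (conn, domain_id)."""
    conn = sqlite3.connect(":memory:")
    return conn, load_sample(conn)


def lookup(conn, qtype, qname):
    """basic-query as PowerDNS issues it: exact match on type and name."""
    return conn.execute(to_bound(BASIC_QUERY), (qtype, qname)).fetchall()


def list_zone(conn, domain_id):
    """list-query: every record of a zone, as used for an outgoing zone transfer."""
    return conn.execute(to_bound(LIST_QUERY), (domain_id,)).fetchall()


def audit(conn):
    """Return (name, reason) for rows PowerDNS will never serve correctly."""
    problems = []
    for name, rtype in conn.execute("select name,type from records").fetchall():
        if name.endswith("."):
            problems.append((name, "name ends in '.'"))
        if name != name.lower():
            problems.append((name, "name is not lower case"))
        if rtype != rtype.strip():
            problems.append((name, "type field has padding: %r" % rtype))
    orphans = conn.execute("select name from records "
                           "where domain_id not in (select id from domains)").fetchall()
    problems += [(n, "domain_id has no domains row; absent from zone transfers") for (n,) in orphans]
    return problems


if __name__ == "__main__":
    db, zone = open_sample()
    print(lookup(db, "A", "www.example.com"))    # served
    print(lookup(db, "A", "mail.example.com"))   # [] : stored as Mail.Example.Com
    print(len(list_zone(db, zone)), "records in zone", zone)
    for entry in audit(db):
        print("audit:", entry)
```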
__________________________________________________________

A.5.5. Master/slave queries

Most installations will have zero need to change the following
settings, but should the need arise, here they are:

master-zone-query
    Called to determine the master of a zone. Default:
    select master from domains where name='%s' and
info-zone-query
    Called to retrieve (nearly) all information for a
    domain. Default: select
    id,name,master,last_check,notified_serial,type from
    domains where name='%s'
info-all-slaves-query
    Called to retrieve all slave domains. Default: select
    id,name,master,last_check,type from domains where
supermaster-query
    Called to determine if a certain host is a supermaster
    for a certain domain name. Default: select account from
    supermasters where ip='%s' and nameserver='%s'
insert-slave-query
    Called to add a domain as slave after a supermaster
    notification. Default: insert into domains
    (type,name,master,account)
    values('SLAVE','%s','%s','%s')
insert-record-query
    Called during incoming AXFR. Default: insert into
    records (content,ttl,prio,type,domain_id,name) values
    ('%s',%d,%d,'%s',%d,'%s')
update-serial-query
    Called to update the last notified serial of a master
    domain. Default: update domains set notified_serial=%d
update-lastcheck-query
    Called to update the last time a slave domain was
    checked for freshness. Default: update domains set
    last_check=%d where id=%d
info-all-master-query
    Called to get data on all domains for which the server
    is master. Default: select
    id,name,master,last_check,notified_serial,type from
    domains where type='MASTER'
delete-zone-query
    Called to delete all records of a zone. Used before an
    incoming AXFR. Default: delete from records where
__________________________________________________________
A.5.6. Fancy records

If PDNS is used with so called 'Fancy Records', the 'MBOXFW'
record exists which specifies an email address forwarding
instruction, wildcard queries are sometimes needed. This is not
enabled by default. A wildcard query is an internal concept -
it has no relation to *.domain-type lookups. You can safely
leave these queries blank.

wildcard-query
    Can be left blank. See above for an explanation.
    Default: select content,ttl,prio,type,domain_id,name
    from records where type='%s' and name like '%s'
wildcard-id-query
    Can be left blank. See above for an explanation.
    Default: select content,ttl,prio,type,domain_id,name
    from records where type='%s' and name like '%s' and
    domain_id=%d
    Used for doing lookups within a domain.
wildcard-any-query
    For doing wildcard ANY queries. Default: select
    content,ttl,prio,type,domain_id,name from records where
wildcard-any-id-query
    For doing wildcard ANY queries within a domain. Default:
    select content,ttl,prio,type,domain_id,name from records
    where name like '%s' and domain_id=%d
__________________________________________________________
A.5.7. Settings and specifying queries

The queries above are specified in pdns.conf. For example, the
basic-query would appear as:

    gpgsql-basic-query=select content,ttl,prio,type,domain_id,name from records where type='%s' and name='%s'

When using the Generic PostgreSQL backend, they appear as
above. When using the generic MySQL backend, change the
"gpgsql-" prefix to "gmysql-".

Queries can span multiple lines, like this:

    gpgsql-basic-query=select content,ttl,prio,type,domain_id,name from records
        where type='%s' and name='%s'

Do not wrap statements in quotes as this will not work. Besides
the query related settings, the following configuration options
are available, where one should substitute 'gmysql', 'gpgsql',
'godbc' or 'goracle' for the prefix 'backend'. So
'backend-dbname' can stand for 'gpgsql-dbname' or
'gmysql-dbname' etc.

backend-dbname
    Database name to connect to
backend-host
    Database host to connect to. WARNING: When specified as
    a hostname a chicken/egg situation might arise where the
    database is needed to resolve the IP address of the
    database. It is best to supply an IP address of the
backend-port
    Database port to connect to.
gmysql-socket (only for MySQL!)
    Filename where the MySQL connection socket resides.
    Often /tmp/mysql.sock or /var/run/mysqld/mysqld.sock.
backend-password
    Password to connect with
backend-user
    PgSQL user to connect as
__________________________________________________________
A.5.8. Native operation

For native operation, either drop the FOREIGN KEY on the
domain_id field, or (recommended), make sure the domains table
is filled properly. To add a domain, issue the following:

    insert into domains (name,type) values ('powerdns.com','NATIVE');

The records table can now be filled with the domain_id set
to the id of the domains table row just inserted.
__________________________________________________________

A.5.9. Slave operation

The PostgreSQL backend is fully slave capable. To become a
slave of the 'powerdns.com' domain, execute this:

    insert into domains (name,master,type) values ('powerdns.com','213.244.168.217','SLAVE');

And wait a while for PDNS to pick up the addition - which
happens within one minute. There is no need to inform PDNS that
a new domain was added. Typical output is:

    Apr 09 13:34:29 All slave domains are fresh
    Apr 09 13:35:29 1 slave domain needs checking
    Apr 09 13:35:29 Domain powerdns.com is stale, master serial
    Apr 09 13:35:30 [gPgSQLBackend] Connected to database
    Apr 09 13:35:30 AXFR started for 'powerdns.com'
    Apr 09 13:35:30 AXFR done for 'powerdns.com'
    Apr 09 13:35:30 [gPgSQLBackend] Closing connection

From now on, PDNS is authoritative for the 'powerdns.com' zone
and will respond accordingly for queries within that zone.

Periodically, PDNS schedules checks to see if domains are still
fresh. The default slave-cycle-interval is 60 seconds; large
installations may need to raise this value. Once a domain has
been checked, it will not be checked before its SOA refresh
timer has expired. Domains whose status is unknown get checked
every 60 seconds by default.
__________________________________________________________

A.5.10. Superslave operation

To configure a supermaster with IP address 10.0.0.11 which
lists this installation as 'autoslave.powerdns.com', issue the

    insert into supermasters values ('10.0.0.11','autoslave.powerdns.com','internal');

From now on, valid notifies from 10.0.0.11 that list a NS
record containing 'autoslave.powerdns.com' will lead to the
provisioning of a slave domain under the account 'internal'.
See Section 13.2.1 for details.
__________________________________________________________

A.5.11. Master operation

The PostgreSQL backend is fully master capable with automatic
discovery of serial changes. Raising the serial number of a
domain suffices to trigger PDNS to send out notifications. To
configure a domain for master operation instead of the default
native replication, issue:

    insert into domains (name,type) values ('powerdns.com','MASTER');

Make sure that the assigned id in the domains table matches the
domain_id field in the records table!
__________________________________________________________
Table A-6. Oracle backend capabilities

Oracle backend with easily configurable SQL statements,
allowing you to graft PDNS on any Oracle database of your

PowerDNS is currently ascertaining if this backend can be
distributed in binary form without violating Oracle licensing.
In the meantime, the source code to the Oracle backend is
available in the pdns distribution.

The following configuration settings are available:

oracle-debug-queries
    Output all queries to disk for debugging purposes.

    Output all queries to disk for timing purposes.

oracle-uppercase-database
    Change all domain names to uppercase before querying

    Oracle database name to connect to.

    PDNS can set the ORACLE_HOME environment variable from
    within the executable, allowing execution of the daemon
    from init.d scripts where ORACLE_HOME may not yet be

    PDNS can set the ORACLE_SID environment variable from
    within the executable, allowing execution of the daemon
    from init.d scripts where ORACLE_SID may not yet be set.

    Oracle username to connect as.

    Oracle password to connect with.

The generic Oracle backend can be configured to use
user-specified queries. The following are the default queries

oracle-forward-query
    select content, TimeToLive, Priority, type, ZoneId,
    nvl(ChangeDate,0) from Records where name = :name and

oracle-forward-query-by-zone
    select content, TimeToLive, Priority, type, ZoneId,
    nvl(ChangeDate,0) from records where name = :name and
    type = :type and ZoneId = :id

oracle-forward-any-query
    select content, TimeToLive, Priority, type, ZoneId,
    nvl(ChangeDate,0) from records where name = :name

    select content, TimeToLive, Priority, type, ZoneId,
    nvl(ChangeDate, 0), name from records where ZoneId = :id
__________________________________________________________
A.6.1. Setting up Oracle for use with PowerDNS

To setup a database that corresponds to these default queries,
issue the following as Oracle user sys:

    create user powerdns identified by YOURPASSWORD;
    grant connect to powerdns;

    create tablespace powerdns datafile '/opt/oracle/oradata/ora
        size 256M extent management local autoallocate;

    alter user powerdns quota unlimited on powerdns;

As user 'powerdns' continue with:

    create table Domains (
        ID number(11) NOT NULL,
        NAME VARCHAR(255) NOT NULL,
        MASTER VARCHAR(128) DEFAULT NULL,
        LAST_CHECK INT DEFAULT NULL,
        TYPE VARCHAR(6) NOT NULL,
        NOTIFIED_SERIAL INT DEFAULT NULL,
        ACCOUNT VARCHAR(40) DEFAULT NULL,
        PRIMARY KEY (ID)
    )tablespace POWERDNS;

    create index DOMAINS$NAME on Domains (NAME) tablespace POWERDNS;
    create sequence DOMAINS_ID_SEQUENCE;

    create table Records
    (
        ID number(11) NOT NULL,
        ZoneID number(11) default NULL REFERENCES Domains(ID) ON DELETE CASCADE,
        NAME varchar2(255) default NULL,
        TYPE varchar2(6) default NULL,
        CONTENT varchar2(255) default NULL,
        TimeToLive number(11) default NULL,
        Priority number(11) default NULL,
        CreateDate number(11) default NULL,
        ChangeDate number(11) default NULL,
        PRIMARY KEY (ID)
    )tablespace POWERDNS;

    create index RECORDS$NAME on RECORDS (NAME) tablespace POWERDNS;
    create sequence RECORDS_ID_SEQUENCE;

To insert records, either use zone2sql with the --oracle
setting, or execute sql along the lines of:

    insert into domains (id,name,type) values (domains_id_sequence.nextval,'netherlabs.nl','NATIVE');
    insert into Records (id,ZoneId,name,type,content,TimeToLive,Priority)
        select RECORDS_ID_SEQUENCE.nextval,id,'netherlabs.nl','SOA',
               'ahu.casema.net. hostmaster.ds9a.nl. 2000081401 28800 7200 604800 86400',3600,0
        from Domains where name='netherlabs.nl';
    insert into Records (id,ZoneId,name,type,content,TimeToLive,Priority)
        select RECORDS_ID_SEQUENCE.nextval,id,'netherlabs.nl','NS','ahu.casema.net',3600,0
        from Domains where name='netherlabs.nl';
    insert into Records (id,ZoneId,name,type,content,TimeToLive,Priority)
        select RECORDS_ID_SEQUENCE.nextval,id,'netherlabs.nl','NS','ns1.pine.nl',3600,0
        from Domains where name='netherlabs.nl';
    insert into Records (id,ZoneId,name,type,content,TimeToLive,Priority)
        select RECORDS_ID_SEQUENCE.nextval,id,'netherlabs.nl','NS','ns2.pine.nl',3600,0
        from Domains where name='netherlabs.nl';
    insert into Records (id,ZoneId,name,type,content,TimeToLive,Priority)
        select RECORDS_ID_SEQUENCE.nextval,id,'netherlabs.nl','A','213.244.168.210',3600,0
        from Domains where name='netherlabs.nl';
    insert into Records (id,ZoneId,name,type,content,TimeToLive,Priority)
        select RECORDS_ID_SEQUENCE.nextval,id,'netherlabs.nl','MX','outpost.ds9a.nl',3600,10
        from Domains where name='netherlabs.nl';

For performance reasons it is best to specify --transactions
__________________________________________________________
A.7. Generic SQLite backend (2 and 3)

Table A-7. Generic SQLite backend capabilities

  Module name    gsqlite and gsqlite3
  Launch name    gsqlite and gsqlite3

This backend retrieves all data from a SQLite database, which is an RDBMS that is embedded into the application itself, so you won't need to run a separate server process. This also reduces overhead and simplifies installation. At http://www.sqlite.org you can find more information about

As this is a generic backend, built on top of the gSql framework, you can specify all queries as documented in Generic MySQL and PgSQL backends.

SQLite exists in two incompatible versions, numbered 2 and 3, and from 2.9.21 onwards PowerDNS supports both. It is recommended to go with version 3 as it is newer, has better performance and is actively maintained. To use version 3, choose 'launch=gsqlite3'.
__________________________________________________________

A.7.1. Compiling the SQLite backend

Before you can begin compiling PowerDNS with the SQLite backend you need to have the SQLite utility and library installed on your system. You can download these from http://www.sqlite.org/download.html, or you can use packages (if your distribution provides those).

When you've installed the library you can use ./configure --with-modules="gsqlite" or ./configure --with-modules="gsqlite3" to configure PowerDNS to use the SQLite backend. Compilation can then proceed as usual.

SQLite is included in most PowerDNS binary releases.
__________________________________________________________
A.7.2. Setting up the database

Before you can use this backend you first have to set it up and fill it with data. The default setup conforms to the following:

  create table domains (
    id              INTEGER PRIMARY KEY,
    name            VARCHAR(255) NOT NULL,
    master          VARCHAR(128) DEFAULT NULL,
    last_check      INTEGER DEFAULT NULL,
    type            VARCHAR(6) NOT NULL,
    notified_serial INTEGER DEFAULT NULL,
    account         VARCHAR(40) DEFAULT NULL
  );

  CREATE UNIQUE INDEX name_index ON domains(name);

  CREATE TABLE records (
    id          INTEGER PRIMARY KEY,
    domain_id   INTEGER DEFAULT NULL,
    name        VARCHAR(255) DEFAULT NULL,
    type        VARCHAR(6) DEFAULT NULL,
    content     VARCHAR(255) DEFAULT NULL,
    ttl         INTEGER DEFAULT NULL,
    prio        INTEGER DEFAULT NULL,
    change_date INTEGER DEFAULT NULL
  );

  CREATE INDEX rec_name_index ON records(name);
  CREATE INDEX nametype_index ON records(name,type);
  CREATE INDEX domain_id ON records(domain_id);

  create table supermasters (
    ip          VARCHAR(25) NOT NULL,
    nameserver  VARCHAR(255) NOT NULL,
    account     VARCHAR(40) DEFAULT NULL
  );

This schema contains all elements needed for master, slave and superslave operation.

After you have created the database you probably want to fill it with data. If you have a BIND zonefile it's as easy as zone2sql --zone=myzonefile --gmysql | sqlite powerdns.sqlite, but you can also use AXFR (or insert data manually).

To communicate with a SQLite database, use either the 'sqlite' or 'sqlite3' program, and feed it SQL.
__________________________________________________________

A.7.3. Using the SQLite backend

The last thing you need to do is to tell PowerDNS to use the

  launch=gsqlite                                    # or gsqlite3
  gsqlite-database=<path to your SQLite database>   # or gsqli

Then you can start PowerDNS and it should notify you that a connection to the database was made.
__________________________________________________________
A.8. DB2 backend

Table A-8. DB2 backend capabilities

PowerDNS is currently ascertaining if this backend can be distributed in binary form without violating IBM DB2 licensing.

The DB2 backend executes the following queries:

    select Content, TimeToLive, Priority, Type, ZoneId, 0 as
    ChangeDate, Name from Records where Name = ? and type =

  Forward By Zone Query
    select Content, TimeToLive, Priority, Type, ZoneId, 0 as
    ChangeDate, Name from Records where Name = ? and Type =

    select Content, TimeToLive, Priority, Type, ZoneId, 0 as
    ChangeDate, Name from Records where Name = ?

    select Content, TimeToLive, Priority, Type, ZoneId, 0 as
    ChangeDate, Name from Records where ZoneId = ?

Configuration settings:

  db2-server
    Server name to connect to. Defaults to 'powerdns'. Make sure that your nameserver is not needed to resolve an IP address needed to connect, as this might lead to a chicken/egg situation.

  db2-user
    Username to connect as. Defaults to 'powerdns'.

  db2-password
    Password to connect with. Defaults to 'powerdns'.
__________________________________________________________
A.9. Bind zone file backend

Table A-9. Bind zone file backend capabilities

  Module name    none (built in)

The BindBackend started life as a demonstration of the versatility of PDNS but quickly gained in importance when there appeared to be demand for a Bind 'workalike'.

The BindBackend parses a Bind-style named.conf and extracts information about zones from it. It makes no attempt to honour other configuration flags, which you should configure (when available) using the PDNS native configuration.

  --help=bind
    Outputs all known parameters related to the bindbackend.

  bind-example-zones
    Loads the 'example.com' zone which can be queried to determine if PowerDNS is functioning without configuring database backends. This feature is no longer supported from 2.9.21 onwards.

  bind-config=
    Location of the Bind configuration file to parse.

  bind-check-interval=
    How often to check for zone changes. See 'Operation'.

  bind-huffman
    Enable Huffman compression on zone data. Currently saves around 20% of memory actually used, but slows down
__________________________________________________________

A.9.1. Operation

On launch, the BindBackend first parses the named.conf to determine which zones need to be loaded. These are then parsed and made available for serving as they are parsed. So a named.conf with 100.000 zones may take 20 seconds to load, but after 10 seconds, 50.000 zones will already be available. While a domain is being loaded, it is not yet available, to prevent

Reloading is currently done only when a request for a zone comes in, and then only after bind-check-interval seconds have passed since the last check. If a change occurred, access to the zone is disabled, the file is reloaded, access is restored, and the question is answered. For regular zones, reloading is fast enough to answer the question which led to the reload within the DNS timeout.

If bind-check-interval is specified as zero, no checks will be performed until the pdns_control reload is given.
__________________________________________________________

A.9.2. Pdns_control commands

  bind-domain-status domain [domain]
    Output status of domain or domains. Can be one of 'seen in named.conf, not parsed', 'parsed successfully at <time>' or 'error parsing at line ... at <time>'.

  bind-list-rejects
    Lists all zones that have problems, and what those

  bind-reload-now domain
    Reloads a zone from disk NOW, reporting back results.
__________________________________________________________

The BindBackend does not benefit from the packet cache as it is fast enough on its own. Furthermore, on most systems, there will be no benefit in using multiple CPUs for the packetcache, so a noticeable speedup can be attained by specifying distributor-threads=1 in pdns.conf.
__________________________________________________________

A.9.4. Master/slave configuration

Works as expected. At startup, no notification storm is performed as this is generally not useful. Perhaps in the future the Bind Backend will attempt to store zone metadata in the zone, allowing it to determine if a zone has changed its serial since the last time notifications were sent out.

Changes which are discovered when reloading zones do lead to notifications however.
__________________________________________________________

Also works as expected. The Bind backend expects to be able to write to a directory where a slave domain lives. The incoming zone is stored as 'zonename.RANDOM' and atomically renamed if it is retrieved successfully, and parsed only then.

In the future, this may be improved so the old zone remains available should parsing fail.
__________________________________________________________

pdns_control offers commands to communicate instructions to PowerDNS. These are detailed here.

  rediscover
    Reread the bind configuration file (named.conf). If parsing fails, the old configuration remains in force and pdns_control reports the error. Any newly discovered domains are read, discarded domains are removed from

    Except that with 2.9.3, they are not removed from memory.

  reload
    All zones with a changed timestamp are reloaded at the next incoming query for them.
__________________________________________________________
A.10. ODBC backend

Table A-10. ODBC backend capabilities

  Master    Yes (experimental)
  Slave     Yes (experimental)

The ODBC backend can retrieve zone information from any source that has an ODBC driver available.

This backend is only available on PowerDNS for Windows.

The ODBC backend needs data in a fixed schema which is the same as the data needed by the MySQL backend. The create statement:

  CREATE TABLE records (
    id int(11) NOT NULL auto_increment,
    domain_id int(11) default NULL,
    name varchar(255) default NULL,
    type varchar(6) default NULL,
    content varchar(255) default NULL,
    ttl int(11) default NULL,
    prio int(11) default NULL,
    change_date int(11) default NULL,
    PRIMARY KEY (id),
    KEY name_index(name),
    KEY nametype_index(name,type),
    KEY domainid_index(domain_id)
  );

To use the ODBC backend an ODBC source has to be created; to do this see the section Installing PowerDNS on Microsoft Windows,

The following configuration settings are available:

  odbc-datasource
    Specifies the name of the data source to use.

  odbc-user
    Specifies the username that has to be used to log into

  odbc-pass
    Specifies the user's password.

  odbc-table
    Specifies the name of the table containing the zone

The ODBC backend has been tested with Microsoft Access, MySQL (via MyODBC) and Microsoft SQLServer. As the SQL statements used are very basic, it is expected to work with many ODBC
__________________________________________________________

No longer part of PowerDNS.
__________________________________________________________
A.12. LDAP backend

This documentation has moved to its own page. The information in this chapter may be outdated!

The main author for this module is Norbert Sendetzky.

He also maintains the LDAP backend documentation there. The information below may be outdated!

Table A-11. LDAP backend capabilities
__________________________________________________________

A.13. OpenDBX backend

The full OpenDBX documentation can be found on its own page. The information in this chapter may be outdated!

The main author for this module is Norbert Sendetzky.

Table A-12. OpenDBX backend capabilities

  Autoserial    Yes (since 2.9.22)
__________________________________________________________

A.14. Geo backend

This section is a subset of the full documentation which can be found in modules/geobackend/README of the PowerDNS

The main author for this module is Mark Bergsma.

Table A-13. Geo backend capabilities

The Geo Backend can be used to distribute queries globally using an IP-address/country mapping table, several of which are freely available online or can be acquired for a small fee.

This allows visitors to be sent to a server close to them, with no appreciable delay, as would otherwise be incurred with a protocol level redirect. Additionally, the Geo Backend can be used to provide service over several clusters, any of which can be taken out of use easily, for example for maintenance

The Geo Backend is in wide use, for example by the Wikimedia foundation, which uses it to power the Wikipedia global load

More details can be found here, or in modules/geobackend/README, part of the PowerDNS Authoritative Server distribution.
__________________________________________________________
Appendix B. PDNS internals

PDNS is normally launched by the init.d script but is actually a binary called pdns_server. This file is started by the start and monitor commands to the init.d script. Other commands are implemented using the controlsocket.
__________________________________________________________

B.1. Controlsocket

The controlsocket is the means to contact a running PDNS daemon, or as we now know, a running pdns_server. Over this socket, instructions can be sent using the pdns_control program. Like the pdns_server, this program is normally accessed via the init.d script.
__________________________________________________________

B.1.1. pdns_control

To communicate with PDNS over the controlsocket, the pdns_control command is used. The init.d script also calls pdns_control. The syntax is simple: pdns_control command arguments. Currently this is most useful for telling backends to rediscover domains or to force the transmission of notifications. See Section 13.3.

Besides the commands implemented by the init.d script, for which see Section 2.3, the following pdns_control commands are

  ccounts
    Returns counts on the contents of the cache.

  notify domain
    Adds a domain to the notification list, causing PDNS to send out notifications to the nameservers of a domain. Can be used if a slave missed previous notifications or is generally hard of hearing.

  notify-host domain host
    Same as above but with operator specified IP address as destination, to be used if you know better than

  purge
    Purges the entire Packet Cache - see Chapter 9.

  purge record
    Purges all entries for this exact record name - see

  purge record$
    Purges all cache entries ending on this name, effectively purging an entire domain - see Chapter 9.

  rediscover
    Instructs backends that new domains may have appeared in the database, or, in the case of the Bind backend, in

  reload
    Instructs backends that the contents of domains may have changed. Many backends ignore this; the Bind backend will check timestamps for all zones (once queries come in for it) and reload if needed.

  retrieve domain
    Retrieve a slave domain from its master. Done nearly

  set variable value
    Set a configuration parameter. Currently only the 'query-logging' parameter can be set.

  uptime
    Reports the uptime of the daemon in human readable form.

  version
    Returns the version of a running pdns daemon.
__________________________________________________________

B.2. Guardian

When launched by the init.d script, pdns_server wraps itself inside a 'guardian'. This guardian monitors the performance of the inner pdns_server instance, which shows up in the process list of your OS as pdns_server-instance. It is also this guardian that pdns_control talks to. A STOP is interpreted by the guardian, which causes the guardian to sever the connection to the inner process and terminate it, after which it terminates itself. The init.d script DUMP and SHOW commands need to access the inner process, because the guardian itself does not run a nameserver. For this purpose, the guardian passes controlsocket requests to the control console of the inner process. This is the same console as seen with init.d
__________________________________________________________
B.3. Modules & Backends

PDNS has the concept of backends and modules. Non-static PDNS distributions have the ability to load new modules at runtime, while the static versions come with a number of modules built in, but cannot load more.

Related parameters are:

  --help
    Outputs all known parameters, including those of launched backends, see below.

  --launch=backend,backend1,backend1:name
    Launches backends. In its most simple form, supply all backends that need to be launched. If you find that you need to launch single backends multiple times, you can specify a name for later instantiations. In this case, there are 2 instances of backend1, and the second one is called 'name'. This means that --backend1-setting is available to configure the first or main instance, and --backend1-name-setting for the second one.

  --load-modules=/directory/libyourbackend.so
    If backends are available in nonstandard directories, specify their location here. Multiple files can be loaded if separated by commas. Only available in non-static PDNS distributions.

  --list-modules
    Will list all available modules, both compiled in and in dynamically loadable modules.

To run on the commandline, use the pdns_server binary. For example, to see options for the gpgsql backend, use the

  $ /usr/sbin/pdns_server --launch=gpgsql --help=gpgsql
__________________________________________________________
B.4. How PDNS translates DNS queries into backend queries

A DNS query is not a straightforward lookup. Many DNS queries need to check the backend for additional data, for example to determine if an unfound record should lead to an NXDOMAIN ('we know about this domain, but that record does not exist') or an unauthoritative response.

Simplified, without CNAME processing and wildcards, the algorithm is like this:

When a query for a qname/qtype tuple comes in, it is requested directly from the backend. If present, PDNS adds the contents of the reply to the list of records to return. A question tuple may generate multiple answer records.

Each of these records is now investigated to see if it needs 'additional processing'. This holds for example for MX records which may point to hosts for which the PDNS backends also contain data. This involves further lookups for A or AAAA

After all additional processing has been performed, PDNS sieves out all double records which may well have appeared. The resulting set of records is added to the answer packet, and

A zone transfer works by looking up the domain_id of the SOA record of the name and then listing all records of that domain_id. This is why all records in a domain need to have the

When a query comes in for an unknown domain, PDNS starts looking for SOA records of all subdomains of the qname, so no.such.powerdns.com turns into a SOA query for no.such.powerdns.com, such.powerdns.com, powerdns.com, com, ''. When a SOA is found, that zone is consulted for relevant NS instructions which lead to a referral. If nothing is found within the zone, an authoritative NXDOMAIN is sent out.

If no SOA was found, an unauthoritative no-error is returned.

In reality, each query for a question tuple first involves checking for a CNAME, unless that resolution has been disabled with the skip-cname option.

PDNS breaks strict RFC compatibility by not always checking for the presence of a SOA record first. This is unlikely to lead to
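The resolution walk described in this section, as an added example that is not PowerDNS code: a tiny in-memory record store stands in for a backend, and resolve() carries a qname/qtype through the direct lookup, MX additional processing, de-duplication and the SOA walk that decides between answer, referral, authoritative NXDOMAIN and unauthoritative no-error. It goes one step beyond the simplified walk above by returning NoData when the name exists with other types; Rec, Store, Outcome and the sample zone are constructed for this example.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <tuple>
#include <vector>

// One row as the gsql schemas store it (name, type, content, domain_id); a constructed stand-in.
struct Rec { std::string name, type, content; int domain_id; };

static std::string lowercase(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Minimal backend stand-in (not the real DNSBackend): matches names case-insensitively.
struct Store {
    std::vector<Rec> recs;
    std::vector<Rec> lookup(const std::string &qname, const std::string &qtype) const {
        std::vector<Rec> out;
        for (const Rec &r : recs)
            if (lowercase(r.name) == lowercase(qname) && (qtype == "ANY" || r.type == qtype))
                out.push_back(r);
        return out;
    }
};

enum class Outcome { Answer, NoData, Referral, NxDomain, NoErrorUnauth };

// Answer records plus additional data, or the referral NS set, together with the verdict.
struct Result { Outcome outcome; std::vector<Rec> records; };

// Strip the leftmost label: "no.such.powerdns.com" -> "such.powerdns.com", "com" -> "".
static std::string parent(const std::string &n) {
    std::string::size_type dot = n.find('.');
    return dot == std::string::npos ? std::string() : n.substr(dot + 1);
}

// Walk qname and every parent down to the root "" looking for an SOA, as B.4 describes.
static bool findZone(const Store &db, const std::string &qname, Rec &soa) {
    for (std::string n = qname;; n = parent(n)) {
        std::vector<Rec> hits = db.lookup(n, "SOA");
        if (!hits.empty()) { soa = hits.front(); return true; }
        if (n.empty()) return false;   // root reached: no zone of ours encloses qname
    }
}

// Sieve out double records that additional processing may have produced.
static void dedupe(std::vector<Rec> &v) {
    auto key = [](const Rec &r) { return std::make_tuple(lowercase(r.name), r.type, r.content); };
    std::vector<Rec> out;
    for (const Rec &r : v) {
        bool seen = false;
        for (const Rec &o : out) if (key(o) == key(r)) { seen = true; break; }
        if (!seen) out.push_back(r);
    }
    v.swap(out);
}

Result resolve(const Store &db, const std::string &qname, const std::string &qtype) {
    Result res{Outcome::NoErrorUnauth, {}};
    // Direct lookup of the qname/qtype tuple; one question may yield several records.
    res.records = db.lookup(qname, qtype);
    // Additional processing: MX targets the backend also has A records for.
    std::vector<Rec> extra;
    for (const Rec &r : res.records)
        if (r.type == "MX")
            for (const Rec &a : db.lookup(r.content, "A")) extra.push_back(a);
    res.records.insert(res.records.end(), extra.begin(), extra.end());
    dedupe(res.records);
    if (!res.records.empty()) { res.outcome = Outcome::Answer; return res; }
    // Nothing found: locate the enclosing zone through its SOA.
    Rec soa{};
    if (!findZone(db, qname, soa)) return res;   // no SOA anywhere: unauthoritative no-error
    // NS records on a name below the apex and at or above qname mean a delegation: refer.
    for (std::string n = qname; lowercase(n) != lowercase(soa.name); n = parent(n)) {
        std::vector<Rec> ns = db.lookup(n, "NS");
        if (!ns.empty()) { res.outcome = Outcome::Referral; res.records = ns; return res; }
    }
    // Refinement beyond the simplified walk: name exists with other types -> NOERROR, no data.
    res.outcome = db.lookup(qname, "ANY").empty() ? Outcome::NxDomain : Outcome::NoData;
    return res;
}

// Constructed sample zone (RFC 5737 documentation addresses) for a stand-alone run.
Store sampleStore() {
    return Store{{
        {"powerdns.com",        "SOA", "ns1.powerdns.com. hostmaster.powerdns.com. 1 28800 7200 604800 86400", 1},
        {"powerdns.com",        "NS",  "ns1.powerdns.com", 1},
        {"ns1.powerdns.com",    "A",   "192.0.2.1", 1},
        {"www.powerdns.com",    "A",   "192.0.2.10", 1},
        {"powerdns.com",        "MX",  "mail.powerdns.com", 1},
        {"mail.powerdns.com",   "A",   "192.0.2.25", 1},
        {"sub.powerdns.com",    "NS",  "ns.sub.powerdns.com", 1},
        {"ns.sub.powerdns.com", "A",   "192.0.2.53", 1},
    }};
}

int main() {
    Store db = sampleStore();
    const char *verdict[] = {"ANSWER", "NODATA", "REFERRAL", "NXDOMAIN", "NOERROR (unauthoritative)"};
    for (const char *q : {"www.powerdns.com", "no.such.powerdns.com", "host.sub.powerdns.com", "www.example.org"})
        std::cout << q << " A -> " << verdict[static_cast<int>(resolve(db, q, "A").outcome)] << '\n';
    return 0;
}
```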
__________________________________________________________
Appendix C. Backend writers' guide

PDNS backends are implemented via a simple yet powerful C++ interface. If your needs are not met by the PipeBackend, you may want to write your own. Before doing any PowerDNS development, please visit the wiki.

A backend contains zero DNS logic. It need not look for CNAMEs, it need not return NS records unless explicitly asked for, etcetera. All DNS logic is contained within PDNS itself - backends should simply return records matching the description

However, please note that your backend can get queries in aNy CAsE! If your database is case sensitive, like most are (with the notable exception of MySQL), you must make sure that you do find answers which differ only in case.

PowerDNS may instantiate multiple instances of your backend, or destroy existing copies and instantiate new ones. Backend code should therefore be thread-safe with respect to its static data. Additionally, it is wise if instantiation is a fast operation, with the possible exception of the first
__________________________________________________________

C.1. Simple read-only native backends

Implementing a backend consists of inheriting from the DNSBackend class. For read-only backends, which do not support slave operation, only the following methods are relevant:

  virtual bool lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt_p=0, int zoneId=-1)=0;
  virtual bool list(int domain_id)=0;
  virtual bool get(DNSResourceRecord &r)=0;
  virtual bool getSOA(const string &name, SOAData &soadata);

Note that the first three methods must be implemented. getSOA() has a useful default implementation.

The semantics are simple. Each instance of your class only handles one (1) query at a time. There is no need for locking as PDNS guarantees that your backend will never be called

Some examples; a more formal specification is down below. A normal lookup starts like this:

  yb.lookup(QType::CNAME,"www.powerdns.com");

Your class should now do everything to start this query. Perform as much preparation as possible - handling errors at this stage is better for PDNS than doing so later on. A real error should be reported by throwing an exception.

PDNS will then call the get() method to get DNSResourceRecords back. The following code illustrates a typical query:

  yb.lookup(QType::CNAME,"www.powerdns.com");

  DNSResourceRecord rr;
  while(yb.get(rr))
    cout<<"Found cname pointing to '"+rr.content+"'"<<endl;

Each zone starts with a Start of Authority (SOA) record. This record is special, so many backends will choose to implement it specially. The default getSOA() method performs a regular lookup on your backend to figure out the SOA, so if you have no special treatment for SOA records, there is no need to implement your own getSOA().

Besides direct queries, PDNS also needs to be able to list a zone, to do zone transfers for example. Each zone has an id which should be unique within the backend. To list all records belonging to a zone id, the list() method is used. Conveniently, the domain_id is also available in the SOAData

The following lists the contents of a zone called 'powerdns.com':

  SOAData sd;
  if(!yb.getSOA("powerdns.com",sd)) // are we authoritative over powerdns.com?
    return RCode::NotAuth;          // no

  yb.list(sd.domain_id);
  while(yb.get(rr))
    cout<<rr.qname<<"\t IN "<<rr.qtype.getName()<<"\t"<<rr.content<<endl;

Please note that when so called 'fancy records' (see Chapter 14) are enabled, a backend can receive wildcard lookups. These have a % as the first character of the qdomain in lookup.
__________________________________________________________
C.1.1. A sample minimal backend

This backend only knows about the host "random.powerdns.com", and furthermore, only about its A record:

  class RandomBackend : public DNSBackend
  {
  public:
    bool list(int id)
    {
      return false; // we don't support AXFR
    }

    void lookup(const QType &type, const string &qdomain, DNSPacket *p, int zoneId)
    {
      if(type.getCode()!=QType::A || qdomain!="random.powerdns.com") // we only know about random.powerdns.com A
        d_answer="";                                                // no answer
      else {
        ostringstream os;
        os<<random()%256<<"."<<random()%256<<"."<<random()%256<<"."<<random()%256;
        d_answer=os.str();                                          // our random ip address
      }
    }

    bool get(DNSResourceRecord &rr)
    {
      if(!d_answer.empty()) {
        rr.qname="random.powerdns.com";                             // fill in details
        rr.qtype=QType::A;                                          // A record
        rr.ttl=86400;                                               // 1 day
        rr.content=d_answer;

        d_answer="";                                                // this was the last answer

        return true;
      }
      return false;                                                 // no more data
    }

  private:
    string d_answer;
  };

  class RandomFactory : public BackendFactory
  {
  public:
    RandomFactory() : BackendFactory("random") {}

    DNSBackend *make(const string &suffix)
    {
      return new RandomBackend();
    }
  };

  class RandomLoader
  {
  public:
    RandomLoader()
    {
      BackendMakers().report(new RandomFactory);
      L<<Logger::Info<<" [RandomBackend] This is the randombackend ("__DATE__", "__TIME__") reporting"<<endl;
    }
  };

  static RandomLoader randomloader;

This simple backend can be used as an 'overlay'. In other words, it only knows about a single record; another loaded backend would have to know about the SOA and NS records and such. But nothing prevents us from loading it without another

The first part of the code contains the actual logic and should be pretty straightforward. The second part is a boilerplate 'factory' class which PDNS calls to create randombackend instances. Note that a 'suffix' parameter is passed. Real life backends also declare parameters for the configuration file; these get the 'suffix' appended to them. Note that the "random" in the constructor denotes the name by which the backend will

The third part registers the RandomFactory with PDNS. This is a simple C++ trick which makes sure that this function is called on execution of the binary or when loading the dynamic module.

Please note that a RandomBackend is actually in most PDNS releases. By default it lives on random.example.com, but you can change that by setting random-hostname.

NOTE: this simple backend neglects to handle case properly!
__________________________________________________________
C.1.2. Interface definition

Table C-1. DNSResourceRecord class

  QType      qtype          QType of this record
  string     qname          name of this record
  string     content        ASCII representation of right hand side
  u_int16_t  priority       priority of an MX record.
  u_int32_t  ttl            Time To Live of this record
  int        domain_id      ID of the domain this record belongs to
  time_t     last_modified  If unzero, last time_t this record was

Table C-2. SOAData struct

  string      nameserver   Name of the master nameserver of this zone
  string      hostmaster   Hostmaster of this domain. May contain an @
  u_int32_t   serial       Serial number of this zone
  u_int32_t   refresh      How often this zone should be refreshed
  u_int32_t   retry        How often a failed zone pull should be retried.
  u_int32_t   expire       If zone pulls failed for this long, retire
  u_int32_t   default_ttl  Difficult
  int         domain_id    The ID of the domain within this backend. Must be
  DNSBackend *db           Pointer to the backend that feels authoritative for a domain and can act as a slave

  void lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt=0, int zoneId=-1)
    This function is used to initiate a straight lookup for a record of name 'qdomain' and type 'qtype'. A QType can be converted into an integer by invoking its getCode() method and into a string with the getCode().

    The original question may or may not be passed in the pointer p. If it is, you can retrieve (from 1.99.11 onwards) information about who asked the question with the getRemote(DNSPacket *) method. Alternatively, bool getRemote(struct sockaddr *sa, socklen_t *len) is

    Note that qdomain can be of any case and that your backend should make sure it is in effect case insensitive. Furthermore, the case of the original question should be retained in answers returned by

    Finally, the domain_id might also be passed, indicating that only answers from the indicated zone need apply. This can both be used as a restriction or as a possible speedup, hinting your backend where the answer might be

    If initiated successfully, as indicated by returning true, answers should be made available over the get()

    Should throw an AhuException if an error occurred accessing the database. Returning otherwise indicates that the query was started successfully. If it is known that no data is available, no exception should be thrown! An exception indicates that the backend considers itself broken - not that no answers are available for a question.

    It is legal to return here, and have the first call to get() return false. This is interpreted as 'no data'

  bool list(int domain_id)
    Initiates a list of the indicated domain. Records should then be made available via the get() method. Need not include the SOA record. If it is, PDNS will not get

    Should return false if the backend does not consider itself authoritative for this zone. Should throw an AhuException if an error occurred accessing the database. Returning true indicates that data is or should be

  bool get(DNSResourceRecord &rr)
    Request a DNSResourceRecord from a query started by lookup() or list(). If this function returns true, rr has been filled with data. When it returns false, no more data is available, and rr does not contain new data. A backend should make sure that it either fills out all fields of the DNSResourceRecord or resets them to their

    The qname field of the DNSResourceRecord should be filled out with the exact qdomain passed to lookup, preserving its case. So if a query for 'CaSe.yourdomain.com' comes in and your database contains data for 'case.yourdomain.com', the qname field of rr should contain 'CaSe.yourdomain.com'!

    Should throw an AhuException in case a database error

  bool getSOA(const string &name, SOAData &soadata)
    If the backend considers itself authoritative over domain name, this method should fill out the passed SOAData structure and return a positive number. If the backend is functioning correctly, but does not consider itself authoritative, it should return 0. In case of errors, an AhuException should be thrown.
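An added example, not part of this guide or of PowerDNS, of a read-only backend written against the interface above: QType, DNSResourceRecord, SOAData, DNSPacket and DNSBackend are hypothetical stand-ins carrying only the members the guide mentions, and TableBackend shows the lookup()/get() iteration, the zoneId restriction, the case rule (match case-insensitively, answer in the question's case) that the RandomBackend above neglects, and a getSOA() shaped like the default one.

```cpp
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-ins for the PowerDNS types the interface uses; the real headers are not needed here.
struct QType {
    enum Code { A = 1, NS = 2, SOA = 6, MX = 15, ANY = 255 };
    QType(int c = ANY) : code(c) {}
    int getCode() const { return code; }
    int code;
};
struct DNSResourceRecord { QType qtype; std::string qname, content; unsigned int ttl; int domain_id; };
struct SOAData { std::string nameserver, hostmaster; unsigned int serial; int domain_id; };
struct DNSPacket {};   // the original question; not examined here

class DNSBackend {     // the read-only subset of the interface from C.1
public:
    virtual ~DNSBackend() {}
    virtual void lookup(const QType &qtype, const std::string &qdomain, DNSPacket *pkt = 0, int zoneId = -1) = 0;
    virtual bool list(int domain_id) = 0;
    virtual bool get(DNSResourceRecord &r) = 0;
};

static std::string lowercase(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// A read-only backend over an in-memory table that handles case the way C.1.2 demands.
class TableBackend : public DNSBackend {
public:
    struct Row { std::string name; int type; std::string content; unsigned int ttl; int domain_id; };
    explicit TableBackend(const std::vector<Row> &rows) : d_rows(rows), d_pos(0) {}
    void lookup(const QType &qtype, const std::string &qdomain, DNSPacket * = 0, int zoneId = -1) {
        d_pending.clear(); d_pos = 0;
        const std::string want = lowercase(qdomain);                 // match case-insensitively ...
        for (const Row &r : d_rows) {
            if (lowercase(r.name) != want) continue;
            if (qtype.getCode() != QType::ANY && r.type != qtype.getCode()) continue;
            if (zoneId != -1 && r.domain_id != zoneId) continue;      // zoneId restricts to one zone
            d_pending.push_back(toRR(r));
            d_pending.back().qname = qdomain;                         // ... but answer in the question's case
        }
    }   // finding nothing is not an error: the first get() simply returns false
    bool list(int domain_id) {
        d_pending.clear(); d_pos = 0;
        for (const Row &r : d_rows)
            if (r.domain_id == domain_id) d_pending.push_back(toRR(r));
        return !d_pending.empty();                                   // false: not authoritative for this id
    }
    bool get(DNSResourceRecord &rr) {
        if (d_pos >= d_pending.size()) return false;                 // end of data; rr left untouched
        rr = d_pending[d_pos++];                                     // every field overwritten, none inherited
        return true;
    }
    // Same shape as the default getSOA(): a plain SOA lookup, parsed into SOAData.
    bool getSOA(const std::string &name, SOAData &sd) {
        lookup(QType(QType::SOA), name);
        DNSResourceRecord rr;
        if (!get(rr)) return false;
        std::istringstream is(rr.content);
        is >> sd.nameserver >> sd.hostmaster >> sd.serial;
        sd.domain_id = rr.domain_id;
        return true;
    }
private:
    static DNSResourceRecord toRR(const Row &r) {
        DNSResourceRecord rr;
        rr.qname = r.name; rr.qtype = QType(r.type); rr.content = r.content;
        rr.ttl = r.ttl; rr.domain_id = r.domain_id;
        return rr;
    }
    std::vector<Row> d_rows;
    std::vector<DNSResourceRecord> d_pending;
    std::vector<DNSResourceRecord>::size_type d_pos;
};

// Constructed sample table: domain_id 1 is powerdns.com, 2 is example.org (RFC 5737 addresses).
TableBackend sampleBackend() {
    std::vector<TableBackend::Row> rows = {
        {"powerdns.com",     QType::SOA, "ns1.powerdns.com hostmaster.powerdns.com 2000081401 28800 7200 604800 86400", 3600, 1},
        {"powerdns.com",     QType::NS,  "ns1.powerdns.com", 3600, 1},
        {"ns1.powerdns.com", QType::A,   "192.0.2.1", 3600, 1},
        {"www.powerdns.com", QType::A,   "192.0.2.10", 3600, 1},
        {"www.example.org",  QType::A,   "198.51.100.7", 3600, 2},
    };
    return TableBackend(rows);
}

// Drive a lookup the way PDNS does (lookup(), then get() until false); join the "qname content" pairs with ';'.
std::string answers(TableBackend yb, int type, const std::string &qname, int zoneId = -1) {
    yb.lookup(QType(type), qname, 0, zoneId);
    std::string out;
    for (DNSResourceRecord rr; yb.get(rr);) out += (out.empty() ? "" : ";") + rr.qname + " " + rr.content;
    return out;
}
unsigned int soaSerial(TableBackend yb, const std::string &name) { SOAData sd{}; return yb.getSOA(name, sd) ? sd.serial : 0; }
```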
__________________________________________________________
C.2. Reporting errors

To report errors, the Logger class is available, which works
mostly like an iostream. Example usage is as shown above in the
RandomBackend. Note that it is very important that each line is
ended with endl, as your message won't be visible otherwise.

To indicate the importance of an error, the standard syslog
error levels are available. They can be set by outputting
Logger::Critical, Logger::Error, Logger::Warning,
Logger::Notice, Logger::Info or Logger::Debug to L, in
descending order of severity.
__________________________________________________________
C.3. Declaring and reading configuration details

It is highly likely that a backend needs configuration details.
On launch, these parameters need to be declared with PDNS so it
knows it should accept them in the configuration file and on
the command line. Furthermore, they will be listed in the output

Declaring arguments is done by implementing the member function
declareArguments() in the factory class of your backend. PDNS
will call this method after launching the backend.

In the declareArguments() method, the function declare() is
available. The exact definitions:

void declareArguments(const string &suffix="")
This method is called to allow a backend to register
configurable parameters. The suffix is the sub-name of
this module. There is no need to touch this suffix, just
pass it on to the declare method.

void declare(const string &suffix, const string &param, const
string &explanation, const string &value)
The suffix is passed to your method, and can be passed
on to declare. param is the name of your parameter.
explanation is what will appear in the output of --help.
Furthermore, a default value can be supplied in the

A sample implementation:

   void declareArguments(const string &suffix)
     declare(suffix,"dbname","Pdns backend database name to connect to","powerdns");
     declare(suffix,"user","Pdns backend user to connect as","p
     declare(suffix,"host","Pdns backend host to connect to",""
     declare(suffix,"password","Pdns backend password to connec

After the arguments have been declared, they can be accessed
from your backend using the mustDo(), getArg() and
getArgAsNum() methods. They are defined as follows in the

void setArgPrefix(const string &prefix)
Must be called before any of the other accessing
functions are used. Typical usage is
'setArgPrefix("mybackend"+suffix)' in the constructor of

bool mustDo(const string &key)
Returns true if the variable key is set to anything but

const string& getArg(const string &key)
Returns the exact value of a parameter.

int getArgAsNum(const string &key)
Returns the numerical value of a parameter. Uses atoi()

Sample usage from the BindBackend, using the bind-example-zones
and bind-config parameters.

   if(mustDo("example-zones")) {
     insert(0,"www.example.com","A","1.2.3.4");

   if(!getArg("config").empty()) {
     BP.parse(getArg("config"));
__________________________________________________________
C.4. Read/write slave-capable backends

The backends above are 'natively capable' in that they contain
all data relevant for a domain and do not pull in data from
other nameservers. To enable storage of information, a backend
must be able to do more.

Before diving into the details of the implementation some
theory is in order. Slave domains are pulled from the master.
PDNS needs to know for which domains it is to be a slave, and
for each slave domain, what the IP address of the master is.

A slave zone is pulled from a master, after which it is
'fresh', but this is only temporary. In the SOA record of a
zone there is a field which specifies the 'refresh' interval.
After that interval has elapsed, the slave nameserver needs to
check at the master if the serial number there is higher than
what is stored in the backend locally.

If this is the case, PDNS dubs the domain 'stale', and
schedules a transfer of data from the remote. This transfer
remains scheduled until the serial numbers remote and locally
are identical again.

This theory is implemented by the getUnfreshSlaveInfos method,
which is called on all backends periodically. This method fills
a vector of SlaveDomains with domains that are unfresh and

PDNS then retrieves the SOA of those domains remotely and
locally and creates a list of stale domains. For each of these
domains, PDNS starts a zone transfer to resynchronise. Because
zone transfers can fail, it is important that the interface to
the backend allows for transaction semantics, because a zone
might otherwise be left in a half-updated state.

The following excerpt from the DNSBackend shows the relevant

   virtual bool getDomainInfo(const string &domain, DomainInfo &di);
   virtual bool isMaster(const string &name, const string &ip);
   virtual bool startTransaction(const string &qname, int id);
   virtual bool commitTransaction();
   virtual bool abortTransaction();
   virtual bool feedRecord(const DNSResourceRecord &rr);
   virtual void getUnfreshSlaveInfos(vector<DomainInfo>* domains);
   virtual void setFresh(int id);
The mentioned DomainInfo struct looks like this:

Table C-3. DomainInfo struct

   int id                            ID of this zone within this backend
   string master                     IP address of the master of this domain, if any
   u_int32_t serial                  Serial number of this zone
   u_int32_t notified_serial         Last serial number of this zone that
   time_t last_check                 Last time this zone was checked over at the
   enum {Master,Slave,Native} kind   Type of zone
   DNSBackend *backend               Pointer to the backend that feels
                                     authoritative for a domain and can act as a slave
These functions all have a default implementation that returns
false, which means that these methods can be omitted in
simple backends. Furthermore, unlike with simple backends, a
slave-capable backend must make sure that the 'DNSBackend *db'
field of the SOAData record is filled out correctly: it is
used to determine which backend will house this zone.

bool isMaster(const string &name, const string &ip);
If a backend considers itself a slave for the domain
name and if the IP address in ip is indeed a master, it
should return true. False otherwise. This is a first
line of checks to guard against reloading a domain

void getUnfreshSlaveInfos(vector<DomainInfo>* domains)
When called, the backend should examine its list of
slave domains and add any unfresh ones to the domains

bool getDomainInfo(const string &name, DomainInfo & di)
This is like getUnfreshSlaveInfos, but for a specific
domain. If the backend considers itself authoritative
for the named zone, di should be filled out, and 'true'
be returned. Otherwise return false.

bool startTransaction(const string &qname, int id)
When called, the backend should start a transaction that
can be committed or rolled back atomically later on. In
SQL terms, this function should BEGIN a transaction and
DELETE all records.

bool feedRecord(const DNSResourceRecord &rr)
Insert this record.

bool commitTransaction();
Make the changes effective. In SQL terms, execute

bool abortTransaction();
Abort changes. In SQL terms, execute ABORT.

void setFresh(int id)
Indicate that a domain has either been updated or
refreshed without the need for a retransfer. This causes
the domain to vanish from the vector modified by
getUnfreshSlaveInfos().

PDNS will always call startTransaction() before making calls to
feedRecord(). Although it is likely that abortTransaction()
will be called in case of problems, backends should also be
prepared to abort from their destructor.

The actual code in PDNS is currently (1.99.9):

   resolver.axfr(remote,domain.c_str());

   db->startTransaction(domain, domain_id);

   L<<Logger::Error<<"AXFR started for '"<<domain<<"'"<<endl;
   Resolver::res_t recs;

   while(resolver.axfrChunk(recs)) {
     for(Resolver::res_t::const_iterator i=recs.begin();i!=recs.end();++i) {
       db->feedRecord(*i);
     }
   }
   db->commitTransaction();
   db->setFresh(domain_id);
   L<<Logger::Error<<"AXFR done for '"<<domain<<"'"<<endl;
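The refresh/stale/transfer cycle above, as an added example that is not PowerDNS code: an in-memory slave-capable backend with the transaction methods from the excerpt, driven by a transfer loop modelled on the 1.99.9 code, showing that a transfer that dies halfway leaves the old zone live and the domain still stale. The injected clock, setSerial(), serial(), recordCount(), ChunkSource and the RFC 1982 serial comparison are assumptions made for this example.

```cpp
// Added example, not PowerDNS code: an in-memory slave-capable backend modelling
// the refresh -> stale -> AXFR -> commit/abort cycle described above. Method names
// follow the DNSBackend excerpt; clock, setSerial(), serial(), recordCount() and
// ChunkSource are assumptions made for this example.
#include <cstdint>
#include <ctime>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>
struct DNSResourceRecord { std::string qname, qtype, content; uint32_t ttl; };
struct DomainInfo {  // the fields of Table C-3 that this example uses
  int id = 0; std::string master; uint32_t serial = 0; time_t last_check = 0;
  enum Kind { Master, Slave, Native } kind = Native;
};

// RFC 1982 serial arithmetic (assumed; the text only says "higher"): newer if ahead mod 2^32.
bool serialIsNewer(uint32_t remote, uint32_t local) {
  return remote != local && static_cast<int32_t>(remote - local) > 0;
}

class MemorySlaveBackend {
 public:
  explicit MemorySlaveBackend(time_t now) : clock_(now) {}
  void setClock(time_t now) { clock_ = now; }

  int addSlaveZone(const std::string& master, uint32_t serial, uint32_t refresh) {
    Zone z;
    z.di.id = static_cast<int>(zones_.size()) + 1;
    z.di.master = master; z.di.serial = serial; z.di.kind = DomainInfo::Slave;
    z.di.last_check = 0;  // never checked yet, so unfresh on the first sweep
    z.refresh = refresh; zones_[z.di.id] = z;
    return z.di.id;
  }

  // Add every slave zone whose SOA refresh interval has elapsed since last_check.
  void getUnfreshSlaveInfos(std::vector<DomainInfo>* domains) const {
    for (const auto& kv : zones_) {
      const Zone& z = kv.second;
      if (z.di.kind == DomainInfo::Slave &&
          clock_ - z.di.last_check >= static_cast<time_t>(z.refresh))
        domains->push_back(z.di);
    }
  }

  // Transaction: fed records are staged and replace the live zone only on
  // commit, so a transfer that dies halfway never leaves a half-updated zone.
  bool startTransaction(const std::string& /*qname*/, int id) {
    if (inTx_ || !zones_.count(id)) return false;
    inTx_ = true; txId_ = id; staged_.clear(); return true;
  }
  bool feedRecord(const DNSResourceRecord& rr) {
    if (!inTx_) return false;
    staged_.push_back(rr); return true;
  }
  bool commitTransaction() {
    if (!inTx_) return false;
    zones_[txId_].records.swap(staged_);
    inTx_ = false; staged_.clear(); return true;
  }
  bool abortTransaction() { inTx_ = false; staged_.clear(); return true; }
  void setFresh(int id) { zones_[id].di.last_check = clock_; }
  void setSerial(int id, uint32_t serial) { zones_[id].di.serial = serial; }
  uint32_t serial(int id) const { return zones_.at(id).di.serial; }
  size_t recordCount(int id) const { return zones_.at(id).records.size(); }
 private:
  struct Zone { DomainInfo di; uint32_t refresh = 0; std::vector<DNSResourceRecord> records; };
  std::map<int, Zone> zones_;
  time_t clock_; bool inTx_ = false; int txId_ = -1;
  std::vector<DNSResourceRecord> staged_;
};

// Stands in for Resolver::axfrChunk(): scripted chunks, optionally dying after N chunks.
struct ChunkSource {
  std::vector<std::vector<DNSResourceRecord>> chunks;
  size_t failAfter = SIZE_MAX, next = 0;
  bool axfrChunk(std::vector<DNSResourceRecord>& out) {
    if (next >= chunks.size()) return false;
    if (next >= failAfter) throw std::runtime_error("AXFR connection lost");
    out = chunks[next++]; return true;
  }
};

// The transfer loop quoted above, with the staleness check in front and the abort path behind.
bool resyncZone(MemorySlaveBackend& db, int id, uint32_t remoteSerial, ChunkSource& src) {
  if (!serialIsNewer(remoteSerial, db.serial(id))) {
    db.setFresh(id);  // serial unchanged: refreshed without a retransfer
    return false;
  }
  if (!db.startTransaction("", id)) return false;
  try {
    std::vector<DNSResourceRecord> recs;
    while (src.axfrChunk(recs))
      for (const auto& rr : recs) db.feedRecord(rr);
  } catch (const std::exception&) {
    db.abortTransaction();  // old data stays live and the domain stays stale
    return false;
  }
  db.commitTransaction(); db.setSerial(id, remoteSerial); db.setFresh(id);
  return true;  // zone replaced, serial advanced, marked fresh
}
```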
10300 __________________________________________________________
C.4.1. Supermaster/Superslave capability

A backend that wants to act as a 'superslave' for a master
should implement the following method:

   virtual bool superMasterBackend(const string &ip, const string &domain, const vector<DNSResourceRecord>&nsset, string *account, DNSBackend **db);

This function gets called with the IP address of the potential
supermaster, the domain it is sending a notification for and
the set of NS records for this domain at that IP address.

Using the supplied data, the backend needs to determine if this
is a bona fide 'supernotification' which should be honoured. If
it decides that it should, the supplied pointer to 'account'
needs to be filled with the configured name of the supermaster
(if accounting is desired), and the db needs to be filled with
a pointer to your backend.

Supermaster/superslave is a complicated concept; if this is all
unclear see Section 13.2.1.
__________________________________________________________
C.5. Read/write master-capable backends

In order to be a useful master for a domain, notifies must be
sent out whenever a domain is changed. Periodically, PDNS
queries backends for domains that may have changed, and sends
out notifications to slave nameservers.

In order to do so, PDNS calls the getUpdatedMasters() method.
Like the getUnfreshSlaveInfos() function mentioned above, this
should add changed domain names to the vector passed.

The following excerpt from the DNSBackend shows the relevant

   virtual void getUpdatedMasters(vector<DomainInfo>* domains);
   virtual void setNotified(int id, u_int32_t serial);

These functions all have a default implementation that returns
false, which means that these methods can be omitted in
simple backends. Furthermore, unlike with simple backends, a
slave-capable backend must make sure that the 'DNSBackend *db'
field of the SOAData record is filled out correctly: it is
used to determine which backend will house this zone.

void getUpdatedMasters(vector<DomainInfo>* domains)
When called, the backend should examine its list of
master domains and add any changed ones to the

bool setNotified(int domain_id, u_int32_t serial)
Indicate that notifications have been queued for this
domain and that it need not be considered 'updated'
__________________________________________________________
Appendix D. Compiling PowerDNS

D.1. Compiling PowerDNS on Unix

For now, see the Open Source PowerDNS site. ./configure ; make
; make install will do The Right Thing for most people.

PowerDNS can be compiled with modules built in, or with modules
designed to be loaded at runtime. All that is configured before
compiling using the well known autoconf/automake system.

To compile in modules, specify them as --with-modules="mod1
mod2 mod3", substituting the desired module names. Each backend
has a module name in the table at the beginning of its section.

To compile a module for inclusion at runtime, which is great if
you are a Unix vendor, use --with-dynmodules="mod1 mod2 mod3".
These modules then end up as .so files in the compiled libdir.

Starting with version 2.9.18, PowerDNS requires 'Boost' to
compile; it is available for most operating systems. Otherwise,
see the Boost website.

If your operating system does not have a Boost package, you
don't need to compile all of Boost just for PowerDNS. PowerDNS
only uses Boost include files, so there is no need to install
all of Boost. Just untar the Boost distribution file and
instruct ./configure to find it, perhaps like this:

   $ CXXFLAGS=-I/home/bert/download/boost_1_33_0 ./configure ...
__________________________________________________________
10403 Known to compile with gcc, but only since 2.9.8. AIX lacks
10404 POSIX semaphores so they need to be emulated, as with MacOS X.
10405 __________________________________________________________
10409 Works fine, but use gmake. Pipe backend is currently broken,
10410 for reasons, see Section A.1. Due to the threading model of
10411 FreeBSD, PowerDNS does not benefit from additional CPUs on the
10414 The FreeBSD Boost include files are installed in
10415 /usr/local/include, so prefix CXXFLAGS=-I/usr/local/include to
10416 your ./configure invocation.
10417 __________________________________________________________
10421 Linux is probably the best supported platform as most of the
10422 main coders are Linux users. The static DEB distribution is
10423 known to have problems on Debian 'Sid', but that doesn't matter
10424 as PowerDNS is a native part of Debian 'Sid'. Just apt-get!
10425 __________________________________________________________
10429 Did compile at one point but maintenance has lapsed. Let us
10430 know if you can provide us with a login on MacOS X or if you
10432 __________________________________________________________
10436 Compiles but then does not work very well. We hear that it may
10437 work with more recent versions of gcc, please let us know on
10438 <pdns-dev@mailman.powerdns.com>.
10439 __________________________________________________________
10443 Solaris 7 is supported, but only just. AAAA records do not work
10444 on Solaris 7. Solaris 8 and 9 work fine. The 'Sunpro' compiler
10445 has not been tried but is reported to be lacking large parts of
10446 the Standard Template Library, which PowerDNS relies on
10447 heavily. Use gcc and gmake (if available). Regular Solaris make
10448 has some issues with some PowerDNS Makefile constructs.
10450 When compiling, make sure that you have /usr/ccs/bin in your
10451 path. Furthermore, with some versions of MySQL, you may have to
10452 add "LDFLAGS=-lz" before ./configure.
10453 __________________________________________________________
10455 D.2. Compiling PowerDNS on Windows
10457 By Michel Stol (<michel@powerdns.com>).
10458 __________________________________________________________
I will assume these things from you:

You have the PowerDNS sources.
There's not much to compile without the source files,

You are using Microsoft Visual C++. If you get it to compile
using a free compiler, please let us know!
From the day that we began porting the UNIX PowerDNS
sources to Microsoft Windows we used Microsoft Visual
C++ as our development environment of choice.

We used Visual C++ 6.0 to compile all sources (both
standard version and SP5). Other versions (including
Visual C++ .NET) are untested.

You are using Microsoft Windows NT, 2000 or XP
I will assume that the system on which you want to compile
the sources is running Microsoft Windows NT, 2000 or
XP. These are the operating systems that were found
running PowerDNS for Windows.

You probably can compile the sources on other Windows versions
too, but that is currently untested.

You are using an English Windows version.
Throughout this document I will use the English names for
menu items, names etc., so if you are running a
non-English Windows or MSVC version you have to
translate those things yourself. But I don't think that
would be a big problem.
__________________________________________________________
10499 Although we tried to keep PowerDNS for Windows' dependencies
10500 down to a minimum, you will still need some programs and
10501 libraries to be able to compile the sources.
10502 __________________________________________________________
10504 D.2.2.1. pthreads for Windows
10506 The pthreads for Windows library is a Windows implementation of
10507 the POSIX threads specification, which is used a lot in UNIX
10510 PowerDNS uses pthreads too, and to ease the porting process we
10511 decided not to reinvent the wheel, but to use pthreads for
10513 __________________________________________________________
10515 D.2.2.1.1. Getting pthreads for Windows
10517 Pthreads for Windows is available from anonymous ftp at
10518 ftp://sources.redhat.com/pub/pthreads-win32/. You should
10519 download the latest pthreads-YYYY-MM-DD.exe file.
10523 PowerDNS for Windows was tested with the snapshot of 2002-03-02
10526 For more information you can visit the pthreads for Windows
10527 homepage at http://sources.redhat.com/pthreads-win32/
10528 __________________________________________________________
10530 D.2.2.1.2. Installing pthreads for Windows
10532 To install the pthreads for Windows library you have to locate
10533 your pthreads-YYYY-MM-DD.exe file and start it.
10535 After starting the executable a self-extractor dialog will show
10536 up where you can specify where to extract the contents of the
10537 file. When you selected a location you can press the Extract
10538 button to extract all content to the target directory.
10540 The library is now installed, we still have to tell Visual C++
10541 where it's located though, more on that later.
10542 __________________________________________________________
10544 D.2.3. Nullsoft Installer
10546 For our installation program we used Nullsoft's Installer
10547 System (NSIS). We used NSIS because it's easy to use, versatile
10548 and free (and it uses SuperPiMP(TM) technology, but they refuse
10549 to tell us what it is ;)). If the name Nullsoft rings a bell,
10550 it's because they're the guys who made winamp.
10551 __________________________________________________________
10553 D.2.3.1. Getting the Nullsoft Installer
10555 The Nullsoft Installer can be downloaded at their website,
10556 which is located at http://www.nullsoft.com/free/nsis/. The
10557 file that you should download is called nsisXXX.exe (where XXX
10558 is the latest version).
10562 You can find the NSIS documentation at that website too.
10563 __________________________________________________________
10565 D.2.3.2. Installing the Nullsoft Installer
10567 Installing NSIS is easy. All there is to it is locating the
10568 installer and execute it. Then just follow the installation
10570 __________________________________________________________
10572 D.2.4. Setting up the build-environment
10574 Before starting Microsoft Visual C++ and compile PowerDNS for
10575 Windows, you first have to set up your build environment.
10576 __________________________________________________________
D.2.4.1. Make Microsoft Visual C++ recognize *.cc and *.hh (optional)

All PowerDNS source files are in the form name.cc, and all
header files in the form name.hh. These extensions aren't
recognized by MSVC by default, so you might want to change that

Only perform this step if you want to be able to edit the *.cc
and *.hh files in MSVC.

If you decide to perform this step, remember that it requires
modification of the Windows registry; always make a backup

Ok, after that word of caution we can now proceed. You have to
follow these steps:

   1. Start the registry editor by entering regedit.exe in the
      run prompt (Start->Run...).
   2. Right click on HKEY_CLASSES_ROOT and select New->Key. A new
      key will appear; change that key to ".cc", then change the
      default value to "cppfile".
      Then perform the same step for ".hh" (use "hfile" instead
   3. HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Build
      System\Components\Platforms\Win32 (x86)\Tools\32-bit C/C++
      Compiler for 80x86. And add ";*.cc" to the Input_Spec value
      (so that it becomes "*.c;*.cpp;*.cxx;*.cc").

      If you happen to use another platform (like alpha) to compile
      the sources, you have to do the step above for that platform.
   4. HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Search.
      And add ";*.cc;*.hh" to the FIF_Filter value (so that it
      "*.c;*.cpp;*.cxx;*.tli;*.h;*.tlh;*.inl;*.rc;*.cc;*.hh").
   5. HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Text
      Editor\Tabs/Language Settings\C/C++. And add ";cc;hh" to
      the FileExtensions value (so that it becomes
      "cpp;cxx;c;h;hxx;hpp;inl;tlh;tli;rc;rc2;hh;cc").
   6. Close the registry editor.

MSVC should now properly recognize the files as C++.
__________________________________________________________
10631 D.2.4.2. Setting Microsoft Visual C++'s directories
10633 MSVC needs to locate some include files, libraries and
10634 executables when it has to build PowerDNS for Windows. We are
10635 now going to tell MSVC where to find those.
10637 To enter the directory dialog you have to go to
10638 Tools->Options...->Directories.
10639 __________________________________________________________
10641 D.2.4.2.1. Setting the pthreads directories
10643 When you are in the directory dialog you can add the pthreads
10644 for Windows directory.
10646 First add the include directory, to do this you have to select
10647 Include files from the Show directories for: combobox. Then
10648 press the New button and browse to the include directory of
10649 pthreads (ie. C:\pthreads\include).
10651 Then switch to Library files and add the library directory (ie.
10652 C:\pthreads\lib) using the same method as above.
10653 __________________________________________________________
10655 D.2.4.2.2. Setting the Nullsoft Installer directory
10657 While still being in the directory dialog, switch to Executable
10658 files and add the Nullsoft Installer directory (ie. C:\Program
10659 Files\NSIS) to the list.
10660 __________________________________________________________
10664 Finally, after all the reading, installing and configuring we
10665 are ready to start compiling PowerDNS for Windows.
10666 __________________________________________________________
10668 D.2.5.1. Starting the compilation
10670 To start the compilation you first have to open the PowerDNS
10671 workspace (powerdns.dsw) using explorer or from the File->Open
10672 Workspace... menu in MSVC.
10674 After you opened the workspace you can start compiling. Check
10675 all the checkboxes in the Build->Batch Build... menu and press
10678 Now cross your fingers and go make some coffee or tea while
10679 compiling PowerDNS for Windows. :)
10680 __________________________________________________________
10682 D.2.5.2. Yay! It compiled
10684 Congratulations, you have now compiled PowerDNS for Windows!
10686 All the release builds of the binaries are in the Release
10687 directory (including the generated installer). The debug builds
10688 are in the, guess what, Debug directory.
10690 Now you can start installing PowerDNS, but that's beyond the
10691 scope of this document. See the online documentation for more
10692 information about that.
10693 __________________________________________________________
10695 D.2.5.3. What if it went wrong?
10697 If the compilation fails, then try reading this article again,
10698 and again to see if you did something wrong.
10700 If you are pretty sure that it's a bug, either in the PowerDNS
10701 sources, the build system or in this article, then please send
10702 an e-mail to <pdns-dev@mailman.powerdns.com> describing your
10703 problem. We will then try to fix it.
10704 __________________________________________________________
10706 D.2.6. Miscellaneous
10708 Some miscellaneous information.
10709 __________________________________________________________
Michel Stol would like to thank these people:

For writing the wonderful PowerDNS software and
teaching me stuff that I'd otherwise never have learned.

For being great colleagues.

The pthreads-win32 crew (see the pthreads-win32 CONTRIBUTORS
For easing our porting process by writing a great
Windows implementation of pthreads.

The guys over at Nullsoft.
For creating the Nullsoft Installer System (NSIS), and
Winamp, the program we use every day to make a lot of
noise in the office.
__________________________________________________________

D.2.6.2. Contact information

If you have a comment, or a bug report concerning either this
document or the PowerDNS sources, you can contact
<pdns-dev@mailman.powerdns.com>

For general information about PowerDNS, the pdns server,
express, documentation etc. I advise you to visit
http://www.powerdns.com/

If you are interested in buying PowerDNS you can send a mail to
<sales@powerdns.com> or you can visit the PowerDNS website at
http://www.powerdns.com/pdns/

If you want to praise my work, ask me to marry you, deposit
$1.000.000 on my bank account or flame me to death, then you
can mail me at <michel@powerdns.com> :)
__________________________________________________________
10752 D.2.6.3. Legal information
10754 Microsoft, Visual C++, Windows, Windows NT, Windows 2000,
10755 Windows XP and Win32 are either registered trademarks or
10756 trademarks of Microsoft Corporation in the U.S.A. and/or other
10759 Other product and company names mentioned herein may be the
10760 trademarks of their respective owners.
10761 __________________________________________________________
10763 Appendix E. PowerDNS license (GNU General Public License version 2)
10765 GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING,
10766 DISTRIBUTION AND MODIFICATION
10768 0. This License applies to any program or other work which
10769 contains a notice placed by the copyright holder saying it may
10770 be distributed under the terms of this General Public License.
10771 The "Program", below, refers to any such program or work, and a
10772 "work based on the Program" means either the Program or any
10773 derivative work under copyright law: that is to say, a work
10774 containing the Program or a portion of it, either verbatim or
10775 with modifications and/or translated into another language.
10776 (Hereinafter, translation is included without limitation in the
10777 term "modification".) Each licensee is addressed as "you".
10779 Activities other than copying, distribution and modification
10780 are not covered by this License; they are outside its scope.
10781 The act of running the Program is not restricted, and the
10782 output from the Program is covered only if its contents
10783 constitute a work based on the Program (independent of having
10784 been made by running the Program). Whether that is true depends
10785 on what the Program does.
10787 1. You may copy and distribute verbatim copies of the Program's
10788 source code as you receive it, in any medium, provided that you
10789 conspicuously and appropriately publish on each copy an
10790 appropriate copyright notice and disclaimer of warranty; keep
10791 intact all the notices that refer to this License and to the
10792 absence of any warranty; and give any other recipients of the
10793 Program a copy of this License along with the Program.
10795 You may charge a fee for the physical act of transferring a
10796 copy, and you may at your option offer warranty protection in
10797 exchange for a fee.
10799 2. You may modify your copy or copies of the Program or any
10800 portion of it, thus forming a work based on the Program, and
10801 copy and distribute such modifications or work under the terms
10802 of Section 1 above, provided that you also meet all of these
10805 a) You must cause the modified files to carry prominent notices
10806 stating that you changed the files and the date of any change.
10808 b) You must cause any work that you distribute or publish, that
10809 in whole or in part contains or is derived from the Program or
10810 any part thereof, to be licensed as a whole at no charge to all
10811 third parties under the terms of this License.
10813 c) If the modified program normally reads commands
10814 interactively when run, you must cause it, when started running
10815 for such interactive use in the most ordinary way, to print or
10816 display an announcement including an appropriate copyright
10817 notice and a notice that there is no warranty (or else, saying
10818 that you provide a warranty) and that users may redistribute
10819 the program under these conditions, and telling the user how to
10820 view a copy of this License. (Exception: if the Program itself
10821 is interactive but does not normally print such an
10822 announcement, your work based on the Program is not required to
10823 print an announcement.) These requirements apply to the
10824 modified work as a whole. If identifiable sections of that work
10825 are not derived from the Program, and can be reasonably
10826 considered independent and separate works in themselves, then
10827 this License, and its terms, do not apply to those sections
10828 when you distribute them as separate works. But when you
10829 distribute the same sections as part of a whole which is a work
10830 based on the Program, the distribution of the whole must be on
10831 the terms of this License, whose permissions for other
10832 licensees extend to the entire whole, and thus to each and
10833 every part regardless of who wrote it.
10835 Thus, it is not the intent of this section to claim rights or
10836 contest your rights to work written entirely by you; rather,
the intent is to exercise the right to control the distribution
of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the
Program with the Program (or with a work based on the Program)
on a volume of a storage or distribution medium does not bring
the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on
it, under Section 2) in object code or executable form under
the terms of Sections 1 and 2 above provided that you also do
one of the following:

a) Accompany it with the complete corresponding
machine-readable source code, which must be distributed under
the terms of Sections 1 and 2 above on a medium customarily
used for software interchange; or,

b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the
offer to distribute corresponding source code. (This
alternative is allowed only for noncommercial distribution and
only if you received the program in object code or executable
form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work
for making modifications to it. For an executable work,
complete source code means all the source code for all modules
it contains, plus any associated interface definition files,
plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source
code distributed need not include anything that is normally
distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating
system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by
offering access to copy from a designated place, then offering
equivalent access to copy the source code from the same place
counts as distribution of the source code, even though third
parties are not compelled to copy the source along with the
object code.

4. You may not copy, modify, sublicense, or distribute the
Program except as expressly provided under this License. Any
attempt otherwise to copy, modify, sublicense or distribute the
Program is void, and will automatically terminate your rights
under this License. However, parties who have received copies,
or rights, from you under this License will not have their
licenses terminated so long as such parties remain in full
compliance.
5. You are not required to accept this License, since you have
not signed it. However, nothing else grants you permission to
modify or distribute the Program or its derivative works. These
actions are prohibited by law if you do not accept this
License. Therefore, by modifying or distributing the Program
(or any work based on the Program), you indicate your
acceptance of this License to do so, and all its terms and
conditions for copying, distributing or modifying the Program
or works based on it.

6. Each time you redistribute the Program (or any work based on
the Program), the recipient automatically receives a license
from the original licensor to copy, distribute or modify the
Program subject to these terms and conditions. You may not
impose any further restrictions on the recipients' exercise of
the rights granted herein. You are not responsible for
enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of
patent infringement or for any other reason (not limited to
patent issues), conditions are imposed on you (whether by court
order, agreement or otherwise) that contradict the conditions
of this License, they do not excuse you from the conditions of
this License. If you cannot distribute so as to satisfy
simultaneously your obligations under this License and any
other pertinent obligations, then as a consequence you may not
distribute the Program at all. For example, if a patent license
would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through
you, then the only way you could satisfy both it and this
License would be to refrain entirely from distribution of the
Program.

If any portion of this section is held invalid or unenforceable
under any particular circumstance, the balance of the section
is intended to apply and the section as a whole is intended to
apply in other circumstances.

It is not the purpose of this section to induce you to infringe
any patents or other property right claims or to contest
validity of any such claims; this section has the sole purpose
of protecting the integrity of the free software distribution
system, which is implemented by public license practices. Many
people have made generous contributions to the wide range of
software distributed through that system in reliance on
consistent application of that system; it is up to the
author/donor to decide if he or she is willing to distribute
software through any other system and a licensee cannot impose
that choice.

This section is intended to make thoroughly clear what is
believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted
in certain countries either by patents or by copyrighted
interfaces, the original copyright holder who places the
Program under this License may add an explicit geographical
distribution limitation excluding those countries, so that
distribution is permitted only in or among countries not thus
excluded. In such case, this License incorporates the
limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new
versions of the General Public License from time to time. Such
new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the
Program specifies a version number of this License which
applies to it and "any later version", you have the option of
following the terms and conditions either of that version or of
any later version published by the Free Software Foundation. If
the Program does not specify a version number of this License,
you may choose any version ever published by the Free Software
Foundation.

10. If you wish to incorporate parts of the Program into other
free programs whose distribution conditions are different,
write to the author to ask for permission. For software which
is copyrighted by the Free Software Foundation, write to the
Free Software Foundation; we sometimes make exceptions for
this. Our decision will be guided by the two goals of
preserving the free status of all derivatives of our free
software and of promoting the sharing and reuse of software
generally.
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE
LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS
WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE
COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO
IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO
MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE,
BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS
OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED
BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE
WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS
__________________________________________________________
Appendix F. Further copyright statements

F.1. AES implementation by Brian Gladman

Since version 3.1.5, PowerDNS contains AES code by Brian
Gladman, to which the following applies:

Copyright © 1998-2007, Brian Gladman, Worcester, UK. All rights
reserved.

The free distribution and use of this software is allowed (with
or without changes) provided that:

1. source code distributions include the above copyright
notice, this list of conditions and the following disclaimer;

2. binary distributions include the above copyright notice,
this list of conditions and the following disclaimer in their
documentation;

3. the name of the copyright holder is not used to endorse
products built using this software without specific written
permission.

This software is provided 'as is' with no explicit or implied
warranties in respect of its properties, including, but not
limited to, correctness and/or fitness for purpose.