NEWS.old (forked from gdnsd/gdnsd)
2.99.9950-beta - 2019-01-27
Beta-quality pre-release of 3.0.0 for integration/live testing
Note this is not a real release, and there are no guarantees!
Please see the separate file VERSION3.md - there's too much NEWS!
------
* TCP DNS implementation significantly revamped (again) with the DNS
Stateful Operations (DSO) draft in mind, and the testsuite was upgraded
to test it much more exhaustively now. DSO protocol details are not yet
implemented, but all of the basic logic is. The code is also more
efficient, especially in the case of pipelined requests. Timeout
behaviors and various parameter defaults/limits have changed as well.
* EDNS Padding support added, with a new per-listener boolean option
"tcp_pad". Only supported on TCP listeners at this time. Defaults off
for normal TCP listeners and defaults on for "tcp_proxy" listeners.
"tcp_proxy" is intended for testing encrypted transports, and this will
help mitigate length analysis attacks against that traffic.
* Bugfix for the configuration of "tcp_proxy" listeners: the code was meant
to reject this option on a port 53 listener, but instead it was
rejecting the option anytime the global default "dns_port" option was
set to its normal value of 53.
* Forward-ported from 2.4.x: bugfix for FreeBSD IPv6 with traffic routed to
an IP that's bound to the loopback
* Reverted the detection and rejection of post-2018 GeoLite2-City databases
with auto_dc_coords that was added in 2.3.1, as MaxMind later reversed
course and decided to keep the coordinates in the databases.
* Default compiler flags for hardening updated with newer stack-protection
features from recent GCC, and also Intel's CET flow control stuff.
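The "tcp_pad" option above counters length analysis by making every message on the encrypted transport a multiple of a fixed block size. As an added example (not gdnsd's code), this Python builds an RFC 7830 EDNS(0) Padding option sized so the whole message lands on a block boundary, including the awkward case where fewer than four bytes remain in the block; the 468-byte block size is the RFC 8467 recommendation for responses, assumed here because the notes do not state gdnsd's value.

```python
"""RFC 7830 EDNS(0) Padding to a fixed block size.

Constructed example; not gdnsd code. The 468-byte block is the RFC 8467
recommendation for responses and is an assumption here, since the release
notes do not state the block size gdnsd uses.
"""
import struct
from typing import List, Optional, Sequence, Tuple

OPT_TYPE = 41           # OPT pseudo-RR type (RFC 6891)
EDNS_PADDING = 12       # EDNS option code for Padding (RFC 7830)
OPTION_HEADER = 4       # every EDNS option costs 2 bytes code + 2 bytes length
RESPONSE_BLOCK = 468    # assumed block size (RFC 8467 recommendation)


def encode_name(name: str) -> bytes:
    """Wire-format domain name (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt_rr(udp_size: int, options: Sequence[Tuple[int, bytes]]) -> bytes:
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags (0)."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata


def padding_data_len(unpadded_len: int, block: int) -> Optional[int]:
    """Length of the Padding option's data so the message is a block multiple.

    Returns None when the message is already aligned (no option needed). When
    fewer than OPTION_HEADER bytes remain in the current block, the 4-byte
    option header alone would overshoot, so we pad out to the next block.
    """
    remainder = (-unpadded_len) % block
    if remainder == 0:
        return None
    if remainder < OPTION_HEADER:
        remainder += block
    return remainder - OPTION_HEADER


def padded_message(header: bytes, question: bytes, answers: bytes,
                   udp_size: int = 1410,
                   options: Sequence[Tuple[int, bytes]] = (),
                   block: int = RESPONSE_BLOCK) -> bytes:
    """Assemble header + question + answers + OPT, padded to the block size.

    The caller's header must already count the OPT RR in ARCOUNT.
    """
    opts: List[Tuple[int, bytes]] = list(options)
    base_len = (len(header) + len(question) + len(answers)
                + len(build_opt_rr(udp_size, opts)))
    pad = padding_data_len(base_len, block)
    if pad is not None:
        opts.append((EDNS_PADDING, b"\x00" * pad))   # padding MUST be zero bytes
    return header + question + answers + build_opt_rr(udp_size, opts)


def sample_response() -> bytes:
    """Constructed answer to 'example.com. IN A' with one A RR (192.0.2.1)."""
    qname = encode_name("example.com")
    question = qname + struct.pack("!HH", 1, 1)                         # A, IN
    answer = qname + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)        # QR|RD|RA, ARCOUNT=1
    return padded_message(header, question, answer)
```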
2.99.9949-beta - 2019-01-09
* Bugfix: Pipelined TCP requests should now work properly (these aren't
in common use by recursors yet AFAIK).
* Socket option-setting code refactored substantially, should smooth out
any bumps caused at the kernel level by pointlessly re-setting
already-set options on sockets taken over via replace.
* UDP send and receive buffer sizes are now no longer subject to heuristic
auto-tuning guesswork. If an explicit value is not configured, OS
defaults are left alone.
* TCP PROXY (v1 and v2) protocol support can now be optionally enabled via
the new per-listener option "tcp_proxy". This enables preservation of
recursors' source IP information for GeoIP lookups when proxying in TCP
DNS connections, and is primarily intended for testing DNS-over-TLS
deployment strategies using an external TLS proxy daemon. See the
documentation for the "tcp_proxy" config option for more information.
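With "tcp_proxy", gdnsd takes the client address that the fronting TLS proxy prepends to the TCP stream, so the parsing of that header is where a spoofed or malformed source address would enter GeoIP decisions. As an added example, not gdnsd's own parser, this Python decodes both PROXY protocol header forms (v1 text, v2 binary) into a client endpoint and rejects anything malformed; the sample streams are constructed.

```python
"""PROXY protocol v1/v2 header parsing for a "tcp_proxy"-style DNS listener.

Constructed example; not gdnsd's parser. A listener that trusts a fronting
proxy must take the client address from this header and nowhere else, and
must drop connections whose header is missing or malformed.
"""
import ipaddress
import struct
from typing import Optional, Tuple

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte binary signature
V1_MAX_LEN = 107                            # spec maximum for the v1 line incl. CRLF
Endpoint = Tuple[str, int]                  # (client IP as text, client port)


class ProxyError(ValueError):
    """Header missing or malformed: the connection should be closed."""


def _parse_v1(data: bytes) -> Tuple[Optional[Endpoint], int]:
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > V1_MAX_LEN:
        raise ProxyError("v1 header not terminated within 107 bytes")
    fields = data[:end].split(b" ")          # the spec allows exactly one space
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ProxyError("bad v1 magic")
    if fields[1] == b"UNKNOWN":
        return None, end + 2                 # proxy could not determine the client
    if len(fields) != 6:
        raise ProxyError("v1 header needs exactly 6 fields")
    proto, src, _dst, sport, _dport = fields[1:]
    family = {b"TCP4": 4, b"TCP6": 6}.get(proto)
    if family is None:
        raise ProxyError("unsupported v1 protocol %r" % proto)
    ip = ipaddress.ip_address(src.decode("ascii"))   # ValueError on garbage
    if ip.version != family:
        raise ProxyError("address family does not match TCP4/TCP6")
    port = int(sport)
    if not 0 < port <= 65535:
        raise ProxyError("bad source port")
    return (str(ip), port), end + 2


def _parse_v2(data: bytes) -> Tuple[Optional[Endpoint], int]:
    if len(data) < 16:
        raise ProxyError("short v2 header")
    _sig, ver_cmd, fam_proto, length = struct.unpack("!12sBBH", data[:16])
    if ver_cmd >> 4 != 2:
        raise ProxyError("not PROXY v2")
    consumed = 16 + length
    if len(data) < consumed:
        raise ProxyError("v2 header truncated")
    command = ver_cmd & 0x0F
    if command == 0x0:                          # LOCAL: the proxy's own health check
        return None, consumed
    if command != 0x1:                          # only PROXY is defined
        raise ProxyError("bad v2 command")
    family, transport = fam_proto >> 4, fam_proto & 0x0F
    if transport != 0x1:                        # STREAM; DNS over TCP is never DGRAM
        raise ProxyError("v2 transport is not STREAM")
    body = data[16:consumed]
    if family == 0x1 and length >= 12:          # AF_INET: 4+4 addresses, 2+2 ports
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
    elif family == 0x2 and length >= 36:        # AF_INET6: 16+16 addresses, 2+2 ports
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ProxyError("bad v2 address family or length")
    return (str(ipaddress.ip_address(src)), sport), consumed   # trailing TLVs ignored


def client_endpoint(stream: bytes) -> Tuple[Optional[Endpoint], bytes]:
    """Return (client endpoint or None, remaining bytes = start of the DNS stream)."""
    try:
        if stream.startswith(V2_SIGNATURE):
            endpoint, consumed = _parse_v2(stream)
        elif stream.startswith(b"PROXY "):
            endpoint, consumed = _parse_v1(stream)
        else:
            raise ProxyError("no PROXY header on a tcp_proxy listener")
    except (ValueError, struct.error) as exc:   # ipaddress/int() failures included
        raise ProxyError(str(exc)) from exc
    return endpoint, stream[consumed:]


def is_rejected(stream: bytes) -> bool:
    """True when the header is invalid and the connection would be dropped."""
    try:
        client_endpoint(stream)
    except ProxyError:
        return True
    return False


# Constructed sample streams: a PROXY header followed by the first bytes of a
# DNS-over-TCP stream (2-byte length prefix; the payload is not parsed here).
DNS_STUB = b"\x00\x1d" + b"\x00" * 29
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 53\r\n" + DNS_STUB
SAMPLE_V1_V6 = b"PROXY TCP6 2001:db8::10 2001:db8::53 51234 53\r\n" + DNS_STUB
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 5])
             + struct.pack("!HH", 51234, 53) + DNS_STUB)
```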
2.99.9945-beta - 2018-12-21
* Bugfix: Parsing $INCLUDE without an origin argument should work
correctly now (it was setting incorrect origin values)
* On Linux, runtime threads for zone and geoip data reloads now increase
their niceness if the daemon was started with negative niceness (as is
the case in the recommended unit files and init scripts), so that their
heavy lifting doesn't compete so hard with the important DNS I/O
threads for priority.
2.99.9944-beta - 2018-12-12
* Support for building and loading out-of-tree DSO plugins is removed. The
existing "plugins" from the source tree still work exactly as before from
the end-user point of view, but are compiled into the main daemon. We no
longer install DSOs (or other shared libs) or headers for building 3rd
party DSOs against. This is the first compatibility-breaking step
towards overhauling all related things for 4.x in the future.
* RFC 7873 EDNS Cookie support added. Enabled and automatic by default.
There's 3 new optional config params (to disable, to use a persistent
master key for syncing loadbalanced/anycast cookies, and to set a
UDP response size limit for uncookied client requests) and 4 new stats
counters, see docs and/or VERSION3.md for more details!
* RFC 8482 "Refuse ANY" implemented, with a fixed behavior of returning a
synthetic HINFO RR to ANY queries over all protocols. This also removes
our previous behavior of responding with truncation (TC=1) to ANY over
UDP and forcing those queries over to TCP.
* Query packets are now parsed much more robustly, generating more FORMERR
and/or NOTIMP responses to inputs we would've dropped without response
before, and also signalling EDNS support (response OPT RR) in edge cases
where we wouldn't have bothered before, which should help with future
proofing and moving standards forward. This doesn't really impact
live/common traffic from present-day real clients.
* UDPv6: New separate param "max_edns_response_v6" (vs existing
"max_edns_response" which is now v4-only), defaulting to 1212 to avoid
problematic fragmentation issues on the live Internet.
* TCPv6: Hardcoded minimal MTU/MSS to avoid MTU and/or fragmentation issues
that could cause loss or performance impact (tuned similar to above).
* Bugfix for NSID: only respond with NSID when the client requests it!
* "tcp_timeout" min/def/max values changed from 5/15/60 to 5/37/1080.
* Fixed socket option limits: a few cases were inconsistent with the
documented, intended minimum and maximums.
* Removed the auto-serial misfeature
* Removed the gdnsd-specific $ADDR_LIMIT_V[46] zonefile directives
* Killed support for DOS (\r\n) line endings in the config and zone parsers
* The "DNSSEC OK" (DO) bit of client EDNS headers is now tracked as a stat
and reflected in responses.
* New build dependency: libsodium 1.x
* New testsuite dependency: Perl Net::DNS module version 1.03 or higher (we
used to bundle a forked old version, this catches us up with current and
gets the copied code out of our repo, and enables testing future/fancier
things).
* The ragel-generated rfc1035 zonefile parser's generated C code size was
reduced substantially with various tricks and fixups; it's not nearly as
bloated as it was before!
* The djbdns zonefile parser was removed. It never made it past being a
very limited and experimental backend, and the time to remove it is now
during the major-version breakage cycle, instead of later when coming
feature work will necessitate it.
* Various minor / less-notable bugfixes
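The RFC 7873 cookies above let a server distinguish a client that can prove it received an earlier response from a spoofed source, which is what makes a tighter UDP size limit for uncookied requests useful. As an added example (not gdnsd's implementation, whose cookie algorithm the notes do not describe), this Python encodes and decodes the COOKIE option and shows one illustrative server-cookie construction: a timestamp plus an HMAC-SHA256 tag binding the client cookie to its source IP; the tag length, the validity windows and the limit values passed to udp_response_limit are this example's assumptions.

```python
"""RFC 7873 DNS Cookies: option encoding plus an illustrative server-cookie scheme.

Constructed example; not gdnsd's implementation. The server-cookie layout
(32-bit timestamp + 16-byte HMAC-SHA256 tag over client cookie, client IP and
timestamp) and the 3600 s / 300 s validity windows are this example's choices.
"""
import hashlib
import hmac
import struct
from typing import Tuple

EDNS_COOKIE = 10            # EDNS option code (RFC 7873)
CLIENT_COOKIE_LEN = 8       # fixed by RFC 7873
TAG_LEN = 16                # server cookie = 4-byte timestamp + TAG_LEN (8..32 allowed)
MAX_AGE = 3600              # accept cookies issued up to an hour ago
MAX_SKEW = 300              # ...or up to five minutes "in the future" (anycast clock skew)


def make_server_cookie(secret: bytes, client_cookie: bytes, client_ip: str, now: int) -> bytes:
    """Bind the client's cookie to its source address under the server secret."""
    if len(client_cookie) != CLIENT_COOKIE_LEN:
        raise ValueError("client cookie must be 8 bytes")
    ts = struct.pack("!I", now & 0xFFFFFFFF)
    msg = client_cookie + client_ip.encode("ascii") + ts
    tag = hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]
    return ts + tag


def verify_server_cookie(secret: bytes, client_cookie: bytes, client_ip: str,
                         server_cookie: bytes, now: int) -> bool:
    """True only if the cookie was minted for this client cookie + IP and is fresh.

    A cookie replayed from a different source address, or an expired one, fails
    the constant-time comparison, so the sender cannot prove it owns the address.
    """
    if len(server_cookie) != 4 + TAG_LEN:
        return False
    ts = struct.unpack("!I", server_cookie[:4])[0]
    age = (now & 0xFFFFFFFF) - ts                # 32-bit wrap-around ignored for clarity
    if age > MAX_AGE or age < -MAX_SKEW:
        return False
    expected = make_server_cookie(secret, client_cookie, client_ip, ts)
    return hmac.compare_digest(expected, server_cookie)


def encode_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """EDNS option: 2-byte code, 2-byte length, client cookie [+ server cookie]."""
    data = client_cookie + server_cookie
    return struct.pack("!HH", EDNS_COOKIE, len(data)) + data


def decode_cookie_option(option: bytes) -> Tuple[bytes, bytes]:
    """Split an OPT option into (client cookie, server cookie or b'').

    RFC 7873 section 5.2.2: any other length is malformed and gets FORMERR.
    """
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:]
    if code != EDNS_COOKIE or len(data) != length:
        raise ValueError("not a well-formed COOKIE option")
    if len(data) == CLIENT_COOKIE_LEN:
        return data, b""
    if CLIENT_COOKIE_LEN + 8 <= len(data) <= CLIENT_COOKIE_LEN + 32:
        return data[:CLIENT_COOKIE_LEN], data[CLIENT_COOKIE_LEN:]
    raise ValueError("malformed COOKIE option length (FORMERR)")


def udp_response_limit(cookie_valid: bool, client_udp_size: int,
                       max_edns_response: int, uncookied_limit: int) -> int:
    """Size cap for a UDP response.

    A request without a valid server cookie may be spoofed, so it is held to
    the smaller uncookied limit to bound reflection amplification; the limit
    values are parameters here, not gdnsd's option names or defaults.
    """
    limit = min(client_udp_size, max_edns_response)
    return limit if cookie_valid else min(limit, uncookied_limit)
```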
2.99.9942-beta - 2018-10-11
* Documentation improvements/fixups
* A few minor fixes and docs updates from testing on FreeBSD 11.2
* Dumped any pretense of MacOS support, as it's been untested for many
MacOS and gdnsd releases and unlikely to work anymore, and seems
pointless to support when they sell no servers and don't allow emulation.
2.99.9930-beta - 2018-10-05
* New config option 'nsid_ascii', as a simpler variant for defining NSID
data bytes which happen to map to ASCII printable strings.
* Old config option 'edns_client_subnet' restored (was removed in
previous betas), allows turning off edns-client-subnet support.
* Minor change to edns-client-subnet RFC interpretations: send FORMERR
in all cases when the family field is not IPv4 or IPv6 (has no
practical impact on real world requests).
* Minor updates to the example initscript
* Minor QA-related updates to the source
2.99.9161-beta - 2018-10-03
* Daemon replacement is now much more operationally transparent:
** Stats counter data is handed off; it no longer rolls over to zero like
it would on a full stop -> start. The "uptime" stat now reflects the
uptime of the stats themselves, which could be considerably longer
than the uptime of the current daemon process.
** ACME DNS-01 challenge data is handed off as well, so that replacement
doesn't effectively flush all the active ephemeral challenge data.
** gdnsdctl now actually enforces its timeout, at least loosely.
** The server's control socket now correctly and effectively blocks all
state-changing operations that it should during the critical window of
the replacement process (pretty much everything but the gdnsdctl
commands "stats", "states", and "status"), and it does so with a
unique response type (RESP_LATR) that lets the client know it's being
denied for this reason instead of some other generic failure and it
can/should retry on a fresh connection later.
** gdnsdctl pays attention to the above RESP_LATR (and other "soft"
communication failures which could be caused by really bad timing with
a replace/stop operation on the daemon) and retries the transaction on
a fresh connection once per second until it goes through successfully
(or truly fails), or until it reaches its overall timeout.
** The net effect of these changes is that they closed up the final
loopholes to make gdnsdctl<->daemon operations fully reliable for
multiple independent actors. You could have several different admins,
scripts, CM tools, and cronjobs firing off concurrent or overlapping
state-changing gdnsdctl commands like "replace" (for config updates or
a package/binary update), "reload-zones", "acme-dns-01", etc, and all
of them will eventually succeed or fail correctly (i.e. they won't
artificially fail because of conflict). None of them will ever lie
about the real, user-facing meaning of their successful exit values
(e.g. that when "gdnsdctl reload-zones" exits successfully, the new
data is already visible to queries, regardless of whatever else was
going on).
* gdnsd has a new flag '-i' for idempotent start/daemonize (reports
success instead of failure if it detects another running instance)
* gdnsdctl has a similar new flag '-i' which means "ignore dead daemon"
for certain actions where that makes sense, returning success if
there's no live daemon to connect to. "gdnsdctl -i stop" is
effectively an idempotent stop, but "idempotent" is the wrong word for
what it does to "replace", "reload-zones", and "acme-dns-01-flush".
For those actions, it's more like "succeed if the daemon is dead,
because a new daemon in the future will implicitly start with the state
changes I was trying to notify any optionally-alive daemon of"
* gdnsdctl also gained the new flag "-o" for one-shot mode, which disables
retries, causing commands to (pointlessly?) fail if they collide with
the critical time window of a replace operation.
* An example Linux LSB-style sysv initscript is provided that does
most of the same setup/security stuff as the example systemd unit
* Version and PID info are now always logged at startup
* Builds for the x32 ABI (x86_64 ILP32) now get 64-bit stat counters,
which are otherwise only generally available in builds for *P64 ABIs.
* Several corner-case bugfixes for the control socket code
* Lots of other cleanup and minor correction
2.99.1729-beta - 2018-09-21
* Systemd unit file example updated to add required declarations about
managing the run directory
* Fixed failure to start if no zone data was defined
* A few other minor and relatively-invisible resiliency fixes
2.99.42-beta - 2018-09-20
* Fixed various pedantic and/or racy issues around permissions of the run
directory and the control socket.
* A couple minor cleanups for error messages and docs
2.99.9-beta - 2018-09-18
* Fixed three related bugs in MX/SRV record validation during zone
loading which could have caused duplicated warnings, negated the
intended effect of zones_strict_data just for the MX/SRV case, and
also failed to reject huge MX/SRV RR sets, if zones_strict_data
was true.
* Main daemon now ignores old options '-f', '-s', and '-x' to ease
transition of scripts/tools
* 'make install' no longer checks for the 'gdnsd' user
* Various documentation fixups and minor cleanup
2.99.8-beta - 2018-09-17
*** Bugfixes:
* Fixed bug where ancillary programs like gdnsdctl were using the same
syslog identifier 'gdnsd' as the main daemon, which was confusing.
* Fixed a very long-standing bug (back to 1.x somewhere) that allowed
zonefiles to specify CNAME alongside other RRs in certain ways while
evading the intended failure to load the zone. CNAMEs created in this
manner wouldn't actually be used for real CNAME aliasing at runtime,
but could be seen in direct queries for qtype=CNAME. Doesn't seem
worth a separate bugfix release for 2.x.
*** Feature changes:
* Zone-local CNAMEs are (once again, like 2.x) followed when generating
response packets.
* Dynamic CNAME target values emitted via DYNC RRs can no longer point
into same-zone data.
* VERSION3.md was updated to reflect these. See previous commit c9fc7de
for a fuller explanation of these changes.
* CLI option '-T' renamed to '-R' to reduce confusion, and all log
outputs related to the replace process had their clarity improved.
2.99.7-beta - 2018-09-13
* Fixed bugs that would cause an error exit on startup when
certain plugin configuration stanzas were (legally) empty sets.
* SIGUSR1 properly handled for extmon_helper as well
2.99.6-beta - 2018-09-12
* Minor cleanups from Coverity analysis: mostly workarounds to
avoid false positives, but also two actual resource leaks fixed
(memory and directory handles when reload-zones failed)
* SIGUSR1 properly handled during takeover replacement spawn
2.99.5-beta - 2018-09-11
Beta-quality pre-release of 3.0.0 for integration/live testing
Note this is not a real release, and there are no guarantees!
Please see the separate file VERSION3.md - there's too much NEWS!
2.4.0 - 2018-02-15
* plugin_multifo: added "ignore_health" parameter. If "ignore_health" is
true, all addresses are added to the result set regardless of health, but
the up_thresh and TTL effects still happen, and the final resource-level
state still reflects the overall state as it would without
"ignore_health", for meta-plugin consumption.
2.3.1 - 2018-02-15
* GeoIP2: Detect coordinate-free post-2018 GeoLite2-City databases, and
refuse to use them with auto_dc_coords. cf:
https://blog.maxmind.com/2018/01/02/discontinuation-of-the-geolite-legacy-databases/
* GeoIP2: fixed the handling of automatic, coordinate-based mapping for
networks with no coordinates (e.g. anon-proxy, satellite). These now
return the default datacenter ordering as documented, which is how GeoIP1
has always behaved. The GeoIP2 code was calculating distances for these
networks based on literal 0,0 coordinates since the code was introduced.
* Removed illegal malloc function attributes (could cause optimizer bugs?
no known reports)
* Removed useless/invalid syslog.target dependency from systemd unit
* Fix testsuite breakage with system Net::DNS
* Various minor code-quality / docs / logs / errmsg / spelling fixups
2.3.0 - 2017-11-20
*** Bugfixes:
* Comments at the end of RRs using RFC 3597 syntax now work properly with
whitespace, fixes Github issue 147.
* UDPv6 listening sockets no longer fail fatally if IPV6_DONTFRAG cannot be
set on them, possibly fixing Github issue 115 for some OpenVZ+Debian
installations.
*** Features:
* any_mitigation - New boolean config option, default true. When
enabled, gdnsd sends empty truncated responses to ANY queries over
UDP, which mitigates their use in amplified reflection attacks and
forces legitimate clients to use TCP for these queries. In the
future, the behavior of this option may be relaxed in combination with
other more-general mitigation strategies such as RRL and/or cookies.
* The configuration language's $include{} directive now supports
including whole directories or glob wildcards. The previous behavior
was to treat the include pathname as a singular literal filename. The
new behavior first checks whether the pathname is the literal name of
an existing directory. If so, all files within will be included (as
if the glob pattern "/*" were appended), and it will not be an error
if no matching files exist. Otherwise, the pathname is treated as a
glob wildcard match, and it will be an error if no matches exist.
* plugin_extmon has a new per-service option 'max_proc' which defaults to
zero. If non-zero, this sets the limit on the number of concurrent
commands that will be run. If the limit is exceeded, excess commands are
rescheduled for 0.1 seconds later. After a few runs, the processes will
be spread out enough to run without running into the limit. This avoids
thundering herds of subprocess executions at startup in large
configurations. Contributed by ScaleEngine / Alan Jude.
* CAA records are now natively supported in the normal rdata format from
RFC 6844. CAA records continue to be supported in RFC 3597 generic
format as well, although this is not recommended going forward.
* plugin_geoip has a new top-level option "undefined_datacenters_ok", which
allows resources to leave some of their map's datacenters undefined.
Enabling this can be dangerous, see warnings in the documentation.
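The two ANY mitigations this file records, the 2.3.0 any_mitigation behaviour above (empty truncated UDP response, forcing TCP) and the 2.99.9944 RFC 8482 behaviour (synthetic HINFO on every transport), are shown side by side in this added Python example, which is not gdnsd code. The HINFO text "RFC8482" with an empty OS field follows RFC 8482 section 4.2; the 3600-second TTL and the constructed sample query are this example's assumptions.

```python
"""Two generations of ANY-query mitigation, side by side.

Constructed example; not gdnsd code. 'truncate' reproduces the 2.3.0
any_mitigation behaviour (empty TC=1 response over UDP, forcing TCP);
'hinfo' reproduces the 3.x RFC 8482 behaviour (synthetic HINFO on every
transport). The HINFO contents follow RFC 8482 section 4.2; the TTL is
this example's choice.
"""
import struct
from typing import Dict, Optional, Tuple

QTYPE_ANY, QTYPE_HINFO, QCLASS_IN = 255, 13, 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
HINFO_TTL = 3600                               # assumption, not from the notes


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_question(msg: bytes) -> Tuple[int, int, int, bytes]:
    """Return (id, flags, qtype, raw question section) from a simple message.

    Only an uncompressed name with a single question is handled here.
    """
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    while msg[pos] != 0:
        if msg[pos] & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + msg[pos]
    pos += 1
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return msg_id, flags, qtype, msg[12:pos + 4]


def hinfo_rdata(cpu: str, os: str) -> bytes:
    """HINFO RDATA is two <character-string>s: length byte + text each."""
    return bytes([len(cpu)]) + cpu.encode("ascii") + bytes([len(os)]) + os.encode("ascii")


def any_response(query: bytes, over_udp: bool, mode: str) -> Optional[bytes]:
    """Synthetic response to an ANY query, or None if normal answering applies.

    None is returned for a non-ANY qtype, and for 'truncate' mode over TCP,
    where 2.3.0 served the real RRsets.
    """
    msg_id, flags, qtype, question = parse_question(query)
    if qtype != QTYPE_ANY:
        return None
    rflags = FLAG_QR | FLAG_AA | (flags & FLAG_RD)   # authoritative answer, echo RD
    if mode == "truncate":
        if not over_udp:
            return None
        header = struct.pack("!HHHHHH", msg_id, rflags | FLAG_TC, 1, 0, 0, 0)
        return header + question                     # nothing to amplify with
    if mode == "hinfo":
        rdata = hinfo_rdata("RFC8482", "")
        qname = question[:-4]
        rr = qname + struct.pack("!HHIH", QTYPE_HINFO, QCLASS_IN, HINFO_TTL, len(rdata)) + rdata
        header = struct.pack("!HHHHHH", msg_id, rflags, 1, 1, 0, 0)
        return header + question + rr
    raise ValueError("mode must be 'truncate' or 'hinfo'")


def summarize(resp: bytes) -> Dict[str, object]:
    """Decode the bits a defender checks when testing a server's ANY handling."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    out: Dict[str, object] = {"tc": bool(flags & FLAG_TC), "ancount": ancount, "size": len(resp)}
    if ancount:
        _, _, _, question = parse_question(resp)
        pos = 12 + len(question) + (len(question) - 4)   # header, question, RR owner name
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        out.update(rtype=rtype, ttl=ttl, rdata=resp[pos + 10:pos + 10 + rdlen])
    return out


def sample_any_query() -> bytes:
    """Constructed 'example.com. IN ANY' query, RD set, no EDNS."""
    return (struct.pack("!HHHHHH", 0xBEEF, FLAG_RD, 1, 0, 0, 0)
            + encode_name("example.com") + struct.pack("!HH", QTYPE_ANY, QCLASS_IN))
```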
2.2.4 - 2016-04-14
* libmaxminddb 1.2.0+ compatibility, using the new interface.
* Note that libmaxminddb's 1.2.0 release is a shared library runtime
compatibility barrier for gdnsd; compiling gdnsd against <1.2.0 and
running against >= 1.2.0 (or vice-versa) is not supported, and the
daemon will exit with an error message indicating this if it happens.
For distributions, you may simply want to make 1.2.0 a required
minimum for gdnsd going forward. This situation is unfortunate, but
there's no clean way to avoid it given upstream broke the undocumented
(but only!) database iteration interface's assumptions in 1.1.5, then
broke them again in 1.2.0 while introducing the new interface.
2.2.3 - 2016-03-23
* Workaround for libmaxminddb 1.1.5 compatibility
* Added a Documentation= tag in the systemd unit file template
* A few typo fixes in the documentation
2.2.2 - 2016-01-06
*** Bugs fixed:
* Fixed a bug (introduced in 2.2.1) in HTTP monitoring when using the
"vhost" parameter.
* The code now falls back from F_OFD_SETLK to F_SETLK at runtime if the
runtime environment differs from the compile-time one.
* Changed the binary "Build Info" string to make the build
reproducible (do not include e.g. host or date information).
* Several updates to qa scripts/tools to keep up with recent changes
* A few trivial warning/analysis cleanups that should be no-op
2.2.1 - 2015-08-05
*** Bugs fixed:
* extfile plugin - if the addresses/CNAMEs for a given extfile
service_type are not listed in natural sort order in the configuration,
extfile will update the wrong items (sorting bug).
* rfc1035 zonefile reloading - Directory scanning (SIGUSR1, or automatic
periodic scanning on a non-inotify system) would treat all zonefiles as
changed and reload them all, without first filtering them on whether
their stat() data had changed since the previous scan. Not really a
functional issue, but certainly wasteful and noisy.
* HTTP monitoring - was not sending any User-Agent string, now sends
"User-Agent: gdnsd-monitor"
2.2.0 - 2014-12-30
*** Bugfixes:
* fix for zero-length configuration strings causing assertion failure
in developer-debug builds
* fix for crash/assertfail if admin_state file contents are
defined by the user as an array instead of a hash
* restored the logging of monitored state transitions, which was
omitted in earlier 2.x releases but present in 1.x.
*** Features:
* If the admin_state file exists but doesn't parse correctly, that will
now be a fatal error for startup or checkconf. Previously the error was
logged but startup/checkconf was successful.
* plugin_geoip: Support for MaxMind GeoIP2 databases. Requires
libmaxminddb at build time to enable, which is a new optional build
dependency.
* plugin_geoip: Added v6->v4 translations for 64:ff9b::/96, the 'Well
Known Prefix' from RFC6052 used for e.g. NAT64.
* The http stats server now supports atomic flush-after-fetch behavior if
given the query argument '?f=1', so that the stat counts are 'since last
flush' instead of 'since startup'. The flushed state is shared between
all clients using the argument. Does not affect stats for clients not
using the argument.
* New optional compile-time dependency on libunwind. If available,
dmn_assert() in developer builds and certain fatal errors in production
builds will produce stack backtraces before terminating the process.
* Security is a little tighter by default now on Linux due to prctl()
PR_SET_NO_NEW_PRIVS, which may interfere with existing plugin_extmon
configurations if they're running privileged binaries (set[ug]id,
capabilities). If this interferes with your configuration, it can be
disabled via the global option 'weaker_security => true'.
* The shipped gdnsd.service systemd unit file now defaults to more secure
settings (e.g. private tmp, no homedir access, readonly system fs, no
device access, etc). These can be overridden by the user without
editing the defaults in e.g. /etc/systemd/system/gdnsd.d/custom.conf.
*** Other:
* The range, default, and effects of the zones_rfc1035_quiesce option
have changed. The zones_rfc1035_min_quiesce option is now deprecated
and useless and will generate a harmless warning on startup. This
shouldn't be a pragmatic issue for most users.
* Related to the above: the code no longer makes heuristic attempts to
determine the effective filesystem timestamp accuracy of the zones
directory on startup by writing temporary test files to it.
* A warning is now generated if the 'zones_rfc1035_auto' option is not set
explicitly, because the default value is likely to change from 'true' to
'false' in a future version.
* The 'listen => scan' feature is now deprecated, but continues to
function and issues a deprecation warning when used. Please either
migrate to 'listen => any' (the current default) or file a bug
indicating why that doesn't work for your platform/use-case!
* Ragel 6.x is now a hard build dependency for all builds. Previously it
was required for building from git, but not from tarballs.
* Perl version dependency has been raised from 5.8.1 to 5.10.1
* Testsuite now also requires JSON::PP (which comes with Perl 5.13.9+, but
may need to be installed for older ones).
* sysd/gdnsd.service is now always generated in the build tree from the
template, even if --without-systemdsystemunitdir and/or no systemd
detected at all, to give more options for how packagers handle things.
* Minor plugin API updates (most would just need a recompile).
* A number of less-visible refactorings for quality and/or performance.
2.1.1 - 2014-12-30
*** Bugfixes backported from master branch:
* Fixed incorrect error-handling code for the sendmmsg() syscall, which
could have caused an unnecessary additional dropped packet and/or
bad error messages after failing to send one or more packets from a set.
* The per-address level udp_recv_width option is now correctly limited to
a value of 64 (previously it was being incorrectly limited to 32).
* plugin_multifo no longer pointlessly limits to 64 addrs per family
* plugin_extmon bugfix for bad timeout/interval behavior if either >255s
* if the stats http socket failed to bind() on startup, the daemon
could carry on anyways, causing it to bind to a different, arbitrary
port number
* Fixed autoconf 2.63 compat when running autoreconf (broken in 2.1.0)
2.1.0 - 2014-10-14
*** Bugfixes:
* Fixed JSON stats output (was malformed; missing commas
in the service state portion of the output).
* Several relatively-benign deficiencies related to
daemonization, logging, and/or process control were fixed
throughout the source tree.
* Path MTU Discovery is now properly disabled on UDPv6 sockets
* Syslog output was not being generated if compiled using
--with-systemd, but not actually running under systemd.
(obviated/fixed by the changes below)
*** Systemd build/install changes:
* The --with-systemd configure flag no longer exists,
there is no dependency on systemd libraries or headers,
and all Linux builds inherently support detecting systemd
and being compatible with it.
* Support for systemd watchdog timers was removed as the
gdnsd implementation served zero functional purpose
other than to add more systemd-related code bloat.
* A (path-templated) unit file for gdnsd is now generated
and installed on applicable systems. If gdnsd will be
run as a systemd service, this unit file *must* be used!
Some of the settings within are critical to the proper
operation of gdnsd under systemd. The installation
path can be overridden from the pkg-config-based default
via --with-systemdsystemunitdir=DIR. Generation and
installation can be avoided on systems which have
systemd installed via --without-systemdsystemunitdir.
*** syslog/stdio behavior (relevant mostly for initscripts):
* New commandline flag "-x" suppresses syslog output completely.
(This is intended for testsuites and linting invocations of
checkconf and such, not for runtime use).
* When the gdnsd binary hasn't fully daemonized yet (meaning the
initial process has not yet exited, regardless of command/mode),
Info- and Debug- level messages are output to stdout, while
messages of severity Warning and higher are output to stderr
(unless we're running under systemd, in which case we stop using
stdio as soon as syslog is open to avoid journal duplicates).
Everything is mirrored to syslog regardless unless the -x cmdline
flag is used.
* If you don't want any gdnsd command output interfering with e.g.
your consistent ANSI-colored init system output, redirect both to
/dev/null. If you'd rather not have "normal" noise, but would
still like errors and serious issues to show through to the user,
just direct stdout to /dev/null.
* (The previous behavior was nothing to stdout, warning+ to stderr
and sometimes info and debug to stderr as well, but sometimes
nothing was output to any stdio anywhere, and was inconsistent
depending on flags/command/situation).
*** Misc changes:
* Documentation added for log_stats option
* Final stats output at daemon shutdown restored; was removed during a
refactor some time ago and I forgot to get it working again.
* Lots of misc improvements to the build and qa stuff. Notably the
default build will now use aggressive security-hardening flags on
modern GNU(-like) toolchains which support them.
*** The canonical HTTP and git-clone URL locations for the project
have changed to http://github.com/gdnsd/gdnsd . The old URLs
and git remotes will work correctly for some time, but not
indefinitely.
2.0.0 - 2014-10-02
*** Commandline / Signal changes:
* The signal for zone data reloads is now SIGUSR1, not SIGHUP.
* The action "reload" has been renamed to "reload-zones",
and sends the new SIGUSR1 signal.
* The action "force-reload" has been removed. Replace it
with invocations of "restart" if that's what you need.
* The point of the above changes is to free up SIGHUP and
"reload" for future reuse for a new reload behavior, but
get the compatibility breaking out of the way now with
the major version bump.
*** Other
* The hacky support for attempting fast reloads under systemd
has been removed completely. It's not worth the pain, and
better ideas are coming in the long run.
* UDP requests with a source port of zero will now count
as UDP "recvfail" in stats and will not be processed for reply.
Previously we tried to reply to these and ended up failing
the related sendmsg call and incrementing "sendfail".
* Default 'max_edns_response' raised from 1280 to 1410.
* UDP socket buffer default negotiation improvements
* Various perf tweaks and code cleanups
*** Please read the 2.0.0-beta news below for everything
else that's changed since 1.x.
2.0.0-beta - 2014-09-10
*** This is a beta release to get more people to try it in
tarball form prior to the official 2.0.0 release.
Please do not release stable distro packages based on this
release!
*** General feature changes:
* Static address RR-sets in zonefiles are no longer limited
to 256 RRs per-family
* Dynamic address RR-sets from plugins are no longer limited
to 64 RRs per-family.
* The default 'listen' setting is now 'any', which listens on
the IPv4 and IPv6 (if available) ANY-addresses 0.0.0.0 and
[::]. The previous interface-scanning mode can be enabled
via 'listen = scan'.
* New TTL-related options: max_ttl, min_ttl, and max_ncache_ttl
cause clamping (and warning) of zone TTL values. There is
a hard maximum on max_ttl of 268435455 (2^28-1, ~8.5 years).
* New config option 'max_edns_response' to cap edns0 response
sizes to a value smaller than that advertised by clients,
defaults to 1280.
* The timeout parameter of a service_type now defaults to
half of the specified interval.
* New service_types plugin "extfile" - allows for the consumption
of outside monitoring data via disk file in vscf format.
* Experimental support for djbdns zonefiles
* IPv6 runtime support is now a requirement, and the related
option monitor_force_v6_up was removed.
* Output data from the stats http listener has changed, please
update any parsers.
*** Dynamic address resolution changes:
* The 'DYNC' rr-type can now dynamically return address or
CNAME data at the plugin's discretion.
* The zonefile syntax for the TTLs of DYNA and DYNC RRs has changed.
It now accepts the form MAX[/MIN], where MIN defaults to half
of MAX.
* The TTL behavior for DYNA/DYNC has changed substantially:
Previously the zonefile TTL would be served as-is for 'UP'
resources, and cut in half for 'DANGER' or 'DOWN' resources.
Now, an internal TTL is calculated based on the minimum time
to the next state change between 'UP' and 'DOWN' according to
the normal monitoring intervals and anti-flap code.
This internal TTL is then clamped to the maximum and minimum
TTL values from the relevant zonefile RR.
* In cases where multiple monitored resources participate in a
plugin's decision and/or response (e.g. multifo), the internal
TTL will generally be the minimum of all involved internal
monitoring TTLs.
*** Service monitoring changes:
* CNAMEs can now be monitored entities in the general sense.
Note that this does not imply resolving external CNAMEs
for direct service checks, at least not with any current
plugins. It just means things like extmon/extfile can
provide custom monitor feedback, and they can be administered
through the admin_state interface described below.
* plugin_static now also acts as a monitoring plugin. It sets a
fixed up/down value and optionally a fixed internal TTL value.
* The extmon, extfile, static, and null plugins support the
monitoring of CNAME resources.
* The metafo, geoip, and weighted plugins make use of CNAME
monitoring for their CNAME-based resources.
* Monitored service states are now labeled with just their
service_type and address (or CNAME), but not the plugin
and/or resource name which (first) configured them.
* Empty service_types ('service_types = []') is now legal,
and suppresses the use of the default 'up' service_type.
* The 'DANGER' state no longer exists in the built-in monitoring
system. A resource is either 'UP' or 'DOWN' at any given
time. The monitoring algorithms and thresholds haven't
changed; 'DANGER' just isn't exposed as a separate state
from 'UP'.
* plugin_extmon: the value 'fail_once' for the option
'helper_failure_action' no longer exists, as it no longer
makes sense without a visible DANGER state. The new default
is 'stasis'.
* The special service_type 'danger' no longer exists.
* The special service_type 'none' as an alias for 'up' no
longer exists. Use 'up' instead.
* The special default service_type 'default' (which used
plugin_http) no longer exists. The new default is 'up'.
*** Administrative state-forcing:
* All monitored entities can be administratively forced
UP or DOWN (optionally, with a specific monitored TTL) at
runtime.
* Additionally, plugins can register virtual entities which
have no separate real monitoring, but can be administratively
forced into a non-default state.
* The current virtual entities in use are the datacenters of
plugin_metafo and plugin_geoip. In the plugin_geoip case,
there are two levels of state-forcing for datacenters: at
the per-resource level or the map level. The more-specific
per-resource level state takes precedence over the map-
level state, and both override any state from lower-level
monitored (or forced) resources within a datacenter.
* The mechanism for forcing state is via writing to a file
named e.g. /var/lib/gdnsd/admin_state in vscf format
with lines like "192.0.2.*/http => DOWN/300", or
"geoip/map3/dc-us => UP". As shown in the first example,
glob patterns are allowed for matching entity names.
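A small model of the admin_state mechanism described above, added here as an illustration and not taken from gdnsd's own code: it parses lines of the "pattern => STATE[/TTL]" shape shown in the examples, glob-matches them against monitored entity names, and applies the stated precedence for geoip datacenters (forced per-resource state over forced map-level state, either over the state derived from resources inside the datacenter). The '#' comment syntax, last-match-wins ordering among overlapping globs, and the exact "plugin/resource/dc" versus "plugin/map/dc" entity-name shapes are assumptions of this example, not documented on this page.

```python
"""Model of gdnsd 2.x administrative state-forcing (added example, not
project code). The precedence rules follow the NEWS text; the comment
syntax, rule ordering and per-resource entity naming are assumed."""
import fnmatch
import re
from typing import List, Optional, Tuple

# One "pattern => STATE[/TTL]" line, e.g. "192.0.2.*/http => DOWN/300".
# The optional trailing comma is an assumption about the vscf hash syntax.
_LINE_RE = re.compile(r'^\s*(\S+)\s*=>\s*(UP|DOWN)(?:/(\d+))?\s*,?\s*$')

Rule = Tuple[str, str, Optional[int]]   # (glob, state, forced TTL or None)


def parse_admin_state(text: str) -> List[Rule]:
    """Parse admin_state content into (glob, state, ttl) rules.

    Blank lines and '#' comments (assumed) are skipped. Anything else that
    does not match is a hard error: a file that forces resolver-visible
    state is exactly where a silently ignored line would hurt most."""
    rules: List[Rule] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"admin_state line {lineno}: cannot parse {line!r}")
        glob, state, ttl = m.groups()
        rules.append((glob, state, int(ttl) if ttl else None))
    return rules


def forced_state(entity: str, rules: List[Rule]) -> Optional[Tuple[str, Optional[int]]]:
    """Return (state, ttl) of the last rule whose glob matches entity, else None.

    fnmatch '*' also matches '/', so "192.0.2.*/http" matches "192.0.2.7/http"
    as the NEWS example intends. Last-match-wins is this example's choice."""
    hit = None
    for glob, state, ttl in rules:
        if fnmatch.fnmatchcase(entity, glob):
            hit = (state, ttl)
    return hit


def effective_dc_state(plugin: str, map_name: str, resource: str, dc: str,
                       monitored_state: str, rules: List[Rule]) -> str:
    """Resolve a geoip datacenter's effective state.

    Order from the NEWS: a forced per-resource state beats a forced map-level
    state, and either beats the state aggregated from monitored (or forced)
    resources inside the datacenter. The two entity-name shapes are assumed."""
    for entity in (f"{plugin}/{resource}/{dc}", f"{plugin}/{map_name}/{dc}"):
        hit = forced_state(entity, rules)
        if hit is not None:
            return hit[0]
    return monitored_state
```

Run forced_state() against the entity names your monitoring log reports; because "*" is unanchored at the "/" boundary, a glob like "192.0.2.*" also matches every service_type on those addresses, which is usually what an operator wants but is worth checking before forcing DOWN in production.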
*** Daemonization changes:
* The argument "-d <rootdir>" has been replaced by "-c <cfgdir>",
e.g. "gdnsd -c /etc/gdnsd start", with a default of
${sysconfdir}/gdnsd.
* Two new configuration options for run_dir and state_dir to
override the autoconf-based defaults of e.g. [/var]/run/gdnsd
and /var/lib/gdnsd, respectively. It's probably better to
change these via ./configure args in the normal case; this
is mostly for testsuite-like stuff or multiple instances on
a single machine.
* Direct, inbuilt support for chroot() has been removed. There
are much better security container options out there today that
can be configured externally to wrap gdnsd and/or limit its
privileges. Use them!
* debug-mode is now enabled on the commandline via "-D",
and even production builds now produce some level of
debug log output.
* "startfg" has been replaced with the flag "-f", which can
be used with any of the start or restart -like actions
to remain in the foreground.
* initgroups() is now called during privdrop operations,
allowing the daemon to have the secondary group permissions
assigned to its user in /etc/group or equivalent.
* Foreground daemons participate fully in all other aspects
of daemonization (e.g. privdrop and pidfile locking)
* It is possible to properly restart a daemon instance from
background to foreground and back again; meaning "-f restart"
can take over from a regular daemon into the foreground,
and then a regular "restart" in another terminal can replace
the foreground daemon with a new background one.
* Restarts are now even more seamless than they were before.
All expensive operations are completed before attempting to
kill the previous daemon instance (even monitor initialization),
leaving only the timing gap of waiting for the old daemon to
exit in response to its death signal before binding the
listening sockets in the new daemon, however:
* In cases where SO_REUSEPORT works, the new daemon's listeners
will be bound just *before* sending that death signal to reduce
lost requests even further. Note that you'll probably
still lose a handful of requests that were in the old daemon's
socket buffers at the time of its death.
*** Trivial, previously-deprecated incompatibilities:
* plugin_weighted: no longer allows 'cnames' alongside
'addrs_v4' or 'addrs_v6' in the same resource.
* plugin_weighted: the pointless 'cnames' singleton substanza is
no longer supported; just place the entries directly in the
top level of the resource.
* The 'late_bind_secs' option was removed.
* The 'tcp_clients_per_socket' option is removed. Use
'tcp_clients_per_thread' instead.
* The 'disable_tcp' option is removed. Use 'tcp_threads = 0' instead.
* The 'zones_rfc1035_strict_startup' option is removed. Use
'zones_strict_startup' instead.
* plugin_extmon: %%IPADDR%% replaced by %%ITEM%%
* Direct support for the SPF RR-type (99) has been removed.
*** Other misc incompatibilities
* The plugin API has changed substantially; any third-party
plugins will need substantial source-level updates. See the
gdnsd-plugin-api docs.
* Support for the old, experimental edns-client-subnet option code
0x50fa has been removed; gdnsd now only supports the official,
IANA-assigned option code 0x0008.
*** Build changes
* libcap is no longer used on Linux
* --without-libcap doesn't exist anymore
* --with-rootdir doesn't exist anymore
* Perl 5.8.1+ and "perldoc" are required for building
* Preliminary systemd support via --with-systemd
1.11.5 - 2014-09-10
Bugfixes:
Remove F_PURE from rfc1035 out-of-zone check
This was causing out-of-zone data checks during
the loading of rfc1035 zonefiles to be skipped
sometimes, depending on compiler/optimizations.
Change down_thresh min value from 1 to 2.
The value "1" leads to buggy behavior, and was
never intended to be possible in the state
machine's design.
Only use EPROTO if it's available.
Build-time bugfix for OpenBSD support.
Fix Linux version detection for initial 3.x kernels
Runtime checks of the Linux kernel version
for feature support were failing on 3.x.0 kernel
versions which do not include the ".0" in the
version string.
Deprecations:
extmon: add %%ITEM%%, deprecate %%IPADDR%%
plugin_weighted: deprecate "cnames" stanza
(both of these are to smooth out the 2.x transition)
1.11.4 - 2014-07-18
Major bugfix: The SOA record returned in the auth section of
negative responses (NXDOMAIN and NODATA) had an incorrect TTL.
RFC 2308 says that auth servers should set the SOA record's
own TTL to the minimum of the real SOA TTL and the SOA
"minimum" field (aka ncache field), but gdnsd was simply using
the real SOA TTL and assuming caches looked at the
minimum/ncache field directly (which they do not).
The fallout is that if you specified a minimum/ncache
value of 3H but the TTL of the SOA record itself
was 24H, your negative answers to caches would indicate
that the answer should be cached for 24H. Luckily
many caches limit ncache durations (e.g. BIND9 defaults to
a limit of 3H), mitigating the issue somewhat, but
it's still a pretty big deal.
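The TTL rules spread across the 2.0.0-beta entries above (max_ttl/min_ttl/max_ncache_ttl clamping with its 2^28-1 hard cap, the MAX[/MIN] syntax for DYNA/DYNC, and the internal monitoring TTL clamped into that window and taken as the minimum across participating resources) and the 1.11.4 negative-response SOA TTL fix just described, worked through as one added example. This is illustrative code, not gdnsd's own; the function names, the use of Python warnings for the "clamping (and warning)" behaviour, and the assumption that max_ncache_ttl clamps the SOA minimum field before the RFC 2308 minimum is taken are this example's.

```python
"""TTL handling as described in the gdnsd NEWS (added example, not gdnsd
code). Function names and the warning mechanism are this example's own;
the rules come from the 2.0.0-beta and 1.11.4 entries."""
import warnings
from typing import List, Tuple

HARD_MAX_TTL = 2**28 - 1   # 268435455 seconds (~8.5 years), hard cap on max_ttl


def clamp_ttl(ttl: int, min_ttl: int, max_ttl: int, what: str = "TTL") -> int:
    """Clamp a zone TTL into [min_ttl, max_ttl], warning when it changed.
    Bounds outside 0..HARD_MAX_TTL are a configuration error."""
    if not 0 <= min_ttl <= max_ttl <= HARD_MAX_TTL:
        raise ValueError(f"bad TTL bounds {min_ttl}..{max_ttl}")
    if ttl < 0:
        raise ValueError(f"{what} {ttl} is negative")
    clamped = max(min_ttl, min(ttl, max_ttl))
    if clamped != ttl:
        warnings.warn(f"{what} {ttl} clamped to {clamped}")
    return clamped


def parse_dyn_ttl(spec: str) -> Tuple[int, int]:
    """Parse a DYNA/DYNC TTL field 'MAX[/MIN]'; MIN defaults to half of MAX."""
    parts = spec.split("/")
    if not 1 <= len(parts) <= 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad DYNA/DYNC TTL {spec!r}, expected MAX[/MIN]")
    ttl_max = int(parts[0])
    ttl_min = int(parts[1]) if len(parts) == 2 else ttl_max // 2
    if ttl_min > ttl_max:
        raise ValueError(f"MIN {ttl_min} exceeds MAX {ttl_max} in {spec!r}")
    return ttl_max, ttl_min


def dynamic_response_ttl(spec: str, monitor_ttls: List[int]) -> int:
    """TTL served on a DYNA/DYNC answer: the smallest internal monitoring
    TTL among the resources that took part in the decision (e.g. all the
    members of a multifo resource), clamped into the RR's [MIN, MAX]."""
    ttl_max, ttl_min = parse_dyn_ttl(spec)
    internal = min(monitor_ttls) if monitor_ttls else ttl_max
    return max(ttl_min, min(internal, ttl_max))


def negative_soa_ttl(soa_ttl: int, soa_minimum: int,
                     max_ncache_ttl: int = HARD_MAX_TTL) -> int:
    """TTL for the SOA in the authority section of NXDOMAIN/NODATA answers.
    RFC 2308 section 3: the authority's SOA TTL must be min(SOA TTL, SOA
    minimum field), because caches do not read the minimum field themselves.
    The ncache field is first clamped by max_ncache_ttl (assumed ordering)."""
    ncache = min(soa_minimum, max_ncache_ttl)
    return min(soa_ttl, ncache)


def negative_soa_ttl_pre_1_11_4(soa_ttl: int, soa_minimum: int) -> int:
    """The 1.11.3-and-earlier behaviour the 1.11.4 entry describes: the SOA's
    own TTL was served unchanged, so caches held negative answers too long."""
    return soa_ttl
```

With the NEWS example (SOA TTL 24H, minimum 3H) the fixed function returns 10800 where the old one returned 86400; the same shape of error is worth checking on any authoritative server you operate, since a 24H negative cache entry for a name you just created is a long outage.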
Bugfix: plugin_geoip was not correctly runtime-reloading
geoip databases from geoip_db_v4_overlay due to a simple
code error, which is now fixed.
1.11.3 - 2014-05-14
Important code fixes: ----------------------------------
GeoIP country code support for South Sudan
(SS) added, to support newer upstream GeoIP data.
GeoIP country code routines updated to handle
unknown country codes more gracefully.
Trivial code fixes: ------------------------------------
Avoid listening on a random pointless socket
when bind() fails on an address from interface scan.
Improved pathname formatting in various error
and warning log outputs.
Fixed two small leaks on failed reloads of plugin_geoip
'nets' database files.
Fixed another small leak on bad resource values
for geoip/metafo RR's in failed zonefiles.
Fixed some bad libev state assertions related to
timers, which may have caused racy failures in rare
cases in debug builds.
Fixed a crash-on-startup when loading certain forms of
invalid configuration input to the meta-plugins.
Build process fixes: -----------------------------------
autoconf detection of pthreads flags on newer
versions of clang improved.
automake use of objects in subdirectories has
been removed, hopefully increasing compatibility.
directory creation during "make install" cleaned up
New deprecations: -------------------------------------
The SPF RR-type has been deprecated and will generate
a warning on zonefile loading.
*** This really will be the very last release of 1.x
before 2.0.0, barring the necessity of serious
bugfixes in the 1.x code. Please pay attention
to the deprecation warnings in your log output;
all of those things will become real issues when
you upgrade to 2.x.
1.11.2 - 2014-02-27
Bugfix: HTTP stats output network send code was horribly
broken in theory, but the bugs were difficult to hit
in practice. Triggering required the combination of
a large-enough set of monitored services and smallish
TCP send buffers, such that the data wouldn't be
completely sent by the first writev() call. Was finally
noticed by someone monitoring 50+ services on a certain
type of VM instance (thanks YTS for the report!)
Bugfix: Stats output buffer calculations made more-robust.
They were too small in some very corner cases, but I
don't believe anyone ever hit this bug; it was found
via source analysis.
Bugfix: plugin_simplefo now works correctly with no
service_types specified (default http checks). This
has been broken for years. Apparently nobody uses it
this way, if at all.
*** This is a good time to re-iterate that v2.0.0 is due
sometime "soon". 2.x will have some substantial
backwards-compatibility breaks with 1.x, especially for
any 3rd party plugin. Anything that currently gives a
deprecation notice in 1.x will be removed/changed in 2.x
for sure, so look out for those in your log output. The
branch is available as it progresses at:
https://github.com/blblack/gdnsd/tree/2.x
1.11.1 - 2014-02-11
Bugfix for plugin_geoip's normalization of "nets" input data.
This bug affected some forms of un-normalized "nets" inputs,
resulting in incorrect responses (or assertfail in debug builds).
The replacement code is much simpler and more reliable, but
also slower.
Build Bugfix: plugins' dependencies on libm were being met
indirectly via libgdnsd's library deps in automake/libtool
terms. However, due to platform variances as to which
math functions are inlined, combined with the "--as-needed"
linker flag, sometimes libm was not linked for libgdnsd,
which could result in plugins not finding math symbols.
This has caused build problems on at least Ubuntu/i386 and
Ubuntu/ppc64el. The fix moved the libm deps to their
proper places in the respective Makefile.am's.
The official tarball download URLs are moving back to github
at https://github.com/blblack/gdnsd/releases/ . The old
location will continue to host the tarballs that exist
there for a while, so as not to disrupt automated things,
and this bugfix release will also be published in both
places just in case.
1.11.0 - 2013-12-06
Bugfixes:-----------
fixed edns-client-subnet issue with configurations that
enclose a geoip resource within a metafo resource: the
metafo plugin would clear the edns scope mask set by
the geoip plugin in this case, but no longer does so.
fixed a segfault that could occur when parsing an illegal
configuration for the metafo and geoip plugins.
misc improvements to warning/error outputs
misc doc fixups
Features/Changes:---
New options 'udp_threads' and 'tcp_threads' (global or
per-listen-address). Both default to 1, which is
the previous behavior. If increased, SO_REUSEPORT
is set on the affected listening sockets, and multiple
sockets are bound to the same address with separate
listening threads. If SO_REUSEPORT is not available
(as is the case for Linux kernels < 3.9), the options
will be forced down to 1.
New option 'zones_strict_data', similar to the old
'strict_data' option, upgrades zone data warnings to
full errors. Defaults false.
New commandline option '-S' temporarily enables
'zones_strict_data' regardless of config-file setting,
mostly useful for 'checkconf'
New commandline option '-s', as above for 'zones_strict_startup'
'listen' option: new values 'any' and 'scan'. 'any' uses
the ANY-addresses (IPv4 + v6 as applicable), and 'scan'
scans the interface list via getifaddrs() and configures
each valid address as a separate listener, which is still
the default behavior. A warning has been added when using
the implicit default 'scan' behavior, indicating that the
default will change to the 'any' behavior in a future
release.
PTR records no longer do additional-section processing, as
per the RFCs (not that any practical config ever made use
of it anyways)
Deprecations:-------
The use of 'cnames' in the same resource as 'addrs_v[46]'
in the 'weighted' plugin is deprecated. Please migrate
away from this by placing the cnames in a separate
resource.
'late_bind_secs' feature is deprecated, and should be
unnecessary now that we fallback to attempting
IP_FREEBIND (or the BSD equivalent) on initial bind()
failure.
'zones_rfc1035_strict_startup' option was renamed to
'zones_strict_startup' with deprecated support for
the old name.
'tcp_clients_per_socket' option was renamed to
'tcp_clients_per_thread' with deprecated support
for the old name.
'disable_tcp' option deprecated in favor of setting
the new 'tcp_threads' option to zero.
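The listener behaviour described in the 1.11.0 entries above (several sockets bound to one address with SO_REUSEPORT, one per udp_threads/tcp_threads worker, the count forced down to 1 where SO_REUSEPORT is unavailable, and the IP_FREEBIND / BSD-equivalent retry that replaces late_bind_secs), as an added example in Python rather than gdnsd's C. The address and thread count are the example's inputs, SO_REUSEPORT support is detected through the socket module, and IP_BINDANY is assumed to be the BSD analogue the NEWS alludes to. The freebind path is only reached when binding a not-yet-configured address, which a loopback run does not exercise.

```python
"""UDP listener setup modelled on the gdnsd 1.11.0 NEWS (added example,
not gdnsd code): SO_REUSEPORT per worker thread, forced to one listener
where the option is missing, and a freebind retry on EADDRNOTAVAIL."""
import errno
import socket
from typing import List


def _enable_freebind(sock: socket.socket) -> bool:
    """Set IP_FREEBIND (Linux) or IP_BINDANY (BSD, assumed name) so that
    bind() to an address not yet present on any interface succeeds."""
    for name in ("IP_FREEBIND", "IP_BINDANY"):
        opt = getattr(socket, name, None)
        if opt is None:
            continue
        try:
            sock.setsockopt(socket.IPPROTO_IP, opt, 1)
            return True
        except OSError:
            pass
    return False


def bind_udp_listeners(addr: str, port: int, threads: int) -> List[socket.socket]:
    """Bind `threads` UDP sockets to addr:port, one per worker thread.

    Without SO_REUSEPORT (e.g. Linux kernels < 3.9) only a single socket can
    own the port, so the thread count is forced down to 1 as the NEWS says.
    If port is 0 the kernel picks a port for the first socket and the
    remaining sockets reuse it; that is a convenience for tests only."""
    reuseport = getattr(socket, "SO_REUSEPORT", None)
    if reuseport is None and threads > 1:
        threads = 1
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    socks: List[socket.socket] = []
    try:
        for _ in range(threads):
            s = socket.socket(family, socket.SOCK_DGRAM)
            # All sockets sharing a port must set SO_REUSEPORT before bind().
            if reuseport is not None and threads > 1:
                s.setsockopt(socket.SOL_SOCKET, reuseport, 1)
            try:
                s.bind((addr, port))
            except OSError as e:
                # Address not (yet) configured locally: retry with freebind
                # instead of sleeping in a late_bind_secs style loop.
                if e.errno != errno.EADDRNOTAVAIL or not _enable_freebind(s):
                    s.close()
                    raise
                s.bind((addr, port))
            port = s.getsockname()[1]
            socks.append(s)
    except OSError:
        for s in socks:
            s.close()
        raise
    return socks


def listener_count(addr: str, port: int, threads: int) -> int:
    """Bind, report how many listeners the platform actually allowed, clean up."""
    socks = bind_udp_listeners(addr, port, threads)
    try:
        return len(socks)
    finally:
        for s in socks:
            s.close()
```

Note the security side of SO_REUSEPORT that the NEWS does not spell out: on Linux any process running as the same effective UID can bind another SO_REUSEPORT socket to the same address and port and start receiving a share of the daemon's queries, so the privdrop user should not be shared with anything else on the host.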
*** NOTE *** Version 2.0.0 will be coming up soon, it could
even potentially be the very next release. 2.0.0 will contain
major feature work related to plugins, and (as the bump of
the leading version number indicates) it won't be a fully
backwards-compatible release.
Most things that have become "deprecated" over the past
several releases will have their backwards-compatibility
removed in 2.0.0, and notably the plugin API will have
substantial changes for any 3rd-party plugin code to
accommodate. You have been warned!
1.10.1 - 2013-10-04
Bugfixes:
A faulty assert() was removed from the plugin_geoip code:
This assert failure could be triggered in a debug build
of the daemon by a carefully crafted request packet, but a
normal cache would never generate such a packet intentionally.
No known problems for non-debug builds (which should include all
"normal" builds from debs/rpms, etc), but if you're running
a debug build on the internet, it can be DoS'd with this.
plugin_geoip "nets" data normalization was buggy when presented
with certain odd sets of un-normalized networks which had
overlapping and/or mergeable subnets in the data. All known cases
are now handled correctly. In the case of a complete conflict
(exact same subnet/mask mapped to two different results explicitly),
the choice between the two variants is arbitrary and a warning is
issued (before, this resulted in load failure).
Removed debugging and gdnsd_geoip_test text output length limitations
on very long dclists.
Fixed a testsuite bug which resulted in a false failure if
the system's /usr/share/GeoIP/ contained database
formats other than Country, Region, and City.
1.10.0 - 2013-09-04
Features:
The configuration syntax now supports include files.
Bugfixes:
Responses to type=ANY queries on CNAME RRs were incorrect
per the relevant RFCs. Now they're correct. I don't
believe the broken cases were broken in ways that would
matter for most users in production queries, though.
When the final line of a zonefile contained a data record
with no terminating newline, the unterminated data was
silently ignored. This now produces a proper parse error.
Made testsuite more likely to succeed when run as root,
which is still a bad idea. Also warns loudly in an
effort to reduce bug reports about testsuite failures
when running as root.
Several smaller bugfixes - minor code issues never seen in
the wild, found via valgrind, clang-analyzer, and/or Coverity.
Meta-stuff:
Travis (http://travis-ci.org) support added to automatically
run the build+test process for incoming pull requests
and new pushes to the main branches as well.
Started using Coverity's free scan tool for open source
projects, which has helped spot additional defects.
Moved general info out of README.md and into http://gdnsd.org
hosted on github pages or the INSTALL file as appropriate.
Tarball downloads are now at http://downloads.gdnsd.org as
well, but the old downloads.gdnsd.net URLs will redirect there.
Removed the pkg/ subdirectory and RPM specfiles. I'm not
really using or maintaining these personally anymore, and
they really don't belong in the upstream source anyways, as
there are too many distro/version differences to account for.
Leave that stuff to the distro packagers.
1.9.0 - 2013-07-09
Added support for the new IANA-assigned edns-client-subnet option
code, while keeping backwards compatibility with the deprecated
experimental option code as well.
JSON output format added to the HTTP stats stuff at /json (Tom Walsh)
Autotools dependencies lowered (ac-2.63, am-1.11.1, lt-2.2.6)
Bugfixes:
Weighted plugin didn't always do whole-datacenter failover correctly
when used as a sub-plugin for e.g. metafo/geoip (Alexander Clouter)
RPM specfiles updated for various package bugs (Matthias Saou)
1.8.3 - 2013-05-30
Bugfix: bad default rootdir; did not start without explicit "-d".
This bug was introduced in 1.8.2, and breaks most normal use-cases,
but unfortunately didn't break the testsuite since it always uses -d.
If 1.8.2 was failing to start for you and complaining about a failed
mkdir(), this was why.
Added t/README-NETDNS to the tarballs, was missing due to oversight.
1.8.2 - 2013-05-06
Syslog output improvements on startup, to reduce confusion:
The location of the config file is always logged
Whether the config file was found or not is always logged
The location of the rfc1035 zones directory is always logged
The count of zonefiles loaded from that directory is always logged
The log messages about failures related to ".mtime_test" have
been expanded to be clearer about how unimportant this is.
If the (existing) IPv6 basic socket test performed at startup fails,
which tends to indicate that IPv6 has been disabled somehow or
other on the host as a whole, the default getifaddrs()-based
interface scanner will now skip over any detected IPv6 interfaces
and log a warning about the condition exactly once. Previously
it would try to bring these up, usually resulting in a fatal error.
Illegal (according to the docs and intent) "listen" option
strings of the form ":port" were succeeding with some
implementations of getaddrinfo(), which would translate
the empty address to "::1". These are now rejected correctly.
The correct way to change the default port while still using
the default interface scanning is to use the "dns_port" option.
Fixed a 64-bit unaligned access issue which cropped up in the
Debian sparc64 port.
Meta-changes (not runtime code):
Various build/test deps improved:
Ragel dep changed from 6.[67] to 6.x
autoconf lowered from 2.69 to 2.68
automake lowered from 1.11.6 to 1.11.3
Tarballs now include autogen.sh and qa/ from the repo
Testsuite made somewhat more resilient against timing
failures on very slow or overloaded hosts
Testsuite now bundles Net::DNS 0.68, and the external
dependency is removed. This solves major compatibility
problems with newer installed versions of Net::DNS.
"make install" now creates various empty subdirectories
that might be useful to (or required by) the runtime daemon
"make install" warns if the default privdrop user "gdnsd"
doesn't yet exist.
1.8.1 - 2013-03-14
Bugfix: extmon configurations with more than 255 specific commands
should no longer fail on startup.
Bugfix: code should now work correctly on targets that do not allow
unaligned memory access (e.g. Sparc). 1.8.0 detected this early
in the configure process and aborted the build. Note that the
new solution relies on the non-standard gcc "packed" structure
attribute, which at least some other useful/compatible compilers
support. Patches welcome if this is an issue on others.
A few small doc updates, most notably that our versioning policy
going forward will follow http://semver.org/ , at least for
user-level changes (not necessarily the plugin API very strictly
at this time, due to its documented state of flux).
1.8.0 - 2013-02-04
Start of new stable series, 1.8.x will mostly be just bugfixes.
This entry is just a highlight of the changes from 1.6.x -> 1.8.x.