Sunday, November 20, 2011

Friday, September 23, 2011

Neutrinos faster than light?

I'm really hoping it is true, that neutrinos are actually travelling faster than light! As is usually the case with potential breakthroughs in physics, the evidence is complicated.

It would be wonderful if it had been a simple race between light and neutrinos, and the neutrinos arriving first. Sadly, it is not as simple as this.

In reality, "trains" of millions and millions of neutrinos are generated in Switzerland, from where they travel straight through the earth, to be detected in an experiment in Italy. Over three years of measurements, 16111 neutrinos have been recorded and timed.

Each train of neutrinos is 10500 nanoseconds long, and the average neutrino is measured to appear 60 nanoseconds earlier than expected. The problem is that of the millions of neutrinos sent, only a few get detected.

So when the arrival of a neutrino is measured, it is not certain if it is one from the beginning of the 10500 nanosecond long train, or one at the end.

If the train of neutrinos were exactly uniform, you could just take the average travel time, and be done with it. In the end the length of the train would average out. The problem is that the density of neutrinos being sent is absolutely not uniform.

Through crafty statistics, however, and by measuring the precise density shape of the train in Switzerland, it is still possible to generate an average travel time. And this is the number being reported: between 50 and 70 nanoseconds too fast (more or less).

This corresponds to around 18 meters at the speed of light. The distance between where the beam starts and where it is measured is known to 20 centimeters precision, so that is not a problem. It also appears that the very best timekeeping people in the whole world have been involved in making sure the clocks are running correctly.

It is an impressive effort. It would have been a lot easier if we could just organize a race between a neutrino and a photon. The result now reported is statistical in nature, but the statistics are impressive. It should however be realized that a lot of calculations are needed to get the 60ns number, and a mistake could hide anywhere.

The result can be compared to trying to measure if a (real) train runs on schedule by timing when people walk out of the train station. If you keep that up long enough, you will be able to get results - but a lot of things could mess with your measurements!

On a final note, it might well turn out that neutrinos do not travel faster than light, but that there is another reason why we are getting these results. That might in itself be almost as interesting!
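To make the averaging argument concrete, here is a small simulation, added here as an illustration; it is not part of the original post, and its train profile, nominal flight time and timing jitter are constructed rather than the experiment's numbers. It draws emission times from a deliberately non-uniform train, adds a fixed 60 ns early arrival, and compares the estimate you get by pretending the train is uniform with the one that uses the profile's measured shape.

```python
import math
import random

# Figures quoted in the post
TRAIN_NS = 10500            # length of one neutrino "train" in nanoseconds
N_DETECTED = 16111          # number of neutrinos recorded and timed
TRUE_SHIFT_NS = -60.0       # what we want to recover: arrival 60 ns early (negative = early)

# Constructed for the simulation (not the experiment's numbers)
EXPECTED_FLIGHT_NS = 2_439_000.0   # nominal flight time at the speed of light
JITTER_NS = 5.0                    # detector/clock timing noise, Gaussian sigma


def profile_sample(rng):
    """Emission time (ns) drawn from a constructed non-uniform train profile.

    Density rises linearly along the train, f(t) = 2t / T^2 on [0, T],
    so its CDF is F(t) = t^2 / T^2 and inverse-CDF sampling gives t = T*sqrt(u).
    """
    return TRAIN_NS * math.sqrt(rng.random())


def profile_moments():
    """Mean and standard deviation of the ramp profile: mean 2T/3, variance T^2/18."""
    return 2.0 * TRAIN_NS / 3.0, TRAIN_NS / math.sqrt(18.0)


def simulate_arrivals(n=N_DETECTED, seed=2011):
    """Arrival times for n detected neutrinos: emission time + flight + shift + noise."""
    rng = random.Random(seed)
    return [profile_sample(rng) + EXPECTED_FLIGHT_NS + TRUE_SHIFT_NS
            + rng.gauss(0.0, JITTER_NS) for _ in range(n)]


def naive_uniform_estimate(arrivals):
    """Shift estimate if the train were uniform: the mean emission time would be T/2."""
    mean_arrival = sum(arrivals) / len(arrivals)
    return mean_arrival - EXPECTED_FLIGHT_NS - TRAIN_NS / 2.0


def profile_estimate(arrivals):
    """Shift estimate using the measured profile's mean; returns (estimate, statistical error)."""
    mean_e, sd_e = profile_moments()
    mean_arrival = sum(arrivals) / len(arrivals)
    estimate = mean_arrival - EXPECTED_FLIGHT_NS - mean_e
    # Each detected neutrino carries the spread of the train plus timing noise;
    # averaging n of them shrinks that spread by sqrt(n).
    stat_error = math.sqrt(sd_e ** 2 + JITTER_NS ** 2) / math.sqrt(len(arrivals))
    return estimate, stat_error


if __name__ == "__main__":
    arrivals = simulate_arrivals()
    est, err = profile_estimate(arrivals)
    print(f"assuming a uniform train : {naive_uniform_estimate(arrivals):+8.1f} ns")
    print(f"using the measured shape : {est:+8.1f} +/- {err:.1f} ns (true: {TRUE_SHIFT_NS:+.0f} ns)")
```

With this ramp profile the "assume uniform" estimate is off by T/6 = 1750 ns, while the shape-aware estimate lands within its statistical error of the true -60 ns. That error (about 20 ns for 16111 events here) is the price of not knowing which neutrino in the train you detected, and it only shrinks with the square root of the number of events. The actual analysis fitted the full shape of the proton waveform rather than just its mean, which extracts more information, but it has exactly the same dependence on knowing that shape correctly.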

Saturday, July 23, 2011

A prior art post: wifi OR bluetooth for powersaving

While singing my lovely son to sleep just now, an idea popped up in my head which I'm hoping is not yet patented. If it isn't, this post should kill any chances of that ever happening. Here goes.

Bluetooth and Wifi on smartphones both draw power, even when there is no actual Wifi or Bluetooth connection active - the mere act of listening for a potential pairing costs energy.

However, when I'm on my home Wifi, I am never on Bluetooth. When I'm connected to Bluetooth, I'm never eager for a wireless connection.

Thus, wouldn't it be nice if there was a piece of software that shut down the Bluetooth listener when connected to Wifi? And if that Wifi goes out of range, turn Bluetooth back on. If that leads to a connection, shut down the Wifi listener.

I'm pretty sure that for many use cases (people with wifi at home and at the office, and bluetooth handsfree in the car), this would save like.. joules per day! ;-)

This post was of course inspired by my phone shutting down while I was reading the web while singing my son to sleep.

So - feel free to make this appear on the Android market or the appstore. And who knows, it might be there already.

Friday, July 22, 2011

PowerDNS Authoritative Server 3.0 has been released!


Available from:
 * http://downloads.powerdns.com/releases/pdns-3.0.tar.gz
 * http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.x86_64.rpm
 * http://downloads.powerdns.com/releases/deb/pdns-static_3.0-1_amd64.deb
 * http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
 * http://downloads.powerdns.com/releases/deb/pdns-static_3.0-1_i386.deb

These files also come with GPG signatures (append .sig).

RHEL/CentOS "native" RPMs are usually contributed by Kees Monshouwer
(thanks!) pretty quickly after a release on:
http://www.monshouwer.eu/download/3th_party/pdns-server/

The release notes are also available, with clickable links, on 
http://doc.powerdns.com/changelog.html#changelog-auth-3-0

Warning: Version 3.0 of the PowerDNS Authoritative Server is a major upgrade. Please refer to Section 1, “From PowerDNS Authoritative Server 2.9.x to 3.0” for important information on correct and stable operation, as well as notes on performance and memory use.
Known issues as of RC3 include:
  • Not all new features are fully documented yet
Note: Released on the 22nd of July 2011
RC1 released on the 4th of April 2011
RC2 released on the 19th of April 2011
RC3 released on the 19th of July 2011
Version 3.0 of the PowerDNS Authoritative Server brings a number of important features, as well as over two years of accumulated bug fixing.
The largest news in 3.0 is of course the advent of DNSSEC. Not only does PowerDNS now (finally) support DNSSEC, we think that our support of this important protocol is among the easiest to use available. In addition, all important algorithms are supported.
Complete detail can be found in Chapter 12, Serving authoritative DNSSEC data. The goal of 'PowerDNSSEC' is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.
Tutorials and examples of how to use DNSSEC in PowerDNS can be found linked from http://powerdnssec.org.
PowerDNS Authoritative Server 3.0 development has been made possible by the financial and moral support of:

This release has received exceptional levels of community support, and we'd like to thank the following people in addition to those mentioned explicitly below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Leen Besselink, Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, Jack Lloyd, Frank Altpeter, frederik danerklint, Vasiliy G Tolstov, Brielle Bruns, Evan Hunt, Ralf van der Enden, Marc Laros, Serge Belyshev, Christian Hofstaedtler, Charlie Smurthwaite, Nikolaos Milas, ..
Changes between RC3 and final:
  • Slight tweak to the pipebackend to ease DNSSEC operations (commit 2239, commit 2247). Also fix pipebackend support in pdnssec tool (commit 2244).
  • Upgrade the experimental native Lua backend to the latest version from Frederik Danerklint (commit 2240) and include this backend in the .deb packages (commit 2242)
  • Remove IPv6 dependency, it was only possible to run master/slave operations on a server with at least one IPv6 address. Some very old virtualized setups turned out to have no IPv6 at all. Fix in commit 2246.

Changes between RC2 and RC3:
  • PowerDNS Authoritative Server could not be configured to use an IPv6 based resolving backend. Solved in commit 2191.
  • LDAP backend reconfigured the timezone (TZ) setting of the daemon, leading to confusing logfile entries. Fixed by Christian Hofstaedtler in commit 2913, closing ticket 313.
  • Non-DNSSEC capable backends could crash on DNSSEC queries. Fixed in commit 2194 and commit 2196 (thanks to Charlie Smurthwaite) closing ticket 360.
  • Errors looking up a UID or GID were reported confusingly ('Success'), fixed in commit 2195, closing ticket 359.
  • Fix compilation against older MySQL client libraries (commit 2198, commit 2199, commit 2204), especially for older RHEL/CentOS. Also addresses the failure to look in lib64 directory for PostgreSQL.
  • Sqlite3 needs write access not just to its database file, but also to the directory it is in. If this wasn't the case, no useful error message was provided. Improvement in commit 2202.
  • Update of MongoDB backend (commit 2203, commit 2212).
  • 'pdnssec hash-zone-record' emitted an inverted warning about narrow NSEC3 hashes. Spotted by Jan-Piet Mens, fix in commit 2205.
  • PowerDNS can fill out default fields for SOA records, but neglected to do so if the SOA record was matched by an incoming ANY question. Spotted by Marc Laros & others. Fixes ticket 357, code in commit 2206.
  • PowerDNS would mistreat binary data in TXT records. Fix in commit 2207. Again spotted by Jan-Piet Mens. Closes ticket 356.
  • Add experimental Lua backend by our star contributor Fredrik Danerklint. commit 2208.
  • Christoph Meerwald discovered our RRSIG freshness checking checked more than the intended RRSIG (on the SOA record). Fix in commit 2209.
  • Christoph Meerwald discovered we got confused by TSIG signed EDNS-adorned queries, since we expected the EDNS OPT pseudorecord to be the very last record. Fix in commit 2214.
  • Christoph Meerwald discovered that when using SOA outgoing editing we would sign and THEN edit. This was not productive. Fixed in commit 2215.
  • Add missing-but-documented pdnssec command 'disable-dnssec'. Spotted by Craig Whitmore. Plus fixed misleading --help output. Code in commit 2216.
  • By popular demand, a tweak which makes an overloaded database no longer restart PowerDNS but to drop queries until the database is available again. Code in commit 2217, lightly tested. Enable by setting 'overload-queue-length=100' (for example).
  • By suggestion of Miek Gieben of SIDN, add SOA-EDIT mode 'EPOCH' which sets the SOA serial number to the 'UNIX time'. Implemented in commit 2218.
  • Added some US export control & ECCN to documentation, needed because of DNSSEC content. Update in commit 2219.
  • Fix up various spelling mistakes and badly formatted messages (commit 2220 and commit 2221) by Maik Zumstrull and 'anonymous'.
  • After a lot of thought, we now handle CNAMEs to names outside our knowledge ('bailiwick') exactly as in BIND 9.8.0, even though our way was standards compliant too. It confused things. Update in commit 2222 and commit 2224.
  • Tweak sqlite3 library location detection for newer Ubuntu versions. Change in commit 2223.
  • DNSSEC SQL schema improvements allowing for the use of constraints and foreign keys in commit 2225, by Gerald Gruenberg, closing ticket 371.
  • Add support for EDNS option 'edns-subnet', based on draft-vandergaast-edns-client-subnet (commit 2226, commit 2228, commit 2229, commit 2230, commit 2231, commit 2233).
  • Silence SIGCHLD warning from Perl when used to power 'pipe' backends (commit 2232).
  • Add experimental support, off by default, for draft-edns-subnet. See commit 2233 and commit 2239 for details how to use this feature.
  • PostgreSQL and LDAP backends can now deal with a restart of their respective servers. Many thanks to Peter van Dijk for debugging and Nikolaos Milas for supplying a reproduction path of the problem (& much nagging). Fixes in commit 2233 and commit 2235.
  • Jan-Piet Mens discovered that records inserted by Lua on zone retrieval did not get correct 'ordername' and 'auth' fields for DNSSEC. Fixed in commit 2174.
  • Silenced various relevant and less relevant compilation warnings (commit 2175). Thanks to Serge Belyshev for pointing out the error in our ways.
  • Steve Bauer discovered we would cache empty recursive answers in some cases. Addressed in commit 2176.
  • James Cloos reported that 'pdnssec check-zone' tripped over SRV records. Fixed this, and added check-zone to the regression tests. Code in commit 2177.
  • DNSSEC regression tests were added in commits 2178, 2179, 2182 and 2186. We test against the fine tools from NLNetLabs.
  • Secure DNSSEC delegations to ourselves picked wrong zone to serve the DS record from. Fixed in commit 2180, commit 2181 and commit 2183. Reported by Niek Willems of InterNLnet.
  • Stef Van Dessel suggested we made our RPMs state explicitly that they need glibc 2.4 on Linux. Code in commit 2184.
  • John Leach discovered our MySQL based backends would wait for ages on a failing MySQL server. The patch merged in commit 2189 reduces the timeout significantly, which is especially useful with haproxy and mysqlproxy.
  • commit 2190 fixes a crash reported by Marc Laros when using a non-DNSSEC capable backend. Should also improve non-DNSSEC performance.

Changes between RC1 and RC2:
  • Zone2sql sent out the wrong 'COMMIT' statement in sqlite mode. In addition, in this mode, zone2sql would not emit statements to update the domains table unless the 'slave' setting was chosen. Code in commit 2167.
  • We dropped the Authoritative Answer flag on an out-of-bailiwick CNAME referral, which was unnecessary. Code in commit 2170.
  • Kees Monshouwer discovered that we failed to detect the location of PostgreSQL on RHEL/CentOS. Fix in commit 2144. In addition, commit 2162 eases detection of MySQL on RHEL/CentOS 64 bits systems.
  • Marc Laros re-reported an old bug in the internally used 'pdns' backend where details of the SOA record were not filled out correctly. Resolved in commit 2145.
  • Jan-Piet Mens found that our TSIG signed SOA zone freshness check was signed incorrectly. Fixed in commit 2147. Improved error messages that helped debug this issue in commit 2148 and commit 2149.
  • Jan-Piet Mens helped debug an issue where some servers were "almost always" unable to transfer a TSIG signed zone correctly. Turns out that the TSIG signing code used an internal timestamp and not the remote timestamp. Because of good NTP synchronization this quite often was not a problem. Fix in commit 2159.
  • Thor Spruyt of Telenet discovered that the PowerDNS code would try to emit DNS answers over TCP of over 65535 bytes long, which failed. We now truncate such answers properly. Code in commit 2150.
  • The Slave engine now reuses an existing database connection, removing the need to create a new database connection every minute (and worse, log about it). Code in commit 2153.
  • Fix a potential Year 2106 bug in the TSIG signing code. Because we care (commit 2156).
  • Added experimental support for the 'DANE' TLSA record which is used to authenticate SSL certificates via DNSSEC. commit 2161.
  • Added experimental support for the MongoDB 'NoSQL' backend, contributed by fredrik danerklint in commit 2162.

On to the release notes. Next to DNSSEC, other major new features include:

  • TSIG for authorizing and authenticating AXFR requests & incoming zone transfers (code in commits 2024, 2025, 2033 and 2034). This allows for retrieving TSIG protected content, as well as serving it.
  • Per zone also-notify.
  • MyDNS compatible backend, allowing for 'instantaneous' migration from this authoritative nameserver. Code in commit 1418, contributed by Jonathan Oddy.
  • PowerDNS can now slave zones over IPv6 and notify IPv6 remotes of updates. Already. Code in commit 2009 and beyond.
  • Lua based incoming zone editing, allowing masters or signing slaves to add information to the zone they will (re-)serve. Implemented in commit 2065. To enable, use LUA-AXFR-SCRIPT zone metadata setting.
  • Native Oracle backend with full DNSSEC support. Contributed by Maik Zumstrull, then at the Steinbuch Centre for Computing at the Karlsruhe Institute of Technology.
  • "Also-notify" support, implemented by Aki Tuomi in commit 1400. Support for Generic SQL backends and for the BIND backend. Further code in commit 1360.
  • Support for binding to thousands of IP addresses, code in commit 1443.
  • Generic MySQL backend now supports stored procedures. Implemented in commit 2084, closing ticket 231.
  • Generic ODBC backend compiles again, and is reported to work for some users that need it. Code contributed in ticket 309, author unknown.
  • Massively parallel slaving infrastructure, able to check the freshness of thousands of remote zones per second, plus perform many incoming zone transfers simultaneously. Sponsored by Tyler Hall, code in commits 1449, 1500 and 1859.
  • Core DNS logic replaced completely to deal with the brave new world of DNSSEC.
Bugs fixed:
  • sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL errors in some cases. Discovered by Sten Spans. Fixed in commit 1342.
  • Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek. Fixed in commit 1342.
  • PowerDNS would refuse to serve domain names with spaces in them, or otherwise non-printable characters. Addressed in commit 2081.
  • PowerDNS can now serve escaped labels, as described by RFC 4343. Data should be present in backends in that escaped form. Code in commit 2089.
  • In some cases, we would include duplicate CNAMEs. In addition, we would hand out a full root-referral when not configured to in some cases (ticket 223). Discovered by Andreas Jakum, fixed in commit 1344.
  • Shane Kerr discovered we would corrupt DNS transaction IDs from the packet cache on big endian systems. Fix in commit 1346, closing ticket 222.
  • PowerDNS did not use RFC 1982 serial arithmetic, leading to a SOA serial number of 1 to be regarded as older than 4400000000, when in fact it is 'newer'. Issue (re-)discovered by Jan-Piet Mens.
  • BIND backend got confused if a zone's filename changed after a configuration reload. Fix in commit 1347, closing ticket 228.
  • When restarted by the Guardian, PowerDNS would perform a full multi-threaded cache cleanup, which took a long time and could crash. Fix in commit 1364.
  • Under artificial circumstances, PowerDNS would never clean its packet cache. Found by Marcus Goller, fix in commit 1399 and commit 1408. This update also retunes the cleanup frequency.
  • Packetcache would cache things it should not have been caching. Fixes in commits 1407, 1488, 1869 and 1880.
  • When processing incoming notifications, the BIND backend was case-sensitive, and would disregard notifications in the wrong case. Discovered by 'Dolphin', fix in commit 1420.
  • The init.d script did not mention the 'reload' command. Code in commit 1463, closes ticket 233.
  • Generic SQL Backends would sometimes emit obscure error messages. Fix in commit 2049.
  • PowerDNS would be confused by embedded NULs in domain names, and would also mess up the escaping of some characters. Fix in commit 1468, commit 1469, commit 1478 and commit 1480.
  • SOA queries for the name of a delegation point were not referred. Fix in commit 1466, closing ticket 224. In addition, queries for AAAA for a CNAMEd record pointing to a name with no AAAA would deliver a direct SOA, without the CNAME in between. Fix in commit 1542 and commit 1607. Also, wildcard CNAMEs pointing to a record without the type requested suffered from the same issue, fix in commit 1543.
  • On processing an incoming AXFR, once an MX or SRV record had been seen, all future fields got a 'priority' entry as well. This had no operational impact, but looked messy. Fixed in commit 1437.
  • Aki Tuomi discovered that the BIND zonefile parser would misrepresent 'something IN MX 15 @'. Fix in commit 1621.
  • Marco Davids discovered the BIND zonefile parser would trip over really long lines. Fix in commit 1624 and commit 1625.
  • Thomas Mieslinger discovered that our webserver would only be started after dropping privileges, which could cause problems. Fix in commit 1629.
  • Zone2sql did quite often not do exactly what was required, which users fixed by editing the SQL output. Revamped in commit 2032.
  • An Ubuntu user discovered in Launchpad bug 600479 that restarting database threads cost a lot of memory. Normally this is rare, except in case of problems. Addressed in commit 1676.
  • BIND backend could crash under (very) high load with very large numbers of zones (hundreds of thousands). Fixed in commit 1690.
  • Miek Gieben and Marco Davids spotted that PowerDNS would answer the version.bind query in the IN class too. Bug reported via twitter! Fix in commit 1709.
  • Marcus Lauer and the OpenDNSSEC project discovered that outgoing notifications did not carry the 'aa' flag. Fixed in commit 1746.
  • Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by Anders Kaseorg in commit 1747.
  • Fixed a bug that could cause crashes on launching thousands of backend connections. Never observed to occur, but who knows. Fix in commit 1792.
  • Under some circumstances, large answers could be truncated in mid-record. While technically legal, this upset a number of resolver implementations (including the PowerDNS Recursor!). Fixed in commit 1830, re-closes ticket 200.
  • Jan Piet Mens and Florian Weimer discovered we had problems dealing with escaped labels and escaped TXT fields. Fixed in commit 2000.
  • After 2.2 billion queries, statistics would wrap oddly. Fix in commit 2019, closing ticket 327.
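For the RFC 1982 entry above, here is what serial-number arithmetic looks like in practice, as an added example that is not PowerDNS code. Serials are 32-bit, so the 4400000000 in the changelog entry does not fit in one; the sample values below are constructed, including the pair 4294967295 and 1, where 1 is the newer serial. The last check illustrates a caveat for the SOA-EDIT 'EPOCH' mode mentioned earlier in these notes: switching a zone from a YYYYMMDDnn serial to UNIX time moves the serial backwards, and slaves will treat the new serial as older.

```python
SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS          # 2^32
SERIAL_HALF = 1 << (SERIAL_BITS - 1)   # 2^31


def serial_compare(i1, i2):
    """RFC 1982 comparison of two 32-bit serials.

    Returns -1 if i1 is older than i2, 1 if i1 is newer, 0 if equal.
    Raises ValueError when the serials are exactly 2^31 apart, which the RFC
    leaves undefined (neither is newer).
    """
    for s in (i1, i2):
        if not 0 <= s < SERIAL_MOD:
            raise ValueError(f"serial {s} does not fit in {SERIAL_BITS} bits")
    if i1 == i2:
        return 0
    # Distance from i1 forward to i2 on the 2^32 circle. If it is less than
    # half the circle, i2 lies "ahead" of i1 and i1 is the older one.
    forward = (i2 - i1) % SERIAL_MOD
    if forward == SERIAL_HALF:
        raise ValueError("comparison undefined: serials differ by exactly 2^31")
    return -1 if forward < SERIAL_HALF else 1


def serial_add(serial, n):
    """RFC 1982 addition: n must be in [0, 2^31 - 1]; the result wraps modulo 2^32."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("increment must be less than 2^31")
    return (serial + n) % SERIAL_MOD


def slave_needs_transfer(current, master):
    """Freshness check done right: transfer only if the master's serial is newer."""
    return serial_compare(master, current) == 1


def naive_needs_transfer(current, master):
    """The kind of check the changelog entry describes: plain integer comparison."""
    return master > current


if __name__ == "__main__":
    # Constructed sample: a master that wrapped its serial from 2^32-1 to 1.
    current, master = 4294967295, 1
    print("RFC 1982 says transfer:", slave_needs_transfer(current, master))
    print("plain '>' says transfer:", naive_needs_transfer(current, master))
    # Constructed sample: date-style serial (2011-07-22, change 01) vs a 2011 UNIX-time serial.
    print("epoch serial newer than 2011072201:", serial_compare(1311300000, 2011072201) == 1)
```

The second sample in the `__main__` block is the caveat: 2011072201 minus 1311300000 is well under 2^31, so every slave correctly concludes the epoch-based serial is older and stops transferring. Moving to EPOCH serials therefore needs the usual serial-rollover dance (step the serial forward by just under 2^31, let all slaves pick it up, then step again) rather than a plain switch.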
Improvements:
  • Long TXT records are now split into 255-byte components automatically. Implemented in commit 1340, reported by Darren Gamble in ticket 188.
  • When receiving large numbers of notifications, PowerDNS would check these synchronously, leading to a slowdown for other services. Fixed in commit 2058, problem diagnosed by Richard Poole of Heart Internet.
  • Fixed compilation on newer compilers and newer versions of Boost. Changes in 1345 (closes ticket 227), 1391, 1394, 1425, 1427, 1428, 1429, 1440 and 1653, thanks to Ruben Kerkhof and others.
  • Moved Generic PostgreSQL backend over to the newer E'' style escapes. commit 2094.
  • Compilation fixes for Mac OS X 10.5.7 in commit 1389, thanks to Tobias Markmann.
  • We can now bind to scoped IPv6 addresses, lack spotted by Darren Gamble. Part of the fix is in commit 2018.
  • Built-in query cache can now also cache queries which lead to multiple answers. Code in commit 2069.
  • Prodded on by Jan Piet Mens, we now support 'unknown types' (which look like TYPE65534).
  • Add 'slave-renotify' to retransmit notifies for slaved zones, which is helpful when acting as a 'signing slave' for a hidden master. Code in commit 1950.
  • No longer let zone2sql and zone2ldap import BIND 'hint' zones. commit 1998.
  • Allow for timestamps to explicitly be specified in (s)econds. Code in commit 1398, closing ticket 250.
  • Zones with URL and MBOXFW records can be transferred over AXFR, code in commit 1464.
  • Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d script to read /etc/default/pdns. Code in commit 1601 and commit 1602.
  • Generic SQL backends now support multiple masters in the domains table. Code in commit 1857. Additionally, masters can also have :port numbers. Code in commit 1858.
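Several entries in these notes (escaped labels per RFC 4343, embedded NULs and spaces in domain names, TXT records split into 255-byte character-strings) come down to converting between presentation format and wire format without losing or misreading bytes. The following is an added example of that conversion; it is my own illustration, not PowerDNS code, and the sample names and TXT payloads in it are constructed.

```python
MAX_LABEL = 63          # octets per label
MAX_NAME = 255          # octets in a wire-format name, length bytes and root included
MAX_CHARSTRING = 255    # octets per TXT <character-string>


def parse_name(text):
    """Presentation-format name (RFC 4343 escapes) -> list of label byte strings.

    '\\DDD' is the byte with decimal value DDD, '\\X' is the literal byte X, and an
    unescaped '.' separates labels. The root name '.' is returned as an empty list.
    """
    raw = text.encode("ascii")      # anything non-ASCII must arrive as \DDD escapes
    if raw == b".":
        return []
    labels, cur, i = [], bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C:                                   # backslash
            if i + 3 < len(raw) and raw[i + 1:i + 4].isdigit():
                value = int(raw[i + 1:i + 4])
                if value > 255:
                    raise ValueError(f"escape \\{value:03d} exceeds a byte")
                cur.append(value)
                i += 4
            elif i + 1 < len(raw):
                cur.append(raw[i + 1])                  # \. \\ \@ etc.: literal byte
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif c == 0x2E:                                 # unescaped '.' ends a label
            if not cur:
                raise ValueError("empty label")
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(c)
            i += 1
    if cur:                                             # name without trailing dot
        labels.append(bytes(cur))
    for label in labels:
        if len(label) > MAX_LABEL:
            raise ValueError("label longer than 63 octets")
    if len(to_wire(labels)) > MAX_NAME:
        raise ValueError("name longer than 255 octets")
    return labels


def to_wire(labels):
    """Wire format: each label as <length><octets>, terminated by the root's zero length."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def to_presentation(labels):
    """Labels -> absolute presentation-format name, escaping per RFC 4343."""
    if not labels:
        return "."

    def escape(label):
        out = []
        for b in label:
            if b in (0x2E, 0x5C):            # '.' and '\' are special in presentation format
                out.append("\\" + chr(b))
            elif 0x21 <= b <= 0x7E:          # printable ASCII passes through
                out.append(chr(b))
            else:                            # NUL, space, controls, high bytes -> \DDD
                out.append(f"\\{b:03d}")
        return "".join(out)

    return ".".join(escape(label) for label in labels) + "."


def txt_rdata(data):
    """TXT RDATA: the bytes split into <character-string>s of at most 255 octets each."""
    if not data:
        return b"\x00"                       # a single empty character-string
    out = bytearray()
    for off in range(0, len(data), MAX_CHARSTRING):
        chunk = data[off:off + MAX_CHARSTRING]
        out.append(len(chunk))
        out += chunk
    return bytes(out)


def txt_strings(rdata):
    """Parse TXT RDATA back into its character-strings, refusing truncated data."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("character-string runs past the end of RDATA")
        strings.append(bytes(rdata[i:i + n]))
        i += n
    return strings
```

Two points worth noticing: a label is a byte string, so `b"a.b\x00c"` is a perfectly valid label and only its presentation form needs the `\.` and `\000` escapes (the wire length byte makes the embedded NUL harmless, which is why the parser above never treats it as a terminator); and TXT RDATA is a sequence of length-prefixed strings, so a 512-byte payload becomes 255 + 255 + 2 octets with three length bytes, and a decoder has to check each length byte against the remaining data rather than trust it.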

Monday, June 13, 2011

As a community service, the glibc 2.14 'fixed bugs' with descriptions

Hi everybody,
 
The venerable GNU C Library just saw the release of 2.14. Within the release notes there is a list of bug numbers that are addressed by this release. Some of these are highlighted in the release notes, but most aren't.

I did some scripting and here is a lightly edited list of things fixed. I added a link to bug 10149, you can guess the URL for the rest. I bolded things that might actually hit my programs (and who knows, yours):

(potentially) security related:
   Bug 10149 - stack guard should lead with zero byte to gain protections
   Bug 11892 - putenv()/setenv() unbounded alloca()
   Bug 12393 - ld.so: insecure handling of privileged programs' RPATHs with
   Bug 12671 - multiple vulnerabilities in netdb.h/aliases.h/glob.h

Rest:
   Bug 386 - pthread_create returns ENOMEM but should return EAGAIN
   Bug 6420 - Mtrace deadlock
   Bug 7101 - getopt message for ambiguous options could be more helpful
   Bug 10138 - Outdated config.guess/sub
   Bug 10157 - Wrong value for sysconf(_SC_CPUTIME) or
   Bug 11099 - INT_FIELD_MAYBE_NULL changed behaviour on x86_64
   Bug 11257 - need finer control of group unioning in /etc/nsswitch.conf
   Bug 11558 - No way to set some options in /etc/resolv.conf
   Bug 11634 - tst-audit6.c doesn't compile without AVX support
   Bug 11697 - pt_chown doesn't work when the PTY's gid is already correct
   Bug 11724 - ld.so - Initialization and Termination Functions incorrectly
   Bug 11781 - Interoperability problems between malloc hook and GCC 4.5.0
   Bug 11799 - si_code is not SI_USER on raise()
   Bug 11820 - sys/user.h requires additional header in x86_64 to define
   Bug 11857 - Missing documentation in regex.h
   Bug 11895 - pselect incorrecly handles small negative timeouts on old
   Bug 11901 - __libc_message(do_abort = 1) will deadlock if called from malloc
   Bug 11952 - glibc may use uninitialized DTV slot, return NULL for
   Bug 12052 - posix_spawn() nonconformance (POSIX_SPAWN_SETSCHEDPARAM)
   Bug 12083 - aio_init() treatment of aio_num argument looks buggy
   Bug 12350 - Resolver doesn't save RES_SNGLKUP/RES_SNGLKUPREOP state in
   Bug 12420 - On AMD64 linux, getcontext resets FPU exception mask.
   Bug 12432 - backtrace() fails with recursive function on 64-bit
   Bug 12445 - printf() stack corruption in case of positional parameters +
   Bug 12453 - Broken thread local storage (TLS) initialization
   Bug 12454 - Inconsistency detected by ld.so: dl-deps.c: 622:
   Bug 12460 - AVX audit test failures with gcc 4.6
   Bug 12469 - Race condition in configure.in check for necessary ranlib
   Bug 12489 - prelinking ldso causes binaries to segfault upon startup
   Bug 12509 - dlopen(path_to_lib, RTLD_LOCAL|RTLD_NOLOAD) leaks memory
   Bug 12510 - elf/dl-lookup.c: STB_GNU_UNIQUE/ELF_RTYPE_CLASS_COPY lookup
   Bug 12511 - elf/dl-lookup.c: STB_GNU_UNIQUE/ELF_RTYPE_CLASS_COPY lookup
   Bug 12518 - memcpy acts randomly (and differently) with overlapping areas
   Bug 12527 - Off by one bug with ftell() with fmemopen()
   Bug 12583 - fnmatch: integer overflow in computation of the required
   Bug 12587 - sysconf(_SC_*CACHE) returns 0 for all caches on some CPUs.
   Bug 12597 - SSE4 strncmp failure
   Bug 12625 - mntent operations provide no indication of failure due to
   Bug 12626 - __backtrace_symbols_fd uses of out-of-scope storage in stack
   Bug 12631 - wcp[n]cpy are required by POSIX 2008
   Bug 12650 - Memory leak with dlopen() and thread-local storage variables
   Bug 12653 - undefined references to ssse3 routines when trying to link
   Bug 12655 - fix a comment in sysdeps/unix/sysv/linux/sys/syscall.h
   Bug 12684 - Multi-request DNS lookups do not properly fall back to
   Bug 12685 - fopen doesn't honor last byte of valid modes
   Bug 12713 - coreutils-8.12 "make check" thinks glibc-2.13's "getcwd()" is
   Bug 12714 - getaddrinfo(AF_INET6) does not return scope_id info provided
   Bug 12717 - declaration of getnameinfo() is not POSIX compliant
   Bug 12723 - pathconf for a FIFO returns a different value than fpathconf
   Bug 12724 - fclose violates POSIX 2008 on seekable input streams
   Bug 12734 - resolver failures without even sending a query.
   Bug 12766 - SEGV in error_at_line(3)
   Bug 12775 - Typo in sysdeps/x86_64/fpu/e_powl.S
   Bug 12782 - POSIX strerror_r quality of implementation
   Bug 12792 - perror violates POSIX regarding ferror status
   Bug 12795 - bits/resource.h is outdated
   Bug 12811 - regexec/re_search consumes huge amounts of memory
   Bug 12813 - Linux x86_64: glibc should prefer the vDSO over vsyscalls

Locale:
   Bug 9730 - sv_FI time format does not match fi_FI
   Bug 9732 - dz_BT Dzongkha collation order
   Bug 9809 - Please add Kurdish locale for Kurdish Sorani (CKB)
   Bug 11258 - es_CR locale update
   Bug 11487 - [Patch] to fix yesexpr and noexpr to use Po (Yes) and Jo (No)
   Bug 11532 - Support old DOS Lithuanian character sets in iconv
   Bug 11578 - sync glibc Latin American paper sizes with CLDR 1.8.1
   Bug 11653 - Incorrect LC_MONETARY symbol of es_NI.utf-8
   Bug 11668 - Paper Size is wrong for locale es_NI (A4 -> Letter)
   Bug 11837 - GB18030-2005 is not supported!
   Bug 11869 - LANGUAGE not taken into account unless LC_MESSAGES is set to
   Bug 11945 - Month names in Russian Localization should be in lowercase
   Bug 11947 - New locale for Meadow Mari language
   Bug 11987 - missing info on first day of week in Slovenian (sl_SI) locale
   Bug 12158 - Please add the new lij_IT locale
   Bug 12178 - New locale wae_CH, request for inclusion
   Bug 12200 - Please add the new yue_HK locale file
   Bug 12346 - Estonia (et_EE) joins the eurozone on Jan 1 2011
   Bug 12449 - Please add the new lb_LU locale
   Bug 12541 - update for indian locale for U+20B9 (New Rupee Symbol)
   Bug 12545 - [PATCH] localedef: fix error check for size_t < 0
   Bug 12551 - New locales for Swahili (Kenya and Tanzania)
   Bug 12582 - Incorrect date and time formats in en_SG locale
   Bug 12611 - New locale for Fulah (Senegal)
   Bug 12601 - iconv(3) doesn't handle invalid sequence properly
   Bug 12660 - Recent changes in tk_TM locale
   Bug 12681 - New locale for Bemba (Zambia)
   Bug 12711 - changes required for adding new currency symbol in indian
   Bug 12738 - Please add the new os_RU locale
   Bug 12746 - Encoding mismatch in se_NO file
   Bug 12777 - iconv mapping of U+0385 in CP1258 is likely incorrect
   Bug 12788 - [PATCH] setlocale sets the locale of LC_ALL incorrect to 'C'
   Bug 12814 - ISO-2022-JP-2 conversion of U+20AC gives strange result

Tuesday, April 5, 2011

PowerDNS Authoritative Server 3.0RC1 released! Now with DNSSEC!


I'm very proud to announce the first Release Candidate for PowerDNS Authoritative Server 3.0, now with full support for DNSSEC, TSIG, IPv6 master/slave, per-zone metadata and Lua zone editing. The DNSSEC support is 'fully automatic' - if everything goes well, all that is required is to set 'pdnssec secure-zone powerdns.com' and your zone is secured.

Read on for more information! To download, head to http://powerdnssec.org/downloads 


Warning: Version 3.0 of the PowerDNS Authoritative Server is a major upgrade. Please refer to Section 1, “From PowerDNS Authoritative Server 2.9.x to 3.0” for important information on correct and stable operation, as well as notes on performance and memory use.
Known issues as of RC1 include:
  • Not all new features are documented yet
  • Queries for 'empty non-terminals' may give confusing results
  • We are not 100% convinced all corner cases of NSEC3/NXDOMAIN give correct responses. Common cases function well
  • DNSSEC has only been benchmarked up to 2000 queries/second but not beyond
  • A lot more database connections are made and released
Note: RC1 released on the 4th of April 2011
Version 3.0 of the PowerDNS Authoritative Server brings a number of important features, as well as over two years of accumulated bug fixing.
The largest news in 3.0 is of course the advent of DNSSEC. Not only does PowerDNS now (finally) support DNSSEC, we think that our support of this important protocol is among the easiest to use available. In addition, all important algorithms are supported.
Complete detail can be found in Chapter 12, Serving authoritative DNSSEC data. The goal of 'PowerDNSSEC' is to allow existing PowerDNS installations to start serving DNSSEC with as little hassle as possible, while maintaining performance and achieving high levels of security.
Tutorials and examples of how to use DNSSEC in PowerDNS can be found linked from http://powerdnssec.org.
This release has received exceptional levels of community support, and we'd like to thank the following people in addition to those mentioned explicitly below: Peter Koch (DENIC), Olaf Kolkman (NLNetLabs), Wouter Wijngaards (NLNetLabs), Marco Davids (SIDN), Markus Travaille (SIDN), Leen Besselink, Antoin Verschuren (SIDN), Olafur Gudmundsson (IETF), Dan Kaminsky (Recursion Ventures), Roy Arends (Nominet), Miek Gieben (SIDN), Stephane Bortzmeyer (AFNIC), Michael Braunoeder (nic.at), Peter van Dijk, Maik Zumstrull, Jose Arthur Benetasso Villanova (Locaweb), Stefan Schmidt, Roland van Rijswijk (Surfnet), Paul Bakker (Brainspark/Fox-IT), Mathew Hennessy, Johannes Kuehrer (Austrian World4You GmbH), Marc van de Geijn (bHosted.nl), Stefan Arentz and Martin van Hensbergen (Fox-IT), Christof Meerwald, Detlef Peeters, Jack Lloyd, Frank Altpeter, frederik danerklint, Vasiliy G Tolstov, Brielle Bruns, Evan Hunt, Ralf van der Enden.
On to the release notes. Next to DNSSEC, other major new features include:

  • TSIG for authorizing and authenticating AXFR requests & incoming zone transfers (code in commits 2024, 2025, 2033 and 2034). This allows for retrieving TSIG protected content, as well as serving it.
  • Per zone also-notify.
  • MyDNS compatible backend, allowing for 'instantaneous' migration from this authoritative nameserver. Code in commit 1418, contributed by Jonathan Oddy.
  • PowerDNS can now slave zones over IPv6 and notify IPv6 remotes of updates. Already. Code in commit 2009 and beyond.
  • Lua based incoming zone editing, allowing masters or signing slaves to add information to the zone they will (re-)serve. Implemented in commit 2065. To enable, use LUA-AXFR-SCRIPT zone metadata setting.
  • Native Oracle backend with full DNSSEC support. Contributed by Maik Zumstrull, then at the Steinbuch Centre for Computing at the Karlsruhe Institute of Technology.
  • "Also-notify" support, implemented by Aki Tuomi in commit 1400. Support for Generic SQL backends and for the BIND backend. Further code in commit 1360.
  • Support for binding to thousands of IP addresses, code in commit 1443.
  • Generic MySQL backend now supports stored procedures. Implemented in commit 2084, closing ticket 231.
  • Generic ODBC backend compiles again, and is reported to work for some users that need it. Code contributed in ticket 309, author unknown.
  • Massively parallel slaving infrastructure, able to check the freshness of thousands of remote zones per second, plus perform many incoming zone transfers simultaneously. Sponsored by Tyler Hall, code in commits 1449, 1500 and 1859.
  • Core DNS logic replaced completely to deal with the brave new world of DNSSEC.
Bugs fixed:
  • sqlite2 and sqlite3 backends used MySQL-style escaping, leading to SQL errors in some cases. Discovered by Sten Spans. Fixed in commit 1342.
  • Internal webserver no longer prints '1e2%'. Bug rediscovered by Jeff Sipek. Fixed in commit 1342.
  • PowerDNS would refuse to serve domain names with spaces in them, or otherwise non-printable characters. Addressed in commit 2081.
  • PowerDNS can now serve escaped labels, as described by RFC 4343. Data should be present in backends in that escaped form. Code in commit 2089.
  • In some cases, we would include duplicate CNAMEs. In addition, we would hand out a full root-referral when not configured to in some cases (ticket 223). Discovered by Andreas Jakum, fixed in commit 1344.
  • Shane Kerr discovered we would corrupt DNS transaction IDs from the packet cache on big endian systems. Fix in commit 1346, closing ticket 222.
  • PowerDNS did not use RFC 1982 serial arithmetic, leading to a SOA serial number of 1 being regarded as older than 4400000000, when in fact it is 'newer'. Issue (re-)discovered by Jan-Piet Mens.
  • BIND backend got confused if a zone's filename changed after a configuration reload. Fix in commit 1347, closing ticket 228.
  • When restarted by the Guardian, PowerDNS would perform a full multi-threaded cache cleanup, which took a long time and could crash. Fix in commit 1364.
  • Under artificial circumstances, PowerDNS would never clean its packet cache. Found by Marcus Goller, fix in commit 1399 and commit 1408. This update also retunes the cleanup frequency.
  • Packetcache would cache things it should not have been caching. Fixes in commits 1407, 1488, 1869 and 1880.
  • When processing incoming notifications, the BIND backend was case-sensitive, and would disregard notifications in the wrong case. Discovered by 'Dolphin', fix in commit 1420.
  • The init.d script did not mention the 'reload' command. Code in commit 1463, closes ticket 233.
  • Generic SQL Backends would sometimes emit obscure error messages. Fix in commit 2049.
  • PowerDNS would be confused by embedded NULs in domain names, and would also mess up the escaping of some characters. Fix in commits 1468, 1469, 1478 and 1480.
  • SOA queries for the name of a delegation point were not referred. Fix in commit 1466, closing ticket 224. In addition, queries for AAAA for a CNAMEd record pointing to a name with no AAAA would deliver a direct SOA, without the CNAME in between. Fix in commits 1542 and 1607. Also, wildcard CNAMEs pointing to a record without the type requested suffered from the same issue, fix in commit 1543.
  • On processing an incoming AXFR, once an MX or SRV record had been seen, all future fields got a 'priority' entry as well. This had no operational impact, but looked messy. Fixed in commit 1437.
  • Aki Tuomi discovered that the BIND zonefile parser would misrepresent 'something IN MX 15 @'. Fix in commit 1621.
  • Marco Davids discovered the BIND zonefile parser would trip over really long lines. Fix in commits 1624 and 1625.
  • Thomas Mieslinger discovered that our webserver would only be started after dropping privileges, which could cause problems. Fix in commit 1629.
  • Zone2sql did quite often not do exactly what was required, which users fixed by editing the SQL output. Revamped in commit 2032.
  • An Ubuntu user discovered in Launchpad bug 600479 that restarting database threads cost a lot of memory. Normally this is rare, except in case of problems. Addressed in commit 1676.
  • BIND backend could crash under (very) high load with very large numbers of zones (hundreds of thousands). Fixed in commit 1690.
  • Miek Gieben and Marco Davids spotted that PowerDNS would answer the version.bind query in the IN class too. Bug reported via twitter! Fix in commit 1709.
  • Marcus Lauer and the OpenDNSSEC project discovered that outgoing notifications did not carry the 'aa' flag. Fixed in commit 1746.
  • Debugging PowerDNS, or backgrounding it, could cause crashes. Fixed by Anders Kaseorg in commit 1747.
  • Fixed a bug that could cause crashes on launching thousands of backend connections. Never observed to occur, but who knows. Fix in commit 1792.
  • Under some circumstances, large answers could be truncated in mid-record. While technically legal, this upset a number of resolver implementations (including the PowerDNS Recursor!). Fixed in commit 1830, re-closes ticket 200.
  • Jan Piet Mens and Florian Weimer discovered we had problems dealing with escaped labels and escaped TXT fields. Fixed in commit 2000.
  • After 2.2 billion queries, statistics would wrap oddly. Fix in commit 2019, closing ticket 327.
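The serial arithmetic item above is the one place in these notes where a concrete check helps: a slave that compares SOA serials as plain integers will never consider a master that has wrapped its serial past 2^32 to be newer, and so silently stops refreshing. The following is an added example, not PowerDNS code, showing the naive comparison the bug amounted to next to the RFC 1982 comparison; the serial values are constructed.

```cpp
#include <cstdint>

// Naive comparison: the behaviour the release notes describe as the bug.
// Serial 1 is always "older" than any large serial, so a master that has
// wrapped its serial around 2^32 is never seen as newer by the slave.
bool naiveIsNewer(uint32_t candidate, uint32_t current) {
    return candidate > current;
}

// RFC 1982 serial number arithmetic with SERIAL_BITS = 32.
// 'candidate' is newer than 'current' when the distance from current to
// candidate, taken modulo 2^32, is non-zero and strictly below 2^31.
// A distance of exactly 2^31 is left undefined by the RFC; treating it as
// "not newer" means a slave never refreshes on an ambiguous serial.
bool rfc1982IsNewer(uint32_t candidate, uint32_t current) {
    uint32_t distance = candidate - current;  // unsigned wrap gives the modulo
    return distance != 0 && distance < 0x80000000u;
}

// RFC 1982 addition: bump a serial by n (n < 2^31), wrapping modulo 2^32.
uint32_t rfc1982Add(uint32_t serial, uint32_t n) {
    return serial + n;  // unsigned wrap-around is well defined in C++
}

// The decision a slave takes after a SOA freshness check: transfer the zone
// only if the master's serial is newer than the one currently served.
bool slaveShouldRefresh(uint32_t masterSerial, uint32_t ourSerial) {
    return rfc1982IsNewer(masterSerial, ourSerial);
}
```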
Improvements:
  • Long TXT records are now split into 255-byte components automatically. Implemented in commit 1340, reported by Darren Gamble in ticket 188.
  • When receiving large numbers of notifications, PowerDNS would check these synchronously, leading to a slowdown for other services. Fixed in commit 2058, problem diagnosed by Richard Poole of Heart Internet.
  • Fixed compilation on newer compilers and newer versions of Boost. Changes in commit 1345 (closes ticket 227) and commits 1391, 1394, 1425, 1427, 1428, 1429, 1440 and 1653, thanks to Ruben Kerkhof and others.
  • Moved Generic PostgreSQL backend over to the newer E'' style escapes. Code in commit 2094.
  • Compilation fixes for Mac OS X 10.5.7 in commit 1389, thanks to Tobias Markmann.
  • We can now bind to scoped IPv6 addresses, lack spotted by Darren Gamble. Part of the fix is in commit 2018.
  • Built-in query cache can now also cache queries which lead to multiple answers. Code in commit 2069.
  • Prodded on by Jan Piet Mens, we now support 'unknown types' (which look like TYPE65534).
  • Add 'slave-renotify' to retransmit notifies for slaved zones, which is helpful when acting as a 'signing slave' for a hidden master. Code in commit 1950.
  • No longer let zone2sql and zone2ldap import BIND 'hint' zones. Code in commit 1998.
  • Allow for timestamps to explicitly be specified in (s)econds. Code in commit 1398, closing ticket 250.
  • Zones with URL and MBOXFW records can be transferred over AXFR, code in commit 1464.
  • Maik Zumstrull cleaned up the BIND Backend makefile, plus taught our init.d script to read /etc/default/pdns. Code in commits 1601 and 1602.
  • Generic SQL backends now support multiple masters in the domains table. Code in commit 1857. Additionally, masters can also have :port numbers. Code in commit 1858.

Tuesday, January 11, 2011

PowerDNSSEC: packages available, ready for light production use

Dear PowerDNS Community,


With the help of many of you, we've now brought 'PowerDNSSEC' to the point where it is in light production. Several of our important domains have already been migrated to the PowerDNS Authoritative Server 3.0 prereleases.  Several PowerDNS users have done the same with their domains (please let us know!).

We are pleased to announce the regular availability of documentation, packages and tarballs for testing. On http://powerdnssec.org/downloads/packages you will find RPM/DEB for 32-bit and 64-bit Linux. On http://powerdnssec.org/downloads you will find tarballs which can be compiled on other systems.

For more information head over to http://www.powerdnssec.org (which of course is powered by PowerDNSSEC).

Documentation is on http://doc.powerdns.com/powerdnssec-auth.html

Even more information is on http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started, and how to get help.

In brief, PowerDNSSEC will allow you to continue operating as normal in many cases, with only slight changes to your installation. There is no need to run signing tools, nor is there a need to rotate keys or run scripts.

Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic SQLite3, you should have an easy time. A small schema update is required, plus an invocation of 'pdnssec secure-zone domain-name ; pdnssec rectify-zone domain-name' per domain you want to secure. And that should be it.

Supported are:

  • NSEC
  • NSEC3 in ordered mode (pre-hashed records)
  • NSEC3 in narrow mode (unmodified records)
  • Zone transfers (for NSEC)
  • Import of 'standard' private keys from BIND/NSD
  • Export of 'standard' private keys
  • RSASHA1
  • RSASHA256
  • "Pure" PostgreSQL, SQLite3 & MySQL operations
  • Hybrid BIND/PostgreSQL/SQLite3/MySQL operation
  • Front-signing slaved data from legacy installations


See http://doc.powerdns.com/dnssec-supported.html for more specifications.

To join the fun, download the tarball and packages which can be found on the sites above, and let us know how it works for you!

To clarify, we do not recommend taking the current code snapshot into heavy production, but we are getting close.

Kind regards,
Bert