[yadifa-announce] YADIFA release 2.3.7

Gery Van Emelen Gery.VanEmelen at eurid.eu
Mon Dec 11 12:33:49 CET 2017

YADIFA 2.3.7:

First things first: why not 2.3.0? YADIFA is part of a set of internal projects that had several releases over the last few months. In order to keep our versions consistent, we decided not to renumber YADIFA 2.3.7 as 2.3.0.
YADIFA 2.3.7 introduces many new features and improvements, in addition to a number of fixes.

More control has been given over CPU affinity. Using fake cores (i.e. hyper-threaded siblings) tends to lower performance on high-throughput systems. YADIFA now detects such settings automatically and places its threads accordingly, but it is also possible to force this behaviour manually.
In previous versions, a master and a slave handled updates differently. The master did its computations, stored them in the journal and edited the zone directly, while the slave read the journal (populated through an incremental transfer). Now the master still does the computations but only stores them in the journal; it then updates the database by reading the journal, exactly as a slave does. As part of this change, more update validation has been added.

  *   This simplifies both sides of the update and maintenance mechanism.
  *   This ensures that no issue (software or hardware) will break the consistency between the master and its slaves.

A master can now be allowed to accept RRSIG records through a dynamic update (nsupdate). This is meant for external signing of the DNSKEY RRset by the KSK (i.e. when the private key is held in a PKI). In that scenario, the DNSKEY record set and its signature are added in one operation.
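What that one operation looks like on the wire, as an added example (not YADIFA's code and not part of the original announcement): an RFC 2136 dynamic UPDATE whose update section carries the KSK DNSKEY record and the RRSIG over the DNSKEY RRset, built and parsed back with the Python standard library only. The zone name, key bytes, timestamps and the 64-byte signature are constructed placeholders; in a real deployment the signature comes from the external signer holding the KSK, and the receiving master must be configured to accept RRSIG updates (the announcement does not name that option, so none is assumed here). The same message is what nsupdate sends for the two `update add` lines shown in the "New" list below followed by a single `send`.

```python
"""RFC 2136 dynamic UPDATE carrying a DNSKEY RRset and its RRSIG in one
message, built and parsed with the standard library only.

Added example for this announcement, not YADIFA's code.  Zone name, key
bytes, timestamps and the signature are constructed placeholders."""
import struct

TYPE_SOA, TYPE_RRSIG, TYPE_DNSKEY = 6, 46, 48
CLASS_IN = 1
OPCODE_UPDATE = 5          # RFC 2136 opcode


def encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name at off; returns (name, next offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointer: not produced by build_update")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def rr(owner, rtype, ttl, rdata):
    """One resource record in wire format (class IN means 'add' in an UPDATE)."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def dnskey_rdata(flags, algorithm, pubkey):
    """RFC 4034 DNSKEY rdata: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(dnskey_rdata_bytes):
    """RFC 4034 Appendix B key tag computed over the DNSKEY rdata."""
    acc = 0
    for i, b in enumerate(dnskey_rdata_bytes):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def rrsig_rdata(covered, algorithm, owner, orig_ttl, expiration, inception, tag, signer, signature):
    """RFC 4034 RRSIG rdata; the labels field counts the labels of the owner name."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    return (struct.pack("!HBBIIIH", covered, algorithm, labels, orig_ttl, expiration, inception, tag)
            + encode_name(signer) + signature)


def parse_rrsig(rdata):
    """Split RRSIG rdata into its fields (inverse of rrsig_rdata)."""
    covered, alg, labels, ottl, exp, inc, tag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, off = decode_name(rdata, 18)
    return {"covered": covered, "algorithm": alg, "labels": labels, "orig_ttl": ottl,
            "expiration": exp, "inception": inc, "key_tag": tag, "signer": signer,
            "signature": rdata[off:]}


def build_update(zone, updates, msg_id=0x2377):
    """UPDATE message: header, one zone entry (SOA/IN), no prerequisites, N updates."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(updates)


def parse_update(msg):
    """Return (zone, [(owner, type, class, ttl, rdata), ...]) from the update section."""
    _, flags, zocount, prcount, upcount, _ = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        raise ValueError("not an UPDATE message")
    zone, off = decode_name(msg, 12)
    off += 4                                   # zone entry type/class
    records = []
    for _ in range(prcount + upcount):         # prerequisite RRs come first, then updates
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return zone, records[prcount:]


def dnskey_with_rrsig_update(zone="example.", ttl=3600):
    """The announcement's scenario: the KSK DNSKEY plus the RRSIG over the DNSKEY
    RRset, both added in a single dynamic update.  Key and signature are constructed."""
    ksk = dnskey_rdata(257, 13, bytes(range(1, 65)))   # flags 257 = SEP/KSK, alg 13 = ECDSAP256SHA256
    sig = rrsig_rdata(TYPE_DNSKEY, 13, zone, ttl,
                      expiration=1515542400, inception=1512950400,   # constructed 30-day window
                      tag=key_tag(ksk), signer=zone,
                      signature=b"\xAA" * 64)                        # placeholder, P-256 signature size
    return build_update(zone, [rr(zone, TYPE_DNSKEY, ttl, ksk),
                               rr(zone, TYPE_RRSIG, ttl, sig)])
```

Because the DNSKEY and its RRSIG travel in the same UPDATE, the server either applies both or neither, so the zone never exposes an unsigned DNSKEY RRset between two separate updates; the parser above is also a convenient place to check, before accepting such an update, that the RRSIG's type-covered field and key tag actually match the DNSKEY record that accompanies it.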
It's now possible to have a thread column in the log files to see what part of YADIFA is doing what.
Support has been added for LibreSSL.
Several generic error codes have been made more specific.
By request, it is now possible to build YADIFA without storing its build date and time.
By request, it is now possible to disable ECDSA support in YADIFA so that it can be used on older systems.
As usual, the more technical details are in the reference manual and the README file.

  *   Download:
     *   The latest version of YADIFA can be found on the web site for YADIFA http://www.yadifa.eu/download and on GitHub https://github.com/yadifa/yadifa.
     *   YM237.pdf (YADIFA Reference Manual) can be found on the web site http://www.yadifa.eu/documentation.
  *   New:

     *   From now on, both the master and the slaves update the zone in the same manner (journal transactions).
     *   Messages are now enabled by default (--enable-messages). Disable them with --disable-messages.
     *   Adds more (dynamic) update validation.
     *   Adds a build option to remove compile date and time from various help messages (--disable-build-timestamp)
     *   A master can now be configured to allow updating RRSIG records externally (e.g.: update add domain. RRSIG ...)

  *   Fixes:
     *   Fixed an issue on message-enabled servers where the return address would not be captured.
     *   Fixes an issue where closing an (a)XFR stream could lead to a race over the file descriptors.
     *   Fixes an issue where an AXFR query would return a version of the zone too old to be upgradable by following incremental updates.
     *   Fixes an issue where zones with large enough NSEC3 coverage (several million NSEC3 records) could potentially reach an internal limit of the database.
     *   Fixes an issue where shutting down YADIFA while a zone is being downloaded (AXFR) could make it wait forever.
     *   Fixes an issue where the slave would complain about a missing private key.
     *   Fixes an issue where a specifically truncated IXFR query could make YADIFA reply with an AXFR.
     *   Fixes an issue where an IXFR query returning "not implemented" instead of an AXFR would be retried later as an IXFR.
     *   Fixes an issue where repeatedly reopening the logs on an overloaded server would not work properly.
     *   Fixes an issue on servers using network-model 1 (<main> : network-model 1).
     *   Fixes an issue where removing hash/hash*-related domains in a certain order would end up triggering an abort.
     *   Fixes an issue where querying a signed domain that had been deleted would answer NOERROR instead of NXDOMAIN.
     *   Fixes an issue where a zone loaded with a journal would not be marked "dirty" and thus would not be fully dumped to disk upon kill -USR1.
     *   Fixes an issue with network aliases not being configured on all setups built with --enable-messages.
     *   Fixes an issue with the logger not releasing the log files before reconfiguration.
     *   Fixes an issue with the journal where heavy load would prevent notifications to slaves.

  *   Features:
     *   Supported platforms : Linux, FreeBSD, OpenBSD, OSX and Solaris
     *   Authoritative name server
     *   Load zone files
     *   Resource Record types:
        *   SOA, A, AAAA, NS, CNAME, PTR, HINFO, TXT, MX
     *   Directives and special constructs
        *   TTL, ORIGIN, *(wildcard) and @
     *   Zone transfer
        *   Master & Slave
        *   AXFR / IXFR
        *   Notify
        *   TSIG
     *   Dynamic update
     *   DNSSEC
        *   DSASHA1 (algorithm 3)
        *   DSASHA1 NSEC3 (algorithm 6)
        *   RSASHA1 (algorithm 5)
        *   RSASHA1 NSEC3 (algorithm 7)
        *   RSASHA256 NSEC3 (algorithm 8)
        *   RSASHA512 NSEC3 (algorithm 10)
        *   ECDSAP256SHA256 (algorithm 13)
        *   ECDSAP384SHA384 (algorithm 14)
     *   Automatic resigning
     *   Improved CPU affinity control
     *   NSID
     *   DNS Response Rate Limiting
     *   yadifa client for accessing yadifad servers

        R&D Team
