SUMMARY:
Some features, such as multi master check option that does not upgrade
from the first master that answers, but picks the best one.
Additional section handling for type SRV. And bug fixes.
FEATURES:
- multi-master-check: yes can be used to check all masters for the
last version, using the higher version from the configured masters,
from Manabu Sonoda.
- Support RR type OPENPGPKEY from RFC 7929.
- Can config key algorithms with the digest name, eg. 'sha256'.
- configure --disable-radix-tree for about 15% lower memory usage.
- for type SRV add A/AAAA to the additional section (if possible),
just like we already do for type MX.
- more extensible edns option handling.
BUG FIXES:
- Fix compile warnings about unused result from write and strtol.
and signcompare in minmax retrytime.
- Fix#812: fix that make depend fails after distribution.
- Fix#817: xfrd update failed loop.
- Add robustness against unallocated data in nsec3 trees.
- Fix README spelling error of BSD license (reported by Joerg Jung).
- Fix multimaster for not tried full zone transfer for a expired zone.
- Fix#827: fix compile with openssl 1.1.0 with api=1.1.0.
PR: 213021
Submitted by: maintainer
- Restore configurable IPV6 option. Upstream integrated fix for issue.
- FEATURES:
* When tcp is more than half full, use short timeout for tcp session.
* Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
* Fix#790: size-limit-xfr can stop NSD from downloading infinite zone transfer
data size, from Toshifumi Sakaguchi.
Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
- BUGFIXES:
* Fix build without IPv6, patch from Zdenek Kaspar.
* Fix#783: Trying to run a root server without having configured it silently
gives wrong answers.
* Fix#782: Serve DS record but parent zone has no NS record.
* Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
PR: 211693
Submitted by: jaap@NLnetLabs.nl (maintainer)
Security: CVE-2016-6173
Security: https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html
MFH: 2016Q3
- add ability to build agains openssl or libressl from ports
- add MUNIN_PLUGIN_IMPLIES= BIND8_STATS
- use @sample macro in pkg-plist for nsd.conf
- s/exec/postexec/ pkg-plist
FEATURES:
- #732: tcp-mss, outgoing-tcp-mss options for nsd.conf, patch
from Daisuke Higashi.
- #739: zonefile changes when mtime is small are detected on reload,
if filesystem supports precision mtime values.
- RR type CSYNC (RFC7477) syntax is supported.
BUG FIXES:
- take advantage of arc4random_uniform if available, patch from
Loganaden Velvindron.
- Fix flto check for OSX clang.
- Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on Linux.
- Fix#736: segfault during zone transfer.
- Fix#744: Fix that NSD replies for configured but unloaded zone
with SERVFAIL, not REFUSED.
PR: 207951
Submitted by: jaap@NLnetLabs.nl (maintainer)
MFH: 2016Q1
Major Bug Bug Fixes:
- This release fixes segfault after start when many interfaces are in use.
- This version returns the EDNS bad version response with the AD flag
unset for improved conformance.
Minor Buf Fixes:
- Fix#701: Fix that AD=1 set in a BADVERS response.
- Fix typo in zonec.c inside error message.
- Fix#711: Document that debug-mode yes is used for staying
attached to the supervisor console.
- Document verbosity 3 prints more information.
- nsd-checkconf warns for master zones with no zonefile statement.
- Fix start failure when many file descriptors are in use.
- The servfail rcode is not printed with a space in the middle.
- print failed token for config syntax error or parse error.
PR: 204533
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
FEATURES:
- RFC7553 RR Type URI support.
- removed hardcoded interface limit, --with-max-ips removed.
- Admitted axfrs are logged at verbosity 1. Refused at verbosity 2.
Major BUG FIXES:
- Fix NSID response for short edns sizes.
- Fix that for expired zones NSD performs an AXFR and accepts newer
and older serial numbers.
PR: 203231
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
Major Features:
- RFC 7344: CDS and CDNSKEY (read record types).
- per zone statistics with --enable-zone-stats
- Disabled use of SSLv3 in nsd-control.
- Synthesize CNAMEs with same TTL as DNAME.
- nsd-checkconf -f prints out full name of pidfile (with dir). [1]
PR: 197291,
196449 [1]
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>,
Adam Zaleski <adam@zaleski.org> [1]
- Use nsd instead of bind user
This release has new features and bugfixes. In nsd.conf you can
configure database: "" this makes NSD not use the large mmapped nsd.db
file, but instead read and write the zonefiles in text format, which
saves about 50% of the memory usage. Also zonefile reading and
writing has been optimised to be faster, as well as processing time
for zone transfers. NSD writes the (changed) zonefiles every hour.
The new nsd-checkzone tool reports if a zonefile parses so you can check
it before reading it into the daemon.
A bug is fixed where NSD 4 causes rising load average and memory
consumption on Linux systems, which is caused by a bug in Linux that
slowly deteriorates system performance by repeated recursive forks.
Full release notes: http://open.nlnetlabs.nl/pipermail/nsd-users/2014-September/002007.html
PR: 193332
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
- Cleanup rc script
FEATURES:
- recognizes ip-address and interface as synonyms for convenience.
- Support for EUI48 and EUI64 RR types enabled by default (RFC 7043).
- Support for CAA RRtype (RFC 6844).
- NSID can be set with "ascii_somestring" in ascii.
BUG FIXES:
- Fix xfrd when zone transfer TCP contains zero length packets.
- Fix for NSEC3 zones where parent zone is co-hosted, also NSEC3,
because AXFRs overwrote nsec3 administration in the child zone.
- Fix that bad IXFR updates do not result in double SOA records,
and that an AXFR is started (attempted) when the zone state seems
to be inconsistent with the master's zone state.
- Log ip address for sendto and sendmmsg failures.
- Fix segfaults after read of zones with rr type WKS from zonefile.
- Seed PRNG for openssl at start of daemon, fixes SSL connection issue.
- Bugfix #534: IXFR query loop over UDP for zones that are unchanged.
- (same as in 3.2.16): fix wildcard cname to nxdomain repeated rrset.
- (same as in 3.2.16): Bugfix #542: Match RRSIG TTL with SOA TTL in
negative response.
- Check if configure in srcdir collides with outofdir build.
- Fix#546: output format errors in nsd_munin_ (Thanks Tom Hendrikx).
- Fix printout of high-chars in TXT on NetBSD.
PR: ports/186308
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
For all new features, see
http://www.nlnetlabs.nl/svn/nsd/tags/NSD_4_0_0_REL/doc/NSD-4-features
This version replaces the nsdc control program with nsd-control.
This requires some manual setup with nsd-control-setup and editing
of the config files. nsd-control is incompatible with nsdc so when
that is used in scripts, these should be adapted.
NSD 3 is still supported as dns/nsd3.
PR: 183888
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
- Add EUI_RRTYPES option
While here:
- Remove leading article from COMMENT
- Convert tab to space in WWW: line
PR: ports/180741
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Features
* Support for ILNP RR types: NID, L32, L64, LP (RFC6742).
* RRL, --enable-ratelimit at configure time and config options.
* TSIG initialization only fails when there is no digest found at all.
Bugfixes
* Bugfix #478: Declaration after statement (for gcc 2.95).
* Bugfix #483: Better error message in case of TSIG error.
* Bugfix #485: TTL should not be greater than 2^31 - 1.
* Fix RCODE when CNAME loop final answer does not exist,
should return NXDOMAIN as stated by RFC 6604.
* Fix --disable-full-prehash bug, where after multiple incoming IXFRs,
NSEC3 can be removed unjustified.
PR: 175837
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
- Trim header
Changes:
* Bugfixes
* New Feature: Use of writev, to improve TCP response time
PR: ports/173261
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Feature safe: yes
BUG FIXES:
- Fix for VU#624931 CVE-2012-2978: NSD denial of service
vulnerability from non-standard DNS packet from any host
on the internet.
PR: ports/170001
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Security: CVE-2012-2978
Bugfixes:
Do setusercontext before chroot, otherwise login.conf etc. are required inside chroot.
Bugfix #216: Fix leak of compressiontable when the domain table increases in size.
Bugfix #348: Don't include header/library path if OpenSSL is in /usr.
Bugfix #350: Refused notifies should log client ip.
Bugfix #352: Fix hard coded paths in man pages.
Bugfix #354: The realclean target deletes a bit too much.
Bugfix #357, make xfrd quit with many zones.
Bugfix #362: outgoing-interface and v4 vs. v6 leads to spurious warning messages.
Bugfix #363: nsd-checkconf -v does not print outgoing-interface ok.
Bugfix: nsd-checkconf -o outgoing-interface omits NOKEY.
Undo Bugfix #235: Don't skip dname compression, messes up packets that do need compression.
PR: ports/155785
Submitted by: Jaap Akkerhuis <jaap _at_ nlnetlabs.nl> (maintainer)
- Update to 2.2.0
With this release nsd no longer requires named-xfer to be
present on the system.
I also changed the options to a configure script.
Added file(s):
- scripts/configure.nsd
PR: ports/76412
Submitted by: Olafur Osvaldsson <oli@isnic.is>
