This release fixes a number of bugs. It fixes a number of corner
case differences for the output more similar to Bind. The configure
sources are compatible with the new autoconf 2.70.
PR: 253026
Submitted by: jaap@NLnetLabs.nl (maintainer)
This release contains the DNS Flag Day 2020 fixes. This sets the
default EDNS buffer size to 1232, that should reduce fragmentation.
https://dnsflagday.net/2020/
There is a new feature where it is possible to list an interface by
name. This pulls in the IP addresses associated with the interface
at server start.
FEATURES:
- Follow DNS flag day 2020 advice and
set default EDNS message size to 1232.
- Merged PR #113 with fixes. Instead of listing an IP-address to
listen on, an interface name can be specified in nsd.conf, with
ip-address: eth0. The IP-addresses for that interface are then used.
- Port TSIG code for openssl 3.0.0-alpha6.
BUG FIXES:
- Fix make install with --with-pidfile="".
- Merge #115 from millert: Fix strlcpy() usage. From OpenBSD.
- Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find
fd_set - patch.
- Fix that configure checks for EVP_sha256 to detect openssl, because
HMAC_CTX_new is deprecated in 3.0.0.
- Fix#119: fix compile warnings from new gcc.
- Fix#119: warn when trying to parse a directory.
- Merge PR #121: Increase log level of recreated database from
WARNING to ERR.
- Remove unused space from LIBS on link line.
- Updated date in nsd -v output.
PR: 250203
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Relnotes: https://www.nlnetlabs.nl/news/2020/Oct/08/nsd-4.3.3-released/
BUG FIXES:
- Fix#70: error: 'fd_set' undeclared.
- Fix#71: error: 'for' loop initial declaration used outside C99
mode.
- Fix to move declarations out of for loops in event test too.
- Fix#76: cpuid typedef for Hurd, DragonflyBSD compile.
- Fix#75: configure test for sched_setaffinity, and use
cpuset_setaffinity otherwise. Also test for presence of sysconf.
- Fix#74: GNU Hurd fix cast from pointer to integer of different size.
- Fix for #74, #75: cpuset test for header contents and provide code.
- Fix#78: Fix SO_SETFIB error on FreeBSD.
- Merge PR #83 from noloader: Fix GNU HURD sched_setaffinity compile.
- Fix#80: NetBSD and implicit declaration of reallocarray.
- Fix unknown u_long in util.c for Issue #80 .
- Merge PR #86 from noloader: Use precious variables for GREP, EGREP,
SED, AWK, LEX and YACC.
- For PR #86: Fix that programs loaded after CFLAGS and stuff is
set, specifically the compiler, so that it can work if it needs
special flags from that. Fix that lex only needs to support -i
if actually defined, otherwise the output included in the source
tarball can be used.
- Merge PR #90 by phicoh: O_CLOEXEC should be FD_CLOEXEC.
- Merge PR #92 by tonysgi: Fix typo.
- Merge PR #91 by gearnode: nsd-control-setup recreate certificates.
The '-r' option recreates certificates. Without it it creates them
if they do not exist, and does not modify them otherwise.
PR: 245666
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
This port incorporates also the proposed bug fix at bug #242367
Major changes:
This release adds cpu affinity. By pinning a server process to a
specific cpu, having a separate network card also for that cpu, and
an interface address also for that server process, the throughput is
increased. This increases performance of the nameserver.
Sparse TSIG signing support is removed, to comply with the latest tsig
standard update draft.
There is a feature to drop update queries, with opcode UPDATE,
with nsd.conf option drop-updates.
4.3.0
=========
FEATURES:
- Fix to use getrandom() for randomness, if available.
- Fix#56: Drop sparse TSIG signing support in NSD.
Sign every axfr packet with TSIG, according to the latest
draft-ietf-dnsop-rfc2845bis-06, Section 5.3.1.
- Merge pull request #59 from buddyns: add FreeBSD support
for conf key ip-transparent.
- Add feature to pin server processes to specific cpus.
- Add feature to pin IP addresses to selected server processes.
- Set process title to identify individual processes.
- Merge PR#22: minimise-any: prefer polular and not large RRset,
from Daisuke Higashi.
- Add support for SO_BINDTODEVICE on Linux.
- Add support for SO_SETFIB on FreeBSD.
- Add feature to drop queries with opcode UPDATE.
BUG FIXES:
- Fix fname null check of fname in namedb_read_zonefile.
- Fix implicit cast of size in udb_radnode_array_grow.
- Fix ignore of return value of ssl_printf in remote.c.
- Fix unused check of fd in parent_handle_reload_command.
- Attempt to fix signedness of nscount lookup in ixfr query_process.
- Fix identical branches for ssl_print of errors in remote.c.
- Fix type cast bounds, signedness of opt_rdlen in edns_parse_record.
- Fix to separate header and data lines in parse_zone_list_file.
- Fix to define max number of EDNS records we are willing to
spend time on.
- Fix size of string len and capacity type cast in udbradtree.
- Fix to protect rrcount in tsig_find_rr from overflow.
- Annotate radix_find_prefix_node not reachable trail code.
- Fix to protect rrcount in packet_find_notify_serial from overflow.
- Fix to close socket on error in create_tcp_accept_sock.
- Fix to log on failure to chmod for socket for remote control.
- Fix to remove unneeded if in open of socket for remote control.
- Fix to restore input parameter on call failure in create_dirs.
- Please checker by terminating and initialising string read
by remote control.
- Fix to define upper bounds on rr counts read from untrusted packet
data.
- Separate acl_addr_match_range functions for ip4 and ip6, to
please checkers.
- Avoid unused variable warning in new match_range_v4 function.
- Fix whitespace in nsd.conf.sample.in, patch from Paul Wouters.
- use-systemd is ignored in nsd.conf, when NSD is compiled with
libsystemd it always signals readiness, if possible.
- Note that use-systemd is not necessary and ignored in man page.
- Fix unreachable code in ssl set options code.
- Fix bad shift in assertion code analyzer complaint.
- Fix responses for IXFR so that the authority section is not echoed
in the response.
- Merge PR#60: Minor portability fixes from michaelforney, with
avoid pointer arithmetic on void* and avoid unnecessary VLA.
- Fix that the retry wait does not exceed one day for zone transfers.
CHANGES:
- Set FD_CLOEXEC on opened sockets.
PR: 244886, 242367[2]
Submitted by: Jaap Akkerhuis <jaap@nlnetlabs.nl> (maintainer)
Reported by: Leo Vandewoestijne <freebsd@dns.company> [2]
Relnotes: https://github.com/NLnetLabs/nsd/blob/NSD_4_3_0_REL/doc/ChangeLog
This release fixes memory leaks when reading zonefiles
and processing zone transfers.
4.1.20
================
BUG FIXES:
- Fix memory leak in zone file read of unknown rr formatted RRs.
- Fix memory leak when rehashing nsec3 after axfr or zonefile read,
in the selectively allocated precompiled nsec3 hashes.
Also changed to DISTVERSION
Submitted by: jaap@NLnetLabs.nl (maintainer)
Approved by: tcberner (mentor, implicit)
This release has features for saving memory and faster notification.
With --enable-packed, 33% memory savings could be had, or something
along that size. Notification of secondary servers happens in parallel,
and has faster timeouts. More sockets are used for zone transfers.
This speeds up communication with a larger set of servers. Additionally
a bug is fixed for dual-loaded parent-and-child zone configured at the
same time, when one of the zones has not loaded properly.
FEATURES:
- xfr-inspect, it is not installed, it prints xfr files from /tmp
made with 'make xfr-inspect' in the source dir.
- retry timeout between sending notifies dropped from 15 to 3 sec.
- NSD sends 16 notifies simultaneously.
- configure --enable-packed reduces memory usage, at expense of
unaligned reads. Saves about 17%.
- Save memory by selectively allocate precompiled nsec3 hashes,
saves about 16% memory.
- make ip-transparent option work on OpenBSD.
- Save about 2% memory by changing usage count size in name tree.
- Fix#2871: Increase number of sockets for xfrd transfers.
BUG FIXES:
- Fix gcc 7.1.1 warnings.
- Fix writev compile warning on FreeBSD.
- Fix#1446: A corrupted zone file "propagates" to good ones.
- nsd-control zonestatus prints wait time between attempts, for zones
that are in that waiting time.
- Fix collision printout of nsec3 to print name, hash and reverse.
- Fix#1567: Change crit to err log level for gettimeofday failure.
Add defines for compile without syslog.
- Fix crash for DS query when parent and child zones both configured
in nsd.conf and parent zone has not loaded properly.
PR: 224025
Submitted by: jaap@NLnetLabs.nl (maintainer)
Features:
- zone parser parses type AVC (it has TXT format).
- Fix#1272: use writev to put tcp length field with data for outgoing
zone transfer requests.
Bugfixes:
- Fix potential null pointer in nsec3 adjustment tree.
- Fix text format of deletes for CDS and CDNSKEY, single 0 to represent
empty base64 or hex string.
PR: 220939
Submitted by: jaap@NLnetLabs.nl (maintainer)
features:
- zone parser can parse acronyms for algorithms ED25519 and ED448.
- Fix 1243: Option to make NSD emit really minimal responses,
minimal-responses: yes in nsd.conf.
bug fixes:
- Calculate new udb index after growing the array, fix from
Chaofeng Liu.
- Fix missing _t to _type conversion for disable-radix-tree option.
- Printout serial error with hint it may be too big.
- Fix 1228: OpenSSL include is not guarded with HAVE_SSL
- Patch for expire state in multi-master when masters includes
broken master, from Manabu Sonoda.
- minor manpage fix.
PR: 218873
Submitted by: jaap@NLnetLabs.nl (maintainer)
- Noting NSD changelog, recent update renamed _t typedefs because POSIX
reserves them. The 4.1.15 update missed a few conversion.
- Unbreak RADIXTREE. No PORTREVISION change as port would not have built.
PR: 217640
Reported by: Max Kostikov <max@kostikov.co>
Submitted by: w.schwarzenfeld@utanet.at (the suggested diff)
jaap@NLnetLabs.nl (maintainer - the port patch)
Obtained from: nsd svn r4741
SUMMARY:
Some features, such as multi master check option that does not upgrade
from the first master that answers, but picks the best one.
Additional section handling for type SRV. And bug fixes.
FEATURES:
- multi-master-check: yes can be used to check all masters for the
last version, using the higher version from the configured masters,
from Manabu Sonoda.
- Support RR type OPENPGPKEY from RFC 7929.
- Can config key algorithms with the digest name, eg. 'sha256'.
- configure --disable-radix-tree for about 15% lower memory usage.
- for type SRV add A/AAAA to the additional section (if possible),
just like we already do for type MX.
- more extensible edns option handling.
BUG FIXES:
- Fix compile warnings about unused result from write and strtol.
and signcompare in minmax retrytime.
- Fix#812: fix that make depend fails after distribution.
- Fix#817: xfrd update failed loop.
- Add robustness against unallocated data in nsec3 trees.
- Fix README spelling error of BSD license (reported by Joerg Jung).
- Fix multimaster for not tried full zone transfer for a expired zone.
- Fix#827: fix compile with openssl 1.1.0 with api=1.1.0.
PR: 213021
Submitted by: maintainer
- Restore configurable IPV6 option. Upstream integrated fix for issue.
- FEATURES:
* When tcp is more than half full, use short timeout for tcp session.
* Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
* Fix#790: size-limit-xfr can stop NSD from downloading infinite zone transfer
data size, from Toshifumi Sakaguchi.
Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
- BUGFIXES:
* Fix build without IPv6, patch from Zdenek Kaspar.
* Fix#783: Trying to run a root server without having configured it silently
gives wrong answers.
* Fix#782: Serve DS record but parent zone has no NS record.
* Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
PR: 211693
Submitted by: jaap@NLnetLabs.nl (maintainer)
Security: CVE-2016-6173
Security: https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html
MFH: 2016Q3
Remove the IPv6 option that is causing builds to fail when it is
disabled. The issue does not affect package users, as it was a default
option.
The issue has been fixed upstream [1] and will be included/renabled
in the next version update.
While I'm here:
* Switch to USES=ssl
* Add --enable-ipv6 in CONNFIGURE_ARGS to ensure it's explicitly enabled
[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=800
PR: 211303
Reported by: <vfx9as gmail com>
Approved by: maintainer <jaap NLnetLabs nl>
MFH: 2016Q3
- add ability to build agains openssl or libressl from ports
- add MUNIN_PLUGIN_IMPLIES= BIND8_STATS
- use @sample macro in pkg-plist for nsd.conf
- s/exec/postexec/ pkg-plist
FEATURES:
- #732: tcp-mss, outgoing-tcp-mss options for nsd.conf, patch
from Daisuke Higashi.
- #739: zonefile changes when mtime is small are detected on reload,
if filesystem supports precision mtime values.
- RR type CSYNC (RFC7477) syntax is supported.
BUG FIXES:
- take advantage of arc4random_uniform if available, patch from
Loganaden Velvindron.
- Fix flto check for OSX clang.
- Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on Linux.
- Fix#736: segfault during zone transfer.
- Fix#744: Fix that NSD replies for configured but unloaded zone
with SERVFAIL, not REFUSED.
PR: 207951
Submitted by: jaap@NLnetLabs.nl (maintainer)
MFH: 2016Q1
Major Bug Bug Fixes:
- This release fixes segfault after start when many interfaces are in use.
- This version returns the EDNS bad version response with the AD flag
unset for improved conformance.
Minor Buf Fixes:
- Fix#701: Fix that AD=1 set in a BADVERS response.
- Fix typo in zonec.c inside error message.
- Fix#711: Document that debug-mode yes is used for staying
attached to the supervisor console.
- Document verbosity 3 prints more information.
- nsd-checkconf warns for master zones with no zonefile statement.
- Fix start failure when many file descriptors are in use.
- The servfail rcode is not printed with a space in the middle.
- print failed token for config syntax error or parse error.
PR: 204533
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
FEATURES:
- RFC7553 RR Type URI support.
- removed hardcoded interface limit, --with-max-ips removed.
- Admitted axfrs are logged at verbosity 1. Refused at verbosity 2.
Major BUG FIXES:
- Fix NSID response for short edns sizes.
- Fix that for expired zones NSD performs an AXFR and accepts newer
and older serial numbers.
PR: 203231
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
