
Releases: NLnetLabs/nsd

NSD 4.6.0

01 Jul 08:07
NSD_4_6_0_REL

This release adds the zone verification support from the CreDNS code.
There are also some bug fixes in the ixfr out code.

Zone verification can start a verifier program that reads the new zone
data; the verifier can reject the update, or otherwise process the new
zone data. The intent is for a DNSSEC verifier to inspect the zone before
it is passed on by zone transfer or served to clients.

Zone verification is enabled with enable: yes in the verify section of
nsd.conf. You can then list the interfaces NSD listens on while the
verifier is active, so the verifier can send queries for the new zone
contents. With verify-zones: yes, zones are verified by default. The
command that is executed is set with the verifier: ldns-verify-zone
option. verifier-count sets the maximum number of concurrent verifiers.
With verifier-feed-zone: yes the zone is fed to the verifier program on
stdin. A timeout that stops the verifier is set with the
verifier-timeout option.

The zone verification options can also be set per zone, either for a
pattern or for an individual zone. verify-zone enables verification for
that zone, and the verifier, verifier-feed-zone and verifier-timeout
options can likewise be overridden per zone.
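The server-wide verify section with per-pattern and per-zone overrides, as an added nsd.conf example that is not configuration from the NSD project or this release page; the ip-address/port option names in the verify section, the tls-free request-xfr line, the wrapper script path and the zone names are assumptions or placeholders.

```conf
# Added example nsd.conf fragment for zone verification (NSD 4.6.0).
server:
    zonesdir: "/etc/nsd/zones"

verify:
    # Turn the zone verification feature on for this server.
    enable: yes
    # Interface NSD listens on while a verifier runs, so the verifier can
    # query the new zone contents (option names assumed; values are examples).
    ip-address: 127.0.0.1
    port: 5347
    # Verify every zone unless a zone or pattern sets verify-zone: no.
    verify-zones: yes
    # Program run for each new zone version; it may reject the update.
    verifier: ldns-verify-zone
    # At most one verifier runs at a time.
    verifier-count: 1
    # Feed the zone text to the verifier on stdin, in addition to queries.
    verifier-feed-zone: yes
    # Stop a verifier that has not finished after this many seconds.
    verifier-timeout: 120

pattern:
    name: "dnssec-signed"
    # Pattern-level overrides: a stricter timeout and a site-specific
    # wrapper script (placeholder path) instead of the server-wide verifier.
    verify-zone: yes
    verifier: "/usr/local/bin/verify-zone-wrapper"
    verifier-feed-zone: yes
    verifier-timeout: 60

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    include-pattern: "dnssec-signed"
    request-xfr: 192.0.2.1 NOKEY

zone:
    # Unsigned internal zone: opt out of verification for this zone only.
    name: "corp.example"
    zonefile: "corp.example.zone"
    verify-zone: no
```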

4.6.0

FEATURES:

  • Port zone-verification from CreDNS to NSD4.

BUG FIXES:

  • Fix static analyzer reports on ixfrcreate temp file.
  • Fixup wrong ixfrcreate fread return check.

NSD 4.5.0

13 May 06:55
NSD_4_5_0_REL

This release fixes a couple of minor bugs and adds IXFR out
functionality. With this functionality NSD can respond to IXFR queries
and serve IXFR transfers downstream.

It is disabled by default, which means NSD does not store IXFR contents
for zones unless configured to. The response on the wire is different
even for zones with IXFR disabled: because IXFR is now supported, those
zones are also answered, with a reply indicating that no differential
data is available.

4.5.0

FEATURES:

  • Merge PR #209: IXFR out
    This adds IXFR out functionality to NSD. NSD can copy IXFRs from
    upstream to downstream clients, or create IXFRs from zonefiles.
    The options store-ixfr: yes and create-ixfr: yes can be used to
    turn this on. Default is turned off. The options ixfr-number and
    ixfr-size can be used to tune the number of IXFR transfers and
    total data size stored. This is configured per zone; the IXFRs
    are served to the hosts that are allowed to perform zone transfers,
    and if TSIG is configured, signed with the same key. The content
    is stored to file if a zonefile is configured for the zone, in
    the zonefile.ixfr, zonefile.ixfr.2, ... files, which are in
    readable text format. The number of IXFRs is num.rixfr in
    statistics output, also per zone if per zone statistics are enabled.
    If offline, nsd-checkzone -i can create ixfr files.
    NSD already supports requesting IXFRs; this addition allows NSD
    to serve IXFR transfers to clients.
    NSD stops responding with NOTIMPL to IXFR requests, also for zones
    that do not have IXFR enabled. The client gets a full zone reply
    or a status reply if the serial is up to date.
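An nsd.conf fragment that turns IXFR out on for one zone and leaves it at the default for another, as an added example that is not configuration from the NSD project or this release page; the TSIG key name and secret, the addresses, the zonefile paths and the chosen ixfr-number/ixfr-size values are constructed placeholders.

```conf
# Added example nsd.conf fragment for IXFR out (NSD 4.5.0).
server:
    zonesdir: "/etc/nsd/zones"

key:
    # TSIG key shared with the transfer peers. IXFR responses are signed
    # with the same key that authorises the transfer.
    name: "xfr-key.example."
    algorithm: hmac-sha256
    secret: "UExBQ0VIT0xERVJfU0VDUkVUX0JBU0U2NA=="   # placeholder, not a real key

zone:
    name: "example.com"
    # A zonefile is configured, so IXFR data is persisted next to it as
    # example.com.zone.ixfr, example.com.zone.ixfr.2, ... in readable text.
    zonefile: "example.com.zone"
    request-xfr: 192.0.2.1 xfr-key.example.
    allow-notify: 192.0.2.1 xfr-key.example.
    # Keep the IXFRs received from the upstream primary for downstream use.
    store-ixfr: yes
    # Also build IXFRs by comparing successive versions of the zonefile
    # (useful when this server is the primary and edits land in the file;
    # offline, nsd-checkzone -i can create the ixfr files instead).
    create-ixfr: yes
    # Bound the stored history: at most 5 IXFRs and 1 MiB in total.
    ixfr-number: 5
    ixfr-size: 1048576
    # Downstream secondaries allowed to transfer. They receive an IXFR when
    # the serial they send is in the stored history, otherwise a full zone.
    provide-xfr: 198.51.100.0/24 xfr-key.example.
    provide-xfr: 2001:db8::/32 xfr-key.example.

zone:
    # IXFR storage left at the default (off). IXFR queries for this zone
    # now get a full zone reply, or a status reply when the serial is up to
    # date, instead of NOTIMPL.
    name: "static.example"
    zonefile: "static.example.zone"
    provide-xfr: 198.51.100.0/24 xfr-key.example.
```

Per-zone IXFR counts then appear as num.rixfr in the statistics output when per zone statistics are enabled.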

BUG FIXES:

  • Fix code analyzer zero divide warning.
  • Fix code analyzer large value with assertion.
  • Fix another code analyzer zero divide warning.
  • Fix code analyzer warning about uninitialized temp storage in loop.
  • Fix spelling error in comment in svcbparam_lookup_key.
  • Update cirrus script FreeBSD version.

NSD 4.4.0

17 Feb 08:12
NSD_4_4_0_REL

This release changes the memory allocation for outgoing zonetransfers,
and this reduces the memory footprint. The defaults for the amounts are
the same as before, but there are config options to configure the memory
usage. There are also bug fixes.

4.4.0

FEATURES:

  • Merge #193: Lower memory usage of the XFRD process by default.
    Instead of preallocating all elements, they are allocated when used.
    There are options for managing the memory usage; the defaults are the
    same as before. xfrd-tcp-max sets the number of sockets for TCP
    connections that xfrd can make to download zone contents, and
    xfrd-tcp-pipeline the number of simultaneous transfers over the
    same connection.

BUG FIXES:

  • Fix #200: nsd-checkzone succeeds even with incorrect serial in SOA
    record.
  • Merge #204 from jonathangray: correct some spelling mistakes.
  • Fix to change file mode before changing file owner for the
    nsd-control unix socket file.
  • Fix to document nsd-checkzone -p in the man page for nsd-checkzone.
  • Fix #206: build with --without-ssl fails.
  • Merge #207 Sync nsd-control-setup with unbound-control-setup to
    generate certificates with SANs.
  • Fix unit tests for nsd-control-setup exit code and the
    xfrd-tcp-max default.

NSD_4_3_9_REL

10 Dec 07:54
NSD_4_3_9_REL

NSD 4.3.9

This release contains a small number of bug fixes. The reconfig failure
on re-reading the cpu-affinity config is fixed. Version repository and
continuous integration files are removed from the source code tarball.

4.3.9

BUG FIXES:

  • Fix #198: nsd-control reconfig core dump.
  • Fix to remove git tracking and ci information from release tarballs.
  • Fix unit tests for new answer-cookie default.
  • Fix socket_partitioning unit test for FreeBSD.
  • Fix SVCB test to work around older dig with drill.

NSD 4.3.8

12 Oct 07:13
NSD_4_3_8_REL

This release fixes a crash bug in delegation answers and fixes in NSEC3
answers, and has compile fixes for OpenSSL. The OpenSSL 3.0 API is
supported.

The Mutual TLS feature allows client authentication for XFR-over-TLS
connections: use the client-cert, client-key and client-key-pw options
to set up the certificate that NSD then presents when it connects to the
upstream server to download the zone.

The default for DNS Cookies is updated. It is now off to
stop wrong behaviour in mixed server deployments.

4.3.8

FEATURES:

  • Merge #185 by cesarkuroiwa: Mutual TLS.
  • Set default for answer-cookie to no. Because in server deployments
    with mixed server software, a default of yes causes issues.

BUG FIXES:

  • Fix to compile with OpenSSL 3.0.0beta2.
  • Fix configure detection of SSL_CTX_set_security_level.
  • Fix deprecated functions use from openssl 3.0.0beta2.
  • For #184: Note that all zones can be targeted by some nsd-control
    commands in the man page.
  • Fixes for #185: Document client-cert, client-key and client-key-pw
    in the man page. Fix yacc semicolon. Fix unused variable warning.
    Use strlcpy instead of strncpy. Fix spelling error in error
    printout.
  • Merge #187: Support using system-wide crypto policies.
  • Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
  • Fix sed script in ssldir split handling.
  • Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
    `query->delegation_rrset' failed.
  • Fix #190: NSD returns 3 NSEC3 records for NODATA response.
  • Fix compile failure with openssl 1.0.2.
  • Fix #194: Incorrect NSEC3 response for SOA query below delegation
    point.

NSD 4.3.7

22 Jul 15:22
NSD_4_3_7_REL

This release fixes a crash in dnstap. New features are XoT, which
provides AXFR and IXFR over TLS, DNS Cookies support, and SVCB and HTTPS
RR type support.

For zone transfers, TLS can be turned on by specifying the tls-auth-name
in the request-xfr config option, like
request-xfr: 192.0.2.1 NOKEY ns.example.com.
With the tls-cert-bundle option in the server section, the list of
certificates for authenticating the transfers over TLS can be configured.

DNS cookies can be turned on or off with the answer-cookie option.
Instead of a randomly generated secret, for anycast or load-balanced
deployments the secret can be configured with cookie-secret or
cookie-secret-file, and rollover of the cookie secret can be performed
with the nsd-control commands add_cookie_secret, activate_cookie_secret
and drop_cookie_secret, using the cookie-secret-file.

The SVCB and HTTPS RR type support means that the syntax for these RR
types can be used in zone files and is written out when a zone is
downloaded. In previous versions the unknown RR type support code
provided a fallback syntax in zone files and on-the-wire functionality
for these types.
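A secondary that pulls a zone over XoT, authenticates itself to the primary with a client certificate (the 4.3.8 Mutual TLS options above), and answers DNS Cookies from a shared secret file, as an added nsd.conf example that is not configuration from the NSD project or this release page; the tls-auth clause layout with auth-domain-name, the ip@port form in request-xfr, the nsd-control argument forms, and all names, addresses and paths are assumptions or placeholders.

```conf
# Added example nsd.conf fragment: XoT client with mutual TLS and DNS Cookies.
server:
    # CA bundle used to validate the primary's TLS certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # DNS Cookies on, with the secret read from a file so that every node
    # of an anycast or load-balanced set answers with the same secret.
    answer-cookie: yes
    cookie-secret-file: "/etc/nsd/nsd_cookiesecrets.txt"

tls-auth:
    # Referenced by name from request-xfr; auth-domain-name is the name the
    # primary's certificate must carry (clause layout assumed).
    name: "ns.example.com."
    auth-domain-name: "ns.example.com"
    # Mutual TLS: certificate and key this server presents to the primary.
    client-cert: "/etc/nsd/tls/secondary.crt"
    client-key: "/etc/nsd/tls/secondary.key"
    client-key-pw: "PLACEHOLDER_KEY_PASSPHRASE"

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # Form from the release notes: <ip> <tsig-key|NOKEY> <tls-auth-name>.
    # The @853 DNS-over-TLS port suffix is an assumed syntax.
    request-xfr: 192.0.2.1@853 NOKEY ns.example.com.
    allow-notify: 192.0.2.1 NOKEY

# Cookie secret rollover is done with nsd-control against the running
# server, not in nsd.conf; the commands update cookie-secret-file:
#   nsd-control add_cookie_secret <new-secret>   # stage the new secret
#   nsd-control activate_cookie_secret           # start answering with it
#   nsd-control drop_cookie_secret               # retire the old secret
```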

4.3.7

FEATURES:

  • Syntax of SVCB and HTTPS RR type as per draft-ietf-dnsop-svcb-https
  • Client side DNS Zone Transfer-over-TLS (XoT) support as per
    draft-ietf-dprive-xfr-over-tls
  • Interoperable DNS Cookies support as per RFC7873 and RFC9018

BUG FIXES:

  • Fix for #170: Fix build warnings when IPv6 is disabled.
  • Fix #170: Disabled IPv6 and DNSTAP enabled triggers a build error.
  • Fix for #128: Skip over sendmmsg invalid argument when port is zero.
  • Fix #171: Invalid negative response (NSEC3) after IXFR.
  • Fix to make nsec3_chain_find_prev return NULL if one nsec3 left.
  • Fix #174: NS Records below delegation are not ignored (nsd-checkzone
    also does not raise any issue).
  • Fix #176: please review Loglevel on missing zonefile.
  • Update the ACX_CHECK_NONBLOCKING_BROKEN test for the configure
    script.
  • Fix #179: log notice and server-count.
  • Update configure nonblocking test to use host.
  • Fix #168: Buffer overflow in the dname_to_string() function
  • Fixes for child server processes getting out of sync with the
    dnstap-collector process
  • Fix gcc-11 warning on array bounds.
  • Fix compile of cookies on FreeBSD without IPv6.
  • Fix for loop initial declaration for nonc99 compiler
  • Fix typo in xfrd-tcp.c.

NSD 4.2.4

10 Dec 12:02
NSD_4_2_4_REL

This release fixes the regressions in the config for the minimal-responses, round-robin and log-time-ascii options, where the previous release ignored the config settings for them. Also there are some portability fixes.

4.2.4

FEATURES:

  • Fix #48: Add make distclean that removes config.h made by configure.
    And add maintainer-clean that removes bison and flex output.

BUG FIXES:

  • Detect fixed time memcmp for openssl 0.9.8 compatibility.
  • Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
  • include limits.h for UINT_MAX.
  • If there is no recvmmsg, don't use the msg_flags member but errno
    for the error, where our fallback function left it; msg_flags also
    does not exist on some systems.
  • Remove unused variable warning for portability.
  • Fix #52: do not log transient network full errors unless higher
    verbosity is set.
  • Fix regressions in configparser.y where global variables were not
    set for minimal-responses, round-robin and log-time-ascii.