Releases: NLnetLabs/nsd
NSD 4.10.1
This release consists primarily of bug fixes.
@bilias implemented mutual TLS authentication for zone transfers. Please consult the nsd.conf manual for details on the newly introduced configuration options tls-auth-port and tls-auth-xfr-only.
@orlitzky provided integration for the OpenRC init system.
Version 4.10.0 was the first release to integrate simdzone. Build issues on OpenBSD releases before 5.6, Gentoo and Solaris have been reported and fixed. The fallback parser, used on systems that lack the SSE4.2 and AVX2 instruction sets, contained some state-keeping bugs, and under certain circumstances a use-after-free bug was encountered in buffer management.
4.10.1
FEATURES:
- Merge #352 from orlitzky: contrib: add OpenRC service script, config file, and tmpfiles entry.
- Merge #337 from bilias: Mutual TLS-AUTH.
BUG FIXES:
- Fix incorrect punctuation of log messages.
- Fix for #317, document more text on pidfile permissions.
- Fix #334: RFC8482 behavior documentation.
- Fix for OpenSSL 3.0 deprecated functions.
- Merge #341: Fix allow-query wording in nsd.conf.5.in.
- Fix test script from making spurious output.
- Fix cpu_affinity and socket_partitioning tests for --enable-log-role.
- Fix #344: Update simdzone.
- Fix #347: Adjust verbosity for TLS (+TCP) to be 5.
- Merge #348: Move TLS logging to verbosity level 5.
- For #347: Also adjust verbosity of log message for remaining TCP connections.
- Merge #349: log file name before loading.
- Use MAKE variable rather than make command directly in Makefile.
- Serialize WKS RRs using numeric values rather than names.
- Fix propagation of Makefile targets to simdzone.
- Do not log ACL mismatch on followed CNAMEs.
- Fix link of xfr-inspect for libssl dependency.
- Initialize tls_auth_port and tls_auth_xfr_only options.
- Merge #358: Fix Hurd build error due to log_err.
- Update simdzone to fix detection of AVX2 support.
simdzone 0.1.1
FEATURES:
- Test to verify configure.ac and Makefile.in are correct.
- Add support for reading from stdin if filename is "-".
- Add support for building with Oracle Developer Studio 12.6.
- Add support for "time" service for Well-Known Services (WKS) RR.
BUG FIXES:
- Fix makefile dependencies.
- Fix makefile to use source directory for build dependencies.
- Fix changelog to reflect v0.1.0 release.
- Update makefile to not use target-specific variables.
- Fix makefile clean targets.
- Fix state keeping in fallback scanner for contiguous and quoted.
- Fix bug in name scanner.
- Fix type mnemonic parsing in fallback parser.
- Fix endian.h to include machine/endian.h on OpenBSD releases before 5.6.
- Fix use after free on buffer resize.
- Fix parsing of numeric protocols in WKS RRs.
- Make devclean target depend on realclean target.
- Fix detection of AVX2 support by checking generic AVX support by the processor and operating system (#222).
CHANGES:
- Make relative includes relative to current working directory.
- Split Autoconf and CMake compiler tests for supported SIMD instructions.
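The AVX2 detection fix listed above rests on a general x86 rule: the AVX2 CPUID bit alone is not enough, because the processor must report generic AVX and the operating system must have enabled saving of the YMM registers. The C code below is an added example, not code from simdzone or NSD; the function names avx2_usable and host_has_usable_avx2 are hypothetical, and the bit positions are the documented CPUID/XGETBV ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Feature bits as documented in the Intel SDM and AMD APM. */
#define CPUID1_ECX_OSXSAVE (1u << 27) /* OS enabled XSAVE, XGETBV is usable */
#define CPUID1_ECX_AVX     (1u << 28) /* processor implements AVX */
#define CPUID7_EBX_AVX2    (1u << 5)  /* processor implements AVX2 */
#define XCR0_SSE           (1u << 1)  /* OS saves and restores XMM state */
#define XCR0_AVX           (1u << 2)  /* OS saves and restores upper YMM state */

/* Hypothetical helper: the decision on raw register values, kept separate from
 * the CPUID/XGETBV reads so it can be exercised with constructed inputs. */
bool avx2_usable(uint32_t cpuid1_ecx, uint64_t xcr0, uint32_t cpuid7_ebx)
{
    const uint64_t ymm_state = XCR0_SSE | XCR0_AVX;

    if (!(cpuid1_ecx & CPUID1_ECX_OSXSAVE)) /* xcr0 is not readable at all */
        return false;
    if (!(cpuid1_ecx & CPUID1_ECX_AVX))     /* generic AVX, processor side */
        return false;
    if ((xcr0 & ymm_state) != ymm_state)    /* generic AVX, OS side */
        return false;
    return (cpuid7_ebx & CPUID7_EBX_AVX2) != 0;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>

static uint64_t read_xcr0(void)
{
    uint32_t eax, edx;
    /* Only executed after OSXSAVE was confirmed; XGETBV faults otherwise. */
    __asm__ volatile("xgetbv" : "=a"(eax), "=d"(edx) : "c"(0));
    return ((uint64_t)edx << 32) | eax;
}

bool host_has_usable_avx2(void)
{
    unsigned int a, b, c, d;
    uint32_t ecx1, ebx7 = 0;
    uint64_t xcr0 = 0;

    if (!__get_cpuid(1, &a, &b, &c, &d))
        return false;
    ecx1 = c;
    if (ecx1 & CPUID1_ECX_OSXSAVE)
        xcr0 = read_xcr0();
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        ebx7 = b;
    return avx2_usable(ecx1, xcr0, ebx7);
}
#else
bool host_has_usable_avx2(void) { return false; } /* not an x86 build */
#endif

int main(void)
{
    printf("AVX2 usable on this host: %s\n",
           host_has_usable_avx2() ? "yes" : "no");
    return 0;
}
```

A parser that selects its AVX2 code path from the CPUID leaf 7 bit alone can hit an illegal-instruction fault on hosts or guests where the OS has not enabled YMM state, which for a name server means a crash at zone load.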
NSD 4.10.1rc2
This release consists primarily of bug fixes.
@bilias implemented mutual TLS authentication for zone transfers. Please
consult the nsd.conf manual for details on the newly introduced configuration
options tls-auth-port and tls-auth-xfr-only.
@orlitzky provided integration for the OpenRC init system.
Version 4.10.0 was the first release to integrate simdzone. Build issues on
OpenBSD releases before 5.6, Gentoo and Solaris have been reported and fixed.
The fallback parser, used on systems that lack the SSE4.2 and AVX2 instruction
sets, contained some state-keeping bugs, and under certain circumstances a
use-after-free bug was encountered in buffer management.
4.10.1
FEATURES:
- Merge #352 from orlitzky: contrib: add OpenRC service script, config
file, and tmpfiles entry.
- Merge #337 from bilias: Mutual TLS-AUTH.
BUG FIXES:
- Fix incorrect punctuation of log messages.
- Fix for #317, document more text on pidfile permissions.
- Fix #334: RFC8482 behavior documentation.
- Fix for OpenSSL 3.0 deprecated functions.
- Merge #341: Fix allow-query wording in nsd.conf.5.in.
- Fix test script from making spurious output.
- Fix cpu_affinity and socket_partitioning tests for --enable-log-role.
- Fix #344: Update simdzone.
- Fix #347: Adjust verbosity for TLS (+TCP) to be 5.
- Merge #348: Move TLS logging to verbosity level 5.
- For #347: Also adjust verbosity of log message for remaining TCP
connections.
- Merge #349: log file name before loading.
- Use MAKE variable rather than make command directly in Makefile.
- Serialize WKS RRs using numeric values rather than names.
- Fix propagation of Makefile targets to simdzone.
- Do not log ACL mismatch on followed CNAMEs.
simdzone 0.1.1
FEATURES:
- Test to verify configure.ac and Makefile.in are correct.
- Add support for reading from stdin if filename is "-".
- Add support for building with Oracle Developer Studio 12.6.
- Add support for "time" service for Well-Known Services (WKS) RR.
BUG FIXES:
- Fix makefile dependencies.
- Fix makefile to use source directory for build dependencies.
- Fix changelog to reflect v0.1.0 release.
- Update makefile to not use target-specific variables.
- Fix makefile clean targets.
- Fix state keeping in fallback scanner for contiguous and quoted.
- Fix bug in name scanner.
- Fix type mnemonic parsing in fallback parser.
- Fix endian.h to include machine/endian.h on OpenBSD releases before 5.6.
- Fix use after free on buffer resize.
CHANGES:
- Make relative includes relative to current working directory.
NSD 4.10.1rc1
This release consists primarily of bug fixes.
@bilias implemented mutual TLS authentication for zone transfers. Please
consult the nsd.conf manual for details on the newly introduced configuration
options tls-auth-port and tls-auth-xfr-only.
@orlitzky provided integration for the OpenRC init system.
Version 4.10.0 was the first release to integrate simdzone. Build issues on
OpenBSD releases before 5.6, Gentoo and Solaris have been reported and fixed.
The fallback parser, used on systems that lack the SSE4.2 and AVX2 instruction
sets, contained some state-keeping bugs, and under certain circumstances a
use-after-free bug was encountered in buffer management.
4.10.1
FEATURES:
- Merge #352 from orlitzky: contrib: add OpenRC service script, config
file, and tmpfiles entry.
- Merge #337 from bilias: Mutual TLS-AUTH.
BUG FIXES:
- Fix incorrect punctuation of log messages.
- Fix for #317, document more text on pidfile permissions.
- Fix #334: RFC8482 behavior documentation.
- Fix for OpenSSL 3.0 deprecated functions.
- Merge #341: Fix allow-query wording in nsd.conf.5.in.
- Fix test script from making spurious output.
- Fix cpu_affinity and socket_partitioning tests for --enable-log-role.
- Fix #344: Update simdzone.
- Fix #347: Adjust verbosity for TLS (+TCP) to be 5.
- Merge #348: Move TLS logging to verbosity level 5.
- For #347: Also adjust verbosity of log message for remaining TCP
connections.
- Merge #349: log file name before loading.
- Use MAKE variable rather than make command directly in Makefile.
- Serialize WKS RRs using numeric values rather than names.
- Fix propagation of Makefile targets to simdzone.
- Do not log ACL mismatch on followed CNAMEs.
simdzone 0.1.1
FEATURES:
- Test to verify configure.ac and Makefile.in are correct.
- Add support for reading from stdin if filename is "-".
- Add support for building with Oracle Developer Studio 12.6.
- Add support for "time" service for Well-Known Services (WKS) RR.
BUG FIXES:
- Fix makefile dependencies.
- Fix makefile to use source directory for build dependencies.
- Fix changelog to reflect v0.1.0 release.
- Update makefile to not use target-specific variables.
- Fix makefile clean targets.
- Fix state keeping in fallback scanner for contiguous and quoted.
- Fix bug in name scanner.
- Fix type mnemonic parsing in fallback parser.
- Fix endian.h to include machine/endian.h on OpenBSD releases before 5.6.
- Fix use after free on buffer resize.
CHANGES:
- Make relative includes relative to current working directory.
NSD 4.10.0
Version 4.10.0 integrates simdzone and drops the Flex+Bison zone
parser.
NSD used a Flex+Bison based zone parser since version 1.4.0. The parser
served NSD well, but zones have increased in size and zone loading
performance has been problematic for some users.
With the integration of simdzone
(https://github.com/NLnetLabs/simdzone),
performance of loading zones and IXFRs is drastically improved. Quick
measurements show improvements ranging anywhere from 3.8x to 1.6x,
depending on zone size and database type, though the improvements will
be less noticeable for NSEC3 zones due to pre-hashing.
simdzone leverages SIMD instructions in modern CPUs to improve
throughput. Right now SSE4.2 and AVX2 instruction sets are supported,
other instruction sets will use the fallback implementation, which
still is a decent improvement over the Flex+Bison based parser.
The release has additional fixes from the release candidate. The
parsing of lowercase type names is fixed and the x86_64 variable is
set to no for other machines.
4.10.0
FEATURES:
- Merge #278: Replace Flex+Bison based zone parser with simdzone.
Performance of loading zones and IXFRs is greatly improved by using
the simdzone project by NLnet Labs. The optimized presentation
format parser leverages SIMD instructions in modern CPUs to improve
throughput. Right now SSE4.2 and AVX2 instruction sets are
supported, other instruction sets will use the fallback
implementation, which still is a decent improvement over the
Flex+Bison based parser.
BUG FIXES:
- Fix that when the server truncates the pidfile, it does not follow
symbolic links.
- Fix #317: nsd should not chown its PID file.
- For #317: Modify nsd service script to stop NSD from creating a pid
file that systemd is not using.
- Fix #324: Clarify the purpose of contrib/bug390.patch.
- Fix IXFR requests upstream for zones with a long name. Thanks for the
report to Yuuki Wakisaka from Internet Initiative Japan Inc.
- Unit test for dname subdomain test used by xfrd-tcp.c.
- Fix #329: TCP accept queues number.
- Fix that the reload handler for sigchild uses signal_add, and also
that the signal handler is restored when done.
- Fix that when server verify is done it resets the sigchild handler.
- Fix makedist.sh for simdzone inclusion.
- Fix makedist.sh to remove simdzone git tracking information and
scripting temporaries from tarball.
- Fix error output of makedist.sh.
- Use simdzone version with name parser fix.
- Bump simdzone version to fix OpenBSD build issues.
- Bump simdzone to include minor fixes.
NSD_4_10_0_RC1
NSD 4.10.0rc1 is available:
Version 4.10.0 integrates simdzone and drops the Flex+Bison zone parser.
NSD used a Flex+Bison based zone parser since version 1.4.0. The parser served
NSD well, but zones have increased in size and zone loading performance has
been problematic for some users.
With the integration of simdzone (https://github.com/NLnetLabs/simdzone),
performance of loading zones and IXFRs is drastically improved. Quick
measurements show improvements ranging anywhere from 3.8x to 1.6x depending
on zone size and database type, though the improvements will be less noticeable
for NSEC3 zones due to pre-hashing.
simdzone leverages SIMD instructions in modern CPUs to improve throughput.
Right now SSE4.2 and AVX2 instruction sets are supported, other instruction
sets will use the fallback implementation, which still is a decent improvement
over the Flex+Bison based parser.
The release candidate window will be longer this time as simdzone is rather
new and while it has been tested on various architectures and operating
systems, it is likely problems will pop-up due to sheer amount of code. Please
consider giving this release candidate a good run and report any problems.
4.10.0
FEATURES:
- Merge #278: Replace Flex+Bison based zone parser with simdzone.
Performance of loading zones and IXFRs is greatly improved by using
the simdzone project by NLnet Labs. The optimized presentation format
parser leverages SIMD instructions in modern CPUs to improve throughput.
Right now SSE4.2 and AVX2 instruction sets are supported, other
instruction sets will use the fallback implementation, which still is
a decent improvement over the Flex+Bison based parser.
BUG FIXES:
- Fix that when the server truncates the pidfile, it does not follow
symbolic links.
- Fix #317: nsd should not chown its PID file.
- For #317: Modify nsd service script to stop NSD from creating a
pid file that systemd is not using.
- Fix #324: Clarify the purpose of contrib/bug390.patch.
- Fix IXFR requests upstream for zones with a long name. Thanks for
the report to Yuuki Wakisaka from Internet Initiative Japan Inc.
- Unit test for dname subdomain test used by xfrd-tcp.c.
- Fix #329: TCP accept queues number.
- Fix that the reload handler for sigchild uses signal_add, and
also that the signal handler is restored when done.
- Fix that when server verify is done it resets the sigchild handler.
- Fix makedist.sh for simdzone inclusion.
- Fix makedist.sh to remove simdzone git tracking information and
scripting temporaries from tarball.
- Fix error output of makedist.sh.
- Use simdzone version with name parser fix.
- Bump simdzone version to fix OpenBSD build issues.
NSD 4.9.1
This release fixes the build scripts in the release of version 4.9.0.
Version 4.9.0 adds support for DNS Catalog Zones (RFC 9432) version "2".
Both producer and consumer roles for catalog zones are implemented, but
only a single consumer zone is allowed. The "coo" property, relevant
when multiple consumer zones can be configured, is therefore not
supported. The "group" property is. Consult the nsd.conf man page for
details on how to configure and use catalog zones.
Thanks to Fredrik Pettai from Sunet for providing feedback and testing
DNS Catalog Zones.
4.9.1
BUG FIXES:
- Use rooted temporary path in makedist.sh.
NSD 4.9.0
This release adds support for DNS Catalog Zones (RFC 9432) version "2".
Both producer and consumer roles for catalog zones are implemented, but
only a single consumer zone is allowed. The "coo" property, relevant
when multiple consumer zones can be configured, is therefore not
supported. The "group" property is. Consult the nsd.conf man page for
details on how to configure and use catalog zones.
Thanks to Fredrik Pettai from Sunet for providing feedback and testing
DNS Catalog Zones.
4.9.0
FEATURES:
- Merge #315: Allow SOA apex queries to zones otherwise protected with
allow-query for clients matching a provide-xfr rule, because
clients that are allowed to transfer the zone need to be able to
query SOA at the apex preceding the actual transfer.
- Merge #304: Support for Catalog zones version "2" as specified in
RFC 9432. Both the consumer as well as the producer role are
implemented, but only a single catalog consumer zone is allowed.
The "coo" property, only relevant with multiple catalog consumers,
is therefore not supported. The "group" property is supported.
Have a look at the nsd.conf man page for details on how to
configure and use catalog zones.
BUG FIXES:
- Fix to sync the tests script file common.sh.
- Update test script file common.sh.
- Fix #306: Missing AC_SUBST(dbdir) breaks installation with 4.8.0.
- Fix for #306: Create directory for xfrd.state and zone.list files
in make install.
- Merge #307 from anandb-ripencc: Many improvements to the nsd.conf
man page.
- Fix #308: Deprecate "multi-master-check" in favour of
"multi-primary-check".
- Merge #309: More RFC 8499 compliance.
- Fix control-reconfig-xfrd test for zonestatus primary that is
printed by nsd-control zonestatus.
- Move acx_nlnetlabs.m4 to version 47, with crypt32 check.
- Move acx_nlnetlabs.m4 to version 48, with ssp and getaddrinfo
include check.
- Fix #313: nsd 4.8 stats with implausible spikes.
- Fix compile with memclean for xfrd nsd.db close.
- In xfrd del secondary zone, the timer could perhaps have
event_added, and if so, it would not be event_del if a tcp
connection is active at the time. This could cause the libevent
event lists to fail. Also fix to make sure to set event_added for
the nsd-control ssl nonblocking handshake and check event_added
there too, for extra certainty.
- Merge #316: Fix to reap defunct children by the reload process that
emerged when some serve child processes were still serving TCP
request while the others had already quit, while the reload process
was waiting for the signal from the backup/old main process that all
children exited.
- Fix (also from Merge #316) to reap exited children more frequently
from server main loop for processes that exited during reload, but
missed the initial reaping at start of the main loop because they
took somewhat longer to exit.
- Fix timing sensitivity in ixfr_outsync test.
- Test if debug is available in do-tests.
- Enforce timeout from NSD in ixfr_gone test.
- Update expressions in ixfr_and_restart test.
- Make algorithm explicit in control-repattern test.
- Switch algorithm to hmac-256 for testplan_mess test.
- Replace multiple strcat and strcpy by snprintf.
NSD 4.8.0
This release introduces PROXYv2 support and faster statistics gathering,
removes the database option and fixes bugs.
The proxy protocol support is an implementation of PROXYv2 for NSD.
It can be configured with proxy-protocol-port: portnum with the port
number of the interface on which proxy traffic is handled. The
interface can support proxy traffic for UDP, TCP and TLS.
The removal of the "database: nsd.db" option removes unneeded code. It
stored secondary zones in binary format. Zone files are used instead.
This turns out to be about the same speed, for file access, and uses
much less memory. Plain text is also easier to deal with when inspecting
the contents. Intended improvements in zone parser speed are expected
to further enhance the performance, making it faster than the binary
database.
The option to turn the database off with "" was introduced in 4.1.7
in 2015. It is now removed, and the 'database:' option is ignored for
backwards compatibility, also the commandline '-f' option is ignored for
backwards compatibility. This means NSD can start even though the option
is present, and can then transfer zones from the primary and serve them.
Statistics are processed faster. NSD now uses shared memory to convey
the statistics from the server processes to the xfrd process. This is
faster, and also works while a reload is in progress. The statistics are
no longer written over the command pipes between processes, and so do
not wait for the processes. It is similar to how zone-stats have been
implemented. It works for both stats and stats_noreset.
Thanks to Sunet for sponsoring the proxy protocol, and providing
useful feedback in the early testing of the proxy protocol.
4.8.0
FEATURES:
- Merge #281: Proxy protocol. An implementation of PROXYv2 for NSD.
It can be configured with proxy-protocol-port: portnum with the
port number of the interface on which proxy traffic is handled.
The interface can support proxy traffic for UDP, TCP and TLS.
- Merge #301: improve the logging of ixfr fallbacks to axfr.
- Merge #305: faster stats. Statistics can be gathered while a reload
is in progress.
BUG FIXES:
- Merge #282: Improve nsd.conf man page.
- Fix unused but set variable warning.
- Fix #283: Compile failure in remote.c when --disable-bind8-stats
and --without-ssl are specified.
- Fix #284: dnstap_collector.c: SOCK_NONBLOCK is not available on
Mac/Darwin.
- Fix unused variable warning in unit test of udb.
- Merge #287: Update nsd.conf.5.in.
- Fix autoconf 2.69 warnings in configure.
- Merge #295: Update e-mail addresses, add ref to support contracts.
- Fix for interprocess communication to set quit sync command from
main process explicitly.
- Fix processing of consolidated IXFRs.
- Remove on-disk database.
- Answer first query for connections accepted just before reload.
- Fix: Always instate write handler after reading a query over TCP.
- Fix #14: Set timeout to 3s when servicing remaining TCP connections.
- Merge #302: Test package fixes. Correct Auxfiles, kill_from_pidfile
function and fix drop_updates, rr-test and xfr_update tests.
- Fix unit test kill_from_pidfile function for nonexistent files
because the argument is evaluated before the test expression.
- Fix rr-test to also convert the contents of the just written output
file.
- Fix test set to remove -f nsd.db and rm nsd.db commands.
- Fix test set to remove difffile option.
NSD 4.7.0
This release adds a script for bash autocompletion for nsd-control. Also
nsd-control can be configured to use unencrypted operation also when
compiled without openssl. There is also a systemd service unit example
file contributed. The dnstap log service can be contacted over TCP, with
the dnstap-ip: ip option. It is also possible to use TLS, with
dnstap-tls, it is enabled by default, and can be configured with the
dnstap-server-name, dnstap-cert-bundle, dnstap-client-key-file and
dnstap-client-cert-file options. The configure option
--enable-root-server is obsolete, it is no longer used and defaults to
on. In addition, the build file should support multicore build with
flex and bison more easily.
4.7.0
FEATURES:
- Merge #263: Add bash autocompletion script for nsd-control.
- Fix #267: Allow unencrypted local operation of nsd-control.
- Merge #269 from Fale: Add systemd service unit.
- Fix #271: DNSTAP over TCP, with dnstap-ip: "127.0.0.1@3333".
- dnstap over TLS, default enabled. Configured with the
options dnstap-tls, dnstap-tls-server-name, dnstap-tls-cert-bundle,
dnstap-tls-client-key-file and dnstap-tls-client-cert-file.
BUG FIXES:
- Fix #239: -Wincompatible-pointer-types warning in remote.c.
- Fix configure for -Wstrict-prototypes.
- Fix #262: Zone(s) not synchronizing properly via TLS.
- Fix for #262: More error logging for SSL read failures for zone
transfers.
- Merge #265: Fix C99 compatibility issue.
- Fix #266: Fix build with --without-ssl.
- Fix for #267: neater variable definitions.
- Fix #270: reserved identifier violation.
- Fix to clean more memory on exit of dnstap collector.
- Fix dnstap to not check socket path when using IP address.
- Fix to compile without ssl with dnstap-tls code.
- Dnstap tls code fixes.
- Fix include brackets for ssl.h include statements, instead of quotes.
- Fix static analyzer warning about nsd_event_method initialization.
- Fix #273: Large TXT record breaks AXFR.
- Fix ixfr create from adding too many record types.
- Fix cirrus script for submit to coverity scan to libtoolize
the configure script components config.guess and config.sub.
- Fix readme status badge links.
- make depend.
- Fix for build to run flex and bison before compiling code that needs
the headers.
- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
- For #279: Note that autoreconf -fi creates the configure script
and also the needed auxiliary files, for autoconf 2.69 and 2.71.
- Fix unused variable warning in unit test, from clang compile.
- Fix #240: Prefix messages originating from verifier.
- Fix #275: Drop unnecessary root server checks.
NSD 4.6.1
This release has a couple of bug fixes. The ALPN is set for DNS over
TLS connections, and the SVCB type supports the dohpath parameter.
4.6.1
FEATURES:
- Set ALPN "dot" token during connection establishment as per RFC9103
section 7.1 (Thanks Cesar Kuroiwa).
- Add SVCB dohpath support.
BUG FIXES:
- Fix static analyzer reports, fix wrong log print when skipping xfr,
fix to print error on pipe read fail, and assert an xfr is in
progress during packet checks.
- Use AC_PROG_CC_STDC with autoconf versions prior to 2.70.
- Add missing documentation for zone verification.
- Fix #212: Change commandline control actions to always log.
- Merge #231 from moritzbuhl: Fix checking if nonblocking sockets work
on OpenBSD.
- Change zone parsing to accept non-trailing newline.