This release fixes memory leaks when reading zonefiles
and processing zone transfers.
4.1.20
================
BUG FIXES:
- Fix memory leak in zone file read of unknown rr formatted RRs.
- Fix memory leak when rehashing nsec3 after axfr or zonefile read,
in the selectively allocated precompiled nsec3 hashes.
Also changed to DISTVERSION
Submitted by: jaap@NLnetLabs.nl (maintainer)
Approved by: tcberner (mentor, implicit)
This release has features for saving memory and faster notification.
With --enable-packed, 33% memory savings could be had, or something
along that size. Notification of secondary servers happens in parallel,
and has faster timeouts. More sockets are used for zone transfers.
This speeds up communication with a larger set of servers. Additionally
a bug is fixed for dual-loaded parent-and-child zone configured at the
same time, when one of the zones has not loaded properly.
FEATURES:
- xfr-inspect, it is not installed, it prints xfr files from /tmp
made with 'make xfr-inspect' in the source dir.
- retry timeout between sending notifies dropped from 15 to 3 sec.
- NSD sends 16 notifies simultaneously.
- configure --enable-packed reduces memory usage, at expense of
unaligned reads. Saves about 17%.
- Save memory by selectively allocate precompiled nsec3 hashes,
saves about 16% memory.
- make ip-transparent option work on OpenBSD.
- Save about 2% memory by changing usage count size in name tree.
- Fix#2871: Increase number of sockets for xfrd transfers.
BUG FIXES:
- Fix gcc 7.1.1 warnings.
- Fix writev compile warning on FreeBSD.
- Fix#1446: A corrupted zone file "propagates" to good ones.
- nsd-control zonestatus prints wait time between attempts, for zones
that are in that waiting time.
- Fix collision printout of nsec3 to print name, hash and reverse.
- Fix#1567: Change crit to err log level for gettimeofday failure.
Add defines for compile without syslog.
- Fix crash for DS query when parent and child zones both configured
in nsd.conf and parent zone has not loaded properly.
PR: 224025
Submitted by: jaap@NLnetLabs.nl (maintainer)
Features:
- zone parser parses type AVC (it has TXT format).
- Fix#1272: use writev to put tcp length field with data for outgoing
zone transfer requests.
Bugfixes:
- Fix potential null pointer in nsec3 adjustment tree.
- Fix text format of deletes for CDS and CDNSKEY, single 0 to represent
empty base64 or hex string.
PR: 220939
Submitted by: jaap@NLnetLabs.nl (maintainer)
features:
- zone parser can parse acronyms for algorithms ED25519 and ED448.
- Fix 1243: Option to make NSD emit really minimal responses,
minimal-responses: yes in nsd.conf.
bug fixes:
- Calculate new udb index after growing the array, fix from
Chaofeng Liu.
- Fix missing _t to _type conversion for disable-radix-tree option.
- Printout serial error with hint it may be too big.
- Fix 1228: OpenSSL include is not guarded with HAVE_SSL
- Patch for expire state in multi-master when masters includes
broken master, from Manabu Sonoda.
- minor manpage fix.
PR: 218873
Submitted by: jaap@NLnetLabs.nl (maintainer)
- Noting NSD changelog, recent update renamed _t typedefs because POSIX
reserves them. The 4.1.15 update missed a few conversion.
- Unbreak RADIXTREE. No PORTREVISION change as port would not have built.
PR: 217640
Reported by: Max Kostikov <max@kostikov.co>
Submitted by: w.schwarzenfeld@utanet.at (the suggested diff)
jaap@NLnetLabs.nl (maintainer - the port patch)
Obtained from: nsd svn r4741
SUMMARY:
Some features, such as multi master check option that does not upgrade
from the first master that answers, but picks the best one.
Additional section handling for type SRV. And bug fixes.
FEATURES:
- multi-master-check: yes can be used to check all masters for the
last version, using the higher version from the configured masters,
from Manabu Sonoda.
- Support RR type OPENPGPKEY from RFC 7929.
- Can config key algorithms with the digest name, eg. 'sha256'.
- configure --disable-radix-tree for about 15% lower memory usage.
- for type SRV add A/AAAA to the additional section (if possible),
just like we already do for type MX.
- more extensible edns option handling.
BUG FIXES:
- Fix compile warnings about unused result from write and strtol.
and signcompare in minmax retrytime.
- Fix#812: fix that make depend fails after distribution.
- Fix#817: xfrd update failed loop.
- Add robustness against unallocated data in nsec3 trees.
- Fix README spelling error of BSD license (reported by Joerg Jung).
- Fix multimaster for not tried full zone transfer for a expired zone.
- Fix#827: fix compile with openssl 1.1.0 with api=1.1.0.
PR: 213021
Submitted by: maintainer
- Restore configurable IPV6 option. Upstream integrated fix for issue.
- FEATURES:
* When tcp is more than half full, use short timeout for tcp session.
* Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
* Fix#790: size-limit-xfr can stop NSD from downloading infinite zone transfer
data size, from Toshifumi Sakaguchi.
Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
- BUGFIXES:
* Fix build without IPv6, patch from Zdenek Kaspar.
* Fix#783: Trying to run a root server without having configured it silently
gives wrong answers.
* Fix#782: Serve DS record but parent zone has no NS record.
* Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
PR: 211693
Submitted by: jaap@NLnetLabs.nl (maintainer)
Security: CVE-2016-6173
Security: https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html
MFH: 2016Q3
Remove the IPv6 option that is causing builds to fail when it is
disabled. The issue does not affect package users, as it was a default
option.
The issue has been fixed upstream [1] and will be included/renabled
in the next version update.
While I'm here:
* Switch to USES=ssl
* Add --enable-ipv6 in CONNFIGURE_ARGS to ensure it's explicitly enabled
[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=800
PR: 211303
Reported by: <vfx9as gmail com>
Approved by: maintainer <jaap NLnetLabs nl>
MFH: 2016Q3
- add ability to build agains openssl or libressl from ports
- add MUNIN_PLUGIN_IMPLIES= BIND8_STATS
- use @sample macro in pkg-plist for nsd.conf
- s/exec/postexec/ pkg-plist
FEATURES:
- #732: tcp-mss, outgoing-tcp-mss options for nsd.conf, patch
from Daisuke Higashi.
- #739: zonefile changes when mtime is small are detected on reload,
if filesystem supports precision mtime values.
- RR type CSYNC (RFC7477) syntax is supported.
BUG FIXES:
- take advantage of arc4random_uniform if available, patch from
Loganaden Velvindron.
- Fix flto check for OSX clang.
- Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on Linux.
- Fix#736: segfault during zone transfer.
- Fix#744: Fix that NSD replies for configured but unloaded zone
with SERVFAIL, not REFUSED.
PR: 207951
Submitted by: jaap@NLnetLabs.nl (maintainer)
MFH: 2016Q1
Major Bug Bug Fixes:
- This release fixes segfault after start when many interfaces are in use.
- This version returns the EDNS bad version response with the AD flag
unset for improved conformance.
Minor Buf Fixes:
- Fix#701: Fix that AD=1 set in a BADVERS response.
- Fix typo in zonec.c inside error message.
- Fix#711: Document that debug-mode yes is used for staying
attached to the supervisor console.
- Document verbosity 3 prints more information.
- nsd-checkconf warns for master zones with no zonefile statement.
- Fix start failure when many file descriptors are in use.
- The servfail rcode is not printed with a space in the middle.
- print failed token for config syntax error or parse error.
PR: 204533
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
FEATURES:
- RFC7553 RR Type URI support.
- removed hardcoded interface limit, --with-max-ips removed.
- Admitted axfrs are logged at verbosity 1. Refused at verbosity 2.
Major BUG FIXES:
- Fix NSID response for short edns sizes.
- Fix that for expired zones NSD performs an AXFR and accepts newer
and older serial numbers.
PR: 203231
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
Major Features:
- RFC 7344: CDS and CDNSKEY (read record types).
- per zone statistics with --enable-zone-stats
- Disabled use of SSLv3 in nsd-control.
- Synthesize CNAMEs with same TTL as DNAME.
- nsd-checkconf -f prints out full name of pidfile (with dir). [1]
PR: 197291,
196449 [1]
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>,
Adam Zaleski <adam@zaleski.org> [1]
- Use nsd instead of bind user
This release has new features and bugfixes. In nsd.conf you can
configure database: "" this makes NSD not use the large mmapped nsd.db
file, but instead read and write the zonefiles in text format, which
saves about 50% of the memory usage. Also zonefile reading and
writing has been optimised to be faster, as well as processing time
for zone transfers. NSD writes the (changed) zonefiles every hour.
The new nsd-checkzone tool reports if a zonefile parses so you can check
it before reading it into the daemon.
A bug is fixed where NSD 4 causes rising load average and memory
consumption on Linux systems, which is caused by a bug in Linux that
slowly deteriorates system performance by repeated recursive forks.
Full release notes: http://open.nlnetlabs.nl/pipermail/nsd-users/2014-September/002007.html
PR: 193332
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
Remove libevent as libevent2 is providing a good compatibility interface as well
as providing better performances.
Remove custom patches from libevent2 and install libevent2 the regular way
Mark ports abusing private fields of the libevent1 API as broken
Import a patch from fedora to have honeyd working with libevent2
Remove most of the patches necessary to find the custom installation we used to
have for libevent2
With hat: portmgr
- remove PKG-INSTALL from post-install (not used with staging)
- move pkg-install and pkg-deinstall into pkg-plist
Approved by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer, per PM)
- Convert LIB_DEPENDS to new format [1]
- Remove leading article from COMMENT
- Switch to options helpers
- Conditional installation of docs is not needed with stage
- Don't show pkg-message twice
PR: ports/186693 [1]
Submitted by: Denis Generalov <gd.workbox@gmail.com>
Approved by: maintainer
Added STAGING support
Added LICENSE (NSD3CLAUSE) statement
Other small changes to make portlint more happy
PR: 186631
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
- Cleanup rc script
FEATURES:
- recognizes ip-address and interface as synonyms for convenience.
- Support for EUI48 and EUI64 RR types enabled by default (RFC 7043).
- Support for CAA RRtype (RFC 6844).
- NSID can be set with "ascii_somestring" in ascii.
BUG FIXES:
- Fix xfrd when zone transfer TCP contains zero length packets.
- Fix for NSEC3 zones where parent zone is co-hosted, also NSEC3,
because AXFRs overwrote nsec3 administration in the child zone.
- Fix that bad IXFR updates do not result in double SOA records,
and that an AXFR is started (attempted) when the zone state seems
to be inconsistent with the master's zone state.
- Log ip address for sendto and sendmmsg failures.
- Fix segfaults after read of zones with rr type WKS from zonefile.
- Seed PRNG for openssl at start of daemon, fixes SSL connection issue.
- Bugfix #534: IXFR query loop over UDP for zones that are unchanged.
- (same as in 3.2.16): fix wildcard cname to nxdomain repeated rrset.
- (same as in 3.2.16): Bugfix #542: Match RRSIG TTL with SOA TTL in
negative response.
- Check if configure in srcdir collides with outofdir build.
- Fix#546: output format errors in nsd_munin_ (Thanks Tom Hendrikx).
- Fix printout of high-chars in TXT on NetBSD.
PR: ports/186308
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
For all new features, see
http://www.nlnetlabs.nl/svn/nsd/tags/NSD_4_0_0_REL/doc/NSD-4-features
This version replaces the nsdc control program with nsd-control.
This requires some manual setup with nsd-control-setup and editing
of the config files. nsd-control is incompatible with nsdc so when
that is used in scripts, these should be adapted.
NSD 3 is still supported as dns/nsd3.
PR: 183888
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
