SUMMARY:
Some features, such as multi master check option that does not upgrade
from the first master that answers, but picks the best one.
Additional section handling for type SRV. And bug fixes.
FEATURES:
- multi-master-check: yes can be used to check all masters for the
last version, using the higher version from the configured masters,
from Manabu Sonoda.
- Support RR type OPENPGPKEY from RFC 7929.
- Can config key algorithms with the digest name, eg. 'sha256'.
- configure --disable-radix-tree for about 15% lower memory usage.
- for type SRV add A/AAAA to the additional section (if possible),
just like we already do for type MX.
- more extensible edns option handling.
BUG FIXES:
- Fix compile warnings about unused result from write and strtol.
and signcompare in minmax retrytime.
- Fix#812: fix that make depend fails after distribution.
- Fix#817: xfrd update failed loop.
- Add robustness against unallocated data in nsec3 trees.
- Fix README spelling error of BSD license (reported by Joerg Jung).
- Fix multimaster for not tried full zone transfer for a expired zone.
- Fix#827: fix compile with openssl 1.1.0 with api=1.1.0.
PR: 213021
Submitted by: maintainer
- Restore configurable IPV6 option. Upstream integrated fix for issue.
- FEATURES:
* When tcp is more than half full, use short timeout for tcp session.
* Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
* Fix#790: size-limit-xfr can stop NSD from downloading infinite zone transfer
data size, from Toshifumi Sakaguchi.
Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.
- BUGFIXES:
* Fix build without IPv6, patch from Zdenek Kaspar.
* Fix#783: Trying to run a root server without having configured it silently
gives wrong answers.
* Fix#782: Serve DS record but parent zone has no NS record.
* Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
PR: 211693
Submitted by: jaap@NLnetLabs.nl (maintainer)
Security: CVE-2016-6173
Security: https://vuxml.FreeBSD.org/freebsd/7d08e608-5e95-11e6-b334-002590263bf5.html
MFH: 2016Q3
Remove the IPv6 option that is causing builds to fail when it is
disabled. The issue does not affect package users, as it was a default
option.
The issue has been fixed upstream [1] and will be included/renabled
in the next version update.
While I'm here:
* Switch to USES=ssl
* Add --enable-ipv6 in CONNFIGURE_ARGS to ensure it's explicitly enabled
[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=800
PR: 211303
Reported by: <vfx9as gmail com>
Approved by: maintainer <jaap NLnetLabs nl>
MFH: 2016Q3
- add ability to build agains openssl or libressl from ports
- add MUNIN_PLUGIN_IMPLIES= BIND8_STATS
- use @sample macro in pkg-plist for nsd.conf
- s/exec/postexec/ pkg-plist
FEATURES:
- #732: tcp-mss, outgoing-tcp-mss options for nsd.conf, patch
from Daisuke Higashi.
- #739: zonefile changes when mtime is small are detected on reload,
if filesystem supports precision mtime values.
- RR type CSYNC (RFC7477) syntax is supported.
BUG FIXES:
- take advantage of arc4random_uniform if available, patch from
Loganaden Velvindron.
- Fix flto check for OSX clang.
- Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on Linux.
- Fix#736: segfault during zone transfer.
- Fix#744: Fix that NSD replies for configured but unloaded zone
with SERVFAIL, not REFUSED.
PR: 207951
Submitted by: jaap@NLnetLabs.nl (maintainer)
MFH: 2016Q1
Major Bug Bug Fixes:
- This release fixes segfault after start when many interfaces are in use.
- This version returns the EDNS bad version response with the AD flag
unset for improved conformance.
Minor Buf Fixes:
- Fix#701: Fix that AD=1 set in a BADVERS response.
- Fix typo in zonec.c inside error message.
- Fix#711: Document that debug-mode yes is used for staying
attached to the supervisor console.
- Document verbosity 3 prints more information.
- nsd-checkconf warns for master zones with no zonefile statement.
- Fix start failure when many file descriptors are in use.
- The servfail rcode is not printed with a space in the middle.
- print failed token for config syntax error or parse error.
PR: 204533
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
FEATURES:
- RFC7553 RR Type URI support.
- removed hardcoded interface limit, --with-max-ips removed.
- Admitted axfrs are logged at verbosity 1. Refused at verbosity 2.
Major BUG FIXES:
- Fix NSID response for short edns sizes.
- Fix that for expired zones NSD performs an AXFR and accepts newer
and older serial numbers.
PR: 203231
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
Major Features:
- RFC 7344: CDS and CDNSKEY (read record types).
- per zone statistics with --enable-zone-stats
- Disabled use of SSLv3 in nsd-control.
- Synthesize CNAMEs with same TTL as DNAME.
- nsd-checkconf -f prints out full name of pidfile (with dir). [1]
PR: 197291,
196449 [1]
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>,
Adam Zaleski <adam@zaleski.org> [1]
- Use nsd instead of bind user
This release has new features and bugfixes. In nsd.conf you can
configure database: "" this makes NSD not use the large mmapped nsd.db
file, but instead read and write the zonefiles in text format, which
saves about 50% of the memory usage. Also zonefile reading and
writing has been optimised to be faster, as well as processing time
for zone transfers. NSD writes the (changed) zonefiles every hour.
The new nsd-checkzone tool reports if a zonefile parses so you can check
it before reading it into the daemon.
A bug is fixed where NSD 4 causes rising load average and memory
consumption on Linux systems, which is caused by a bug in Linux that
slowly deteriorates system performance by repeated recursive forks.
Full release notes: http://open.nlnetlabs.nl/pipermail/nsd-users/2014-September/002007.html
PR: 193332
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Sponsored by: DK Hostmaster A/S
Remove libevent as libevent2 is providing a good compatibility interface as well
as providing better performances.
Remove custom patches from libevent2 and install libevent2 the regular way
Mark ports abusing private fields of the libevent1 API as broken
Import a patch from fedora to have honeyd working with libevent2
Remove most of the patches necessary to find the custom installation we used to
have for libevent2
With hat: portmgr
- remove PKG-INSTALL from post-install (not used with staging)
- move pkg-install and pkg-deinstall into pkg-plist
Approved by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer, per PM)
- Convert LIB_DEPENDS to new format [1]
- Remove leading article from COMMENT
- Switch to options helpers
- Conditional installation of docs is not needed with stage
- Don't show pkg-message twice
PR: ports/186693 [1]
Submitted by: Denis Generalov <gd.workbox@gmail.com>
Approved by: maintainer
Added STAGING support
Added LICENSE (NSD3CLAUSE) statement
Other small changes to make portlint more happy
PR: 186631
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
- Cleanup rc script
FEATURES:
- recognizes ip-address and interface as synonyms for convenience.
- Support for EUI48 and EUI64 RR types enabled by default (RFC 7043).
- Support for CAA RRtype (RFC 6844).
- NSID can be set with "ascii_somestring" in ascii.
BUG FIXES:
- Fix xfrd when zone transfer TCP contains zero length packets.
- Fix for NSEC3 zones where parent zone is co-hosted, also NSEC3,
because AXFRs overwrote nsec3 administration in the child zone.
- Fix that bad IXFR updates do not result in double SOA records,
and that an AXFR is started (attempted) when the zone state seems
to be inconsistent with the master's zone state.
- Log ip address for sendto and sendmmsg failures.
- Fix segfaults after read of zones with rr type WKS from zonefile.
- Seed PRNG for openssl at start of daemon, fixes SSL connection issue.
- Bugfix #534: IXFR query loop over UDP for zones that are unchanged.
- (same as in 3.2.16): fix wildcard cname to nxdomain repeated rrset.
- (same as in 3.2.16): Bugfix #542: Match RRSIG TTL with SOA TTL in
negative response.
- Check if configure in srcdir collides with outofdir build.
- Fix#546: output format errors in nsd_munin_ (Thanks Tom Hendrikx).
- Fix printout of high-chars in TXT on NetBSD.
PR: ports/186308
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
For all new features, see
http://www.nlnetlabs.nl/svn/nsd/tags/NSD_4_0_0_REL/doc/NSD-4-features
This version replaces the nsdc control program with nsd-control.
This requires some manual setup with nsd-control-setup and editing
of the config files. nsd-control is incompatible with nsdc so when
that is used in scripts, these should be adapted.
NSD 3 is still supported as dns/nsd3.
PR: 183888
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl>
- Add EUI_RRTYPES option
While here:
- Remove leading article from COMMENT
- Convert tab to space in WWW: line
PR: ports/180741
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Features
* Support for ILNP RR types: NID, L32, L64, LP (RFC6742).
* RRL, --enable-ratelimit at configure time and config options.
* TSIG initialization only fails when there is no digest found at all.
Bugfixes
* Bugfix #478: Declaration after statement (for gcc 2.95).
* Bugfix #483: Better error message in case of TSIG error.
* Bugfix #485: TTL should not be greater than 2^31 - 1.
* Fix RCODE when CNAME loop final answer does not exist,
should return NXDOMAIN as stated by RFC 6604.
* Fix --disable-full-prehash bug, where after multiple incoming IXFRs,
NSEC3 can be removed unjustified.
PR: 175837
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
- Trim header
Changes:
* Bugfixes
* New Feature: Use of writev, to improve TCP response time
PR: ports/173261
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Feature safe: yes
BUG FIXES:
- Fix for VU#624931 CVE-2012-2978: NSD denial of service
vulnerability from non-standard DNS packet from any host
on the internet.
PR: ports/170001
Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
Security: CVE-2012-2978
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().
In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.
Bugfixes:
Do setusercontext before chroot, otherwise login.conf etc. are required inside chroot.
Bugfix #216: Fix leak of compressiontable when the domain table increases in size.
Bugfix #348: Don't include header/library path if OpenSSL is in /usr.
Bugfix #350: Refused notifies should log client ip.
Bugfix #352: Fix hard coded paths in man pages.
Bugfix #354: The realclean target deletes a bit too much.
Bugfix #357, make xfrd quit with many zones.
Bugfix #362: outgoing-interface and v4 vs. v6 leads to spurious warning messages.
Bugfix #363: nsd-checkconf -v does not print outgoing-interface ok.
Bugfix: nsd-checkconf -o outgoing-interface omits NOKEY.
Undo Bugfix #235: Don't skip dname compression, messes up packets that do need compression.
PR: ports/155785
Submitted by: Jaap Akkerhuis <jaap _at_ nlnetlabs.nl> (maintainer)
- support reload command
- use nsdc cli has command and let it perform the actual start,stop,... of the daemon
- at start check if the database exists if not built it (this prevent the daemon to fail at starting)
- remove the now userless sleep in stop command
bump portrevision
PR: ports/152331
Submitted by: Philippe Pepiot <phil _at_ philpep.org>
Approved by: Jaap Akkerhuis <jaap _at_ NLnetLabs.nl> (maintainer)
