Features:
* TCP writev support.
Bugfixes:
* Fix build on OpenBSD (thanks Oliver Peter).
* Prioritize notify sender for requesting XFR (thanks Ilya dBakulin).
* Fix crash in zonec if TXT string too long (thanks Ilya Bakulin).
* tzset before chroot for correct timezone (thanks Camiel Dobbelaar).
* Fix --disable-full-prehash bug when nsdc patch happens while ixfr too,
it did not rehash the new database.
* Bugfix #464: Conditionally define MAXHOSTNAMELEN.
Bugfixes:
* Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service vulnerability
from DNS packet when using --enable-zone-stats.
* Bugfix #460: man page correction - identity.
* Fix for nsd-patch segfault if zone has been removed from nsd.conf
NSD 3.2.12
Bugfixes
Fix for VU#624931 CVE-2012-2978: NSD denial of service
vulnerability from non-standard DNS packet from any host on
the internet.
NSD 3.2.11
Features
Fallback to AXFR if IXFR is unknown at the primary. NSD considers
IXFR unknown at the primary if there is a negative response
for the IXFR RRtype. This does not override the value for
'allow-axfr-fallback'.
Allow for reading in new DNSKEY algorithm mnemonics (RFC5155,
RFC5702, RFC5933, and RFC6605 (ECDSA)).
Zone statistics, enable with --enable-zone-stats. This stores
the BIND8 stats per zone in a configurable statistics file.
This option does not scale and should therefore not be enabled
when serving many zones.
Support for TLSA RRtype (DANE).
Bugfixes
Fix for qtype ANY for a wildcard domain in NSEC signed zone:
Don't add the wildcard domain NSEC into the answer section.
Instead, put the wildcard expanded NSEC into the answer section
and keep the wildcard domain NSEC in the authority section.
Fix for accept spinning reported by OpenBSD.
Fix restart failed due to bad ixfr packet because of zone
removed from nsd.conf.
Bugfix #453: typo in nsdc man page.
Operational notes
NSD uses the query name for dname compression again (Fix#235
had as side effect that this didn't happen anymore and is hereby
undone).
Bugfixes:
* Bugfix #421: Truncate pidfile on shutdown, before unlink.
* Bugfix #423: Fix slow zone transfer processing due to
'Fix is_existing flag for ENT' bugfix.
* Bugfix #430: Fix segfault when MAX_INTERFACES set to more than 65K.
* Fix configure.ac strptime check for gcc 4.6.2, acx_nlnetlabs.m4 update
NSD 3.2.9
Features:
* Minimize responses to reduce truncation: NSD will only add optional
records to the authority and additional sections when the response size
does not exceed the minimal response size.
* The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
1220 (EDNS/IPv6), or the advertized EDNS buffer size if that is smaller
than the EDNS default.
* The feature is enabled by default. You can disable it by configuring NSD
with --disable-minimal-responses.
* Less NSEC3 prehashing. This will make NSD handle zone transfers faster,
but will decrease the performance of NXDOMAIN and wildcard NODATA responses.
Full prehashing is enabled by default. If you want less NSEC3 prehashing,
configure NSD with --disable-full-prehash. Thanks Secure64 for the patch.
Bugfixes:
* Bugfix #302: nsd accepts XFR but refuses to re-read the slave zone.
* Bugfix #365: set patch style and zonec verbose for nsdc.
* First step of bug #369: RRSIG DNSKEY sets zone to be treated DNSSEC.
* Bugfix #375: typos in nsd.conf.5.
* Bugfix #381: Binary escaped and transfers.
* Bugfix #397: Don't allow relative domain names as origin in $INCLUDE
directives.
* Fix printout of IPSECKEY by nsd-patch.
* Fix is_existing flag for ENT when domain that has a shared ENT is deleted
by IXFR. (ENT == Empty Non-Terminal)
* Fix bug if the zonefile is changed for a secondary but stored transfers
are applied, and stop it from applying ixfr to empty zone. The zone is
flagged with error and AXFR-ed.
* Fix to have no authority NS set processing for CNAMEs.
* Fix nsd-checkconf to check tsig algorithms properly.
* Set the AA bit on responses that have an authoritative CNAME.
* Fix denial of existence response for empty non-terminal that looks like
a NSEC3-only domain (but has data below it).
Operational notes:
nsd.db version number increased because NSD 3.2.7 and earlier zonec is not
compatible due to the TXT strings change. Please run nsdc rebuild before
running NSD 3.2.9 and later versions.
Bugfixes:
* Do setusercontext before chroot, otherwise login.conf etc. are required inside chroot.
* Bugfix #216: Fix leak of compressiontable when the domain table increases in size.
* Bugfix #348: Don't include header/library path if OpenSSL is in /usr.
* Bugfix #350: Refused notifies should log client ip.
* Bugfix #352: Fix hard coded paths in man pages.
* Bugfix #354: The realclean target deletes a bit too much.
* Bugfix #357, make xfrd quit with many zones.
* Bugfix #362: outgoing-interface and v4 vs. v6 leads to spurious warning messages.
* Bugfix #363: nsd-checkconf -v does not print outgoing-interface ok.
* Bugfix: nsd-checkconf -o outgoing-interface omits NOKEY.
* Undo Bugfix #235: Don't skip dname compression, messes up packets that do need compression.
Operational notes:
* Use 'make clean' to clean up files that make created.
* Use 'make realclean' to also clean up files that were generated by running ./configure.
* Use 'make devclean' to also clean up autoconf, autoheader files.
NSD 3.2.7:
Bugfixes:
* Bugfix #253: Don't put NS RRs in a response with QTYPE=DS.
* Bugfix #320: use arcrandom(4) for QID generation if available.
* Bugfix #328: nsd-checkconf overrun.
* Bugfix #343: nsdc update fix.
* Bugfix #347: Wrong NSEC3 returned for nodata response QTYPE=DS no delegation.
* Bugfix: Allow for huge amount of strings in TXT (and other) records.
* Bugfix: nsdc can now deal with tsig algorithms other than hmac-md5.
* Fixed several parts in the documentation, including #306, #345.
Features:
* New option 'nsid:', to specify the NSID (Bugfix #298).
* The default chroot can be set with --with-chroot=dir.
If not set, by default chroot will not be used.
* Optimized zonec and b64_pton compatibility code.
* Optimized memory allocations. Use mmap/munmap instead of malloc/free.
Experimental, by default off. Enable it at build time with --enable-mmap.
Bugfixes:
* NSD will not start if chroot is configured,
but changing root is not possible
* Make use of the more secure strl* functions.
* Bugfix #303: spelling error.
Operational notes:
* NSID support is now enabled by default.
* Support DLV records.
* New option 'tcp-query-count:', to limit the maximum number of DNS
queries on a single tcp connection.
* New option 'tcp-timeout:', to override the default tcp timeout.
The option can also be set at build time, --with-tcp-timeout.
* New option 'notify-retry:', to configure how many times NSD should
retry a NOTIFY message.
* New options 'ipv4-edns-size:' and 'ipv6-edns-size:', to set your
preferred EDNS buffer size.
* Ignore SIGHUP to child processes.
* UDP/IPv4 sockets have new options set that will disable the DF
flag in IP packets.
* Bug #236: Allow RRs before the SOA in a zonefile.
* Bug #229: Remove the C99 code.
* Bug #253: Don't put NS RRs in a response with QTYPE=DNSKEY.
* Bug #263: Make TSIG algorithm comparison case insensitive.
* Bug #266: Build failed on systems without strptime.
* Fix install hickup.
* Fix to use 4096 EDNS limit for IPv6 on Linux.
Allows nsd-patch to directly work on the database without intermediate
zonefile. Allow file rotation for nsd.log. Allow disabling AXFR
fallback.
Fix off-by-one during query processing.
- improved IXFR support
- support for hmac-sha1 and hmac-sha256 in TSIG
- selection of source ip for notifies and zone requests
- NSEC3 is enabled by default
- option to disable CHAOS version support
- bugfixes
- better logging for nsd-notify and db creation failures
- nsdc start checks if nsd is already running
- fix loading data from files with relative names when chrootdir ends
with a slash
- fix a case when nsd would return FORMERR for edns queries with version
0 and rdlen larger than 0.
- don't answer nsec3 wildcard information when DO bit is not set
- fix man pages and improve consistency
- improved handling for malformed IXFRs
- report source and zone for denied AXFR requests
- improved handling of malformed nsec3 records
- fix ignored return value in region-allocator.
and to support the "inet6" option instead.
Remaining usage of USE_INET6 was solely for the benefit of the scripts
that generate the README.html files. Replace:
BUILD_DEFS+= USE_INET6
with
BUILD_DEFS+= IPV6_READY
and teach the README-generation tools to look for that instead.
This nukes USE_INET6 from pkgsrc proper. We leave a tiny bit of code
to continue to support USE_INET6 for pkgsrc-wip until it has been nuked
from there as well.
NOTE: the configuration file format has changed. Don't update blindly.
Major changes:
- integrated AXFR/IXFR support for zone transfer. IXFR is not supported
when acting as master.
- TSIG authentication support for queries, notifies and zone transfers.
- full NOTIFY support
- DNAME type is supported
- experimental support for NSEC3 and NSID, not enabled in pkgsrc
- various bug fixes.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
${VARBASE}/db/nsd.db on all platforms and use user/group nsd for the
daemon to run as. Install sample configuration without .sample
extension. Take maintainership. Bump revision.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
FEATURES:
- NSD now fully supports unknown record types using the
notation specified in RFC3597.
- Support for the following RR types has been added: WKS, X25,
ISDN, RT, NSAP, PX, NAPTR, KX, CERT, DNAME, and APL. DNAME
special processing is not supported.
and bug fixes.
2.0.2
=============
BUG FIXES:
- Allow the use of a mnemonic for the algorithm field of a
DNSKEY record.
- Behavior of the zonec -v flag has been modified. By default
zonec will only print a single line with a summary of the
error count.
- Bug #75: Fixed typo in previous "fix".
NSD 2.0.1 release notes:
BUG FIXES:
- Queries for QTYPE DS (DNSSEC) were not handled correctly in
certain cases.
- Partial support for unknown RRs. Known RR types with
unknown RR data format is not yet supported.
- Bug #75: Fixed bad error message when nsdc update is run for
the first time.
- Bug #78: Multiple zones, each with include directives, are
now compiled correctly.
=============
BUG FIXES:
- Bug #59: NSD returns FORMERR when the query name is >= 246
bytes.
- Bug #60: Zonec runs out of file descriptors with many zones.
- Bug #61: nsdc uses /bin/sh hardwired (and should not).
- Bug #62: NSD is not able to log to a file.
- Bug #63: nsdc update and zonec are too tallkative.
- Bug #64: Answer for request of a host resolved by a
wildcard-resource-record is not understandable by dig.
