NSD

NSD 3.2.4

• Support DLV records.
• New option 'tcp-query-count:', to limit the maximum number of DNS queries on a single tcp connection.
• New option 'tcp-timeout:', to override the default tcp timeout. The option can also be set at build time, --with-tcp-timeout.
• New option 'notify-retry:', to configure how many times NSD should retry a NOTIFY message.
• New options 'ipv4-edns-size:' and 'ipv6-edns-size:', to set your preferred EDNS buffer size.

• Bugfix #269: Additional c99 syntax.
• Bugfix #276: Zonec prints debug data to stderr.
• Bugfix #286: Document verbosity levels in nsd.conf manual page.
• Bugfix #288: Ignore SIGHUP to child processes.
• Fix typo in include file for setusercontext.

• UDP/IPv4 sockets have new options set that will disable the DF flag in IP packets.

NSD 3.2.3

• Bug #236: Allow RRs before the SOA in a zonefile.
• Bug #229: Remove the C99 code.
• Bug #253: Don't put NS RRs in a response with QTYPE=DNSKEY.
• Bug #263: Make TSIG algorithm comparison case insensitive.
• Bug #266: Build failed on systems without strptime.
• Fix install hickup.
• Fix to use 4096 EDNS limit for IPv6 on Linux.

NSD 3.2.2

• Off-by-one buffer overflow fix while processing the QUESTION section.
• Return BADVERS when NSD does not implement the VERSION level of the request, instead of 0x1FORMERR.
• Bugfix #234.
• Bugfix #235.
• Reset 'error occurred' after notifying an error occurred at the $TTL or $ORIGIN directive (Otherwise, the whole zone is skipped because the error is reset after reading the SOA).
• Minor bugfixes.

NSD 3.2.1

• New configuration option 'allow-afxr-fallback', "yes" by default. If set to "no", NSD will never do AXFR fallback, even if the master does not support IXFR.
• Allow file rotation on nsd.log.
• The new nsd-patch options -s and -o allows you to skip writing zonefiles and store the output directly to a database file, respectively.

• When configuring, don't do strptime test when cross-compiling.
• Bug #230: Output non-error messages to stdout.
• Better error message when ixfr.db old file format is read.
• Bug #218: shared UDP query for all interfaces.
• Bug #222: Remove bashism from nsdc script.
• Nicer check for SHA-256 functionality.
• Fixed some minor memory leaks that occured on reload.
• nsdc: check if a lockfile has not gone stale, when lock failed.
• Bugfix strptime compatibility function.

• NSD will now fallback to AXFR, only if the master does not support IXFR.
• You can adjust nsdc patch to skip textfile patching. This will increase the patching process, but will not output to zonefiles anymore. By default, this is turned off.

NSD 3.2.0

• AXFR/TCP fallback in case of failing IXFR zone transfers.
• RFC 4635: support for hmac-sha1 and hmac-sha256 TSIG algorithm identifiers, "Bugfix #130".
• Configure the source ip-address for notifies (master) and zone requests (slave) in nsd.conf, "Bugfix #148".
• nsd-notify and nsd-xfer allow you to configure the outgoing hostname and source port, in addition to the source address.
• Additional debug and verbose log messages.

• Only normalize dnames in rdatas when rrtype is listed in RFC 4034, section 6.2: Canonical RR Form, following draft-ietf-dnsext-dnssec-bis-updates (affects RRSIG and NSEC records).
• Typo in zonec manpage.
• Bugfix in log_finalize.
• Fix race condition between nsdc patch and server reload.

• IMPORTANT: Format of ixfr.db has changed. When you are planning an upgrade to the new NSD release, make sure to process the old ixfr.db before starting the new release (by running nsdc patch).
• IXFR is transmitted over TCP by default instead of UDP. If you want to continue the use of IXFR/UDP, please modify your zone configuration file to: request-xfr: UDP 1.2.3.4 tsigkey
• We strongly recommend to enable TSIG if you send IXFR over UDP. When all masters fail to transmit IXFR/UDP, slave will fallback to IXFR/TCP and eventually AXFR/TCP.
• nsd-patch prints errors to stderr instead of stdout.

NSD 3.1.1

• The number of maximum interfaces allowed is configurable with --with-max_interfaces (thanks John Lightsey).

• Try to avoid race conditions when NSD reloads and nsdc signals NSD: Update the pidfile before exiting the old server.
• Fixed memory leak when NSEC3 enabled but not needed.
• Added region destroys when erroring during zone transfers.
• Bugfix #191: nsd-checkconf allowed (max_interfaces-1) interfaces.

NSD 3.1.0

• NSD is now NSEC3 enabled by default. You can disable it by configuring NSD with --disable-nsec3.
• Added "hide-version" configuration setting, to stop NSD from answering CHAOS class version requests.
• Added bind2nsd 0.5.0 in contrib/.
• Report source and zone for denied AXFR attempts.

• Bug #172: Zone compiler gives more sane error messages.
• Manual pages are in mansun format now, which is more portable.
• Log tcp read error only when connection not reset by peer or when verbosity level >= 2.
• RRs are compared without checking TTL value.

• Default locations of nsd.db, ixfr.db, xfrd.state are changed to /var/db/nsd.

NSD 3.0.8

• Better logging for nsd-notify (show 'broken' zone)
• Bug #164: Add configuration for chkconfig to control nsd service
• Better logging when creating database failed.

• Fixed nsdc start when nsd already running: do not initialize server, since it is already running.
• Bug #163: Fixup bug where data related files are looked up in the wrong directory when chrooted with chrootdir ending with a slash.
• Bug #157: Fixup bug where nsd would return FORMERR if received an edns query with version set to zero and rdlen larger than zero.
• Fixed strptime, so that zonec will also work on systems with broken strptime (like leopard :-)).
• Do not answer nsec3 wildcard information when DO bit is not set.
• Various spelling errors.

NSD 3.0.7

• Error handling for malformed IXFRs improved.
• Bug #162 and #156: Fixed man pages, consistent syntax.

NSD 3.0.6

• Report source and zone for denied AXFR attempts.

• More elegant handling of malformed nsec3 records from a zone transfer.
• Fixup ignored return value in region-allocator.
• Added bind2nsd 0.5.0 (http://bind2nsd.sourceforge.net) in contrib/.

NSD 3.0.5

• Fixed problem with reload waiting very long. If the OS has a raging herd problem, NSD could block in a UDP operation and that process would stop reload from finishing. Made UDP sockets nonblocking.
• Made TCP listen sockets nonblocking. NSD could block in accept.
• Handle the new CERT RDATA types defined in RFC 4398 (submitted by Mans Nilsson).
• Fixed a bug where zonec would choke on unknown CERT RDATA types.
• Change nsd-notify retry timer from linear into exponential backoff (submitted by Mans Nilsson).
• Debug flag (-d) behavior changed. Nsd now also forks children when run in debug mode.
• Added verbosity mode (-V <level>) for extra operational logging.
• zonesdir default is /etc/nsd. This can be overridden in nsd.conf.
• if clients drop the tcp connection this does not result in a logfile entry, unless verbosity is set 2 or more.

NSD 3.0.4

• Added contrib/nsd.zones2nsd.conf python script to convert NSD 2 to NSD 3 config files, contributed by Stephane Bortzmeyer.
• The nsdc control script will print 'nsd startup failed' if the nsd executable does not start (due to bad permissions, bad config, ...).

• zonec will print an error when other data is put next to a CNAME.
• Fixup unaligned memory access that could occur when reading ixfr.db with a partial transfer inside.
• Fixup for the WKS RR type printout by nsd-patch and nsd-xfer.
• Error message 'could not read database CRC' now only given on error.
• ./configure --zonesdir=<directory for zone files> now works to set a default value for the zonesdir: <dir> nsd.conf directive. Set zonesdir: "" to disable the change of directory.
• Bug: reload crashes with log message 'continuing with old database', and after that no more zone updates. Manual fix is to kill -HUP, but now fixed in software to try to reload again (and again).
• Small speedup where xfrd could briefly be busy-waiting.
• If master sends IXFR with glue that is already present in the zone this is silently accepted. Printed in debug mode -L 2. To make the log file smaller.
• Exponential backoff for zones that never worked to max of 4 hours. For expired zones the SOA retry values are used.
• allow-notify acl entries 'NOKEY' match only queries without TSIG.
• Answers to valid notifies contained wrong RR counts in the header. The notifies were processed correctly, but now the acknowledgement reply is in correct DNS format.

NSD 3.0.3

• Bug #152: NSD would not use the identity from nsd.conf, fixed.
• Bug #153: When running with thousands of secondary zones, NSD would run out of UDP sockets. Caused crash on FreeBSD, errors on Linux ('out of file descriptors'), depending on ulimits. Fixed.
• Fixed getaddrinfo error message to be more descriptive.
• Fallback to ip4 if getaddrinfo fails for ip6.
• Will no longer lose a notify message during reloads (IPC).
• Will no longer lose transfer in progress when notified for that zone.
• Nicer error when operator forgets to rebuild after deleting a zone.

NSD 3.0.2

• Nice error from zonec on a wrong configuration zone name.
• Nicer warning from zonec when starting secondary zone with no zone file for the first time.
• nsdc makes more portable use of 'which' (for SunOS5.9/bash2.05).
• Bug #143: Improved handling of zonesdir: directive and relative pidfile, database, diff file, xfrdfile paths in nsdc.sh and nsd-patch. They would not find the files.
• Bug #144: LOC RRtype default values for precision wrong. Fixed.
• Bug #145: NSD failed to reload cases of simultaneous zone transfer.
• Bug #146: NSD fails to write to xfrdfile when chrooted. Fixed. Also fix for difffile when chrooted.
• Bug #147: NSD runs out of memory. Fixed, memory is reused. Occurred when running NSD with very big zones and large updates.
• nsd -L 1 logging is smaller, -L 2 contains all debug information. (only available for debug compiles).
• Bug #149: Fixed text for NOTAUTH error code. When notify is not authorised REFUSED error code returned instead.

NSD 3.0.1

• nsd-patch prints SOA record at start of zone files.

NSD 3.0.0

• nsd-patch prints SOA record at start of zone files: NSD requests but does not provide IXFR transfers; NSD keeps track of SOA timeouts for secondary zones.
• TSIG authentication supported: For queries, for notifies, for zone transfers.
• NOTIFY messages of zone updates, incoming and outgoing.
• DNAME type is supported, including CNAME synthesis.
• config file, nsd.conf(5), place to put TSIG keys, server settings, and lists of ip-addresses/ranges for AXFR/IXFR and NOTIFY.
• Prepared for NSEC3 (--enable-nsec3), experimental code for testing in workshops.
• Prepared for NSID (--enable-nsid), experimental code for testing in workshops.

• Contains all bug fixes from 2.3.5 and before.
• The sighandler() bug is fixed more thoroughly, by using pipes for interprocess communication.
• CNAMEs are followed by the server to different zones and information from that zone is returned. This saves a followup query.
• Bug fixes (ported) 2.3.6: nsd-notify will retry max 15 times 5 second retries; Bug #105: nsdc lacks locking, fixed locking for root user; Bug #134: nsd: make -N <large number> work again; Bug #135: Typo in locking code for nsdc, fixed; uninitialised variable fixed; unaligned memory access (on Solaris SPARC), in zonec LOC parsing, fixed; Bug #138: nsd aborts trying to bind all interfaces if ip6 is not enabled, instead it will fallback to ip4; Bug #139: resync timer for stats to whole minute; Bug #140: NSD did not clear CD bit on authoritative answers; Bug #141: NSD did not clear flags on a formerror reply.

• config file needed, nsd.conf(5) supersedes nsd.zones and nsdc.conf.
• AXFR transfers are denied by default. Allow in config file.
• Zones only become secondary with "request-xfr:" items in config file.
• NSD produces "ixfr.db" file with a journal of zone transfers. Use nsdc patch to merge changes back to zone files and remake db.
• NSD produces "xfrd.state" file with zone timeout information. The file is text formatted.
• NSD sends notifies automatically, nsd-notify is deprecated and will be removed from the package.
• NSD requests AXFR/IXFR and reloads the updates automatically, nsd-xfer is deprecated and will be removed from the package.
• Check your config file with nsd-checkconf.

NSD 2.3.7

• Bug #149: Fixed text for NOTAUTH error code.
• Fixed getaddrinfo error message to be more descriptive.
• Fallback to IPv4 if getaddrinfo fails for IPv6.
• Type WKS printed wrong from nsd-xfer. Fixup in call to getservbyport.
• No warning on time_t to int conversion in log_file().

NSD 2.3.6

• nsd-notify will retry max 15 times 5 second retries.
• Patch from Stephane to allow xfer in parallel added to contrib.

• Bug #105: nsdc lacks locking, fixed locking for root user.
• Bug #134: nsd: make -N <large number> work again.
• Bug #135: Typo in locking code for nsdc, fixed.
• Uninitialised variable (found in nsd3 debugging) fixed.
• Unaligned memory access (on Solaris SPARC, from nsd3 debugging), in zonec LOC parsing, fixed.
• Removed unused named8_stats ptr.
• Bug #138: nsd aborts trying to bind all interfaces if ip6 is not enabled, instead it will fallback to ip4.
• Bug #139: resync stats to whole period.
• Bug #140: NSD did not clear CD bit on authoritative answers.
• Bug #141: NSD did not clear flags on a formerror reply.
• tsig null ptr when size set, fixed.
• Bug #144: LOC RRtype defaults not according to RFC1876.

NSD 2.3.5

• Bug #132: regression, nsd: fix compile with --disable-ipv6
• Makefile: remove gnuisms

NSD 2.3.4

• Unknown type codes for type code numbers > 48 and < 97 work again. (this implies --enable-checking can be enabled again)
• nsd: sighandler() fixes
• Bug #118: nsd: nsd_notify waits for a response. Will retry the notify after a timeout.
• Bug #124: $(DESTDIR) was added to Makefile.in.
• Bug #128: zonec: parser can handle \\ at the end of a string.
• zonec: lexer: add \r to the newline delimeter
• zonec: use strtol with an explicit base 10 as parameter. (Scott Rose, Roy Arends)
• nsd-xfer: print human readable error codes. Change logging to be more in line with the rest.

NSD 2.3.3

• Apply the correct patch to nsdc.sh.in.

NSD 2.3.2

• Bug #101: add support for the SPF record.

• Bug #100: replaced non-portable use of timegm(3) with portable implementation (mktime_from_utc).
• Bug #103: nsd: trim the SOA's TTL to the MINIMUM value when returning a negative answer.
• Bug #104: nsd: add a time_t timestamp to the log when logging to a file.
• Bug #105: nsdc: use a lock file when rebuilding the database (patch by Jakob Schlyter/Ted Lindgreen/Sebastian/Ondrej Sury).
• Bug #106: zonec: don't walk all 256 NSEC windows when that is not needed.
• Bug #107: zonec: fixed a crash when encountering bad unknown rdata.
• nsd: Don't print: "error: nsd is already running as <pid>, stopping" when in fact NSD continues to run.
• nsd: Minimize the race window in sig_handler().

• We are now using a SHA-1 digest on the NSD tarball.

NSD 2.3.1

• zonec: Don't crash when generating error messages outside of zone files.
• nsd: when logging to a file the pid is now printed.
• nsd: Reset 'boot' time in statistics when reloading the database, since the statistics are reset to 0 on a reload.
• nsd-xfer.c: Added '-a' option to specify local address to connect from. Original patch supplied by Walter Hop <nsd@walter.transip.nl>.
• Bug #98: Allow mnemonics for DS and RRSIG algorithm field.

NSD 2.3.0

• DNSSEC is now enabled by default. NSD should be fully compliant with RFC4033, RFC4034, and RFC4035.

• nsd: Ensure that the number of -a flags does not exceed the maximum specified by MAX_INTERFACES in config.h.
• nsd-xfer: Use serial number arithmetic (RFC1982) for the zone serial check
• nsdc: Don't pass (fake) serial number to nsd-xfer if the zone file does not exist.
• zonec: Loading many zones would cause namedb_find_zone to slow down, performance patch by Kazunori Fujiwara.
• Bug #96: nsd-xfer did not handle 8-bit domain names correctly.

NSD 2.2.1

• The message priority is now included when logging to a file.

• Zero length RDATA using the unknown RR notation was not working (except for the APL RR type).
• Bug #93: './configure' error message containing a comma must be properly bracketed.
• Bug #94: nsd-xfer: Handle unexpected EOF when receiving AXFR data. Timeout if no data is received for more than 120 seconds (see the TCP_TIMEOUT parameter in config.h).
• Bug #95: An owner starting with an asterisk label ("*") was being treated as its own wildcard child.

NSD 2.2.0

• nsd-xfer: replacement program for named-xfer to perform zone transfers using AXFR. TSIG is supported by nsd-xfer but not yet by the nsd server. DNSSEC is also supported. TSIG requires OpenSSL version 0.9.7 or higher, configure using --disable-tsig if you do not have OpenSSL installed. Configure using --with-ssl=path if OpenSSL is not installed at a standard location.

• Fixed endian problem in WKS record.
• Protocol can now be specified numerically in WKS record.
• Allow escape sequences (\DDD) in TTL, RR class, and RR type.
• The zone compiler now accepts many more characters in unquoted strings such as domain name labels. The characters no longer need to be escaped with a backslash.
• Close included files after reading.
• Maximum TCP message size is now 65535 bytes. AXFR response packets are still limited to 16383 bytes for optimal compression of dnames.
• The TSIG key for AXFRs can now also be stored in the file <zonename>.tsiginfo. This makes it possible to use TSIG with multiple master servers.
• Signals are no longer blocked while performing I/O so the server should respond quicker to signals.
• Fixed parsing of LOC rdata. Fractions and altitude were not handled correctly.

Code change: New data structure 'buffer_type' for representing binary buffers that can be read, written, and resized. Data in these buffers is stored in network byte order. This data structure replaces the iobuf field of 'struct query'.

NSD 2.1.5

• Bug #90: handle \000 in TXT records correctly
• Fixed undefined behavior in the use of vsnprintf when logging messages. This caused crashes on Linux/PPC.

NSD 2.1.4

• nsdc: Fixed a typo that caused AXFRs to stop working.

NSD 2.1.3

• nsd: The pidfile can be specified using the '-P' option.

• Bug #87: allow @ in the rdata.
• Bug #88: allow ::FFFF:ipv4addr in AAAA records.
• Bug #89: Count the number of queries received over TCP, instead of the number of TCP connections.
• Zonec: when - is used as input, set the filename to 'STDIN'.
• The nsdc script handles failed AXFRs more gracefully.
• NSD emits an error when it sees bitlabels (RFC 2673).
• Only copy the CD bit when DNSSEC is enabled.

NSD 2.1.2

• NSD now fully supports unknown record types using the notation specified in RFC3597.
• Support for the following RR types has been added: WKS, X25, ISDN, RT, NSAP, PX, NAPTR, KX, CERT, DNAME, and APL. DNAME special processing is not supported.

• Bug #84: NSD now uses SIGUSR1 instead of SIGILL to report stats.
• Bug #85: Support for WKS records.
• Bug #86: The characters "#%&^[]?" can now be used without backslash in zone file domain names.
• Plugin callback return type fixed.
• The maximum message length for IPv6 UDP packets is now limited to the IPv6 minimum MTU (1280) unless the IPV6_USE_MIN_MTU socket option is supported.

NSD 2.1.1

• Bug #81: Handle unknown types correctly.
• Bug #82: Zonec: don't report "0 errors" unless -v is specified.
• Bug #83: Close zone files after parsing.
• Handle AFSDB RR type.

NSD 2.1.0

• New networking code allows a single server to handle both UDP and TCP connections. By default up to 10 simultaneous TCP connections are supported. Use the '-n' flag to change the default.

NSD 2.0.2

• Allow the use of a mnemonic for the algorithm field of a DNSKEY record.
• Behavior of the zonec -v flag has been modified. By default zonec will only print a single line with a summary of the error count.
• Bug #75: Fixed typo in previous "fix".

NSD 2.0.1

• Queries for QTYPE DS (DNSSEC) were not handled correctly in certain cases.
• Partial support for unknown RRs. Known RR types with unknown RR data format is not yet supported.
• Bug #75: Fixed bad error message when nsdc update is run for the first time.
• Bug #78: Multiple zones, each with include directives, are now compiled correctly.

NSD 2.0.0

• Experimental DNSSEC support implemented, but disabled by default. Enable using the --enable-dnssec configuration option.
• IPv6 enabled by default. Disable using the --disable-ipv6 configuration option.

• Bug #47: Domain name is now logged when a notify is received.
• Bug #70: First include all A records in the additional section, followed by AAAA records.
• Bug #77: Check length of domain name and label.
• LOC records are supported again.