Releases
NSD 3.2.15
Feb 4, 2013
Features
- Support for ILNP RR types: NID, L32, L64, LP (RFC6742).
- RRL, --enable-ratelimit at configure time and config options.
- TSIG initialization only fails when there is no digest found at all.
Bugfixes
- Bugfix #478: Declaration after statement (for gcc 2.95).
- Bugfix #483: Better error message in case of TSIG error.
- Bugfix #485: TTL should not be greater than 2^31 - 1.
- Fix RCODE when CNAME loop final answer does not exist, should return NXDOMAIN as stated by RFC 6604.
- Fix --disable-full-prehash bug, where after multiple incoming IXFRs, NSEC3 can be removed unjustified.
Download: nsd-3.2.15.tar.gz
Checksum sha1:
e31a81ab7877422b34e1f163f9509cd93f395664
NSD 3.2.14
Nov 1, 2012
Features
Bugfixes
- Fix build on OpenBSD (thanks Oliver Peter).
- Prioritize notify sender for requesting XFR (thanks Ilya Bakulin).
- Fix crash in zonec if TXT string too long (thanks Ilya Bakulin).
- tzset before chroot for correct timezone (thanks Camiel Dobbelaar).
- Fix --disable-full-prehash bug when nsdc patch happens while ixfr too,
it did not rehash the new database.
- Bugfix #464: Conditionally define MAXHOSTNAMELEN.
Download: nsd-3.2.14.tar.gz
Checksum sha1:
78390145ec392b520d88c19fc99c544dd1426959
NSD 3.2.13
Jul 27, 2012
Bugfixes
-
Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
vulnerability from DNS packet when using --enable-zone-stats.
-
Bugfix #460: man page correction - identity.
-
Fix for nsd-patch segfault if zone has been removed from nsd.conf
(thanks Ilya Bakulin).
Download: nsd-3.2.13.tar.gz
Checksum sha1:
2cb44f75e9686fd73c7ee9765857a36a8fe5bca9
NSD 3.2.12
Jul 19, 2012
Bugfixes-
Fix for VU#624931 CVE-2012-2978: NSD denial of service
vulnerability from non-standard DNS packet from any host
on the internet.
Download: nsd-3.2.12.tar.gz
Checksum sha1:
dd8606a05525f6a493dfacb7ddfa7e1fa3c6a85b
NSD 3.2.11
Jul 9, 2012
Features
-
Fallback to AXFR if IXFR is unknown at the primary. NSD considers
IXFR unknown at the primary if there is a negative response for the
IXFR RRtype. This does not override the value for
'allow-axfr-fallback'.
-
Allow for reading in new DNSKEY algorithm mnemonics (RFC5155,
RFC5702, RFC5933, and RFC6605 (ECDSA)).
-
Zone statistics, enable with --enable-zone-stats. This stores the
BIND8 stats per zone in a configurable statistics file. This option
does not scale and should therefore not be enabled when serving
many zones.
- Support for TLSA RRtype (DANE).
Bugfixes
-
Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't
add the wildcard domain NSEC into the answer section. Instead,
put the wildcard expanded NSEC into the answer section and keep the
wildcard domain NSEC in the authority section.
- Fix for accept spinning reported by OpenBSD.
- Fix restart failed due to bad ixfr packet because of zone removed from nsd.conf.
- Bugfix #453: typo in nsdc man page.
Operational notes-
NSD uses the query name for dname compression again (Fix #235
had as side effect that this didn't happen anymore and is hereby
undone).
Download: nsd-3.2.11.tar.gz
Checksum sha1:
4b8b9293fd13b0fba2a2bff9fd11940e0d8d7448
NSD 3.2.10
Feb 15, 2012
Bugfixes
- Bugfix #421: Truncate pidfile on shutdown, before unlink.
- Bugfix #423: Fix slow zone transfer processing due to 'Fix is_existing flag for ENT' bugfix.
- Bugfix #430: Fix segfault when MAX_INTERFACES set to more than 65K.
- Fix configure.ac strptime check for gcc 4.6.2, acx_nlnetlabs.m4 update
Download: nsd-3.2.10.tar.gz
Checksum sha1:
04657cffe5087d97213b245f8281296cac86b868
NSD 3.2.9
Nov 23, 2011
Features
- Minimize responses to reduce truncation: NSD will only add
optional
records to the authority and additional sections when the response
size does not exceed the minimal response size.
The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
1220 (EDNS/IPv6), or the advertized EDNS buffer size if that is
smaller than the EDNS default.
The feature is enabled by default. You can disable it by configuring
NSD with --disable-minimal-responses.
-
Less NSEC3 prehashing. This will make NSD handle zone transfers
faster, but will decrease the performance of NXDOMAIN and wildcard
NODATA responses. Full prehashing is enabled by default. If you want
less NSEC3 prehashing, configure NSD with --disable-full-prehash.
Thanks Secure64 for the patch.
Bugfixes
- Bugfix #302: nsd accepts XFR but refuses to re-read the slave zone.
- Bugfix #365: set patch style and zonec verbose for nsdc.
- First step of bug #369: RRSIG DNSKEY sets zone to be treated DNSSEC.
- Bugfix #375: typos in nsd.conf.5.
- Bugfix #381: Binary escaped and transfers.
- Bugfix #397: Don't allow relative domain names as origin in $INCLUDE directives.
- Fix printout of IPSECKEY by nsd-patch.
- Fix is_existing flag for ENT when domain that has a shared ENT is deleted by IXFR. (ENT == Empty Non-Terminal)
- Fix bug if the zonefile is changed for a secondary but stored
transfers are applied, and stop it from applying ixfr to empty zone.
The zone is flagged with error and AXFR-ed.
- Fix to have no authority NS set processing for CNAMEs.
- Fix nsd-checkconf to check tsig algorithms properly.
- Set the AA bit on responses that have an authoritative CNAME.
- Fix denial of existence response for empty non-terminal that looks
like a NSEC3-only domain (but has data below it).
Operational notes- nsd.db version number increased because NSD 3.2.7 and earlier
zonec is not compatible due to the TXT strings change. Please
run nsdc rebuild before running NSD 3.2.9 and later versions.
Download: nsd-3.2.9.tar.gz
Checksum sha1:
66e17e5801e94da1a21f0f2a4dd7a4ab4ffe0dd9
NSD 3.2.8
Mar 22, 2011
Bugfixes
- Do setusercontext before chroot, otherwise login.conf etc. are required inside chroot.
- Bugfix #216: Fix leak of compressiontable when the domain table increases in size.
- Bugfix #348: Don't include header/library path if OpenSSL is in /usr.
- Bugfix #350: Refused notifies should log client ip.
- Bugfix #352: Fix hard coded paths in man pages.
- Bugfix #354: The realclean target deletes a bit too much.
- Bugfix #357, make xfrd quit with many zones.
- Bugfix #362: outgoing-interface and v4 vs. v6 leads to spurious warning messages.
- Bugfix #363: nsd-checkconf -v does not print outgoing-interface ok.
- Bugfix: nsd-checkconf -o outgoing-interface omits NOKEY.
- Undo Bugfix #235: Don't skip dname compression, messes up packets that do need compression.
Operational notes
- Use 'make clean' to clean up files that make created.
- Use 'make realclean' to also clean up files that were generated by running ./configure.
- Use 'make devclean' to also clean up autoconf, autoheader files.
Download: nsd-3.2.8.tar.gz
Checksum sha1:
e8db690a09f53152f0dca6e4fbfabcc89003fced
NSD 3.2.7
Jan 24, 2011
Bugfixes
- Bugfix #253: Don't put NS RRs in a response with QTYPE=DS.
- Bugfix #320: use arcrandom(4) for QID generation if available.
- Bugfix #328: nsd-checkconf overrun.
- Bugfix #343: nsdc update fix.
- Bugfix #347: Wrong NSEC3 returned for nodata response QTYPE=DS no delegation.
- Bugfix: Allow for huge amount of strings in TXT (and other) records.
- Bugfix: nsdc can now deal with tsig algorithms other than hmac-md5.
- Fixed several parts in the documentation, including #306, #345.
Download: nsd-3.2.7.tar.gz
Checksum sha1:
1fc4af1831f64b76e1dc5c82b353770f9186de15
NSD 3.2.6
Aug 2, 2010
Features- Expand command line option '-a' and config option 'ip-address:'
with port number.
Bugfixes- Bugfix #314: correctly print NSEC next field, escape spaces and
fix label overflows.
Operational notes
- Configure options --disable-dnssec, --disable-nsid, --disable-tsig
are removed.
- Configure option --max-interfaces is renamed to --max-ips.
Download: nsd-3.2.6.tar.gz
Checksum sha1:
7857df4c34a10f63c8100ae806f12f6035397773
NSD 3.2.5
Apr 14, 2010
Features
- New option 'nsid:', to specify the NSID (Bugfix #298).
- The default chroot can be set with --with-chroot=dir.
If not set, by default chroot will not be used (thanks Jakob Schlyter).
- Optimized zonec and b64_pton compatibility code (thanks Martin Svec).
- Optimized memory allocations. Use mmap/munmap instead of malloc/free.
Experimental, by default off. Enable it at build time with
--enable-mmap (thanks Martin Svec).
Bugfixes
- NSD will not start if chroot is configured, but changing root is
not possible (it used to ignore the badly configured chroot).
- Make use of the more secure strl* functions.
- Bugfix #303: spelling error.
Operational notes- NSID support is now enabled by default.
Download: nsd-3.2.5.tar.gz
Checksum sha1:
90678506145a7a4cf62fbb266013abb8ad464484
NSD 3.2.4
Jan 6, 2010
Features
- Support DLV records.
- New option 'tcp-query-count:', to limit the maximum number of DNS
queries on a single tcp connection.
- New option 'tcp-timeout:', to override the default tcp timeout.
The option can also be set at build time, --with-tcp-timeout.
- New option 'notify-retry:', to configure how many times NSD should
retry a NOTIFY message.
- New options 'ipv4-edns-size:' and 'ipv6-edns-size:', to set your
preferred EDNS buffer size.
Bugfixes
- Bugfix #269: Additional c99 syntax.
- Bugfix #276: Zonec prints debug data to stderr.
- Bugfix #286: Document verbosity levels in nsd.conf manual page.
- Bugfix #288: Ignore SIGHUP to child processes.
- Fix typo in include file for setusercontext.
Operational notes- UDP/IPv4 sockets have new options set that will disable the DF flag
in IP packets.
Download: nsd-3.2.4.tar.gz
Checksum sha1:
ca94d6c1e53c3ff9d46d3fc7ca56d43590a91a8f
NSD 3.2.3
Aug 17, 2009
Bugfixes
- Bug #236: Allow RRs before the SOA in a zonefile.
- Bug #229: Remove the C99 code.
- Bug #253: Don't put NS RRs in a response with QTYPE=DNSKEY.
- Bug #263: Make TSIG algorithm comparison case insensitive.
- Bug #266: Build failed on systems without strptime.
- Fix install hickup.
- Fix to use 4096 EDNS limit for IPv6 on Linux.
Download: nsd-3.2.3.tar.gz
Checksum sha1:
2afcc6e1086eef7f5e538c7d837f628f83a19a86
NSD 3.2.2
May 18, 2009
Bugfixes
- Off-by-one buffer overflow fix while processing the QUESTION section.
- Return BADVERS when NSD does not implement the VERSION level of the
request, instead of 0x1FORMERR.
- Bugfix #234.
- Bugfix #235.
- Reset 'error occurred' after notifying an error occurred at the $TTL or
$ORIGIN directive (Otherwise, the whole zone is skipped because the
error is reset after reading the SOA).
- Minor bugfixes.
Download: nsd-3.2.2.tar.gz
Checksum sha1:
23fc0be5d447ea852acd49f64743c96403a091fa
NSD 3.2.1
Jan 19, 2009
Features
- New configuration option 'allow-afxr-fallback', "yes" by default. If
set to "no", NSD will never do AXFR fallback, even if the master
does not support IXFR.
- Allow file rotation on nsd.log.
- The new nsd-patch options -s and -o allows you to skip writing
zonefiles and store the output directly to a database file,
respectively.
Bugfixes
- When configuring, don't do strptime test when cross-compiling.
- Bug #230: Output non-error messages to stdout.
- Better error message when ixfr.db old file format is read.
- Bug #218: shared UDP query for all interfaces.
- Bug #222: Remove bashism from nsdc script.
- Nicer check for SHA-256 functionality.
- Fixed some minor memory leaks that occured on reload.
- nsdc: check if a lockfile has not gone stale, when lock failed.
- Bugfix strptime compatibility function.
Operational notes
- NSD will now fallback to AXFR, only if the master does not support IXFR.
- You can adjust nsdc patch to skip textfile patching. This will
increase the patching process, but will not output to zonefiles
anymore. By default, this is turned off.
Download: nsd-3.2.1.tar.gz
Checksum sha1:
2829d8f00dc9a6f13178efb80c21566f95db132a
NSD 3.2.0
Nov 10, 2008
Features
- AXFR/TCP fallback in case of failing IXFR zone transfers.
- RFC 4635: support for hmac-sha1 and hmac-sha256 TSIG algorithm
identifiers, "Bugfix #130".
- Configure the source ip-address for notifies (master) and zone
requests (slave) in nsd.conf, "Bugfix #148".
- nsd-notify and nsd-xfer allow you to configure the outgoing
hostname and source port, in addition to the source address.
- Additional debug and verbose log messages.
Bugfixes
- Only normalize dnames in rdatas when rrtype is listed in RFC 4034,
section 6.2: Canonical RR Form, following
draft-ietf-dnsext-dnssec-bis-updates (affects RRSIG and NSEC records).
- Typo in zonec manpage.
- Bugfix in log_finalize.
- Fix race condition between nsdc patch and server reload.
Operational notes
- IMPORTANT: Format of ixfr.db has changed. When you are planning an upgrade to the
new NSD release, make sure to process the old ixfr.db before starting
the new release (by running nsdc patch).
- IXFR is transmitted over TCP by default instead of UDP. If you want to
continue the use of IXFR/UDP, please modify your zone configuration
file to:
request-xfr: UDP 1.2.3.4 tsigkey
- We strongly recommend to enable TSIG if you send IXFR over UDP.
When all masters fail to transmit IXFR/UDP, slave will fallback to
IXFR/TCP and eventually AXFR/TCP.
- nsd-patch prints errors to stderr instead of stdout.
Download: nsd-3.2.0.tar.gz
Checksum sha1:
7cc37fdd10f4ad78ed58d4e1a304a4496ebaefe7
NSD 3.1.1
Jul 21, 2008
Features- The number of maximum interfaces allowed is configurable with
--with-max_interfaces (thanks John Lightsey).
Bugfixes
- Try to avoid race conditions when NSD reloads and nsdc signals NSD: Update the pidfile before exiting the old server.
- Fixed memory leak when NSEC3 enabled but not needed.
- Added region destroys when erroring during zone transfers.
- Bugfix #191: nsd-checkconf allowed (max_interfaces-1) interfaces.
Download: nsd-3.1.1.tar.gz
Checksum sha1:
5d175e2514294dba1336ab0e5421f68076af278f
NSD 3.1.0
June 23, 2008
Features
- NSD is now NSEC3 enabled by default. You can disable it by configuring NSD with --disable-nsec3.
- Added "hide-version" configuration setting, to stop NSD from answering CHAOS class version requests.
- Added bind2nsd 0.5.0 in contrib/.
- Report source and zone for denied AXFR attempts.
Bugfixes
- Bug #172: Zone compiler gives more sane error messages.
- Manual pages are in mansun format now, which is more portable.
- Log tcp read error only when connection not reset by peer or when verbosity level >= 2.
- RRs are compared without checking TTL value.
Operational notes- Default locations of nsd.db, ixfr.db, xfrd.state are changed to /var/db/nsd.
Download: nsd-3.1.0.tar.gz
Checksum sha1:
4cf8dea9fcdd2e0f7a5ab8b8a7399e3ebd533cf4
NSD 3.0.8
April 18, 2008
Features
- Better logging for nsd-notify (show 'broken' zone)
- Bug #164: Add configuration for chkconfig to control nsd
service
- Better logging when creating database failed.
Bugfixes
- Fixed nsdc start when nsd already running: do not initialize
server, since it is already running.
- Bug #163: Fixup bug where data related files are looked up in the
wrong directory when chrooted with chrootdir ending with a
slash.
- Bug #157: Fixup bug where nsd would return FORMERR if received an
edns query with version set to zero and rdlen larger than zero.
- Fixed strptime, so that zonec will also work on systems with
broken strptime (like leopard :-)).
- Do not answer nsec3 wildcard information when DO bit is not
set.
- Various spelling errors.
Download: nsd-3.0.8.tar.gz
Checksum sha1:
a5af4f406219636934dfd16810ba9c112412680e
NSD 3.0.7
November 13th, 2007
Bugfixes
- Error handling for malformed IXFRs improved.
- Bug #162 and #156: Fixed man pages, consistent syntax.
Download: nsd-3.0.7.tar.gz
Checksum sha1:
c4038c017e270a4b0012dcaf47c67593f34ddde8
NSD 3.0.6
August 7th, 2007
Features- Report source and zone for denied AXFR attempts.
Bugfixes
- More elegant handling of malformed nsec3 records from a zone
transfer.
- Fixup ignored return value in region-allocator.
- Added bind2nsd 0.5.0 (http://bind2nsd.sourceforge.net) in
contrib/.
Download: nsd-3.0.6.tar.gz
Checksum sha1:
d285cc1f81f61b9ee6272473f7a526593623e86e
NSD 3.0.5
March 20th, 2007
Bugfixes
- Fixed problem with reload waiting very long. If the OS has a
raging herd problem, NSD could block in a UDP operation and
that process would stop reload from finishing. Made UDP sockets
nonblocking.
- Made TCP listen sockets nonblocking. NSD could block in
accept.
- Handle the new CERT RDATA types defined in RFC 4398
(submitted by Mans Nilsson).
- Fixed a bug where zonec would choke on unknown CERT RDATA
types.
- Change nsd-notify retry timer from linear into exponential
backoff (submitted by Mans Nilsson).
- Debug flag (-d) behavior changed. Nsd now also forks
children when run in debug mode.
- Added verbosity mode (-V <level>) for extra operational
logging.
- zonesdir default is /etc/nsd. This can be overridden in
nsd.conf.
- if clients drop the tcp connection this does not result in a
logfile entry, unless verbosity is set 2 or more.
Download: nsd-3.0.5.tar.gz
Checksum sha1:
e6b433e0017d51b8c3f31897053d6c7718957627
NSD 3.0.4
January 18th, 2007
Features
- Added contrib/nsd.zones2nsd.conf python script to convert NSD 2
to NSD 3 config files, contributed by Stephane Bortzmeyer.
- The nsdc control script will print 'nsd startup failed' if the
nsd executable does not start (due to bad permissions, bad config,
...).
Bugfixes
- zonec will print an error when other data is put next to a
CNAME.
- Fixup unaligned memory access that could occur when reading
ixfr.db with a partial transfer inside.
- Fixup for the WKS RR type printout by nsd-patch and
nsd-xfer.
- Error message 'could not read database CRC' now only given on
error.
- ./configure --zonesdir=<directory for zone files>
now works to set a default value for the zonesdir: <dir> nsd.conf
directive. Set zonesdir: "" to disable the change of directory.
- Bug: reload crashes with log message 'continuing with old database',
and after that no more zone updates. Manual fix is to kill -HUP,
but now fixed in software to try to reload again (and again).
- Small speedup where xfrd could briefly be busy-waiting.
- If master sends IXFR with glue that is already present in
the zone this is silently accepted. Printed in debug mode -L 2. To make
the log file smaller.
- Exponential backoff for zones that never worked to max of 4
hours. For expired zones the SOA retry values are used.
- allow-notify acl entries 'NOKEY' match only queries without
TSIG.
- Answers to valid notifies contained wrong RR counts in the
header. The notifies were processed correctly, but now the
acknowledgement reply is in correct DNS format.
Download: nsd-3.0.4.tar.gz
Checksum sha1:
e34333450a32d4683216c136218699e7f8c8367d
NSD 3.0.3
December 7th, 2006
Bugfixes
- Bug #152: NSD would not use the identity from nsd.conf,
fixed.
- Bug #153: When running with thousands of secondary zones, NSD
would run out of UDP sockets. Caused crash on FreeBSD, errors on Linux
('out of file descriptors'), depending on ulimits. Fixed.
- Fixed getaddrinfo error message to be more descriptive.
- Fallback to ip4 if getaddrinfo fails for ip6.
- Will no longer lose a notify message during reloads
(IPC).
- Will no longer lose transfer in progress when notified for that
zone.
- Nicer error when operator forgets to rebuild after deleting a
zone.
Download: nsd-3.0.3.tar.gz
Checksum sha1:
3321d3826256eff683799dd2706eb92dc1bbff78
NSD 3.0.2
November 3rd, 2006
Bugfixes
- Nice error from zonec on a wrong configuration zone
name.
- Nicer warning from zonec when starting secondary zone with
no zone file for the first time.
- nsdc makes more portable use of 'which' (for
SunOS5.9/bash2.05).
- Bug #143: Improved handling of zonesdir: directive and relative
pidfile, database, diff file, xfrdfile paths in nsdc.sh and
nsd-patch. They would not find the files.
- Bug #144: LOC RRtype default values for precision wrong.
Fixed.
- Bug #145: NSD failed to reload cases of simultaneous zone
transfer.
- Bug #146: NSD fails to write to xfrdfile when chrooted. Fixed.
Also fix for difffile when chrooted.
- Bug #147: NSD runs out of memory. Fixed, memory is reused.
Occurred when running NSD with very big zones and large
updates.
- nsd -L 1 logging is smaller, -L 2 contains all debug information.
(only available for debug compiles).
- Bug #149: Fixed text for NOTAUTH error code. When notify is
not authorised REFUSED error code returned instead.
Download: nsd-3.0.2.tar.gz
Checksum sha1:
9a141e67e7d60c84aa1169061230c4761ee35608
NSD 3.0.1
September 6th, 2006
Bugfixes- nsd-patch prints SOA record at start of zone files.
Download: nsd-3.0.1.tar.gz
Checksum sha1:
37259401e1040ea99540590a9dedc519b48543e1
NSD 3.0.0
September 5th, 2006
Features
- nsd-patch prints SOA record at start of zone
files: NSD requests but does not provide IXFR transfers; NSD keeps
track of SOA timeouts for secondary zones.
- TSIG authentication supported: For queries, for notifies, for
zone transfers.
- NOTIFY messages of zone updates, incoming and
outgoing.
- DNAME type is supported, including CNAME synthesis.
- config file, nsd.conf(5), place to put TSIG keys, server
settings, and lists of ip-addresses/ranges for AXFR/IXFR and
NOTIFY.
- Prepared for NSEC3 (--enable-nsec3), experimental code for
testing in workshops.
- Prepared for NSID (--enable-nsid), experimental code for
testing in workshops.
Bugfixes
- Contains all bug fixes from 2.3.5 and before.
- The sighandler() bug is fixed more thoroughly, by using pipes for
interprocess communication.
- CNAMEs are followed by the server to different zones and
information from that zone is returned. This saves a followup
query.
- Bug fixes (ported) 2.3.6: nsd-notify will retry max 15 times 5
second retries; Bug #105: nsdc lacks locking, fixed locking for root
user; Bug #134: nsd: make -N <large number> work again; Bug #135:
Typo in locking code for nsdc, fixed; uninitialised variable fixed;
unaligned memory access (on Solaris SPARC), in zonec LOC parsing,
fixed; Bug #138: nsd aborts trying to bind all interfaces if ip6 is not
enabled, instead it will fallback to ip4; Bug #139: resync timer for
stats to whole minute; Bug #140: NSD did not clear CD bit on
authoritative answers; Bug #141: NSD did not clear flags on a formerror
reply.
Operational notes
- config file needed, nsd.conf(5) supersedes nsd.zones and
nsdc.conf.
- AXFR transfers are denied by default. Allow in config
file.
- Zones only become secondary with "request-xfr:" items in config
file.
- NSD produces "ixfr.db" file with a journal of zone transfers.
Use nsdc patch to merge changes back to zone files and remake
db.
- NSD produces "xfrd.state" file with zone timeout information.
The file is text formatted.
- NSD sends notifies automatically, nsd-notify is deprecated and
will be removed from the package.
- NSD requests AXFR/IXFR and reloads the updates automatically,
nsd-xfer is deprecated and will be removed from the package.
- Check your config file with nsd-checkconf.
Download: nsd-3.0.0.tar.gz
Checksum sha1:
353b388fdd1d5e03fb3a73738b83b617edc06392
|
