Releases: NLnetLabs/nsd

NSD_4_10_0_RC1

25 Apr 14:33
NSD_4_10_0_RC1 Pre-release

NSD 4.10.0rc1 is available:

Version 4.10.0 integrates simdzone and drops the Flex+Bison zone parser.

NSD used a Flex+Bison based zone parser since version 1.4.0. The parser served
NSD well, but zones have increased in size and zone loading performance has
been problematic for some users.

With the integration of simdzone (https://github.com/NLnetLabs/simdzone),
performance of loading zones and IXFRs is drastically improved. Quick
measurements show improvements ranging anywhere from 3.8x to 1.6x depending
on zone size and database type, though the improvements will be less noticeable
for NSEC3 zones due to pre-hashing.

simdzone leverages SIMD instructions in modern CPUs to improve throughput.
Right now SSE4.2 and AVX2 instruction sets are supported; other instruction
sets will use the fallback implementation, which is still a decent improvement
over the Flex+Bison based parser.

The release candidate window will be longer this time as simdzone is rather
new and, while it has been tested on various architectures and operating
systems, it is likely problems will pop up due to the sheer amount of code.
Please consider giving this release candidate a good run and report any
problems.

4.10.0

FEATURES:

  • Merge #278: Replace Flex+Bison based zone parser with simdzone.
    Performance of loading zones and IXFRs is greatly improved by using
    the simdzone project by NLnet Labs. The optimized presentation format
    parser leverages SIMD instructions in modern CPUs to improve throughput.
    Right now SSE4.2 and AVX2 instruction sets are supported; other
    instruction sets will use the fallback implementation, which is still
    a decent improvement over the Flex+Bison based parser.

BUG FIXES:

  • Fix that when the server truncates the pidfile, it does not follow
    symbolic links.
  • Fix #317: nsd should not chown its PID file.
  • For #317: Modify nsd service script to stop NSD from creating a
    pid file that systemd is not using.
  • Fix #324: Clarify the purpose of contrib/bug390.patch.
  • Fix IXFR requests upstream for zones with a long name. Thanks for
    the report to Yuuki Wakisaka from Internet Initiative Japan Inc.
  • Unit test for dname subdomain test used by xfrd-tcp.c.
  • Fix #329: TCP accept queues number.
  • Fix that the reload handler for sigchild uses signal_add, and
    also that the signal handler is restored when done.
  • Fix that when server verify is done it resets the sigchild handler.
  • Fix makedist.sh for simdzone inclusion.
  • Fix makedist.sh to remove simdzone git tracking information and
    scripting temporaries from tarball.
  • Fix error output of makedist.sh.
  • Use simdzone version with name parser fix.
  • Bump simdzone version to fix OpenBSD build issues.
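
One way to truncate a pidfile without following a symbolic link, the behaviour named in the first bug fix above. This is an added C example, not NSD's own code; the function names and the file names under /tmp are hypothetical and constructed for the demonstration.

```c
/* Added example, not NSD source code. All names here are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW, mkdtemp, symlink */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Truncate an existing pidfile. Returns 0 on success, -1 if the final path
 * component is a symlink, is not a regular file, or cannot be opened. */
int truncate_pidfile_nofollow(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails with ELOOP on a symlink. No O_TRUNC here, so
     * nothing is modified until the descriptor has been checked. */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1)
        return -1;
    /* fstat() inspects the object actually opened, so there is no window
     * between the check and the truncate in which the path can be swapped. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || ftruncate(fd, 0) == -1) {
        close(fd);
        return -1;
    }
    return close(fd);
}

static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

static int put(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Constructed scenario: a symlink planted where the pidfile is expected.
 * Returns 0 when the link target is left intact and a real pidfile is emptied. */
int pidfile_demo(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", target[64], lnk[64], pid[64];
    const char *secret = "must survive\n";
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/planted.pid", dir);
    snprintf(pid, sizeof pid, "%s/nsd.pid", dir);
    if (put(target, secret) || put(pid, "12345\n") || symlink(target, lnk)) return -1;
    int ok = truncate_pidfile_nofollow(lnk) == -1
          && size_of(target) == (long)strlen(secret)
          && truncate_pidfile_nofollow(pid) == 0 && size_of(pid) == 0;
    unlink(lnk); unlink(target); unlink(pid); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return pidfile_demo(); }
```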

NSD 4.9.1

04 Apr 13:10

NSD 4.9.1

This release fixes the build scripts in the release of version 4.9.0.

Version 4.9.0 adds support for DNS Catalog Zones (RFC 9432) version "2".

Both producer and consumer roles for catalog zones are implemented, but
only a single consumer zone is allowed. The "coo" property, relevant
when multiple consumer zones can be configured, is therefore not
supported. The "group" property is. Consult the nsd.conf man page for
details on how to configure and use catalog zones.

Thanks to Fredrik Pettai from Sunet for providing feedback and testing
DNS Catalog Zones.

4.9.1

BUG FIXES:

  • Use rooted temporary path in makedist.sh.

NSD 4.9.0

03 Apr 14:33

NSD 4.9.0

This release adds support for DNS Catalog Zones (RFC 9432) version "2".

Both producer and consumer roles for catalog zones are implemented, but
only a single consumer zone is allowed. The "coo" property, relevant
when multiple consumer zones can be configured, is therefore not
supported. The "group" property is. Consult the nsd.conf man page for
details on how to configure and use catalog zones.

Thanks to Fredrik Pettai from Sunet for providing feedback and testing
DNS Catalog Zones.

4.9.0

FEATURES:

  • Merge #315: Allow SOA apex queries to zones otherwise protected with
    allow-query for clients matching a provide-xfr rule, because
    clients that are allowed to transfer the zone need to be able to
    query SOA at the apex preceding the actual transfer.
  • Merge #304: Support for Catalog zones version "2" as specified in
    RFC 9432. Both the consumer as well as the producer role are
    implemented, but only a single catalog consumer zone is allowed.
    The "coo" property, only relevant with multiple catalog consumer
    zones, is therefore not supported. The "group" property is supported.
    Have a look at the nsd.conf man page for details on how to
    configure and use catalog zones.

BUG FIXES:

  • Fix to sync the tests script file common.sh.
  • Update test script file common.sh.
  • Fix #306: Missing AC_SUBST(dbdir) breaks installation with 4.8.0.
  • Fix for #306: Create directory for xfrd.state and zone.list files
    in make install.
  • Merge #307 from anandb-ripencc: Many improvements to the nsd.conf
    man page.
  • Fix #308: Deprecate "multi-master-check" in favour of
    "multi-primary-check".
  • Merge #309: More RFC 8499 compliance.
  • Fix control-reconfig-xfrd test for zonestatus primary that is
    printed by nsd-control zonestatus.
  • Move acx_nlnetlabs.m4 to version 47, with crypt32 check.
  • Move acx_nlnetlabs.m4 to version 48, with ssp and getaddrinfo
    include check.
  • Fix #313: nsd 4.8 stats with implausible spikes.
  • Fix compile with memclean for xfrd nsd.db close.
  • In xfrd del secondary zone, the timer could perhaps have
    event_added, and if so, it would not be event_del if a tcp
    connection is active at the time. This could cause the libevent
    event lists to fail. Also fix to make sure to set event_added for
    the nsd-control ssl nonblocking handshake and check event_added
    there too, for extra certainty.
  • Merge #316: Fix to reap defunct children by the reload process that
    emerged when some server child processes were still serving TCP
    requests while the others had already quit, while the reload process
    was waiting for the signal from the backup/old main process that all
    children exited.
  • Fix (also from Merge #316) to reap exited children more frequently
    from server main loop for processes that exited during reload, but
    missed the initial reaping at start of the main loop because they
    took somewhat longer to exit.
  • Fix timing sensitivity in ixfr_outsync test.
  • Test if debug is available in do-tests.
  • Enforce timeout from NSD in ixfr_gone test.
  • Update expressions in ixfr_and_restart test.
  • Make algorithm explicit in control-repattern test.
  • Switch algorithm to hmac-256 for testplan_mess test.
  • Replace multiple strcat and strcpy by snprintf.

NSD 4.8.0

06 Dec 09:22
NSD_4_8_0_REL

NSD 4.8.0

This release introduces PROXYv2 support and faster statistics gathering,
removes the database option and fixes bugs.

The proxy protocol support is an implementation of PROXYv2 for NSD.
It can be configured with proxy-protocol-port: portnum with the port
number of the interface on which proxy traffic is handled. The
interface can support proxy traffic for UDP, TCP and TLS.
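
A PROXYv2 header carries the original client address in front of the DNS payload, so the receiver must bounds-check it before trusting any field. The sketch below is an added C example, not NSD's implementation; the struct, the function names and the sample bytes are constructed for illustration, and rejecting unsupported address families is a choice made here.

```c
/* Added example, not NSD source code. Struct and function names are hypothetical. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct pp2_info {
    int is_proxy;                 /* 1: PROXY command, src/src_port set; 0: LOCAL */
    int family;                   /* AF_INET or AF_INET6 */
    int is_dgram;                 /* 1: proxied UDP, 0: proxied TCP/TLS stream */
    char src[INET6_ADDRSTRLEN];   /* original client address, printable */
    uint16_t src_port;
};

/* The fixed 12-byte PROXYv2 signature. */
static const uint8_t PP2_SIG[12] =
    { 0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A };

/* Constructed sample: PROXY command, UDP over IPv4, 192.0.2.10:53000 -> 192.0.2.53:53 */
const uint8_t PP2_SAMPLE[28] = {
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
    0x21, 0x12, 0x00, 0x0C,
    192,0,2,10,  192,0,2,53,  0xCF,0x08,  0x00,0x35 };

/* Returns the number of header bytes to skip before the DNS payload, or -1 when
 * the header is malformed, truncated, or of a kind this sketch does not accept. */
int pp2_parse(const uint8_t *buf, size_t len, struct pp2_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 16 || memcmp(buf, PP2_SIG, sizeof PP2_SIG) != 0)
        return -1;
    if ((buf[12] >> 4) != 2)                      /* version nibble */
        return -1;
    unsigned cmd = buf[12] & 0x0F, fam = buf[13] >> 4, proto = buf[13] & 0x0F;
    size_t alen = ((size_t)buf[14] << 8) | buf[15];
    if (alen > len - 16)                          /* declared length beyond the data */
        return -1;
    if (cmd == 0)                                 /* LOCAL: keep the real peer address */
        return (int)(16 + alen);
    if (cmd != 1 || (proto != 1 && proto != 2))
        return -1;
    const uint8_t *a = buf + 16;
    size_t need = fam == 1 ? 12 : fam == 2 ? 36 : 0;   /* 2 addresses + 2 ports */
    if (need == 0 || alen < need)                 /* unsupported family or short block */
        return -1;
    out->family = fam == 1 ? AF_INET : AF_INET6;
    if (!inet_ntop(out->family, a, out->src, sizeof out->src))
        return -1;
    size_t poff = need - 4;                       /* source port follows both addresses */
    out->src_port = (uint16_t)((a[poff] << 8) | a[poff + 1]);
    out->is_dgram = proto == 2;
    out->is_proxy = 1;
    return (int)(16 + alen);
}

int main(void)
{
    struct pp2_info pi;
    int n = pp2_parse(PP2_SAMPLE, sizeof PP2_SAMPLE, &pi);
    printf("skip=%d client=%s port=%u\n", n, pi.src, (unsigned)pi.src_port);
    return n == 28 ? 0 : 1;
}
```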

The removal of the "database: nsd.db" option removes unneeded code. It
stored secondary zones in binary format. Zone files are used instead.
This turns out to be about the same speed for file access, and uses
much less memory. Plain text is also easier to deal with when inspecting
the contents. Intended improvements in zone parser speed are expected
to further enhance the performance, making it faster than the binary
database.

The option to turn the database off with "" was introduced in 4.1.7
in 2015. It is now removed, and the 'database:' option is ignored for
backwards compatibility; the commandline '-f' option is likewise ignored
for backwards compatibility. This means NSD can start even though the
option is present, and can then transfer zones from the primary and serve
them.

Statistics are processed faster. NSD now uses shared memory to convey
the statistics from the server processes to the xfrd process. This is
faster, and also works while a reload is in progress. The statistics are
no longer written over the command pipes between processes, and so do
not wait for the processes. It is similar to how zone-stats have been
implemented. It works for both stats and stats_noreset.

Thanks to Sunet for sponsoring the proxy protocol, and providing
useful feedback in the early testing of the proxy protocol.

4.8.0

FEATURES:

  • Merge #281: Proxy protocol. An implementation of PROXYv2 for NSD.
    It can be configured with proxy-protocol-port: portnum with the
    port number of the interface on which proxy traffic is handled.
    The interface can support proxy traffic for UDP, TCP and TLS.
  • Merge #301: improve the logging of ixfr fallbacks to axfr.
  • Merge #305: faster stats. Statistics can be gathered while a reload
    is in progress.

BUG FIXES:

  • Merge #282: Improve nsd.conf man page.
  • Fix unused but set variable warning.
  • Fix #283: Compile failure in remote.c when --disable-bind8-stats
    and --without-ssl are specified.
  • Fix #284: dnstap_collector.c: SOCK_NONBLOCK is not available on
    Mac/Darwin.
  • Fix unused variable warning in unit test of udb.
  • Merge #287: Update nsd.conf.5.in.
  • Fix autoconf 2.69 warnings in configure.
  • Merge #295: Update e-mail addresses, add ref to support contracts.
  • Fix for interprocess communication to set quit sync command from
    main process explicitly.
  • Fix processing of consolidated IXFRs.
  • Remove on-disk database.
  • Answer first query for connections accepted just before reload.
  • Fix: Always instate write handler after reading a query over TCP.
  • Fix #14: Set timeout to 3s when servicing remaining TCP connections.
  • Merge #302: Test package fixes. Correct Auxfiles, kill_from_pidfile
    function and fix drop_updates, rr-test and xfr_update tests.
  • Fix unit test kill_from_pidfile function for nonexistent files
    because the argument is evaluated before the test expression.
  • Fix rr-test to also convert the contents of the just written output
    file.
  • Fix test set to remove -f nsd.db and rm nsd.db commands.
  • Fix test set to remove difffile option.

NSD 4.7.0

07 Jun 08:15
NSD_4_7_0_REL

NSD 4.7.0

This release adds a bash autocompletion script for nsd-control. Also,
nsd-control can be configured to use unencrypted operation even when
compiled without openssl. A systemd service unit example file has also
been contributed. The dnstap log service can be contacted over TCP, with
the dnstap-ip: ip option. It is also possible to use TLS with
dnstap-tls, which is enabled by default and can be configured with the
dnstap-tls-server-name, dnstap-tls-cert-bundle,
dnstap-tls-client-key-file and dnstap-tls-client-cert-file options. The
configure option --enable-root-server is obsolete; it is no longer used
and defaults to on. In addition, the build file should support multicore
build with flex and bison more easily.

4.7.0

FEATURES:

  • Merge #263: Add bash autocompletion script for nsd-control.
  • Fix #267: Allow unencrypted local operation of nsd-control.
  • Merge #269 from Fale: Add systemd service unit.
  • Fix #271: DNSTAP over TCP, with dnstap-ip: "127.0.0.1@3333".
  • dnstap over TLS, default enabled. Configured with the
    options dnstap-tls, dnstap-tls-server-name, dnstap-tls-cert-bundle,
    dnstap-tls-client-key-file and dnstap-tls-client-cert-file.

BUG FIXES:

  • Fix #239: -Wincompatible-pointer-types warning in remote.c.
  • Fix configure for -Wstrict-prototypes.
  • Fix #262: Zone(s) not synchronizing properly via TLS.
  • Fix for #262: More error logging for SSL read failures for zone
    transfers.
  • Merge #265: Fix C99 compatibility issue.
  • Fix #266: Fix build with --without-ssl.
  • Fix for #267: neater variable definitions.
  • Fix #270: reserved identifier violation.
  • Fix to clean more memory on exit of dnstap collector.
  • Fix dnstap to not check socket path when using IP address.
  • Fix to compile without ssl with dnstap-tls code.
  • Dnstap tls code fixes.
  • Fix include brackets for ssl.h include statements, instead of quotes.
  • Fix static analyzer warning about nsd_event_method initialization.
  • Fix #273: Large TXT record breaks AXFR.
  • Fix ixfr create from adding too many record types.
  • Fix cirrus script for submit to coverity scan to libtoolize
    the configure script components config.guess and config.sub.
  • Fix readme status badge links.
  • make depend.
  • Fix for build to run flex and bison before compiling code that needs
    the headers.
  • Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
  • For #279: Note that autoreconf -fi creates the configure script
    and also the needed auxiliary files, for autoconf 2.69 and 2.71.
  • Fix unused variable warning in unit test, from clang compile.
  • Fix #240: Prefix messages originating from verifier.
  • Fix #275: Drop unnecessary root server checks.

NSD 4.6.1

10 Nov 08:28
NSD_4_6_1_REL

NSD 4.6.1

This release has a couple of bug fixes. ALPN is set for DNS over TLS
connections, and the SVCB type supports the dohpath parameter.

4.6.1

FEATURES:

  • Set ALPN "dot" token during connection establishment as per RFC 9103
    section 7.1 (Thanks Cesar Kuroiwa).
  • Add SVCB dohpath support.

BUG FIXES:

  • Fix static analyzer reports, fix wrong log print when skipping xfr,
    fix to print error on pipe read fail, and assert an xfr is in
    progress during packet checks.
  • Use AC_PROG_CC_STDC with autoconf versions prior to 2.70.
  • Add missing documentation for zone verification.
  • Fix #212: Change commandline control actions to always log.
  • Merge #231 from moritzbuhl: Fix checking if nonblocking sockets work
    on OpenBSD.
  • Change zone parsing to accept non-trailing newline.

NSD 4.6.0

01 Jul 08:07
NSD_4_6_0_REL

NSD 4.6.0

This release adds the zone verification support from the CreDNS code.
There are also some bug fixes in the ixfr out code.

Zone verification can start a verifier program that reads the new zone
data. It can reject the update or process the new zone data. The intent
is for a DNSSEC verifier to inspect the zone before it is passed on with
zone transfer or served to clients.

The zone verification can be enabled with enable: yes in the verify
section in nsd.conf. You can then list the interfaces the NSD listens on
while the verifier is active, so it can send queries for the new zone
contents. With verify-zones: yes zones are verified by default. The
command that is executed can be set with the verifier: ldns-verify-zone
option. With verifier-count the max number of concurrent verifiers can
be set. With the verifier-feed-zone: yes option the zone can be input
on stdin to the verifier program. A timeout to stop the verifier can be
set with the verifier-timeout option.

Per-zone options for zone verification can also be set for a pattern or
for a zone. With verify-zone the zone verification can be enabled
per zone. The verifier can be set per zone, and the verifier-feed-zone
and verifier-timeout options can be controlled per zone.

4.6.0

FEATURES:

  • Port zone-verification from CreDNS to NSD4.

BUG FIXES:

  • Fix static analyzer reports on ixfrcreate temp file.
  • Fixup wrong ixfrcreate fread return check.

NSD 4.5.0

13 May 06:55
NSD_4_5_0_REL

This release fixes a couple of minor bugs and adds IXFR out
functionality. With this functionality NSD can respond to IXFR queries
and serve IXFR transfers downstream.

It is disabled by default, which means NSD does not store IXFR contents
for zones by default. The response on the wire is different even with IXFR
disabled: because IXFR is now supported, a reply is served for those zones
too, stating that no differential data is available.

4.5.0

FEATURES:

  • Merge PR #209: IXFR out
    This adds IXFR out functionality to NSD. NSD can copy IXFRs from
    upstream to downstream clients, or create IXFRs from zonefiles.
    The options store-ixfr: yes and create-ixfr: yes can be used to
    turn this on. Default is turned off. The options ixfr-number and
    ixfr-size can be used to tune the number of IXFR transfers and
    total data size stored. This is configured per zone; the IXFRs
    are served to the hosts that are allowed to perform zone transfers
    and, if TSIG is configured, signed with the same key. The content
    is stored to file if a zonefile is configured for the zone, in
    the zonefile.ixfr and zonefile.ixfr.2, .. files. They contain
    readable text format. The number of IXFRs is num.rixfr in
    statistics output, also per zone if per zone statistics are enabled.
    If offline, nsd-checkzone -i can create ixfr files.
    NSD already supports requesting IXFRs, this addition allows NSD
    to serve IXFR transfers to clients.
    NSD stops responding with NOTIMPL to IXFR requests, also for zones
    that do not have IXFR enabled. The client gets a full zone reply
    or a status reply if the serial is up to date.

BUG FIXES:

  • Fix code analyzer zero divide warning.
  • Fix code analyzer large value with assertion.
  • Fix another code analyzer zero divide warning.
  • Fix code analyzer warning about uninitialized temp storage in loop.
  • Fix spelling error in comment in svcbparam_lookup_key.
  • Update cirrus script FreeBSD version.

NSD 4.4.0

17 Feb 08:12
NSD_4_4_0_REL

NSD 4.4.0

This release changes the memory allocation for outgoing zone transfers,
which reduces the memory footprint. The defaults for the amounts are
the same as before, but there are config options to configure the memory
usage. There are also bug fixes.

4.4.0

FEATURES:

  • Merge #193: Lower memory usage of the XFRD process by default.
    Instead of preallocating all elements, they are allocated when used.
    There are options for managing the memory usage, defaults are the
    same as before. xfrd-tcp-max sets the number of sockets for tcp
    connections that xfrd can make to download zone contents. And
    xfrd-tcp-pipeline the number of simultaneous transfers over the
    same connection.

BUG FIXES:

  • Fix #200: nsd-checkzone succeeds even with incorrect serial in SOA
    record.
  • Merge #204 from jonathangray: correct some spelling mistakes.
  • Fix to change file mode before changing file owner for the
    nsd-control unix socket file.
  • Fix to document nsd-checkzone -p in the man page for nsd-checkzone.
  • Fix #206: build with --without-ssl fails.
  • Merge #207 Sync nsd-control-setup with unbound-control-setup to
    generate certificates with SANs.
  • Fix unit tests for nsd-control-setup exit code and the
    xfrd-tcp-max default.

NSD_4_3_9_REL

10 Dec 07:54
NSD_4_3_9_REL

NSD 4.3.9

This release contains a small number of bug fixes. The reconfig failure
is fixed for cpu-affinity config re-read. Version repository and
continuous integration files are removed from the source code tarball.

4.3.9

BUG FIXES:

  • Fix #198: nsd-control reconfig core dump.
  • Fix to remove git tracking and ci information from release tarballs.
  • Fix unit tests for new answer-cookie default.
  • Fix socket_partitioning unit test for FreeBSD.
  • Fix SVCB test to work around older dig with drill.