NSD 4.14.2rc1

This release addresses a bug in the processing of IXFRs when adding and deleting RRs in collated IXFRs within the same network packet.

4.14.2

BUG FIXES:

• Merge #477: Improve ignored old serial log message.
• Fix in IXFR processing, to commit the collected RRs before
  deletions.

NSD_4_14_1_REL

The previous release promised reduced memory footprint from refactored RDATA storage (and it did for the vast majority of cases), but just after the release, we received a report that NSD was consuming more memory for specific kind of zones (with RRsets consisting of many RRs).
This release has that addressed so that NSD now consumes less memory in all cases and circumstances.
Other than that, this release contains bug fixes, among others some that emerged with the new RDATA storage code from the previous release.

4.14.1

FEATURES:

• Merge #469 from jschlyter: Add container build files

BUG FIXES:

• Fix to note DSYNC RFC9859 reference.
• Fix to note reference for NXNAME in comment.
• Merge #470 from jschlyter: Update path to default container
  configuration and entrypoint
• Fix rr-test.tdir so AMTRELAY relay field is "." with type 0
• Fix checkconf.tdir test to anticipate default values for
  send-buffer-size and receive-buffer-size when configured with 0
• skip dns-cookies.tdir test with restricted unpriviledged userns
• Fix #474: metrics output with zone statistics to change
  disallowed characters in metric names to underscores.
• Fix that non normalized NSEC next owner names are preserved.
• Fix to preserve case in literal dnames in RR types RRSIG,
  IPSECKEY, TALINK, DSYNC and AMTRELAY.
• Fix for #474: Fix metrics name for zone statistics for
  the queries_total to have disallowed characters changed
  to underscores.
• Fix to silence restricted userns check in test script.
• Fix #475 info: axfr for domain from not-verified.
• Fix metrics to clear server variable after close and log error
  on allocation failure.
• Fix to escape slashes when they appear in the zone name for a
  pattern zonefile that is created. Also for per zone statistics.
• Merge #472: Reduce memory usage with zones with RRsets
  consisting of many RRs.
• Fix man page for ip-address, add text about process numbers,
  bindtodevice and setfib.
• Fix systemd signalling so that it does not reload for too long.
  The reload is not signalled to systemd, so that long operations
  can complete, without systemd acting on a timer to stop them.

NSD 4.14.0rc1

The previous release promised reduced memory footprint from refactored RDATA storage (and it did for the vast majority of cases), but just after the release, we received a report that NSD was consuming more memory for specific kind of zones (with RRsets consisting of many RRs). This release will have that addressed so that NSD now consumes less memory in all cases and circumstances. A blog post highlighting these memory reductions will be posted with the actual release (next week).

Other than that, this release contains bug fixes, among others some that emerged with the new RDATA storage code from the previous release.

4.14.1

FEATURES:

• Merge #469 from jschlyter: Add container build files
  BUG FIXES:
• Fix to note DSYNC RFC9859 reference.
• Fix to note reference for NXNAME in comment.
• Merge #470 from jschlyter: Update path to default container
  configuration and entrypoint
• Fix rr-test.tdir so AMTRELAY relay field is "." with type 0
• Fix checkconf.tdir test to anticipate default values for
  send-buffer-size and receive-buffer-size when configured with 0
• skip dns-cookies.tdir test with restricted unpriviledged userns
• Fix #474: metrics output with zone statistics to change
  disallowed characters in metric names to underscores.
• Fix that non normalized NSEC next owner names are preserved.
• Fix to preserve case in literal dnames in RR types RRSIG,
  IPSECKEY, TALINK, DSYNC and AMTRELAY.
• Fix for #474: Fix metrics name for zone statistics for
  the queries_total to have disallowed characters changed
  to underscores.
• Fix to silence restricted userns check in test script.
• Fix #475 info: axfr for domain from not-verified.
• Fix metrics to clear server variable after close and log error
  on allocation failure.
• Fix to escape slashes when they appear in the zone name for a
  pattern zonefile that is created. Also for per zone statistics.
• Merge #472: Reduce memory usage with zones with RRsets
  consisting of many RRs.

NSD 4.14.0

This release consists of a refactor of the RDATA storage, reducing the memory
footprint of NSD, and various bug fixes.

4.14.0

FEATURES:

• Fix #137: Adds tcp-listen-queue: number config option to set
  the TCP backlog. And the default for the listen TCP backlog is
  set to -1 on BSDs and Linux.
• Merge #444: Refactor RDATA storage to reduce memory footprint

BUG FIXES:

• Fix empty debug statement body in catalog consumer zone process.
• Merge #459: Check for libfstrm version >= 0.4.
• For #459: Add configure check for fstrm_tcp_writer_options_init
  in addition to the check for fstrm_iothr_init.
• Merge #460: Add XDP_OBJ fixing link errors for XDP.
• Fix XDP build error with --enable-checking
• Resolve warnings about mixed declaration and code and unused variable
• Fix confusing report for default send and receive buffer-size by
  nsd-checkconf
• Fix to log more details when send-buffer-size or receive-buffer-size
  is not granted, on verbosity level 2.
• Update in acx_nlnetlabs.m4 to version 49.
• Update in acx_nlnetlabs.m4 to version 50, with cache value for
  malloc function check.
• Update acx_nlnetlabs.m4 to version 51, with nonstring unknown
  attribute warning fix.
• Merge #466: Do not delete nodes from non-existent zone's NSEC3 hash
  trees

simdzone 0.2.4

BUG FIXES:

• Correct lengths for GOST R 34.10-2012 and SM3 delegation signer (DS) digest
  algorithms
• Require the AMTRELAY relay field to be . for the no gateway relay type as
  specified by RFC 8777 (#257)

NSD 4.14.0rc1

This release consists of a refactor of the RDATA storage, reducing the memory footprint of NSD, and various bug fixes.

4.14.0

FEATURES:

• Fix #137: Adds tcp-listen-queue: number config option to set
  the TCP backlog. And the default for the listen TCP backlog is
  set to -1 on BSDs and Linux.
• Merge #444: Refactor RDATA storage to reduce memory footprint

BUG FIXES:

• Fix empty debug statement body in catalog consumer zone process.
• Merge #459: Check for libfstrm version >= 0.4.
• For #459: Add configure check for fstrm_tcp_writer_options_init
  in addition to the check for fstrm_iothr_init.
• Merge #460: Add XDP_OBJ fixing link errors for XDP.
• Fix XDP build error with --enable-checking
• Resolve warnings about mixed declaration and code and unused variable
• Fix confusing report for default send and receive buffer-size by
  nsd-checkconf
• Fix to log more details when send-buffer-size or receive-buffer-size
  is not granted, on verbosity level 2.
• Update in acx_nlnetlabs.m4 to version 49.
• Update in acx_nlnetlabs.m4 to version 50, with cache value for
  malloc function check.
• Update acx_nlnetlabs.m4 to version 51, with nonstring unknown
  attribute warning fix.
• Merge #466: Do not delete nodes from non-existent zone's NSEC3 hash
  trees

simdzone 0.2.4

BUG FIXES:

• Correct lengths for GOST R 34.10-2012 and SM3 delegation signer (DS) digest
  algorithms
• Require the AMTRELAY relay field to be . for the no gateway relay type as
  specified by RFC 8777 (#257)

NSD 4.13.0

This release enables some commonly used features by default, and introduces
experimental support for AF_XDP sockets that can be enabled with the
--enable-xdp feature flag (see https://nsd.docs.nlnetlabs.nl/en/latest/xdp.html).

4.13.0

FEATURES:

• Use '(all)' and '(none)' for the socket server affinity
  log output instead of '*' and '-'.
• The --enable-bind8-stats feature, was already enabled by default,
  is described as enabled by default in usage.
• The --enable-zone-stats feature is enabled by default. It can be
  turned on with config like zonestats: "%s".
• The --enable-ratelimit feature is enabled by default. The
  ratelimit value is off by default. It can be turned on with
  config like rrl-ratelimit: 200.
• The --enable-dnstap feature is enabled by default. If fstrm-devel
  or protobuf-c are not found by configure it prints an error.
  It can be turned on with config like dnstap-enable: yes.
• Change default for send-buffer-size to 4m, to mitigate a
  cross-layer issue where the UDP socket send buffers are
  exhausted waiting for ARP/NDP resolution. Thanks to Reflyable
  for the report.
• Disable TLSv1.2 if TLSv1.3 is available.
• Merge #449: Add useful logging for XoT transfers.
• Merge #425: Add experimental XDP (AF_XDP) support for UDP traffic
• Merge #455: --with-dbdir option for configure to set the base
  directory for the xfrd zone timer state file, the zone list file
  and the cookie secrets file. Thanks Simon Josefsson.
• Merge #456: Spelling fixes in metrics.c. Thanks Simon Josefsson.

BUG FIXES:

• Fix punctuation of nsd -h output for the -a option.
• Fix checkconf unit test for when metrics are not enabled.
• Prometheus metrics tests require --enable-zone-stats.
• Add unit test for socket server affinity log output.
• Move xfrd-tcp unit test to its own file.
• Fix contrib/nsd.spec to omit configure flags that are default or
  that do not exist.
• Fix to remove mention of obsolete root-server option.
• Fix mention of draft-rrtypes and root-server configure options.
• Fix ci workflow for enable dnstap.
• Fix to remove use of sprintf from metrics.
• Fix for fstrm and protobuf-c for ci workflow coverity-scan.
• Fix for parallel build of dnstap protoc-c output.
• Fix to remove unneeded mkdir from Makefile.
• Fix dnstap to use protoc and keep dnstap_config.h unchanged if
  possible.
• Fix to provide doc for --enable-systemd.
• Fix to remove debug printout for configure dnstap header.
• Fix #441: SystemD script for NSD prevents using chroot.
• Fix to add checks for compression pointers and too long dnames in
  internal dname routines, dname_make and ixfr dname_length.
• Fix to remove shell assignment operator from Makefile for DATE.
• make depend.
• Fix bitwise operators in conditional expressions with parentheses.
• Fix conditional expressions with parentheses for bitwise and.
• Merge #445: contrib/nsd.openrc.in: use supervise-daemon and
  add need net.
• Fix #446 nsd_size_db_in_mem_bytes (size.db.mem) metric not
  updated on reload.
• Merge #447: Minimize disruptions on reconfig.
• For #447: Updated simdzone to latest commit. With the padding
  test changes.
• For #447: use need_to_send_reload to detect if a reload is issued.
• For #447: acl_list_equal already tests for TSIG key changes, so
  removed the duplicate checks.
• For #447: log crypto error with the SSL_write error.
• Update simdzone with support for --enable-pie.
• Merge #454 from jaredmauch: handle rare case but seen in
  production where data->query is NULL.

simdzone 0.2.3

FEATURES:

• check_pie: match nsd support (#253).

BUG FIXES:

• Fix tests to initialize padding (#252).
• Fix for #253, add acx_nlnetlabs.m4 in the repo and allow CFLAGS passed to
  configure to set the flags.

NSD 4.13.0rc1

This release enables some commonly used features by default, and introduces
experimental support for AF_XDP sockets that can be enabled with the
--enable-xdp feature flag (see https://nsd.docs.nlnetlabs.nl/en/latest/xdp.html).

4.13.0

FEATURES:

• Use '(all)' and '(none)' for the socket server affinity
  log output instead of '*' and '-'.
• The --enable-bind8-stats feature, was already enabled by default,
  is described as enabled by default in usage.
• The --enable-zone-stats feature is enabled by default. It can be
  turned on with config like zonestats: "%s".
• The --enable-ratelimit feature is enabled by default. The
  ratelimit value is off by default. It can be turned on with
  config like rrl-ratelimit: 200.
• The --enable-dnstap feature is enabled by default. If fstrm-devel
  or protobuf-c are not found by configure it prints an error.
  It can be turned on with config like dnstap-enable: yes.
• Change default for send-buffer-size to 4m, to mitigate a
  cross-layer issue where the UDP socket send buffers are
  exhausted waiting for ARP/NDP resolution. Thanks to Reflyable
  for the report.
• Disable TLSv1.2 if TLSv1.3 is available.
• Merge #449: Add useful logging for XoT transfers.
• Merge #425: Add experimental XDP (AF_XDP) support for UDP traffic
• Merge #455: --with-dbdir option for configure to set the base
  directory for the xfrd zone timer state file, the zone list file
  and the cookie secrets file. Thanks Simon Josefsson.
• Merge #456: Spelling fixes in metrics.c. Thanks Simon Josefsson.

BUG FIXES:

• Fix punctuation of nsd -h output for the -a option.
• Fix checkconf unit test for when metrics are not enabled.
• Prometheus metrics tests require --enable-zone-stats.
• Add unit test for socket server affinity log output.
• Move xfrd-tcp unit test to its own file.
• Fix contrib/nsd.spec to omit configure flags that are default or
  that do not exist.
• Fix to remove mention of obsolete root-server option.
• Fix mention of draft-rrtypes and root-server configure options.
• Fix ci workflow for enable dnstap.
• Fix to remove use of sprintf from metrics.
• Fix for fstrm and protobuf-c for ci workflow coverity-scan.
• Fix for parallel build of dnstap protoc-c output.
• Fix to remove unneeded mkdir from Makefile.
• Fix dnstap to use protoc and keep dnstap_config.h unchanged if
  possible.
• Fix to provide doc for --enable-systemd.
• Fix to remove debug printout for configure dnstap header.
• Fix #441: SystemD script for NSD prevents using chroot.
• Fix to add checks for compression pointers and too long dnames in
  internal dname routines, dname_make and ixfr dname_length.
• Fix to remove shell assignment operator from Makefile for DATE.
• make depend.
• Fix bitwise operators in conditional expressions with parentheses.
• Fix conditional expressions with parentheses for bitwise and.
• Merge #445: contrib/nsd.openrc.in: use supervise-daemon and
  add need net.
• Fix #446 nsd_size_db_in_mem_bytes (size.db.mem) metric not
  updated on reload.
• Merge #447: Minimize disruptions on reconfig.
• For #447: Updated simdzone to latest commit. With the padding
  test changes.
• For #447: use need_to_send_reload to detect if a reload is issued.
• For #447: acl_list_equal already tests for TSIG key changes, so
  removed the duplicate checks.
• For #447: log crypto error with the SSL_write error.
• Update simdzone with support for --enable-pie.
• Merge #454 from jaredmauch: handle rare case but seen in
  production where data->query is NULL.

simdzone 0.2.3

FEATURES:

• check_pie: match nsd support (#253).

BUG FIXES:

• Fix tests to initialize padding (#252).
• Fix for #253, add acx_nlnetlabs.m4 in the repo and allow CFLAGS passed to
  configure to set the flags.

NSD 4.12.0

This release introduces Prometheus metrics that can be configured with
enable-metrics (see nsd.conf(5)).

nsd 4.12.0

FEATURES:

• Merge #418: Support for DSYNC, EID, NIMLOC, SINK, TALINK, DOA,
  AMTRELAY and IPN resource record types.
• Merge #420: Zones get state "old-serial" with
  nsd-control zonestatus when the served serial is older than
  the one received by the transfer daemon.
• Merge #429: Add prometheus metrics

BUG FIXES:

• Fix re-enable to configure dns-cookies from config file, which was
  accidentally removed with the 4.11.1 release.
• Fix #426: nsd crashes with patterns in config_apply_pattern.
• Fix for #430: Confusing documentation: word "outgoing".
• Fix for #430: Confusing documentation: word "outgoing". Add wording
  to tcp-count, xfrd-tcp-max, xfrd-tcp-pipeline options.
• Fix that nsec3 prehash after a full transfer can create the nsec3
  zone trees if they are needed.
• Fix in nsd-mem for a zone with ixfr data.
• Fix ixfr read routine for use after the temp region is freed of rr.
• Fix ixfr file read to manage numlist in temp domains.
• Fix nsd-mem to clean ixfr storage.
• Fix log print assert in server sockets for printing '-' empty.
• Fix notify_fmt test for xfrd file location.
• Fix sanitizer warnings in read_uint32.
• Fix sanitizer warning in tsig write of zero length mac and otherdata.
• Fix to please sanitizer for ixfr store of data in cancelled state.
• Fix multiple zone transfers in one reload so that xfrd does not
  check the update as failed and restart the transfer.
• Fix read of ixfr file with rdata subdomain.
• Fix test checkconf for metrics options.
• Updated simdzone to include fixes for NSAP-PTR, LOC,
  uninitialized reads, and comment nit.
• Fix #436: Fix print of RR type NSAP-PTR.
• Fix unit test call to zone_parse_string and initialize padding.
• Fix escape more characters when printing an RR type with an
  unquoted string.
• Fix memory leak in the process of addzone.
• Fix to update common.sh for speed of kill_pid.
• Fix nsd-checkzone ixfr create cleanup on exit.

simdzone 0.2.2

FEATURES:

• Support for EID, NIMLOC, SINK, TALINK, DSYNC, DOA, AMTRELAY
  and IPN RR types.

BUG FIXES:

• Empty base16 and base64 in CDS and CDNSKEY can be represented
  with a '0'. As specified in Section 4 of RFC 8078.
• Initialise padding after the file buffer (#249).
• Fix type NSAP-PTR (#250).
• Fix LOC poweroften lookup (#251).

NSD 4.12.0rc1

This release introduces Prometheus metrics that can be compiled with
--enable-prometheus-metrics and configured with enable-metrics (see nsd.conf(5)).

4.12.0

FEATURES:

• Merge #418: Support for DSYNC, EID, NIMLOC, SINK, TALINK, DOA,
  AMTRELAY and IPN resource record types.
• Merge #420: Zones get state "old-serial" with
  nsd-control zonestatus when the served serial is older than
  the one received by the transfer daemon.
• Merge #429: Add prometheus metrics

BUG FIXES:

• Fix re-enable to configure dns-cookies from config file, which was
  accidentally removed with the 4.11.1 release.
• Fix #426: nsd crashes with patterns in config_apply_pattern.
• Fix for #430: Confusing documentation: word "outgoing".
• Fix for #430: Confusing documentation: word "outgoing". Add wording
  to tcp-count, xfrd-tcp-max, xfrd-tcp-pipeline options.
• Fix that nsec3 prehash after a full transfer can create the nsec3
  zone trees if they are needed.
• Fix in nsd-mem for a zone with ixfr data.
• Fix ixfr read routine for use after the temp region is freed of rr.
• Fix ixfr file read to manage numlist in temp domains.
• Fix nsd-mem to clean ixfr storage.
• Fix log print assert in server sockets for printing '-' empty.
• Fix notify_fmt test for xfrd file location.
• Fix sanitizer warnings in read_uint32.
• Fix sanitizer warning in tsig write of zero length mac and otherdata.
• Fix to please sanitizer for ixfr store of data in cancelled state.
• Fix multiple zone transfers in one reload so that xfrd does not
  check the update as failed and restart the transfer.
• Fix read of ixfr file with rdata subdomain.
• Fix test checkconf for metrics options.
• Updated simdzone to include fixes for NSAP-PTR, LOC,
  uninitialized reads, and comment nit.
• Fix #436: Fix print of RR type NSAP-PTR.
• Fix unit test call to zone_parse_string and initialize padding.
• Fix escape more characters when printing an RR type with an
  unquoted string.
• Fix memory leak in the process of addzone.
• Fix to update common.sh for speed of kill_pid.
• Fix nsd-checkzone ixfr create cleanup on exit.

simdzone 0.2.2

FEATURES:

• Support for EID, NIMLOC, SINK, TALINK, DSYNC, DOA, AMTRELAY and IPN RR types.

BUG FIXES:

• Empty base16 and base64 in CDS and CDNSKEY can be represented with a '0'.
  As specified in Section 4 of RFC 8078.
• Initialise padding after the file buffer (#249).
• Fix type NSAP-PTR (#250).
• Fix LOC poweroften lookup (#251).

NSD_4_11_1_REL: NSD 4.11.1

NSD version 4.11.0 had a serious bug in which applying updates to zones (and other modifications that require a reload, such as adding and deleting zones), could stop entirely after reception of a broken or corrupted update via zone transfer. We believe that this broken state would appear as one of the NSD processes consuming 100% CPU. Version 4.11.1 has this corrected as well as some other smaller non-critical bugs.

We strongly advise to not run NSD version 4.11.0, and if you have it deployed already, upgrade to 4.11.1 at the earliest possible opportunity.

Many thanks to the people at SUNET and netnod (Fredrik and Arvid and all the others) that helped us to get to the bottom of this critical issue!

nsd 4.11.1

BUG FIXES:

• Fix #415: Fix out of tree builds. Thanks Florian Obser (@fobser).
• Fix #414: XoT interoperability with BIND and Knot
• Fix #421: old-main can quit before the reload process received
  from old-main that it is done on the reload_listener pipe.
  Thanks Otto Retter.
• Fix whitespace in comment.
• Fix #424: Stalled updates after corrupt transfer.

simdzone 0.2.1

BUG FIXES:

• Cleanup westmere and haswell object files (#244) Thanks @fobser
• Out of tree builds (#415)
• Fix function declarations for fallback detection routine in
  isadetection.h.