author: florian <florian@openbsd.org> 2020-05-14 06:07:20 +0000
committer: florian <florian@openbsd.org> 2020-05-14 06:07:20 +0000
commit: a3a6752bb24d307e3bf8bde69e58132dadd07bd0
tree: dab6e52f0dfe6882b6778378544989e572eb03fd /usr.sbin/nsd/doc
parent: Remove unnecessary logging messages.
We forgot to keep ChangeLog in sync in previous updates.
Bring in the missing changes up to 4.2.4. Also bring in doc/RELNOTES. Both changes ease the process of syncing with upstream.
OK sthen
Diffstat (limited to 'usr.sbin/nsd/doc')
-rw-r--r-- usr.sbin/nsd/doc/ChangeLog 83
-rw-r--r-- usr.sbin/nsd/doc/RELNOTES 1930
2 files changed, 2013 insertions, 0 deletions
diff --git a/usr.sbin/nsd/doc/ChangeLog b/usr.sbin/nsd/doc/ChangeLog
index b7733ad0c86..5070b61afc6 100644
--- a/usr.sbin/nsd/doc/ChangeLog
+++ b/usr.sbin/nsd/doc/ChangeLog
@@ -1,5 +1,88 @@
+3 December 2019: Wouter
+ - Fix #52: do not log transient network full errors unless higher
+ verbosity is set.
+ - Fix checkconf test for new error output string.
+ - tag for 4.2.4rc1 release.
+
+27 November 2017 Jeroen
+ - Fix regressions in configparser.y
+
+22 November 2019: Wouter
+ - Fix #48: Add make distclean that removes config.h made by configure.
+ And add maintainer-clean that removes bison and flex output.
+
+18 November 2019: Wouter
+ - Detect fixed time memcmp for openssl 0.9.8 compatibility.
+ - Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
+ - include limits.h for UINT_MAX.
+ - If no recvmmsg, dont use msg_flags member, but errno for error,
+ where our fallback function left it, msg_flags also does not exist
+ on some systems.
+ - Remove unused variable warning for portability.
+
+14 November 2019: Wouter
+ - Fix checkconf test with filenames that sort in the same order.
+ - Tag for 4.2.3rc1. Branch master is 4.2.4 in development.
+
+11 November 2019: Wouter
+ - Fix #44: document that remote-control is a top-level nsd.conf
+ attribute.
+ - Fix compile on OSX.
+ - Fix for #44: nicer top-level clause documentation.
+
+22 October 2019: Jeroen
+ - Number of different UDP handlers has been reduced to one. recvmmsg
+ and sendmmsg implementations are now used on all platforms.
+ Compatible implementations are in place for systems that lack the
+ system calls.
+ - Socket options are now set in designated functions for easy reuse.
+ - Socket setup has been simplified for easy reuse.
+ - Configuration parser is now aware of the context in which an option
+ was specified.
+
+21 October 2019: Wouter
+ - For #21 add
+ contrib/patch_for_s6_startup_and_other_service_supervisors.diff
+ that adds support for readiness notification with READY_FD from
+ Cameron Nemo.
+
+17 October 2019: Jeroen
+ - Fix #40: Merge small fixes for confine-to-zone by Greg Bock.
+
+15 October 2019: Jeroen
+ - For #39: Merge confine-to-zone feature contributes by Greg Bock.
+
+26 September 2019: Wouter
+ - Fix #38: log address and failure reason with tls handshake errors,
+ squelches (the same as unbound) some unless high verbosity is used.
+ - Fixup clang analysis warning in xfrd_parse_received_xfr_packet
+ master dereference.
+
+25 September 2019: Wouter
+ - The nsd.conf includes are sorted ascending, for include statements
+ with a '*' from glob.
+
+16 September 2019: Wouter
+ - Fixup warnings during --disable-ipv6 compile.
+ - Fixup unit test executable to run without IPv6.
+
+4 September 2019: Wouter
+ - Fix #35: excessive logging of ixfr failures, it stops the log when
+ fallback to axfr is possible. log is enabled at high verbosity.
+
+2 September 2019: Wouter
+ - For #21: pidfile "" allows to run NSD without a pidfile, for
+ startup management tools like daemontools.
+
+28 August 2019: Wouter
+ - In tests check for tls test tool availability.
+
+19 August 2019: Wouter
+ - Tag for 4.2.2 release. Git master contains 4.2.3 in development.
+
13 August 2019: Wouter
- Fix error message for out of zone data to have more information.
+ - Tag for 4.2.2rc2.
12 August 2019: Wouter
- Fix #33: Fix segfault in service of remaining streams on exit.
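Review bot: the added ChangeLog header "27 November 2017 Jeroen" is out of step with its neighbours. It sits between the entries for "3 December 2019" and "22 November 2019", and it lacks the colon after the year that the other date headers in this hunk carry, so the year reads like a typo for 2019. Since the commit message says the import is meant to ease syncing with upstream, keep the line as imported and raise the correction upstream, so the local copy does not diverge from the file it is synced against.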
diff --git a/usr.sbin/nsd/doc/RELNOTES b/usr.sbin/nsd/doc/RELNOTES
new file mode 100644
index 00000000000..d4f1dc66b8e
--- /dev/null
+++ b/usr.sbin/nsd/doc/RELNOTES
@@ -0,0 +1,1930 @@
+NSD RELEASE NOTES
+
+4.2.4
+================
+FEATURES:
+ - Fix #48: Add make distclean that removes config.h made by configure.
+ And add maintainer-clean that removes bison and flex output.
+BUG FIXES:
+ - Detect fixed time memcmp for openssl 0.9.8 compatibility.
+ - Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
+ - include limits.h for UINT_MAX.
+ - If no recvmmsg, dont use msg_flags member, but errno for error,
+ where our fallback function left it, msg_flags also does not exist
+ on some systems.
+ - Remove unused variable warning for portability.
+ - Fix #52: do not log transient network full errors unless higher
+ verbosity is set.
+ - Fix regressions in configparser.y where global variables were not
+ set for minimal-responses, round-robin and log-time-ascii.
+
+
+4.2.3
+================
+FEATURES:
+ - For #39: confine-to-zone configures NSD to not return out-of-zone
+ additional information. Contributed by Greg Bock.
+ - For #21: pidfile "" allows to run NSD without a pidfile, for
+ startup management tools like daemontools.
+ - For #21 add
+ contrib/patch_for_s6_startup_and_other_service_supervisors.diff
+ that adds support for readiness notification with READY_FD from
+ Cameron Nemo.
+BUG FIXES:
+ - Fix #35: excessive logging of ixfr failures, it stops the log when
+ fallback to axfr is possible. log is enabled at high verbosity.
+ - Fixup warnings during --disable-ipv6 compile.
+ - The nsd.conf includes are sorted ascending, for include statements
+ with a '*' from glob.
+ - Fix #38: log address and failure reason with tls handshake errors,
+ squelches (the same as unbound) some unless high verbosity is used.
+ - Fixup clang analysis warning in xfrd_parse_received_xfr_packet
+ master dereference.
+CHANGES:
+ - Number of different UDP handlers has been reduced to one. recvmmsg
+ and sendmmsg implementations are now used on all platforms.
+ Compatible implementations are in place for systems that lack the
+ system calls.
+ - Socket options are now set in designated functions for easy reuse.
+ - Socket setup has been simplified for easy reuse.
+ - Configuration parser is now aware of the context in which an option
+ was specified.
+ - Fix #44: document that remote-control is a top-level nsd.conf
+ attribute.
+
+
+4.2.2
+================
+BUG FIXES:
+ - Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
+ dname_concatenate() function. Reported by Frederic Cambus.
+ It causes the zone parser to crash on a malformed zone file,
+ with assertions enabled, an assertion catches it.
+ - Fix #19: Out-of-bounds read caused by improper validation of
+ array index. Reported by Frederic Cambus. The zone parser
+ fails on type SIG because of mismatched definition with RRSIG.
+ - PR #23: Fix typo in nsd.conf man-page.
+ - Fix that NSD warns for wrong length of the hash in SSHFP records.
+ - Fix #25: NSD doesn't refresh zones after extended downtime,
+ it refreshes the old zones.
+ - Set no renegotiation on the SSL context to stop client
+ session renegotiation.
+ - Fix #29: SSHFP check NULL pointer dereference.
+ - Fix #30: SSHFP check failure due to missing domain name.
+ - Fix to timeval_add in minievent for remaining second in microseconds.
+ - PR #31: nsd-control: Add missing stdio header.
+ - PR #32: tsig: Fix compilation without HAVE_SSL.
+ - Cleanup tls context on xfrd exit.
+ - Fix #33: Fix segfault in service of remaining streams on exit.
+ - Fix error message for out of zone data to have more information.
+
+
+4.2.1
+================
+FEATURES:
+ - Added num.tls and num.tls6 stat counters.
+ - PR #12: send-buffer-size, receive-buffer-size,
+ tcp-reject-overflow options for nsd.conf, from Jeroen Koekkoek.
+ - Fix #14, tcp connections have 1/10 to be active and have to work
+ every second, and then they get time to complete during a reload,
+ this is a process that lingers with the old version during a version
+ update.
+BUG FIXES:
+ - Fix #13: Stray dot at the end of some log entries, removes dot
+ after updated serial number in log entry.
+ - Fix TLS cipher selection, the previous was redundant, prefers
+ CHACHA20-POLY1305 over AESGCM and was not as readable as it
+ could be.
+ - Consolidate server tls context create and remote control context
+ create, with hardening for the remote control tls context too.
+ - Fix to init event structure for reassignment.
+ - Fix to init event not pointer, in reassignment.
+ - Fix #15: crash in SSL library, initialize variables for TCP access
+ when TLS is configured.
+ - Fix tls handshake event callback function mistake, reported
+ by Mykhailo Danylenko.
+ - Initialize event structures before event_set, to stop uninitialized
+ values from setting event library lists and assertions, that would
+ sometimes also show after event_del.
+ - Do not use symbol from libc, instead use own replacement, if not
+ available, for accept4.
+ - Fix output of nsd-checkconf -h.
+
+
+4.2.0
+================
+FEATURES:
+ - Print IP address when bind socket fails with error.
+ - Fix #4249: The option hide-identity: yes stops NSD from responding
+ with the hostname for chaos class queries. Implements the RFC4892
+ security considerations.
+ - Patch to add support for TCP Fast Open, from Sara
+ Dickinson (Sinodun).
+ - Patch to add support for tls service on a specified tls port,
+ from Sara Dickinson (Sinodun).
+ - Use travis for build check, initial unit test and clang analysis.
+ - TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
+ patch from Andreas Schulze.
+BUG FIXES:
+ - Fix to delete unused zparser.default_apex member.
+ - Fix that the TLS handshake routine sets the correct event to
+ continue when done.
+ - Fix that TLS renegotiation calls the read and write routines again
+ with the same parameters when the desired event has been satisfied.
+ - Fix that TCP Fastopen has better error message and supports OSX.
+ - Fix to avoid buffer alloc with global buffer in tls write handler.
+ - Fix to initialize event structure when accepting TCP connection.
+ - Disable TLS1.0, TLS1.1 and weak ciphers, enable
+ CIPHER_SERVER_PREFERENCE, patch from Andreas Schulze.
+ - further setup ssl ctx after the keys are loaded, for ECDH.
+ - Fix #10: Fix memory leaks caused by duplicate rr and include
+ instructions.
+ - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
+
+
+4.1.27
+================
+FEATURES:
+ - Deny ANY with only one RR in response, by default. Patch from
+ Daisuke Higashi. The deny-any statement in nsd.conf sets ANY
+ queries over UDP to be further moved to TCP as well.
+ Also no additional section processing for type ANY, reducing
+ the response size.
+ - Fix #4215: on-the-fly change of TSIG keys with patch from Igor, adds
+ nsd-control print_tsig, update_tsig, add_tsig, assoc_tsig
+ and del_tsig. These changes are gone after reload, edit the
+ config file (or a file included from it) to make changes that
+ last after restart.
+BUG FIXES:
+ - Fix #4213: disable-ipv6 and dnstap compile error.
+ - Fix to reduce region_log_stats if condition, this removes a
+ debug statement.
+ - Fix for FreeBSD port with dnstap enabled.
+ - Fix to remove unused code.
+ - Fix #6: nsd-control-setup: Change validity time to a shorter
+ period (<2038).
+ - Fix unused definition in header remote.h.
+ - Fix #4236: IPV4_MINIMAL_RESPONSE_SIZE=1480 is slightly too big.
+ - Fix #4235: IP_PMTUDISC_OMIT on IPv4/UDP sockets.
+ - Fixed radtree_insert memory leak.
+ - Fixed access recycled variable.
+
+
+4.1.26
+================
+FEATURES:
+ - DNSTAP support for NSD, --enable-dnstap and then config in nsd.conf.
+ - Support SO_REUSEPORT_LB in FreeBSD 12 with the reuseport: yes
+ option in nsd.conf.
+ - Added nsd-control changezone. nsd-control changezone name pattern
+ allows the change of a zone pattern option without downtime for
+ the zone, in one operation.
+BUG FIXES:
+ - Fix #4194: Zone file parser derailed by non-FQDN names in RHS of
+ DNSSEC RRs.
+ - Fix #4202: nsd-control delzone incorrect exit code on error.
+ - Tab style fix to use tab for 8 spaces, from Xiaobo Liu.
+ - Fix #4205: enable-recvmmsg in mixed IPv4/IPv6 environment fails.
+ This sets the msg_hdr.msg_namelen correctly after receipt.
+ - Fix to not set GLOB_NOSORT so the nsd.conf include: files are
+ sorted and in a predictable order.
+ - Fix #3433: document that reconfig does not change per-zone stats.
+
+
+4.1.25
+================
+FEATURES:
+ - nsd-control prints neater errors for file failures.
+BUG FIXES:
+ - Fix that nsec3 precompile deletion happens before the RRs of
+ the zone are deleted.
+ - Fix printout of accepted remote control connection for unix sockets.
+ - Fix use_systemd typo/leftover in remote.c.
+ - Fix codingstyle in nsd-checkconf.c in patch from Sharp Liu.
+ - append_trailing_slash has one implementation and is not repeated
+ differently.
+ - Fix coding style in nsd.c
+ - Fix to combine the same error function into one, from Xiaobo Liu.
+ - Fix initialisation in remote.c.
+ - please clang analyzer and fix parse of IPSECKEY with bad gateway.
+ - Fix nsd-checkconf fail on bad zone name.
+ - Annotate exit functions with noreturn.
+ - Remove unused if clause during server service startup.
+ - Fix #4156: Fix systemd service manager state change notification
+ When it is compiled, systemd readiness signalling is enabled.
+ The option in nsd.conf is not used, it is ignored when read.
+
+
+4.1.24
+================
+FEATURES:
+ - #4102: control interface via local socket.
+ configure it with control-interface: "/path/nsd.ctl" The path
+ has to start with a / to separate it from an IP address.
+ The local socket does not use SSL, but unencrypted traffic, use
+ file and containing directory permissions to restrict access.
+ - configure --enable-systemd (needs pkg-config and libsystemd) can
+ be used to then use-systemd: yes in nsd.conf and have readiness
+ signalling with systemd.
+ - RFC8162 support, for record type SMIMEA.
+BUG FIXES:
+ - Patch to fix openwrt for mac os build darwin detection in configure.
+ - Fix that first control-interface determines if TLS is used. Warn
+ when IP address interfaces are used without TLS.
+ - #4106: Fix that stats printed from nsd-control are recast from
+ unsigned long to unsigned (remote.c).
+ - Fix that type CAA (and URI) in the zone file can contain
+ dots when not in quotes.
+ - #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
+ chain, NSD leniently attempts to find a working NSEC3PARAM.
+
+
+4.1.23
+================
+BUG FIXES:
+ - Fix NSD time sensitive TSIG compare vulnerability.
+
+
+4.1.22
+================
+FEATURES:
+ - refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
+ and allows TCP queries like normal.
+ - Use accept4 to speed up answer of TCP queries, on Linux, FreeBSD
+ and OpenBSD.
+BUG FIXES:
+ - Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.
+ - Fix to use same condition for nsec3 hash allocation and free.
+
+
+4.1.21
+================
+FEATURES:
+ - --enable-memclean cleans up memory for use with memory checkers,
+ eg. valgrind.
+ - refuse-any nsd.conf option that refuses queries of type ANY.
+ - lower memory usage for tcp connections, so tcp-count can be higher.
+BUG FIXES:
+ - Fix unused variable warnings and uninit variable in statistics
+ printout from clang analyzer.
+ - Fix spelling error in xfr-inspect.
+ - Fix #3562: explain build error when flex missing.
+ - Fix buffer size warnings from compiler on filename lengths.
+ - Fix #4093: Release notes not using 2018.
+
+
+4.1.20
+================
+BUG FIXES:
+ - Fix memory leak in zone file read of unknown rr formatted RRs.
+ - Fix memory leak when rehashing nsec3 after axfr or zonefile read,
+ in the selectively allocated precompiled nsec3 hashes.
+
+
+4.1.19
+================
+BUG FIXES:
+ - ignore fallthrough compiler warning in flex EOF rule.
+ - Fix warnings emitted by clang for --enable-packed. Alignment is not
+ a problem for x86_64, don't enable packed when the platform
+ requires aligned access.
+ - Fix spelling error in xfr-inspect.
+ - Fix 3392: Fix regression in 4.1.18 for notify lists with ip4
+ and ip6 targets.
+ - Add test for support of -Wno-address-of-packed-member for
+ --enable-packed.
+
+
+4.1.18
+================
+FEATURES:
+ - xfr-inspect, it is not installed, it prints xfr files from /tmp
+ made with 'make xfr-inspect' in the source dir.
+ - retry timeout between sending notifies dropped from 15 to 3 sec.
+ - NSD sends 16 notifies simultaneously.
+ - configure --enable-packed reduces memory usage, at expense of
+ unaligned reads. Saves about 17%.
+ - Save memory by selectively allocate precompiled nsec3 hashes,
+ saves about 16% memory.
+ - make ip-transparent option work on OpenBSD.
+ - Save about 2% memory by changing usage count size in name tree.
+ - Fix #2871: Increase number of sockets for xfrd transfers.
+BUG FIXES:
+ - Fix gcc 7.1.1 warnings.
+ - Fix writev compile warning on FreeBSD.
+ - Fix #1446: A corrupted zone file "propagates" to good ones.
+ - nsd-control zonestatus prints wait time between attempts, for zones
+ that are in that waiting time.
+ - Fix collision printout of nsec3 to print name, hash and reverse.
+ - Fix #1567: Change crit to err log level for gettimeofday failure.
+ Add defines for compile without syslog.
+ - Fix crash for DS query when parent and child zones both configured
+ in nsd.conf and parent zone has not loaded properly.
+
+
+4.1.17
+================
+FEATURES:
+ - zone parser parses type AVC (it has TXT format).
+ - Fix #1272: use writev to put tcp length field with data for outgoing
+ zone transfer requests.
+BUG FIXES:
+ - Fix potential null pointer in nsec3 adjustment tree.
+ - Fix text format of deletes for CDS and CDNSKEY, single 0 to represent
+ empty base64 or hex string.
+
+
+4.1.16
+================
+FEATURES:
+ - zone parser can parse acronyms for algorithms ED25519 and ED448.
+ - Fix 1243: Option to make NSD emit really minimal responses,
+ minimal-responses: yes in nsd.conf.
+BUG FIXES:
+ - Calculate new udb index after growing the array, fix from
+ Chaofeng Liu.
+ - Fix missing _t to _type conversion for disable-radix-tree option.
+ - Printout serial error with hint it may be too big.
+ - Fix 1228: OpenSSL include is not guarded with HAVE_SSL
+ - Patch for expire state in multi-master when masters includes
+ broken master, from Manabu Sonoda.
+ - minor manpage fix.
+
+
+4.1.15
+================
+BUG FIXES:
+ - Fix nsd-control and ipv6 only.
+ - Squelch zone transfer error address family not supported by protocol
+ at low verbosity levels.
+ - Fix #1195: Fix so that NSD fails on non-compliant values for Serial.
+ - Fix to rename _t typedefs because POSIX reserves them.
+ - Fix that nsec3 hash collisions only reported on verbosity level 3.
+
+
+4.1.14
+================
+FEATURES:
+ - Fix #1132 for SERVFAIL zones perform backoff, and remembers the
+ timeout on next startup.
+BUG FIXES:
+ - Fix null memcpy for radixtree with single link element.
+ - Robust fix against missing master in tcp_open for xfrd.
+ - Fix wildcards in include: config statements with chroot enabled.
+ - suppress compile warning in lex files.
+ - Fix to try every master once, then wait for timeout or notify.
+ - Save backoff timeout into xfrd.state file, this file has a higher
+ version number now. Old files are skipped silently (causes
+ refresh) and created as new files upon exit.
+ - Fix restart of zone transfers when new config becomes available.
+
+
+4.1.13
+================
+FEATURES:
+ - multi-master-check: yes can be used to check all masters for the
+ last version, using the higher version from the configured masters,
+ from Manabu Sonoda.
+ - Support RR type OPENPGPKEY from RFC 7929.
+ - Can config key algorithms with the digest name, eg. 'sha256'.
+ - configure --disable-radix-tree for about 15% lower memory usage.
+ - for type SRV add A/AAAA to the additional section (if possible),
+ just like we already do for type MX.
+ - more extensible edns option handling.
+BUG FIXES:
+ - Fix compile warnings about unused result from write and strtol.
+ and signcompare in minmax retrytime.
+ - Fix #812: fix that make depend fails after distribution.
+ - Fix #817: xfrd update failed loop.
+ - Add robustness against unallocated data in nsec3 trees.
+ - Fix README spelling error of BSD license (reported by Joerg Jung).
+ - Fix multimaster for not tried full zone transfer for a expired zone.
+ - Fix #827: fix compile with openssl 1.1.0 with api=1.1.0.
+
+
+4.1.12
+================
+BUG FIXES:
+ - Fix malformed edns query assertion failure, reported by
+ Michal Kepien (NASK).
+
+
+4.1.11
+================
+FEATURES:
+ - When tcp is more than half full, use short timeout for tcp session.
+ - Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
+ - Fix #790: size-limit-xfr can stop NSD from downloading infinite zone
+ transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173
+ JVN#63359718 JPCERT#91251865.
+BUG FIXES:
+ - Fix build without IPv6, patch from Zdenek Kaspar.
+ - Fix #783: Trying to run a root server without having configured it
+ silently gives wrong answers.
+ - Fix #782: Serve DS record but parent zone has no NS record.
+ - Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.
+
+
+4.1.10
+================
+FEATURES:
+ - ip-freebind: yesno option in nsd.conf sets IP_FREEBIND socket option
+ for Linux, binds to interfaces and addresses that are down.
+ - NSD includes AAAA before A for queries over IPV6 (in delegations).
+ And TC is set if no glue can be provided with a delegation because
+ of packet size.
+ - print notice that nsd is starting before taking off.
+BUG FIXES:
+ - Fix for openssl 1.1.0, HMAC_CTX size not exported from openssl.
+ - Fix #751: NSD fails to occlude names below a DNAME.
+ - If set without nsd.db print "" as the default in the man pages.
+ - Fix #755: NSD spins after a zone update and a lot of TCP queries.
+ - Fix for NSEC3 with zone signed without exact match for empty
+ nonterminals, the answer for that domain gets closest encloser.
+ - #772 Document that recvmmsg has IPv6 problems on some linux kernels.
+
+
+4.1.9
+================
+BUG FIXES:
+ - Change the nsd.db file version because of nanosecond precision fix.
+
+
+4.1.8
+================
+FEATURES:
+ - #732: tcp-mss, outgoing-tcp-mss options for nsd.conf, patch
+ from Daisuke Higashi.
+ - #739: zonefile changes when mtime is small are detected on reload,
+ if filesystem supports precision mtime values.
+ - RR type CSYNC (RFC7477) syntax is supported.
+BUG FIXES:
+ - take advantage of arc4random_uniform if available, patch from
+ Loganaden Velvindron.
+ - Fix flto check for OSX clang.
+ - Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on Linux.
+ - Fix #736: segfault during zone transfer.
+ - Fix #744: Fix that NSD replies for configured but unloaded zone
+ with SERVFAIL, not REFUSED.
+
+
+4.1.7
+================
+FEATURES:
+ - support configure --with-dbfile="" for nodb mode by default, where
+ there is no binary database, but nsd reads and writes zonefiles.
+ - reuseport: no is the default, because the feature is not troublefree.
+ - configure --enable-ratelimit-default-is-off with --enable-ratelimit
+ to set the default ratelimit to disabled but available in nsd.conf.
+ - version: "string" option to set chaos version query reply string.
+BUG FIXES:
+ - Fix zones updates from nsd parent event loop when there are a lot
+ of interfaces.
+ - portability fixes.
+ - patch from Doug Hogan for SSL_OP_NO_SSLvx options, for the new
+ defaults in the ssl libraries.
+ - updated contrib/nsd.spec, from Bálint Szigeti, with new configure
+ options.
+ - Allocate less memory for TSIG digest.
+ - Fix #721: Fix wrong error code (FORMERR) returned for unknown
+ opcode. NOTIMP expected.
+ - Fix zonec ttl mismatch printout to include more information.
+ - Fix TCP responses when REUSEPORT is in use by turning it off.
+ - Document default in manpage for rrl-slip, ip4 and 6 prefixlength.
+ - Explain rrl-slip better in documentation.
+ - Document that ratelimit qps and slip are updated in reconfig.
+ - Fix up defaults in manpage.
+
+
+4.1.6
+================
+BUG FIXES:
+ - Fix #701: Fix that AD=1 set in a BADVERS response.
+ - Fix typo in zonec.c inside error message.
+ - Fix #711: Document that debug-mode yes is used for staying
+ attached to the supervisor console.
+ - Document verbosity 3 prints more information.
+ - nsd-checkconf warns for master zones with no zonefile statement.
+ - Fix start failure when many file descriptors are in use.
+ - The servfail rcode is not printed with a space in the middle.
+ - print failed token for config syntax error or parse error.
+
+
+4.1.5
+================
+BUG FIXES:
+ - Fix #706: default port 53 not opened on ip4 because of getaddrinfo
+ hints initialisation failure.
+
+
+4.1.4
+================
+FEATURES:
+ - RFC7553 RR Type URI support.
+ - removed hardcoded interface limit, --with-max-ips removed.
+ - SO_REUSEPORT support, by default on Linux, or with reuseport: yes.
+ - Admitted axfrs are logged at verbosity 1. Refused at verbosity 2.
+ - --enable-pie and --enable-relro-now options for a safer executable.
+BUG FIXES:
+ - Fix NSID response for short edns sizes.
+ - Fix that for expired zones NSD performs an AXFR and accepts newer
+ and older serial numbers.
+ - Document that minimal responses only minimizes responses to fit
+ in one datagram. It does not minimize smaller responses.
+ - Fix #618: documented need to list ip-addresses separately in
+ nsd.conf if there are multiple, because the source address of
+ replies can otherwise go wrong.
+ - Fix that notify from nsd-control contains soa serial.
+ - Fix #698 formatting errors and typos in nsd.8.in.
+
+
+4.1.3
+================
+FEATURES:
+ - nsd-control addzones and delzones read list of zones from stdin.
+ - hmac sha224, sha384 and sha512 support, patch from David Gwynne.
+ - max-interfaces raised to 32.
+BUG FIXES:
+ - Fix #665: when removing subdomain, nsd does not reparse parent zone.
+ - Fix task and zonestat files to be stored in a subdirectory in tmp
+ to stop privilege elevation.
+ - Fix crash in zone parser for relative dname after error in origin.
+ - Fix that formerrors are ratelimited.
+
+
+4.1.2
+================
+FEATURES:
+ - Incoming notifies have serial number logged (at verbosity 1).
+BUG FIXES:
+ - Remove some duplicate header includes (from Brad Smith).
+ - Fix tcp waiting list for zone transfers where the bind and connect
+ calls fail.
+ - Fix segfault in zone reader on invalid input. (thanks John Van de
+ Meulebrouck Brendgard)
+ - Fix segfault on double origin in zone reader (thanks John Van de
+ Meulebrouck Brendgard).
+ - Fix b64pton out of bounds error on invalid zonefile input.
+ (thanks John Van de Meulebrouck Brendgard)
+ - Fix origin directive from unused old value and subdomain parser
+ failure, reported by John Van de Meulebrouck Brendgard.
+ - Fix use after free after zonefile syntax error followed by ttl
+ or origin directive, reported by John Van de Meulebrouck Brendgard.
+ - Fix syntax error followed by too many TXT elements parse crash
+ reported by John Van de Meulebrouck Brendgard.
+ - Fix buffer overflow in config parse of domain name,
+ reported by John Van de Meulebrouck Brendgard.
+ - Use reallocarray for integer overflow protection, patch submitted
+ by Loganaden Velvindron.
+ - Fix allocation integer overflow checks.
+ - Fix #654: Fix contradiction in notify logging verbosity level.
+ - Fix #655: Fix contradiction in verbosity for zone transfers.
+ - Made log message more consistent, changed 'axfr refused' log message
+ to be more consistent with other messages. Also notify refused.
+ - verbosity 2 logs axfr refused and notify refused.
+ verbosity 1 contains less log messages.
+
+
+4.1.1
+================
+FEATURES:
+ - RFC 7344: CDS and CDNSKEY (read record types).
+ - per zone statistics with --enable-zone-stats, config zone with
+ zonestats: "name", zones configured with the same string are added.
+ - Disabled use of SSLv3 in nsd-control.
+ - nsd-checkconf -f prints out full name of pidfile (with dir).
+ - Synthesize CNAMEs with same TTL as DNAME.
+BUG FIXES:
+ - Fix that expired zones stay expired after a server restart.
+ - Fix "xfrd_handle_ipc: bad mode" log errors when compiled
+ with --disable-bind8-stats.
+ - Fix #616: retry xfer for zones with no content after command.
+ - Fix char used as array index warnings on NetBSD.
+ - Fix that queries for noname CH TXT are REFUSED instead of nodata.
+ - Fixes for wildcard addition and deletion, speedup for some cases.
+ - Fix that failure to add tcp to tcp base does not leak the socket.
+ - Patch nsd_munin_ from Philip Paeps to use type ABSOLUTE.
+ - Fix spinning NSD with lots of failing transfers, due to pointer
+ comparison using void pointer subtraction (from Otto Moerbeek).
+ - Fix bug#637: fix that nsd.db grows limitlessly, an off by one
+ on one megabyte free chunks, created during AXFRs of large zones,
+ that caused the one megabyte chunk to be leaked.
+ - Fix casts for ctype functions (from Todd Miller).
+ - correct some hyphen-used-as-minus-sign (from Andreas Schulze) in
+ man pages.
+ - Fix zonesdir chroot error message.
+
+
+4.1.0
+================
+FEATURES:
+ - database: "" starts without mmap of database. Less memory is used,
+ zones are read from text zonefile.
+ - optimised zonefile parse code and zonefile write code.
+ - zonefiles-write option in nsd.conf, enabled when database is "".
+ The server writes changed zonefiles to disk every hour.
+ - xfrdfile: "" disables xfrd.state. If enabled, zones that are
+ same as before are not checked for a serial update at server start.
+ - include: "foo/nsd.d/*.conf" works, wildcard glob on includes.
+ - nsd shuts down during init process if given signal.
+ - log-time-ascii option, default yes, with readable timestamp in log.
+ - nsd-control addzone reports if zone already exists.
+ - Fix #564: add nsd-checkzone tool to check zonefile correctness.
+ - Increased default --with-max-ips from 8 to 16, this increases the
+ number of interfaces you can specify in nsd.conf to listen to.
+BUG FIXES:
+ - Fixed shutdown message sporadically not printed on exit
+ (Thanks Anand Buddhdev).
+ - Documented zonefile %s syntax in nsd.conf man page.
+ - Fix manpage to put colon after zonefiles check and write.
+ - Change from 'Zone" to "zone" with ".. serial .. is updated" log
+ message.
+ - Changed maxbackoff for no-content secondary zones from 4h to 24h.
+ - Fix print filename of encompassing config file on read failure.
+ - Fix delete or rename of a lot of zones and make it take a
+ non-enormous time.
+ - Speed up deletion of zone contents a lot, (56s to 1s), speeds up
+ delete, rename and AXFR for zones.
+ - Fix #571: unused variable and incompatible pointer warnings when
+ compiled on a system without INET6.
+ - Fix write_socket return value check in server.c (Thanks Brad Smith,
+ Mark Kettenis).
+ - Fix that xfrd reaps children also if the signal is lost.
+ - Fix #577: makefile incorrectly installed manpages from srcdir.
+ - Fix #587: Default value for statistics is 0.
+ - Fix #553: Improve TXT parsing.
+ - Fix #590: rrl log does not print wildcard as a star but escaped.
+ - Fix #591: rrl log messages at verbosity level 1.
+ - fix strptime implicit declaration error on OpenBSD.
+ - Fix -O3 compile flag to -O2 to avoid miscompilations.
+ - Allow user to override the -g -O2 CFLAGS in ./configure.
+ - Fix endian.h include for OpenBSD.
+ - Fix #600: document that provide-xfr provides AXFR and not IXFR.
+ - Fix rising-load-average or memory-leaks in OSes (Linux since 2.6),
+ that keep track of all past process parents, or leak memory
+ for them. Fix makes it so there is no very deep string of
+ process parents.
+ - Remove .LP after .SH in man pages.
+
+
+4.0.3
+================
+BUG FIXES:
+ - Fix nsd.db unclean close check. Previous databases are considered
+ unclean by the code and are created anew.
+ - Adds nsd.db larger than 400Tb check for sanity. Also test if
+ filesize as documented in the file is correct.
+ - nsd waits for tasks to complete on stop, prevents nsd.db corruption.
+ - fix to not delete tmpdir too early in shutdown process.
+ - disabled udb checking functionality that made it very slow,
+ this was enabled when enable-checking was turned on.
+
+
+4.0.2
+================
+FEATURES:
+ - Return REFUSED for queries to non-hosted zones.
+
+BUG FIXES:
+ - Fix expired zones to give SERVFAIL, also when parent zone loaded.
+ - documented nsd-control zonestatus output in nsd-control manpage.
+ - remove mention of nsdc from nsd-checkconf manpage.
+ - Disabled recvmmsg and sendmmsg usage by default because kernel
+ versions have implementation issues: ipv6 ignored, security issues.
+ - Detect libevent2 install automatically by configure, and use
+ event2 header files if necessary.
+ - Fix #551: change Regent to Copyright holder in the LICENSE,
+ to match the definition on opensource.org for the BSD License.
+ - Fix #552: zonefile loads on nsd-control reconfig when the name
+ of the file has changed.
+ - Fix leak of zone name after zonefile read and fix malloc too
+ large that would be leaked in the radix tree.
+ - Fix from 3.2: make SOA RDATA comparisons in XFR more lenient (only
+ check serial).
+ - Fix that NSD will delete and recreate not-clean-closed databases.
+
+
+4.0.1
+================
+FEATURES:
+ - recognizes ip-address and interface as synonyms for convenience.
+ - Support for EUI48 and EUI64 RR types enabled by default (RFC 7043).
+ - Support for CAA RRtype (RFC 6844).
+ - NSID can be set with "ascii_somestring" in ascii.
+
+BUG FIXES:
+ - Fix xfrd when zone transfer TCP contains zero length packets.
+ - Fix for NSEC3 zones where parent zone is co-hosted, also NSEC3,
+ because AXFRs overwrote nsec3 administration in the child zone.
+ - Fix that bad IXFR updates do not result in double SOA records,
+ and that an AXFR is started (attempted) when the zone state seems
+ to be inconsistent with the master's zone state.
+ - Log ip address for sendto and sendmmsg failures.
+ - Fix segfaults after read of zones with rr type WKS from zonefile.
+ - Seed PRNG for openssl at start of daemon, fixes SSL connection issue.
+ - Bugfix #534: IXFR query loop over UDP for zones that are unchanged.
+ - (same as in 3.2.16): fix wildcard cname to nxdomain repeated rrset.
+ - (same as in 3.2.16): Bugfix #542: Match RRSIG TTL with SOA TTL in
+ negative response.
+ - Check if configure in srcdir collides with outofdir build.
+ - Fix #546: output format errors in nsd_munin_ (Thanks Tom Hendrikx).
+ - Fix printout of high-chars in TXT on NetBSD.
+
+4.0.0 NSD 4.0
+===============
+FEATURES:
+ - documented in doc/NSD-4-features. Change configuration without
+ restart, direct nameserver control with nsd-control, support a
+ higher number of zones. Higher performance (compared to NSD3).
+ - nsdc is gone. Use kill -HUP for reload (also checks if zonefiles
+ have changed and rereads them), and kill -TERM for quit. Or use
+ nsd-control for detailed control.
+ - cron job for nsdcpatch is gone. nsd-control write creates zonefiles.
+ - nsd.db has a new format that compacts itself when it is changed,
+ thus nsdc patch is no longer necessary.
+ - nsd.db is memory mapped, NSD needs (part of) that mmap in ram.
+ - tcp-count can go above 1000; epoll/kqueue support with libevent.
+ - nsd-control reconfig for updates with no restart (zones, keys, ..)
+ - nsd-control-setup to create keys for nsd-control (enable nsd-control
+ with remote-control: yes in nsd.conf).
+ - the NSD 3 feature of special zone stats are not ported to 4 yet,
+ as it would entail a complete reimplementation of the feature.
+FEATURES (incremental from BETA5):
+ - configure --disable-recvmmsg for compat with older Linux kernels,
+ by default it autodetects support in the kernel on the buildmachine.
+ - Fix time at 2038, uint32s changed to time_t, support 64bit time_t.
+ - Fix use of 32bit time, for 2038, thanks to Theo de Raadt for patch.
+BUG FIXES (incremental from BETA5):
+ - Bugfix #518 Incorrect RRL prefix length option names in nsd.conf
+ man page from Ville Mattila.
+ - Fix that xfrd, and nsd-control, does not stop responding when reload
+ errors out. The pid is sent like it should by server_main.
+ - Fix that EOF in quoted string error does not cause reload to exit.
+ - Fixup errors from the stack code checker.
+ - Removed use of random when arc4random is available. Thus, random
+ and srandom are then not linked with the executable.
+ - Fix segfault with no logfile and chroot (Thanks Patrik Lundin).
+
+4.0.0b5 BETA 5 release of NSD 4.0
+==================================
+FEATURES:
+ - Optimizations for startup, qps and tcp speed, beta bug fixes and
+ merge with code changes with NSD 3.2.16.
+ - nsd-mem tool (make nsd-mem) to estimate memory usage.
+ - Same as NSD 3.2.16: --enable-draft-rrtypes(EUI48, EUI64), rr-slip,
+ rrl-ipv[46]-prefix-length, ip-transparent config options.
+ - configure option --disable-flto.
+ - improved RRL logging (query details that caused blockage).
+ - nsd-control status prints out ratelimit if ratelimit is enabled.
+ - nsd-control verbosity prints out verbosity level without argument.
+ - Fix #491: pick program name (of executable) as syslog identity.
+ - printout percentage for long activities (to log). After about 5
+ seconds have passed.
+BUG FIXES:
+ - The same fixes up to NSD 3.2.16.
+ - Fix that old zonefile does not override newer AXFR for slave zones.
+ - Nicer printout of notify.
+ - Fix tcp zonetransfer pipeline lookup function.
+ - Fix compile on bigendian netbsd alpha.
+ - Fixup the growth and shrinkage of nsd.db. This should use less
+ calls to remap and change the file and mmap size.
+ - notify information is logged at correct verbosity level, 1.
+ - Fix memory statistics in nsd_munin_.
+ - faster nsec3 updates.
+ - Fixup contrib/bug390.patch for 4.0.0b4.
+ - remove leak of nsec3.
+ - allocate radixtree in region for small (5%) total savings and
+ about 15% savings in the radixtree itself (due to many small alloc
+ savings in region).
+ - Patch from Lukas Wunner that makes nsd.conf include files work
+ inside chroot/etc environments on repattern and reconfig.
+ - Fix race on exit of nsd, for restarts, so that the pidfile-pid
+ process waits until port53 has been closed before exiting.
+ - Patch from Lukas Wunner that makes chroot more consistent.
+ Make all paths absolute with the chrootdir in front, or use
+ an absolute zonesdir with other paths relative to that.
+ - Fix segfault on repeated reconfigs, double free of zone apex name.
+ - Fix zone parser allocations are put in the db region.
+ - Fix memory leak in zone parser for txt record.
+ - Optimizations: -O3 if possible (user can override CFLAGS), udp
+ buffers are set to 1m by default (if socket options exist),
+ use recvmmsg and sendmmsg, or only recvmmsg, or recvfrom.
+ - nsd.db 12% smaller, no nsec3 hash storage. Also ups udb version
+ because of the format change. The nsd.db is recreated when a
+ different version number is detected on startup.
+ - Fix region-allocator for speedup of load and change of large data.
+ - Increase tcpbacklog default to 256 (silently capped to 128 on BSD).
+ For remote control keep it at 16, it has less TCP load.
+ It does not actually increase TCP performance (some except), but
+ reduces connection loss when there is a spike in TCP connections.
+ - unlink xfr file if transfer is stopped, timeouted or interrupted.
+ And unlink xfr file in progress when the zone is deleted.
+
+4.0.0b4 BETA 4 release of NSD 4.0
+==================================
+BUG FIXES:
+ - remove -fwhole-program gcc flag usage. We cannot reliably detect
+ if it works without failure.
+ - fix zonefiles-check: entry in nsd.conf
+ - fix gcc warning, do not use uninit value for rng init.
+ - remove printout of "bad transfer" to the log for notimpl.
+ - printout log less verbosely, not every axfr packet.
+ - RRL documented in nsd.conf.sample
+ - Fix is_apex flag for zones read from udb.
+ - Fix that nsec3 zones are precompiled when read from udb. This
+ caused assertion failures.
+ - Less printout of 'bad transfer'.
+ - Fix AXFR of NSEC3 slave zone.
+ - Fix that old zonefile does not override newer AXFR for slave zones.
+ - Nicer printout of notify on verbosity 2.
+
+4.0.0b3 BETA 3 release of NSD 4.0
+==================================
+BUG FIXES:
+ - applied patch from Robin Hack to remove double pid file truncation.
+ - repattern is called reconfig (because most config options are
+ picked up, except for superuser options (chroot, logfile, port))
+ - document that the zonefile attribute can be empty.
+ - documented that the _implicit_ pattern names are used internally.
+ - Added zonefiles-check option, default yes, check mtimes of zone files
+ on sighup and startup (from Robin Hack).
+ - Fix spurious assertion failure for some rrl blocks.
+ - Tabs and spaces nicer in nsd.conf.sample.
+ - List libevent in README.
+ - Fix configure for gentoo gcc and headers.
+ - do-ip4 and do-ip6 nsd.conf options just like unbound.
+ - do not leave task files in /tmp if nsd fails to startup because
+ of file permissions.
+ - create xfrdir on make install (does not remove on make uninstall,
+ because this could be /tmp).
+ - Fix segv if xfrdir does not exit.
+ - log ip address with tcp failure.
+ - Fix time calculation of zone transfer.
+
+4.0.0b2 BETA 2 release of NSD 4.0
+==================================
+FEATURES:
+ - Add and remove zones from nsd.conf with nsd-control repattern.
+ - Merge changes from 3.2.15 (such as xname-rcode fix).
+
+BUG FIXES:
+ - Fix for use with libev.
+ - 'nsd-control start' runs an absolute path to start sbin/nsd.
+ - Fix for use with libevent-2.1.2.
+ - --with-logfile sets the logfile inside the example documentation.
+ - Fixed addzone and delzone inside chroot (thanks Will Pressly).
+ - Fix make outside of source directory.
+
+4.0.0b1 BETA 1 release of NSD 4.0
+==================================
+FEATURES:
+ - add and remove zones without restart.
+ - nsdc is gone, use nsd-control for direct server control.
+ - performance increases
+ - support lots of zones
+ - and more ...
+ - longer desc in doc/NSD-4-features
+
+BUG FIXES:
+ - core code is fixed like 3.2.15r3763 (12 dec 2012).
+
+
+3.2.16 (development branch)
+=================================
+
+FEATURES:
+ - New config option "ip-transparent:" to allow NSD to bind to
+ non local addresses. Default no.
+ - Use IPV6 minimum MTU settings with TCP to reduce failures that
+ are caused by delays in learning working PMTU when communicating
+ through a tunnel.
+ - Bugfix #496: Support for EUI48 and EUI64 RR types. Experimental,
+ turned off by default. Enable with --enable-draft-rrtypes.
+ - New config option "rrl-slip:" to set the average number of
+ packets discarded before we send back a truncated response.
+ - New config option "rrl-ipv4-prefix-length:" and
+ "rrl-ipv6-prefix-length:" to set the prefix lengths.
+ - Improved RRL logging, also print triggering query src address and
+ QTYPE.
+ - Provide RRL documentation in nsd.conf.sample.
+
+BUG FIXES:
+ - Bugfix #357: Parent process waits until children closed down
+ sockets, to prevent NSD failing to bind to sockets when restarting.
+ - Bugfix #487: lookup3.c determine endianness for BSD systems.
+ - Bugfix #491: pick program name (0th argument) as syslog identity.
+ - Bugfix #494: Exit with return code 1 if socket code fails.
+ - RRtypes ASFDB, RP, RT should not compress dnames.
+ - Fix outgoing-interface: Don't fail if family is IPv6 but
+ only IPv4 outgoing-interface is set, or vice versa.
+ - RRtypes ASFDB, RP, RT should not compress dnames.
+ - Check that zone directory is within chroot directory.
+ - Better XFR checking, fallback to AXFR (if allowed) if three
+ malformed XFR packets have been seen.
+
+
+3.2.15
+=================================
+
+FEATURES:
+ - Support for ILNP RR types: NID, L32, L64, LP (RFC6742).
+ - RRL, --enable-ratelimit at configure time and config options.
+ - TSIG initialization only fails when there is no digest found
+ at all.
+
+BUG FIXES:
+ - Bugfix #478: Declaration after statement (for gcc 2.95).
+ - Bugfix #483: Better error message in case of TSIG error.
+ - Bugfix #485: TTL should not be greater than 2^31 - 1.
+ - Fix RCODE when CNAME loop final answer does not exist, should
+ return NXDOMAIN as stated by RFC 6604.
+ - Fix --disable-full-prehash bug, where after multiple incoming
+ IXFRs, NSEC3 can be removed unjustified.
+
+3.2.14
+================
+
+FEATURES:
+ - TCP writev support.
+
+BUG FIXES:
+ - Fix build on OpenBSD (thanks Oliver Peter).
+ - Prioritize notify sender for requesting XFR (thanks Ilya Bakulin).
+ - Fix crash in zonec if TXT string too long (thanks Ilya Bakulin).
+ - tzset before chroot for correct timezone (thanks Camiel Dobbelaar).
+ - Fix --disable-full-prehash bug when nsdc patch happens while ixfr too,
+ it did not rehash the new database.
+ - Bugfix #464: Conditionally define MAXHOSTNAMELEN.
+
+3.2.13
+================
+
+BUG FIXES:
+ - Fix for nsd-patch segfault if zone has been removed from nsd.conf
+ (thanks Ilya Bakulin).
+ - Bugfix #460: man page correction - identity.
+ - Bugfix #461: NSD child segfaults when asked for out-of-zone data
+ with --enable-zone-stats. [VU#517036 CVE-2012-2979]
+
+
+3.2.12
+================
+
+BUG FIXES:
+ - Fix for VU#624931 CVE-2012-2978: NSD denial of service
+ vulnerability from non-standard DNS packet from any host
+ on the internet.
+ http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt
+
+
+3.2.11
+================
+
+FEATURES:
+ - Fallback to AXFR if IXFR is unknown at the primary. NSD considers
+ IXFR unknown at the primary if there is a negative response for the
+ IXFR RRtype. This does not override the value for
+ 'allow-axfr-fallback'.
+ - Allow for reading in new DNSKEY algorithm mnemonics (RFC5155,
+ RFC5702, RFC5933, and RFC6605 (ECDSA)).
+ - Zone statistics, enable with --enable-zone-stats. This stores the
+ BIND8 stats per zone in a configurable statistics file. This option
+ does not scale and should therefore not be enabled when serving
+ many zones.
+ - Support for TLSA RRtype (DANE).
+
+BUG FIXES:
+ - Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't
+ add the wildcard domain NSEC into the answer section. Instead,
+ put the wildcard expanded NSEC into the answer section and keep the
+ wildcard domain NSEC in the authority section.
+ - Fix for accept spinning reported by OpenBSD.
+ - Fix restart failed due to bad ixfr packet because of zone removed
+ from nsd.conf.
+ - Bugfix #453: typo in nsdc man page.
+
+OPERATIONAL NOTES:
+ - NSD uses the query name for dname compression again (Fix #235
+ had as side effect that this didn't happen anymore and is hereby
+ undone).
+
+
+3.2.10
+================
+
+BUG FIXES:
+ - Bugfix #421: Truncate pidfile on shutdown, before unlink.
+ - Bugfix #423: Fix slow zone transfer processing due to
+ 'Fix is_existing flag for ENT' bugfix.
+ - Fix bug #430: segfault when MAX_INTERFACES set to more than 65K.
+ - Fix configure.ac strptime check for gcc 4.6.2, acx_nlnetlabs update.
+
+
+3.2.9
+================
+
+FEATURES:
+ - Minimize responses to reduce truncation: NSD will only add optional
+ records to the authority and additional sections when the response
+ size does not exceed the minimal response size.
+
+ The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
+ 1220 (EDNS/IPv6), or the advertized EDNS buffer size if that is
+ smaller than the EDNS default.
+
+ The feature is enabled by default. You can disable it by configuring
+ NSD with --disable-minimal-responses.
+
+ - Less NSEC3 prehashing. This will make NSD handle zone transfers
+ faster, but will decrease the performance of NXDOMAIN and wildcard
+ NODATA responses. Full prehashing is enabled by default. If you want
+ less NSEC3 prehashing, configure NSD with --disable-full-prehash.
+ Thanks Secure64 for the patch.
+
+BUG FIXES:
+ - Bugfix #302: nsd accepts XFR but refuses to re-read the slave zone.
+ - Bugfix #365: set patch style and zonec verbose for nsdc.
+ - First step of bug #369: RRSIG DNSKEY sets zone to be treated DNSSEC.
+ - Bugfix #375: typos in nsd.conf.5.
+ - Bugfix #381: Binary escaped and transfers.
+ - Bugfix #397: Don't allow relative domain names as origin in $INCLUDE
+ directives.
+ - Fix printout of IPSECKEY by nsd-patch.
+ - Fix is_existing flag for ENT when domain that has a shared ENT
+ is deleted by IXFR. (ENT == Empty Non-Terminal)
+ - Fix bug if the zonefile is changed for a secondary but stored
+ transfers are applied, and stop it from applying ixfr to empty zone.
+ The zone is flagged with error and AXFR-ed.
+ - Fix to have no authority NS set processing for CNAMEs.
+ - Fix nsd-checkconf to check tsig algorithms properly.
+ - Set the AA bit on responses that have an authoritative CNAME.
+ - Fix denial of existence response for empty non-terminal that looks
+ like a NSEC3-only domain (but has data below it).
+
+OPERATIONAL NOTES:
+ - nsd.db version number increased because NSD 3.2.7 and earlier
+ zonec is not compatible due to the TXT strings change. Please
+ run nsdc rebuild before running NSD 3.2.9 and later versions.
+
+
+3.2.8
+=============
+
+BUG FIXES:
+ - Do setusercontext() before chroot(), otherwise login.conf etc. are
+ required inside chroot.
+ - Bugfix #216: Fix leak of compressiontable when the domain table increases
+ in size.
+ - Bugfix #348: Don't include header/library path if OpenSSL is in /usr
+ - Bugfix #350: Refused notifies should log client ip.
+ - Bugfix #352: Fix hard coded paths in man pages.
+ - Bugfix #354: The realclean target deletes a bit too much.
+ - Bugfix #357, make xfrd quit with many zones.
+ - Bugfix #362: outgoing-interface and v4 vs. v6 leads to spurious
+ warning messages.
+ - Bugfix #363: nsd-checkconf -v does not print outgoing-interface ok.
+ - Bugfix: nsd-checkconf -o outgoing-interface omits NOKEY.
+
+OPERATIONAL NOTES:
+ - Use 'make clean' to clean up files that make created.
+ - Use 'make realclean' to also clean up files that were generated by
+ running ./configure.
+ - Use 'make devclean' to also clean up autoconf, autoheader files.
+
+3.2.7
+=============
+
+BUG FIXES:
+ - Bugfix #253: Don't put NS RRs in a response with QTYPE=DS.
+ - Bugfix #320: use arcrandom(4) for QID generation if available.
+ - Bugfix #328: nsd-checkconf overrun.
+ - Bugfix #343: nsdc update fix.
+ - Bugfix #347: Wrong NSEC3 returned for nodata response QTYPE=DS no delegation.
+ - Bugfix: Allow for huge amount of strings in TXT (and other) records.
+ - Bugfix: nsdc can now deal with tsig algorithms other than hmac-md5.
+ - Fixed several parts in the documentation, including #306, #345.
+
+3.2.6
+=============
+
+BUG FIXES:
+ - Bugfix #314: correctly print NSEC next field, escape spaces and
+ fix label overflows.
+
+FEATURES:
+ - Expand command line option '-a' and config option 'ip-address:'
+ with port number.
+
+OPERATIONAL NOTES:
+ - Configure options --disable-dnssec, --disable-nsid, --disable-tsig
+ are removed.
+ - Configure option --max-interfaces is renamed to --max-ips.
+
+3.2.5
+=============
+BUG FIXES:
+ - NSD will not start if chroot is configured, but changing root is
+ not possible (it used to ignore the badly configured chroot).
+ - Make use of the more secure strl* functions.
+ - Bugfix #303: spelling error.
+
+FEATURES:
+ - New option 'nsid:', to specify the NSID (Bugfix #298).
+ - The default chroot can be set with --with-chroot=<dir>.
+ If not set, by default chroot will not be used (thanks Jakob Schlyter).
+ - Optimized zonec and b64_pton compatibility code (thanks Martin Svec).
+ - Optimized memory allocations. Use mmap/munmap instead of malloc/free.
+ Experimental, by default off. Enable it at build time with
+ --enable-mmap (thanks Martin Svec).
+
+OPERATIONAL NOTES:
+ - NSID support is now enabled by default.
+
+3.2.4
+=============
+BUG FIXES:
+ - Bugfix #269: Additional C99 syntax.
+ - Bugfix #276: Zonec prints debug data to stderr.
+ - Bugfix #286: Document verbosity levels in nsd.conf manual page.
+ - Bugfix #288: Ignore SIGHUP to child processes.
+ - Fix typo in include file for setusercontext.
+
+FEATURES:
+ - Support DLV records.
+ - New option 'tcp-query-count:', to limit the maximum number of
+ DNS queries on a single tcp connection.
+ - New option 'tcp-timeout:', to override the default tcp timeout.
+ The default can also be set at build time, --with-tcp-timeout=<number>.
+ - New option 'notify-retry:', to configure how many times NSD should retry
+ a NOTIFY message.
+ - New options 'ipv4-edns-size:' and 'ipv6-edns-size:'. to set your preferred
+ EDNS buffer size.
+
+OPERATIONAL NOTES:
+ - UDP/IPv4 sockets have new options set that will disable the DF flag in IP
+ packets.
+
+3.2.3
+=============
+BUG FIXES:
+ - Bugfix #236: Allow RRs before the SOA in a zonefile.
+ - Bugfix #249: Remove the C99 code.
+ - Bugfix #253: Don't put NS RRs in a response with QTYPE=DNSKEY.
+ - Bugfix #263: Make TSIG algorithm comparison case insensitive.
+ - Bugfix #266: Build failed on systems without strptime.
+ - Bugfix: install hickup.
+ - Fix to use 4096 EDNS limit for IPv6 on Linux.
+
+3.2.2
+=============
+BUG FIXES:
+ - Off-by-one buffer overflow fix while processing the QUESTION section.
+ - Return BADVERS when NSD does not implement the VERSION level of the
+ request, instead of 0x1<FORMERR>.
+ - Bugfix #234.
+ - Bugfix #235.
+ - Reset 'error occurred' after notifying an error occurred at the $TTL or
+ $ORIGIN directive (Otherwise, the whole zone is skipped because the
+ error is reset after reading the SOA).
+ - Minor bugfixes.
+
+3.2.1
+=============
+OPERATIONAL NOTES:
+ - NSD will now fallback to AXFR, only if the master does not support IXFR.
+ - You can adjust nsdc patch to skip textfile patching. This will
+ increase the patching process, but will not output to zonefiles
+ anymore. By default, this is off.
+
+BUG FIXES:
+ - When configuring, don't do strptime test when cross-compiling.
+ - Bug #230: Output non-error messages to stdout.
+ - Better error message when ixfr.db old file format is read.
+ - Bug #218: shared UDP query for all interfaces.
+ - Bug #222: Remove bashism from nsdc script.
+ - Nicer check for SHA-256 functionality.
+ - Fixed some minor memory leaks that occurred on reload.
+ - nsdc: check if a lockfile has not gone stale, when lock failed.
+ - Bugfix strptime compatibility function
+
+FEATURES:
+ - New configuration option 'allow-afxr-fallback', "yes" by default. If
+ set to "no", NSD will never do AXFR fallback, even if the master
+ does not support IXFR.
+ - Allow file rotation on nsd.log.
+ - The new nsd-patch options -s and -o allows you to skip writing
+ zonefiles and store the output directly to a database file,
+ respectively.
+
+3.2.0
+=============
+OPERATIONAL NOTES:
+ - Format of ixfr.db has changed. When you are planning an upgrade to the
+ new NSD release, make sure to process the old ixfr.db before starting
+ the new release (by running nsdc patch).
+ - IXFR is transmitted over TCP by default instead of UDP. If you want to
+ continue the use of IXFR/UDP, please modify your zone configuration
+ file to:
+ request-xfr: UDP 1.2.3.4 tsigkey
+ We strongly recommend to enable TSIG if you send IXFR over UDP.
+ When all masters fail to transmit IXFR/UDP, slave will fallback to
+ IXFR/TCP and eventually AXFR/TCP.
+ - nsd-patch prints errors to stderr instead of stdout.
+
+BUG FIXES:
+ - Only normalize dnames in rdatas when rrtype is listed in RFC 4034,
+ section 6.2: Canonical RR Form, following
+ draft-ietf-dnsext-dnssec-bis-updates (affects RRSIG and NSEC records).
+ - Typo in zonec manpage.
+ - Bugfix in log_finalize.
+ - Fix race condition between nsdc patch and server reload.
+
+FEATURES:
+ - AXFR/TCP fallback in case of failing IXFR zone transfers.
+ - RFC 4635: support for hmac-sha1 and hmac-sha256 TSIG algorithm
+ identifiers, "Bugfix #130".
+ - Configure the source ip-address for notifies (master) and zone
+ requests (slave) in nsd.conf, "Bugfix #148".
+ - nsd-notify and nsd-xfer allow you to configure the outgoing
+ hostname and source port, in addition to the source address.
+ - Additional debug and verbose log messages.
+
+3.1.1
+=============
+BUG FIXES:
+ - Try to avoid race conditions with NSD reloading and nsdc running,
+ by writing pidfile before closing old parent process.
+ - Fixed NSEC3 memory leak in the case NSEC3 is not needed.
+ - Fixed some memory leaks that happened on error, mostly on
+ zone transfer errors.
+ - Bugfix #191: nsd-checkconf allowed only (max_interfaces-1) interfaces.
+
+FEATURES:
+ - The number of maximum interfaces allowed is configurable with
+ --with-max_interfaces=<number> (thanks John Lightsey).
+
+3.1.0
+=============
+OPERATIONAL NOTES:
+ - Default locations of nsd.db, ixfr.db & xfrd.state are changed to
+ the /var/db/nsd directory.
+
+BUG FIXES:
+ - Zone compiler gives more sane error messages when out of
+ diskspace and bug #172: when compiling single zone file.
+ - Changed man pages format from mdoc to mansun, to support the Solaris OS.
+ - Log tcp read error only when connection not reset by peer or when
+ verbosity level is high.
+ - RRs are compared without checking the TTL value.
+
+FEATURES:
+ - NSD is now NSEC3 enabled by default. You can disable it by configuring
+ NSD with --disable-nsec3.
+ - Added "hide-version" configuration setting. Enabling this feature
+ stops NSD from answering to CHAOS class version requests.
+ - Added bind2nsd 0.5.0 (http://bind2nsd.sourceforge.net) in contrib/.
+ - Report source and zone for denied AXFR attempts.
+
+3.0.8
+=============
+FEATURES:
+ - Better logging for nsd-notify (show 'broken' zone)
+ - Add configuration for chkconfig to control nsd service.
+
+BUG FIXES:
+ - Fixed nsdc start when nsd already running: do not initialize server,
+ since it is already running.
+ - Fixup bug where data related files are looked up in the wrong
+ directory when chrooted with chrootdir ending with a slash.
+ - Fixup bug where nsd would return FORMERR if received an edns
+ query with version set to zero and rdlen larger than zero.
+ - Fixed strptime, so that zonec will also work on systems with broken
+ strptime (like leopard :-))
+ - Do not answer nsec3 wildcard information when DO bit is not set
+ - Better logging when creating database failed.
+ - Various spelling errors
+
+3.0.7
+=============
+BUG FIXES:
+ - Error handling for malformed IXFRs improved.
+ - Fixed man pages, consistent syntax.
+
+3.0.6
+=============
+FEATURES:
+ - Report source and zone for denied AXFR attempts.
+
+BUG FIXES:
+ - More elegant handling of malformed nsec3 records from a zone
+ transfer.
+ - Fixup ignored return value in region-allocator.
+ - Added bind2nsd 0.5.0 (http://bind2nsd.sourceforge.net) in contrib/.
+
+3.0.5
+=============
+BUG FIXES:
+ - Fixed problem with reload waiting very long. If the OS has a
+ raging herd problem, NSD could block in a UDP operation and
+ that process would stop reload from finishing. Made UDP sockets
+ nonblocking.
+ - Made TCP listen sockets nonblocking. NSD could block in accept.
+ - Handle the new CERT RDATA types defined in RFC 4398 (submitted by
+ Mans Nilsson).
+ - Fixed a bug where zonec would choke on unknown CERT RDATA types.
+ - Change nsd-notify retry timer from linear into exponential
+ backoff (submitted by Mans Nilsson).
+ - Debug flag (-d) behavior changed. Nsd now also forks children when
+ run in debug mode.
+ - Added verbosity mode (-V <level>) for extra operational logging.
+ - zonesdir default is /etc/nsd. This can be overridden in nsd.conf.
+ - if clients drop the tcp connection this does not result in a logfile
+ entry, unless verbosity is set 2 or more.
+
+3.0.4
+=============
+BUG FIXES:
+ - zonec will print an error when other data is put next to a CNAME.
+ - Fixup unaligned memory access that could occur when reading ixfr.db
+ with a partial transfer inside.
+ - Fixup for the WKS RR type printout by nsd-patch and nsd-xfer.
+ - Error message 'could not read database CRC' now only given on error.
+ - ./configure --zonesdir=<directory for zone files> now works to
+ set a default value for the zonesdir: <dir> nsd.conf directive.
+ Set zonesdir: "" to disable the change of directory.
+ - Bug: reload crashes with log message 'continuing with old database',
+ and after that no more zone updates. Manual fix is to kill -HUP,
+ but now fixed in software to try to reload again (and again).
+ - Small speedup where xfrd could briefly be busy-waiting.
+ - If master sends IXFR with glue that is already present in the zone
+ this is silently accepted. Printed in debug mode -L 2. To make
+ the log file smaller.
+ - Exponential backoff for zones that never worked to max of 4 hours.
+ For expired zones the SOA retry values are used.
+ - allow-notify acl entries 'NOKEY' match only queries without TSIG.
+ - Answers to valid notifies contained wrong RR counts in the header.
+ The notifies were processed correctly, but now the acknowledgement
+ reply is in correct DNS format.
+FEATURES:
+ - Added contrib/nsd.zones2nsd.conf python script to convert NSD 2 to
+ NSD 3 config files, contributed by Stephane Bortzmeyer.
+ - The nsdc control script will print 'nsd startup failed' if the nsd
+ executable does not start (due to bad permissions, bad config, ...).
+
+3.0.3
+=============
+BUG FIXES:
+ - Bug #152: NSD would not use the identity from nsd.conf, fixed.
+ - Bug #153: When running with thousands of secondary zones, NSD would
+ run out of UDP sockets. Caused crash on FreeBSD, errors on Linux
+ ('out of file descriptors'), depending on ulimits. Fixed.
+ - Fixed getaddrinfo error message to be more descriptive.
+ - Fallback to ip4 if getaddrinfo fails for ip6.
+ - Will no longer lose a notify message during reloads (IPC).
+ - Will no longer lose transfer in progress when notified for that zone.
+ - Nicer error when operator forgets to rebuild after deleting a zone.
+
+3.0.2
+=============
+BUG FIXES:
+ - Nice error from zonec on a wrong configuration zone name.
+ - Nicer warning from zonec when starting secondary zone with
+ no zone file for the first time.
+ - nsdc makes more portable use of 'which' (for SunOS5.9/bash2.05).
+ - Bug #143: Improved handling of zonesdir: directive and relative
+ pidfile, database, diff file, xfrdfile paths in nsdc.sh and
+ nsd-patch. They would not find the files.
+ - Bug #144: LOC RRtype default values for precision wrong. Fixed.
+ - Bug #145: NSD failed to reload cases of simultaneous zone transfer.
+ - Bug #146: NSD fails to write to xfrdfile when chrooted. Fixed.
+ Also fix for difffile when chrooted.
+ - Bug #147: NSD runs out of memory. Fixed, memory is reused.
+ Occurred when running NSD with very big zones and large updates.
+ - nsd -L 1 logging is smaller, -L 2 contains all debug information.
+ (only available for debug compiles).
+ - Bug #149: Fixed text for NOTAUTH error code. When notify is not
+ authorised REFUSED error code returned instead.
+
+3.0.1
+=============
+BUG FIXES:
+ - nsd-patch prints SOA record at start of zone files.
+
+3.0.0
+=============
+FEATURES:
+ - AXFR/IXFR zone transfer supported.
+ - NSD requests but does not provide IXFR transfers.
+ - NSD keeps track of SOA timeouts for secondary zones.
+ - TSIG authentication supported.
+ - For queries, for notifies, for zone transfers.
+ - NOTIFY messages of zone updates, incoming and outgoing.
+ - DNAME type is supported, including CNAME synthesis.
+ - config file, nsd.conf(5), place to put TSIG keys, server settings,
+ and lists of ip-addresses/ranges for AXFR/IXFR and NOTIFY.
+ - prepared for NSEC3 (--enable-nsec3), experimental code for testing
+ in workshops.
+ - prepared for NSID (--enable-nsid), experimental code for testing in
+ workshops.
+
+OPERATIONAL NOTES:
+ - config file needed, nsd.conf(5) supersedes nsd.zones and nsdc.conf.
+ - AXFR transfers are denied by default. Allow in config file.
+ - Zones only become secondary with "request-xfr:" items in config file.
+ - NSD produces "ixfr.db" file with a journal of zone transfers.
+ Use nsdc patch to merge changes back to zone files and remake db.
+ - NSD produces "xfrd.state" file with zone timeout information.
+ The file is text formatted.
+ - NSD sends notifies automatically,
+ nsd-notify is deprecated and will be removed from the package.
+ - NSD requests AXFR/IXFR and reloads the updates automatically,
+ nsd-xfer is deprecated and will be removed from the package.
+ - Check your config file with nsd-checkconf.
+
+BUG FIXES:
+ - contains all bug fixes from 2.3.5 and before.
+ - The sighandler() bug is fixed more thoroughly,
+ by using pipes for interprocess communication.
+ - CNAMEs are followed by the server to different zones and
+ information from that zone is returned. This saves a followup
+ query.
+ - bug fixes (ported) 2.3.6.
+ - nsd-notify will retry max 15 times 5 second retries.
+ - Bug #105: nsdc lacks locking, fixed locking for root user.
+ - Bug #134: nsd: make -N <large number> work again
+ - Bug #135: Typo in locking code for nsdc, fixed.
+ - uninitialised variable fixed.
+ - unaligned memory access (on Solaris SPARC), in zonec
+ LOC parsing, fixed.
+ - Bug #138: nsd aborts trying to bind all interfaces if ip6
+ is not enabled, instead it will fallback to ip4.
+ - Bug #139: resync timer for stats to whole minute.
+ - Bug #140: NSD did not clear CD bit on authoritative answers.
+ - Bug #141: NSD did not clear flags on a formerror reply.
+
+2.3.5
+=============
+BUG FIXES:
+ - Bug #132: regression, nsd: fix compile with --disable-ipv6
+ - Makefile: remove gnuisms
+
+2.3.4
+=============
+BUG FIXES:
+ - Unknown type codes for type code numbers > 48 and < 97 work again.
+ (this implies --enable-checking can be enabled again)
+ - nsd: sighandler() fixes
+ - Bug #118: nsd: nsd_notify waits for a response. Will retry the notify
+ after a timeout.
+ - Bug #124: $(DESTDIR) was added to Makefile.in.
+ - Bug #128: zonec: parser can handle \\ at the end of a string.
+ - zonec: lexer: add \r to the newline delimeter
+ - zonec: use strtol with an explicit base 10 as parameter.
+ (Scott Rose, Roy Arends)
+ - nsd-xfer: print human readable error codes. Change logging to
+ be more in line with the rest
+
+2.3.3
+=============
+BUG FIXES:
+ - Apply the correct patch to nsdc.sh.in.
+
+2.3.2
+=============
+FEATURES:
+ - Bug #101: add support for the SPF record.
+
+BUG FIXES:
+ - Bug #100: replaced non-portable use of timegm(3) with
+ portable implementation (mktime_from_utc).
+ - Bug #103: nsd: trim the SOA's TTL to the MINIMUM value when returning a
+ negative answer.
+ - Bug #104: nsd: add a time_t timestamp to the log when logging to
+ a file.
+ - Bug #105: nsdc: use a lock file when rebuilding the database (patch by
+ Jakob Schlyter/Ted Lindgreen/Sebastian/Ondrej Sury).
+ - Bug #106: zonec: don't walk all 256 NSEC windows when that is not
+ needed.
+ - Bug #107: zonec: fixed a crash when encountering bad unknown rdata.
+ - nsd: Don't print: "error: nsd is already running as <pid>, stopping"
+ when in fact NSD continues to run.
+ - nsd: Minimize the race window in sig_handler().
+
+2.3.1
+=============
+BUG FIXES:
+ - zonec: Don't crash when generating error messages outside of zone
+ files.
+ - nsd: when logging to a file the pid is now printed.
+ - nsd: Reset 'boot' time in statistics when reloading the database,
+ since the statistics are reset to 0 on a reload.
+ - nsd-xfer.c: Added '-a' option to specify local address to connect
+ from. Original patch supplied by Walter Hop <nsd@walter.transip.nl>.
+ - Bug #98: Allow mnemonics for DS and RRSIG algorithm field.
+
+2.3.0
+=============
+FEATURES:
+ - DNSSEC is now enabled by default. NSD should be fully
+ compliant with RFC4033, RFC4034, and RFC4035.
+
+BUG FIXES:
+ - nsd: Ensure that the number of -a flags does not exceed the
+ maximum specified by MAX_INTERFACES in config.h.
+ - nsd-xfer: Use serial number arithmetic (RFC1982) for the
+ zone serial check
+ - nsdc: Don't pass (fake) serial number to nsd-xfer if the
+ zone file does not exist.
+ - zonec: Loading many zones would cause namedb_find_zone to
+ slow down, performance patch by Kazunori Fujiwara.
+ - Bug #96: nsd-xfer did not handle 8-bit domain names
+ correctly.
+
+2.2.1
+=============
+FEATURES:
+ - The message priority is now included when logging to a file.
+
+BUG FIXES:
+ - Zero length RDATA using the unknown RR notation was not
+ working (except for the APL RR type).
+ - Bug #93: './configure' error message containing a comma must
+ be properly bracketed.
+ - Bug #94: nsd-xfer: Handle unexpected EOF when receiving AXFR
+ data. Timeout if no data is received for more than 120
+ seconds (see the TCP_TIMEOUT parameter in config.h).
+ - Bug #95: An owner starting with an asterisk label ("*") was
+ being treated as its own wildcard child.
+
+2.2.0
+=============
+FEATURES:
+ - nsd-xfer: replacement program for named-xfer to perform zone
+ transfers using AXFR. TSIG is supported by nsd-xfer but not
+ yet by the nsd server. DNSSEC is also supported. TSIG
+ requires OpenSSL version 0.9.7 or higher, configure using
+ --disable-tsig if you do not have OpenSSL installed.
+ Configure using --with-ssl=path if OpenSSL is not installed
+ at a standard location.
+
+CODE CHANGES:
+ - New data structure 'buffer_type' for representing binary
+ buffers that can be read, written, and resized. Data in
+ these buffers is stored in network byte order. This data
+ structure replaces the iobuf field of 'struct query'.
+
+BUG FIXES:
+ - Fixed endian problem in WKS record.
+ - Protocol can now be specified numerically in WKS record.
+ - Allow escape sequences (\DDD) in TTL, RR class, and RR type.
+ - The zone compiler now accepts many more characters in
+ unquoted strings such as domain name labels. The characters
+ no longer need to be escaped with a backslash.
+ - Close included files after reading.
+ - Maximum TCP message size is now 65535 bytes. AXFR response
+ packets are still limited to 16383 bytes for optimal
+ compression of dnames.
+ - The TSIG key for AXFRs can now also be stored in the file
+ <zonename>.tsiginfo. This makes it possible to use TSIG
+ with multiple master servers.
+ - Signals are no longer blocked while performing I/O so the
+ server should respond quicker to signals.
+ - Fixed parsing of LOC rdata. Fractions and altitude were not
+ handled correctly.
+
+2.1.5
+=============
+BUG FIXES:
+ - Bug #90: handle \000 in TXT records correctly
+ - Fixed undefined behavior in the use of vsnprintf when
+ logging messages. This caused crashes on Linux/PPC.
+
+2.1.4
+=============
+BUG FIXES:
+ - nsdc: Fixed a typo that caused AXFRs to stop working.
+
+2.1.3
+=============
+FEATURES:
+ - nsd: The pidfile can be specified using the '-P' option.
+
+BUG FIXES:
+ - Bug #87: allow @ in the rdata
+ - Bug #88: allow ::FFFF:ipv4addr in AAAA records
+ - Bug #89: Count the number of queries received over TCP,
+ instead of the number of TCP connections.
+ - Zonec: when - is used as input, set the filename to 'STDIN'.
+ - The nsdc script handles failed AXFRs more gracefully.
+ - NSD emits an error when it sees bitlabels (RFC 2673).
+ - Only copy the CD bit when DNSSEC is enabled.
+
+2.1.2
+=============
+FEATURES:
+ - NSD now fully supports unknown record types using the
+ notation specified in RFC3597.
+ - Support for the following RR types has been added: WKS, X25,
+ ISDN, RT, NSAP, PX, NAPTR, KX, CERT, DNAME, and APL. DNAME
+ special processing is not supported.
+
+BUG FIXES:
+ - Bug #84: NSD now uses SIGUSR1 instead of SIGILL to report stats.
+ - Bug #85: Support for WKS records.
+ - Bug #86: The characters "#%&^[]?" can now be used without
+ backslash in zone file domain names.
+ - Plugin callback return type fixed.
+ - The maximum message length for IPv6 UDP packets is now
+ limited to the IPv6 minimum MTU (1280) unless the
+ IPV6_USE_MIN_MTU socket option is supported.
+
+2.1.1
+=============
+BUG FIXES:
+ - Bug #81: Handle unknown types correctly.
+ - Bug #82: Zonec: don't report "0 errors" unless -v is
+ specified.
+ - Bug #83: Close zone files after parsing.
+ - Handle AFSDB RR type.
+
+2.1.0
+=============
+FEATURES:
+ - New networking code allows a single server to handle both
+ UDP and TCP connections. By default up to 10 simultaneous
+ TCP connections are supported. Use the '-n' flag to change
+ the default.
+
+2.0.2
+=============
+BUG FIXES:
+ - Allow the use of a mnemonic for the algorithm field of a
+ DNSKEY record.
+ - Behavior of the zonec -v flag has been modified. By default
+ zonec will only print a single line with a summary of the
+ error count.
+ - Bug #75: Fixed typo in previous "fix".
+
+2.0.1
+=============
+BUG FIXES:
+ - Queries for QTYPE DS (DNSSEC) were not handled correctly in
+ certain cases.
+ - Partial support for unknown RRs. Known RR types with
+ unknown RR data format is not yet supported.
+ - Bug #75: Fixed bad error message when nsdc update is run for
+ the first time.
+ - Bug #78: Multiple zones, each with include directives, are
+ now compiled correctly.
+
+2.0.0
+=============
+FEATURES:
+ - Experimental DNSSEC support implemented, but disabled by
+ default. Enable using the --enable-dnssec configuration
+ option.
+ - IPv6 enabled by default. Disable using the --disable-ipv6
+ configuration option.
+
+BUG FIXES:
+ - Bug #47: Domain name is now logged when a notify is
+ received.
+ - Bug #70: First include all A records in the additional
+ section, followed by AAAA records.
+ - Bug #77: Check length of domain name and label.
+ - LOC records are supported again.
+
+1.4.0-alpha1
+=============
+FEATURES:
+ - New database format that is much more compact and portable
+ across architectures.
+ - The new zone compiler is now the default and the old zone
+ compiler has been removed.
+ - Name compression is done dynamically, removing one other
+ difference with BIND in the responses generated (the full
+ query name is now used for compression).
+ - CNAME target records are now generated from wildcard
+ records if necessary.
+
+REGRESSIONS:
+ - mmap(2) isn't currently supported.
+ - Not all RR types are supported by zonec (such as LOC).
+
+1.3.0-alpha1
+=============
+FEATURES:
+ - New name lookup algorithm. This required a change to the
+ database format. Performance should increase at the expense
+ of database size and memory usage.
+ - New zone compiler (zonec2) based on flex and yacc, fully RFC
+ compliant (still in alpha).
+ - Database can be loaded using mmap(2) (use the --enable-mmap
+ configure option to enable). This is useful on operating
+ systems such as Solaris that do not allow memory overcommit.
+ - Region based memory allocation and resource management.
+ - New internal format for storing domain names. Each dname
+ now includes an array of label offsets within the domain
+ name.
+ - Updates to the plugin API.
+
+BUG FIXES:
+ - Bug #65: The syslog facility is now a compile time option
+ (--with-facility=FACILITY). The default facility is DAEMON.
+ - Bug #66: Automatic periodic dumping of the statistics (using
+ the -s option) is now continued after a database reload.
+
+1.2.4
+=============
+BUG FIXES:
+ - Bug #72: If an RRset for a child domain is defined before
+ the RRset of the parent domain the parent's RRset would be
+ "lost".
+
+1.2.3
+=============
+BUG FIXES:
+ - Bug #65: The syslog facility is now a compile time option
+ (--with-facility=FACILITY). The default facility is DAEMON.
+ - Bug #66: Automatic periodic dumping of the statistics (using
+ the -s option) is now continued after a database reload.
+ - NSD would try to kill pid -1 on startup if forking of a child
+ process failed.
+ - Do not log EAGAIN errors on calls to recvfrom. These errors
+ should be harmless.
+
+1.2.2
+=============
+BUG FIXES:
+ - Bug #59: NSD returns FORMERR when the query name is >= 246
+ bytes.
+ - Bug #60: Zonec runs out of file descriptors with many zones.
+ - Bug #61: nsdc uses /bin/sh hardwired (and should not).
+ - Bug #62: NSD is not able to log to a file.
+ - Bug #63: nsdc update and zonec are too talkative.
+ - Bug #64: Answer for request of a host resolved by a
+ wildcard-resource-record is not understandable by dig.
+
+1.2.1
+=============
+BUG FIXES:
+ - AXFR terminates early if a zone contains a CNAME pointing
+ the the zone's domain name (SOA record) (bug #56).
+ - During an AXFR memory above the top of the stack was
+ accessed. This could lead to occasional AXFR errors (bad
+ packets).
+ - NSD now prints its version number and exits when invoked
+ with the -v flag (bug #57).
+ - NSD prints help information and exits when invoked with the
+ -h flag.
+
+1.2.0
+=============
+FEATURES:
+ - NSD is now a single parent process (handling child
+ termination and database reloads) plus multiple UDP and TCP
+ child processes handling queries. Before the parent process
+ also handled UDP queries. This change simplifies the parent
+ and child processes and allows the use of multiple
+ concurrent UDP servers.
+ - Experimental plugin support. This required a minor,
+ incompatible change to the database format. Make sure you
+ recompile your database. Use --enable-plugins to enable.
+ - Full IPv6 support (for multi-homing and for Linux, thanks to
+ Colm MacCárthaigh and Jun-ichiro itojun Hagino). Use
+ --enable-ipv6 to enable.
+ - Support for multi-homing with TCP connections.
+ - Support for SunOS 4.x has been dropped.
+
+CODE CHANGES:
+ - NSD should now conform to the Single Unix Specification
+ (http://www.unix.org/).
+ - Const correctness for strings and some other data types.
+ - Removed code for Berkeley DB, hash tables, and mmap(2).
+ - Separate preprocessor flags from code flags (CPPFLAGS and
+ CFLAGS).
+ - Use uint8_t instead of u_char, uint{16,32}_t instead of
+ u_int{16,32}_t.
+ - Fixed warnings from mixing signed and unsigned types.
+ - Use sigaction(2) instead of signal(2).
+ - The query_process function has been split up for clarity.
+
+BUG FIXES:
+ - CHAOS TXT queries failed on big-endian machines.
+ - Portability fixes for Tru64 (thanks to Stephane Bortzmeyer),
+ HP-UX, and MacOS X (thanks to Ronald van der Pol).
+ - Removed compile time limit on maximum number of TCP child
+ servers.
+ - Support for debugging UDP and TCP queries.
+ - Always ensure there is enough room for the EDNS record when
+ answering a query with EDNS enabled.
+
+1.1
+=============
+FEATURES:
+ - ANSI C
+ - autoconf/configure
+ - new parser
+ - support for various RR types in zonec
+ - support for UNKN RR types
+
+BUG FIXES:
+ - lots of zone parsing errors eliminated
+ - empty node matching bug gives NXDOMAIN
+
+1.0.3
+=============
+This release is a bug fix release and does not add any new features.
+
+BUG FIXES:
+ - Ignore SIGPIPE errors (bug #43).
+ - Keep track of TCP child servers and restart if necessary.
+ (bug #55)
+ - Handle database reload failures correctly.
+ - Close UDP sockets in TCP child servers.
+ - Handle escaped characters (besides \.) in labels.
+ - Preserve the query's RD flag in the answer.
+
+1.0.2
+=============
+FEATURES:
+ - -DBIND8_STATS to enable bind8 like [NX]STATS
+ - -t flag to make nsd chroot to a certain directory
+ - -s flag to make nsd produce statistics every s seconds
+ - /etc/nsd/nsdc.conf to overwrite default variables
+ for nsdc.sh
+ - less loggin and more radical tcp connection (mis)handling
+ - prefork -n processes to handle tcp connections
+ - multiple -a flags
+
+CHANGES:
+ - named.stats file functionality is removed
+
+BUG FIXES:
+ - couple of pedantic fixes in C code
+ - last zone in database axfr bug fixed
+ - nsdc update wont update bug fixed
+
+1.0.1
+=============
+
+FEATURES:
+ - NSD drops permissions after binding the sockets
+ - ``cache'' zones are no longer allowed
+ - ID.Server & Version.Server compile time options
+ - AXFR implemented (with tcpwrapper for access control)
+ - nsdc update and nsdc notify functionality
+ - using named-xfer with TSIG for inbound axfr
+
+
+CHANGES:
+ - the order of records in the database is from now
+ on significant
+ - since Berkeley DB doesnt define order for sequential
+ access it is no longer supported
+
+BUG FIXES:
+ - white space problem in zonec is fixed
+
+KNOWN BUGS:
+ - please see appropriate man pages for the known bugs
+
+1.0.0 RELEASE
+=============
+
+KNOWN BUGS:
+
+- Although NSD allows one to configure a zone without SOA record and
+ use it as so called ``cached'' non-authoritative data, it is decided
+ that having this functionality is wrong, dangerous and will be removed
+ from the further versions.
+
+- If while processing EDNS(0) OPT record NSD encounters bad EDNS(0)
+ version it will answer with Format Error instead of EDNS(0) BADVERS
+
+PLATFORMS:
+
+ Tested and working on i386 FreeBSD-4.4, i386 Linux, dec alpha Linux,
+ sparc SunOS 4.x
+
+
+1.0.0-BETA2
+===========
+
+FIXES:
+ - wildcards bug fixed
+ - AA bit for class ANY bug fixed
+ - minor coredumps with really broken zones in zonec fixed
+ - linux & SunOS port
+
+1.0-ALPHA2
+==========
+FIXES:
+ - IPv6 transport support added by Jun-ichiro itojun Hagino (Use -DINET6)
+ - Makefile modified for easier compile time configuration
+ - EDNS(0) bug fixed
+ - Default database changed to all lowercase, red-black tree to make nsd
+ DNSSEC ready
+ - REQUIREMENTS are cleaned up and updated
+ - Signal names changed in nsdc.sh.in
+ - Default compile options dont include -DMIMIC_BIND8
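Review bot: The imported RELNOTES text carries typos and a duplicated entry that are best reported upstream rather than corrected in this tree, since the stated purpose of the import is to ease syncing and any local fix becomes a recurring diff. In this part of the hunk: "delimeter" under 2.3.4, "the the zone's domain name" under 1.2.1, "less loggin" under 1.0.2, and the Bug #65 and Bug #66 items, which appear word for word under both 1.3.0-alpha1 and 1.2.3. Before committing, compare the file byte for byte with upstream's doc/RELNOTES for 4.2.4 to confirm the duplicate comes from the original and was not introduced while importing.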