-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

NSD 3.0.4 is released today. This is a security and maintenance update.
I strongly encourage operators to upgrade NSD 3.x to this version.

Reasons to upgrade are a security fix in the ACL processing, where ACL
entries of NOKEY that got TSIG signed notifies caused outage. Also
replies to notifies could contain wrong DNS header counts in the packet.
These two problems are fixed in NSD 3.0.4.

In the contrib directory you can find contributions from users: a spec
file to build rpms and a python script that converts NSD 2 primary and
secondary zones and TSIG info to a NSD 3 config file. The items in
contrib are not supported, but provided for your enjoyment :-)

Get NSD 3.0.4 here:
http://www.nlnetlabs.nl/downloads/nsd/nsd-3.0.4.tar.gz
And SHA1 is: e34333450a32d4683216c136218699e7f8c8367d

Other notable changes in 3.0.4 are:

BUG FIXES
o zonec will print an error when other data is put next to a CNAME.
o Fixup unaligned memory access that could occur when reading ixfr.db
  with a partial transfer inside.
o Fixup for the WKS RR type printout by nsd-patch and nsd-xfer.
o Error message 'could not read database CRC' now only given on error.
o ./configure --zonesdir=<directory for zone files> now works to set a
  default value for the zonesdir: <dir> nsd.conf directive.
  Set zonesdir: "" to disable the change of directory.
o Bug: reload crashes with log message 'continuing with old database',
  and after that no more zone updates. Manual fix is to kill -HUP, but
  now fixed in software to try to reload again (and again).
o Small speedup where xfrd could briefly be busy-waiting.
o If master sends IXFR with glue that is already present in the zone
  this is silently accepted. Printed in debug mode -L 2. To make the
  log file smaller.
o Exponential backoff for zones that never worked to max of 4 hours.
  For expired zones the SOA retry values are used.
o allow-notify acl entries 'NOKEY' match only queries without TSIG.
o Answers to valid notifies contained wrong RR counts in the header.
  The notifies were processed correctly, but now the acknowledgement
  reply is in correct DNS format.

FEATURES
o Added contrib/nsd.zones2nsd.conf python script to convert NSD 2
  to NSD 3 config files, contributed by Stephane Bortzmeyer.
o The nsdc control script will print 'nsd startup failed' if the nsd
  executable does not start (due to bad permissions, bad config, ...).

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFr0sOkDLqNwOhpPgRAtb3AKCsQjzb/wkO7u8Q+xz23kV7NA4tTQCfTVDB
q/W5/ryu5OGKPFWQKrHP0Lo=
=VzrN
-----END PGP SIGNATURE-----
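
The announcement above lists wrong RR counts in the header of the NOTIFY acknowledgement as one of the two fixed problems. As an added example (not part of the original announcement and not NSD code), this Python check walks a DNS message in RFC 1035 wire format and reports when the header counts disagree with what the packet contains; the sample packets are constructed for illustration and are not captures from any NSD version.

```python
import struct

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name that starts at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of packet")
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
        if length == 0:                  # root label ends the name
            return off

def check_header_counts(msg: bytes) -> str:
    """Walk the sections the header declares and compare with the packet size."""
    if len(msg) < 12:
        return "short header"
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    try:
        for _ in range(qd):              # question: name, QTYPE, QCLASS
            off = skip_name(msg, off) + 4
        for _ in range(an + ns + ar):    # RR: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
            off = skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("RR fixed fields run past end of packet")
            (rdlen,) = struct.unpack("!H", msg[off + 8:off + 10])
            off += 10 + rdlen
    except ValueError as exc:
        return f"counts exceed packet content: {exc}"
    if off > len(msg):
        return "counts exceed packet content: section runs past end of packet"
    if off < len(msg):
        return f"{len(msg) - off} trailing bytes not covered by header counts"
    return "ok"

# Constructed sample packets: NOTIFY responses (QR=1, opcode 4, AA=1) for example.com SOA IN.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 6, 1)
GOOD_REPLY = struct.pack("!6H", 0x1234, 0xA400, 1, 0, 0, 0) + QUESTION
BAD_REPLY = struct.pack("!6H", 0x1234, 0xA400, 1, 1, 0, 0) + QUESTION   # ANCOUNT=1, no answer RR
UNDERCOUNT_REPLY = struct.pack("!6H", 0x1234, 0xA400, 0, 0, 0, 0) + QUESTION  # QDCOUNT=0, question present

if __name__ == "__main__":
    for name in ("GOOD_REPLY", "BAD_REPLY", "UNDERCOUNT_REPLY"):
        print(name, "->", check_header_counts(globals()[name]))
```
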
Wouter Wijngaards wrote:
> Hi,
>
> NSD 3.0.4 is released today. This is a security and maintenance update.
> I strongly encourage operators to upgrade NSD 3.x to this version.
>
> Reasons to upgrade are a security fix in the ACL processing, where ACL
> entries of NOKEY that got TSIG signed notifies caused outage. Also
> replies to notifies could contain wrong DNS header counts in the packet.
> These two problems are fixed in NSD 3.0.4.
>
> In the contrib directory you can find contributions from users: a spec
> file to build rpms and a python script that converts NSD 2 primary and
> secondary zones and TSIG info to a NSD 3 config file. The items in
> contrib are not supported, but provided for your enjoyment :-)

hi,
here is a small fix to the spec file in the contrib (there is no such
file as DIFFERENCES).

--
Levente                               "Si vis pacem para bellum!"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nsd.spec.patch
Type: text/x-patch
Size: 454 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20070118/7ccea5b0/attachment.bin>