Hi,

NSD 4.1.24rc1 pre-release is available for download
https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.24rc1.tar.gz
sha256 4dbb82adccea883e137ccaa171b14490de3ea7795838c3b57ad3d7854d166a75
pgp https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.24rc1.tar.gz.asc

This version has a fix for a bug in resigning zones with different NSEC3 salt, where NSD would not pick up the NSEC3PARAM record, and serve answers that omit NSEC3 records. NSD is now lenient and when NSEC3PARAMs exist that point to nonworking NSEC3 chains, NSD attempts to find an alternative NSEC3PARAM with NSEC3 records.

It is possible to use nsd-control over a command pipe, without using TLS, by setting the name of the control socket file. Access permissions on that file then act as the access control. No TLS is used, because it is not network traffic, and this is likely faster.

Also systemd support is added for readiness signalling. Enabled with use-systemd: yes.

4.1.24
===============
FEATURES:
- #4102: control interface via local socket. configure it with
  control-interface: "/path/nsd.ctl"
  The path has to start with a / to separate it from an IP address.
  The local socket does not use SSL, but unencrypted traffic, use file
  and containing directory permissions to restrict access.
- configure --enable-systemd (needs pkg-config and libsystemd) can be
  used to then use-systemd: yes in nsd.conf and have readiness
  signalling with systemd.
- RFC8162 support, for record type SMIMEA.

BUG FIXES:
- Patch to fix openwrt for mac os build darwin detection in configure.
- Fix that first control-interface determines if TLS is used. Warn
  when IP address interfaces are used without TLS.
- #4106: Fix that stats printed from nsd-control are recast from
  unsigned long to unsigned (remote.c).
- Fix that type CAA (and URI) in the zone file can contain dots when
  not in quotes.
- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
  chain, NSD leniently attempts to find a working NSEC3PARAM.

Best regards, Wouter

On 06/08/2018 13:29, Wouter Wijngaards wrote:

Hi Wouter,

> NSD 4.1.24rc1 pre-release is available for download
> https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.24rc1.tar.gz
> sha256 4dbb82adccea883e137ccaa171b14490de3ea7795838c3b57ad3d7854d166a75
> pgp https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.24rc1.tar.gz.asc

I've built this version on CentOS 7. It builds and runs.

> It is possible to use nsd-control over a command pipe, without using
> TLS, by setting the name of the control socket file. Access permissions
> on that file then act as the access control. No TLS is used, because it
> is not network traffic, and this is likely faster.

I've tried this feature, and it works. I've noticed that NSD doesn't remove the control socket file on exit, but this probably isn't a big deal. In some situations, NSD may not be able to remove the file anyway, so there's probably no sense in adding code to clean up.

> Also systemd support is added for readiness signalling. Enabled with
> use-systemd: yes.

I haven't tried this yet.

Regards,
Anand

On 06.08.2018 at 13:29, Wouter Wijngaards wrote:

> NSD 4.1.24rc1 pre-release is available for download

compiled without warnings and deployed on some lab systems...

> It is possible to use nsd-control over a command pipe, without using
> TLS, by setting the name of the control socket file. Access permissions
> on that file then act as the access control. No TLS is used, because it
> is not network traffic, and this is likely faster.

the code tries to identify the socket type by some assumptions

-> starts with '/' -> unix-socket
-> contains ':' -> IPv6 address
-> contains '.' -> IPv4 address

It would be more clear and give more options if NSD wouldn't "guess".
(think, somebody wants to use a relative path ...)

NSD (and unbound as well) could require sockets specified as "<type>:<value>"

postfix does this:
  unix:pathname
  inet:host:port ( host = ipv4 | ipv6 | dnsname )

sendmail does that:
  unix:pathname
  inet:port@host
  inet6:port@host

but I'm also fine with the current implementation :-)

> Also systemd support is added for readiness signalling. Enabled with
> use-systemd: yes.

I don't care about that software

> Best regards, Wouter

Thanks for NSD!
Andreas

Hi,

NSD 4.1.24 is available for download
https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.24.tar.gz
sha256 4fb687c8e494610ad8692a127ac101ed73df851142a42766c33de06e54449311
pgp https://www.nlnetlabs.nl/downloads/nsd/nsd-4.1.24.tar.gz.asc

This version has a fix for a bug in resigning zones with different NSEC3 salt, where NSD would not pick up the NSEC3PARAM record, and serve answers that omit NSEC3 records. NSD is now lenient and when NSEC3PARAMs exist that point to nonworking NSEC3 chains, NSD attempts to find an alternative NSEC3PARAM with NSEC3 records.

It is possible to use nsd-control over a command pipe, without using TLS, by setting the name of the control socket file. Access permissions on that file then act as the access control. No TLS is used, because it is not network traffic, and this is likely faster.

Also systemd support is added for readiness signalling. Enabled with use-systemd: yes.

4.1.24
===============
FEATURES:
- #4102: control interface via local socket. configure it with
  control-interface: "/path/nsd.ctl"
  The path has to start with a / to separate it from an IP address.
  The local socket does not use SSL, but unencrypted traffic, use file
  and containing directory permissions to restrict access.
- configure --enable-systemd (needs pkg-config and libsystemd) can be
  used to then use-systemd: yes in nsd.conf and have readiness
  signalling with systemd.
- RFC8162 support, for record type SMIMEA.

BUG FIXES:
- Patch to fix openwrt for mac os build darwin detection in configure.
- Fix that first control-interface determines if TLS is used. Warn
  when IP address interfaces are used without TLS.
- #4106: Fix that stats printed from nsd-control are recast from
  unsigned long to unsigned (remote.c).
- Fix that type CAA (and URI) in the zone file can contain dots when
  not in quotes.
- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
  chain, NSD leniently attempts to find a working NSEC3PARAM.

Best regards, Wouter
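
Added example, not part of the thread and not NSD code: a small audit for a local control socket, since the release notes make file and containing-directory permissions the only access control. The classifier follows the guessing order as Andreas describes it (not taken from the NSD source); the function names and sample values are assumptions.

```python
import os
import stat

def classify_control_interface(value):
    """Apply the guessing order described in the thread."""
    if value.startswith("/"):
        return "unix"
    if ":" in value:
        return "ipv6"
    if "." in value:
        return "ipv4"
    return "unknown"

def audit_local_socket(path):
    """Return findings for a local control socket; an empty list means none.

    Only the socket and its immediate parent directory are checked.
    """
    parent = os.path.dirname(path) or "/"
    try:
        dir_mode = os.stat(parent).st_mode
        sock_mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"{path}: missing (is the server running?)"]
    findings = []
    if not stat.S_ISSOCK(sock_mode):
        findings.append(f"{path}: exists but is not a socket")
    # On Linux, connect() needs write permission on the socket file and
    # search permission on the directory that contains it.
    if sock_mode & stat.S_IWOTH and dir_mode & stat.S_IXOTH:
        findings.append(f"{path}: any local user can connect")
    # A world-writable directory without the sticky bit lets any user
    # unlink the socket and put another one in its place.
    if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
        findings.append(f"{parent}: world-writable without sticky bit")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real nsd.conf.
    for value in ["/var/run/nsd.ctl", "127.0.0.1", "::1", "run/nsd.ctl"]:
        kind = classify_control_interface(value)
        print(value, "->", kind)
        if kind == "unix":
            for finding in audit_local_socket(value):
                print("  ", finding)
```

Under the described rules the relative path `run/nsd.ctl` is classified as an IPv4 address because it contains a dot, which is the ambiguity a `unix:` prefix would remove.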