Hi,

The 4.3.8rc2 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc2.tar.gz
sha256 39f82885a948303b48bf61758306dd448750a72b0d1904b739e99b027d84031d
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc2.tar.gz.asc

The RC2 is here to update the default for DNS Cookies. It is now off to
stop wrong behaviour in mixed server deployments.

Best regards, Wouter

On 04/10/2021 14:18, Wouter Wijngaards via maintainers wrote:
> Hi,
>
> The 4.3.8rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc1.tar.gz
> sha256 16ab0237c15e121f0522e3d30869334dd1743b857f9bc57d0245fa10868c9d46
> pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc1.tar.gz.asc
>
> This release fixes a crash bug in delegation answers, and fixes
> in NSEC3 answers. Also compile fixes for OpenSSL. The OpenSSL 3.0
> API is supported.
>
> The Mutual TLS feature allows for client authentication for XFR-over-TLS
> connections, use the client-cert, client-key and client-key-pw options
> to set up the certificate that NSD then uses to connect to the upstream
> server to download the zone with.
>
>
> 4.3.8
> ===============
> FEATURES:
> - Merge #185 by cesarkuroiwa: Mutual TLS.
>
> BUG FIXES:
> - Fix to compile with OpenSSL 3.0.0beta2.
> - Fix configure detection of SSL_CTX_set_security_level.
> - Fix deprecated functions use from openssl 3.0.0beta2.
> - For #184: Note that all zones can be targeted by some nsd-control
>   commands in the man page.
> - Fixes for #185: Document client-cert, client-key and client-key-pw
>   in the man page. Fix yacc semicolon. Fix unused variable warning.
>   Use strlcpy instead of strncpy. Fix spelling error in error
>   printout.
> - Merge #187: Support using system-wide crypto policies.
> - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
> - Fix sed script in ssldir split handling.
> - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
>   `query->delegation_rrset' failed.
> - Fix #190: NSD returns 3 NSEC3 records for NODATA response.
> - Fix compile failure with openssl 1.0.2.
> - Fix #194: Incorrect NSEC3 response for SOA query below delegation
>   point.
On 07/10/2021 13:16, Wouter Wijngaards via nsd-users wrote:

Hi Wouter,

> The RC2 is here to update the default for DNS Cookies. It is now off to
> stop wrong behaviour in mixed server deployments.

Thanks for this. I don't mind that NSD has cookie support, but it should
not default to "on" immediately. It would take many operators by
surprise, and even cause operational problems.

Regards, Anand
On Thu, 7 Oct 2021, Wouter Wijngaards via nsd-users wrote:

> The RC2 is here to update the default for DNS Cookies. It is now off to
> stop wrong behaviour in mixed server deployments.

Wrong? What was wrong? Isn't it RFC compliant? Does this only affect
anycast setups?

Paul
Hi,

NSD 4.3.8 is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8.tar.gz
sha256 11897e25f72f5a98f9202bd5378c936886d54376051a614d3688e451e9cb99e1
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8.tar.gz.asc

This release fixes a crash bug in delegation answers, and fixes
in NSEC3 answers. Also compile fixes for OpenSSL. The OpenSSL 3.0
API is supported.

The Mutual TLS feature allows for client authentication for XFR-over-TLS
connections, use the client-cert, client-key and client-key-pw options
to set up the certificate that NSD then uses to connect to the upstream
server to download the zone with.

The default for DNS Cookies is updated. It is now off to stop wrong
behaviour in mixed server deployments.

4.3.8
===============
FEATURES:
- Merge #185 by cesarkuroiwa: Mutual TLS.
- Set default for answer-cookie to no. Because in server deployments
  with mixed server software, a default of yes causes issues.

BUG FIXES:
- Fix to compile with OpenSSL 3.0.0beta2.
- Fix configure detection of SSL_CTX_set_security_level.
- Fix deprecated functions use from openssl 3.0.0beta2.
- For #184: Note that all zones can be targeted by some nsd-control
  commands in the man page.
- Fixes for #185: Document client-cert, client-key and client-key-pw
  in the man page. Fix yacc semicolon. Fix unused variable warning.
  Use strlcpy instead of strncpy. Fix spelling error in error
  printout.
- Merge #187: Support using system-wide crypto policies.
- Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
- Fix sed script in ssldir split handling.
- Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
  `query->delegation_rrset' failed.
- Fix #190: NSD returns 3 NSEC3 records for NODATA response.
- Fix compile failure with openssl 1.0.2.
- Fix #194: Incorrect NSEC3 response for SOA query below delegation
  point.

Best regards, Wouter
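
An added example, not part of the thread and not taken from the NSD distribution: an nsd.conf fragment for a secondary that uses the client-cert, client-key and client-key-pw options named in the announcement for XFR-over-TLS, with answer-cookie set explicitly. The zone name, addresses, hostnames, file paths and the tls-auth name are placeholders.

```conf
# nsd.conf fragment for a secondary server (illustrative values only)

server:
    # 4.3.8 ships with this off; stating it explicitly keeps the behaviour
    # stable across upgrades in deployments that mix server software.
    answer-cookie: no

# Credentials and peer identity used when fetching zones over TLS.
tls-auth:
    # Local label referenced from request-xfr below (placeholder).
    name: "primary-xot"
    # Name expected in the upstream server's certificate (placeholder).
    auth-domain-name: "primary.example.net"
    # Client certificate and key presented to the upstream (Mutual TLS).
    client-cert: "/etc/nsd/xot-client.pem"
    client-key: "/etc/nsd/xot-client.key"
    # Only needed when the key file is passphrase protected.
    # A passphrase in this file means nsd.conf must be readable only
    # by the account that runs NSD.
    client-key-pw: "REPLACE-WITH-PASSPHRASE"

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # Accept NOTIFY from the primary (documentation address, placeholder).
    allow-notify: 192.0.2.53 NOKEY
    # Download the zone over TLS on port 853 using the tls-auth entry above.
    request-xfr: 192.0.2.53@853 NOKEY primary-xot
```

Running nsd-checkconf on the edited file before reloading catches option names that the installed NSD version does not accept.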