Dear all,

NSD 4.12.0rc1 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.12.0rc1.tar.gz
sha256 b9085a3fd08b8318ac30715faf1c7698099781eb3520253774a46f74386342e9
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.12.0rc1.tar.gz.asc

This release introduces Prometheus metrics that can be compiled with
`--enable-prometheus-metrics` and configured with `enable-metrics` (see
[nsd.conf(5)](https://nsd.docs.nlnetlabs.nl/en/latest/manpages/nsd.conf.html#metrics)).

Please review this pre-release carefully. If no issues arise, the actual
release will follow on Thursday 2025-04-24.

4.12.0
===============
FEATURES:
- Merge #418: Support for DSYNC, EID, NIMLOC, SINK, TALINK, DOA, AMTRELAY and IPN resource record types.
- Merge #420: Zones get state "old-serial" with `nsd-control zonestatus` when the served serial is older than the one received by the transfer daemon.
- Merge #429: Add prometheus metrics

BUG FIXES:
- Fix re-enable to configure dns-cookies from config file, which was accidentally removed with the 4.11.1 release.
- Fix #426: nsd crashes with patterns in config_apply_pattern.
- Fix for #430: Confusing documentation: word "outgoing".
- Fix for #430: Confusing documentation: word "outgoing". Add wording to tcp-count, xfrd-tcp-max, xfrd-tcp-pipeline options.
- Fix that nsec3 prehash after a full transfer can create the nsec3 zone trees if they are needed.
- Fix in nsd-mem for a zone with ixfr data.
- Fix ixfr read routine for use after the temp region is freed of rr.
- Fix ixfr file read to manage numlist in temp domains.
- Fix nsd-mem to clean ixfr storage.
- Fix log print assert in server sockets for printing '-' empty.
- Fix notify_fmt test for xfrd file location.
- Fix sanitizer warnings in read_uint32.
- Fix sanitizer warning in tsig write of zero length mac and otherdata.
- Fix to please sanitizer for ixfr store of data in cancelled state.
- Fix multiple zone transfers in one reload so that xfrd does not check the update as failed and restart the transfer.
- Fix read of ixfr file with rdata subdomain.
- Fix test checkconf for metrics options.
- Updated simdzone to include fixes for NSAP-PTR, LOC, uninitialized reads, and comment nit.
- Fix #436: Fix print of RR type NSAP-PTR.
- Fix unit test call to zone_parse_string and initialize padding.
- Fix escape more characters when printing an RR type with an unquoted string.
- Fix memory leak in the process of addzone.
- Fix to update common.sh for speed of kill_pid.
- Fix nsd-checkzone ixfr create cleanup on exit.

simdzone 0.2.2
===============
FEATURES:
- Support for EID, NIMLOC, SINK, TALINK, DSYNC, DOA, AMTRELAY and IPN RR types.

BUG FIXES:
- Empty base16 and base64 in CDS and CDNSKEY can be represented with a '0'. As specified in Section 4 of RFC 8078.
- Initialise padding after the file buffer (#249).
- Fix type NSAP-PTR (#250).
- Fix LOC poweroften lookup (#251).

On Wed, 16 Apr 2025 14:22:15 +0200
Jannik Peters via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:

> Dear all,
>
> NSD 4.12.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/nsd/nsd-4.12.0rc1.tar.gz
> sha256
> b9085a3fd08b8318ac30715faf1c7698099781eb3520253774a46f74386342e9 pgp
> https://nlnetlabs.nl/downloads/nsd/nsd-4.12.0rc1.tar.gz.asc

Which key was used to sign the package? I couldn't find matching key
from keys.openpgp.org.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>

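Added example, not part of the thread and not NLnet Labs' own tooling: one way to check a downloaded tarball against the sha256 and detached signature published in the announcement, and to report which key ID a signature names when that key is not in the local keyring. The function names are illustrative, and TRUSTED_FPR is a placeholder for a fingerprint obtained from a source you trust; the thread does not state one.

```shell
#!/bin/sh
# Added example (not from the thread): check a downloaded release against
# the announced SHA-256 and its detached OpenPGP signature.
# Function names are illustrative; TRUSTED_FPR must come from a source
# you trust, it is not given on this page.

# Print the SHA-256 hex digest of a file using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"    # BSD userland
    fi
}

# Succeed only if the file's digest equals the expected hex string.
check_sha256() {
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Print the key ID named in the signature when the public key is not in
# the keyring (gpg reports NO_PUBKEY <keyid> on its status channel).
missing_signer_keyid() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3 }'
}

# Print the primary-key fingerprint of a valid signature, else fail.
# VALIDSIG's last field is the primary key's fingerprint.
signer_fingerprint() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; ok = 1 }
             END { exit !ok }'
}

# Usage: verify_release TARBALL SIGFILE ANNOUNCED_SHA256 TRUSTED_FPR
verify_release() {
    check_sha256 "$1" "$3" || { echo "sha256 mismatch: $1" >&2; return 1; }
    fpr=$(signer_fingerprint "$1" "$2") || {
        echo "no valid signature; issuer: $(missing_signer_keyid "$1" "$2")" >&2
        return 1
    }
    [ "$fpr" = "$4" ] || { echo "unexpected signer: $fpr" >&2; return 1; }
    echo "OK: $1 signed by $fpr"
}
```

A matching digest only shows the download equals what the announcement describes; the signature check ties it to a key, which is why the fingerprint has to be compared with one obtained out of band.
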
Hi Jannik,

What's the rationale behind the "--enable-prometheus-metrics" compile-time
option? If this code were compiled by default, would it do any harm?

The reason I'm asking this is that features that can be enabled/disabled at
compile-time make package distribution complicated. It can result in a
scenario where NSD packages on different operating systems or distributions
have different features. It's especially confusing to an operator reading
the "nsd.conf" man page, noticing the option "metrics-enable", setting it to
"yes" and discovering that it doesn't work, because the feature isn't
compiled in.

Let's take Homebrew as an example. My brew-installed nsd doesn't have RRL
compiled in, so even if I want to test it, I cannot. I have to download the
sources and compile it. Now, my nsd.conf doesn't mention RRL, because the
source of the nsd.conf man page has "rrlstart" and "rrlend" markers, which
probably allow the build process to leave out the RRL sections because the
feature is not compiled in. But I do not see any such markers for "metrics".
The nsd.conf.5 man page that is generated shows the "metrics-enable" option,
but it's not actually compiled in. It's quite confusing.

Years ago, nsd used to have a compile-time option called
"--enable-root-server". This prevented a standard nsd build from being used
as a root name server, unless one explicitly enabled it when compiling. I
never liked this, and after some discussion, the nsd developers agreed with
me that making it a default was fine.

I think that similarly, it is better if all of nsd's features are just
compiled in, so that a *standard* package just has them all available. The
features should default to "off", naturally. Operators can enable the
features they need in the config file.

Regards,
Anand

On 16.04.25 at 14:22, Jannik Peters via nsd-users wrote:
> NSD 4.12.0rc1 pre-release is available:

Hello,

compiled and run as usual. But some remarks:

1. maybe not new: I like to have NSTATS/XSTATS get *not* logged.
   I've to use 'configure --disable-bind8-stats' for this.
   Simply not using '--enable-bind8-stats' is not enough ...
   Is the nsd.conf option 'statistics' still relevant if --disable-bind8-stats is used?

2. I agree with Anand that features should be better a configuration option
   rather than compile time option.

3. there was a warning about an unused variable:

   gcc -Wdate-time -D_FORTIFY_SOURCE=2 -I. -I/usr/local/include -Isimdzone/include -I./simdzone/include -g -O2 -fdebug-prefix-map=/tmp=. -fstack-protector-strong -Wformat -Werror=format-security -W -Wall -Wextra -Wdeclaration-after-statement -I/usr/include/google -c metrics.c
   metrics.c: In function 'metrics_http_callback':
   metrics.c:321:32: warning: unused variable 'metrics' [-Wunused-variable]
     321 |         struct daemon_metrics *metrics = ((struct metrics_acceptlist *)p)->metrics;
         |                                ^~~~~~~

4. any chance, that https://github.com/NLnetLabs/nsd/pull/437 finds its way
   into 4.12? a similar change is active in unbound-1.23.0rc2 and works well there.

Andreas

On 2025-04-16 14:22 +02, Jannik Peters via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:
> Dear all,
>
> NSD 4.12.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/nsd/nsd-4.12.0rc1.tar.gz
> sha256 b9085a3fd08b8318ac30715faf1c7698099781eb3520253774a46f74386342e9
> pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.12.0rc1.tar.gz.asc
>
>
> This release introduces Prometheus metrics that can be compiled with
> `--enable-prometheus-metrics` and configured with `enable-metrics` (see
> [nsd.conf(5)](https://nsd.docs.nlnetlabs.nl/en/latest/manpages/nsd.conf.html#metrics)).

Hi,

this errors out on OpenBSD (which has libevent1 in base) thusly:

$ ./configure --enable-prometheus-metrics
[...]
checking for library containing evhttp_free... no
./configure: >&for : illegal file descriptor name
configure: error: is

Thanks,
Florian

-- 
In my defence, I have been left unsupervised.