Hi,

Here is NSD 3.2.9. It has a fair list of bugfixes and it introduces two new features:

- Minimize responses to reduce truncation.
- Less NSEC3 prehashing, to speed up zone transfer reloads.

For more information, see the Release Notes.

You can download NSD 3.2.9 at

Link: http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.9.tar.gz
Sha1: 66e17e5801e94da1a21f0f2a4dd7a4ab4ffe0dd9

Best regards,
Matthijs

RELNOTES
========

FEATURES:

- Minimize responses to reduce truncation: NSD will only add optional records to the authority and additional sections when the response size does not exceed the minimal response size.

  The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4), 1220 (EDNS/IPv6), or the advertised EDNS buffer size if that is smaller than the EDNS default.

  The feature is enabled by default. You can disable it by configuring NSD with --disable-minimal-responses.

- Less NSEC3 prehashing. This will make NSD handle zone transfers faster, but will decrease the performance of NXDOMAIN and wildcard NODATA responses. Full prehashing is enabled by default. If you want less NSEC3 prehashing, configure NSD with --disable-full-prehash. Thanks to Secure64 for the patch.

BUG FIXES:

- Bugfix #302: nsd accepts XFR but refuses to re-read the slave zone.
- Bugfix #365: set patch style and zonec verbose for nsdc.
- First step of bug #369: RRSIG DNSKEY sets zone to be treated DNSSEC.
- Bugfix #375: typos in nsd.conf.5.
- Bugfix #381: Binary escaped and transfers.
- Bugfix #397: Don't allow relative domain names as origin in $INCLUDE directives.
- Fix printout of IPSECKEY by nsd-patch.
- Fix is_existing flag for ENT when domain that has a shared ENT is deleted by IXFR. (ENT == Empty Non-Terminal)
- Fix bug if the zonefile is changed for a secondary but stored transfers are applied, and stop it from applying ixfr to empty zone. The zone is flagged with error and AXFR-ed.
- Fix to have no authority NS set processing for CNAMEs.
- Fix nsd-checkconf to check tsig algorithms properly.
- Set the AA bit on responses that have an authoritative CNAME.
- Fix denial of existence response for empty non-terminal that looks like a NSEC3-only domain (but has data below it).

OPERATIONAL NOTES:

- nsd.db version number increased because NSD 3.2.7 and earlier zonec is not compatible due to the TXT strings change. Please run nsdc rebuild before running NSD 3.2.9 and later versions.
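A small model of the "minimize responses" rule described under FEATURES, added here as an illustration and not taken from NSD's own code: it derives the minimal response size from the numbers in the release notes and shows that withheld optional records never set TC, while required records that do not fit still do. The 12-byte header constant, the record-size lists, the one-by-one addition of optional records and the use of the client's advertised buffer (512 without EDNS) as the truncation limit for required records are assumptions for this example; the thread does not describe NSD's actual packet assembly.

```python
# Constructed model of NSD 3.2.9 "minimize responses" (not NSD's own code).
NO_EDNS_SIZE = 512
EDNS_DEFAULT = {4: 1480, 6: 1220}   # EDNS/IPv4, EDNS/IPv6 from the release notes


def minimal_response_size(edns_bufsize, ip_version):
    """Minimal response size: 512 without EDNS, otherwise the IPv4/IPv6
    EDNS default, or the advertised buffer size if that is smaller."""
    if edns_bufsize is None:
        return NO_EDNS_SIZE
    return min(EDNS_DEFAULT[ip_version], edns_bufsize)


def client_buffer(edns_bufsize):
    """Largest UDP payload the client said it accepts (assumption: the
    classic DNS truncation limit, 512 without EDNS)."""
    return NO_EDNS_SIZE if edns_bufsize is None else edns_bufsize


def build_response(required, optional, edns_bufsize, ip_version, header=12):
    """Return (payload_size, tc_bit, optional_records_included).

    required: sizes of records that must be in the response (answer RRs).
    optional: sizes of optional authority/additional records, e.g. the NS
              RRset of a positive answer and its glue.
    Assumption: optional records are appended in order and the first one
    that would exceed the minimal size stops further additions.
    """
    size = header + sum(required)
    if size > client_buffer(edns_bufsize):
        # Only REQUIRED records set TC; the client retries over TCP.
        return size, True, 0
    minimal = minimal_response_size(edns_bufsize, ip_version)
    included = 0
    for rr in optional:
        if size + rr > minimal:
            break          # withheld silently: optional, so no TC bit
        size += rr
        included += 1
    return size, False, included
```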
On Nov 23, 2011, at 4:17 AM, Matthijs Mekking wrote:

> RELNOTES
> ========
>
> FEATURES:
> - Minimize responses to reduce truncation: NSD will only add optional
> records to the authority and additional sections when the response
> size does not exceed the minimal response size.
>
> The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
> 1220 (EDNS/IPv6), or the advertised EDNS buffer size if that is
> smaller than the EDNS default.
>
> The feature is enabled by default. You can disable it by configuring
> NSD with --disable-minimal-responses.

Matthijs,

Thanks for the 3.2.9 release. It looks like there are a lot of good fixes in the release.

I'm trying to get a more thorough understanding of the minimal-responses feature in order to do a risk assessment of enabling it in our build. I've done some archeology and from what I can tell, commits 3471 through 3473 are the total change. I could not find a bug referring to these commits.

Looking at the commits, I find this additional documentation in doc/REQUIREMENTS:

+ The feature 'minimize responses' is included since NSD 3.2.9.
+ NS RRsets that would go into the Authority section in positive
+ responses are not considered REQUIRED and therefore will NOT lead
+ to setting of the TC bit.

As I see it, my biggest risk of taking this feature is that I could possibly cause unexpected behavior in any client expecting this information, even though the spec says it's optional. Are there any other issues I should consider?

Thanks,
Todd
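Review bot: the added REQUIREMENTS text only states that NS RRsets in the Authority section of positive responses are not REQUIRED, while the release note says the feature withholds optional records from the Additional section as well; the paragraph should say whether Additional-section records (the glue that accompanies that NS RRset) are treated the same way, and which records remain REQUIRED and therefore still set the TC bit, since that boundary is exactly what an operator needs for the risk assessment raised in this reply.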
Matthijs,

On Wed, 2011-11-23 at 11:17 +0100, Matthijs Mekking wrote:

> - Minimize responses to reduce truncation: NSD will only add optional
> records to the authority and additional sections when the response
> size does not exceed the minimal response size.
>
> The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
> 1220 (EDNS/IPv6), or the advertised EDNS buffer size if that is
> smaller than the EDNS default.

I'm curious why you chose to ignore the EDNS buffer size when it is advertised (unless smaller than 1480/1220). I see that NSD already uses the minimum MTU when possible on the system. In principle this means that UDP packets should be fragmented by the kernel, so should already be sending IP packets that make it across the network without many problems.

Do you have any data on how much of a problem this causes and avoids in some production networks?

--
Shane