Hi,

The 4.3.8rc1 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc1.tar.gz
sha256 16ab0237c15e121f0522e3d30869334dd1743b857f9bc57d0245fa10868c9d46
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc1.tar.gz.asc

This release fixes a crash bug in delegation answers, and fixes
in NSEC3 answers. Also compile fixes for OpenSSL. The OpenSSL 3.0
API is supported.

The Mutual TLS feature allows for client authentication for XFR-over-TLS
connections, use the client-cert, client-key and client-key-pw options
to set up the certificate that NSD then uses to connect to the upstream
server to download the zone with.

4.3.8
===============
FEATURES:
- Merge #185 by cesarkuroiwa: Mutual TLS.

BUG FIXES:
- Fix to compile with OpenSSL 3.0.0beta2.
- Fix configure detection of SSL_CTX_set_security_level.
- Fix deprecated functions use from openssl 3.0.0beta2.
- For #184: Note that all zones can be targeted by some nsd-control
  commands in the man page.
- Fixes for #185: Document client-cert, client-key and client-key-pw
  in the man page. Fix yacc semicolon. Fix unused variable warning.
  Use strlcpy instead of strncpy. Fix spelling error in error
  printout.
- Merge #187: Support using system-wide crypto policies.
- Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
- Fix sed script in ssldir split handling.
- Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
  `query->delegation_rrset' failed.
- Fix #190: NSD returns 3 NSEC3 records for NODATA response.
- Fix compile failure with openssl 1.0.2.
- Fix #194: Incorrect NSEC3 response for SOA query below delegation
  point.
Paul Wouters
2021-Oct-04 15:52 UTC
[nsd-users] [NLnet Labs Maintainers] NSD 4.3.8rc1 pre-release
On Mon, 4 Oct 2021, Wouter Wijngaards via maintainers wrote:

> The 4.3.8rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc1.tar.gz
> sha256 16ab0237c15e121f0522e3d30869334dd1743b857f9bc57d0245fa10868c9d46
> pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc1.tar.gz.asc
>
> This release fixes a crash bug in delegation answers, and fixes
> in NSEC3 answers. Also compile fixes for OpenSSL. The OpenSSL 3.0
> API is supported.
>
> The Mutual TLS feature allows for client authentication for XFR-over-TLS
> connections, use the client-cert, client-key and client-key-pw options
> to set up the certificate that NSD then uses to connect to the upstream
> server to download the zone with.

Testing and seems to compile and run fine. But I did not test
XFR-over-TLS yet.

Paul
On 04.10.21 at 14:18, Wouter Wijngaards via nsd-users wrote:

> The 4.3.8rc1 pre-release is available:

> FEATURES:
> - Merge #185 by cesarkuroiwa: Mutual TLS.

Hello,

nsd-4.3.8rc1 compiled without noise, but the Mutual TLS feature
unfortunately does not work well at first try.

Certificate and private key files are present in a directory accessible
by root only. That is sufficient for NSD to operate as DoT server.
The same files now can't be used by NSD in its role as XFR-over-TLS client.
I assume the relevant process no longer runs as root.
(chroot is not configured/used here)

Also, NSD warns about unreadable certificate files but continues:

[2021-10-06 23:38:59.686] nsd[33]: info: control cmd: force_transfer example
[2021-10-06 23:38:59.687] nsd[33]: info: remote control operation completed
[2021-10-06 23:38:59.688] nsd[33]: error: xfrd tls: Unable to load client certificate from file /acme/nsd.example/cert+intermediate.pem
[2021-10-06 23:38:59.689] nsd[33]: error: xfrd tls: Unable to load private key from file /acme/nsd.example/key.pem
[2021-10-06 23:38:59.989] nsd[33]: info: xfrd: zone example. written received XFR packet from 2001:db8::53 with serial 2110062049 to disk
[2021-10-06 23:38:59.992] nsd[33]: info: xfrd: zone example. written received XFR packet from 2001:db8::53 with serial 2110062049 to disk
[2021-10-06 23:38:59.993] nsd[33]: info: xfrd: zone example. committed "received update to serial 2110062049 at 2021-10-06T23:38:59 from 2001:db8::53 TSIG verified with key Knsd-example"

Andreas
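A log check for the situation reported above, added here as an example that is not part of the thread or of NSD: it flags every zone transfer that an nsd process committed shortly after logging that it could not load its client certificate or key. The function name, the 30-second window and the regular expressions are assumptions derived from the log lines quoted in the report.

```python
import re
from datetime import datetime, timedelta

# Sample input: the log lines quoted in the report above, one entry per line.
SAMPLE_LOG = """\
[2021-10-06 23:38:59.686] nsd[33]: info: control cmd: force_transfer example
[2021-10-06 23:38:59.687] nsd[33]: info: remote control operation completed
[2021-10-06 23:38:59.688] nsd[33]: error: xfrd tls: Unable to load client certificate from file /acme/nsd.example/cert+intermediate.pem
[2021-10-06 23:38:59.689] nsd[33]: error: xfrd tls: Unable to load private key from file /acme/nsd.example/key.pem
[2021-10-06 23:38:59.989] nsd[33]: info: xfrd: zone example. written received XFR packet from 2001:db8::53 with serial 2110062049 to disk
[2021-10-06 23:38:59.992] nsd[33]: info: xfrd: zone example. written received XFR packet from 2001:db8::53 with serial 2110062049 to disk
[2021-10-06 23:38:59.993] nsd[33]: info: xfrd: zone example. committed "received update to serial 2110062049 at 2021-10-06T23:38:59 from 2001:db8::53 TSIG verified with key Knsd-example"
"""

# Assumed line layout: "[timestamp] nsd[pid]: level: message", as in the sample.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{1,6})\] "
    r"nsd\[(?P<pid>\d+)\]: (?P<level>\w+): (?P<msg>.*)$")
LOAD_ERR_RE = re.compile(
    r"^xfrd tls: Unable to load (client certificate|private key) "
    r"from file (?P<path>\S+)$")
COMMIT_RE = re.compile(r"^xfrd: zone (?P<zone>\S+) committed ")


def transfers_after_cert_errors(log_text, window=timedelta(seconds=30)):
    """Return a finding for each committed transfer that the same nsd pid
    logged within `window` after failing to load its client cert or key."""
    pending = {}  # pid -> [(timestamp, path), ...] load errors not yet matched
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a log line in the layout shown above
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        pid, msg = int(m["pid"]), m["msg"]
        err = LOAD_ERR_RE.match(msg)
        if err and m["level"] == "error":
            pending.setdefault(pid, []).append((ts, err["path"]))
            continue
        commit = COMMIT_RE.match(msg)
        if commit:
            # Consume this pid's load errors; keep only those inside the window.
            paths = sorted({p for t, p in pending.pop(pid, []) if ts - t <= window})
            if paths:
                findings.append({"zone": commit["zone"], "pid": pid,
                                 "committed_at": ts, "unloaded": paths})
    return findings
```

A finding means only that the transfer was committed after the load errors; whether the upstream accepted the connection without a client certificate has to be confirmed on the upstream side.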
Hi,

The 4.3.8rc2 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc2.tar.gz
sha256 39f82885a948303b48bf61758306dd448750a72b0d1904b739e99b027d84031d
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc2.tar.gz.asc

The RC2 is here to update the default for DNS Cookies. It is now off to
stop wrong behaviour in mixed server deployments.

Best regards, Wouter

On 04/10/2021 14:18, Wouter Wijngaards via maintainers wrote:
> Hi,
>
> The 4.3.8rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc1.tar.gz
> sha256 16ab0237c15e121f0522e3d30869334dd1743b857f9bc57d0245fa10868c9d46
> pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.3.8rc1.tar.gz.asc
>
> This release fixes a crash bug in delegation answers, and fixes
> in NSEC3 answers. Also compile fixes for OpenSSL. The OpenSSL 3.0
> API is supported.
>
> The Mutual TLS feature allows for client authentication for XFR-over-TLS
> connections, use the client-cert, client-key and client-key-pw options
> to set up the certificate that NSD then uses to connect to the upstream
> server to download the zone with.
>
>
> 4.3.8
> ===============
> FEATURES:
> - Merge #185 by cesarkuroiwa: Mutual TLS.
>
> BUG FIXES:
> - Fix to compile with OpenSSL 3.0.0beta2.
> - Fix configure detection of SSL_CTX_set_security_level.
> - Fix deprecated functions use from openssl 3.0.0beta2.
> - For #184: Note that all zones can be targeted by some nsd-control
>   commands in the man page.
> - Fixes for #185: Document client-cert, client-key and client-key-pw
>   in the man page. Fix yacc semicolon. Fix unused variable warning.
>   Use strlcpy instead of strncpy. Fix spelling error in error
>   printout.
> - Merge #187: Support using system-wide crypto policies.
> - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
> - Fix sed script in ssldir split handling.
> - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
>   `query->delegation_rrset' failed.
> - Fix #190: NSD returns 3 NSEC3 records for NODATA response.
> - Fix compile failure with openssl 1.0.2.
> - Fix #194: Incorrect NSEC3 response for SOA query below delegation
>   point.