Hi,

NSD 4.10.1rc2 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.10.1rc2.tar.gz
sha256 ce2e82bc673aeff3a71aeb422fa38fb8db0a591edb76c13b0e4dde83ec8253e9
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.10.1rc2.tar.gz.asc

Version 4.10.1 consists primarily of bug fixes. @bilias implemented mutual TLS authentication for zone transfers. Please consult the nsd.conf manual for details on the newly introduced configuration options tls-auth-port and tls-auth-xfr-only. Michael Orlitzky provided integration for the OpenRC init system.

Version 4.10.0 was the first release to integrate simdzone. Build issues on OpenBSD releases before 5.6, Gentoo and Solaris have been reported and fixed. The fallback parser, used on systems that lack the SSE4.2 and AVX2 instruction sets, contained some bugs with regard to state keeping, and under certain circumstances a use-after-free bug was encountered in buffer management.

4.10.1
===============
FEATURES:
- Merge #352 from orlitzky: contrib: add OpenRC service script, config file, and tmpfiles entry.
- Merge #337 from bilias: Mutual TLS-AUTH.
BUG FIXES:
- Fix incorrect punctuation of log messages.
- Fix for #317, document more text on pidfile permissions.
- Fix #334: RFC8482 behavior documentation.
- Fix for OpenSSL 3.0 deprecated functions.
- Merge #341: Fix allow-query wording in nsd.conf.5.in.
- Fix test script from making spurious output.
- Fix cpu_affinity and socket_partitioning tests for --enable-log-role.
- Fix #344: Update simdzone.
- Fix #347: Adjust verbosity for TLS (+TCP) to be 5.
- Merge #348: Move TLS logging to verbosity level 5.
- For #347: Also adjust verbosity of log message for remaining TCP connections.
- Merge #349: log file name before loading.
- Use MAKE variable rather than make command directly in Makefile.
- Serialize WKS RRs using numeric values rather than names.
- Fix propagation of Makefile targets to simdzone.
- Do not log ACL mismatch on followed CNAMEs.
simdzone 0.1.1
===============
FEATURES:
- Test to verify configure.ac and Makefile.in are correct.
- Add support for reading from stdin if filename is "-".
- Add support for building with Oracle Developer Studio 12.6.
- Add support for "time" service for Well-Known Services (WKS) RR.
BUG FIXES:
- Fix makefile dependencies.
- Fix makefile to use source directory for build dependencies.
- Fix changelog to reflect v0.1.0 release.
- Update makefile to not use target-specific variables.
- Fix makefile clean targets.
- Fix state keeping in fallback scanner for contiguous and quoted.
- Fix bug in name scanner.
- Fix type mnemonic parsing in fallback parser.
- Fix endian.h to include machine/endian.h on OpenBSD releases before 5.6.
- Fix use after free on buffer resize.
CHANGES:
- Make relative includes relative to current working directory.
On 23.07.24 at 17:28, Jeroen Koekkoek via nsd-users wrote:
> NSD 4.10.1rc2 pre-release is available:

No compile-time warnings while building on Debian bookworm/x86_64.

> @bilias implemented mutual TLS authentication for zone transfers.
> Please consult the nsd.conf manual for details on the newly introduced
> configuration options tls-auth-port and tls-auth-xfr-only.

This is a nice feature that seems to work but has some nits.

nsd serving as a simple TLS server is configured with

server:
    username: nsd
    ip-address: ::@853
    tls-service-key: /path/to/key.pem
    tls-service-pem: /path/to/cert+intermediate.pem
    tls-port: 853
    # since 4.10.1rc2
    ip-address: ::@1853
    tls-auth-port: 1853
    tls-auth-xfr-only: yes
    tls-cert-bundle: /path/to/ca-certificates.crt

In this mode, /path/to/*.pem may be accessible to the root user only.

Now, when adding a tls-auth for the purpose of client authentication, I add

tls-auth:
    name: primary.nsd.example
    auth-domain-name: primary.nsd.example
    client-cert: /path/to/cert+intermediate.pem
    client-key: /path/to/key.pem

Here, the files /path/to/*.pem are used by a child process with the limited privileges of the username 'nsd'. It would be better if nsd read all tls-auth client-[cert|key] data before dropping privileges. Then the files could still be limited to being readable by the root user.

Next question: now the AXFR request from secondary to primary is an mTLS connection. But what about NOTIFY messages from primary to secondary? The zone statement 'notify' does not mention a tls-auth-name. Are these notifies still plain, unencrypted, unauthenticated UDP packets?

Next note: I used an IPv6 network for my zone transfer tests and have the impression that the outgoing-interface statement at the secondary is not working if AXFR-over-TLS is used.

Next note: while trying to get AXFR-over-TLS working, I saw errors like

    "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch"

It would be helpful to see there "... hostname mismatch: expected 'foo', got 'bar'".

Funny side note: after "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch" I also saw "error: xfrd: TLS handshake failed: Success".

Andreas
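For readers following this thread, below is a two-host nsd.conf sketch of the mutual-TLS zone transfer setup Andreas tested: the primary exposes a separate listener on tls-auth-port that demands a client certificate and serves only zone transfers, and the secondary presents its certificate via a tls-auth entry referenced from request-xfr. This is an added illustration, not configuration from the NSD project or from either post in the thread. The host names, addresses, zone name and file paths are placeholders, the interpretation of tls-auth-port and tls-auth-xfr-only is inferred from the option names and from Andreas' config above, and the request-xfr form with a trailing tls-auth name is the one documented for earlier NSD 4 releases; check all of it against the nsd.conf manual shipped with 4.10.1 before relying on it.

```conf
## primary.nsd.example (assumed host name and addresses: 2001:db8::1 primary, 2001:db8::2 secondary)
server:
    username: nsd
    ip-address: 2001:db8::1@1853
    tls-service-key: /etc/nsd/tls/primary.key        # assumed path
    tls-service-pem: /etc/nsd/tls/primary.pem        # assumed path; leaf + intermediate
    tls-auth-port: 1853            # inferred: listener that requires a client certificate
    tls-auth-xfr-only: yes         # inferred: that listener answers zone transfer requests only
    tls-cert-bundle: /etc/nsd/tls/ca.crt   # CA that issued the secondary's client certificate

zone:
    name: example.com
    zonefile: example.com.zone
    provide-xfr: 2001:db8::2 NOKEY   # address ACL still applies on top of the client certificate
    notify: 2001:db8::2 NOKEY

## secondary.nsd.example (assumed host name)
server:
    username: nsd
    tls-cert-bundle: /etc/nsd/tls/ca.crt   # CA used to verify the primary's server certificate

tls-auth:
    name: primary-mtls                     # local handle, referenced from request-xfr below
    auth-domain-name: primary.nsd.example  # must match a SAN in the primary's server certificate
    client-cert: /etc/nsd/tls/secondary.pem   # assumed path; presented to the primary
    client-key: /etc/nsd/tls/secondary.key    # assumed path; read by the nsd-user child, per the report above

zone:
    name: example.com
    zonefile: example.com.zone
    allow-notify: 2001:db8::1 NOKEY
    request-xfr: 2001:db8::1@1853 NOKEY primary-mtls   # AXFR over TLS with client authentication
```

Two points a practitioner would check against this sketch. The auth-domain-name is what the secondary verifies the primary's certificate against; if it does not match a subjectAltName in that certificate, the transfer fails with the "TLS verify failed ... hostname mismatch" message quoted in the report, so set it to the name on the certificate rather than to whatever resolves to the address. And the secondary's client-key is, as Andreas observed, opened by the unprivileged child, so it cannot be root-only; keep it mode 0400 owned by the nsd user until the privilege-drop ordering he asks for changes.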