similar to: And as a sidenote...

We upgraded to NSD 3.2.9 (from 3.2.8) because we encountered the problem "Fix denial of existence response for empty non-terminal that looks like a NSEC3-only domain (but has data below it)." (a nasty problem with DNSSEC). But we now have IXFR issues. On one name server, NSD 3.2.9 works fine, zones are IXFRed and work. On another name server, with much more zones (and big ones), we

I wonder how to process the statistics logged by nsd. We compile with --enable-bind8-stats and I thought we would be able to reuse the Perl script that translated our BIND8 statistics to MRTG. But the script has problems, probably because nsd has several daemons, not just one, and each one is logging statistics. Aug 4 10:34:01 ns2 nsd[24573]: NSTATS 1059986041 1059979224 A=292259 NS=4886

People are proposing rate-limiting built into BIND, to defend against some DoS attackes (a proposal <http://fanf.livejournal.com/122111.html> and its implementation <https://github.com/fanf2/bind-9/blob/master/doc/misc/ratelimiting>). What is the current thinking for NSD? (It is a truly open question, do not take it as "this guy requires rate-limiting in NSD".)

Hi all: I'm currently using NSD 1.2.4 on a FreeBSD host to serve a big domain. I've been looking for new versions of NSD (particularly NSD 2.0.2) on FreeBSD Ports but I haven't found it. Who should add this new version to Ports? Can I make something to include it? I don't have enough experience with FreeBSD and I feel a little bit lost. Best Regards -- Sebastian E. Castro

Hello, I am switching from djbdns and have a (probably dumb) question before going live with nsd: When syncing between master and slaves, am I supposed to see new files appear in the slave's "zonesdir" directory? Because, as you might expect, I see nothing here. Is this behavior normal? From what I understand, the slave "caches" the data in /var/lib/nsd/nsd.db

Hi Christof! AFAIK, PowerDNS is the only open source name server that supports ALIAS. There was an idea to standardize ALIAS as "ANAME" (https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/), but the idea was dropped in favor of SVCB/HTTPS record https://datatracker.ietf.org/doc/rfc9460/. So now we have to wait until all Browser vendors implement SVCB/HTTPS. Regards Klaus PS: If

Hi, Please advise how to use Response Rate Limiting on a server which has multiple NSD server processes (nsd.conf server section has server-count > 1). We have a problem with NSD v3.2.16 repeatedly unblocking and blocking again a single source which is flooding positive queries at a ~steady 700 qps rate. rrl-ratelimit setting is the default 200 qps. The unblock-block happens multiple times

While SVCB/HTTPS provides a better solution for the browsing use case, I see other use cases where ALIAS/ANAME would be ideal, notably in apex RRs. So while fostering SVCB/HTTPS deployment is a good thing, I wouldn?t mind name server software implementing ALIAS. Including NSD, but I reckon it?s much more challenging to do due to NSD architecture than it was to implement it in PowerDNS. But if

This release is an alpha release. We are currently not planning to have a 1.4.0 stable release as we want to prioritize implementing DNSSEC first. The next stable release will then be NSD 2.0.0 with DNSSEC support. This release has some major changes: the database format is much more compact, responses are generated on-the-fly instead of being precompiled in the database, and the new

Hello, we encountered a problem with registry nic.at for tld .at and their transaction "BillWithDraw". This transaction allows an registrar to delegate authority back to registry. For a successful use of this transaction all nameserver-entries for the zone will be deleted by our application before nic-order will be sent to nic.at. Nic.at now checks all nameserver for existing

Hello! Does nsd support ALIAS records or is there a plan to support it somewhen in the future? I didn't find anything about this topic in conjunction with nsd. Afaik there is no RFC for it and I guess therefore nsd does not support it. PowerDNS does for example: https://doc.powerdns.com/authoritative/guides/alias.html Br, Christof -------------- next part -------------- An HTML attachment

Dear All, Please help me understand why timestamps in logs are different from those in nsd-control zonestatus output: served-serial: "2024022603 since 2024-02-27T08:07:51" commit-serial: "2024022603 since 2024-02-27T08:07:51" Feb 26 18:47:34 slave-server nsd[780]: zone testzone.test. received update to serial 2024022603 at 2024-02-26T18:47:33 from

Jeroen Koekkoek via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote: > Anand's answer is entirely correct. > > Once 4.8.0 is released, zone files will be written once per hour by > default. I'm confused now :-) Arnand said the "database" option is being removed. Does this mean the database will always be created, or NEVER be created? I always wondered why

Hello, NSD 4.8.0 running on FreeBSD 13.2-RELEASE-p9 and serving both plain and DNSSEC signed zones. I noticed Permission denied errors in the logs for all domains listed in nsd.conf: [2024-01-12 12:20:05.710] nsd[8655]: info: writing zone domain-plain.org to file domain-plain.org [2024-01-12 12:20:05.710] nsd[8655]: error: cannot write zone domain-plain.org file domain-plain.org~: Permission

Hi Jean-Christophe, Anand's answer is entirely correct. Once 4.8.0 is released, zone files will be written once per hour by default. Best regards, Jeroen On Tue, 2023-12-05 at 10:48 +0100, Anand Buddhdev via nsd-users wrote: > On 04/12/2023 13:47, Jean-Christophe Boggio via nsd-users wrote: > > Hi Jean-Christophe, > > > When syncing between master and slaves, am I

Dear all, We have an emergency quick-fix release, version 4.11.1 for NSD. NSD 4.11.1 is available: https://nlnetlabs.nl/downloads/nsd/nsd-4.11.1.tar.gz sha256 696e50052008de4fa7ab1d818d5b77eb63247eea2f0575114c9592ff9188a614 pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.11.1.tar.gz.asc NSD version 4.11.0 had a serious bug in which applying updates to zones (and other modifications that require a

Hi, I'm doing some quick tests with nsd-4.0.0b5 and (rc2). And found something strange when changing (nsd-control reconfig) one zone from: zone: name: 10.in-addr.arpa zonefile: /zones/empty.zone to zone: name: 10.in-addr.arpa request-xfr: 192.168.122.12 NOKEY allow-notify: 192.168.122.12 NOKEY zonefile: /zones/slave/10.rev and doing nsd-control reconfig. After

Hello I have this problem since a week or so: The nsd daemon crashes unexpectedly and the nsd log files shows this: [1200299533] nsd[3736]: info: XSTATS 1200299533 1200298484 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAns=40 SFwdQ=0 SDupQ=0 SErr=0 RQ=37 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=30 SFErr=0 SNaAns=0 SNXD=0 RUQ=0 RURQ=0 RUXFR=0 RUUpd=1

I just noticed this with NSD 4.10.0 (and earlier versions - it's not a new regression)) I have nsd set to log refused requests to syslog. After adding a DNAME type into my dns for one sub-zone that is being moved, I noticed that legitimate requests for hosts under that subdomain are working as expected, howerver they are being logged as refused. As a quick replicable test, I just did this

Hi "xfrd: failed reading tcp Operation now in progress" has recently started cropping up in my logs on an NSD secondary (pulling from a PowerDNS primary). My other secondary runs Knot and has no issues. What does the obscure message mean and (more importantly) how do I fix it ? A reboot of the host did not help and there are no updates pending. This is Debian Bookworm and NSD is from