Displaying 20 results from an estimated 2000 matches similar to: "Unsecured zone transfers and open resolvers"
2012 Nov 28
1
Build error of NSD4 on Debian Squeeze
Hello World,
I am trying to build NSD4 on Debian Squeeze and I get the following
errors when running `make`.
```
$ pwd
/home/wiz/src/nsd/tags/NSD_4_0_0_imp_5
$ make 
[... output omitted ...]
gcc -g -O2  -o nsd-checkconf answer.o axfr.o buffer.o configlexer.o
configparse
acket.o query.o rbtree.o radtree.o rdata.o region-allocator.o tsig.o
tsig-opens
4_pton.o b64_ntop.o -lcrypto
configparser.o: In
```
2024 Jul 24
2
NSD 4.10.1rc2 pre-release
Am 23.07.24 um 17:28 schrieb Jeroen Koekkoek via nsd-users:
> NSD 4.10.1rc2 pre-release is available:
no compile time warnings while building on debian bookworm/x86_64
> @bilias implemented mutual TLS authentication for zone transfers.
> Please consult the nsd.conf manual for details on the newly introduced
> configuration options tls-auth-port and tls-auth-xfr-only.
this is a nice
2012 Jul 18
1
allow-notify SUBNET and request-xfr inconsistency
Hi list,
We are observing strange behavior of nsd v3.2.9 acting as slave DNS server.
The environment is set up as follows:
0. We are using 172.16.0.0/16 subnet;
1. Primary Master server at 172.16.100.114;
2. Slave server at 172.16.100.115. The config file is 
in /etc/nsd-dns-slave.conf;
3. There may be also other Master servers in the given subnet.
Now I want to permit DNS NOTIFY messages to
2025 Jan 04
1
Old-main quit during quit sync
Hi all,
I'm running NSD 4.9.1 on OpenBSD 7.6. I recently upgraded from OpenBSD 
7.5, which I believe had NSD 4.8.0 in base, and did not see this 
behavior prior.
When I try to reload a zone using nsd-control, I am seeing an error 
message in my logfile: "error: reload: old-main quit during quit sync"
This error does not appear to happen every time I run reload, but it 
does get
2023 Feb 22
1
NSDadmin - NSD web management interface
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20230222/50ca00eb/attachment.htm>
2023 Nov 29
1
NSD 4.8.0rc1 pre-release
Hi,
NSD 4.8.0rc1 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.8.0rc1.tar.gz
sha256 64f1da8f8163340f9d3b352ef8819e3c72c951fdd87cff55dc3b6a6b1ea27942
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.8.0rc1.tar.gz.asc
This release introduces PROXYv2 support and faster statistics gathering,
removes the database option and fixes bugs.
The proxy protocol support is an implementation
2025 Jan 07
1
Old-main quit during quit sync
Op 04-01-2025 om 17:10 schreef Otto Retter via nsd-users:
> Hi all,
>
> I'm running NSD 4.9.1 on OpenBSD 7.6. I recently upgraded from OpenBSD 
> 7.5, which I believe had NSD 4.8.0 in base, and did not see this 
> behavior prior.
Thanks Otto,
Indeed, NSD 4.8.0 did not log this condition as an error message and 
just proceeded if the old-main would quit.
With 4.9.0 reloading
2012 Jun 08
2
Best practices to switch from BIND to NSD
Hi,
I'm a sys admin and currently working for a French hosting company.  We
provide DNS services to our customers and at the moment we are using BIND
on Debian servers.  BIND is a good software but we don't need a recursing
DNS for our public DNS, and we needed better security than what BIND provides.
So I made the suggestion to replace BIND by another DNS software.
NSD appears to be the
2024 Jul 23
1
NSD 4.10.1rc2 pre-release
Hi,
NSD 4.10.1rc2 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.10.1rc2.tar.gz
sha256 ce2e82bc673aeff3a71aeb422fa38fb8db0a591edb76c13b0e4dde83ec8253e9
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.10.1rc2.tar.gz.asc
Version 4.10.1 consists primarily of bug fixes.
@bilias implemented mutual TLS authentication for zone transfers.
Please consult the nsd.conf manual for details
2003 Aug 04
1
Processing "BIND8-like" statistics
I wonder how to process the statistics logged by nsd. We compile with
--enable-bind8-stats and I thought we would be able to reuse the Perl
script that translated our BIND8 statistics to MRTG.
But the script has problems, probably because nsd has several daemons,
not just one, and each one is logging statistics.
Aug  4 10:34:01 ns2 nsd[24573]: NSTATS 1059986041 1059979224 A=292259 NS=4886
2013 Nov 19
2
* CNAME loop
Hi,
I'm testing:
$ sudo nsd-control status
version: 4.0.1
verbosity: 2
I found a loop problem with this record:
*         IN  CNAME   none
("none" means no matching record in zone and therefore match * again)
Queries that use "* CNAME" will result in a loop. The response will use TCP
and will be limited to 65k bytes
$ dig @127.0.0.1 sdfgsfg.test.com
;; Truncated,
2006 Dec 10
5
which is the valid a format?
hi,
after i test nsd i find the following. if i use this in a zone file:
$ORIGIN example.com.
               CNAME           www
www            CNAME           x
x              A               1.2.3.4
then it's accepted by nsd what's more give the proper result. if the
slave is nsd then there is no problem, while if the slave is bind i've
got the following error:
2024 Jul 30
1
NSD 4.10.1rc2 pre-release
Hi Andreas,
The suggestions I captured in GitHub issues. Thanks for sharing.
Regarding whether notifies are still plain UDP. Yes, the config parser
doesn't accept additional arguments to "notify" and judging by the xfrd
code anything to do with notify is using UDP, so no TLS yet.
I've added a GitHub issue for this too.
Thanks for the suggestions. They make for nice
2024 Dec 28
2
NSD stops forking with newer zone data
hi,
On 2024-12-27 22:32, Fredrik Pettai via nsd-users wrote:
> Hello,
> 
> It seems our NSD secondary has triggered some sort of intermittent bug
> After several weeks/months of running nsd stops forking with the new 
> zone data.
> 
> A manual nsd-control transfer or even nsd-control force_transfer won't 
> work, only restart of nsd solves the problem.
> The only
2024 Jan 11
1
support for ALIAS records
While SVCB/HTTPS provides a better solution for the browsing use case, I see other use cases where ALIAS/ANAME would be ideal, notably in apex RRs.
So while fostering SVCB/HTTPS deployment is a good thing, I wouldn't mind name server software implementing ALIAS. Including NSD, but I reckon it's much more challenging to do due to NSD architecture than it was to implement it in PowerDNS.
But if
2023 Jul 27
1
High memory consumption for small AXFR
Hello!
I use NSD 4.7.0 self compiled:
Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking
2024 Oct 16
1
SIGSEGV in rbtree_find_less_equal
Hi Chris,
I've properly started looking into this yesterday. NSD definitely
shouldn't crash, still working on that.
However, the provided zone is invalid too(?) I'm not the foremost
expert on NSEC3 (or even DNSSEC), but it seems an NSEC3 is missing for
bar.foo.com. Empty non-terminals should still have an NSEC3 RR.
(Of course, the delegation point should be at bar.foo.com. too and
2013 Nov 29
2
nsd 4.0 EAGAIN loop in sendmmsg(2)
On NetBSD 6.99.28-CURRENT, nsd 3.2.16 works fine, however nsd 4.0.0 is
spinning chewing CPU.  The logs show:
Nov 28 23:07:00 xxx nsd[466]: sendmmsg failed: Resource temporarily
unavailable
ktruss shows it getting EAGAIN from sendmmsg(2) over and over again.
 According to the man page:
     [EAGAIN|EWOULDBLOCK]
                        The socket is marked non-blocking and the requested
         
2024 May 17
1
query: bad tsig signature for key
hi,
At least with a recent version if it is a time sync issue nsd will do a specific log msg that.
Laura,
can you send over the actual configuration?
(maybe replacing the key with a placeholder or rotating the keys afterwards)
It sounds strange if nsd checks tsig on the notify, but allow xfr without it.
Regards,
Tamás
May 16, 2024 16:14:59 Anand Buddhdev via nsd-users <nsd-users at
2024 Oct 08
1
SIGSEGV in rbtree_find_less_equal
Hi Chris,
I'm having trouble trying to reproduce the issue locally.
Like you I configure two zones.
zone:
  name: example.com.
  zonefile: example.com.zone.signed
zone:
  name: bar.example.com.
  zonefile: bar.example.com.zone
The file bar.example.com.zone does not exist. After touching and
reloading the signed zone, no segfault occurs. I've tried with and
without the