similar to: NSD 3.2.15 released (+RRL)

Hi, Please advise how to use Response Rate Limiting on a server which has multiple NSD server processes (nsd.conf server section has server-count > 1). We have a problem with NSD v3.2.16 repeatedly unblocking and blocking again a single source which is flooding positive queries at a ~steady 700 qps rate. rrl-ratelimit setting is the default 200 qps. The unblock-block happens multiple times

On Sat, 28 Dec 2019 17:02:09 +0100 richard lucassen via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote: > The problem is (was) that I used "include:" statements in nsd.conf > to load zone information. Apparently nsd does not reread the include > files upon a SIGHUP. I scripted everything into 1 file and a HUP > rereads the zone info now. Wrong, I made a mistake it

Hello NSD developers, The new release candidate of NSD, with the new prometheus metrics feature, got me thinking about NSD's feature set, and how so many of its features have to be enabled at compile time. The result of of this is that NSD packages on various operating systems behave differently. I would like to propose that you adjust the build process to compile in *all* the features of

Hello, Lutz Donnerhacke implemented DNS-Dampening. http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening The implementation is available as patch for BIND9 only. He told me that there is an other method preferred by the nsd developer. It's called "Response Rate Limiting". May one describe the idea behind rate limiting and compare it with Lutz' solution? Thanks. -- Andreas

Dear all, NSD 4.12.0rc1 pre-release is available: https://nlnetlabs.nl/downloads/nsd/nsd-4.12.0rc1.tar.gz sha256 b9085a3fd08b8318ac30715faf1c7698099781eb3520253774a46f74386342e9 pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.12.0rc1.tar.gz.asc This release introduces Prometheus metrics that can be compiled with `--enable-prometheus-metrics` and configured with `enable-metrics` (see

Hi Jannik, What's the rationale behind the "--enable-prometheus-metrics" compile-time option? If this code were compiled by default, would it do any harm? The reason I'm asking this is that features that can be enabled/disabled at compile-time make package distribution complicated. It can result in a scenario where NSD packages on different operating systems or distributions

NSD 4.10.0rc1 is available: https://nlnetlabs.nl/downloads/nsd/nsd-4.10.0rc1.tar.gz sha256 ad476e82eee5bdabc985e071cabe6a68263dd02eac6278ce2f81798b8c08f19f pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.10.0rc1.tar.gz.asc Version 4.10.0 integrates simdzone and drops the Flex+Bison zone parser. NSD used a Flex+Bison based zone parser since version 1.4.0. The parser served NSD well, but zones have

Hi, NSD 4.8.0rc1 pre-release is available: https://nlnetlabs.nl/downloads/nsd/nsd-4.8.0rc1.tar.gz sha256 64f1da8f8163340f9d3b352ef8819e3c72c951fdd87cff55dc3b6a6b1ea27942 pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.8.0rc1.tar.gz.asc This release introduces PROXYv2 support and faster statistics gathering, removes the database option and fixes bugs. The proxy protocol support is an implementation

Hi Jean Claude, The message is printed when the bind operation failed. Why that happens is hard to say, I'd need more information for that. As the message does not say: address already in use (or similar), I'm guessing the address is not configured? Best regards, Jeroen On Fri, 2023-04-21 at 18:03 +0200, HAKIZIMANA Jean Claude via nsd-users wrote: > Dear nsd Users, > kindly can

hi, On 2024-12-27 22:32, Fredrik Pettai via nsd-users wrote: > Hello, > > It seems our NSD secondary has triggered some sort of intermittent bug > After several weeks/months of running nsd stops forking with the new > zone data. > > A manual nsd-control transfer or even nsd-control force_transfer won?t > work, only restart of nsd solves the problem. > The only

People are proposing rate-limiting built into BIND, to defend against some DoS attackes (a proposal <http://fanf.livejournal.com/122111.html> and its implementation <https://github.com/fanf2/bind-9/blob/master/doc/misc/ratelimiting>). What is the current thinking for NSD? (It is a truly open question, do not take it as "this guy requires rate-limiting in NSD".)

On NetBSD 6.99.28-CURRENT, nsd 3.2.16 works fine, however nsd 4.0.0 is spinning chewing CPU. The logs show: Nov 28 23:07:00 xxx nsd[466]: sendmmsg failed: Resource temporarily unavailable ktruss shows it getting EAGAIN from sendmmsg(2) over and over again. According to the man page: [EAGAIN|EWOULDBLOCK] The socket is marked non-blocking and the requested

Hello, It seems our NSD secondary has triggered some sort of intermittent bug After several weeks/months of running nsd stops forking with the new zone data. A manual nsd-control transfer or even nsd-control force_transfer won?t work, only restart of nsd solves the problem. The only ?hint? I?ve found is that the nsd xfrd messages stops appearing in the logs (while the notify messages keeps

NSD 2.3.2 is a bugfix release. Please see the README document for configuration and installation instructions. You can download NSD from http://www.nlnetlabs.nl/nsd/ Note: we switched to SHA-1 for tarball digest. 2.3.2 ============= FEATURES: - Bug #101: add support for the SPF record. BUG FIXES: - Bug #100: replaced non-portable use of timegm(3) with portable

Hi all, we have discovered a segfault in nsd-patch when renaming slave zone in nsd config file if some data for this zone still exists in the IXFR diff database. In my case, the zone "black" was renamed to "blackinwhite": > root at ggd115:/cage/nsd/var/nsd/zones#nsd-patch -c > /cage/nsd/etc/nsd-dns-slave.conf > reading database > reading updates to database >

Dear nsd Users, kindly can you help me to trace the cause of this error in nsd " nsd[25372]: warning: xfrd: could not bind source address:port to socket: Cannot assign requested address". I use NSD version 4.0.1 Thank you, -------------- next part -------------- An HTML attachment was scrubbed... URL:

Hello, The NSD documentation on Catalog zones[1] states: > NSD can be a producer of catalog zones as well as a catalog zone consumer, but it is limited to process only a single consumer zone. This can be a shortcoming in some architectures, like when NSD is used as a distribution server, dynamically "collecting" domains from several primary servers (each with its own catalog zone)

Hi there! I remember reading that you cannot reload new zone files on the fly and require a full restart of the nsd daemon? We are evaluating multiple DNS servers that have better performance comparing to bind, but will require quite heavy zone reload (new and existing) every 10 minutes or so. Downtime (even 1-3 secs) is not the option. Thanks!

Hi Andreas, On 16/04/2025 23:17, A. Schulze via nsd-users wrote: > 4. any chance, that https://github.com/NLnetLabs/nsd/pull/437 find it's > way in 4.12? > ?? a similar change in active in unbound-1.23.0rc2 and works well there. This change was heading to 4.12 but we pulled it because it was breaking software that implicitly sends the SOA probe over UDP. Maybe a more lenient

Am 23.07.24 um 17:28 schrieb Jeroen Koekkoek via nsd-users: > NSD 4.10.1rc2 pre-release is available: no compile time warnings while building on debian bookworm/x86_64 > @bilias implemented mutual TLS authentication for zone transfers. > Please consult the nsd.conf manual for details on the newly introduced > configuration options tls-auth-port and tls-auth-xfr-only. this is an nice