similar to: NSD 3.2.15 released (+RRL)

Hi, Please advise how to use Response Rate Limiting on a server which has multiple NSD server processes (nsd.conf server section has server-count > 1). We have a problem with NSD v3.2.16 repeatedly unblocking and blocking again a single source which is flooding positive queries at a ~steady 700 qps rate. rrl-ratelimit setting is the default 200 qps. The unblock-block happens multiple times

On Sat, 28 Dec 2019 17:02:09 +0100 richard lucassen via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote: > The problem is (was) that I used "include:" statements in nsd.conf > to load zone information. Apparently nsd does not reread the include > files upon a SIGHUP. I scripted everything into 1 file and a HUP > rereads the zone info now. Wrong, I made a mistake it

Hello, Lutz Donnerhacke implemented DNS-Dampening. http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening The implementation is available as patch for BIND9 only. He told me that there is an other method preferred by the nsd developer. It's called "Response Rate Limiting". May one describe the idea behind rate limiting and compare it with Lutz' solution? Thanks. -- Andreas

Hi, NSD 4.8.0rc1 pre-release is available: https://nlnetlabs.nl/downloads/nsd/nsd-4.8.0rc1.tar.gz sha256 64f1da8f8163340f9d3b352ef8819e3c72c951fdd87cff55dc3b6a6b1ea27942 pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.8.0rc1.tar.gz.asc This release introduces PROXYv2 support and faster statistics gathering, removes the database option and fixes bugs. The proxy protocol support is an implementation

Hi Jean Claude, The message is printed when the bind operation failed. Why that happens is hard to say, I'd need more information for that. As the message does not say: address already in use (or similar), I'm guessing the address is not configured? Best regards, Jeroen On Fri, 2023-04-21 at 18:03 +0200, HAKIZIMANA Jean Claude via nsd-users wrote: > Dear nsd Users, > kindly can

People are proposing rate-limiting built into BIND, to defend against some DoS attackes (a proposal <http://fanf.livejournal.com/122111.html> and its implementation <https://github.com/fanf2/bind-9/blob/master/doc/misc/ratelimiting>). What is the current thinking for NSD? (It is a truly open question, do not take it as "this guy requires rate-limiting in NSD".)

On NetBSD 6.99.28-CURRENT, nsd 3.2.16 works fine, however nsd 4.0.0 is spinning chewing CPU. The logs show: Nov 28 23:07:00 xxx nsd[466]: sendmmsg failed: Resource temporarily unavailable ktruss shows it getting EAGAIN from sendmmsg(2) over and over again. According to the man page: [EAGAIN|EWOULDBLOCK] The socket is marked non-blocking and the requested

NSD 2.3.2 is a bugfix release. Please see the README document for configuration and installation instructions. You can download NSD from http://www.nlnetlabs.nl/nsd/ Note: we switched to SHA-1 for tarball digest. 2.3.2 ============= FEATURES: - Bug #101: add support for the SPF record. BUG FIXES: - Bug #100: replaced non-portable use of timegm(3) with portable

Hi all, we have discovered a segfault in nsd-patch when renaming slave zone in nsd config file if some data for this zone still exists in the IXFR diff database. In my case, the zone "black" was renamed to "blackinwhite": > root at ggd115:/cage/nsd/var/nsd/zones#nsd-patch -c > /cage/nsd/etc/nsd-dns-slave.conf > reading database > reading updates to database >

Dear nsd Users, kindly can you help me to trace the cause of this error in nsd " nsd[25372]: warning: xfrd: could not bind source address:port to socket: Cannot assign requested address". I use NSD version 4.0.1 Thank you, -------------- next part -------------- An HTML attachment was scrubbed... URL:

Hi there! I remember reading that you cannot reload new zone files on the fly and require a full restart of the nsd daemon? We are evaluating multiple DNS servers that have better performance comparing to bind, but will require quite heavy zone reload (new and existing) every 10 minutes or so. Downtime (even 1-3 secs) is not the option. Thanks!

Good morning, On Tue Apr 28 2009 at 10:34:24 CEST, Jelte Jansen wrote: > We are looking into it (if only because the question comes up about once a > week now) It's been a little more than a week since the question last turned up :) I'd also like to know if any progress has been made to allow NSD to have zones added/removed on the fly, somewhat along the lines of BIND's

We upgraded to NSD 3.2.9 (from 3.2.8) because we encountered the problem "Fix denial of existence response for empty non-terminal that looks like a NSEC3-only domain (but has data below it)." (a nasty problem with DNSSEC). But we now have IXFR issues. On one name server, NSD 3.2.9 works fine, zones are IXFRed and work. On another name server, with much more zones (and big ones), we

Hello I have this problem since a week or so: The nsd daemon crashes unexpectedly and the nsd log files shows this: [1200299533] nsd[3736]: info: XSTATS 1200299533 1200298484 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAns=40 SFwdQ=0 SDupQ=0 SErr=0 RQ=37 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=30 SFErr=0 SNaAns=0 SNXD=0 RUQ=0 RURQ=0 RUXFR=0 RUUpd=1

Hi, I'm new to NSD and would really appreciate if someone can point me to the right direction. I have like 8 NSD servers (secondary) serving around 30,000 zones. Zone updates are transferred from the primary DNS servers by AXFR/IXFR. The 8 NSD servers do not save the zones file on disk but are only held in memory. Therefore after NSD service is restarted zone transfer requests are being

Hello, while investigating a report from Jan-Piet Mens (resulting in http://wiki.powerdns.com/trac/changeset/3109), we discovered that NSD (both 3.2.15 and 4.0.0b4) compresses labels in RP content. As far as I can see, this is not allowed by RFC3597 section 4 paragraph 1/2. PowerDNS Recursor, like Unbound and BIND, now deals with this as 3597 section 4 paragraph 4 says we SHOULD. Nevertheless,

This release is an alpha release. We are currently not planning to have a 1.4.0 stable release as we want to prioritize implementing DNSSEC first. The next stable release will then be NSD 2.0.0 with DNSSEC support. This release has some major changes: the database format is much more compact, responses are generated on-the-fly instead of being precompiled in the database, and the new

Robert Blayzor via nsd-users writes: > > NSD doesn't understand the GENERATE directive. You'll have to create > > your zone files using a script or template engine. > Understood but certainly not helpful with large dynamic IPv6 PTR's... > Not that dynamic hosts NEED PTR's, but would still be nice to have. lex(1) is your friend. For managing our reverse ip6

Greetings, Unbound 1.4.20 OS X 10.8.4 - Server NSD 3.2.15 I have installed 'unbound' and it works nicely on my client (test purpose) - Client is MacBook Air. I have installed NSD (will be in replacement of BIND) on said client. All is good but when i try to start NSD Error --> nsd can't bind udp socket: address already in use. Everything is configured to bind to 127.0.0.1. #

An HTML attachment was scrubbed... URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20230222/50ca00eb/attachment.htm>