similar to: NSD 3.2.15 released (+RRL)

Hi, Please advise how to use Response Rate Limiting on a server which has multiple NSD server processes (nsd.conf server section has server-count > 1). We have a problem with NSD v3.2.16 repeatedly unblocking and blocking again a single source which is flooding positive queries at a ~steady 700 qps rate. rrl-ratelimit setting is the default 200 qps. The unblock-block happens multiple times

On Sat, 28 Dec 2019 17:02:09 +0100 richard lucassen via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote: > The problem is (was) that I used "include:" statements in nsd.conf > to load zone information. Apparently nsd does not reread the include > files upon a SIGHUP. I scripted everything into 1 file and a HUP > rereads the zone info now. Wrong, I made a mistake it

Hello, Lutz Donnerhacke implemented DNS-Dampening. http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening The implementation is available as patch for BIND9 only. He told me that there is an other method preferred by the nsd developer. It's called "Response Rate Limiting". May one describe the idea behind rate limiting and compare it with Lutz' solution? Thanks. -- Andreas

NSD 4.10.0rc1 is available: https://nlnetlabs.nl/downloads/nsd/nsd-4.10.0rc1.tar.gz sha256 ad476e82eee5bdabc985e071cabe6a68263dd02eac6278ce2f81798b8c08f19f pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.10.0rc1.tar.gz.asc Version 4.10.0 integrates simdzone and drops the Flex+Bison zone parser. NSD used a Flex+Bison based zone parser since version 1.4.0. The parser served NSD well, but zones have

Hi, NSD 4.8.0rc1 pre-release is available: https://nlnetlabs.nl/downloads/nsd/nsd-4.8.0rc1.tar.gz sha256 64f1da8f8163340f9d3b352ef8819e3c72c951fdd87cff55dc3b6a6b1ea27942 pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.8.0rc1.tar.gz.asc This release introduces PROXYv2 support and faster statistics gathering, removes the database option and fixes bugs. The proxy protocol support is an implementation

Hi Jean Claude, The message is printed when the bind operation failed. Why that happens is hard to say, I'd need more information for that. As the message does not say: address already in use (or similar), I'm guessing the address is not configured? Best regards, Jeroen On Fri, 2023-04-21 at 18:03 +0200, HAKIZIMANA Jean Claude via nsd-users wrote: > Dear nsd Users, > kindly can

hi, On 2024-12-27 22:32, Fredrik Pettai via nsd-users wrote: > Hello, > > It seems our NSD secondary has triggered some sort of intermittent bug > After several weeks/months of running nsd stops forking with the new > zone data. > > A manual nsd-control transfer or even nsd-control force_transfer won?t > work, only restart of nsd solves the problem. > The only

People are proposing rate-limiting built into BIND, to defend against some DoS attackes (a proposal <http://fanf.livejournal.com/122111.html> and its implementation <https://github.com/fanf2/bind-9/blob/master/doc/misc/ratelimiting>). What is the current thinking for NSD? (It is a truly open question, do not take it as "this guy requires rate-limiting in NSD".)

On NetBSD 6.99.28-CURRENT, nsd 3.2.16 works fine, however nsd 4.0.0 is spinning chewing CPU. The logs show: Nov 28 23:07:00 xxx nsd[466]: sendmmsg failed: Resource temporarily unavailable ktruss shows it getting EAGAIN from sendmmsg(2) over and over again. According to the man page: [EAGAIN|EWOULDBLOCK] The socket is marked non-blocking and the requested

Hello, It seems our NSD secondary has triggered some sort of intermittent bug After several weeks/months of running nsd stops forking with the new zone data. A manual nsd-control transfer or even nsd-control force_transfer won?t work, only restart of nsd solves the problem. The only ?hint? I?ve found is that the nsd xfrd messages stops appearing in the logs (while the notify messages keeps

NSD 2.3.2 is a bugfix release. Please see the README document for configuration and installation instructions. You can download NSD from http://www.nlnetlabs.nl/nsd/ Note: we switched to SHA-1 for tarball digest. 2.3.2 ============= FEATURES: - Bug #101: add support for the SPF record. BUG FIXES: - Bug #100: replaced non-portable use of timegm(3) with portable

Hi all, we have discovered a segfault in nsd-patch when renaming slave zone in nsd config file if some data for this zone still exists in the IXFR diff database. In my case, the zone "black" was renamed to "blackinwhite": > root at ggd115:/cage/nsd/var/nsd/zones#nsd-patch -c > /cage/nsd/etc/nsd-dns-slave.conf > reading database > reading updates to database >

Dear nsd Users, kindly can you help me to trace the cause of this error in nsd " nsd[25372]: warning: xfrd: could not bind source address:port to socket: Cannot assign requested address". I use NSD version 4.0.1 Thank you, -------------- next part -------------- An HTML attachment was scrubbed... URL:

Hello, The NSD documentation on Catalog zones[1] states: > NSD can be a producer of catalog zones as well as a catalog zone consumer, but it is limited to process only a single consumer zone. This can be a shortcoming in some architectures, like when NSD is used as a distribution server, dynamically "collecting" domains from several primary servers (each with its own catalog zone)

Hi there! I remember reading that you cannot reload new zone files on the fly and require a full restart of the nsd daemon? We are evaluating multiple DNS servers that have better performance comparing to bind, but will require quite heavy zone reload (new and existing) every 10 minutes or so. Downtime (even 1-3 secs) is not the option. Thanks!

Am 23.07.24 um 17:28 schrieb Jeroen Koekkoek via nsd-users: > NSD 4.10.1rc2 pre-release is available: no compile time warnings while building on debian bookworm/x86_64 > @bilias implemented mutual TLS authentication for zone transfers. > Please consult the nsd.conf manual for details on the newly introduced > configuration options tls-auth-port and tls-auth-xfr-only. this is an nice

Good morning, On Tue Apr 28 2009 at 10:34:24 CEST, Jelte Jansen wrote: > We are looking into it (if only because the question comes up about once a > week now) It's been a little more than a week since the question last turned up :) I'd also like to know if any progress has been made to allow NSD to have zones added/removed on the fly, somewhat along the lines of BIND's

We upgraded to NSD 3.2.9 (from 3.2.8) because we encountered the problem "Fix denial of existence response for empty non-terminal that looks like a NSEC3-only domain (but has data below it)." (a nasty problem with DNSSEC). But we now have IXFR issues. On one name server, NSD 3.2.9 works fine, zones are IXFRed and work. On another name server, with much more zones (and big ones), we

B.t.w. I've created a PR for it that resolves it (see https://github.com/NLnetLabs/nsd/pull/346 ), but we may need to discuss if and how to resolve it first. First I'd like to know if your configuration is similar in that the CNAME or DNAME target does contain an allow-query list. Op 03-07-2024 om 10:52 schreef Willem Toorop via nsd-users: > Hi Jamie, > > I can reproduce,

Dear all, NSD 4.11.0rc1 pre-release is available: https://nlnetlabs.nl/downloads/nsd/nsd-4.11.0rc1.tar.gz sha256 7594d014199585c24f6593649bfc657078d411a3f09eb31192a35a7c031c028f pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.11.0rc1.tar.gz.asc Version 4.11.0rc1 sees various small features and bugfixes. One notable feature is that configuration can be reloaded and evaluated on SIGHUP, when