Mar 12, 2014
- Return REFUSED for queries to non-hosted zones.
- Fix expired zones to give SERVFAIL, also when parent zone loaded.
- documented nsd-control zonestatus output in nsd-control manpage.
- remove mention of nsdc from nsd-checkconf manpage.
- Disabled recvmmsg and sendmmsg usage by default because kernel
versions have implementation issues: ipv6 ignored, security issues.
- Detect libevent2 install automatically by configure, and use
event2 header files if necessary.
- Fix #551: change Regent to Copyright holder in the LICENSE,
to match the definition on opensource.org for the BSD License.
- Fix #552: zonefile loads on nsd-control reconfig when the name
of the file has changed.
- Fix leak of zone name after zonefile read and fix malloc too
large that would be leaked in the radix tree.
- Fix from 3.2: make SOA RDATA comparisons in XFR more lenient (only
- Fix that NSD will delete and recreate not-clean-closed databases.
Jan 27, 2014
- recognizes ip-address and interface as synonyms for convenience.
- EUI48 and EUI64 RR types (RFC7043) enabled by default.
- Support for CAA RR type (RFC6844).
- NSID can be set with "ascii_somestring" in ascii.
- Fix xfrd when zone transfer TCP contains zero length packets.
- Fix for NSEC3 zones where parent zone is co-hosted, also NSEC3,
because AXFRs overwrote nsec3 administration in the child zone.
- Fix that bad IXFR updates do not result in double SOA records,
and that an AXFR is started (attempted) when the zone state seems
to be inconsistent with the master's zone state.
- Log ip address for sendto and sendmmsg failures.
- Fix segfaults after read of zones with rr type WKS from zonefile.
- Seed PRNG for openssl at start of daemon, fixes SSL connection issue.
- Bugfix #534: IXFR query loop over UDP for zones that are unchanged.
- (same as in 3.2.16): fix wildcard cname to nxdomain repeated rrset.
- (same as in 3.2.16): Bugfix #542: Match RRSIG TTL with SOA TTL in
- Check if configure in srcdir collides with outofdir build.
- Fix #546: output format errors in nsd_munin_ (Thanks Tom Hendrikx).
- Fix printout of high-chars in TXT on NetBSD.
Oct 29, 2013
- documented in doc/NSD-4-features. Change configuration without
restart, direct nameserver control with nsd-control, support a
higher number of zones. Higher performance (compared to NSD3).
- nsdc is gone. Use kill -HUP for reload (also checks if zonefiles
have changed and rereads them), and kill -TERM for quit. Or use
nsd-control for detailed control.
- cron job for nsdcpatch is gone. nsd-control write creates zonefiles.
- nsd.db has a new format that compacts itself when it is changed,
thus nsdc patch is no longer necessary.
- nsd.db is memory mapped, NSD needs (part of) that mmap in ram.
- tcp-count can go above 1000; epoll/kqueue support with libevent.
- nsd-control reconfig for updates with no restart (zones, keys, ..)
- nsd-control-setup to create keys for nsd-control (enable nsd-control
with remote-control: yes in nsd.conf).
Jan 27, 2014
- Support for CAA RR type (RFC6844).
- EUI48 and EUI64 RR types (RFC7043) enabled by default.
- Bugfix #509: USE_ZONE_STATS used initialised memory for statistics data.
- Bugfix #510: USE_ZONE_STATS use a different zone stats file per process.
- Bugfix #542: Match RRSIG TTL with SOA TTL in negative response.
- Removed use of random when arc4random is available. Thus, random
and srandom are then not linked with the executable.
- Check if configure in srcdir collides with outofdir build.
Jul 22, 2013
- New config option "ip-transparent:" to allow NSD to bind to
non local addresses. Default no.
- Use IPV6 minimum MTU settings with TCP to reduce failures that
are caused by delays in learning working PMTU when communicating
through a tunnel.
- Bugfix #496: Support for EUI48 and EUI64 RR types. Experimental,
turned off by default. Enable with --enable-draft-rrtypes.
- New config option "rrl-slip:" to set the average number of
packets discarded before we send back a truncated response.
- New config option "rrl-ipv4-prefix-length:" and
"rrl-ipv6-prefix-length:" to set the prefix lengths.
- Improved RRL logging, also print triggering query src address and QTYPE.
- Provide RRL documentation in nsd.conf.sample.
- Bugfix #357: Parent process waits until children closed down
sockets, to prevent NSD failing to bind to sockets when restarting.
- Bugfix #487: lookup3.c determine endianness for BSD systems.
- Bugfix #491: pick program name (0th argument) as syslog identity.
- Bugfix #494: Exit with return code 1 if socket code fails.
- Bugfix #495: Wrong bufsize in dname_to_string for root.
- Fix outgoing-interface: Don't fail if family is IPv6 but
only IPv4 outgoing-interface is set, or vice versa.
- RRtypes ASFDB, RP, RT should not compress dnames.
- Check that zone directory is within chroot directory.
- Better XFR checking, fallback to AXFR (if allowed) if three
malformed XFR packets have been seen.
Feb 4, 2013
- Support for ILNP RR types: NID, L32, L64, LP (RFC6742).
- RRL, --enable-ratelimit at configure time and config options.
- TSIG initialization only fails when there is no digest found at all.
- Bugfix #478: Declaration after statement (for gcc 2.95).
- Bugfix #483: Better error message in case of TSIG error.
- Bugfix #485: TTL should not be greater than 2^31 - 1.
- Fix RCODE when CNAME loop final answer does not exist, should return NXDOMAIN as stated by RFC 6604.
- Fix --disable-full-prehash bug, where after multiple incoming IXFRs, NSEC3 can be removed unjustified.
Nov 1, 2012
- Fix build on OpenBSD (thanks Oliver Peter).
- Prioritize notify sender for requesting XFR (thanks Ilya Bakulin).
- Fix crash in zonec if TXT string too long (thanks Ilya Bakulin).
- tzset before chroot for correct timezone (thanks Camiel Dobbelaar).
- Fix --disable-full-prehash bug when nsdc patch happens while ixfr too,
it did not rehash the new database.
- Bugfix #464: Conditionally define MAXHOSTNAMELEN.
Jul 27, 2012
Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
vulnerability from DNS packet when using --enable-zone-stats.
Bugfix #460: man page correction - identity.
Fix for nsd-patch segfault if zone has been removed from nsd.conf
(thanks Ilya Bakulin).
Jul 19, 2012
Fix for VU#624931 CVE-2012-2978: NSD denial of service
vulnerability from non-standard DNS packet from any host
on the internet.
Jul 9, 2012
Fallback to AXFR if IXFR is unknown at the primary. NSD considers
IXFR unknown at the primary if there is a negative response for the
IXFR RRtype. This does not override the value for
Allow for reading in new DNSKEY algorithm mnemonics (RFC5155,
RFC5702, RFC5933, and RFC6605 (ECDSA)).
Zone statistics, enable with --enable-zone-stats. This stores the
BIND8 stats per zone in a configurable statistics file. This option
does not scale and should therefore not be enabled when serving
- Support for TLSA RRtype (DANE).
Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't
add the wildcard domain NSEC into the answer section. Instead,
put the wildcard expanded NSEC into the answer section and keep the
wildcard domain NSEC in the authority section.
- Fix for accept spinning reported by OpenBSD.
- Fix restart failed due to bad ixfr packet because of zone removed from nsd.conf.
- Bugfix #453: typo in nsdc man page.
NSD uses the query name for dname compression again (Fix #235
had as side effect that this didn't happen anymore and is hereby
Feb 15, 2012
- Bugfix #421: Truncate pidfile on shutdown, before unlink.
- Bugfix #423: Fix slow zone transfer processing due to 'Fix is_existing flag for ENT' bugfix.
- Bugfix #430: Fix segfault when MAX_INTERFACES set to more than 65K.
- Fix configure.ac strptime check for gcc 4.6.2, acx_nlnetlabs.m4 update
Nov 23, 2011
- Minimize responses to reduce truncation: NSD will only add
records to the authority and additional sections when the response
size does not exceed the minimal response size.
The minimal response size is 512 (no-EDNS), 1480 (EDNS/IPv4),
1220 (EDNS/IPv6), or the advertized EDNS buffer size if that is
smaller than the EDNS default.
The feature is enabled by default. You can disable it by configuring
NSD with --disable-minimal-responses.
Less NSEC3 prehashing. This will make NSD handle zone transfers
faster, but will decrease the performance of NXDOMAIN and wildcard
NODATA responses. Full prehashing is enabled by default. If you want
less NSEC3 prehashing, configure NSD with --disable-full-prehash.
Thanks Secure64 for the patch.
- Bugfix #302: nsd accepts XFR but refuses to re-read the slave zone.
- Bugfix #365: set patch style and zonec verbose for nsdc.
- First step of bug #369: RRSIG DNSKEY sets zone to be treated DNSSEC.
- Bugfix #375: typos in nsd.conf.5.
- Bugfix #381: Binary escaped and transfers.
- Bugfix #397: Don't allow relative domain names as origin in $INCLUDE directives.
- Fix printout of IPSECKEY by nsd-patch.
- Fix is_existing flag for ENT when domain that has a shared ENT is deleted by IXFR. (ENT == Empty Non-Terminal)
- Fix bug if the zonefile is changed for a secondary but stored
transfers are applied, and stop it from applying ixfr to empty zone.
The zone is flagged with error and AXFR-ed.
- Fix to have no authority NS set processing for CNAMEs.
- Fix nsd-checkconf to check tsig algorithms properly.
- Set the AA bit on responses that have an authoritative CNAME.
- Fix denial of existence response for empty non-terminal that looks
like a NSEC3-only domain (but has data below it).
- nsd.db version number increased because NSD 3.2.7 and earlier
zonec is not compatible due to the TXT strings change. Please
run nsdc rebuild before running NSD 3.2.9 and later versions.
Mar 22, 2011
- Do setusercontext before chroot, otherwise login.conf etc. are required inside chroot.
- Bugfix #216: Fix leak of compressiontable when the domain table increases in size.
- Bugfix #348: Don't include header/library path if OpenSSL is in /usr.
- Bugfix #350: Refused notifies should log client ip.
- Bugfix #352: Fix hard coded paths in man pages.
- Bugfix #354: The realclean target deletes a bit too much.
- Bugfix #357, make xfrd quit with many zones.
- Bugfix #362: outgoing-interface and v4 vs. v6 leads to spurious warning messages.
- Bugfix #363: nsd-checkconf -v does not print outgoing-interface ok.
- Bugfix: nsd-checkconf -o outgoing-interface omits NOKEY.
- Undo Bugfix #235: Don't skip dname compression, messes up packets that do need compression.
- Use 'make clean' to clean up files that make created.
- Use 'make realclean' to also clean up files that were generated by running ./configure.
- Use 'make devclean' to also clean up autoconf, autoheader files.
Jan 24, 2011
- Bugfix #253: Don't put NS RRs in a response with QTYPE=DS.
- Bugfix #320: use arcrandom(4) for QID generation if available.
- Bugfix #328: nsd-checkconf overrun.
- Bugfix #343: nsdc update fix.
- Bugfix #347: Wrong NSEC3 returned for nodata response QTYPE=DS no delegation.
- Bugfix: Allow for huge amount of strings in TXT (and other) records.
- Bugfix: nsdc can now deal with tsig algorithms other than hmac-md5.
- Fixed several parts in the documentation, including #306, #345.
Aug 2, 2010
- Expand command line option '-a' and config option 'ip-address:'
with port number.
- Bugfix #314: correctly print NSEC next field, escape spaces and
fix label overflows.
- Configure options --disable-dnssec, --disable-nsid, --disable-tsig
- Configure option --max-interfaces is renamed to --max-ips.
Apr 14, 2010
- New option 'nsid:', to specify the NSID (Bugfix #298).
- The default chroot can be set with --with-chroot=dir.
If not set, by default chroot will not be used (thanks Jakob Schlyter).
- Optimized zonec and b64_pton compatibility code (thanks Martin Svec).
- Optimized memory allocations. Use mmap/munmap instead of malloc/free.
Experimental, by default off. Enable it at build time with
--enable-mmap (thanks Martin Svec).
- NSD will not start if chroot is configured, but changing root is
not possible (it used to ignore the badly configured chroot).
- Make use of the more secure strl* functions.
- Bugfix #303: spelling error.
- NSID support is now enabled by default.
Jan 6, 2010
- Support DLV records.
- New option 'tcp-query-count:', to limit the maximum number of DNS
queries on a single tcp connection.
- New option 'tcp-timeout:', to override the default tcp timeout.
The option can also be set at build time, --with-tcp-timeout.
- New option 'notify-retry:', to configure how many times NSD should
retry a NOTIFY message.
- New options 'ipv4-edns-size:' and 'ipv6-edns-size:', to set your
preferred EDNS buffer size.
- Bugfix #269: Additional c99 syntax.
- Bugfix #276: Zonec prints debug data to stderr.
- Bugfix #286: Document verbosity levels in nsd.conf manual page.
- Bugfix #288: Ignore SIGHUP to child processes.
- Fix typo in include file for setusercontext.
- UDP/IPv4 sockets have new options set that will disable the DF flag
in IP packets.
Aug 17, 2009
- Bug #236: Allow RRs before the SOA in a zonefile.
- Bug #229: Remove the C99 code.
- Bug #253: Don't put NS RRs in a response with QTYPE=DNSKEY.
- Bug #263: Make TSIG algorithm comparison case insensitive.
- Bug #266: Build failed on systems without strptime.
- Fix install hickup.
- Fix to use 4096 EDNS limit for IPv6 on Linux.
May 18, 2009
- Off-by-one buffer overflow fix while processing the QUESTION section.
- Return BADVERS when NSD does not implement the VERSION level of the
request, instead of 0x1FORMERR.
- Bugfix #234.
- Bugfix #235.
- Reset 'error occurred' after notifying an error occurred at the $TTL or
$ORIGIN directive (Otherwise, the whole zone is skipped because the
error is reset after reading the SOA).
- Minor bugfixes.
Jan 19, 2009
- New configuration option 'allow-afxr-fallback', "yes" by default. If
set to "no", NSD will never do AXFR fallback, even if the master
does not support IXFR.
- Allow file rotation on nsd.log.
- The new nsd-patch options -s and -o allows you to skip writing
zonefiles and store the output directly to a database file,
- When configuring, don't do strptime test when cross-compiling.
- Bug #230: Output non-error messages to stdout.
- Better error message when ixfr.db old file format is read.
- Bug #218: shared UDP query for all interfaces.
- Bug #222: Remove bashism from nsdc script.
- Nicer check for SHA-256 functionality.
- Fixed some minor memory leaks that occured on reload.
- nsdc: check if a lockfile has not gone stale, when lock failed.
- Bugfix strptime compatibility function.
- NSD will now fallback to AXFR, only if the master does not support IXFR.
- You can adjust nsdc patch to skip textfile patching. This will
increase the patching process, but will not output to zonefiles
anymore. By default, this is turned off.
Nov 10, 2008
- AXFR/TCP fallback in case of failing IXFR zone transfers.
- RFC 4635: support for hmac-sha1 and hmac-sha256 TSIG algorithm
identifiers, "Bugfix #130".
- Configure the source ip-address for notifies (master) and zone
requests (slave) in nsd.conf, "Bugfix #148".
- nsd-notify and nsd-xfer allow you to configure the outgoing
hostname and source port, in addition to the source address.
- Additional debug and verbose log messages.
- Only normalize dnames in rdatas when rrtype is listed in RFC 4034,
section 6.2: Canonical RR Form, following
draft-ietf-dnsext-dnssec-bis-updates (affects RRSIG and NSEC records).
- Typo in zonec manpage.
- Bugfix in log_finalize.
- Fix race condition between nsdc patch and server reload.
- IMPORTANT: Format of ixfr.db has changed. When you are planning an upgrade to the
new NSD release, make sure to process the old ixfr.db before starting
the new release (by running nsdc patch).
- IXFR is transmitted over TCP by default instead of UDP. If you want to
continue the use of IXFR/UDP, please modify your zone configuration
request-xfr: UDP 188.8.131.52 tsigkey
- We strongly recommend to enable TSIG if you send IXFR over UDP.
When all masters fail to transmit IXFR/UDP, slave will fallback to
IXFR/TCP and eventually AXFR/TCP.
- nsd-patch prints errors to stderr instead of stdout.
Jul 21, 2008
- The number of maximum interfaces allowed is configurable with
--with-max_interfaces (thanks John Lightsey).
- Try to avoid race conditions when NSD reloads and nsdc signals NSD: Update the pidfile before exiting the old server.
- Fixed memory leak when NSEC3 enabled but not needed.
- Added region destroys when erroring during zone transfers.
- Bugfix #191: nsd-checkconf allowed (max_interfaces-1) interfaces.
June 23, 2008
- NSD is now NSEC3 enabled by default. You can disable it by configuring NSD with --disable-nsec3.
- Added "hide-version" configuration setting, to stop NSD from answering CHAOS class version requests.
- Added bind2nsd 0.5.0 in contrib/.
- Report source and zone for denied AXFR attempts.
- Bug #172: Zone compiler gives more sane error messages.
- Manual pages are in mansun format now, which is more portable.
- Log tcp read error only when connection not reset by peer or when verbosity level >= 2.
- RRs are compared without checking TTL value.
- Default locations of nsd.db, ixfr.db, xfrd.state are changed to /var/db/nsd.
April 18, 2008
- Better logging for nsd-notify (show 'broken' zone)
- Bug #164: Add configuration for chkconfig to control nsd
- Better logging when creating database failed.
- Fixed nsdc start when nsd already running: do not initialize
server, since it is already running.
- Bug #163: Fixup bug where data related files are looked up in the
wrong directory when chrooted with chrootdir ending with a
- Bug #157: Fixup bug where nsd would return FORMERR if received an
edns query with version set to zero and rdlen larger than zero.
- Fixed strptime, so that zonec will also work on systems with
broken strptime (like leopard :-)).
- Do not answer nsec3 wildcard information when DO bit is not
- Various spelling errors.
November 13th, 2007
- Error handling for malformed IXFRs improved.
- Bug #162 and #156: Fixed man pages, consistent syntax.
August 7th, 2007
- Report source and zone for denied AXFR attempts.
- More elegant handling of malformed nsec3 records from a zone
- Fixup ignored return value in region-allocator.
- Added bind2nsd 0.5.0 (http://bind2nsd.sourceforge.net) in
March 20th, 2007
- Fixed problem with reload waiting very long. If the OS has a
raging herd problem, NSD could block in a UDP operation and
that process would stop reload from finishing. Made UDP sockets
- Made TCP listen sockets nonblocking. NSD could block in
- Handle the new CERT RDATA types defined in RFC 4398
(submitted by Mans Nilsson).
- Fixed a bug where zonec would choke on unknown CERT RDATA
- Change nsd-notify retry timer from linear into exponential
backoff (submitted by Mans Nilsson).
- Debug flag (-d) behavior changed. Nsd now also forks
children when run in debug mode.
- Added verbosity mode (-V <level>) for extra operational
- zonesdir default is /etc/nsd. This can be overridden in
- if clients drop the tcp connection this does not result in a
logfile entry, unless verbosity is set 2 or more.
January 18th, 2007
- Added contrib/nsd.zones2nsd.conf python script to convert NSD 2
to NSD 3 config files, contributed by Stephane Bortzmeyer.
- The nsdc control script will print 'nsd startup failed' if the
nsd executable does not start (due to bad permissions, bad config,
- zonec will print an error when other data is put next to a
- Fixup unaligned memory access that could occur when reading
ixfr.db with a partial transfer inside.
- Fixup for the WKS RR type printout by nsd-patch and
- Error message 'could not read database CRC' now only given on
- ./configure --zonesdir=<directory for zone files>
now works to set a default value for the zonesdir: <dir> nsd.conf
directive. Set zonesdir: "" to disable the change of directory.
- Bug: reload crashes with log message 'continuing with old database',
and after that no more zone updates. Manual fix is to kill -HUP,
but now fixed in software to try to reload again (and again).
- Small speedup where xfrd could briefly be busy-waiting.
- If master sends IXFR with glue that is already present in
the zone this is silently accepted. Printed in debug mode -L 2. To make
the log file smaller.
- Exponential backoff for zones that never worked to max of 4
hours. For expired zones the SOA retry values are used.
- allow-notify acl entries 'NOKEY' match only queries without
- Answers to valid notifies contained wrong RR counts in the
header. The notifies were processed correctly, but now the
acknowledgement reply is in correct DNS format.
December 7th, 2006
- Bug #152: NSD would not use the identity from nsd.conf,
- Bug #153: When running with thousands of secondary zones, NSD
would run out of UDP sockets. Caused crash on FreeBSD, errors on Linux
('out of file descriptors'), depending on ulimits. Fixed.
- Fixed getaddrinfo error message to be more descriptive.
- Fallback to ip4 if getaddrinfo fails for ip6.
- Will no longer lose a notify message during reloads
- Will no longer lose transfer in progress when notified for that
- Nicer error when operator forgets to rebuild after deleting a
November 3rd, 2006
- Nice error from zonec on a wrong configuration zone
- Nicer warning from zonec when starting secondary zone with
no zone file for the first time.
- nsdc makes more portable use of 'which' (for
- Bug #143: Improved handling of zonesdir: directive and relative
pidfile, database, diff file, xfrdfile paths in nsdc.sh and
nsd-patch. They would not find the files.
- Bug #144: LOC RRtype default values for precision wrong.
- Bug #145: NSD failed to reload cases of simultaneous zone
- Bug #146: NSD fails to write to xfrdfile when chrooted. Fixed.
Also fix for difffile when chrooted.
- Bug #147: NSD runs out of memory. Fixed, memory is reused.
Occurred when running NSD with very big zones and large
- nsd -L 1 logging is smaller, -L 2 contains all debug information.
(only available for debug compiles).
- Bug #149: Fixed text for NOTAUTH error code. When notify is
not authorised REFUSED error code returned instead.
September 6th, 2006
- nsd-patch prints SOA record at start of zone files.
September 5th, 2006
- nsd-patch prints SOA record at start of zone
files: NSD requests but does not provide IXFR transfers; NSD keeps
track of SOA timeouts for secondary zones.
- TSIG authentication supported: For queries, for notifies, for
- NOTIFY messages of zone updates, incoming and
- DNAME type is supported, including CNAME synthesis.
- config file, nsd.conf(5), place to put TSIG keys, server
settings, and lists of ip-addresses/ranges for AXFR/IXFR and
- Prepared for NSEC3 (--enable-nsec3), experimental code for
testing in workshops.
- Prepared for NSID (--enable-nsid), experimental code for
testing in workshops.
- Contains all bug fixes from 2.3.5 and before.
- The sighandler() bug is fixed more thoroughly, by using pipes for
- CNAMEs are followed by the server to different zones and
information from that zone is returned. This saves a followup
- Bug fixes (ported) 2.3.6: nsd-notify will retry max 15 times 5
second retries; Bug #105: nsdc lacks locking, fixed locking for root
user; Bug #134: nsd: make -N <large number> work again; Bug #135:
Typo in locking code for nsdc, fixed; uninitialised variable fixed;
unaligned memory access (on Solaris SPARC), in zonec LOC parsing,
fixed; Bug #138: nsd aborts trying to bind all interfaces if ip6 is not
enabled, instead it will fallback to ip4; Bug #139: resync timer for
stats to whole minute; Bug #140: NSD did not clear CD bit on
authoritative answers; Bug #141: NSD did not clear flags on a formerror
- config file needed, nsd.conf(5) supersedes nsd.zones and
- AXFR transfers are denied by default. Allow in config
- Zones only become secondary with "request-xfr:" items in config
- NSD produces "ixfr.db" file with a journal of zone transfers.
Use nsdc patch to merge changes back to zone files and remake
- NSD produces "xfrd.state" file with zone timeout information.
The file is text formatted.
- NSD sends notifies automatically, nsd-notify is deprecated and
will be removed from the package.
- NSD requests AXFR/IXFR and reloads the updates automatically,
nsd-xfer is deprecated and will be removed from the package.
- Check your config file with nsd-checkconf.