From wouter at nlnetlabs.nl  Tue Dec  4 11:20:31 2018
From: wouter at nlnetlabs.nl (Wouter Wijngaards)
Date: Tue, 4 Dec 2018 12:20:31 +0100
Subject: [nsd-users] NSD 4.1.26 released
Message-ID: <262364a4-3e0b-79a3-5825-f75311e48a94@nlnetlabs.nl>

Hi,

NSD 4.1.26 is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.1.26.tar.gz
sha256 9f8a41431d21034d64b9a910567b201636521b64b6a9947390bf898388dc15f4
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.1.26.tar.gz.asc

This version has DNSTAP support (https://dnstap.info). Use
--enable-dnstap for ./configure to turn it on, then in nsd.conf enable
the dnstap feature with dnstap-enable: yes and set one or more of
dnstap-log-..-messages to yes. And set the dnstap socket path in the
config.

The reuseport: yes config option in nsd.conf on FreeBSD 12 can use the
SO_REUSEPORT_LB option that performs performance load balancing.

The changezone command for nsd-control allows to change the pattern
associated with a zone without downtime for the zone, in one operation.
It is otherwise just like a delete and an add for that zone.

4.1.26
================
FEATURES:
- DNSTAP support for NSD, --enable-dnstap and then config in nsd.conf.
- Support SO_REUSEPORT_LB in FreeBSD 12 with the reuseport: yes option
  in nsd.conf.
- Added nsd-control changezone. nsd-control changezone name pattern
  allows the change of a zone pattern option without downtime for the
  zone, in one operation.

BUG FIXES:
- Fix #4194: Zone file parser derailed by non-FQDN names in RHS of
  DNSSEC RRs.
- Fix #4202: nsd-control delzone incorrect exit code on error.
- Tab style fix to use tab for 8 spaces, from Xiaobo Liu.
- Fix #4205: enable-recvmmsg in mixed IPv4/IPv6 environment fails.
  This sets the msg_hdr.msg_namelen correctly after receipt.
- Fix to not set GLOB_NOSORT so the nsd.conf include: files are sorted
  and in a predictable order.
- Fix #3433: document that reconfig does not change per-zone stats.

Best regards,
Wouter

From bortzmeyer at nic.fr  Wed Dec 19 15:37:17 2018
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Wed, 19 Dec 2018 16:37:17 +0100
Subject: [nsd-users] NSD and RFC 8482 (ANY queries)
Message-ID: <20181219153717.t7yvhmo2ondohk65@nic.fr>

Internet Draft draft-ietf-dnsop-refuse-any-07, soon RFC 8482, claims
that "An implementation of the subset-mode response to ANY queries was
implemented in NSD 4.1 in 2016." It is not clear to me how it is
implemented. I see in the code:

    if(q->qtype == TYPE_ANY && nsd->options->refuse_any && !q->tcp) {
        TC_SET(q->packet);
        return query_error(q, NSD_RC_OK);
    }

and in the documentation:

    .B refuse\-any:\fR
    Refuse queries of type ANY. This is useful to stop query floods
    trying to get large responses. Note that rrl ratelimiting also has
    type ANY as a ratelimiting type. It sends truncation in response to
    UDP type ANY queries, and it allows TCP type ANY queries like
    normal. The default is no.

Code and documentation seem to agree. But sending TC is not one of the
three possibilities accepted by the RFC when you don't like ANY (the
future RFC says the opposite: "the TC bit SHOULD NOT be set on the
response").

Am I right in this assessment? Is there a plan to adapt NSD to the RFC?

From daisuke.higashi at gmail.com  Wed Dec 19 15:51:20 2018
From: daisuke.higashi at gmail.com (Daisuke HIGASHI)
Date: Thu, 20 Dec 2018 00:51:20 +0900
Subject: [nsd-users] NSD and RFC 8482 (ANY queries)
In-Reply-To: <20181219153717.t7yvhmo2ondohk65@nic.fr>
References: <20181219153717.t7yvhmo2ondohk65@nic.fr>

Hi,

I posted a (very simple) patch implementing draft-00 spec (answers
subset of available RRsets) to nsd-users mailing list in 2016. But it
was not included in mainline.

https://open.nlnetlabs.nl/pipermail/nsd-users/2016-February/002234.html

I don't know whether "NSD implementation" noted in draft-07 corresponds
to my patch.

Stephane Bortzmeyer :

> Internet Draft draft-ietf-dnsop-refuse-any-07, soon RFC 8482, claims
> that "An implementation of the subset-mode response to ANY queries was
> implemented in NSD 4.1 in 2016." It is not clear to me how it is
> implemented. I see in the code
>
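
Added example (not part of the thread and not NSD code): a C classifier for the reply a server gives to a UDP query of type ANY. It tells the truncation reply that refuse-any produces apart from a synthesized HINFO answer, which is one of the responses RFC 8482 describes. The function and enum names are hypothetical, and the two sample replies are constructed bytes, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum any_verdict { ANY_MALFORMED, ANY_TRUNCATED, ANY_EMPTY, ANY_HINFO, ANY_RRSETS };
static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Skip one wire-format name starting at off; return the offset after it, 0 on error. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t c = m[off];
        if (c == 0) return off + 1;               /* root label ends the name */
        if ((c & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0; /* pointer ends it */
        if (c & 0xC0) return 0;                   /* reserved label types */
        off += 1 + (size_t)c;                     /* ordinary label: length + bytes */
    }
    return 0;                                     /* ran off the end of the buffer */
}

/* Classify the reply to a query that the caller sent with QTYPE ANY (hypothetical helper). */
enum any_verdict classify_any_response(const uint8_t *m, size_t len)
{
    size_t off = 12;                              /* fixed DNS header size */
    if (len < 12 || !(m[2] & 0x80)) return ANY_MALFORMED;   /* QR must be set */
    if (m[2] & 0x02) return ANY_TRUNCATED;        /* TC set: what refuse-any sends on UDP */
    for (unsigned q = rd16(m + 4); q > 0; q--) {  /* skip QDCOUNT questions, if any */
        off = skip_name(m, len, off);
        if (off == 0 || off + 4 > len) return ANY_MALFORMED;
        off += 4;                                 /* QTYPE + QCLASS */
    }
    if (rd16(m + 6) == 0) return ANY_EMPTY;       /* ANCOUNT == 0 */
    off = skip_name(m, len, off);                 /* owner name of the first answer RR */
    if (off == 0 || off + 10 > len) return ANY_MALFORMED;   /* type, class, TTL, rdlength */
    return rd16(m + off) == 13 ? ANY_HINFO : ANY_RRSETS;    /* 13 = HINFO */
}

/* Constructed sample replies (not captured traffic). */
static const uint8_t SAMPLE_TC[12] = { 0x12,0x34, 0x82,0x00, 0,0, 0,0, 0,0, 0,0 };
static const uint8_t SAMPLE_HINFO[] = {
    0x12,0x34, 0x84,0x00, 0,1, 0,1, 0,0, 0,0,     /* header: QR and AA set, TC clear */
    7,'e','x','a','m','p','l','e',0, 0,255, 0,1,  /* question: example. ANY IN */
    0xC0,0x0C, 0,13, 0,1, 0,0,0x0E,0x10, 0,9,     /* answer: HINFO IN, TTL 3600 */
    7,'R','F','C','8','4','8','2', 0 };           /* CPU "RFC8482", empty OS */
int main(void)
{
    printf("TC sample: %d, HINFO sample: %d\n", classify_any_response(SAMPLE_TC, sizeof SAMPLE_TC),
           classify_any_response(SAMPLE_HINFO, sizeof SAMPLE_HINFO));
    return 0;
}
```

The TC test comes before the question section is parsed, so a header-only truncated reply is classified as well.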