Version: 4.3.4-bp152.2.3.1
* Tue Dec 01 2020 Michael Ströder <michael@stroeder.com>
- New upstream release 4.3.4
FEATURES:
- Merge PR #141: ZONEMD RR type.
BUG FIXES:
- Fix that symlink does not interfere with chown of pidfile
(bsc#1179191, CVE-2020-28935)
- Fix #129: ambiguous use of errno, in log message if sendmmsg fails.
- Fix #128: Fix that the invalid port number is logged for sendmmsg
failed: Invalid argument.
- Fix #127: two minor `-Wcast-qual` cleanups
- Fix #126: minor header hygiene
- Fix #125: include config.h in compat/setproctitle.c and fix
prototype of `setproctitle`
- Fix #133: fix 0-init of local ( stack ) buffer.
- Fix missing parenthesis on size of fix to init buffer.
- Fix #134: IPV4_MINIMAL_RESPONSE_SIZE vs EDNS_MAX_MESSAGE_LEN.
- Fix to add missing closest encloser NSEC3 for wildcard nodata type
DS answer.
- Remove unused init_cfg_parse routine from configlexer.
- Fix #138: NSD returns non-EDNS answer when QUESTION is empty.
- Fix #142: NODATA answers missin SOA in authority section after
CNAME chain.
* Thu Oct 08 2020 Michael Ströder <michael@stroeder.com>
- New upstream release 4.3.3
FEATURES:
- Follow DNS flag day 2020 advice and
set default EDNS message size to 1232.
- Merged PR #113 with fixes. Instead of listing an IP-address to
listen on, an interface name can be specified in nsd.conf, with
ip-address: eth0. The IP-addresses for that interface are then used.
- Port TSIG code for openssl 3.0.0-alpha6.
BUG FIXES:
- Fix make install with --with-pidfile="".
- Merge #115 from millert: Fix strlcpy() usage. From OpenBSD.
- Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find
fd_set - patch.
- Fix that configure checks for EVP_sha256 to detect openssl, because
HMAC_CTX_new is deprecated in 3.0.0.
- Fix #119: fix compile warnings from new gcc.
- Fix #119: warn when trying to parse a directory.
- Merge PR #121: Increase log level of recreated database from
WARNING to ERR.
- Remove unused space from LIBS on link line.
- Updated date in nsd -v output.
* Tue Jul 14 2020 Michael Ströder <michael@stroeder.com>
- New upstream release 4.3.2
FEATURES:
- Fix #96: log-only-syslog: yes sets to only use syslog, fixes
that the default configuration and systemd results in duplicate
log messages.
- Fix #107: nsd -v shows configure line, openssl version and libevent
version.
- Fix #103 with #110: min-expire-time option. To provide a lower
bound for expire period. Expressed in number of seconds or
refresh+retry+1.
BUG FIXES:
- Fix for posix shell syntax for trap in nsd-control-setup
- Fix to omit the listen-on lines from log at startup, unless verbose.
- Fix uninitialised values for bindtodevice option at startup with
reuseport and multiple interfaces.
- Fix #95: Removed make test check because tpkg not included in
release tarballs.
- Fix unused parameter compile warnings.
- Fix #97: EDNS unknown version: query not in response.
- Fix #99: Fix copying of socket properties with reuseport enabled.
- Document default value for tcp-timeout.
- Merge PR#102 from and0x000: add missing default in documentation
for drop-updates.
- Fix unlink of pidfile warning if not possible due to permissions,
nsd can display the message at high verbosity levels.
- Removed contrib/nsd.service, example is too complicated and not
useful.
- Do not log EAGAIN errors for sendmmsg, to stop log spam on OpenBSD.
- Merge #108 from Nomis: Make the max-retry-time description clearer.
- Retry when udp send buffer is full to wait until buffer space is
available.
- Remove errno reset behaviour from sendmmsg and recvmmsg
replacement functions.
- Fix unit test for different nsd-control-setup -h exit code.
- Merge #112 from jaredmauch: log old and new serials when NSD
rejects an IXFR due to an old serial number.
- Fix #106: Adhere better to xfrd bounds. Refresh and retry times.
- Fix #105: Clearing hash_tree means just emptying the tree.
Version: 4.3.4-8.1
* Tue Dec 01 2020 michael@stroeder.com
- New upstream release 4.3.4
FEATURES:
- Merge PR #141: ZONEMD RR type.
BUG FIXES:
- Fix that symlink does not interfere with chown of pidfile
(bsc#1179191, CVE-2020-28935)
- Fix #129: ambiguous use of errno, in log message if sendmmsg fails.
- Fix #128: Fix that the invalid port number is logged for sendmmsg
failed: Invalid argument.
- Fix #127: two minor `-Wcast-qual` cleanups
- Fix #126: minor header hygiene
- Fix #125: include config.h in compat/setproctitle.c and fix
prototype of `setproctitle`
- Fix #133: fix 0-init of local ( stack ) buffer.
- Fix missing parenthesis on size of fix to init buffer.
- Fix #134: IPV4_MINIMAL_RESPONSE_SIZE vs EDNS_MAX_MESSAGE_LEN.
- Fix to add missing closest encloser NSEC3 for wildcard nodata type
DS answer.
- Remove unused init_cfg_parse routine from configlexer.
- Fix #138: NSD returns non-EDNS answer when QUESTION is empty.
- Fix #142: NODATA answers missin SOA in authority section after
CNAME chain.
* Thu Oct 08 2020 michael@stroeder.com
- New upstream release 4.3.3
FEATURES:
- Follow DNS flag day 2020 advice and
set default EDNS message size to 1232.
- Merged PR #113 with fixes. Instead of listing an IP-address to
listen on, an interface name can be specified in nsd.conf, with
ip-address: eth0. The IP-addresses for that interface are then used.
- Port TSIG code for openssl 3.0.0-alpha6.
BUG FIXES:
- Fix make install with --with-pidfile="".
- Merge #115 from millert: Fix strlcpy() usage. From OpenBSD.
- Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find
fd_set - patch.
- Fix that configure checks for EVP_sha256 to detect openssl, because
HMAC_CTX_new is deprecated in 3.0.0.
- Fix #119: fix compile warnings from new gcc.
- Fix #119: warn when trying to parse a directory.
- Merge PR #121: Increase log level of recreated database from
WARNING to ERR.
- Remove unused space from LIBS on link line.
- Updated date in nsd -v output.
* Tue Jul 14 2020 michael@stroeder.com
- New upstream release 4.3.2
FEATURES:
- Fix #96: log-only-syslog: yes sets to only use syslog, fixes
that the default configuration and systemd results in duplicate
log messages.
- Fix #107: nsd -v shows configure line, openssl version and libevent
version.
- Fix #103 with #110: min-expire-time option. To provide a lower
bound for expire period. Expressed in number of seconds or
refresh+retry+1.
BUG FIXES:
- Fix for posix shell syntax for trap in nsd-control-setup
- Fix to omit the listen-on lines from log at startup, unless verbose.
- Fix uninitialised values for bindtodevice option at startup with
reuseport and multiple interfaces.
- Fix #95: Removed make test check because tpkg not included in
release tarballs.
- Fix unused parameter compile warnings.
- Fix #97: EDNS unknown version: query not in response.
- Fix #99: Fix copying of socket properties with reuseport enabled.
- Document default value for tcp-timeout.
- Merge PR#102 from and0x000: add missing default in documentation
for drop-updates.
- Fix unlink of pidfile warning if not possible due to permissions,
nsd can display the message at high verbosity levels.
- Removed contrib/nsd.service, example is too complicated and not
useful.
- Do not log EAGAIN errors for sendmmsg, to stop log spam on OpenBSD.
- Merge #108 from Nomis: Make the max-retry-time description clearer.
- Retry when udp send buffer is full to wait until buffer space is
available.
- Remove errno reset behaviour from sendmmsg and recvmmsg
replacement functions.
- Fix unit test for different nsd-control-setup -h exit code.
- Merge #112 from jaredmauch: log old and new serials when NSD
rejects an IXFR due to an old serial number.
- Fix #106: Adhere better to xfrd bounds. Refresh and retry times.
- Fix #105: Clearing hash_tree means just emptying the tree.
* Thu Apr 16 2020 michael@stroeder.com
- New upstream release 4.3.1
BUG FIXES:
- Fix #70: error: 'fd_set' undeclared.
- Fix #71: error: 'for' loop initial declaration used outside C99
mode.
- Fix to move declarations out of for loops in event test too.
- Fix #76: cpuid typedef for Hurd, DragonflyBSD compile.
- Fix #75: configure test for sched_setaffinity, and use
cpuset_setaffinity otherwise. Also test for presence of sysconf.
- Fix #74: GNU Hurd fix cast from pointer to integer of different size.
- Fix for #74, #75: cpuset test for header contents and provide code.
- Fix #78: Fix SO_SETFIB error on FreeBSD.
- Merge PR #83 from noloader: Fix GNU HURD sched_setaffinity compile.
- Fix #80: NetBSD and implicit declaration of reallocarray.
- Fix unknown u_long in util.c for Issue #80 .
- Merge PR #86 from noloader: Use precious variables for GREP, EGREP,
SED, AWK, LEX and YACC.
- For PR #86: Fix that programs loaded after CFLAGS and stuff is
set, specifically the compiler, so that it can work if it needs
special flags from that. Fix that lex only needs to support -i
if actually defined, otherwise the output included in the source
tarball can be used.
- Merge PR #90 by phicoh: O_CLOEXEC should be FD_CLOEXEC.
- Merge PR #92 by tonysgi: Fix typo.
- Merge PR #91 by gearnode: nsd-control-setup recreate certificates.
The '-r' option recreates certificates. Without it it creates them
if they do not exist, and does not modify them otherwise.
* Tue Mar 17 2020 michael@stroeder.com
- New upstream release 4.3.0
FEATURES:
- Fix to use getrandom() for randomness, if available.
- Fix #56: Drop sparse TSIG signing support in NSD.
Sign every axfr packet with TSIG, according to the latest
draft-ietf-dnsop-rfc2845bis-06, Section 5.3.1.
- Merge pull request #59 from buddyns: add FreeBSD support
for conf key ip-transparent.
- Add feature to pin server processes to specific cpus.
- Add feature to pin IP addresses to selected server processes.
- Set process title to identify individual processes.
- Merge PR#22: minimise-any: prefer polular and not large RRset,
from Daisuke Higashi.
- Add support for SO_BINDTODEVICE on Linux.
- Add support for SO_SETFIB on FreeBSD.
- Add feature to drop queries with opcode UPDATE.
BUG FIXES:
- Fix fname null check of fname in namedb_read_zonefile.
- Fix implicit cast of size in udb_radnode_array_grow.
- Fix ignore of return value of ssl_printf in remote.c.
- Fix unused check of fd in parent_handle_reload_command.
- Attempt to fix signedness of nscount lookup in ixfr query_process.
- Fix identical branches for ssl_print of errors in remote.c.
- Fix type cast bounds, signedness of opt_rdlen in edns_parse_record.
- Fix to separate header and data lines in parse_zone_list_file.
- Fix to define max number of EDNS records we are willing to
spend time on.
- Fix size of string len and capacity type cast in udbradtree.
- Fix to protect rrcount in tsig_find_rr from overflow.
- Annotate radix_find_prefix_node not reachable trail code.
- Fix to protect rrcount in packet_find_notify_serial from overflow.
- Fix to close socket on error in create_tcp_accept_sock.
- Fix to log on failure to chmod for socket for remote control.
- Fix to remove unneeded if in open of socket for remote control.
- Fix to restore input parameter on call failure in create_dirs.
- Please checker by terminating and initialising string read
by remote control.
- Fix to define upper bounds on rr counts read from untrusted packet
data.
- Separate acl_addr_match_range functions for ip4 and ip6, to
please checkers.
- Avoid unused variable warning in new match_range_v4 function.
- Fix whitespace in nsd.conf.sample.in, patch from Paul Wouters.
- use-systemd is ignored in nsd.conf, when NSD is compiled with
libsystemd it always signals readiness, if possible.
- Note that use-systemd is not necessary and ignored in man page.
- Fix unreachable code in ssl set options code.
- Fix bad shift in assertion code analyzer complaint.
- Fix responses for IXFR so that the authority section is not echoed
in the response.
- Merge PR#60: Minor portability fixes from michaelforney, with
avoid pointer arithmetic on void* and avoid unnecessary VLA.
- Fix that the retry wait does not exceed one day for zone transfers.
CHANGES:
- Set FD_CLOEXEC on opened sockets.
* Thu Dec 12 2019 adam.majer@suse.de
- Update keyring as per https://nlnetlabs.nl/people/
* Tue Dec 10 2019 michael@stroeder.com
- New upstream release 4.2.4
FEATURES:
- Fix #48: Add make distclean that removes config.h made by configure.
And add maintainer-clean that removes bison and flex output.
BUG FIXES:
- Detect fixed time memcmp for openssl 0.9.8 compatibility.
- Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
- include limits.h for UINT_MAX.
- If no recvmmsg, dont use msg_flags member, but errno for error,
where our fallback function left it, msg_flags also does not exist
on some systems.
- Remove unused variable warning for portability.
- Fix #52: do not log transient network full errors unless higher
verbosity is set.
- Fix regressions in configparser.y where global variables were not
set for minimal-responses, round-robin and log-time-ascii.
* Wed Nov 20 2019 adam.majer@suse.de
- New upstream release 4.2.3:
* confine-to-zone configures NSD to not return out-of-zone
additional information.
* pidfile "" allows to run NSD without a pidfile
* adds support for readiness notification with READY_FD
* fix excessive logging of ixfr failures, it stops the log when
fallback to axfr is possible. log is enabled at high verbosity.
* Fixup warnings during --disable-ipv6 compile.
* The nsd.conf includes are sorted ascending, for include statements
with a '*' from glob.
* Fix log address and failure reason with tls handshake errors,
squelches (the same as unbound) some unless high verbosity is used.
* Number of different UDP handlers has been reduced to one.
recvmmsg and sendmmsg implementations are now used on all platforms.
* Socket options are now set in designated functions for easy reuse.
* Socket setup has been simplified for easy reuse.
* Configuration parser is now aware of the context in which
an option was specified.
* document that remote-control is a top-level nsd.conf attribute.
- Remove legacy upgrade of nsd users in %post (boo#1157331)
* Sun Sep 08 2019 michael@stroeder.com
- New upstream release 4.2.2:
* Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
dname_concatenate() function. Reported by Frederic Cambus.
It causes the zone parser to crash on a malformed zone file,
with assertions enabled, an assertion catches it.
* Fix #19: Out-of-bounds read caused by improper validation of
array index. Reported by Frederic Cambus. The zone parser
fails on type SIG because of mismatched definition with RRSIG.
* PR #23: Fix typo in nsd.conf man-page.
* Fix that NSD warns for wrong length of the hash in SSHFP records.
* Fix #25: NSD doesn't refresh zones after extended downtime,
it refreshes the old zones.
* Set no renegotiation on the SSL context to stop client
session renegotiation.
* Fix #29: SSHFP check NULL pointer dereference.
* Fix #30: SSHFP check failure due to missing domain name.
* Fix to timeval_add in minievent for remaining second in microseconds.
* PR #31: nsd-control: Add missing stdio header.
* PR #32: tsig: Fix compilation without HAVE_SSL.
* Cleanup tls context on xfrd exit.
* Fix #33: Fix segfault in service of remaining streams on exit.
* Fix error message for out of zone data to have more information.
* Tue Jul 09 2019 michael@stroeder.com
- New upstream release 4.2.1:
* FEATURES:
- Added num.tls and num.tls6 stat counters.
- PR #12: send-buffer-size, receive-buffer-size,
tcp-reject-overflow options for nsd.conf, from Jeroen Koekkoek.
- Fix #14, tcp connections have 1/10 to be active and have to work
every second, and then they get time to complete during a reload,
this is a process that lingers with the old version during a version
update.
* BUG FIXES:
- Fix #13: Stray dot at the end of some log entries, removes dot
after updated serial number in log entry.
- Fix TLS cipher selection, the previous was redundant, prefers
CHACHA20-POLY1305 over AESGCM and was not as readable as it
could be.
- Consolidate server tls context create and remote control context
create, with hardening for the remote control tls context too.
- Fix to init event structure for reassignment.
- Fix to init event not pointer, in reassignment.
- Fix #15: crash in SSL library, initialize variables for TCP access
when TLS is configured.
- Fix tls handshake event callback function mistake, reported
by Mykhailo Danylenko.
- Initialize event structures before event_set, to stop uninitialized
values from setting event library lists and assertions, that would
sometimes also show after event_del.
- Do not use symbol from libc, instead use own replacement, if not
available, for accept4.
- Fix output of nsd-checkconf -h.
* Tue Jun 11 2019 amajer@suse.com
- New upstream release 4.2.0:
* Implement TCP fast open
* Added DNS over TLS
* TLS OCSP stapling support with the tls-service-ocsp option
* New option hide-identity can be used in nsd.conf to stop NSD
from responding with the hostname for probe queries that
elicit the chaos class response, this is conform RFC4892
* Disable TLS1.0, TLS1.1 and weak ciphers, enable CIPHER_SERVER_PREFERENCE
* Mon Mar 25 2019 michael@stroeder.com
- Update to upstream release 4.1.27:
* FEATURES:
- Deny ANY with only one RR in response, by default. Patch from
Daisuke Higashi. The deny-any statement in nsd.conf sets ANY
queries over UDP to be further moved to TCP as well.
Also no additional section processig for type ANY, reducing
the response size.
- Fix #4215: on-the-fly change of TSIG keys with patch from Igor, adds
nsd-control print_tsig, update_tsig, add_tsig, assoc_tsig
and del_tsig. These changes are gone after reload, edit the
config file (or a file included from it) to make changes that
last after restart.
* BUG FIXES:
- Fix #4213: disable-ipv6 and dnstap compile error.
- Fix to reduce region_log_stats if condition, this removes a
debug statement.
- Fix for FreeBSD port with dnstap enabled.
- Fix to remove unused code.
- Fix #6: nsd-control-setup: Change validity time to a shorter
period (<2038).
- Fix unused definition in header remote.h.
- Fix #4236: IPV4_MINIMAL_RESPONSE_SIZE=1480 is slightly too big.
- Fix #4235: IP_PMTUDISC_OMIT on IPv4/UDP sockets.
- Fixed radtree_insert memory leak.
- Fixed access recycled variable.
* Tue Dec 04 2018 michael@stroeder.com
- Update to upstream release 4.1.26:
* FEATURES:
- DNSTAP support for NSD, --enable-dnstap and then config in nsd.conf.
- Support SO_REUSEPORT_LB in FreeBSD 12 with the reuseport: yes
option in nsd.conf.
- Added nsd-control changezone. nsd-control changezone name pattern
allows the change of a zone pattern option without downtime for
the zone, in one operation.
* BUG FIXES:
- Fix #4194: Zone file parser derailed by non-FQDN names in RHS of
DNSSEC RRs.
- Fix #4202: nsd-control delzone incorrect exit code on error.
- Tab style fix to use tab for 8 spaces, from Xiaobo Liu.
- Fix #4205: enable-recvmmsg in mixed IPv4/IPv6 environment fails.
This sets the msg_hdr.msg_namelen correctly after receipt.
- Fix to not set GLOB_NOSORT so the nsd.conf include: files are
sorted and in a predictable order.
- Fix #3433: document that reconfig does not change per-zone stats.
* Tue Sep 25 2018 michael@stroeder.com
- Update to upstream release 4.1.25:
* FEATURES:
- nsd-control prints neater errors for file failures.
* BUG FIXES:
- Fix that nsec3 precompile deletion happens before the RRs of
the zone are deleted.
- Fix printout of accepted remote control connection for unix sockets.
- Fix use_systemd typo/leftover in remote.c.
- Fix codingstyle in nsd-checkconf.c in patch from Sharp Liu.
- append_trailing_slash has one implementation and is not repeated
differently.
- Fix coding style in nsd.c
- Fix to combine the same error function into one, from Xiaobo Liu.
- Fix initialisation in remote.c.
- please clang analyzer and fix parse of IPSECKEY with bad gateway.
- Fix nsd-checkconf fail on bad zone name.
- Annotate exit functions with noreturn.
- Remove unused if clause during server service startup.
- Fix #4156: Fix systemd service manager state change notification
When it is compiled, systemd readiness signalling is enabled.
The option in nsd.conf is not used, it is ignored when read.
Version: 4.3.1-bp152.1.1
* Thu Apr 16 2020 Michael Ströder <michael@stroeder.com>
- New upstream release 4.3.1
BUG FIXES:
- Fix #70: error: 'fd_set' undeclared.
- Fix #71: error: 'for' loop initial declaration used outside C99
mode.
- Fix to move declarations out of for loops in event test too.
- Fix #76: cpuid typedef for Hurd, DragonflyBSD compile.
- Fix #75: configure test for sched_setaffinity, and use
cpuset_setaffinity otherwise. Also test for presence of sysconf.
- Fix #74: GNU Hurd fix cast from pointer to integer of different size.
- Fix for #74, #75: cpuset test for header contents and provide code.
- Fix #78: Fix SO_SETFIB error on FreeBSD.
- Merge PR #83 from noloader: Fix GNU HURD sched_setaffinity compile.
- Fix #80: NetBSD and implicit declaration of reallocarray.
- Fix unknown u_long in util.c for Issue #80 .
- Merge PR #86 from noloader: Use precious variables for GREP, EGREP,
SED, AWK, LEX and YACC.
- For PR #86: Fix that programs loaded after CFLAGS and stuff is
set, specifically the compiler, so that it can work if it needs
special flags from that. Fix that lex only needs to support -i
if actually defined, otherwise the output included in the source
tarball can be used.
- Merge PR #90 by phicoh: O_CLOEXEC should be FD_CLOEXEC.
- Merge PR #92 by tonysgi: Fix typo.
- Merge PR #91 by gearnode: nsd-control-setup recreate certificates.
The '-r' option recreates certificates. Without it it creates them
if they do not exist, and does not modify them otherwise.
* Tue Mar 17 2020 Michael Ströder <michael@stroeder.com>
- New upstream release 4.3.0
FEATURES:
- Fix to use getrandom() for randomness, if available.
- Fix #56: Drop sparse TSIG signing support in NSD.
Sign every axfr packet with TSIG, according to the latest
draft-ietf-dnsop-rfc2845bis-06, Section 5.3.1.
- Merge pull request #59 from buddyns: add FreeBSD support
for conf key ip-transparent.
- Add feature to pin server processes to specific cpus.
- Add feature to pin IP addresses to selected server processes.
- Set process title to identify individual processes.
- Merge PR#22: minimise-any: prefer polular and not large RRset,
from Daisuke Higashi.
- Add support for SO_BINDTODEVICE on Linux.
- Add support for SO_SETFIB on FreeBSD.
- Add feature to drop queries with opcode UPDATE.
BUG FIXES:
- Fix fname null check of fname in namedb_read_zonefile.
- Fix implicit cast of size in udb_radnode_array_grow.
- Fix ignore of return value of ssl_printf in remote.c.
- Fix unused check of fd in parent_handle_reload_command.
- Attempt to fix signedness of nscount lookup in ixfr query_process.
- Fix identical branches for ssl_print of errors in remote.c.
- Fix type cast bounds, signedness of opt_rdlen in edns_parse_record.
- Fix to separate header and data lines in parse_zone_list_file.
- Fix to define max number of EDNS records we are willing to
spend time on.
- Fix size of string len and capacity type cast in udbradtree.
- Fix to protect rrcount in tsig_find_rr from overflow.
- Annotate radix_find_prefix_node not reachable trail code.
- Fix to protect rrcount in packet_find_notify_serial from overflow.
- Fix to close socket on error in create_tcp_accept_sock.
- Fix to log on failure to chmod for socket for remote control.
- Fix to remove unneeded if in open of socket for remote control.
- Fix to restore input parameter on call failure in create_dirs.
- Please checker by terminating and initialising string read
by remote control.
- Fix to define upper bounds on rr counts read from untrusted packet
data.
- Separate acl_addr_match_range functions for ip4 and ip6, to
please checkers.
- Avoid unused variable warning in new match_range_v4 function.
- Fix whitespace in nsd.conf.sample.in, patch from Paul Wouters.
- use-systemd is ignored in nsd.conf, when NSD is compiled with
libsystemd it always signals readiness, if possible.
- Note that use-systemd is not necessary and ignored in man page.
- Fix unreachable code in ssl set options code.
- Fix bad shift in assertion code analyzer complaint.
- Fix responses for IXFR so that the authority section is not echoed
in the response.
- Merge PR#60: Minor portability fixes from michaelforney, with
avoid pointer arithmetic on void* and avoid unnecessary VLA.
- Fix that the retry wait does not exceed one day for zone transfers.
CHANGES:
- Set FD_CLOEXEC on opened sockets.
* Thu Dec 12 2019 Adam Majer <adam.majer@suse.de>
- Update keyring as per https://nlnetlabs.nl/people/
* Tue Dec 10 2019 Michael Ströder <michael@stroeder.com>
- New upstream release 4.2.4
FEATURES:
- Fix #48: Add make distclean that removes config.h made by configure.
And add maintainer-clean that removes bison and flex output.
BUG FIXES:
- Detect fixed time memcmp for openssl 0.9.8 compatibility.
- Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
- include limits.h for UINT_MAX.
- If no recvmmsg, dont use msg_flags member, but errno for error,
where our fallback function left it, msg_flags also does not exist
on some systems.
- Remove unused variable warning for portability.
- Fix #52: do not log transient network full errors unless higher
verbosity is set.
- Fix regressions in configparser.y where global variables were not
set for minimal-responses, round-robin and log-time-ascii.
* Wed Nov 20 2019 Adam Majer <adam.majer@suse.de>
- New upstream release 4.2.3:
* confine-to-zone configures NSD to not return out-of-zone
additional information.
* pidfile "" allows to run NSD without a pidfile
* adds support for readiness notification with READY_FD
* fix excessive logging of ixfr failures, it stops the log when
fallback to axfr is possible. log is enabled at high verbosity.
* Fixup warnings during --disable-ipv6 compile.
* The nsd.conf includes are sorted ascending, for include statements
with a '*' from glob.
* Fix log address and failure reason with tls handshake errors,
squelches (the same as unbound) some unless high verbosity is used.
* Number of different UDP handlers has been reduced to one.
recvmmsg and sendmmsg implementations are now used on all platforms.
* Socket options are now set in designated functions for easy reuse.
* Socket setup has been simplified for easy reuse.
* Configuration parser is now aware of the context in which
an option was specified.
* document that remote-control is a top-level nsd.conf attribute.
- Remove legacy upgrade of nsd users in %post (boo#1157331)
* Sun Sep 08 2019 Michael Ströder <michael@stroeder.com>
- New upstream release 4.2.2:
* Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
dname_concatenate() function. Reported by Frederic Cambus.
It causes the zone parser to crash on a malformed zone file,
with assertions enabled, an assertion catches it.
* Fix #19: Out-of-bounds read caused by improper validation of
array index. Reported by Frederic Cambus. The zone parser
fails on type SIG because of mismatched definition with RRSIG.
* PR #23: Fix typo in nsd.conf man-page.
* Fix that NSD warns for wrong length of the hash in SSHFP records.
* Fix #25: NSD doesn't refresh zones after extended downtime,
it refreshes the old zones.
* Set no renegotiation on the SSL context to stop client
session renegotiation.
* Fix #29: SSHFP check NULL pointer dereference.
* Fix #30: SSHFP check failure due to missing domain name.
* Fix to timeval_add in minievent for remaining second in microseconds.
* PR #31: nsd-control: Add missing stdio header.
* PR #32: tsig: Fix compilation without HAVE_SSL.
* Cleanup tls context on xfrd exit.
* Fix #33: Fix segfault in service of remaining streams on exit.
* Fix error message for out of zone data to have more information.
* Tue Jul 09 2019 Michael Ströder <michael@stroeder.com>
- New upstream release 4.2.1:
* FEATURES:
- Added num.tls and num.tls6 stat counters.
- PR #12: send-buffer-size, receive-buffer-size,
tcp-reject-overflow options for nsd.conf, from Jeroen Koekkoek.
- Fix #14, tcp connections have 1/10 to be active and have to work
every second, and then they get time to complete during a reload,
this is a process that lingers with the old version during a version
update.
* BUG FIXES:
- Fix #13: Stray dot at the end of some log entries, removes dot
after updated serial number in log entry.
- Fix TLS cipher selection, the previous was redundant, prefers
CHACHA20-POLY1305 over AESGCM and was not as readable as it
could be.
- Consolidate server tls context create and remote control context
create, with hardening for the remote control tls context too.
- Fix to init event structure for reassignment.
- Fix to init event not pointer, in reassignment.
- Fix #15: crash in SSL library, initialize variables for TCP access
when TLS is configured.
- Fix tls handshake event callback function mistake, reported
by Mykhailo Danylenko.
- Initialize event structures before event_set, to stop uninitialized
values from setting event library lists and assertions, that would
sometimes also show after event_del.
- Do not use symbol from libc, instead use own replacement, if not
available, for accept4.
- Fix output of nsd-checkconf -h.
* Tue Jun 11 2019 Adam Majer <amajer@suse.com>
- New upstream release 4.2.0:
* Implement TCP fast open
* Added DNS over TLS
* TLS OCSP stapling support with the tls-service-ocsp option
* New option hide-identity can be used in nsd.conf to stop NSD
from responding with the hostname for probe queries that
elicit the chaos class response, this is conform RFC4892
* Disable TLS1.0, TLS1.1 and weak ciphers, enable CIPHER_SERVER_PREFERENCE
Version: 4.1.27-bp151.1.1
* Mon Mar 25 2019 Michael Ströder <michael@stroeder.com>
- Update to upstream release 4.1.27:
* FEATURES:
- Deny ANY with only one RR in response, by default. Patch from
Daisuke Higashi. The deny-any statement in nsd.conf sets ANY
queries over UDP to be further moved to TCP as well.
Also no additional section processig for type ANY, reducing
the response size.
- Fix #4215: on-the-fly change of TSIG keys with patch from Igor, adds
nsd-control print_tsig, update_tsig, add_tsig, assoc_tsig
and del_tsig. These changes are gone after reload, edit the
config file (or a file included from it) to make changes that
last after restart.
* BUG FIXES:
- Fix #4213: disable-ipv6 and dnstap compile error.
- Fix to reduce region_log_stats if condition, this removes a
debug statement.
- Fix for FreeBSD port with dnstap enabled.
- Fix to remove unused code.
- Fix #6: nsd-control-setup: Change validity time to a shorter
period (<2038).
- Fix unused definition in header remote.h.
- Fix #4236: IPV4_MINIMAL_RESPONSE_SIZE=1480 is slightly too big.
- Fix #4235: IP_PMTUDISC_OMIT on IPv4/UDP sockets.
- Fixed radtree_insert memory leak.
- Fixed access recycled variable.
* Tue Dec 04 2018 Michael Ströder <michael@stroeder.com>
- Update to upstream release 4.1.26:
* FEATURES:
- DNSTAP support for NSD, --enable-dnstap and then config in nsd.conf.
- Support SO_REUSEPORT_LB in FreeBSD 12 with the reuseport: yes
option in nsd.conf.
- Added nsd-control changezone. nsd-control changezone name pattern
allows the change of a zone pattern option without downtime for
the zone, in one operation.
* BUG FIXES:
- Fix #4194: Zone file parser derailed by non-FQDN names in RHS of
DNSSEC RRs.
- Fix #4202: nsd-control delzone incorrect exit code on error.
- Tab style fix to use tab for 8 spaces, from Xiaobo Liu.
- Fix #4205: enable-recvmmsg in mixed IPv4/IPv6 environment fails.
This sets the msg_hdr.msg_namelen correctly after receipt.
- Fix to not set GLOB_NOSORT so the nsd.conf include: files are
sorted and in a predictable order.
- Fix #3433: document that reconfig does not change per-zone stats.
* Tue Sep 25 2018 Michael Ströder <michael@stroeder.com>
- Update to upstream release 4.1.25:
* FEATURES:
- nsd-control prints neater errors for file failures.
* BUG FIXES:
- Fix that nsec3 precompile deletion happens before the RRs of
the zone are deleted.
- Fix printout of accepted remote control connection for unix sockets.
- Fix use_systemd typo/leftover in remote.c.
- Fix codingstyle in nsd-checkconf.c in patch from Sharp Liu.
- append_trailing_slash has one implementation and is not repeated
differently.
- Fix coding style in nsd.c
- Fix to combine the same error function into one, from Xiaobo Liu.
- Fix initialisation in remote.c.
- please clang analyzer and fix parse of IPSECKEY with bad gateway.
- Fix nsd-checkconf fail on bad zone name.
- Annotate exit functions with noreturn.
- Remove unused if clause during server service startup.
- Fix #4156: Fix systemd service manager state change notification
When it is compiled, systemd readiness signalling is enabled.
The option in nsd.conf is not used, it is ignored when read.
* Mon Aug 13 2018 michael@stroeder.com
- Update to upstream release 4.1.24:
- Features
* #4102: control interface via local socket
* configure --enable-systemd (needs pkg-config and libsystemd) can be
used to then use-systemd: yes in nsd.conf and have readiness signalling
with systemd.
* RFC8162 support, for record type SMIMEA.
- Bug Fixes
* Patch to fix openwrt for mac os build darwin detection in configure.
* Fix that first control-interface determines if TLS is used.
Warn when IP address interfaces are used without TLS.
* #4106: Fix that stats printed from nsd-control are recast from
unsigned long to unsigned (remote.c).
* Fix that type CAA (and URI) in the zone file can contain dots
when not in quotes.
* #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM chain,
NSD leniently attempts to find a working NSEC3PARAM.
* Mon Jul 30 2018 michael@stroeder.com
- Update to upstream release 4.1.23:
- Fix NSD time sensitive TSIG compare vulnerability.
* Tue Jul 03 2018 michael@stroeder.com
- Update to upstream release 4.1.22:
- Features:
* refuse-any sends truncation (+TC) in reply to ANY queries
over UDP, and allows TCP queries like normal.
* Use accept4 to speed up answer of TCP queries
- Bug fixes:
* Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.
* Fix to use same condition for nsec3 hash allocation and free.
- Changes in version 4.1.21:
- Features:
* --enable-memclean cleans up memory for use with memory checkers,
eg. valgrind.
* refuse-any nsd.conf option that refuses queries of type ANY.
* lower memory usage for tcp connections, so tcp-count can be
higher.
- Bug fixes:
* Fix spelling error in xfr-inspect.
* Fix buffer size warnings from compiler on filename lengths.
Version: 4.1.19-2.1
* Mon Feb 19 2018 adam.majer@suse.de
- Own missing ownership for %_tmpfilesdir
* Fri Feb 16 2018 adam.majer@suse.de
- More specfile cleanup:
+ Drop SysV support from package (and hence usage of fillup)
+ Don't redefine %_rundir
+ Drop useless BuildRequires on systemd-devel
* Mon Feb 12 2018 jengelh@inai.de
- Check group existence before creating it, for real.
- Stop deleting users from the system, it might remove a legitimate
user that nsd unfortunately shared its name with.
* Mon Feb 12 2018 adam.majer@suse.de
- Create a system user, not a regular user
- Check if user/group already exists and are in system range
- Do not ignore return values from user/group creation
- Own the config zones directory
* Mon Feb 05 2018 adam.majer@suse.de
- drop insserv requires on SLE12+ and openSUSE
- nsd-lintrpmrc: drop most overrides
- don't install config file as sample
- switch to using user/group names _nsd to match expected names
as per recent rpmlint changes as not to conflict with admin
created names.
- update and change current owner during upgrade
* Tue Jan 02 2018 michael@stroeder.com
- update to 4.1.19 with the following bug fixes:
* ignore fallthrough compiler warning in flex EOF rule.
* Fix warnings emitted by clang for --enable-packed. Alignment is not
a problem for x86_64, don't enable packed when the platform
requires aligned access.
* Fix spelling error in xfr-inspect.
* Fix 3392: Fix regression in 4.1.18 for notify lists with ip4
and ip6 targets.
* Thu Nov 30 2017 michael@stroeder.com
- update to 4.1.18
- Features
* xfr-inspect, it is not installed, it prints xfr files from /tmp made
with 'make xfr-inspect' in the source dir.
* retry timeout between sending notifies dropped from 15 to 3 sec.
* NSD sends 16 notifies simultaneously.
* configure --enable-packed reduces memory usage, at expense of unaligned
reads. Saves about 17%.
* Save memory by selectively allocate precompiled nsec3 hashes, saves
about 16% memory.
* make ip-transparent option work on OpenBSD.
* Save about 2% memory by changing usage count size in name tree.
* Fix #2871: Increase number of sockets for xfrd transfers.
- Bugfixes
* Fix gcc 7.1.1 warnings.
* Fix writev compile warning on FreeBSD.
* Fix #1446: A corrupted zone file "propagates" to good ones.
* nsd-control zonestatus prints wait time between attempts, for zones
that are in that waiting time.
* Fix collision printout of nsec3 to print name, hash and reverse.
* Fix #1567: Change crit to err log level for gettimeofday failure. Add
defines for compile without syslog.
* Fix crash for DS query when parent and child zones both configured in
nsd.conf and parent zone has not loaded properly.
* Mon Sep 04 2017 michael@stroeder.com
- update to 4.1.17
- Features
* zone parser parses type AVC (it has TXT format).
* Fix #1272: use writev to put tcp length field with data for
outgoing zone transfer requests.
- Bugfixes
* Fix potential null pointer in nsec3 adjustment tree.
* Fix text format of deletes for CDS and CDNSKEY, single 0 to
represent empty base64 or hex string.
* Mon May 08 2017 michael@stroeder.com
- update to 4.1.16
- Features
* zone parser can parse acronyms for algorithms ED25519 and ED448.
* Fix 1243: Option to make NSD emit really minimal responses,
minimal-responses: yes in nsd.conf.
- Bugfixes
* Calculate new udb index after growing the array, fix from Chaofeng Liu.
* Fix missing _t to _type conversion for disable-radix-tree option.
* Printout serial error with hint it may be too big.
* Fix 1228: OpenSSL include is not guarded with HAVE_SSL
* Patch for expire state in multi-master when masters includes broken
master, from Manabu Sonoda.
* minor manpage fix.
* Mon Apr 24 2017 michael@stroeder.com
- update to 4.1.15
* Fix nsd-control and ipv6 only.
* Squelch zone transfer error address family not supported by protocol at
low verbosity levels.
* Fix #1195: Fix so that NSD fails on non-compliant values for Serial.
* Fix to rename _t typedefs because POSIX reserves them.
* Fix that nsec3 hash collisions only reported on verbosity level 3.
* Fri Jan 13 2017 michael@stroeder.com
- update to 4.1.14
- Features
* Fix #1132 for SERVFAIL zones perform backoff, and remembers the timeout
on next startup.
- Bugfixes
* Fix null memcpy for radixtree with single link element.
* Robust fix against missing master in tcp_open for xfrd.
* Fix wildcards in include: config statements with chroot enabled.
* suppress compile warning in lex files.
* Fix to try every master once, then wait for timeout or notify.
* Save backoff timeout into xfrd.state file, this file has a higher
version number now. Old files are skipped silently (causes refresh) and
created as new files upon exit.
* Fix restart of zone transfers when new config becomes available.
* Tue Oct 11 2016 adam.majer@suse.de
- fix tmpfiles-nsd.conf to point to /run instead of /var/run
- add nsd-rpmlintrc to not display some bogus errors
- put log files into /var/log/nsd/
- put sample config in documentation directory
- update to 4.1.13
- FEATURES
- multi-master-check: yes can be used to check all masters for
the last version, using the higher version from the
configured masters
- Support RR type OPENPGPKEY from RFC 7929.
- Can config key algorithms with the digest name, eg. 'sha256'.
- configure --disable-radix-tree for about 15% lower memory
usage.
- for type SRV add A/AAAA to the additional section (if
possible), just like we already do for type MX.
- more extensible edns option handling.
- When tcp is more than half full, use short timeout for tcp
session.
- Patch for {max,min}-{refresh,retry}-time
- Fix #790: size-limit-xfr can stop NSD from downloading
infinite zone transfer data size, from Toshifumi Sakaguchi.
Fixes CVE-2016-6173f
- BUGFIXES
- Fix compile warnings about unused result from write and
strtol. and signcompare in minmax retrytime.
- Fix #812: fix that make depend fails after distribution.
- Fix #817: xfrd update failed loop.
- Add robustness against unallocated data in nsec3 trees.
- Fix README spelling error of BSD license
- Fix multimaster for not tried full zone transfer for a
expired zone.
- Fix #827: fix compile with openssl 1.1.0 with api=1.1.0.
- Fix malformed edns query assertion failure
- Fix build without IPv6, patch from Zdenek Kaspar.
- Fix #783: Trying to run a root server without having
configured it silently gives wrong answers.
- Fix #782: Serve DS record but parent zone has no NS record.
- Fix nsec3 missing for nsec3 signed parent and child for DS at
zonecut.
* Mon Aug 08 2016 adam.majer@suse.de
- reword description and summary
- add signature file and basic keyring (currently only contains
signature of the released version since upstream doesn't seem
to distribute a real keyring)
- remove redundant nsec3 configure option which are enabled by default
- remove obsolete --enable-draft-rrtypes configure
* Wed Jun 29 2016 mrueckert@suse.de
- update to 4.1.10
- FEATURES:
- ip-freebind: yesno option in nsd.conf sets IP_FREEBIND socket
option for Linux, binds to interfaces and addresses that are
down.
- NSD includes AAAA before A for queries over IPV6 (in
delegations). And TC is set if no glue can be provided with
a delegation because of packet size.
- print notice that nsd is starting before taking off.
- BUG FIXES:
- Fix for openssl 1.1.0, HMAC_CTX size not exported from
openssl.
- Fix #751: NSD fails to occlude names below a DNAME.
- If set without nsd.db print "" as the default in the man
pages.
- Fix #755: NSD spins after a zone update and a lot of TCP
queries.
- Fix for NSEC3 with zone signed without exact match for empty
nonterminals, the answer for that domain gets closest
encloser.
- #772 Document that recvmmsg has IPv6 problems on some linux
kernels.
* Tue May 10 2016 mrueckert@suse.de
- update to 4.1.9
- Change the nsd.db file version because of nanosecond precision
fix.
- changes from 4.1.8
- #732: tcp-mss, outgoing-tcp-mss options for nsd.conf, patch
from Daisuke Higashi.
- #739: zonefile changes when mtime is small are detected on
reload, if filesystem supports precision mtime values.
- RR type CSYNC (RFC7477) syntax is supported.
- take advantage of arc4random_uniform if available, patch from
Loganaden Velvindron.
- Fix flto check for OSX clang.
- Define _DEFAULT_SOURCE with _BSD_SOURCE for glibc 2.20 on
Linux.
- Fix #736: segfault during zone transfer.
- Fix #744: Fix that NSD replies for configured but unloaded zone
with SERVFAIL, not REFUSED.
* Tue Dec 29 2015 mrueckert@suse.de
- update to 4.1.7
- support configure --with-dbfile="" for nodb mode by default,
where there is no binary database, but nsd reads and writes
zonefiles.
- reuseport: no is the default, because the feature is not
troublefree.
- configure --enable-ratelimit-default-is-off with
- -enable-ratelimit to set the default ratelimit to disabled but
available in nsd.conf.
- version: "string" option to set chaos version query reply
string.
- Fix zones updates from nsd parent event loop when there are a
lot of interfaces.
- portability fixes.
- patch from Doug Hogan for SSL_OP_NO_SSLvx options, for the new
defaults in the ssl libraries.
- updated contrib/nsd.spec, from Bálint Szigeti, with new
configure options.
- Allocate less memory for TSIG digest.
- Fix #721: Fix wrong error code (FORMERR) returned for unknown
opcode. NOTIMP expected.
- Fix zonec ttl mismatch printout to include more information.
- Fix TCP responses when REUSEPORT is in use by turning it off.
- Document default in manpage for rrl-slip, ip4 and 6
prefixlength.
- Explain rrl-slip better in documentation.
- Document that ratelimit qps and slip are updated in reconfig.
- Fix up defaults in manpage.
* Thu Nov 26 2015 mrueckert@suse.de
- enable zone stats
* Wed Nov 25 2015 mrueckert@suse.de
- update to 4.1.6
- Fix compile of zonec error message on FreeBSD.
- nsd-checkconf warns for master zones with no zonefile
statement.
- Fix start failure when many file descriptors are in use.
- The servfail rcode is not printed with a space in the middle.
- fixup file descriptor fixup nicer.
- print failed token for config syntax error or parse error.
- Fix #711: Document that debug-mode yes is used for staying
attached to the supervisor console.
- Document verbosity 3 prints more information.
- makedist.sh print on pgp signature creation.
- Fix typo in zonec.c inside error message.
- Fix #701: Fix that AD=1 set in a BADVERS response.
- Fix #706: default port 53 not opened on ip4 because of
getaddrinfo hints initialisation failure.
- Fix #698 formatting errors and typos in nsd.8.in.
- Add --enable-pie and --enable-relro-now options.
- Admitted axfrs are logged at verbosity 1. Refused at verbosity
2.
- Fixed checkconf test for reuseport setting.
- SO_REUSEPORT does not work on FreeBSD. Enabled by default on
Linux, not enabled by default on other OSes.
- Fix that notify from nsd-control contains soa serial.
- squelch SO_REUSEPORT failure on verbosity less than 3.
- removed hardcoded interface limit, --with-max-ips removed.
- SO_REUSEPORT support.
- Fix #618: documented need to list ip-addresses seperately in
nsd.conf if there are multiple, because the source address of
replies can otherwise go wrong.
- Fix that for expired zones NSD performs an AXFR and accepts
newer and older serial numbers.
- Document that minimal responses only minimizes responses to fit
in one datagram. It does not minimize smaller responses.
- Fix NSID response for short edns sizes.
- Trunk contains 4.1.4 in development.
- improve nsd-control usage text. (23 june - added to 4.1.3)
- RFC7553 RR Type URI support.
- Fix redefined macro lex warning for freebsd flex.
- Fix that formerrors are ratelimited.
- max-interfaces raised to 32.
- removed unused defines for unofficial tsig-hmac algorithm
codes. The TSIG algorithm is identified by name in the config
file.
- hmac sha224, sha384 and sha512 support, patch from David
Gwynne.
- Fix crash in zone parser for relative dname after error in
origin.
- Test for zone parser failures
- nsd-control addzones and delzones read list of zones from
stdin.
- Fix task and zonestat files to be stored in a subdirectory in
tmp to stop privilege elevation.
- printout names for successful addition and removal with bulk
command.
- Fix #665: when removing subdomain, nsd does not reparse parent
zone.
- trunk contains 4.1.3(upcoming).
- Made log message more consistent, changed 'axfr refused' log
message to be more consistent with other messages. Also notify
refused.
- verbosity 2 logs axfr refused and notify refused. verbosity 1
contains less log messages.
- Fix #654: Fix contradiction in notify logging verbosity level.
- Incoming notifies have serial number logged (at verbosity 1).
- Fix #655: Fix contradiction in verbosity for zone transfers.
- Use reallocarray for integer overflow protection, patch
submitted by Loganaden Velvindron.
- Fix allocation integer overflow checks.
- Fix buffer overflow in config parse of domain name, reported by
John Van de Meulebrouck Brendgard.
- Updated default keylength in nsd-control-setup to 3k.
- Fix use after free after zonefile syntax error followed by ttl
or origin directive, reported by John Van de Meulebrouck
Brendgard.
- Fix syntax error followed by too many TXT elements parse crash
reported by John Van de Meulebrouck Brendgard.
- Fix origin directive from unused old value and subdomain parser
failure, reported by John Van de Meulebrouck Brendgard.
- Fix b64pton out of bounds error on invalid zonefile input
reported by John Van de Meulebrouck Brendgard.
- Fix segfault on double origin in zone reader (thanks John Van
de Meulebrouck Brendgard).
- Remove dead code domain_table_iterate.
- Fix segfault in zone reader on invalid input reported by John
Van de Meulebrouck Brendgard.
- Fix #642: Change 'zone read with no errors' to '.. with
success'. Patch from Benedikt Heine.
* Tue Oct 13 2015 michael@stroeder.com
- ignore absence of the systemd-tmpfiles command
* Wed Mar 11 2015 mrueckert@suse.de
- update to 4.1.1
- RFC 7344: CDS and CDNSKEY (read record types).
- per zone statistics with --enable-zone-stats, config zone with
zonestats: "name", zones configured with the same string are
added.
- Disabled use of SSLv3 in nsd-control.
- nsd-checkconf -f prints out full name of pidfile (with dir).
- Synthesize CNAMEs with same TTL as DNAME.
- Fix that expired zones stay expired after a server restart.
- Fix "xfrd_handle_ipc: bad mode" log errors when compiled with
- -disable-bind8-stats.
- Fix #616: retry xfer for zones with no content after command.
- Fix char used as array index warnings on NetBSD.
- Fix that queries for noname CH TXT are REFUSED instead of
nodata.
- Fixes for wildcard addition and deletion, speedup for some
cases.
- Fix that failure to add tcp to tcp base does not leak the
socket.
- Patch nsd_munin_ from Philip Paeps to use type ABSOLUTE.
- Fix spinning NSD with lots of failing transfers, due to pointer
comparison using void pointer subtraction (from Otto Moerbeek).
- Fix bug#637: fix that nsd.db grows limitlessly, an off by one
on one megabyte free chunks, created during AXFRs of large
zones, that caused the one megabyte chunk to be leaked.
- Fix casts for ctype functions (from Todd Miller).
- correct some hyphen-used-as-minus-sign (from Andreas Schulze)
in man pages.
- Fix zonesdir chroot error message.