Bug 257413

Summary: dns/nsd: Update to 4.3.7
Product: Ports & Packages
Reporter: Jaap Akkerhuis <jaap>
Component: Individual Port(s)
Assignee: Neel Chauhan <nc>
Status: Closed FIXED
Severity: Affects Only Me
CC: nc
Priority: ---
Version: Latest
Hardware: Any
OS: Any
URL: https://www.nlnetlabs.nl/news/2021/Jul/22/nsd-4.3.7-released/
Attachments: patch to update (flags: jaap: maintainer-approval+)

Description Jaap Akkerhuis 2021-07-25 13:04:16 UTC
Created attachment 226678: patch to update

This release fixes a crash in dnstap. New features are XoT, which
provides AXFR and IXFR over TLS, DNS Cookies support, and SVCB and
HTTPS RR type support.

For zone transfer, TLS can be turned on by specifying the tls-auth-name
in the request-xfr config option, like

    request-xfr: 192.0.2.1 NOKEY ns.example.com

With the tls-cert-bundle option, in the server section, the list of
certificates for authenticating the transfers over TLS can be configured.

The DNS cookies can be turned on or off with the answer-cookie option,
and instead of a randomly generated secret, for anycast or loadbalanced
deployment, the secret can be configured with cookie-secret or
cookie-secret-file and rollover of the cookie secret can be performed
with the nsd-control commands add_cookie_secret, activate_cookie_secret
and drop_cookie_secret, using the cookie-secret-file.

The SVCB and HTTPS RR type support means that in zone files the syntax
for these RR types can be used and is written when a zone is downloaded.
In previous versions the unknown RR type support code provided a
fallback syntax in zone files and on the wire functionality for these types.

Compared to the pre-release version there are a couple of small bugfixes in
the final release version, notably a fix for failure to compile without
IPv6.

4.3.7
================
FEATURES:
- Syntax of SVCB and HTTPS RR type as per draft-ietf-dnsop-svcb-https
- Client side DNS Zone Transfer-over-TLS (XoT) support as per
  draft-ietf-dprive-xfr-over-tls
- Interoperable DNS Cookies support as per RFC7873 and RFC9018

BUG FIXES:
- Fix for #170: Fix build warnings when IPv6 is disabled.
- Fix #170: Disabled IPv6 and DNSTAP enabled triggers a build error.
- Fix for #128: Skip over sendmmsg invalid argument when port is zero.
- Fix #171: Invalid negative response (NSEC3) after IXFR.
- Fix to make nsec3_chain_find_prev return NULL if one nsec3 left.
- Fix #174: NS Records below delegation are not ignored (nsd-checkzone
  also does not raise any issue).
- Fix #176: please review Loglevel on missing zonefile.
- Update the ACX_CHECK_NONBLOCKING_BROKEN test for the configure
  script.
- Fix #179: log notice and server-count.
- Update configure nonblocking test to use host.
- Fix #168: Buffer overflow in the dname_to_string() function
- Fixes for child server processes getting out of sync with the
  dnstap-collector process
- Fix gcc-11 warning on array bounds.
- Fix compile of cookies on FreeBSD without IPv6.
- Fix for loop initial declaration for nonc99 compiler
- Fix typo in xfrd-tcp.c.
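The XoT and DNS Cookies options described above, put together in one nsd.conf fragment. This is an added example, not part of the bug report or the NSD project; the file paths, the zone name, the `@853` port suffix on the primary address and the cookie secret value are assumptions or constructed placeholders.

```conf
server:
    # CA bundle used to validate the primary's certificate when pulling
    # zones over TLS (assumed FreeBSD path; adjust to your trust store)
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

    # Answer with DNS Cookies (RFC 7873 / RFC 9018)
    answer-cookie: yes
    # Without cookie-secret / cookie-secret-file every instance invents its
    # own random secret, so in an anycast or load-balanced deployment a
    # cookie issued by one node is rejected by the next.  A shared, persisted
    # secret file keeps cookies valid across nodes and restarts.
    # (assumed path; the file is also what nsd-control rollover writes to)
    cookie-secret-file: "/usr/local/etc/nsd/nsd_cookiesecrets.txt"

zone:
    name: "example.com"                      # constructed zone name
    zonefile: "example.com.zone"
    # Pull AXFR/IXFR over TLS.  The third field (tls-auth-name) is the name
    # the primary's certificate must match; the @853 port suffix is assumed
    # to point at the primary's TLS listener.
    request-xfr: 192.0.2.1@853 NOKEY ns.example.com
    allow-notify: 192.0.2.1 NOKEY

# Cookie secret rollover, run on every node with the same new 128-bit hex
# secret (value below is a constructed placeholder, not a real secret):
#   nsd-control add_cookie_secret 00112233445566778899aabbccddeeff
#       -> staged; cookies made with it are accepted, not yet issued
#   nsd-control activate_cookie_secret
#       -> new secret issues cookies; the previous one is still accepted
#   nsd-control drop_cookie_secret
#       -> retire the old secret once clients have refreshed their cookies
```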
Comment 1 Neel Chauhan 2021-07-25 23:54:51 UTC
Committed!
Comment 2 commit-hook 2021-07-25 23:55:13 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=32e5367ddd1f9b3a9fb686328a0266042af55406

commit 32e5367ddd1f9b3a9fb686328a0266042af55406
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2021-07-25 23:53:00 +0000
Commit:     Neel Chauhan <nc@FreeBSD.org>
CommitDate: 2021-07-25 23:54:32 +0000

    dns/nsd: Update to 4.3.7

    Changes: https://www.nlnetlabs.nl/news/2021/Jul/22/nsd-4.3.7-released/

    PR:     257413

 dns/nsd/Makefile                    |   3 +-
 dns/nsd/distinfo                    |   6 +-
 dns/nsd/files/patch-nsd.c (gone)    |  33 -------
 dns/nsd/files/patch-server.c (gone) | 167 ------------------------------------
 4 files changed, 4 insertions(+), 205 deletions(-)