Created attachment 196156 [details]
patch to upgrade
This version has a fix for a bug in resigning zones with different NSEC3
salt, where NSD would not pick up the NSEC3PARAM record, and serve
answers that omit NSEC3 records. NSD is now lenient and when
NSEC3PARAMs exist that point to nonworking NSEC3 chains, NSD attempts to
find an alternative NSEC3PARAM with NSEC3 records.
It is possible to use nsd-control over a command pipe, without using
TLS, by setting the name of the control socket file. Access permissions
on that file then act as the access control. No TLS is used, because it
is not network traffic, and this is likely faster.
Also systemd support is added for readiness signalling. Enabled with
- #4102: control interface via local socket.
configure it with control-interface: "/path/nsd.ctl" The path
has to start with a / to separate it from an IP address.
The local socket does not use SSL, but unencrypted traffic, use
file and containing directory permissions to restrict access.
- configure --enable-systemd (needs pkg-config and libsystemd) can
be used to then use-systemd: yes in nsd.conf and have readiness
signalling with systemd.
- RFC8162 support, for record type SMIMEA.
- Patch to fix openwrt for mac os build darwin detection in configure.
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.
- #4106: Fix that stats printed from nsd-control are recast from
unsigned long to unsigned (remote.c).
- Fix that type CAA (and URI) in the zone file can contain
dots when not in quotes.
- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
chain, NSD leniently attempts to find a working NSEC3PARAM.
A commit references this bug:
Date: Wed Aug 15 23:33:07 UTC 2018
New revision: 477296
dns/nsd: Update to 4.1.24
Submitted by: jaap@NLnetLabs.nl (maintainer)