305168 Commits

Author SHA1 Message Date
christos 811a4a0195 Import 4.8.0 (previous was 4.6.0)
29 November 2023: Wouter
	- Tag for 4.8.0rc1.

28 November 2023: Wouter
	- Set up doc/RELNOTES for upcoming release.
	- Fix unit test kill_from_pidfile function for nonexistent files
	  because the argument is evaluated before the test expression.
	- Fix rr-test to also convert the contents of the just written output
	  file.
	- Fix test set to remove -f nsd.db and rm nsd.db commands.
	- Fix test set to remove difffile option.

27 November 2023: Jeroen
	- Fix #14: Set timeout to 3s when servicing remaining TCP connections.
	- Fix: Always instate write handler after reading queries from TCP.
	- Answer first query on connections accepted just before reload.

27 November 2023: Wouter
	- Merge #305: faster stats. Statistics can be gathered while a reload
	  is in progress.

27 November 2023: Willem
	- Merge #302: Test package fixes. Correct Auxfiles, kill_from_pidfile
	  function and fix drop_updates, rr-test and xfr_update tests.

1 November 2023: Jeroen
	- Remove on-disk database.

31 October 2023: Wouter
	- Merge #301: improve the logging of ixfr fallbacks to axfr.

30 October 2023: Jeroen
	- Fix processing of consolidated IXFRs.

30 October 2023: Wouter
	- Fix for interprocess communication to set quit sync command from
	  main process explicitly.

3 October 2023: Wouter
	- Merge #281: Proxy protocol. An implementation of PROXYv2 for NSD.
	  It can be configured with proxy-protocol-port: portnum with the
	  port number of the interface on which proxy traffic is handled.
	  The interface can support proxy traffic for UDP, TCP and TLS.

21 September 2023: Wouter
	- Merge #295: Update e-mail addresses, add ref to support contracts

31 August 2023: Wouter
	- Fix autoconf 2.69 warnings in configure.

14 July 2023: Wouter
	- Merge #287: Update nsd.conf.5.in.

11 July 2023: Wouter
	- Fix unused variable warning in unit test of udb.

22 June 2023: Wouter
	- Fix #284: dnstap_collector.c: SOCK_NONBLOCK is not available on
	  Mac/Darwin.

7 June 2023: Wouter
	- Merge #282: Improve nsd.conf man page.
	- Fix unused but set variable warning.
	- Fix #283: Compile failure in remote.c when --disable-bind8-stats
	  and --without-ssl are specified.

31 May 2023: Wouter
	- Add missing items to doc/RELNOTES.
	- Tag for 4.7.0rc1. It became release 4.7.0 on 7 June 2023. The code
	  repository continues with 4.7.1.

30 May 2023: Jeroen
	- Fix #240: Prefix messages originating from verifier.
	- Fix #275: Drop unnecessary root server checks.

30 May 2023: Wouter
	- Next version is 4.7.0, instead of 4.6.2, because of the added
	  features, like TLS for DNSTAP.
	- Fix unused variable warning in unit test, from clang compile.

24 May 2023: Wouter
	- For #279: Note that autoreconf -fi creates the configure script
	  and also the needed auxiliary files, for autoconf 2.69 and 2.71.

4 May 2023: Wouter
	- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.

1 May 2023: Wouter
	- make depend.
	- Fix for build to run flex and bison before compiling code that needs
	  the headers.

13 April 2023: Wouter
	- Fix cirrus script for submit to coverity scan to libtoolize
	  the configure script components config.guess and config.sub.
	- Fix readme status badge links.

28 March 2023: Wouter
	- Fix #273: Large TXT record breaks AXFR.
	- Fix ixfr create from adding too many record types.

16 March 2023: Wouter
	- Fix include brackets for ssl.h include statements, instead of quotes.
	- Fix static analyzer warning about nsd_event_method initialization.

15 March 2023: Wouter
	- Dnstap tls code fixes.

14 March 2023: Wouter
	- Fix dnstap to not check socket path when using IP address.
	- dnstap over TLS, default enabled. Configured with the
	  options dnstap-tls, dnstap-tls-server-name, dnstap-tls-cert-bundle,
	  dnstap-tls-client-key-file and dnstap-tls-client-cert-file.
	- Fix to compile without ssl with dnstap-tls code.

9 March 2023: Wouter
	- Fix #271: DNSTAP over TCP, with dnstap-ip: "127.0.0.1@3333".
	- Fix to clean more memory on exit of dnstap collector.

23 February 2023: Wouter
	- Fix #270: reserved identifier violation.

20 February 2023: Wouter
	- Merge #269 from Fale: Add systemd service unit.

16 February 2023: Wouter
	- Fix #266: Fix build with --without-ssl.
	- Fix #267: Allow unencrypted local operation of nsd-control.
	- Fix for #267: neater variable definitions.

2 February 2023: Wouter
	- Merge #265: Fix C99 compatibility issue.

30 January 2023: Wouter
	- Merge #263: Add bash autocompletion script for nsd-control.
	- Fix for #262: More error logging for SSL read failures for zone
	  transfers.

27 January 2023: Wouter
	- Fix #262: Zone(s) not synchronizing properly via TLS.
	- Fix ixfr_and_restart test to wait for processes to come to a stop.

26 January 2023: Wouter
	- Fix configure for -Wstrict-prototypes.

10 November 2022: Wouter
	- Tag for NSD 4.6.1, the repository continues with version 4.6.2.
	- Fix #239: -Wincompatible-pointer-types warning in remote.c.
	- Fix unit tests to succeed with --disable-bind8-stats.

1 November 2022: Wouter
	- Fixup for non-trailing newline lexer change warnings.
	- Update doc/RELNOTES for changes.
	- Fix ixfr_gone unit test to not use system default zone list file.
	- Fix credns tests for vm usage, and not use system default zone
	  list file.
	- Fix verify tests to use more portable bash location in script.
	- Fix verify_again test to use ipv4 address for test.

1 November 2022: Tom
	- Add SVCB dohpath support

28 September 2022: Jeroen
	- Set ALPN "dot" token during connection establishment as per RFC9103
	  section 7.1 (Thanks Cesar Kuroiwa).

21 September 2022: Tom
	- Change zone parsing to accept non-trailing newline.

1 September 2022: Wouter
	- Merge #231 from moritzbuhl: Fix checking if nonblocking sockets work
	  on OpenBSD.

19 August 2022: Wouter
	- Update cirrus build script for newer Ubuntu image, and FreeBSD
	  build with libtoolize to install auxiliary files.
	- Update to clang 14 in cirrus build test on Ubuntu Jammy 22.04.

7 July 2022: Tom
	- Fix #212: Change commandline control actions to always log.

1 July 2022: Wouter
	- Fix static analyzer reports, fix wrong log print when skipping xfr,
	  fix to print error on pipe read fail, and assert an xfr is in
	  progress during packet checks.
2024-02-17 17:31:21 +00:00
martin f113ad40b3 PR 57941: remove duplicate declaration (copy+pasto) 2024-02-17 15:47:39 +00:00
christos 25d856e749 Fix MKREPRO build (Jan-Benedict Glaw) 2024-02-17 15:07:03 +00:00
christos 027b18981e Mention tzcode2024a 2024-02-17 14:57:02 +00:00
christos f22d611322 Sync with tzcode2024a:
Release 2024a - 2024-02-01 09:28:56 -0800

  Changes to code

    The FROM and TO columns of Rule lines can no longer be "minimum"
    or an abbreviation of "minimum", because TZif files do not support
    DST rules that extend into the indefinite past - although these
    rules were supported when TZif files had only 32-bit data, this
    stopped working when 64-bit TZif files were introduced in 1995.
    This should not be a problem for realistic data, since DST was
    first used in the 20th century.  As a transition aid, FROM columns
    like "minimum" are now diagnosed and then treated as if they were
    the year 1900; this should suffice for TZif files on old systems
    with only 32-bit time_t, and it is more compatible with bugs in
    2023c-and-earlier localtime.c.  (Problem reported by Yoshito
    Umaoka.)

    localtime and related functions no longer mishandle some
    timestamps that occur about 400 years after a switch to a time
    zone with a DST schedule.  In 2023d data this problem was visible
    for some timestamps in November 2422, November 2822, etc. in
    America/Ciudad_Juarez.  (Problem reported by Gilmore Davidson.)

    strftime %s now uses tm_gmtoff if available.  (Problem and draft
    patch reported by Dag-Erling Smørgrav.)

  Changes to build procedure

    The leap-seconds.list file is now copied from the IERS instead of
    from its downstream counterpart at NIST, as the IERS version is
    now in the public domain too and tends to be more up-to-date.
    (Thanks to Martin Burnicki for liaisoning with the IERS.)

  Changes to documentation

    The strftime man page documents which struct tm members affect
    which conversion specs, and that tzset is called.  (Problems
    reported by Robert Elz and Steve Summit.)
2024-02-17 14:54:47 +00:00
rillig f48e1c68b4 snprintb: convert macros to local functions
Let the compiler decide whether to inline the functions; allow stepping
through the code in a debugger.
2024-02-17 10:23:30 +00:00
mlelstv 8a59e07c42 Whitespace. 2024-02-17 09:08:21 +00:00
skrll dc3c095de0 Steal the sync operation descriptions from FreeBSD and improve other
wording in this area.

Inspired by jmcneill@
2024-02-17 08:27:46 +00:00
tsutsui fadaceb783 Fix another fatal typo that causes zskbd_cngetc() to stall as dzkbd.
Tested on my DEC 3000/300 and LK421.
Should be pulled up to netbsd-10 and netbsd-9.

XXX: sys/arch/vax/uba/qvkbd.c seems missed in the following lk201 changes:
 https://mail-index.netbsd.org/source-changes/2015/01/02/msg062024.html
2024-02-17 06:35:25 +00:00
uwe 02f7676d3a getnameinfo(3): fix/prettify markup 2024-02-16 22:50:33 +00:00
andvar bd86d05e3e Replace obsolete pv_dump() call with pmap_db_mdpg_print().
It was rewritten on rev 1.107, but not replaced with new implementation in
PMAP_PV_DEBUG guarded block.
2024-02-16 21:32:17 +00:00
rillig e8d4427725 snprintb: do not modify bufsize when producing multiple lines 2024-02-16 21:25:46 +00:00
rillig 0b94bf4814 snprintb: eliminate two local variables, allow zero-size buffer
Like snprintf, the buffer size may be zero. Unlike snprintf, the buffer
must not be NULL.
2024-02-16 19:53:40 +00:00
jkoshy 548a68cebb Remove obsolete code.
Per src/doc/CHANGES.prev support for the NI_WITHSCOPEID flag was removed
in NetBSD 1.6.
2024-02-16 19:32:38 +00:00
rillig 9d8f0ef5b5 snprintb: use size_t for buffer sizes and positions 2024-02-16 19:31:25 +00:00
rillig c277ab1882 snprintb: fix integer overflow when writing past a small buffer
Previously, snprintb returned -1 in this case, assuming that the
snprintf used in FMTSTR validates against an overly large buffer size.
2024-02-16 19:20:38 +00:00
rillig 8fe8a849c2 snprintb: use unsigned integers for parsing the bitfmt 2024-02-16 18:17:10 +00:00
rillig 9ec1abff9d tests/snprintb: fix test for 8-bit field value
The previous version tested the behavior on a platform with signed
'char' before the portability fix.
2024-02-16 18:13:47 +00:00
rillig 889b1738f6 snprintb: fix '=' and ':' for 8-bit values on platforms with signed char
Previously, '=' and ':' worked only on platforms where plain 'char' is
unsigned. On platforms where plain 'char' is signed, only 7-bit values
worked.
2024-02-16 18:09:15 +00:00
rillig 8548878b97 snprintb: eliminate a few local variables 2024-02-16 18:03:16 +00:00
rillig 798cb1a74f snprintb: rename local variables
The single-letter variables 't', 's', 'l' and 'c' were too hard to
decipher.

The variable 'f_len' was used for two independent purposes.

Use a narrow scope for some variables, to avoid having to keep track of
22 individual variables at the same time.

No binary change.
2024-02-16 17:42:49 +00:00
andvar b2b7d154b5 Fix closing bracket for strdisasm() function.
Fixes KOBJ_MACHDEP_DEBUG enabled build for aarch64.
2024-02-16 17:18:19 +00:00
skrll 790f4cb583 Retire BCM53XX_CONSOLE_EARLY in favour of EARLYCONS 2024-02-16 16:28:49 +00:00
skrll 040169d509 Test sc->sc_soft_ih (not sc->sc_ih) to see if the soft interrupt got
established correctly.

From Mori Hiroki.

Fix some error recovery while I'm here.
2024-02-16 15:40:09 +00:00
skrll 14ad16f026 Trailing whitespace 2024-02-16 15:11:17 +00:00
skrll dd6dd1a64b Fix non-DIAGNOSTIC build 2024-02-16 12:08:29 +00:00
jkoshy fbaf967b8e Note that the NI_WITHSCOPEID flag is obsolete. 2024-02-16 11:13:59 +00:00
rillig 64ace9d638 snprintb: clean up
Remove redundant parentheses and casts.

Indent statement-like macros consistently, use separate lines for each
statement, add parentheses to macro definitions.

Remove CONSTCOND comments as lint doesn't need them anymore.

No binary change.
2024-02-16 01:57:50 +00:00
rillig 935bb26983 tests/snprintb: clean up existing tests, add more tests
Due to the check that any bytes beyond the expected output must be
unmodified, there's no need anymore to explicitly write the "ZZZ" at the
end of the expected output. While here, remove the redundant trailing
"\0".

Add more tests to cover possible situations where an out-of-bounds write
may have occurred. In some cases, the line length specified in
snprintb_m is exceeded.
2024-02-16 01:19:53 +00:00
rillig 26844513e8 snprintb: fix string termination (since today)
In the previous commit, I had accidentally only run the tests for
snprintb_m but not those for snprintb, thereby missing a newly
introduced bug that would not null-terminate the resulting strings.

Add more tests to cover similar situations in which the buffer is too
small to contain the complete output.
2024-02-15 23:48:51 +00:00
rillig 6f937561f5 snprintb: rename buflen to bufsize, following the wording in snprintf 2024-02-15 22:48:58 +00:00
rillig 795d5f45da snprintb: fix out-of-bounds write 2024-02-15 22:37:10 +00:00
macallan 949bc4d76d blitter time!
everything except drawing characters is now done by hardware
next step - glyphcache
2024-02-15 16:17:32 +00:00
jkoshy 262fc961f4 Document the NI_NUMERICSCOPE flag.
PR lib/57832
2024-02-15 15:08:23 +00:00
rillig 1fb4457e9f tests/libutil/snprintb_m: add tests for small line length 2024-02-14 20:51:17 +00:00
nia 6025177e40 doc: Fix syntax 2024-02-14 19:20:29 +00:00
christos d231a5d255 sprinkle unused. 2024-02-14 18:00:02 +00:00
martin 4013f0cf31 PR 57927: when comparing old and new partition state during renumbering,
ignore differences in the install target flag - the backend might have
flipped it off already to ensure only a single partition is marked
as install target.
2024-02-14 13:52:11 +00:00
tsutsui 8de5b505c8 Use proper macro for return values and remove #if 0'ed out block.
Mostly from OpenBSD/vax. No binary changes.
2024-02-14 12:59:44 +00:00
tsutsui aec2656993 Fix a fatal typo that causes dzkbd_cngetc() to stall.
Should be pulled up to netbsd-10 and netbsd-9.
2024-02-14 12:49:47 +00:00
andvar 0a9a5be13b s/Enque/Enqueue/ in comment. 2024-02-13 21:40:02 +00:00
andvar 27b381f479 s/enqueing/enqueuing/ in debug messages (took a bait from recent Nick's commit)
s/occaision/occasion/ in comment.
2024-02-13 21:39:02 +00:00
skrll acd01736ee Define KERNEL_VOFFSET_RUNTIME=1 to fix build of BCM5301X and BCM56340 2024-02-13 19:07:42 +00:00
christos 74cc861970 https://www.phoronix.com/news/IWD-WPA-WiFi-Auth-Vulns
https://www.top10vpn.com/research/wifi-vulnerabilities/

PEAP client: Update Phase 2 authentication requirements

The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
 * 0 = do not require Phase 2 authentication
 * 1 = require Phase 2 authentication when client certificate
   (private_key/client_cert) is not used and TLS session resumption was
   not used (default)
 * 2 = require Phase 2 authentication in all cases
2024-02-13 18:43:45 +00:00
christos 2b27d363b9 Allow overriding the language standard to something newer. 2024-02-13 16:15:59 +00:00
christos 07c75f64fb Mention bind security patches 2024-02-13 15:40:28 +00:00
christos ed3bb99ed9 make things compile again. 2024-02-13 15:34:22 +00:00
nia b7765955d2 doc: Changes since 20/01 2024-02-13 15:28:41 +00:00
christos aaa4e2aabf Apply patch for CVE-2023-50387 and CVE-2023-50868:
No public information has been posted (that I can find)
2024-02-13 15:27:20 +00:00
christos f120c4bc4d Apply patch for CVE-2023-6516:
To keep its cache database efficient, `named` running as a recursive
resolver occasionally attempts to clean up the database. It uses
several methods, including some that are asynchronous: a small
chunk of memory pointing to the cache element that can be cleaned
up is first allocated and then queued for later processing. It was
discovered that if the resolver is continuously processing query
patterns triggering this type of cache-database maintenance, `named`
may not be able to handle the cleanup events in a timely manner.
This in turn enables the list of queued cleanup events to grow
infinitely large over time, allowing the configured `max-cache-size`
limit to be significantly exceeded. This issue affects BIND 9
versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.
2024-02-13 15:24:47 +00:00