Release of NSD 3.0.4

Wouter Wijngaards wouter at
Thu Jan 18 10:27:01 UTC 2007



NSD 3.0.4 is released today. This is a security and maintenance update.
I strongly encourage operators to upgrade NSD 3.x to this version.

Reasons to upgrade are a security fix in the ACL processing, where ACL
entries of NOKEY that received TSIG-signed notifies caused an outage. Also,
replies to notifies could contain wrong DNS header counts in the packet.
These two problems are fixed in NSD 3.0.4.

In the contrib directory you can find contributions from users: a spec
file to build RPMs and a Python script that converts NSD 2 primary and
secondary zones and TSIG info to an NSD 3 config file. The items in
contrib are not supported, but provided for your enjoyment :-)

Get NSD 3.0.4 here:
And SHA1 is:

Other notable changes in 3.0.4 are:
o zonec will print an error when other data is put next to a CNAME.
o Fixup unaligned memory access that could occur when reading ixfr.db
  with a partial transfer inside.
o Fixup for the WKS RR type printout by nsd-patch and nsd-xfer.
o Error message 'could not read database CRC' now only given on error.
o ./configure --zonesdir=<directory for zone files> now works to
  set a default value for the zonesdir: <dir> nsd.conf directive.
  Set zonesdir: "" to disable the change of directory.
o Bug: reload crashes with log message 'continuing with old database',
  and after that no more zone updates. Manual fix is to kill -HUP,
  but now fixed in software to try to reload again (and again).
o Small speedup where xfrd could briefly be busy-waiting.
o If the master sends an IXFR with glue that is already present in the
  zone, this is silently accepted, to make the log file smaller. It is
  printed in debug mode -L 2.
o Exponential backoff for zones that never worked to max of 4 hours.
  For expired zones the SOA retry values are used.
o allow-notify acl entries 'NOKEY' match only queries without TSIG.
o Answers to valid notifies contained wrong RR counts in the header.
  The notifies were processed correctly, but now the acknowledgement
  reply is in correct DNS format.
o Added contrib/nsd.zones2nsd.conf Python script to convert NSD 2 to
  NSD 3 config files, contributed by Stephane Bortzmeyer.
o The nsdc control script will print 'nsd startup failed' if the nsd
  executable does not start (due to bad permissions, bad config, ...).

Best regards,