[nsd-users] NSD 3.2.15 released (+RRL)

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Feb 4 14:37:35 UTC 2013


Dear NSD users,

Here is the release candidate for NSD 3.2.15. This comes with ILNP
support, NSD-RRL and different TSIG initialization (it fails if it can't
find any suitable algorithms, instead of can't find 'one of the'). Plus
some bugfixes.

The NSD-RRL implementation is based on the work by Vixie and Schryver.
However, because of the code-diversity argument that is at the basis of
NSD work but also because of specifics of the NSD architecture, it is an
independent implementation.

The implementation shares the main ideas that prevent false positives:
the fallback to TCP and a fine-grained (albeit different) query
classification mechanism. See
https://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/ for some of the
details.

RRL is not enabled by default. Although we are confident about code
stability, did extensive testing, and performed a usual beta-release
cycle which gave the code exposure, the methodology is rather new and
there is relatively little operational experience. You can enable RRL
with the build option '--enable-ratelimit':

    $ ./configure --enable-ratelimit

We advise prudent monitoring. Within NSD one can monitor RRL being
turned on or off for specific query patterns when verbosity is set to
level 2 or higher.

Best regards,
  Matthijs

link: http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.15.tar.gz
sha1: e31a81ab7877422b34e1f163f9509cd93f395664


NSD RELEASE NOTES

3.2.15
================

FEATURES:
- Support for ILNP RR types: NID, L32, L64, LP (RFC6742).
- RRL, --enable-ratelimit at configure time and config options.
- TSIG initialization only fails when there is no digest found
  at all.

BUG FIXES:
- Bugfix #478: Declaration after statement (for gcc 2.95).
- Bugfix #483: Better error message in case of TSIG error.
- Bugfix #485: TTL should not be greater than 2^31 - 1.
- Fix RCODE when CNAME loop final answer does not exist, should
  return NXDOMAIN as stated by RFC 6604.
- Fix --disable-full-prehash bug, where after multiple incoming
  IXFRs, NSEC3 can be removed unjustified.

