[nsd-users] NSD 4.0.0 release

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Oct 29 14:06:52 UTC 2013


The release of NSD 4.0.0 is here (no changes from 4.0.0RC3):

SHA1: b3ebd669be8e830f62062d12be55242ca41da369
SHA256: 62608a409d0f68c9d8d4595031b9de9130ac02efe39733be5dee40d5a90e991c

=== NSD 4.0.0

NSD 4 is a major release from NSD 3.  It contains the same base DNS
response generation and DNSSEC support code.  The changes are in data
structures used and the file back-end.  These changes allow for more
performance and for more rapid changes in configuration.  NSD 4 can
handle more zones and more tcp connections.  NSD 4 can execute
NSEC3-IXFRs in time relative to the size of the IXFR (times logN for
the zone size).

NSD 4 can selectively read in modified zone files, with kill -HUP or
nsd-control reload.  This reread is performed by the daemon itself,
and this is faster than the zonec of all files that was previously done.

NSD 4 can also change configuration without a restart.  With
nsd-control configuration changes can be told to the daemon in
real-time, with addzone and delzone.  Or users can edit the nsd.conf
file and execute "nsd-control reconfig".  The nsd.conf file supports
include: statements and also new pattern: statements for grouping and
managing its contents.

The file backend is changed to a read/write nsd.db file that allows
for updates to the data files without 'nsd patch' clean up tasks.  NSD
4 has the RRL implementation that NSD3 has (ported to NSD4).

NSD4 is likely to use more memory than NSD3.  The new database file is
memory mapped, and the new NSEC3 code needs more memory too.  NSEC
zones do not require this extra memory.

Several blog articles have been written about NSD4:

NLnet Labs supports the NSD 4 software as it did for NSD 3.
End-of-support for NSD3 will be announced after we've gathered some
experience with NSD4; after the announcement we will continue to
support NSD3 for another year.

=== Packaging NSD 4.0

NSD 4 no longer has the 'nsdc' tool, and if you upgrade from NSD3 to
NSD4 you may have to delete that in the package script.  Instead, NSD4
can respond to kill -HUP to reread zone files, and kill -TERM to quit.
NSD4 can stay attached to the console (for some daemon management suites
this is useful), with the -d flag (it no longer forks away).

For the OpenDNSSEC signer, note that you have to change the
NotifyCommand: it may still use the old nsdc script, and you have to
change that to reload with kill -HUP or "nsd-control reload %zone".

The zonec and nsd-patch binaries are also no longer used.

nsd-control can be used for management tasks that involve notify and
zone transfer commands.  To set up nsd-control you need to set a flag in
the nsd.conf file and run nsd-control setup (as root, say) to generate
the necessary keys.

The config file is backwards compatible; you can use the NSD 3 config
file to start the NSD4 daemon - it serves the same zones.  NSD4 then
uses defaults for some file locations for new things, and ignores
settings that are deprecated.

If you installed a cron job with nsdc patch, this is no longer
necessary.  NSD4 does not write changed secondary zones to their zone
files by itself; you can do 'nsd-control write' to make that happen.

There is an example munin script in contrib/nsd_munin_ and similar cacti
scripts and so on can be created for statistics output.  This is
basically the same statistics that NSD3 had as BIND8-style statistics,
but then output from the nsd-control tool; and easily fed into other
scripts.  This can be used for a statistics package.

=== Details

- documented in doc/NSD-4-features. Change configuration without
  restart, direct nameserver control with nsd-control, support a
  higher number of zones. Higher performance (compared to NSD3).
- nsdc is gone. Use kill -HUP for reload (also checks if zonefiles
  have changed and rereads them), and kill -TERM for quit. Or use
  nsd-control for detailed control.
- cron job for nsdc patch is gone. nsd-control write creates zonefiles.
- nsd.db has a new format that compacts itself when it is changed,
  thus nsdc patch is no longer necessary.
- nsd.db is memory mapped, NSD needs (part of) that mmap in ram.
- tcp-count can go above 1000; epoll/kqueue support with libevent.
- nsd-control reconfig for updates with no restart (zones, keys, ..)
- nsd-control-setup to create keys for nsd-control (enable nsd-control
  with remote-control: yes in nsd.conf).

FEATURES (incremental from BETA5):
- configure --disable-recvmmsg for compat with older Linux kernels,
  by default it autodetects support in the kernel on the buildmachine.
- Fix time at 2038, uint32s changed to time_t, support 64bit time_t.
- Fix use of 32bit time, for 2038, thanks to Theo de Raadt for patch.

BUG FIXES (incremental from BETA5):
- Bugfix#518 Incorrect RRL prefix length option names in nsd.conf
  man page from Ville Mattila.
- Fix that xfrd, and nsd-control, does not stop responding when reload
  errors out. The pid is sent like it should by server_main.
- Fix that EOF in quoted string error does not cause reload to exit.
- Fixup errors from the stack code checker.
- Removed use of random when arc4random is available. Thus, random
  and srandom are then not linked with the executable.
- Fix segfault with no logfile and chroot.
- Fix IXFR handling, that was discovered in the RC1. More leniently
  handle uppercase in RRSIG and NSEC rdata, during IXFRs.  There is a
  fix as well as more detailed error logging for this case.
- Print slightly more human friendly TSIG errors and updated the
  manual page for the -d option for nsd.
- Fix (in rc3) where reconfig would not initialise zones that change
  from primary to secondary (due to config changes); those zones
  did not perform zone transfers right away, and they do now.

Best regards,
   Wouter Wijngaards
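
A packaging check for the migration points in the "Packaging NSD 4.0" section, added here as an example (it is not part of the original announcement or of the NSD distribution): it scans cron entries, package scripts or signer configuration for calls to the removed nsdc, zonec and nsd-patch tools and prints the replacement named in the announcement. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find leftover NSD 3 tooling in packaging files after moving to NSD 4.
# Tool names and replacements are from the announcement; the files to scan are
# supplied by the caller. The sample files below are constructed for illustration.

# Print one "file:line: advice" finding per stale reference in the given files.
nsd3_leftovers() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Whole-word match, so "nsd-control" and "nsd.conf" are not flagged.
        grep -nE '(^|[^[:alnum:]_-])(nsdc|zonec|nsd-patch)($|[^[:alnum:]_-])' "$f" |
        while IFS=: read -r lineno text; do
            case "$text" in
                *"nsdc patch"*) advice='remove; use "nsd-control write" to write zone files' ;;
                *nsdc*) advice='replace with kill -HUP / kill -TERM or nsd-control' ;;
                *) advice='zonec and nsd-patch are no longer used; remove the call' ;;
            esac
            printf '%s:%s: %s\n' "$f" "$lineno" "$advice"
        done
    done
    return 0
}

# Write constructed sample files (a cron entry and two OpenDNSSEC-style
# NotifyCommand lines) into directory $1.
write_samples() {
    printf '%s\n' '# constructed cron entry' \
        '0 3 * * * root /usr/sbin/nsdc patch' > "$1/cron.sample"
    printf '%s\n' '<NotifyCommand>/usr/sbin/nsdc reload</NotifyCommand>' \
        > "$1/signer-old.sample"
    printf '%s\n' '<NotifyCommand>/usr/sbin/nsd-control reload %zone</NotifyCommand>' \
        > "$1/signer-new.sample"
}

# Demo run over the constructed samples: two findings, the nsd-control line is clean.
tmp=$(mktemp -d)
write_samples "$tmp"
nsd3_leftovers "$tmp"/*.sample
rm -rf "$tmp"
```
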