head	1.3;
access;
symbols
	netbsd-11-0-RC4:1.2
	netbsd-11-0-RC3:1.2
	netbsd-11-0-RC2:1.2
	netbsd-11-0-RC1:1.2
	nsd-4-14-0:1.1.1.7
	perseant-exfatfs-base-20250801:1.2
	netbsd-11:1.2.0.6
	netbsd-11-base:1.2
	netbsd-10-1-RELEASE:1.2
	perseant-exfatfs-base-20240630:1.2
	perseant-exfatfs:1.2.0.4
	perseant-exfatfs-base:1.2
	netbsd-8-3-RELEASE:1.1.1.1
	netbsd-9-4-RELEASE:1.1.1.4
	netbsd-10-0-RELEASE:1.2
	netbsd-10-0-RC6:1.2
	netbsd-10-0-RC5:1.2
	nsd-4-8-0:1.1.1.6
	netbsd-10-0-RC4:1.2
	netbsd-10-0-RC3:1.2
	netbsd-10-0-RC2:1.2
	netbsd-10-0-RC1:1.2
	netbsd-10:1.2.0.2
	netbsd-10-base:1.2
	nsd-4-6-0:1.1.1.6
	netbsd-9-3-RELEASE:1.1.1.4
	cjep_sun2x-base1:1.1.1.6
	cjep_sun2x:1.1.1.6.0.4
	cjep_sun2x-base:1.1.1.6
	cjep_staticlib_x-base1:1.1.1.6
	netbsd-9-2-RELEASE:1.1.1.4
	cjep_staticlib_x:1.1.1.6.0.2
	cjep_staticlib_x-base:1.1.1.6
	nsd-4-3-5:1.1.1.6
	netbsd-9-1-RELEASE:1.1.1.4
	phil-wifi-20200421:1.1.1.5
	phil-wifi-20200411:1.1.1.5
	is-mlppp:1.1.1.5.0.2
	is-mlppp-base:1.1.1.5
	phil-wifi-20200406:1.1.1.5
	netbsd-8-2-RELEASE:1.1.1.1
	netbsd-9-0-RELEASE:1.1.1.4
	netbsd-9-0-RC2:1.1.1.4
	nsd-4-2-4:1.1.1.5
	netbsd-9-0-RC1:1.1.1.4
	phil-wifi-20191119:1.1.1.4
	netbsd-9:1.1.1.4.0.2
	netbsd-9-base:1.1.1.4
	phil-wifi-20190609:1.1.1.4
	netbsd-8-1-RELEASE:1.1.1.1
	nsd-4-1-27:1.1.1.4
	netbsd-8-1-RC1:1.1.1.1
	nsd-4-1-26:1.1.1.3
	pgoyette-compat-merge-20190127:1.1.1.2.2.1
	pgoyette-compat-20190127:1.1.1.3
	pgoyette-compat-20190118:1.1.1.3
	pgoyette-compat-1226:1.1.1.3
	pgoyette-compat-1126:1.1.1.3
	pgoyette-compat-1020:1.1.1.3
	pgoyette-compat-0930:1.1.1.3
	pgoyette-compat-0906:1.1.1.3
	nsd-4-1-24:1.1.1.3
	pgoyette-compat-0728:1.1.1.2
	netbsd-8-0-RELEASE:1.1.1.1
	phil-wifi:1.1.1.2.0.4
	phil-wifi-base:1.1.1.2
	pgoyette-compat-0625:1.1.1.2
	netbsd-8-0-RC2:1.1.1.1
	pgoyette-compat-0521:1.1.1.2
	pgoyette-compat-0502:1.1.1.2
	pgoyette-compat-0422:1.1.1.2
	netbsd-8-0-RC1:1.1.1.1
	pgoyette-compat-0415:1.1.1.2
	pgoyette-compat-0407:1.1.1.2
	pgoyette-compat-0330:1.1.1.2
	pgoyette-compat-0322:1.1.1.2
	pgoyette-compat-0315:1.1.1.2
	pgoyette-compat:1.1.1.2.0.2
	pgoyette-compat-base:1.1.1.2
	nsd-4-1-19:1.1.1.2
	matt-nb8-mediatek:1.1.1.1.0.12
	matt-nb8-mediatek-base:1.1.1.1
	perseant-stdc-iso10646:1.1.1.1.0.10
	perseant-stdc-iso10646-base:1.1.1.1
	netbsd-8:1.1.1.1.0.8
	netbsd-8-base:1.1.1.1
	prg-localcount2-base3:1.1.1.1
	prg-localcount2-base2:1.1.1.1
	prg-localcount2-base1:1.1.1.1
	prg-localcount2:1.1.1.1.0.6
	prg-localcount2-base:1.1.1.1
	pgoyette-localcount-20170426:1.1.1.1
	bouyer-socketcan-base1:1.1.1.1
	pgoyette-localcount:1.1.1.1.0.4
	pgoyette-localcount-20170320:1.1.1.1
	bouyer-socketcan:1.1.1.1.0.2
	bouyer-socketcan-base:1.1.1.1
	nsd-4-1-14:1.1.1.1
	NLNETLABS:1.1.1;
locks; strict;
comment	@% @;


1.3
date	2026.01.15.21.35.18;	author christos;	state Exp;
branches;
next	1.2;
commitid	OUSWSLJXBJWxfxqG;

1.2
date	2022.09.24.17.38.17;	author christos;	state Exp;
branches;
next	1.1;
commitid	nZ2AQnhH6JMGN8VD;

1.1
date	2017.01.07.19.42.00;	author christos;	state Exp;
branches
	1.1.1.1;
next	;
commitid	6nrLM8GsvcVnx4Bz;

1.1.1.1
date	2017.01.07.19.42.00;	author christos;	state Exp;
branches
	1.1.1.1.4.1;
next	1.1.1.2;
commitid	6nrLM8GsvcVnx4Bz;

1.1.1.2
date	2018.02.09.16.52.54;	author christos;	state Exp;
branches
	1.1.1.2.2.1
	1.1.1.2.4.1;
next	1.1.1.3;
commitid	SjCNqSalUwAUNcqA;

1.1.1.3
date	2018.09.03.11.29.32;	author christos;	state Exp;
branches;
next	1.1.1.4;
commitid	YxtTlFbRA3kxoEQA;

1.1.1.4
date	2019.05.25.19.44.44;	author christos;	state Exp;
branches;
next	1.1.1.5;
commitid	tP6mZQ0ZZFpYDCoB;

1.1.1.5
date	2019.12.15.16.00.56;	author christos;	state Exp;
branches;
next	1.1.1.6;
commitid	kfJnnxVCu4ZUQOOB;

1.1.1.6
date	2021.03.15.18.38.58;	author christos;	state Exp;
branches;
next	1.1.1.7;
commitid	ys5NuoZlZmxG3rLC;

1.1.1.7
date	2026.01.15.21.02.29;	author christos;	state Exp;
branches;
next	;
commitid	eP3mMjgnyB4G2xqG;

1.1.1.1.4.1
date	2017.01.07.19.42.00;	author pgoyette;	state dead;
branches;
next	1.1.1.1.4.2;
commitid	jjw7cAwgyKq7RfKz;

1.1.1.1.4.2
date	2017.03.20.06.56.05;	author pgoyette;	state Exp;
branches;
next	;
commitid	jjw7cAwgyKq7RfKz;

1.1.1.2.2.1
date	2018.09.06.06.51.49;	author pgoyette;	state Exp;
branches;
next	;
commitid	HCi1bXD317XIK0RA;

1.1.1.2.4.1
date	2019.06.10.21.51.11;	author christos;	state Exp;
branches;
next	1.1.1.2.4.2;
commitid	jtc8rnCzWiEEHGqB;

1.1.1.2.4.2
date	2020.04.08.14.04.08;	author martin;	state Exp;
branches;
next	;
commitid	Qli2aW9E74UFuA3C;


desc
@@


1.3
log
@merge changes between nsd-4.8.0 and 4.14.0
@
text
@% DIFFERENCES NSD 3 and other name servers.
\documentclass[twoside,titlepage,english]{nlnetlabs}
\newcites{rfc}{RFC references}

\def\nlnetlabsno{2006-004}

\rcsdetails{Id}   
% Prints RCS details at the bottom of the page.

\title{Response Differences between\\ NSD and other DNS Servers}
\author{
	%This escape is needed. Because of wrapping by hyperref
	\texorpdfstring{
		Jelte Jansen\thanks{\href{mailto:jelte@@nlnetlabs.nl}{jelte@@nlnetlabs.nl}},
		\textsl{NLnet Labs}\\
		Wouter Wijngaards\thanks{\href{mailto:wouter@@nlnetlabs.nl}{wouter@@nlnetlabs.nl}},
		\textsl{NLnet Labs}
	}
	{Jelte Jansen, Wouter C.A. Wijngaards}
}
\date{
	\today
}

\begin{document}
\flushbottom
\maketitle{}

\begin{abstract}
This note describes observed differences in responses between NSD and
other DNS server implementations. NSD 3.0.0 is compared to NSD 2.3.6,
BIND 8.4.7 and BIND 9.3.2. Differences in answers to captured queries from 
resolvers are tallied and analyzed. No interoperability problems are found.
\end{abstract}


\tableofcontents
\newpage

\section{Introduction}

The NSD name server is compared to other DNS server implementations
in order to assess server interoperability.
The goal is to observe differences in the answers that the name servers
provide. These differences are categorized and counted. 

We compared against BIND 8 and BIND 9 releases. In addition, regression
tests comparing NSD 2 with NSD 3 have been run in our test lab.

Our method uses a set of queries captured from production name servers. 
These queries are sent over UDP to a name server set up to serve a 
particular zone. Then the responses from the name server are recorded. 
For every query, the different answers provided by the server 
implementations are compared.

Unparseable answers and missing answers from the servers are handled 
identically by the comparison software. This is not a problem because 
both BIND and NSD are mature and stable DNS implementations: all answers 
they send are parseable. Only in a very few cases, where the query is 
very badly formed, is no answer sent back (the exceptions observed for
BIND are discussed under b-badquery-badanswer, Section~\ref{b-badquery-badanswer}).

The differences are found by replaying captured DNS query traces from 
the NL TLD and from the root zone against different name servers. The 
differences in the answers are then analyzed, by first performing a
byte-comparison on the packets. If the packets differ byte-for-byte, 
the contents are parsed, which removes differences in domain name 
compression, and normalized (sorted, lowercased) in presentation. If the
results do not match after normalization, then a list of difference 
categories is consulted. The difference is classified as the first
category that matches. If a difference in answers does not match any 
category, then the process stops and the user is notified. All the
differences are categorized for the traces we present.

In addition, we gratefully made use of the PROTOS DNS tool developed 
at the University of Oulu which they made publicly available at 
\href{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
{the protos webpage}\footnote{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
and played the queries against the authoritative name servers.
The PROTOS test cases exposed a packet parsing error in the NSD 3
pre-release, which we fixed; after the fix both NSD 3 and BIND 9.3.2
remained running and responsive throughout the run.

Additionally we used the faulty DNS query traces in the wiki-ethereal
repository. These can be found in \href{http://wiki.ethereal.com/SampleCaptures}
{the ethereal wiki}\footnote{http://wiki.ethereal.com/SampleCaptures}.
These traces posed no problem for BIND or NSD; most of them elicited FORMERR answers.

A previous document, DIFFERENCES, comparing BIND 8.4.4 and NSD 2.0.0, can be found
in the NSD 2.x package.

In the places where differences have been found between BIND and NSD,
in the authors' opinion, no interoperability problems result for resolvers.


\section{Response differences between BIND 9.3.2 and NSD 3.0.0}

In this section the response differences between BIND 9.3.2 and NSD 3.0.0
are presented and analyzed. We start in Section~\ref{root_b932nsd3} and 
Section~\ref{nl_b932nsd3} with presenting
the difference statistics for two test traces. Then in 
Section~\ref{sec:features} and Section~\ref{sec:funcdiff}
the difference categories are explained in more detail.


\subsection{Comparison of responses to root queries}
\label{root_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2 for a root trace.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
d-additional (\ref{d-additional}) 	&        455607 & 59.19\%	\\
n-clrdobit (\ref{n-clrdobit})		&        208389 & 27.07\%	\\
b-soattl (\ref{b-soattl})		&        101707 & 13.21\%	\\
n-update (\ref{n-update})		&          1858 & 0.24\%	\\
d-hostname (\ref{d-hostname})		&          1032 & 0.13\%	\\
d-formerrquery (\ref{d-formerrquery})	&           773 & 0.10\%	\\
b-class0 (\ref{b-class0})		&           264 & 0.03\%	\\
d-refusedquery (\ref{d-refusedquery})	&            79 & 0.01\%	\\
d-notify (\ref{d-notify})		&            18 & 0.00\%	\\
b-mailb (\ref{b-mailb})			&             7 & 0.00\%	\\
n-tcinquery (\ref{n-tcinquery})		&             6 & 0.00\%	\\
b-classany-nxdomain (\ref{b-classany-nxdomain})	&     5 & 0.00\%	\\
d-badqueryflags (\ref{d-badqueryflags})	&             4 & 0.00\%	\\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	&             3 & 0.00\%	\\
d-version (\ref{d-version})		&             1 & 0.00\%	\\
Total number of differences:            &        769753 & 100\%	\\
Number of packets the same after normalization:&1474863	\\
Number of packets exactly the same on the wire:&  59161	\\
Total number of packets inspected:             &2244616	\\
\end{tabular}

For each type of difference the number of packets in the trace that
match that difference are shown. The section where that difference
is analyzed is shown in parenthesis after the difference name.
The percentage of differences
explained by the difference category is listed.  Adding up the packets
that are different gives the total number of differences, or 100\%
of the differences.

The number of packets after normalization includes the number of
packets that are the same on the wire.  
The total number of query packets is displayed at the bottom of the table.


\subsection{Comparison of responses to NL TLD queries}
\label{nl_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2, for a trace for .nl.

\begin{tabular}{lrr}
{\em difference}                        & {\em packets} & {\em \%diff} \\
d-unknown-opcode (\ref{d-unknown-opcode})               &     2541 & 26.44\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})               &     1817 & 18.91\% \\
n-clrdobit (\ref{n-clrdobit})           &     1495 & 15.56\% \\
b-soattl (\ref{b-soattl})               &     1120 & 11.65\% \\
n-update (\ref{n-update})               &      990 & 10.30\% \\
d-badqueryflags (\ref{d-badqueryflags})         &      847 & 8.81\% \\
d-hostname (\ref{d-hostname})           &      531 & 5.52\% \\
d-notify (\ref{d-notify})               &       98 & 1.02\% \\
b-upwards-ref (\ref{b-upwards-ref})             &       78 & 0.81\% \\
n-clrcdbit (\ref{n-clrcdbit})           &       63 & 0.66\% \\
d-version (\ref{d-version})             &       22 & 0.23\% \\
b-noglue-nsquery (\ref{b-noglue-nsquery})               &        8 & 0.08\% \\
b8-badedns0 (\ref{b8-badedns0})         &        1 & 0.01\% \\
Total number of differences: & 9611 & 100\% \\
Number of packets the same after normalization: & 90389 \\
Number of packets exactly the same on the wire: & 52336 \\
Total number of packets inspected: & 100000 \\
\end{tabular}

\subsection{Features}
\label{sec:features}

In this section we enumerate a number of differences between 
BIND 9.3.2 and NSD 3.0.0 that cannot be immediately explained
as design choices. These features could be seen as bugs in software
or protocol specs, except that they do not lead to interoperability 
problems.


\subsubsection{n-clrdobit - NSD clears DO bit in response}
\label{n-clrdobit}

NSD clears the DO bit in answers to queries with the DO bit. BIND copies the
DO bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

In RFC4035\cite{rfc4035} the DO bit is not specified for answers. In the examples section
of that RFC the DO bit is shown for signed dig responses, although this could 
refer to the query or the answer. NSD clears the DO bit for all answers, a 
decision based on speed: the EDNS record sent back by NSD is precompiled and
not modified during answer processing.


\subsubsection{n-clrcdbit - NSD clears CD bit in response}
\label{n-clrcdbit}

NSD clears the CD bit in answers to queries with the CD bit. BIND copies the
CD bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

RFC 4035\cite{rfc4035} asserts that the CD bit must be cleared for 
authoritative answers. The CD bit should be copied into the answer
by recursive servers. BIND copies the CD bit for some formerr queries.


\subsubsection{b-class0 - CLASS0 formerr in BIND}
\label{b-class0}

For CLASS0, you can get either FORMERR, from BIND or REFUSED, from NSD.

\vspace{-8pt}\subparagraph{Analysis:}

This is a difference in interpretation of the RFCs: a CLASS value of 0 is
treated as a syntax error by BIND but as just another valid class (one that
is not served) by NSD. Resolvers are unaffected for CLASS IN.


\subsubsection{n-tcinquery - TC bit in query is formerr for NSD}
\label{n-tcinquery}

NSD returns FORMERR if tc bit is set in query.

\vspace{-8pt}\subparagraph{Analysis:}

An ordinary query cannot be longer than 512 octets, since the DNS header is
short and the query DNS name has a maximum length of 255 octets. Thus 
TC (TrunCation) cannot happen. NSD answers only one question per query
packet; this is a design decision.

Some update, ixfr request, notify, gss-tsig TKEY sequence queries could 
theoretically carry longer data in the query from the client. In practice
this does not happen, as 255 octet uncompressed names are not used.
If this were to happen, the client could attempt a TCP connection
immediately instead of setting a TC bit, or use EDNS0 to send longer packets.

In this respect NSD validates queries more strictly than BIND.


\subsubsection{b-soattl - BIND sets SOA TTL in authority section to 0 for SOA queries}
\label{b-soattl}

This happens when asking for the SOA for a domain that is not served.

\footnotesize
\begin{verbatim}
Query:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA
\end{verbatim}
\normalsize


Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 6097
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       0       IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 10 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:52:36 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 26095
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 60 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:53:30 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

BIND follows the Internet-Draft draft-andrews-dnsext-soa-discovery, which
at the time of development had not (yet) been published as an RFC.
NSD follows the published RFCs.


\subsubsection{b-classany-nxdomain - BIND gives an auth answer for class ANY nxdomain}
\label{b-classany-nxdomain}

A difference in behaviour for CLASS=ANY queries. For existing domains both
BIND and NSD reply with AA bit cleared. For not existing domains (nxdomain)
NSD replies with AA bit cleared. BIND replies with AA bit on and includes a
SOA (CLASS=IN) for the zone, as for an authoritative nxdomain.

Query:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13328
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruO.  ANY     MX
\end{verbatim}
\normalsize

Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 103
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 28
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

Feature of BIND where it answers authoritatively for CLASS ANY 
nxdomain queries.


\subsubsection{b-badquery-badanswer - BIND replies with bad answer for
                            some bad queries}
\label{b-badquery-badanswer}

BIND replies with an answer packet that cannot be parsed, or does
not answer at all. NSD always generates
an answer, with the appropriate RCODE (mostly NOTIMPL and FORMERR, but
also NXDOMAIN to NOTIFY queries). All these queries are malformed in 
some way. 

A (very simple) example of a query that receives no answer
is a query packet of 18 zero bytes. For some queries the answer is only
missing when BIND is presented with the whole trace of queries; the same
query sent on its own is answered.

\vspace{-8pt}\subparagraph{Analysis:}

BIND either copies (part of) the unparseable question into the answer, or
some internal state of BIND is affected by earlier queries in the trace.

NSD manages to answer the malformed query. Note that NSD does not answer 
queries that are too short, or that have the QR bit set (presumably so that
a packet claiming to be a response is never answered with another response).
NSD otherwise tries to be as liberal in what it accepts as possible.


\subsection{Functionality Differences}
\label{sec:funcdiff}

The next group of differences is due to the fact that NSD does not
implement some functionality that resolvers request. This 
is a design choice and should not cause resolver problems at all,
since the responses to those requests are within the protocol specifications.


\subsubsection{d-notify - different NOTIFY errors}
\label{d-notify}

BIND and NSD give different errors for notify queries. The servers are started 
without any configuration for access control on notify. For notify messages 
aimed at a zone that is served, BIND 9.3.2 returns a NOERROR answer, and 
NSD 3 returns NOTAUTH. For notify messages on a zone that is not served 
(in-addr.arpa.) BIND 9.3.2 returns NOTAUTH and NSD 3 returns NXDOMAIN.

\vspace{-8pt}\subparagraph{Analysis:}

The default configuration differs between the two packages; NSD is more strict.
The error codes differ, but the tools that send notifies are not affected.


\subsubsection{n-update - NSD does not implement dynamic update}
\label{n-update}

For UPDATE, you can get either REFUSED/NXRRSET/other RCODE from BIND 9.3.2 or 
NOTIMPL from nsd3.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not implement dynamic update. 


\subsubsection{b-mailb - BIND does not implement MAILB}
\label{b-mailb}

For MAILB, you can get either NOTIMPL(BIND 9) or NOERROR/NXDOMAIN(NSD 3).

\vspace{-8pt}\subparagraph{Analysis:}

BIND does not implement queries for the MAILB type. NSD treats it as 
one of the RRTYPEs. MAILB is obsoleted by the RFCs; the MX type is 
used to carry mail routing information now.


\subsubsection{d-version - BIND returns servfail on version.server queries}
\label{d-version}

NSD answers version.server queries; BIND returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

Both NSD and BIND answer version.bind queries in the CHAOS class.
These answers differ in the version number they return, of course.
BIND does not answer version.server queries. NSD, by design, answers
version.server queries with the same answer as version.bind. Note that
both servers disclose their software version this way by default;
operators who do not want to reveal the running version need to configure
the server to return a different or empty answer to these queries.


\subsubsection{d-additional - Different additional section on truncated answers}
\label{d-additional}

NSD and BIND return different additional sections on truncated answers
to queries from the root. These answers are 480+ bytes long.

\vspace{-8pt}\subparagraph{Analysis:}

Not all of the A and AAAA data fits into the additional section of the answer.
BIND includes different names than NSD does, and BIND is observed to sometimes
include one more AAAA record and fewer A records in the additional section.
Resolvers should be unaffected.


\subsubsection{d-refusedquery - BIND includes query section in REFUSED answers}
\label{d-refusedquery}

BIND includes the query sent for REFUSED answers. NSD replies with only
the DNS header section.

\vspace{-8pt}\subparagraph{Analysis:}

Because the question section is not echoed, the resolver has to match the
reply to its outstanding query by the query ID; the error code carries the
necessary information. Sending only the header keeps NSD's error replies
small, which lowers the cost of answering floods of bad queries and limits
the amplification such replies could provide in a denial-of-service attack.


\subsubsection{d-hostname - BIND adds a NS record for hostname.bind}
\label{d-hostname}

BIND includes an additional RR in the authority section of the reply:
\footnotesize
\begin{verbatim}
hostname.bind. 0 CH NS hostname.bind.
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

The RR seems useless. NSD does not include it.


\subsubsection{n-ixfr-notimpl - NSD does not implement IXFR}
\label{n-ixfr-notimpl}

To queries for IXFR BIND responds with a valid answer (the latest SOA)
and NSD responds with NOTIMPL error.

\vspace{-8pt}\subparagraph{Analysis:}

NSD 3.0.0 does not implement IXFR. It returns NOTIMPL by design.


\subsubsection{d-formerrquery - BIND includes query section in FORMERR answers}
\label{d-formerrquery}

BIND includes the query sent for FORMERR answers. NSD replies with only
the DNS header section. For some queries, NSD includes an EDNS record in 
the reply if there was a recognizable EDNS record in the query.

\vspace{-8pt}\subparagraph{Analysis:}

Because the question section is not echoed, the resolver has to match the
reply to its outstanding query by the query ID; the error code carries the
necessary information. Sending only the header keeps NSD's error replies
small, which lowers the cost of answering floods of bad queries and limits
the amplification such replies could provide in a denial-of-service attack.


\subsubsection{d-badqueryflags - BIND includes query section in FORMERR answers}
\label{d-badqueryflags}

BIND includes the query section in reply to unparseable queries. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but the implementation of the comparison 
software could not parse the query either, thus a separate label.


\subsubsection{d-unknown-class - BIND includes query section in answers to unknown class}
\label{d-unknown-class}

For queries with an unknown class in the query, BIND includes the query section
in the answer. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but for a different error.


\subsubsection{d-unknown-opcode - NSD returns NOTIMPL for unknown opcode}
\label{d-unknown-opcode}

For queries that are bad packets---with malformed RRs and an unknown opcode---
BIND returns FORMERR, but NSD gives up after checking the opcode and
returns NOTIMPL. NSD copies the flags from the query and turns on the 
QR (query response) bit; BIND zeroes some of the flags.

\vspace{-8pt}\subparagraph{Analysis:}

NOTIMPL is appropriate since NSD does not implement whatever functionality
is being looked for. 


\subsubsection{b-upwards-ref - BIND returns root delegation}
\label{b-upwards-ref}

For queries to a domain that is not served, which can only have arrived at
this server due to a lame delegation, BIND returns a root delegation. NSD
returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

By design, NSD does not know the root servers.  NSD is unable to reply as
the zone is not configured, hence the SERVFAIL. Not handing out an upward
referral also means NSD never sends a root delegation (typically larger than
an error reply) in response to queries for names it is not authoritative for.
This is also discussed in the REQUIREMENTS document for NSD.


\subsubsection{b-noglue-nsquery - BIND returns no glue for NS queries}
\label{b-noglue-nsquery}

For queries for the NS records of the zone, BIND does not include glue
for the NS records. NSD includes glue for the NS servers that lie within
the zone.

\vspace{-8pt}\subparagraph{Analysis:}

The glue saves a followup query.


\subsubsection{d-noquestion - different error on no question}
\label{d-noquestion}

For queries without a question section the error code differs.
NSD considers it a FORMERR. BIND returns REFUSED.

\vspace{-8pt}\subparagraph{Analysis:}

Error code not specified for this corner case. No problems for resolvers.


\subsubsection{b-uchar - BIND returns FORMERR on strange characters}
\label{b-uchar}

BIND returns FORMERR on strange characters in the query, such as
0x00, 0xff, 0xe4, 0x20, 0x40 and so on.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not return FORMERR on these queries; it processes them.
NSD normalizes names to lower case and otherwise leaves them untouched.
BIND preserves the case of names in its answers. This choice is documented in
the REQUIREMENTS for NSD; also see RFC1035\cite{rfc1035} 2.3.3. A resolver
that compared the echoed question byte-for-byte with the question it sent
would see a case difference from NSD; as noted in the introduction, the
authors do not expect this to cause interoperability problems.


\section{Response differences between NSD 2.3.6 and NSD 3.0.0}

The differences between NSD 2.3.6 and NSD 3.0.0 are listed below. All are due
to version number changes and new features in NSD 3.


\subsection{Comparison of responses in root trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a root trace.
Note that apart from the 26 packets that are different, all responses are
byte-for-byte identical on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify})               & 19 &  73.08\% \\
n-ixfr (\ref{n-ixfr})                   & 3 &  11.54\% \\
version.bind (\ref{nsd-version})       & 3 & 11.54\% \\
version.server (\ref{nsd-version})   & 1  &  3.85\% \\
Total number of differences:            & 26 &  100\% \\
Number of packets the same after normalization:&2244590 \\
Number of packets exactly the same on the wire:&2244590 \\
Total number of packets inspected:             &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a nl. trace.
Note that apart from the 311 packets that are different, all responses are
byte-for-byte identical on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify}) 		& 289 & 92.93\% \\
version.bind (\ref{nsd-version}) 	& 22  & 7.07\% \\
Total number of differences: 			   & 311 	& 100\% \\
Number of packets the same after normalization:& 99689 \\
Number of packets exactly the same on the wire:& 99689 \\
Total number of packets inspected: 	&100000 \\
\end{tabular}


\subsection{Version number - version.bind and version.server}
\label{nsd-version}

To queries for version.bind and version.server the different implementations
return a different version number, as they should.

\vspace{-8pt}\subparagraph{Analysis:}

Expected. Correct version numbers are returned.


\subsection{n-notify - notify not implemented in NSD 2}
\label{n-notify}

Notifications are handled differently. NSD 2 returns NOTIMPL error code,
while NSD 3 returns NOTAUTH or NXDOMAIN error codes.

\vspace{-8pt}\subparagraph{Analysis:}

The default configuration of NSD 3 denies all notify messages. These answers are
correct for non-existing zones and for zones where the sender is not authorized.


\subsection{n-ixfr - IXFR error FORMERR in NSD 2}
\label{n-ixfr}

Different error codes are given to IXFR queries. NSD 2
returns FORMERR (because of the RR in the authority section of the IXFR
request); NSD 3 returns NOTIMPL.

\vspace{-8pt}\subparagraph{Analysis:}

Neither version of NSD implements IXFR. It is more appropriate to
return the NOTIMPL error code in that case. Bugfix in NSD.


\section{Response differences between BIND 8 and NSD 3.0.0}

In this section the response differences between BIND 8.4.7 and NSD 3.0.0
are categorized and analyzed. 


\subsection{Comparison of responses in root trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the root zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit (\ref{n-clrcdbit})	&         516372 &84.39\% \\
d-hostname (\ref{d-hostname})	&         53431  &8.73\% \\
d-additional (\ref{d-additional})	& 32526  &5.32\% \\
b8-nodata-ttlminup (\ref{b8-nodata-ttlminup})	& 4611  &0.75\% \\
n-update (\ref{n-update})	&         1856  &0.30\% \\
d-version (\ref{d-version})	&         1033  &0.17\% \\
b8-auth-any (\ref{b8-auth-any})	&         519  &0.08\% \\
b8-badedns0 (\ref{b8-badedns0})	&         492  &0.08\% \\
d-unknown-class (\ref{d-unknown-class})	& 482  &0.08\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})	& 451  &0.07\% \\
b-class0 (\ref{b-class0})	&         97  &0.02\% \\
d-notify (\ref{d-notify})	&         18  &0.00\% \\
b8-ignore-tc-query (\ref{b8-ignore-tc-query})	& 6  &0.00\% \\
b8-badquery-ignored (\ref{b8-badquery-ignored})	& 4  &0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	& 3  &0.00\% \\
b-soattl (\ref{b-soattl})	&         1  &0.00\% \\
Total number of differences: 		&	 611902	&100\% \\
Number of packets the same after normalization:&1632714 \\
Number of packets exactly the same on the wire:&   2299 \\
Total number of packets inspected: 	       &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the .nl zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit        (\ref{n-clrcdbit})         &           2857        &33.53\% \\
d-unknown-opcode  (\ref{d-unknown-opcode})   &           2692        &31.59\% \\
n-update          (\ref{n-update})           &           1283        &15.06\% \\
d-badqueryflags   (\ref{d-badqueryflags})    &            841        &9.87\% \\
d-hostname        (\ref{d-hostname})         &            531        &6.23\% \\
d-notify          (\ref{d-notify})           &            293        &3.44\% \\
d-version         (\ref{d-version})          &             22        &0.26\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) &         1        &0.01\% \\
b8-badedns0          (\ref{b8-badedns0})     &              1        &0.01\% \\
Total number of differences: &8521 &100\% \\
Number of packets the same after normalization:&91479 \\
Number of packets exactly the same on the wire:&90837 \\
Total number of packets inspected:&100000 \\
\end{tabular}


\subsection{b8-nodata-ttlminup - BIND 8 uses minimum TTL from SOA also if bigger}
\label{b8-nodata-ttlminup}

For NXDOMAIN queries in root-servers.net, BIND 8 uses the minimum TTL from
the SOA as the TTL of the included SOA RR. In that zone the minimum TTL is
larger than the SOA record's own TTL; NSD 2.3.6, NSD 3 and BIND 9 all
use the smaller of those two values as the TTL of the included SOA.

\vspace{-8pt}\subparagraph{Analysis:}

Bug in BIND 8 solved in BIND 9.


\subsection{b8-badquery-ignored - BIND 8 replies normally for some bad queries}
\label{b8-badquery-ignored}

BIND 8 still replies normally to some malformed queries. NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

The query is malformed, so FORMERR is the required response. Fixed in BIND 9.


\subsection{b8-badedns0 - BIND 8 ignores bad EDNS0 queries}
\label{b8-badedns0}

BIND 8 ignores a malformed EDNS0 section and answers the query anyway.
NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

BIND8 is more liberal in accepting broken EDNS0 records. NSD is not.
Changed in BIND 9.


\subsection{b8-auth-any - BIND 8 includes an authority section on queries for ANY .}
\label{b8-auth-any}

BIND8 includes an authority section on queries for class ANY .
BIND9 and NSD return an empty authority section.

\vspace{-8pt}\subparagraph{Analysis:}

Fixed in BIND9.


\subsection{b8-ignore-tc-query - BIND 8 ignores the TC bit in queries}
\label{b8-ignore-tc-query}

BIND 8 responds to queries that have the TC bit set. NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

This is like n-tcinquery (\ref{n-tcinquery}), except that where BIND 9 returns NXDOMAIN,
BIND 8 returns the query with the QR bit set. This is fixed in BIND 9.
NSD is less liberal in accepting queries: it returns FORMERR on queries with
the TC bit set.

\bibliographystyle{nlnetlabs}
\bibliography{allbib}

\end{document}
@


1.2
log
@merge conflicts between 4.3.5 and 4.6.0, and update build
@
text
@d7 1
a7 1
\rcsdetails{$Id$}   
@


1.1
log
@Initial revision
@
text
@d7 1
a7 1
\rcsdetails{Id: differences.tex 2438 2006-09-05 09:58:47Z wouter }   
@


1.1.1.1
log
@Import nsd
@
text
@@


1.1.1.2
log
@
NSD 4.1.19
Dec 11, 2017
Bugfixes
ignore fallthrough compiler warning in flex EOF rule.
Fix warnings emitted by clang for --enable-packed. Alignment is not a problem for x86_64, don't enable packed when the platform requires aligned access.
Fix spelling error in xfr-inspect.
Fix 3392: Fix regression in 4.1.18 for notify lists with ip4 and ip6 targets.
Add test for support of -Wno-address-of-packed-member for --enable-packed.

NSD 4.1.18
Nov 30, 2017
Features
xfr-inspect, it is not installed, it prints xfr files from /tmp made with 'make xfr-inspect' in the source dir.
retry timeout between sending notifies dropped from 15 to 3 sec.
NSD sends 16 notifies simultaneously.
configure --enable-packed reduces memory usage, at expense of unaligned reads. Saves about 17%.
Save memory by selectively allocate precompiled nsec3 hashes, saves about 16% memory.
make ip-transparent option work on OpenBSD.
Save about 2% memory by changing usage count size in name tree.
Fix #2871: Increase number of sockets for xfrd transfers.
Bugfixes
Fix gcc 7.1.1 warnings.
Fix writev compile warning on FreeBSD.
Fix #1446: A corrupted zone file "propagates" to good ones.
nsd-control zonestatus prints wait time between attempts, for zones that are in that waiting time.
Fix collision printout of nsec3 to print name, hash and reverse.
Fix #1567: Change crit to err log level for gettimeofday failure. Add defines for compile without syslog.
Fix crash for DS query when parent and child zones both configured in nsd.conf and parent zone has not loaded properly.

NSD 4.1.17
Jul 21, 2017
Features
zone parser parses type AVC (it has TXT format).
Fix #1272: use writev to put tcp length field with data for outgoing zone transfer requests.
Bugfixes
Fix potential null pointer in nsec3 adjustment tree.
Fix text format of deletes for CDS and CDNSKEY, single 0 to represent empty base64 or hex string.

NSD 4.1.16
Apr 25, 2017
Features
zone parser can parse acronyms for algorithms ED25519 and ED448.
Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.
Bugfixes
Calculate new udb index after growing the array, fix from Chaofeng Liu.
Fix missing _t to _type conversion for disable-radix-tree option.
Printout serial error with hint it may be too big.
Fix 1228: OpenSSL include is not guarded with HAVE_SSL
Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
minor manpage fix.

NSD 4.1.15
Feb 16, 2017
Bugfixes
Fix nsd-control and ipv6 only.
Squelch zone transfer error address family not supported by protocol at low verbosity levels.
Fix #1195: Fix so that NSD fails on non-compliant values for Serial.
Fix to rename _t typedefs because POSIX reserves them.
Fix that nsec3 hash collisions only reported on verbosity level 3.
@
text
@d7 1
a7 1
\rcsdetails{$Id: differences.tex 2438 2006-09-05 09:58:47Z wouter $}   
@


1.1.1.2.4.1
log
@Sync with HEAD
@
text
@d7 1
a7 1
\rcsdetails{$Id: differences.tex,v 1.1.1.4 2019/05/25 19:44:44 christos Exp $}   
@


1.1.1.2.4.2
log
@Merge changes from current as of 20200406
@
text
@d7 1
a7 1
\rcsdetails{Id}   
@


1.1.1.2.2.1
log
@Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
@
text
@d7 1
a7 1
\rcsdetails{Id: differences.tex 2438 2006-09-05 09:58:47Z wouter }   
@


1.1.1.3
log
@Import nsd-4.1.24

6 August 2018: Wouter
	- tag for 4.1.24 release.

30 July 2018: Wouter
	- Tag for NSD 4.1.23 release, trunk is 4.1.24, includes the
	  fix for the NSD time-sensitive TSIG compare vulnerability.
	- Fix checkconf test for use-systemd option.

25 July 2018: Wouter
	- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
	  chain, NSD leniently attempts to find a working NSEC3PARAM.

23 July 2018: Wouter
	- Remove socket activation from systemd code, it was reported as
	  not useful to enable.  The readiness signalling is still there,
	  and can be enabled with use-systemd: yes.
	- Only call sd_notify from systemd when use-systemd is yes.

6 July 2018: Wouter
	- RFC8162 support, for record type SMIMEA.
	- Fix that type CAA (and URI) in the zone file can contain
	  dots when not in quotes.

26 June 2018: Wouter
	- configure --enable-systemd (needs pkg-config and libsystemd) can
	  be used to then use-systemd: yes in nsd.conf and use socket
	  activation and readiness signalling with systemd.

19 June 2018: Wouter
	- #4106: Fix that stats printed from nsd-control are recast from
	  unsigned long to unsigned (remote.c).

14 June 2018: Wouter
	- Fix that first control-interface determines if TLS is used.  Warn
	  when IP address interfaces are used without TLS.

12 June 2018: Wouter
	- #4102: control interface via local socket.
	  configure it with control-interface: "/path/nsd.ctl"  The path
	  has to start with a / to separate it from an IP address.
	  The local socket does not use SSL, but unencrypted traffic, use
	  file and containing directory permissions to restrict access.

6 June 2018: Wouter
	- Patch to fix openwrt for mac os build darwin detection in configure.

4 June 2018: Wouter
	- tag for 4.1.22rc1.  Became 4.1.22 on 11 June, trunk is 4.1.23 in
	  development from this point.

31 May 2018: Wouter
	- Fix to use same condition for nsec3 hash allocation and free.

23 May 2018: Wouter
	- Use accept4 to speed up answer of TCP queries, on Linux and FreeBSD
	  and OpenBSD.

22 May 2018: Wouter
	- Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.

15 May 2018: Wouter
	- Fix memory free in unit test.

14 May 2018: Wouter
	- Tag for 4.1.21 release.
	- trunk has 4.1.22 in development.
	- refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
	  and allows TCP queries like normal.

7 May 2018: Wouter
	- Tag for 4.1.21rc1 release.

4 May 2018: Wouter
	- Fix #4093: Release notes not using 2018.

3 May 2018: Wouter
	- Fix buffer size warnings from compiler on filename lengths.

26 April 2018: Wouter
	- lower memory usage for tcp connections, so tcp-count can be higher.
	- Fix checkconf test for refuse-any option.

3 April 2018: Wouter
	- refuse-any nsd.conf option that refuses queries of type ANY.

5 March 2018: Wouter
	- Fix #3562: explain build error when flex missing.

20 February 2018: Wouter
	- For more clang warnings
	- Fix spelling error in xfr-inspect.

19 February 2018: Wouter
	- Fix for clang analysis complaints.

15 February 2018: Wouter
	- --enable-memclean cleans up memory for use with memory checkers,
	  eg. valgrind.
	- Fix unused variable warnings from clang analyzer.

14 February 2018: Wouter
	- updated RELNOTES for upcoming release.
	- tag 4.1.20rc1, became release on 20 feb, trunk has 4.1.21 in
	  development.

9 February 2018: Wouter
	- make depend: updated the make dependencies in the Makefile.

8 February 2018: Wouter
	- Fix memory leak when rehashing nsec3 after axfr or zonefile read,
	  in the selectively allocated precompiled nsec3 hashes.

6 February 2018: Wouter
	- Fix memory leak in zone file read of unknown rr formatted RRs.
@
text
@d7 1
a7 1
\rcsdetails{Id: differences.tex 2438 2006-09-05 09:58:47Z wouter }   
@


1.1.1.4
log
@19 March 2019: Wouter
	- tag 4.1.27rc1

18 March 2019: Wouter
	- Fix unit test bug013_truncate for new truncation with EDNS size,
	  it is one RR smaller for the truncated response in the test.

14 March 2019: Wouter
	- Fixed radtree_insert memory leak.
	- Fixed access recycled variable.

11 March 2019: Wouter
	- Fix #6: nsd-control-setup: Change validity time to a shorter
	  period (<2038).
	- Fix unused definition in header remote.h.
	- Fix #4236: IPV4_MINIMAL_RESPONSE_SIZE=1480 is slightly too big.
	- Fix #4235: IP_PMTUDISC_OMIT on IPv4/UDP sockets.

18 February 2019: Wouter
	- Fix to remove unused code.

15 February 2019: Wouter
	- tentative robustness, delete stats items from list twice if needed.

14 February 2019: Wouter
	- Fix #4: setusercontext() is in libutil on NetBSD, and also
	  include login_cap.h only if it exists.
	- Fix #4215: fixup for state update for TSIG information in server
	  processes, nicer printout for tsig_print, tsig_print without
	  arguments and no leaks.
	- nicer logging for update_tsig.

1 February 2019: Wouter
	- Fix for tsig assoc_tsig command on acl with nokey elements.

29 January 2019: Wouter
	- Fix #4215: on-the-fly change of TSIG keys with patch from Igor, adds
	  nsd-control print_tsig, update_tsig, add_tsig, assoc_tsig
	  and del_tsig.  These changes are gone after reload, edit the
	  config file (or a file included from it) to make changes that
	  last after restart.
	- documentation for tsig nsd-control options.

24 January 2019: Wouter
	- Deny ANY with only one RR in response, by default.  Patch from
	  Daisuke Higashi.  The deny-any statement in nsd.conf sets ANY
	  queries over UDP to be further moved to TCP as well.
	  Also no additional section processing for type ANY, reducing
	  the response size.
	- assertions for clang analysis.

10 December 2018: Wouter
	- Fix for FreeBSD port with dnstap enabled.

6 December 2018: Wouter
	- Fix to reduce region_log_stats if condition, this removes a
	  debug statement.

5 December 2018: Wouter
	- Fix #4213: disable-ipv6 and dnstap compile error.

3 December 2018: Wouter
	- Note that the content_list member is unused; and could be removed
	  if the database format is modified or updated.
	- Fix that dnstap logs CQ and CR like BIND does.
	- Revert that, it looks wrong, AQ and AR are for the authoritative.
@
text
@d7 1
a7 1
\rcsdetails{$Id: differences.tex 2438 2006-09-05 09:58:47Z wouter $}   
@


1.1.1.5
log
@3 December 2019: Wouter
	- Fix #52: do not log transient network full errors unless higher
	  verbosity is set.
	- Fix checkconf test for new error output string.
	- tag for 4.2.4rc1 release.

27 November 2017 Jeroen
	- Fix regressions in configparser.y

22 November 2019: Wouter
	- Fix #48: Add make distclean that removes config.h made by configure.
	  And add maintainer-clean that removes bison and flex output.

18 November 2019: Wouter
	- Detect fixed time memcmp for openssl 0.9.8 compatibility.
	- Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
	- include limits.h for UINT_MAX.
	- If no recvmmsg, don't use msg_flags member, but errno for error,
	  where our fallback function left it, msg_flags also does not exist
	  on some systems.
	- Remove unused variable warning for portability.

14 November 2019: Wouter
	- Fix checkconf test with filenames that sort in the same order.
	- Tag for 4.2.3rc1.  Branch master is 4.2.4 in development.

11 November 2019: Wouter
	- Fix #44: document that remote-control is a top-level nsd.conf
	  attribute.
	- Fix compile on OSX.
	- Fix for #44: nicer top-level clause documentation.

22 October 2019: Jeroen
	- Number of different UDP handlers has been reduced to one. recvmmsg
	  and sendmmsg implementations are now used on all platforms.
	  Compatible implementations are in place for systems that lack the
	  system calls.
	- Socket options are now set in designated functions for easy reuse.
	- Socket setup has been simplified for easy reuse.
	- Configuration parser is now aware of the context in which an option
	  was specified.

21 October 2019: Wouter
	- For #21 add
	  contrib/patch_for_s6_startup_and_other_service_supervisors.diff
	  that adds support for readiness notification with READY_FD from
	  Cameron Nemo.

17 October 2019: Jeroen
	- Fix #40: Merge small fixes for confine-to-zone by Greg Bock.

15 October 2019: Jeroen
	- For #39: Merge confine-to-zone feature contributed by Greg Bock.

26 September 2019: Wouter
	- Fix #38: log address and failure reason with tls handshake errors,
	  squelches (the same as unbound) some unless high verbosity is used.
	- Fixup clang analysis warning in xfrd_parse_received_xfr_packet
	  master dereference.

25 September 2019: Wouter
	- The nsd.conf includes are sorted ascending, for include statements
	  with a '*' from glob.

16 September 2019: Wouter
	- Fixup warnings during --disable-ipv6 compile.
	- Fixup unit test executable to run without IPv6.

4 September 2019: Wouter
	- Fix #35: excessive logging of ixfr failures, it stops the log when
	  fallback to axfr is possible. log is enabled at high verbosity.

2 September 2019: Wouter
	- For #21: pidfile "" allows to run NSD without a pidfile, for
	  startup management tools like daemontools.

28 August 2019: Wouter
	- In tests check for tls test tool availability.

19 August 2019: Wouter
	- Tag for 4.2.2 release.  Git master contains 4.2.3 in development.

13 August 2019: Wouter
	- Fix error message for out of zone data to have more information.
	- Tag for 4.2.2rc2.

12 August 2019: Wouter
	- Fix #33: Fix segfault in service of remaining streams on exit.

6 August 2019: Wouter
	- Tag for 4.2.2rc1.

5 August 2019: Wouter
	- PR #31: nsd-control: Add missing stdio header.
	- PR #32: tsig: Fix compilation without HAVE_SSL.
	- Cleanup tls context on xfrd exit.

31 July 2019: Wouter
	- Fix #29: SSHFP check NULL pointer dereference.
	- Fix #30: SSHFP check failure due to missing domain name.
	- Fix to timeval_add in minievent for remaining second in microseconds.

22 July 2019: Wouter
	- Set timeout for refetch immediately, only spread load when there
	  are retries.

19 July 2019: Wouter
	- Set no renegotiation on the SSL context to stop client
	  session renegotiation.

18 July 2019: Wouter
	- Fix #25: NSD doesn't refresh zones after extended downtime,
	  it refreshes the old zones, with a random delay of a couple of
	  seconds to spread the load.
	- Fix so that expired zones stay expired when server is down a
	  long time.

17 July 2019: Wouter
	- Fix that NSD warns for wrong length of the hash in SSHFP records.

15 July 2019: Wouter
	- PR #23: Fix typo in nsd.conf man-page.

4 July 2019: Wouter
	- Set version to 4.2.2 in development.
	- clean memory on exit of nsd-checkzone for memory debug.
	- Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
	  dname_concatenate() function.  Reported by Frederic Cambus.
	  It causes the zone parser to crash on a malformed zone file,
	  with assertions enabled, an assertion catches it.
	- Fix #19: Out-of-bounds read caused by improper validation of
	  array index.  Reported by Frederic Cambus.  The zone parser
	  fails on type SIG because of mismatched definition with RRSIG.

2 July 2019: Wouter
	- Tag for 4.2.1rc1

27 June 2019: Wouter
	- Fix unit test for added options and no dot after zone updated
	  log message.
	- Fix compile without accept4.

21 June 2019: Wouter
	- Omit remaining tcp processing if the list is empty.
	- Fix output of nsd-checkconf -h.

20 June 2019: Wouter
	- Initialize event structures before event_set, to stop uninitialized
	  values from setting event library lists and assertions, that would
	  sometimes also show after event_del.
	- Added num.tls and num.tls6 stat counters.
	- PR #12: send-buffer-size, receive-buffer-size,
	  tcp-reject-overflow options for nsd.conf, from Jeroen Koekkoek.
	- Do not use symbol from libc, instead use own replacement, if not
	  available, for accept4.
	- Fix #14, tcp connections have 1/10 to be active and have to work
	  every second, and then they get time to complete during a reload,
	  this is a process that lingers with the old version during a version
	  update.

19 June 2019: Wouter
	- Fix tls handshake event callback function mistake, reported
	  by Mykhailo Danylenko.

18 June 2019: Wouter
	- Fix #15: crash in SSL library, initialize variables for TCP access
	  when TLS is configured.

14 June 2019: Wouter
	- Fix to init event not pointer, in reassignment.

12 June 2019: Wouter
	- Fix to init event structure for reassignment.

11 June 2019: Wouter
	- NSD 4.2.0 release.  Current development is 4.2.1.
	- Fixup of RELNOTES, corrected RFC reference for 4892.
	- Fix #13: Stray dot at the end of some log entries, removes dot
	  after updated serial number in log entry.
	- Fix TLS cipher selection, the previous was redundant, prefers
	  CHACHA20-POLY1305 over AESGCM and was not as readable as it could be.
	- Consolidate server tls context create and remote control context
	  create, with hardening for the remote control tls context too.

6 June 2019: Wouter
	- NSD 4.2.0rc1 tag.

4 June 2019: Wouter
	- Fix unit test for outgoing interface to use random port numbers for
	  the outgoing interface config.

29 May 2019: Wouter
	- Fix to guard _OPENBSD_SOURCE from redefinition.

28 May 2019: Wouter
	- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.

16 May 2019: Wouter
	- Fix #10: Fix memory leaks caused by duplicate rr and include
	  instructions.

6 May 2019: Wouter
	- Note CII best practices badge for NSD on the README.md.

2 May 2019: Wouter
	- Fix .gitignore for unit test generated files.
	- Fix checkconf unit test for hide-identity and tls.

1 May 2019: Wouter
	- Fix makedist.sh for use with git.
	- Nicer output on travis for clang analysis.
	- Add .gitignore file to exclude built files from version tracking.
	- Add README.md file in repository with compile instructions.
	- Fix .gitignore for dnstap files and aclocal temp.
	- Add aclocal to README.md for pkgconfig for some configure options.

25 April 2019: Wouter
	- Add tls.tpkg unit test for DNS over TLS functionality.

18 April 2019: Wouter
	- Fix to avoid buffer alloc with global buffer in tls write handler.
	- Fix to initialize event structure when accepting TCP connection.
	- Use travis for build check, initial unit test and clang analysis.
	- Disable SSLv2,3,TLSv1.0,1.1 if TLS1.2 is available in libssl.
	- Disable weak ciphers, enable CIPHER_SERVER_PREFERENCE.
	- further setup ssl ctx after the keys are loaded, for ECDH.
	- TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
	  patch from Andreas Schulze.

17 April 2019: Wouter
	- Fix to share openssl init code, and perform it once.

16 April 2019: Andreas via Sara
	- Patch to add support for TCP Fast Open
	- Patch to add support for tls service on a specified tls port

16 April 2019: Wouter
	- Fix #4249: The option hide-identity: yes stops NSD from responding
	  with the hostname for chaos class queries.  Implements the RFC4829
	  security considerations.
	- Remove starttls, this signalling method was not standardized.
	- Remove TO bit, this signalling method was not standardized.
	- Remove unused first_query and tls_ok states.
	- Remove sign-compare warning in tls packet send code.
	- Fix spelling in comment and log printout.
	- Fix potential uninitialized variable.
	- Fix documentation for DNS over TLS, and set default port 853.
	- Fix to add missing comment.
	- Fix that the TLS handshake routine sets the correct event to
	  continue when done.
	- Fix that TLS renegotiation calls the read and write routines again
	  with the same parameters when the desired event has been satisfied.
	- Fix that TCP Fastopen has better error message and supports OSX.
	- Fix log for fastopen with verbosity.
	- Squelch TLS handshake failure log until verbosity 3.
	- Add per-zone statistics for TLS queries, and dnstap for TLS queries,
	  and rcode and TCflag statistics for TCP and TLS queries.

25 March 2019: Wouter
	- Print IP address when bind socket fails with error.

21 March 2019: Wouter
	- Fix spelling error in release notes.
	- Fix to delete unused zparser.default_apex member.
@
text
@d7 1
a7 1
\rcsdetails{Id}   
@


1.1.1.6
log
@Import 4.3.5:

19 January 2021: Wouter
	- Set branch ready for 4.3.5 release.  Tag for 4.3.5rc1.
	  Became the 4.3.5 release on 26 january 2021.  This branch continues
	  with 4.3.6 in development.

15 January 2021: Wouter
	- Fix #152: '*' in Rdata causes the return code to be NOERROR instead
	  of NX.
	- Add config.guess and config.sub to .gitignore for autoconf 2.70.
	- Fix #150: TXT record validation difference with BIND.
	- Fixup TXT record validation fix for escaped quotes.
	- Fixup TXT record validation fix for escaped backslashes.
	- Fixup escape character parse for quoted strings.

11 January 2021: Wouter
	- Fix #151: DNAME not applied more than once to resolve the query.
	- Fix dname test for #148.
	- For #151: fix to not produce loops in output.

5 January 2021: Wouter
	- Fix configure.ac for autoconf 2.70.

4 January 2021: Wouter
	- Fix #148: CNAME need not be followed after a synthesized CNAME
	  for a CNAME query.

11 December 2020: Wouter
	- Fix that nsd-control has timeout when connection is down.
	- remove windows socket ifdefs from nsd-control.

3 December 2020: Wouter
	- For #145: Fix that service of remaining TCP and TLS connections
	  does not allow new queries to be made, the connection is closed.
	  Only existing queries and zone transfers are answered, new ones
	  are rejected by a close of the channel.

30 November 2020: Wouter
	- Fix #144: fix better.

27 November 2020: Wouter
	- Fix #144: Typo fix in nsd.conf.5.in.

26 November 2020: Wouter
	- Fix #143: xfrd no hysteresis with NOT IMPLEMENTED rcode.

24 November 2020: Wouter
	- Merge PR #141: ZONEMD RR type.
	- tag for 4.3.4rc1.  This became 4.3.4 release on 1 dec 2020.
	  The code repo continues for 4.3.5 in development.

23 November 2020: Wouter
	- Fix #142: NODATA answers missing SOA in authority section after
	  CNAME chain.
	- Fix for CVE-2020-28935 : Fix that symlink does not interfere
	  with chown of pidfile.
	- fix writepid for retvalue 0.

9 November 2020: Wouter
	- Fix #138: NSD returns non-EDNS answer when QUESTION is empty.
	- Fix to check nscount in previous fix for EDNS in formerr response
	  when there is no question.

28 October 2020: Wouter
	- Remove unused init_cfg_parse routine from configlexer.

20 October 2020: Wouter
	- Fix to add missing closest encloser NSEC3 for wildcard nodata type
	  DS answer.

14 October 2020: Wouter
	- Fix #134: IPV4_MINIMAL_RESPONSE_SIZE vs EDNS_MAX_MESSAGE_LEN.

13 October 2020: Wouter
	- Fix missing parenthesis on size of fix to init buffer.

12 October 2020: Wouter
	- Fix #127: two minor `-Wcast-qual` cleanups
	- Fix #126: minor header hygiene
	- Fix #125: include config.h in compat/setproctitle.c and fix prototype of `setproctitle`
	- Fix #133: fix 0-init of local ( stack ) buffer.

8 October 2020: Wouter
	- tag for 4.3.3 release
	- current repository contains 4.3.4 in development.
	- Fix #129: ambiguous use of errno, in log message if sendmmsg fails.
	- Fix #128: Fix that the invalid port number is logged for sendmmsg
	  failed: Invalid argument.

1 October 2020: Wouter
	- tag for 4.3.3rc1 release.

30 September 2020: Wouter
	- Updated date in nsd -v output.
	- Fixup bug013_truncate, checkconf and cutest_qroot tests for new
	  default EDNS size.

29 September 2020: Willem
	- Follow DNS flag day 2020 advice and
	  set default EDNS message size to 1232.

4 September 2020: Wouter
	- Remove unused space from LIBS on link line.

3 September 2020: Wouter
	- Merge PR #121: Increase log level of recreated database from
	  WARNING to ERR.

1 September 2020: Wouter
	- Fix #119: fix compile warnings from new gcc.
	- Fix #119: warn when trying to parse a directory.

27 August 2020: Wouter
	- Merged PR #113 with fixes.  Instead of listing an IP-address to
	  listen on, an interface name can be specified in nsd.conf, with
	  ip-address: eth0.  The IP-addresses for that interface are then used.

26 August 2020: Wouter
	- Add xstrdup for PR #113.
	- Tidy up code like in PR #113.
	- Import code from PR #113.
	- Fix for unknown EVP_MAC_CTX_free function in openssl 3.0.0 tsig code.

24 August 2020: Wouter
	- Fix that configure checks for EVP_sha256 to detect openssl, because
	  HMAC_CTX_new is deprecated in 3.0.0.
	- Port TSIG code for openssl 3.0.0-alpha6.
	- Sync acx_nlnetlabs.m4 with the unbound repo.
	- Review fixes for tsig, defensive free and zero.

4 August 2020: Wouter
	- Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find
	  fd_set - patch.

23 July 2020: Wouter
	- Merge #115 from millert: Fix strlcpy() usage. From OpenBSD.

15 July 2020: Wouter
	- Fix make install with --with-pidfile="".

14 July 2020: Wouter
	- Tag for 4.3.2 release.  Master branch contains the next version
	  in development, 4.3.3.

7 July 2020: Wouter
	- Tag for 4.3.2rc1.

6 July 2020: Wouter
	- Fix compile includes for xfr-inspect tool on FreeBSD.
	- Add tpkg/run_vm.sh that runs test when in a virtual machine.
	- Merge #112 from jaredmauch: log old and new serials when NSD
	  rejects an IXFR due to an old serial number.
	- Fix bug034 test for vm test changes.

22 June 2020: Wouter
	- Remove errno reset behaviour from sendmmsg and recvmmsg
	  replacement functions.
	- Fix unit test for different nsd-control-setup -h exit code.

19 June 2020: Wouter
	- Merge #108 from Nomis: Make the max-retry-time description clearer.
	- Retry when udp send buffer is full to wait until buffer space is
	  available.

18 June 2020: Wouter
	- Do not log EAGAIN errors for sendmmsg, to stop log spam on OpenBSD.

17 June 2020: Wouter
	- Fix #107: nsd -v shows configure line, openssl version and libevent version.

27 May 2020: Wouter
	- Fix unlink of pidfile warning if not possible due to permissions,
	  nsd can display the message at high verbosity levels.
	- Update contrib/nsd.service for chown of nsd.log and /var/log in
	  ReadWritePaths.
	- Removed contrib/nsd.service, example is too complicated and not
	  useful.

15 May 2020: Wouter
	- Merge PR#102 from and0x000: add missing default in documentation
	  for drop-updates.
	- Fix checkconf test for log-only-syslog option.

14 May 2020: Wouter
	- Document default value for tcp-timeout.

13 May 2020: Jeroen
	- Fix #99: Fix copying of socket properties with reuseport enabled.

24 April 2020: Wouter
	- Fix #97: EDNS unknown version: query not in response.

21 April 2020: Wouter
	- Fix #96: log-only-syslog: yes sets to only use syslog, fixes
	  that the default configuration and systemd results in duplicate
	  log messages.

20 April 2020: Wouter
	- Fix #95: Removed make test check because tpkg not included in
	  release tarballs.
	- Fix unused parameter compile warnings.

16 April 2020: Wouter
	- Tag for 4.3.1 release and track 4.3.2 release in code repository.
	- note sha256 digest algo use in makedist.sh.
	- Fix for posix shell syntax for trap in nsd-control-setup.
	- Fix to omit the listen-on lines from log at startup, unless verbose.
	- Fix uninitialised values for bindtodevice option at startup with
	  reuseport and multiple interfaces.

8 April 2020: Wouter
	- Tag for 4.3.1rc2.

7 April 2020: Wouter
	- Merge PR #91 by gearnode: nsd-control-setup recreate certificates.
	  The '-r' option recreates certificates.  Without it it creates them
	  if they do not exist, and does not modify them otherwise.

6 April 2020: Wouter
	- Merge PR #90 by phicoh: O_CLOEXEC should be FD_CLOEXEC.
	- Merge PR #92 by tonysgi: Fix typo.

2 April 2020: Wouter
	- Tag for 4.3.1rc1.

1 April 2020: Wouter
	- Fix for whitespace in minimal responses test for FreeBSD.

25 March 2020: Wouter
	- Merge PR #86 from noloader: Use precious variables for GREP, EGREP,
	  SED, AWK, LEX and YACC.
	- For PR #86: Fix that programs loaded after CFLAGS and stuff is
	  set, specifically the compiler, so that it can work if it needs
	  special flags from that.  Fix that lex only needs to support -i
	  if actually defined, otherwise the output included in the source
	  tarball can be used.
	- Merge PR #72 from noloader: Increase Travis testing coverage

23 March 2020: Wouter
	- Fix unterminated ifdef in nsd.h.
	- Fix unknown u_long in util.c for Issue #80 .

20 March 2020: Wouter
	- Merge PR #83 from noloader: Fix GNU HURD sched_setaffinity compile.
	- Fix #82: print error when system does not have setaffinity.
	- Fix #80: NetBSD and implicit declaration of reallocarray.
	- Fix for #80: Fix reallocarray test to define before include.
	- Fix for #80: Define alternatives for IFNAMSIZ if it does not exist.

19 March 2020: Wouter
	- Fix #76: cpuid typedef for Hurd, DragonflyBSD compile.
	- Fix #75: configure test for sched_setaffinity, and use
	  cpuset_setaffinity otherwise.  Also test for presence of sysconf.
	- Fix #74: GNU Hurd fix cast from pointer to integer of different size.
	- Fix for #74, #75: cpuset test for header contents and provide code.
	- Fix #78: Fix SO_SETFIB error on FreeBSD.

18 March 2020: Wouter
	- Fix #70: error: 'fd_set' undeclared.
	- Fix #71: error: 'for' loop initial declaration used outside C99
	  mode.
	- Fix to move declarations out of for loops in event test too.
	- Fix to move declarations out of for loops in popen3 test too.
	- Another fix to move declaration out of for loop for event test.
	- Fix to move declarations out of for loops in cutest regex display.

17 March 2020: Wouter
	- tag for 4.3.0 release and master branch has version 4.3.1.

10 March 2020: Wouter
	- repository has version number 4.3.0.  Tag for 4.3.0rc1.

3 March 2020: Wouter
	- Fix that the retry wait does not exceed one day for zone transfers.

27 February 2020: Wouter
	- Fix warning on FreeBSD about pointer size cast.

26 February 2020: Wouter
	- Fixup fix of reuseport TCP for server close of sockets not used
	  by it.  And the unit test skips when the necessary debug output
	  is not enabled.

25 February 2020: Wouter
	- Fix event unit test, signal has to be registered with signal_add,
	  event_add not for every backend for signals.  The event_initialized
	  is not possible for every backend, so event_added variable.  The
	  agent write event fires after a timeout, instead of on event write
	  so that it does not trigger a sigpipe event when the handlers stop.
	  Timeout shorted to 0.1 second.  event_get_fd was not implemented,
	  so used ev_fd.  Debug output printfs added to see what happens.
	- Fix checkconf test for new drop-updates config option.
	- Fix errors with reuseport and TCP file descriptors, it was
	  closing them for server-1 in server-2 and server-3.

7 February 2020: Jeroen
	- Add feature to drop queries with opcode UPDATE.

6 February 2020: Jeroen
	- Support SO_BINDTODEVICE on Linux. Specify bindtodevice: yes
	  to bind sockets directly to the network interface.
	- Support SO_SETFIB on FreeBSD. Add setfib=<FIB> after an ip-address
	  option to use the specified FIB for that socket.
	- Require user to add servers=<range> after an ip-address option to
	  specify the servers that must listen on that socket.

6 February 2020: Wouter
	- Merge PR#60: Minor portability fixes from michaelforney, with
	  avoid pointer arithmetic on void* and avoid unnecessary VLA.

4 February 2020: Wouter
	- Merge PR#22: minimise-any: prefer popular and not large RRset,
	  from Daisuke Higashi.
	- Fix responses for IXFR so that the authority section is not echoed
	  in the response.

21 January 2020: Wouter
	- Fix leak in server bitset setup.

16 January 2020: Jeroen
	- Add zone resource record iterator for future zone-verification port.
	- Set FD_CLOEXEC on opened sockets.
	- Add popen3 implementation for future zone-verification port.
	- Add -r option to cutest so that a subset of tests can be run.

15 January 2020: Jeroen
	- Add feature to pin server processes to specific cpus.
	- Add feature to pin IP addresses to selected server processes.
	- Set process title to identify individual processes.

13 January 2020: Wouter
	- Merge pull request #59 from buddyns: add FreeBSD support
	  for conf key ip-transparent.

10 January 2020: Wouter
	- Fix unreachable code in ssl set options code.
	- Fix bad shift in assertion code analyzer complaint.

6 January 2020: Wouter
	- Fix #56: Drop sparse TSIG signing support in NSD.
	  Sign every axfr packet with TSIG, according to the latest
	  draft-ietf-dnsop-rfc2845bis-06, Section 5.3.1.

12 December 2019: Wouter
	- Note that use-systemd is not necessary and ignored in man page.

11 December 2019: Wouter
	- Fix whitespace in nsd.conf.sample.in, patch from Paul Wouters.
	- use-systemd is ignored in nsd.conf, when NSD is compiled with
	  libsystemd it always signals readiness, if possible.

9 December 2019: Wouter
	- Fix to define upper bounds on rr counts read from untrusted packet
	  data.
	- Try different annotation for radix_find_prefix_node not reachable.
	- Separate acl_addr_match_range functions for ip4 and ip6, to
	  please checkers.
	- Avoid unused variable warning in new match_range_v4 function.

6 December 2019: Wouter
	- Fix to define max number of EDNS records we are willing to
	  spend time on.
	- Fix size of string len and capacity type cast in udbradtree.
	- Fix to protect rrcount in tsig_find_rr from overflow.
	- Annotate radix_find_prefix_node not reachable trail code.
	- Fix to protect rrcount in packet_find_notify_serial from overflow.
	- Fix to close socket on error in create_tcp_accept_sock.
	- Fix to log on failure to chmod for socket for remote control.
	- Fix to remove unneeded if in open of socket for remote control.
	- Fix to restore input parameter on call failure in create_dirs.
	- Please checker by terminating and initialising string read
	  by remote control.
	- Fixup of random_generate negative modulo, from previous commit,
	  and return srandom when random is used if no getrandom.

5 December 2019: Wouter
	- Fix fname null check of fname in namedb_read_zonefile.
	- Fix implicit cast of size in udb_radnode_array_grow.
	- Fix ignore of return value of ssl_printf in remote.c.
	- Fix unused check of fd in parent_handle_reload_command.
	- Fix to use getrandom() for randomness, if available.
	- Attempt to fix signedness of nscount lookup in ixfr query_process.
	- Fix identical branches for ssl_print of errors in remote.c.
	- Fix type cast bounds, signedness of opt_rdlen in edns_parse_record.
	- Fix to separate header and data lines in parse_zone_list_file.
@
text
@d7 1
a7 1
\rcsdetails{$Id$}   
@


1.1.1.7
log
@Import 4.14.0 (previous was 4.8.0)

NSD 4.14.0 Latest
This release consists of a refactor of the RDATA storage, reducing the memory
footprint of NSD, and various bug fixes.

4.14.0
FEATURES:

Fix #137: Adds tcp-listen-queue: number config option to set
the TCP backlog. The default for the listen TCP backlog is
set to -1 on BSDs and Linux.
Merge #444: Refactor RDATA storage to reduce memory footprint
BUG FIXES:

Fix empty debug statement body in catalog consumer zone process.
Merge #459: Check for libfstrm version >= 0.4.
For #459: Add configure check for fstrm_tcp_writer_options_init
in addition to the check for fstrm_iothr_init.
Merge #460: Add XDP_OBJ fixing link errors for XDP.
Fix XDP build error with --enable-checking
Resolve warnings about mixed declaration and code and unused variable
Fix confusing report for default send and receive buffer-size by
nsd-checkconf
Fix to log more details when send-buffer-size or receive-buffer-size
is not granted, on verbosity level 2.
Update in acx_nlnetlabs.m4 to version 49.
Update in acx_nlnetlabs.m4 to version 50, with cache value for
malloc function check.
Update acx_nlnetlabs.m4 to version 51, with nonstring unknown
attribute warning fix.
Merge #466: Do not delete nodes from non-existent zone's NSEC3 hash
trees
simdzone 0.2.4
BUG FIXES:

Correct lengths for GOST R 34.10-2012 and SM3 delegation signer (DS) digest
algorithms
Require the AMTRELAY relay field to be '.' for the no-gateway relay type as
specified by RFC 8777 (#257)
NSD 4.14.0rc1
Nov 27, 2025
@@mozzieongit mozzieongit
 NSD_4_14_0_RC1
 128ba30
NSD 4.14.0rc1 Pre-release
This release consists of a refactor of the RDATA storage, reducing
the memory footprint of NSD, and various bug fixes.

4.14.0
FEATURES:

Fix #137: Adds tcp-listen-queue: number config option to set
the TCP backlog. The default for the listen TCP backlog is
set to -1 on BSDs and Linux.
Merge #444: Refactor RDATA storage to reduce memory footprint
BUG FIXES:

Fix empty debug statement body in catalog consumer zone process.
Merge #459: Check for libfstrm version >= 0.4.
For #459: Add configure check for fstrm_tcp_writer_options_init
in addition to the check for fstrm_iothr_init.
Merge #460: Add XDP_OBJ fixing link errors for XDP.
Fix XDP build error with --enable-checking
Resolve warnings about mixed declaration and code and unused variable
Fix confusing report for default send and receive buffer-size by
nsd-checkconf
Fix to log more details when send-buffer-size or receive-buffer-size
is not granted, on verbosity level 2.
Update in acx_nlnetlabs.m4 to version 49.
Update in acx_nlnetlabs.m4 to version 50, with cache value for
malloc function check.
Update acx_nlnetlabs.m4 to version 51, with nonstring unknown
attribute warning fix.
Merge #466: Do not delete nodes from non-existent zone's NSEC3 hash
trees
simdzone 0.2.4
BUG FIXES:

Correct lengths for GOST R 34.10-2012 and SM3 delegation signer (DS) digest
algorithms
Require the AMTRELAY relay field to be '.' for the no-gateway relay type as
specified by RFC 8777 (#257)
NSD 4.13.0
Sep 3, 2025
@@mozzieongit mozzieongit
 NSD_4_13_0_REL
 559013e
NSD 4.13.0
This release enables some commonly used features by default, and
introduces experimental support for AF_XDP sockets that can be
enabled with the --enable-xdp feature flag (see
https://nsd.docs.nlnetlabs.nl/en/latest/xdp.html).

4.13.0
FEATURES:

Use '(all)' and '(none)' for the socket server affinity
log output instead of '*' and '-'.
The --enable-bind8-stats feature, was already enabled by default,
is described as enabled by default in usage.
The --enable-zone-stats feature is enabled by default. It can be
turned on with config like zonestats: "%s".
The --enable-ratelimit feature is enabled by default. The
ratelimit value is off by default. It can be turned on with
config like rrl-ratelimit: 200.
The --enable-dnstap feature is enabled by default. If fstrm-devel
or protobuf-c are not found by configure it prints an error.
It can be turned on with config like dnstap-enable: yes.
Change default for send-buffer-size to 4m, to mitigate a
cross-layer issue where the UDP socket send buffers are
exhausted waiting for ARP/NDP resolution. Thanks to Reflyable
for the report.
Disable TLSv1.2 if TLSv1.3 is available.
Merge #449: Add useful logging for XoT transfers.
Merge #425: Add experimental XDP (AF_XDP) support for UDP traffic
Merge #455: --with-dbdir option for configure to set the base
directory for the xfrd zone timer state file, the zone list file
and the cookie secrets file. Thanks Simon Josefsson.
Merge #456: Spelling fixes in metrics.c. Thanks Simon Josefsson.
BUG FIXES:

Fix punctuation of nsd -h output for the -a option.
Fix checkconf unit test for when metrics are not enabled.
Prometheus metrics tests require --enable-zone-stats.
Add unit test for socket server affinity log output.
Move xfrd-tcp unit test to its own file.
Fix contrib/nsd.spec to omit configure flags that are default or
that do not exist.
Fix to remove mention of obsolete root-server option.
Fix mention of draft-rrtypes and root-server configure options.
Fix ci workflow for enable dnstap.
Fix to remove use of sprintf from metrics.
Fix for fstrm and protobuf-c for ci workflow coverity-scan.
Fix for parallel build of dnstap protoc-c output.
Fix to remove unneeded mkdir from Makefile.
Fix dnstap to use protoc and keep dnstap_config.h unchanged if
possible.
Fix to provide doc for --enable-systemd.
Fix to remove debug printout for configure dnstap header.
Fix #441: SystemD script for NSD prevents using chroot.
Fix to add checks for compression pointers and too long dnames in
internal dname routines, dname_make and ixfr dname_length.
Fix to remove shell assignment operator from Makefile for DATE.
make depend.
Fix bitwise operators in conditional expressions with parentheses.
Fix conditional expressions with parentheses for bitwise and.
Merge #445: contrib/nsd.openrc.in: use supervise-daemon and
add need net.
Fix #446 nsd_size_db_in_mem_bytes (size.db.mem) metric not
updated on reload.
Merge #447: Minimize disruptions on reconfig.
For #447: Updated simdzone to latest commit. With the padding
test changes.
For #447: use need_to_send_reload to detect if a reload is issued.
For #447: acl_list_equal already tests for TSIG key changes, so
removed the duplicate checks.
For #447: log crypto error with the SSL_write error.
Update simdzone with support for --enable-pie.
Merge #454 from jaredmauch: handle a rare case, seen in
production, where data->query is NULL.
simdzone 0.2.3
FEATURES:

check_pie: match nsd support (#253).
BUG FIXES:

Fix tests to initialize padding (#252).
Fix for #253, add acx_nlnetlabs.m4 in the repo and allow CFLAGS passed to
configure to set the flags.
NSD 4.13.0rc1
Aug 26, 2025
@@mozzieongit mozzieongit
 NSD_4_13_0_RC1
 9a1a5ed
NSD 4.13.0rc1 Pre-release
This release enables some commonly used features by default, and
introduces experimental support for AF_XDP sockets that can be
enabled with the --enable-xdp feature flag (see
https://nsd.docs.nlnetlabs.nl/en/latest/xdp.html).

4.13.0
FEATURES:

Use '(all)' and '(none)' for the socket server affinity
log output instead of '*' and '-'.
The --enable-bind8-stats feature, was already enabled by default,
is described as enabled by default in usage.
The --enable-zone-stats feature is enabled by default. It can be
turned on with config like zonestats: "%s".
The --enable-ratelimit feature is enabled by default. The
ratelimit value is off by default. It can be turned on with
config like rrl-ratelimit: 200.
The --enable-dnstap feature is enabled by default. If fstrm-devel
or protobuf-c are not found by configure it prints an error.
It can be turned on with config like dnstap-enable: yes.
Change default for send-buffer-size to 4m, to mitigate a
cross-layer issue where the UDP socket send buffers are
exhausted waiting for ARP/NDP resolution. Thanks to Reflyable
for the report.
Disable TLSv1.2 if TLSv1.3 is available.
Merge #449: Add useful logging for XoT transfers.
Merge #425: Add experimental XDP (AF_XDP) support for UDP traffic
Merge #455: --with-dbdir option for configure to set the base
directory for the xfrd zone timer state file, the zone list file
and the cookie secrets file. Thanks Simon Josefsson.
Merge #456: Spelling fixes in metrics.c. Thanks Simon Josefsson.
BUG FIXES:

Fix punctuation of nsd -h output for the -a option.
Fix checkconf unit test for when metrics are not enabled.
Prometheus metrics tests require --enable-zone-stats.
Add unit test for socket server affinity log output.
Move xfrd-tcp unit test to its own file.
Fix contrib/nsd.spec to omit configure flags that are default or
that do not exist.
Fix to remove mention of obsolete root-server option.
Fix mention of draft-rrtypes and root-server configure options.
Fix ci workflow for enable dnstap.
Fix to remove use of sprintf from metrics.
Fix for fstrm and protobuf-c for ci workflow coverity-scan.
Fix for parallel build of dnstap protoc-c output.
Fix to remove unneeded mkdir from Makefile.
Fix dnstap to use protoc and keep dnstap_config.h unchanged if
possible.
Fix to provide doc for --enable-systemd.
Fix to remove debug printout for configure dnstap header.
Fix #441: SystemD script for NSD prevents using chroot.
Fix to add checks for compression pointers and too long dnames in
internal dname routines, dname_make and ixfr dname_length.
Fix to remove shell assignment operator from Makefile for DATE.
make depend.
Fix bitwise operators in conditional expressions with parentheses.
Fix conditional expressions with parentheses for bitwise and.
Merge #445: contrib/nsd.openrc.in: use supervise-daemon and
add need net.
Fix #446 nsd_size_db_in_mem_bytes (size.db.mem) metric not
updated on reload.
Merge #447: Minimize disruptions on reconfig.
For #447: Updated simdzone to latest commit. With the padding
test changes.
For #447: use need_to_send_reload to detect if a reload is issued.
For #447: acl_list_equal already tests for TSIG key changes, so
removed the duplicate checks.
For #447: log crypto error with the SSL_write error.
Update simdzone with support for --enable-pie.
Merge #454 from jaredmauch: handle a rare case, seen in
production, where data->query is NULL.
simdzone 0.2.3
FEATURES:

check_pie: match nsd support (#253).
BUG FIXES:

Fix tests to initialize padding (#252).
Fix for #253, add acx_nlnetlabs.m4 in the repo and allow CFLAGS passed to
configure to set the flags.
NSD 4.12.0
Apr 24, 2025
@@mozzieongit mozzieongit
 NSD_4_12_0_REL
 8eaaab3
NSD 4.12.0
This release introduces Prometheus metrics that can be configured with
enable-metrics (see nsd.conf(5)).

nsd 4.12.0
FEATURES:

Merge #418: Support for DSYNC, EID, NIMLOC, SINK, TALINK, DOA,
AMTRELAY and IPN resource record types.
Merge #420: Zones get state "old-serial" with
nsd-control zonestatus when the served serial is older than
the one received by the transfer daemon.
Merge #429: Add prometheus metrics
BUG FIXES:

Fix to re-enable configuring dns-cookies from the config file, which was
accidentally removed with the 4.11.1 release.
Fix #426: nsd crashes with patterns in config_apply_pattern.
Fix for #430: Confusing documentation: word "outgoing".
Fix for #430: Confusing documentation: word "outgoing". Add wording
to tcp-count, xfrd-tcp-max, xfrd-tcp-pipeline options.
Fix that nsec3 prehash after a full transfer can create the nsec3
zone trees if they are needed.
Fix in nsd-mem for a zone with ixfr data.
Fix ixfr read routine for use after the temp region is freed of rr.
Fix ixfr file read to manage numlist in temp domains.
Fix nsd-mem to clean ixfr storage.
Fix log print assert in server sockets for printing '-' empty.
Fix notify_fmt test for xfrd file location.
Fix sanitizer warnings in read_uint32.
Fix sanitizer warning in tsig write of zero length mac and otherdata.
Fix to please sanitizer for ixfr store of data in cancelled state.
Fix multiple zone transfers in one reload so that xfrd does not
check the update as failed and restart the transfer.
Fix read of ixfr file with rdata subdomain.
Fix test checkconf for metrics options.
Updated simdzone to include fixes for NSAP-PTR, LOC,
uninitialized reads, and comment nit.
Fix #436: Fix print of RR type NSAP-PTR.
Fix unit test call to zone_parse_string and initialize padding.
Fix escape more characters when printing an RR type with an
unquoted string.
Fix memory leak in the process of addzone.
Fix to update common.sh for speed of kill_pid.
Fix nsd-checkzone ixfr create cleanup on exit.
simdzone 0.2.2
FEATURES:

Support for EID, NIMLOC, SINK, TALINK, DSYNC, DOA, AMTRELAY
and IPN RR types.
BUG FIXES:

Empty base16 and base64 in CDS and CDNSKEY can be represented
with a '0'. As specified in Section 4 of RFC 8078.
Initialise padding after the file buffer (#249).
Fix type NSAP-PTR (#250).
Fix LOC poweroften lookup (#251).
NSD 4.12.0rc1
Apr 16, 2025
@@mozzieongit mozzieongit
 NSD_4_12_0_RC1
 fee5394
NSD 4.12.0rc1 Pre-release
This release introduces Prometheus metrics that can be compiled with
--enable-prometheus-metrics and configured with enable-metrics (see
nsd.conf(5)).

4.12.0
FEATURES:

Merge #418: Support for DSYNC, EID, NIMLOC, SINK, TALINK, DOA,
AMTRELAY and IPN resource record types.
Merge #420: Zones get state "old-serial" with
nsd-control zonestatus when the served serial is older than
the one received by the transfer daemon.
Merge #429: Add prometheus metrics
BUG FIXES:

Fix to re-enable configuring dns-cookies from the config file, which was
accidentally removed with the 4.11.1 release.
Fix #426: nsd crashes with patterns in config_apply_pattern.
Fix for #430: Confusing documentation: word "outgoing".
Fix for #430: Confusing documentation: word "outgoing". Add wording
to tcp-count, xfrd-tcp-max, xfrd-tcp-pipeline options.
Fix that nsec3 prehash after a full transfer can create the nsec3
zone trees if they are needed.
Fix in nsd-mem for a zone with ixfr data.
Fix ixfr read routine for use after the temp region is freed of rr.
Fix ixfr file read to manage numlist in temp domains.
Fix nsd-mem to clean ixfr storage.
Fix log print assert in server sockets for printing '-' empty.
Fix notify_fmt test for xfrd file location.
Fix sanitizer warnings in read_uint32.
Fix sanitizer warning in tsig write of zero length mac and otherdata.
Fix to please sanitizer for ixfr store of data in cancelled state.
Fix multiple zone transfers in one reload so that xfrd does not
check the update as failed and restart the transfer.
Fix read of ixfr file with rdata subdomain.
Fix test checkconf for metrics options.
Updated simdzone to include fixes for NSAP-PTR, LOC,
uninitialized reads, and comment nit.
Fix #436: Fix print of RR type NSAP-PTR.
Fix unit test call to zone_parse_string and initialize padding.
Fix escape more characters when printing an RR type with an
unquoted string.
Fix memory leak in the process of addzone.
Fix to update common.sh for speed of kill_pid.
Fix nsd-checkzone ixfr create cleanup on exit.
simdzone 0.2.2
FEATURES:

Support for EID, NIMLOC, SINK, TALINK, DSYNC, DOA, AMTRELAY and IPN RR types.
BUG FIXES:

Empty base16 and base64 in CDS and CDNSKEY can be represented with a '0'.
As specified in Section 4 of RFC 8078.
Initialise padding after the file buffer (#249).
Fix type NSAP-PTR (#250).
Fix LOC poweroften lookup (#251).
NSD_4_11_1_REL: NSD 4.11.1
Jan 19, 2025
@@wtoorop wtoorop
 NSD_4_11_1_REL
 2f62877
NSD_4_11_1_REL: NSD 4.11.1
NSD version 4.11.0 had a serious bug in which applying updates to
zones (and other modifications that require a reload, such as adding
and deleting zones), could stop entirely after reception of a broken
or corrupted update via zone transfer. We believe that this broken
state would appear as one of the NSD processes consuming 100% CPU.
Version 4.11.1 has this corrected as well as some other smaller
non-critical bugs.

We strongly advise to not run NSD version 4.11.0, and if you have
it deployed already, upgrade to 4.11.1 at the earliest possible
opportunity.

Many thanks to the people at SUNET and netnod (Fredrik and Arvid
and all the others) that helped us to get to the bottom of this
critical issue!

nsd 4.11.1
BUG FIXES:

Fix #415: Fix out of tree builds. Thanks Florian Obser (@@fobser).
Fix #414: XoT interoperability with BIND and Knot
Fix #421: old-main can quit before the reload process has received,
on the reload_listener pipe, the message from old-main that it is done.
Thanks Otto Retter.
Fix whitespace in comment.
Fix #424: Stalled updates after corrupt transfer.
simdzone 0.2.1
BUG FIXES:

Cleanup westmere and haswell object files (#244) Thanks @@fobser
Out of tree builds (#415)
Fix function declarations for fallback detection routine in
isadetection.h.
NSD 4.11.0
Dec 12, 2024
@@wtoorop wtoorop
 NSD_4_11_0_REL
 c628f66
NSD 4.11.0
This release has various small features and bugfixes.

One notable feature is that configuration can be reloaded and
evaluated on SIGHUP, when enabled with the new "reload-config"
option. Also new is that cookie secrets will be reevaluated from
config too.

One notable bugfix is to process and apply non transfer tasks before
transfer tasks during reloads. Before, non transfer tasks (such as
adding or deleting zones) would be lost when batched together with
a transfer task that would fail to apply.

NSD 4.11.0
FEATURES:

Support reloading configuration on SIGHUP.
Fix #383: log timestamps in ISO8601 format with timezone.
This adds the option log-time-iso: yes that logs in ISO8601
format.
Updated cookie secrets management.
The default cookie secret file location can be set at compile time
with the --with-cookiesecretsfile=path option to configure. The
default location is changed to {dbdir}/cookiesecrets.txt. The
previous default location will be checked at startup when there is
no cookie secrets file at the new default location.
A staging cookie can now also be configured in the configuration
file and secrets configured in the configuration file now take
precedence over those read from file.
All DNS related settings in the configuration file will be reevaluated
and take effect after nsd-control reconfig.
Merge #398: RFC 9660 The DNS Zone Version (ZONEVERSION) Option
Merge #406: ohttp and tls-supported-groups SvcParam support
Merge #408: NINFO, RKEY, RESINFO, WALLET, CLA and TA RR types
Merge #409: Writing of NSAP-PTR, GPOS and HIP RR types
Merge #407: Better balanced verbosity levels for logging.
BUG FIXES:

Fix title underline and declaration after statement warnings.
Add cross platform freebsd, openbsd and netbsd to github ci.
Update simdzone to include fix for netbsd double bswap declarations,
and also semantic checks for DS and ZONEMD. And CFLAGS has -march
prepended to fix detection.
Merge #376: Point the user towards tcpdump for logging individual
queries.
Track $INCLUDEs in zone files.
Fix ci to update macos-12 to the macos-15 runner image.
Merge #390: Apply non-xfr tasks before xfr tasks.
This fixes an issue where non-xfr tasks are lost when they are
batch processed together with an xfr task that fails to apply.
This merge also changes that notifies are passed on from the serve
processes to the xfrd directly instead of via main. This was
necessary to allow applying the non-xfr tasks without forking a
backup-main for the sole purpose of forwarding notifies.
Merge #391: Update copyright lines (in version output).
Fix #392: Inconsistent documentation about control-interface.
Merge #395: Explain the zonefile example better.
Merge #394: Fix the path to use doc/manual/.
Fix analyzer issue in do_print_cookie_secrets to check for failure.
Merge #404: Introducing Sphinx substitution in code blocks.
As well as other fixes with Sphinx build.
Update Copyright lines in help output
Merge #395: Explain zonefile example better
Merge #394: Fix doc path (fixes "Edit on GitHub" button in the docs)
Fix Makefile for parallel build failure around bison rule.
Fix #405: Fix typo in documentation.
Treat a mismatch in RRset TTLs as a warning.
simdzone 0.2.0
FEATURES:

Add semantic checks for DS and ZONEMD digests (#205).
Support registering a callback for $INCLUDE entries
(#229).
Add tls-supported-groups SvcParam support.
Check iana registries for unimplemented (new) RR types and
SvcParamKeys.
Add support for NINFO, RKEY, RESINFO, WALLET, CLA and TA RR types.
BUG FIXES:

Prepend -march to CFLAGS to fix architecture detection
(#372).
Fix propagation of implicit TTLs (#375).
Fix detection of Westmere architecture by checking for CLMUL too.
Fix compilation on NetBSD (#233).
Fix reading specialized symbolic links (#380).
NSD 4.10.1
Aug 2, 2024
@@k0ekk0ek k0ekk0ek
 NSD_4_10_1_REL
 b92327b
NSD 4.10.1
NSD 4.10.1

This release consists primarily of bug fixes.

@@bilias implemented mutual TLS authentication for zone transfers.
Please consult the nsd.conf manual for details on the newly introduced
configuration options tls-auth-port and tls-auth-xfr-only.

@@orlitzky provided integration for the OpenRC init system.

Version 4.10.0 was the first release to integrate simdzone. Build
issues on OpenBSD releases before 5.6, Gentoo and Solaris have been
reported and fixed. The fallback parser, used on systems that lack
SSE4.2 and AVX2 instruction sets, contained some bugs with regards
to state keeping and, under certain circumstances, a use-after-free
bug was encountered in buffer management.

4.10.1
FEATURES:

Merge #352 from orlitzky: contrib: add OpenRC service script, config
file, and tmpfiles entry.
Merge #337 from bilias: Mutual TLS-AUTH.
BUG FIXES:

Fix incorrect punctuation of log messages.
Fix for #317, document more text on pidfile permissions.
Fix #334: RFC8482 behavior documentation.
Fix for OpenSSL 3.0 deprecated functions.
Merge #341: Fix allow-query wording in nsd.conf.5.in.
Fix test script from making spurious output.
Fix cpu_affinity and socket_partitioning tests for --enable-log-role.
Fix #344: Update simdzone.
Fix #347: Adjust verbosity for TLS (+TCP) to be 5.
Merge #348: Move TLS logging to verbosity level 5.
For #347: Also adjust verbosity of log message for remaining TCP connections.
Merge #349: log file name before loading.
Use MAKE variable rather than make command directly in Makefile.
Serialize WKS RRs using numeric values rather than names.
Fix propagation of Makefile targets to simdzone.
Do not log ACL mismatch on followed CNAMEs.
Fix link of xfr-inspect for libssl dependency.
Initialize tls_auth_port and tls_auth_xfr_only options.
Merge #358: Fix Hurd build error due to log_err.
Update simdzone to fix detection of AVX2 support.
simdzone 0.1.1
FEATURES:

Test to verify configure.ac and Makefile.in are correct.
Add support for reading from stdin if filename is "-".
Add support for building with Oracle Developer Studio 12.6.
Add support for "time" service for Well-Known Services (WKS) RR.
BUG FIXES:

Fix makefile dependencies.
Fix makefile to use source directory for build dependencies.
Fix changelog to reflect v0.1.0 release.
Update makefile to not use target-specific variables.
Fix makefile clean targets.
Fix state keeping in fallback scanner for contiguous and quoted.
Fix bug in name scanner.
Fix type mnemonic parsing in fallback parser.
Fix endian.h to include machine/endian.h on OpenBSD releases before 5.6.
Fix use after free on buffer resize.
Fix parsing of numeric protocols in WKS RRs.
Make devclean target depend on realclean target.
Fix detection of AVX2 support by checking generic AVX support by
the processor and operating system (#222).
CHANGES:

Make relative includes relative to current working directory.
Split Autoconf and CMake compiler tests for supported SIMD instructions.
NSD 4.10.1rc2
Jul 23, 2024
@@k0ekk0ek k0ekk0ek
 NSD_4_10_1_RC2
 f0bb464
NSD 4.10.1rc2 Pre-release
NSD 4.10.1rc2

This release consists primarily of bug fixes.

@@bilias implemented mutual TLS authentication for zone transfers. Please
consult the nsd.conf manual for details on the newly introduced configuration
options tls-auth-port and tls-auth-xfr-only.

@@orlitzky provided integration for the OpenRC init system.

Version 4.10.0 was the first release to integrate simdzone. Build issues on
OpenBSD releases before 5.6, Gentoo and Solaris have been reported and fixed.
The fallback parser, used on systems that lack SSE4.2 and AVX2 instruction
sets, contained some bugs with regards to state keeping and under certain
circumstances a use after free bug was encountered in buffer management.

4.10.1
FEATURES:

Merge #352 from orlitzky: contrib: add OpenRC service script, config
file, and tmpfiles entry.
Merge #337 from bilias: Mutual TLS-AUTH.
BUG FIXES:

Fix incorrect punctuation of log messages.
Fix for #317, document more text on pidfile permissions.
Fix #334: RFC8482 behavior documentation.
Fix for OpenSSL 3.0 deprecated functions.
Merge #341: Fix allow-query wording in nsd.conf.5.in.
Fix test script from making spurious output.
Fix cpu_affinity and socket_partitioning tests for --enable-log-role.
Fix #344: Update simdzone.
Fix #347: Adjust verbosity for TLS (+TCP) to be 5.
Merge #348: Move TLS logging to verbosity level 5.
For #347: Also adjust verbosity of log message for remaining TCP
connections.
Merge #349: log file name before loading.
Use MAKE variable rather than make command directly in Makefile.
Serialize WKS RRs using numeric values rather than names.
Fix propagation of Makefile targets to simdzone
Do not log ACL mismatch on followed CNAMEs.
simdzone 0.1.1
FEATURES:

Test to verify configure.ac and Makefile.in are correct.
Add support for reading from stdin if filename is "-".
Add support for building with Oracle Developer Studio 12.6.
Add support for "time" service for Well-Known Services (WKS) RR.
BUG FIXES:

Fix makefile dependencies.
Fix makefile to use source directory for build dependencies.
Fix changelog to reflect v0.1.0 release.
Update makefile to not use target-specific variables.
Fix makefile clean targets.
Fix state keeping in fallback scanner for contiguous and quoted.
Fix bug in name scanner.
Fix type mnemonic parsing in fallback parser.
Fix endian.h to include machine/endian.h on OpenBSD releases before 5.6.
Fix use after free on buffer resize.
CHANGES:

Make relative includes relative to current working directory.

NSD 4.10.1rc1 Pre-release
NSD 4.10.1rc1

This release consists primarily of bug fixes.

@@bilias implemented mutual TLS authentication for zone transfers. Please
consult the nsd.conf manual for details on the newly introduced configuration
options tls-auth-port and tls-auth-xfr-only.

@@orlitzky provided integration for the OpenRC init system.

Version 4.10.0 was the first release to integrate simdzone. Build issues on
OpenBSD releases before 5.6, Gentoo and Solaris have been reported and fixed.
The fallback parser, used on systems that lack SSE4.2 and AVX2 instruction
sets, contained some bugs with regards to state keeping and under certain
circumstances a use after free bug was encountered in buffer management.

4.10.1
FEATURES:

Merge #352 from orlitzky: contrib: add OpenRC service script, config
file, and tmpfiles entry.
Merge #337 from bilias: Mutual TLS-AUTH.
BUG FIXES:

Fix incorrect punctuation of log messages.
Fix for #317, document more text on pidfile permissions.
Fix #334: RFC8482 behavior documentation.
Fix for OpenSSL 3.0 deprecated functions.
Merge #341: Fix allow-query wording in nsd.conf.5.in.
Fix test script from making spurious output.
Fix cpu_affinity and socket_partitioning tests for --enable-log-role.
Fix #344: Update simdzone.
Fix #347: Adjust verbosity for TLS (+TCP) to be 5.
Merge #348: Move TLS logging to verbosity level 5.
For #347: Also adjust verbosity of log message for remaining TCP
connections.
Merge #349: log file name before loading.
Use MAKE variable rather than make command directly in Makefile.
Serialize WKS RRs using numeric values rather than names.
Fix propagation of Makefile targets to simdzone
Do not log ACL mismatch on followed CNAMEs.
simdzone 0.1.1
FEATURES:

Test to verify configure.ac and Makefile.in are correct.
Add support for reading from stdin if filename is "-".
Add support for building with Oracle Developer Studio 12.6.
Add support for "time" service for Well-Known Services (WKS) RR.
BUG FIXES:

Fix makefile dependencies.
Fix makefile to use source directory for build dependencies.
Fix changelog to reflect v0.1.0 release.
Update makefile to not use target-specific variables.
Fix makefile clean targets.
Fix state keeping in fallback scanner for contiguous and quoted.
Fix bug in name scanner.
Fix type mnemonic parsing in fallback parser.
Fix endian.h to include machine/endian.h on OpenBSD releases before 5.6.
Fix use after free on buffer resize.
CHANGES:

Make relative includes relative to current working directory.
NSD 4.10.0
Jun 13, 2024
@@wcawijngaards wcawijngaards
 NSD_4_10_0_REL
 d69dc13
NSD 4.10.0
NSD 4.10.0

Version 4.10.0 integrates simdzone and drops the Flex+Bison zone
parser.

NSD used a Flex+Bison based zone parser since version 1.4.0. The parser
served NSD well, but zones have increased in size and zone loading
performance has been problematic for some users.

With the integration of simdzone
(https://github.com/NLnetLabs/simdzone),
performance of loading zones and IXFRs is drastically improved. Quick
measurements show improvements ranging anywhere from 3.8x to 1.6x,
depending on zone size and database type, though the improvements will
be less noticeable for NSEC3 zones due to pre-hashing.

simdzone leverages SIMD instructions in modern CPUs to improve
throughput. Right now SSE4.2 and AVX2 instruction sets are supported,
other instruction sets will use the fallback implementation, which
still is a decent improvement over the Flex+Bison based parser.

The release has additional fixes from the release candidate. Parsing
of lowercase type names is fixed and the x86_64 variable is set to no
for other machines.

4.10.0
FEATURES:

Merge #278: Replace Flex+Bison based zone parser with simdzone.
Performance of loading zones and IXFRs is greatly improved by using
the simdzone project by NLnet Labs. The optimized presentation
format parser leverages SIMD instructions in modern CPUs to improve
throughput. Right now SSE4.2 and AVX2 instruction sets are
supported, other instruction sets will use the fallback
implementation, which still is a decent improvement over the
Flex+Bison based parser.
BUG FIXES:

Fix so that the server does not follow symbolic links when it
truncates the pidfile.
Fix #317: nsd should not chown its PID file.
For #317: Modify nsd service script to stop NSD from creating a pid
file that systemd is not using.
Fix #324: Clarify the purpose of contrib/bug390.patch.
Fix IXFR requests upstream for zones with a long name. Thanks for the
report to Yuuki Wakisaka from Internet Initiative Japan Inc.
Unit test for dname subdomain test used by xfrd-tcp.c.
Fix #329: TCP accept queues number.
Fix that the reload handler for sigchild uses signal_add, and also
that the signal handler is restored when done.
Fix that when server verify is done it resets the sigchild handler.
Fix makedist.sh for simdzone inclusion.
Fix makedist.sh to remove simdzone git tracking information and
scripting temporaries from tarball.
Fix error output of makedist.sh.
Use simdzone version with name parser fix.
Bump simdzone version to fix OpenBSD build issues.
Bump simdzone to include minor fixes.
NSD_4_10_0_RC1
Apr 25, 2024
NSD_4_10_0_RC1 Pre-release
NSD 4.10.0rc1 is available:

Version 4.10.0 integrates simdzone and drops the Flex+Bison zone parser.

NSD used a Flex+Bison based zone parser since version 1.4.0. The parser served
NSD well, but zones have increased in size and zone loading performance has
been problematic for some users.

With the integration of simdzone (https://github.com/NLnetLabs/simdzone),
performance of loading zones and IXFRs is drastically improved. Quick
measurements show improvements ranging anywhere from 3.8x to 1.6x depending
on zone size and database type, though the improvements will be less noticeable
for NSEC3 zones due to pre-hashing.

simdzone leverages SIMD instructions in modern CPUs to improve throughput.
Right now SSE4.2 and AVX2 instruction sets are supported, other instruction
sets will use the fallback implementation, which still is a decent improvement
over the Flex+Bison based parser.

The release candidate window will be longer this time, as simdzone is rather
new: while it has been tested on various architectures and operating systems,
problems are likely to pop up due to the sheer amount of code. Please
consider giving this release candidate a good run and report any problems.

4.10.0
FEATURES:

Merge #278: Replace Flex+Bison based zone parser with simdzone.
Performance of loading zones and IXFRs is greatly improved by using
the simdzone project by NLnet Labs. The optimized presentation format
parser leverages SIMD instructions in modern CPUs to improve throughput.
Right now SSE4.2 and AVX2 instruction sets are supported, other
instruction sets will use the fallback implementation, which still is
a decent improvement over the Flex+Bison based parser.
BUG FIXES:

Fix that when the server truncates the pidfile, it does not follow
symbolic links.
Fix #317: nsd should not chown its PID file.
For #317: Modify nsd service script to stop NSD from creating a
pid file that systemd is not using.
Fix #324: Clarify the purpose of contrib/bug390.patch.
Fix IXFR requests upstream for zones with a long name. Thanks for
the report to Yuuki Wakisaka from Internet Initiative Japan Inc.
Unit test for dname subdomain test used by xfrd-tcp.c.
Fix #329: TCP accept queues number.
Fix that the reload handler for sigchild uses signal_add, and
also that the signal handler is restored when done.
Fix that when server verify is done it resets the sigchild handler.
Fix makedist.sh for simdzone inclusion.
Fix makedist.sh to remove simdzone git tracking information and
scripting temporaries from tarball.
Fix error output of makedist.sh.
Use simdzone version with name parser fix.
Bump simdzone version to fix OpenBSD build issues.
NSD 4.9.1
Apr 4, 2024
NSD 4.9.1
NSD 4.9.1

This release fixes the build scripts of the 4.9.0 release.

Version 4.9.0 adds support for DNS Catalog Zones (RFC 9432) version "2".

Both producer and consumer roles for catalog zones are implemented, but
only a single consumer zone is allowed. The "coo" property, relevant
when multiple consumer zones can be configured, is therefore not
supported. The "group" property is. Consult the nsd.conf man page for
details on how to configure and use catalog zones.

Thanks to Fredrik Pettai from Sunet for providing feedback and testing
DNS Catalog Zones.

4.9.1
BUG FIXES:

Use rooted temporary path in makedist.sh.
NSD 4.9.0
Apr 3, 2024
NSD 4.9.0
NSD 4.9.0

This release adds support for DNS Catalog Zones (RFC 9432) version "2".

Both producer and consumer roles for catalog zones are implemented, but
only a single consumer zone is allowed. The "coo" property, relevant
when multiple consumer zones can be configured, is therefore not
supported. The "group" property is. Consult the nsd.conf man page for
details on how to configure and use catalog zones.

Thanks to Fredrik Pettai from Sunet for providing feedback and testing
DNS Catalog Zones.

4.9.0
FEATURES:

Merge #315: Allow SOA apex queries to otherwise with allow-query
protected zones for clients matching a provide-xfr rule, because
clients that are allowed to transfer the zone need to be able to
query SOA at the apex preceding the actual transfer.
Merge #304: Support for Catalog zones version "2" as specified in
RFC 9432. Both the consumer as well as the producer role are
implemented, but only a single catalog consumer zone is allowed.
The "coo" property, only relevant with multiple catalog consumer,
is therefore not supported. The "group" property is supported.
Have a look at the nsd.conf man page for details on how to
configure and use catalog zones.
BUG FIXES:

Fix to sync the tests script file common.sh.
Update test script file common.sh.
Fix #306: Missing AC_SUBST(dbdir) breaks installation with 4.8.0.
Fix for #306: Create directory for xfrd.state and zone.list files
in make install.
Merge #307 from anandb-ripencc: Many improvements to the nsd.conf
man page.
Fix #308: Deprecate "multi-master-check" in favour of
"multi-primary-check".
Merge #309: More RFC 8499 compliance.
Fix control-reconfig-xfrd test for zonestatus primary that is
printed by nsd-control zonestatus.
Move acx_nlnetlabs.m4 to version 47, with crypt32 check.
Move acx_nlnetlabs.m4 to version 48, with ssp and getaddrinfo
include check.
Fix #313: nsd 4.8 stats with implausible spikes.
Fix compile with memclean for xfrd nsd.db close.
In xfrd del secondary zone, the timer could perhaps have
event_added, and if so, it would not be event_del if a tcp
connection is active at the time. This could cause the libevent
event lists to fail. Also fix to make sure to set event_added for
the nsd-control ssl nonblocking handshake and check event_added
there too, for extra certainty.
Merge #316: Fix to reap defunct children by the reload process that
emerged when some serve child processes were still serving TCP
request while the others had already quit, while the reload process
was waiting for the signal from the backup/old main process that all
children exited.
Fix (also from Merge #316) to reap exited children more frequently
from server main loop for processes that exited during reload, but
missed the initial reaping at start of the main loop because they
took somewhat longer to exit.
Fix timing sensitivity in ixfr_outsync test.
Test if debug is available in do-tests.
Enforce timeout from NSD in ixfr_gone test.
Update expressions in ixfr_and_restart test.
Make algorithm explicit in control-repattern test.
Switch algorithm to hmac-256 for testplan_mess test.
Replace multiple strcat and strcpy by snprintf.
NSD 4.8.0
Dec 6, 2023
@
text
@d7 1
a7 1
\rcsdetails{Id}   
@


1.1.1.1.4.1
log
@file differences.tex was added on branch pgoyette-localcount on 2017-03-20 06:56:05 +0000
@
text
@d1 819
@


1.1.1.1.4.2
log
@Sync with HEAD
@
text
@a0 819
% DIFFERENCES NSD 3 and other name servers.
\documentclass[twoside,titlepage,english]{nlnetlabs}
\newcites{rfc}{RFC references}

\def\nlnetlabsno{2006-004}

\rcsdetails{Id: differences.tex 2438 2006-09-05 09:58:47Z wouter }   
% Prints RCS details at the bottom of the page.

\title{Response Differences between\\ NSD and other DNS Servers}
\author{
	%This escape is needed. Because of wrapping by hyperref
	\texorpdfstring{
		Jelte Jansen\thanks{\href{mailto:jelte@@nlnetlabs.nl}{jelte@@nlnetlabs.nl}},
		\textsl{NLnet Labs}\\
		Wouter Wijngaards\thanks{\href{mailto:wouter@@nlnetlabs.nl}{wouter@@nlnetlabs.nl}},
		\textsl{NLnet Labs}
	}
	{Jelte Jansen, Wouter C.A. Wijngaards}
}
\date{
	\today
}

\begin{document}
\flushbottom
\maketitle{}

\begin{abstract}
This note describes observed differences in responses between NSD and
other DNS server implementations. NSD 3.0.0 is compared to NSD 2.3.6,
BIND 8.4.7 and BIND 9.3.2. Differences in answers to captured queries from 
resolvers are tallied and analyzed. No interoperability problems are found.
\end{abstract}


\tableofcontents
\newpage

\section{Introduction}

The NSD name server is compared to other DNS server implementations
in order to assess server interoperability.
The goal is to observe differences in the answers that the name servers
provide. These differences are categorized and counted. 

We used BIND 8 and BIND 9 versions to compare against. Also regression
tests have been run on our testlab, comparing NSD 2 versus NSD 3.

Our method uses a set of queries captured from production name servers. 
These queries are sent over UDP to a name server set up to serve a 
particular zone. Then the responses from the name server are recorded. 
For every query, the different answers provided by the server 
implementations are compared.

Unparseable answers and missing answers from the servers are handled 
identically by the comparison software. This is not a problem because 
both BIND and NSD are mature and stable DNS implementations; all answers 
they send are parseable. Only in a very few cases, where the query is 
very badly formed, is no answer sent back.

The differences are found by replaying captured DNS query traces from 
the NL TLD and from the root zone against different name servers. The 
differences in the answers are then analyzed, by first performing a
byte-comparison on the packets. If the packets differ at the byte level, 
the contents are parsed, thus removing differences in domain name 
compression, and normalized (sorted, lowercase) in presentation. If the
results do not match after normalization, then a list of difference 
categories is consulted. The difference is classified as the first
category that matches. If a difference in answers does not match any 
category, then the process stops and the user is notified. All the
differences are categorized for the traces we present.

In addition, we gratefully made use of the PROTOS DNS tool developed 
at the University of Oulu which they made publicly available at 
\href{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
{the protos webpage}\footnote{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
and played the queries against the authoritative name servers.
We fixed a packet parsing error in NSD3-prerelease and both NSD3 and
BIND 9.3.2 remained running and responsive.

Additionally we used the faulty DNS query traces in the wiki-ethereal
repository. These can be found in \href{http://wiki.ethereal.com/SampleCaptures}
{the ethereal wiki}\footnote{http://wiki.ethereal.com/SampleCaptures}.
These traces posed no problem for BIND or NSD; they mostly produced FORMERR answers.

A previous document DIFFERENCES between BIND 8.4.4 and NSD 2.0.0 can be found
in the NSD 2.x package.

In the places where differences have been found between BIND and NSD,
in the authors' opinion, no interoperability problems result for resolvers.


\section{Response differences between BIND 9.3.2 and NSD 3.0.0}

In this section the response differences between BIND 9.3.2 and NSD 3.0.0
are presented and analyzed. We start in Section~\ref{root_b932nsd3} and 
Section~\ref{nl_b932nsd3} with presenting
the difference statistics for two test traces. Then in 
Section~\ref{sec:features} and Section~\ref{sec:funcdiff}
the difference categories are explained in more detail.


\subsection{Comparison of responses to root queries}
\label{root_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2 for a root trace.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
d-additional (\ref{d-additional}) 	&        455607 & 59.19\%	\\
n-clrdobit (\ref{n-clrdobit})		&        208389 & 27.07\%	\\
b-soattl (\ref{b-soattl})		&        101707 & 13.21\%	\\
n-update (\ref{n-update})		&          1858 & 0.24\%	\\
d-hostname (\ref{d-hostname})		&          1032 & 0.13\%	\\
d-formerrquery (\ref{d-formerrquery})	&           773 & 0.10\%	\\
b-class0 (\ref{b-class0})		&           264 & 0.03\%	\\
d-refusedquery (\ref{d-refusedquery})	&            79 & 0.01\%	\\
d-notify (\ref{d-notify})		&            18 & 0.00\%	\\
b-mailb (\ref{b-mailb})			&             7 & 0.00\%	\\
n-tcinquery (\ref{n-tcinquery})		&             6 & 0.00\%	\\
b-classany-nxdomain (\ref{b-classany-nxdomain})	&     5 & 0.00\%	\\
d-badqueryflags (\ref{d-badqueryflags})	&             4 & 0.00\%	\\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	&             3 & 0.00\%	\\
d-version (\ref{d-version})		&             1 & 0.00\%	\\
Total number of differences:            &        769753 & 100\%	\\
Number of packets the same after normalization:&1474863	\\
Number of packets exactly the same on the wire:&  59161	\\
Total number of packets inspected:             &2244616	\\
\end{tabular}

For each type of difference the number of packets in the trace that
match that difference are shown. The section where that difference
is analyzed is shown in parenthesis after the difference name.
The percentage of differences
explained by the difference category is listed.  Adding up the packets
that are different gives the total number of differences, or 100\%
of the differences.

The number of packets after normalization includes the number of
packets that are the same on the wire.  
The total number of query packets is displayed at the bottom of the table.


\subsection{Comparison of responses to NL TLD queries}
\label{nl_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2, for a trace for .nl.

\begin{tabular}{lrr}
{\em difference}                        & {\em packets} & {\em \%diff} \\
d-unknown-opcode (\ref{d-unknown-opcode})               &     2541 & 26.44\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})               &     1817 & 18.91\% \\
n-clrdobit (\ref{n-clrdobit})           &     1495 & 15.56\% \\
b-soattl (\ref{b-soattl})               &     1120 & 11.65\% \\
n-update (\ref{n-update})               &      990 & 10.30\% \\
d-badqueryflags (\ref{d-badqueryflags})         &      847 & 8.81\% \\
d-hostname (\ref{d-hostname})           &      531 & 5.52\% \\
d-notify (\ref{d-notify})               &       98 & 1.02\% \\
b-upwards-ref (\ref{b-upwards-ref})             &       78 & 0.81\% \\
n-clrcdbit (\ref{n-clrcdbit})           &       63 & 0.66\% \\
d-version (\ref{d-version})             &       22 & 0.23\% \\
b-noglue-nsquery (\ref{b-noglue-nsquery})               &        8 & 0.08\% \\
b8-badedns0 (\ref{b8-badedns0})         &        1 & 0.01\% \\
Total number of differences: & 9611 & 100\% \\
Number of packets the same after normalization: & 90389 \\
Number of packets exactly the same on the wire: & 52336 \\
Total number of packets inspected: & 100000 \\
\end{tabular}

\subsection{Features}
\label{sec:features}

In this section we enumerate a number of differences between 
BIND 9.3.2 and NSD 3.0.0 that cannot be immediately explained
as design choices. These features could be seen as bugs in software
or protocol specs, except that they do not lead to interoperability 
problems.


\subsubsection{n-clrdobit - NSD clears DO bit in response}
\label{n-clrdobit}

NSD clears the DO bit in answers to queries with the DO bit. BIND copies the
DO bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

In RFC4035\cite{rfc4035} the DO bit is not specified for answers. In the examples section
of that RFC the DO bit is shown for signed dig responses, although this could 
refer to the query or the answer. NSD clears the DO bit for all answers, a 
decision based on speed: the EDNS record sent back by NSD is precompiled and
not modified during answer processing.


\subsubsection{n-clrcdbit - NSD clears CD bit in response}
\label{n-clrcdbit}

NSD clears the CD bit in answers to queries with the CD bit. BIND copies the
CD bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

RFC 4035\cite{rfc4035} asserts that the CD bit must be cleared for 
authoritative answers. The CD bit should be copied into the answer
by recursive servers. BIND copies the CD bit for some formerr queries.


\subsubsection{b-class0 - CLASS0 formerr in BIND}
\label{b-class0}

For CLASS 0, you get either FORMERR (from BIND) or REFUSED (from NSD).

\vspace{-8pt}\subparagraph{Analysis:}

Difference in interpretation of the RFCs, a CLASS value of 0 is interpreted
as a syntax error by BIND but as another valid class (that is not served)
by NSD. Resolvers are unaffected for CLASS IN.


\subsubsection{n-tcinquery - TC bit in query is formerr for NSD}
\label{n-tcinquery}

NSD returns FORMERR if the TC bit is set in the query.

\vspace{-8pt}\subparagraph{Analysis:}

Queries cannot be longer than 512 octets, since the DNS header is short
and the query DNS name has a maximum length of 255 octets. Thus 
TC (TrunCation) cannot happen. Only one question per query packet is 
answered by NSD; this is a design decision.

Some update, ixfr request, notify, gss-tsig TKEY sequence queries could 
theoretically carry longer data in the query from the client. In practice
this does not happen, as 255 octet uncompressed names are not used.
If this were to happen, the client could attempt a TCP connection
immediately instead of setting a TC bit, or use EDNS0 to send longer packets.

In this respect NSD is stricter in validation than BIND.


\subsubsection{b-soattl - BIND sets SOA TTL in authority section to 0 for SOA queries}
\label{b-soattl}

This happens when asking for the SOA for a domain that is not served.

\footnotesize
\begin{verbatim}
Query:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA
\end{verbatim}
\normalsize


Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 6097
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       0       IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 10 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:52:36 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 26095
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 60 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:53:30 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

BIND conforms to the Internet-Draft draft-andrews-dnsext-soa-discovery, which 
at the time of development had not (yet) been published as an RFC. 
NSD conforms to the published RFCs.


\subsubsection{b-classany-nxdomain - BIND gives an auth answer for class ANY nxdomain}
\label{b-classany-nxdomain}

A difference in behaviour for CLASS=ANY queries. For existing domains both
BIND and NSD reply with AA bit cleared. For not existing domains (nxdomain)
NSD replies with AA bit cleared. BIND replies with AA bit on and includes a
SOA (CLASS=IN) for the zone, as for an authoritative nxdomain.

Query:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13328
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruO.  ANY     MX
\end{verbatim}
\normalsize

Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 103
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 28
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

Feature of BIND where it answers authoritatively for CLASS ANY 
nxdomain queries.


\subsubsection{b-badquery-badanswer - BIND replies with bad answer for
                            some bad queries}
\label{b-badquery-badanswer}

BIND replies with an answer packet that cannot be parsed, or does
not answer at all. NSD always generates
an answer, with the appropriate RCODE (mostly NOTIMPL and FORMERR, but
also NXDOMAIN to NOTIFY queries). All these queries are malformed in 
some way. 

A (very simple) example of a query without an answer
is a query packet of 18 zero bytes. For some queries, the absence of an
answer only occurs when BIND is presented with a trace of queries, not 
with a single query.

\vspace{-8pt}\subparagraph{Analysis:}

BIND includes (part of) the unparseable question in the answer, or
some internal state of BIND is affected by earlier queries. 

NSD manages to answer the malformed query. Note that NSD does not answer 
queries that are too short or that have the QR bit set. NSD tries to be
as liberal as possible in what it accepts.


\subsection{Functionality Differences}
\label{sec:funcdiff}

The next group of differences are due to the fact that NSD does not
implement some functionality that is requested by resolvers.  This 
is a design choice and should not cause resolver problems at all,
since responses to those requests are within protocol specs.


\subsubsection{d-notify - different NOTIFY errors}
\label{d-notify}

BIND and NSD give different errors for notify queries. The servers are started 
without any configuration for access control on notify. For notify messages 
aimed at a zone that is served, BIND 9.3.2 returns a NOERROR answer, and 
NSD 3 returns NOTAUTH. For notify messages on a zone that is not served 
(in-addr.arpa.) BIND 9.3.2 returns NOTAUTH and NSD 3 returns NXDOMAIN.

\vspace{-8pt}\subparagraph{Analysis:}

Default configuration differs between the two packages; NSD is stricter.
The error codes differ, but the tools that send notifies are not affected.


\subsubsection{n-update - NSD does not implement dynamic update}
\label{n-update}

For UPDATE, you get either REFUSED/NXRRSET/another RCODE from BIND 9.3.2, or 
NOTIMPL from NSD 3.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not implement dynamic update. 


\subsubsection{b-mailb - BIND does not implement MAILB}
\label{b-mailb}

For MAILB, you get either NOTIMPL (BIND 9) or NOERROR/NXDOMAIN (NSD 3).

\vspace{-8pt}\subparagraph{Analysis:}

BIND does not implement queries for the MAILB type. NSD treats it as 
one of the RRTYPEs. MAILB has been obsoleted by later RFCs; the MX type is 
used to carry mail routing information now.


\subsubsection{d-version - BIND returns servfail on version.server queries}
\label{d-version}

NSD answers version.server queries; BIND returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

Both NSD and BIND answer version.bind queries in the CHAOS class.
These queries differ in the version number they return, of course.
BIND does not answer version.server queries. It is a design decision
on the part of NSD to answer version.server queries with the same answer.


\subsubsection{d-additional - Different additional section on truncated answers}
\label{d-additional}

NSD and BIND return different additional sections on truncated answers
to queries from the root. These answers are 480+ bytes long.

\vspace{-8pt}\subparagraph{Analysis:}

Not all the A and AAAA data fits into the additional section of the answer.
BIND includes different names than NSD does, and BIND is observed to sometimes
include one more AAAA record and fewer A records in the additional section.
Resolvers should be unaffected.


\subsubsection{d-refusedquery - BIND includes query section in REFUSED answers}
\label{d-refusedquery}

BIND includes the query sent for REFUSED answers. NSD replies with only
the DNS header section.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header keeps NSD's error replies small, which costs
less bandwidth per reply and limits their usefulness for amplification, making
NSD more resilient to DoS attacks.


\subsubsection{d-hostname - BIND adds a NS record for hostname.bind}
\label{d-hostname}

BIND includes an additional RR in the authority section of the reply:
\footnotesize
\begin{verbatim}
hostname.bind. 0 CH NS hostname.bind.
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

The RR seems useless. NSD does not include it.


\subsubsection{n-ixfr-notimpl - NSD does not implement IXFR}
\label{n-ixfr-notimpl}

To queries for IXFR BIND responds with a valid answer (the latest SOA)
and NSD responds with NOTIMPL error.

\vspace{-8pt}\subparagraph{Analysis:}

NSD 3.0.0 does not implement IXFR. It returns NOTIMPL by design.


\subsubsection{d-formerrquery - BIND includes query section in FORMERR answers}
\label{d-formerrquery}

BIND includes the query sent for FORMERR answers. NSD replies with only
the DNS header section. For some queries, NSD includes an EDNS record in 
the reply if there was a recognizable EDNS record in the query.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header keeps NSD's error replies small, which costs
less bandwidth per reply and limits their usefulness for amplification, making
NSD more resilient to DoS attacks.


\subsubsection{d-badqueryflags - BIND includes query section in FORMERR answers}
\label{d-badqueryflags}

BIND includes the query section in reply to unparseable queries. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but the implementation of the comparison 
software could not parse the query either, thus a separate label.


\subsubsection{d-unknown-class - BIND includes query section in answers to unknown class}
\label{d-unknown-class}

For queries with an unknown class in the query, BIND includes the query section
in the answer. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but for a different error.


\subsubsection{d-unknown-opcode - NSD returns NOTIMPL for unknown opcode}
\label{d-unknown-opcode}

For bad query packets that contain malformed RRs and an unknown opcode,
BIND returns FORMERR, but NSD stops after checking the opcode and
returns NOTIMPL. NSD copies the flags from the query and turns on the 
QR (query response) bit; BIND zeroes some of the flags.

\vspace{-8pt}\subparagraph{Analysis:}

NOTIMPL is appropriate since NSD does not implement whatever functionality
is being looked for. 


\subsubsection{b-upwards-ref - BIND returns root delegation}
\label{b-upwards-ref}

For queries to a domain that is not served, which can only have arrived at
this server due to a lame delegation, BIND returns a root delegation. NSD
returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

By design, NSD does not know the root-servers.  NSD is unable to reply as
the zone is not configured, hence the SERVFAIL. This is also discussed in
the REQUIREMENTS document for NSD.


\subsubsection{b-noglue-nsquery - BIND returns no glue for NS queries}
\label{b-noglue-nsquery}

For queries for the NS records of the zone, BIND does not include glue
for the NS records. NSD includes glue for the NS servers that lie within
the zone.

\vspace{-8pt}\subparagraph{Analysis:}

The glue saves a followup query.


\subsubsection{d-noquestion - different error on no question}
\label{d-noquestion}

For queries without a question section the error code differs.
NSD considers it a FORMERR. BIND returns REFUSED.

\vspace{-8pt}\subparagraph{Analysis:}

Error code not specified for this corner case. No problems for resolvers.


\subsubsection{b-uchar - BIND returns FORMERR on strange characters}
\label{b-uchar}

BIND returns FORMERR on strange characters in the query, such as
0x00, 0xff, 0xe4, 0x20, 0x40 and so on.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not give a FORMERR on these queries; it processes them.
NSD normalizes names to lower case and otherwise leaves them untouched.
BIND preserves case in answers. This choice was made in the REQUIREMENTS
document for NSD; also see RFC1035\cite{rfc1035} section 2.3.3.


\section{Response differences between NSD 2.3.6 and NSD 3.0.0}

The differences between NSD 2.3.6 and NSD 3.0.0 are listed below. All are due
to version number changes and new features in NSD 3.


\subsection{Comparison of responses in root trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a root trace.
Note that apart from the 26 packets that are different, all responses are
byte-for-byte identical on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify})               & 19 &  73.08\% \\
n-ixfr (\ref{n-ixfr})                   & 3 &  11.54\% \\
version.bind (\ref{nsd-version})       & 3 & 11.54\% \\
version.server (\ref{nsd-version})   & 1  &  3.85\% \\
Total number of differences:            & 26 &  100\% \\
Number of packets the same after normalization:&2244590 \\
Number of packets exactly the same on the wire:&2244590 \\
Total number of packets inspected:             &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a nl. trace.
Note that apart from the 311 packets that are different, all responses are
byte-for-byte identical on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify}) 		& 289 & 92.93\% \\
version.bind (\ref{nsd-version}) 	& 22  & 7.07\% \\
Total number of differences: 			   & 311 	& 100\% \\
Number of packets the same after normalization:& 99689 \\
Number of packets exactly the same on the wire:& 99689 \\
Total number of packets inspected: 	&100000 \\
\end{tabular}


\subsection{Version number - version.bind and version.server}
\label{nsd-version}

To queries for version.bind and version.server the different implementations
return a different version number, as they should.

\vspace{-8pt}\subparagraph{Analysis:}

Expected. Correct version numbers are returned.


\subsection{n-notify - notify not implemented in NSD 2}
\label{n-notify}

Notifications are handled differently. NSD 2 returns NOTIMPL error code,
while NSD 3 returns NOTAUTH or NXDOMAIN error codes.

\vspace{-8pt}\subparagraph{Analysis:}

Default config denies all notify queries for NSD 3. These answers are correct
for non-existing and not authorized domains.


\subsection{n-ixfr - IXFR error FORMERR in NSD 2}
\label{n-ixfr}

Different error codes are given in response to IXFR queries. NSD 2
gives FORMERR (due to the RR in the authority section); NSD 3 returns
NOTIMPL. 

\vspace{-8pt}\subparagraph{Analysis:}

Neither version of NSD implements IXFR. It is more appropriate to
return the NOTIMPL error code in that case. Bugfix in NSD.


\section{Response differences between BIND 8 and NSD 3.0.0}

In this section the response differences between BIND 8.4.7 and NSD 3.0.0
are categorized and analyzed. 


\subsection{Comparison of responses in root trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the root zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit (\ref{n-clrcdbit})	&         516372 &84.39\% \\
d-hostname (\ref{d-hostname})	&         53431  &8.73\% \\
d-additional (\ref{d-additional})	& 32526  &5.32\% \\
b8-nodata-ttlminup (\ref{b8-nodata-ttlminup})	& 4611  &0.75\% \\
n-update (\ref{n-update})	&         1856  &0.30\% \\
d-version (\ref{d-version})	&         1033  &0.17\% \\
b8-auth-any (\ref{b8-auth-any})	&         519  &0.08\% \\
b8-badedns0 (\ref{b8-badedns0})	&         492  &0.08\% \\
d-unknown-class (\ref{d-unknown-class})	& 482  &0.08\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})	& 451  &0.07\% \\
b-class0 (\ref{b-class0})	&         97  &0.02\% \\
d-notify (\ref{d-notify})	&         18  &0.00\% \\
b8-ignore-tc-query (\ref{b8-ignore-tc-query})	& 6  &0.00\% \\
b8-badquery-ignored (\ref{b8-badquery-ignored})	& 4  &0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	& 3  &0.00\% \\
b-soattl (\ref{b-soattl})	&         1  &0.00\% \\
Total number of differences: 		&	 611902	&100\% \\
Number of packets the same after normalization:&1632714 \\
Number of packets exactly the same on the wire:&   2299 \\
Total number of packets inspected: 	       &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the .nl zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit        (\ref{n-clrcdbit})         &           2857        &33.53\% \\
d-unknown-opcode  (\ref{d-unknown-opcode})   &           2692        &31.59\% \\
n-update          (\ref{n-update})           &           1283        &15.06\% \\
d-badqueryflags   (\ref{d-badqueryflags})    &            841        &9.87\% \\
d-hostname        (\ref{d-hostname})         &            531        &6.23\% \\
d-notify          (\ref{d-notify})           &            293        &3.44\% \\
d-version         (\ref{d-version})          &             22        &0.26\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) &         1        &0.01\% \\
b8-badedns0          (\ref{b8-badedns0})     &              1        &0.01\% \\
Total number of differences: &8521 &100\% \\
Number of packets the same after normalization:&91479 \\
Number of packets exactly the same on the wire:&90837 \\
Total number of packets inspected:&100000 \\
\end{tabular}


\subsection{b8-nodata-ttlminup - BIND 8 uses minimum TTL from SOA also if bigger}
\label{b8-nodata-ttlminup}

For NXDOMAIN queries in root-servers.net BIND 8 uses the minimum TTL from
the SOA as the TTL of the included SOA RR. However, here this minimum TTL is 
larger than the original TTL of the SOA; NSD 2.3.6, NSD 3 and BIND 9 all
use the smaller of those two values as the TTL of the included SOA.

\vspace{-8pt}\subparagraph{Analysis:}

Bug in BIND 8 solved in BIND 9.


\subsection{b8-badquery-ignored - BIND 8 replies normally for some bad queries}
\label{b8-badquery-ignored}

BIND 8 replies normally to some malformed queries. NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

The query is malformed, so FORMERR is the required response. Fixed in BIND 9.


\subsection{b8-badedns0 - BIND 8 ignores bad EDNS0 queries}
\label{b8-badedns0}

BIND 8 ignores a bad EDNS0 section in a query and answers the query anyway.
NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

BIND 8 is more liberal than NSD in accepting broken EDNS0 records.
This was changed in BIND 9.


\subsection{b8-auth-any - BIND 8 includes an authority section on queries for ANY .}
\label{b8-auth-any}

BIND 8 includes an authority section in answers to class ANY queries for the root (.).
BIND 9 and NSD return an empty authority section.

\vspace{-8pt}\subparagraph{Analysis:}

Fixed in BIND 9.


\subsection{b8-ignore-tc-query - BIND 8 ignores the TC bit in queries}
\label{b8-ignore-tc-query}

BIND responds to queries that have the TC bit set. NSD gives FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

This is like n-tcinquery (\ref{n-tcinquery}), except that where BIND 9 returns NXDOMAIN,
BIND 8 returns the query with the QR bit set. This is fixed in BIND 9.
NSD is less liberal in accepting queries: it returns FORMERR on queries with
the TC bit set.

\bibliographystyle{nlnetlabs}
\bibliography{allbib}

\end{document}
@


