nsd: 4.1.9 -> 4.1.12

4.1.12
======

Bugfixes
--------

Fix malformed edns query assertion failure, reported by Michal Kepien (NASK).

4.1.11
======

Features
--------

* When tcp is more than half full, use short timeout for tcp session.
* Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
* Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.

Bugfixes
--------

* Fix build without IPv6, patch from Zdenek Kaspar.
* Fix #783: Trying to run a root server without having configured it silently gives wrong answers.
* Fix #782: Serve DS record but parent zone has no NS record.
* Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

4.1.10
======

Features
--------

* ip-freebind: yesno option in nsd.conf sets IP_FREEBIND socket option for Linux, binds to interfaces and addresses that are down.
* NSD includes AAAA before A for queries over IPV6 (in delegations). And TC is set if no glue can be provided with a delegation because of packet size.
* print notice that nsd is starting before taking off.

Bugfixes
--------

* Fix for openssl 1.1.0, HMAC_CTX size not exported from openssl.
* Fix #751: NSD fails to occlude names below a DNAME.
* If set without nsd.db print "" as the default in the man pages.
* Fix #755: NSD spins after a zone update and a lot of TCP queries.
* Fix for NSEC3 with zone signed without exact match for empty nonterminals, the answer for that domain gets closest encloser.
* #772 Document that recvmmsg has IPv6 problems on some linux kernels.

4.1.9
=====

Bugfixes
--------

* Change the nsd.db file version because of nanosecond precision fix.
Christoph Hrdinka 2016-09-27 00:10:39 +02:00
parent 900a04e6c9
commit 553a3295c1
2 changed files with 58 additions and 4 deletions


@ -71,6 +71,7 @@ let
# interfaces
${forEach " ip-address: " cfg.interfaces}
ip-freebind: ${yesOrNo cfg.ipFreebind}
hide-version: ${yesOrNo cfg.hideVersion}
identity: "${cfg.identity}"
ip-transparent: ${yesOrNo cfg.ipTransparent}
@ -84,7 +85,7 @@ let
reuseport: ${yesOrNo cfg.reuseport}
round-robin: ${yesOrNo cfg.roundRobin}
server-count: ${toString cfg.serverCount}
${if cfg.statistics == null then "" else "statistics: ${toString cfg.statistics}"}
${maybeToString "statistics: " cfg.statistics}
tcp-count: ${toString cfg.tcpCount}
tcp-query-count: ${toString cfg.tcpQueryCount}
tcp-timeout: ${toString cfg.tcpTimeout}
@ -117,7 +118,8 @@ let
'';
yesOrNo = b: if b then "yes" else "no";
maybeString = pre: s: if s == null then "" else ''${pre} "${s}"'';
maybeString = prefix: x: if x == null then "" else ''${prefix} "${s}"'';
maybeToString = prefix: x: if x == null then "" else ''${prefix} ${toString s}'';
forEach = pre: l: concatMapStrings (x: pre + x + "\n") l;
@ -146,6 +148,11 @@ let
${forEach " rrl-whitelist: " zone.rrlWhitelist}
${maybeString "zonestats: " zone.zoneStats}
${maybeToString "max-refresh-time: " zone.maxRefreshSecs}
${maybeToString "min-refresh-time: " zone.minRefreshSecs}
${maybeToString "max-retry-time: " zone.maxRetrySecs}
${maybeToString "min-retry-time: " zone.minRetrySecs}
allow-axfr-fallback: ${yesOrNo zone.allowAXFRFallback}
${forEach " allow-notify: " zone.allowNotify}
${forEach " request-xfr: " zone.requestXFR}
@ -241,6 +248,44 @@ let
'';
};
maxRefreshSecs = mkOption {
type = types.nullOr types.int;
default = null;
description = ''
Limit refresh time for secondary zones. This is the timer which
checks to see if the zone has to be refetched when it expires.
Normally the value from the SOA record is used, but this option
restricts that value.
'';
};
minRefreshSecs = mkOption {
type = types.nullOr types.int;
default = null;
description = ''
Limit refresh time for secondary zones.
'';
};
maxRetrySecs = mkOption {
type = types.nullOr types.int;
default = null;
description = ''
Limit retry time for secondary zones. This is the timeout after
a failed fetch attempt for the zone. Normally the value from
the SOA record is used, but this option restricts that value.
'';
};
minRetrySecs = mkOption {
type = types.nullOr types.int;
default = null;
description = ''
Limit retry time for secondary zones.
'';
};
notify = mkOption {
type = types.listOf types.str;
default = [];
@ -366,6 +411,15 @@ in
'';
};
ipFreebind = mkOption {
type = types.bool;
default = false;
description = ''
Whether to bind to nonlocal addresses and interfaces that are down.
Similar to ip-transparent.
'';
};
ipTransparent = mkOption {
type = types.bool;
default = false;
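Review bot: The rewritten `maybeString` and the new `maybeToString` rename their second parameter to `x` but still interpolate `s`, which is no longer bound, so evaluation will fail with an undefined-variable error, at the latest when a non-null value reaches them (`statistics`, `zonestats`, and the four new refresh/retry options). They should read `maybeString = prefix: x: if x == null then "" else ''${prefix} "${x}"'';` and `maybeToString = prefix: x: if x == null then "" else ''${prefix} ${toString x}'';`. Separately, the 4.1.11 notes name `size-limit-xfr` as the fix for CVE-2016-6173, and no option for it is visible in these hunks, so operators of secondary zones would presumably have no way to set the transfer size cap from this module; a follow-up option would close that gap. The enclosing `let` block starts and ends outside the hunks shown.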


@ -13,11 +13,11 @@
}:
stdenv.mkDerivation rec {
name = "nsd-4.1.9";
name = "nsd-4.1.12";
src = fetchurl {
url = "http://www.nlnetlabs.nl/downloads/nsd/${name}.tar.gz";
sha256 = "1wn8jm5kpp81m88c77j97850mnmd87yaw8qp3xsdwcakcd6j44dq";
sha256 = "fd1979dff1fba55310fd4f439dc9f3f4701d435c0ec4fb9af533e12c7f27d5de";
};
buildInputs = [ libevent openssl ];