NSD 4.13.0rc1 pre-release

Dear all,

NSD 4.13.0 pre-release is available:
https://nlnetlabs.nl/downloads/nsd/nsd-4.13.0rc1.tar.gz
sha256 b5b48013eaf72f84c6feddbf452899909970a0194b1dc002a3aea97e70aacd09
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.13.0rc1.tar.gz.asc

This release enables some commonly used features by default, and introduces
experimental support for AF_XDP sockets that can be enabled with the
`--enable-xdp` feature flag (see https://nsd.docs.nlnetlabs.nl/en/latest/xdp.html).

Please review this pre-release carefully. If no issues arise, the actual
release will follow on Wednesday 2025-09-03.


Hello,

The new version builds without any compile-time warnings and runs in my lab environment now.

I scanned an instance (DoT enabled) with https://github.com/drwetter/testssl.sh
Some interesting points from that report:

1. ALPN/HTTP2 h2, spdy/3.1, http/1.1, grpc-exp, h2-fb, spdy/1, spdy/2, spdy/3, stun.turn, stun.nat-discovery, webrtc, c-webrtc, ftp (offered)
I think this is unneeded, as DoT has nothing to do with HTTPS; it's simply TLS.

2. Finite field group: ffdhe2048 ffdhe3072
Most modern TLS stacks support key exchange with elliptic curves, which are much faster and cheaper.
Postfix, for example, offers an option to disable FFDHE entirely: https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups

Andreas
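The two testssl.sh findings above (unrelated ALPN identifiers being accepted, and FFDHE groups being negotiated) can be checked against one's own DoT listener with `openssl s_client`. The script below is an added example, not code from this thread or from NSD: it assumes the `openssl` CLI is on PATH, uses a placeholder hostname, and ships constructed sample s_client output so the parsing function can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the NSD thread): check how a DoT listener
# answers when a client offers an unrelated ALPN id and an FFDHE group.
# Assumptions: `openssl` CLI on PATH; hostnames below are placeholders.

# Reduce `openssl s_client` output (read from stdin) to the negotiated
# ALPN protocol and the key-exchange group the server chose.
summarize_sclient() {
  awk '
    /^ALPN protocol:/      { alpn = $3 }
    /^No ALPN negotiated/  { alpn = "none" }
    /^Server Temp Key:/    { sub(/^Server Temp Key: */, ""); kex = $0 }
    END {
      if (alpn == "") alpn = "none"
      if (kex == "")  kex  = "unknown"
      printf "alpn=%s kex=%s\n", alpn, kex
    }'
}

# Connect to the DoT port (853 by default), propose "h2" as ALPN and list
# an FFDHE group first. A listener that keeps DoT as plain TLS should
# report "alpn=none"; one that prefers ECDHE reports an EC group in kex=.
probe_dot() {
  host=$1
  port=${2:-853}
  printf '' | openssl s_client -connect "$host:$port" -alpn h2 \
      -groups ffdhe2048:X25519 2>/dev/null | summarize_sclient
}

# Constructed samples of s_client output so the parser runs offline.
SAMPLE_ACCEPTS_H2='ALPN protocol: h2
Server Temp Key: DH, 2048 bits'
SAMPLE_PLAIN_TLS='No ALPN negotiated
Server Temp Key: X25519, 253 bits'

# Stand-alone demo on the constructed samples; a live check would be
# `probe_dot ns1.example.net`.
printf '%s\n' "$SAMPLE_ACCEPTS_H2" | summarize_sclient   # → alpn=h2 kex=DH, 2048 bits
printf '%s\n' "$SAMPLE_PLAIN_TLS" | summarize_sclient    # → alpn=none kex=X25519, 253 bits
```

The client deliberately lists `ffdhe2048` before `X25519`: a server that honours client group order will then negotiate the slower finite-field group, which is exactly what the testssl.sh report flagged, while a server with its own ECDHE preference will answer with X25519 regardless.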

Hi Jannik,

Thanks for this release. I appreciate very much the approach of compiling in all the stable features, and allowing the operator to activate them in the configuration as needed. This makes it very easy to package NSD for general use. I also appreciate the --with-dbdir option to specify one place for many of NSD’s runtime files. My “configure” invocation is now much more compact, and the resulting package is also more useful.

It compiles without warnings under Oracle Linux 9, and is running on a test server.

Regards,
Anand Buddhdev
RIPE NCC

Hi,

Thanks for testing the pre-release.

> 1. ALPN/HTTP2 h2, spdy/3.1, http/1.1, grpc-exp, h2-fb, spdy/1, spdy/2, spdy/3, stun.turn, stun.nat-discovery, webrtc, c-webrtc, ftp (offered)
> I think this is unneeded, as DoT has nothing to do with HTTPS; it's simply TLS.
>
> 2. Finite field group: ffdhe2048 ffdhe3072
> Most modern TLS stacks support key exchange with elliptic curves, which are much faster and cheaper.
> Postfix, for example, offers an option to disable FFDHE entirely: https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups

And thanks for reporting this. We'll add it to our TODO list.

Best,
Jannik

Hi Jannik!

Do you think it would be possible to convert
  configure --enable-packed

and

  configure --disable-radix-tree

into config file options? That way we could save RAM without recompiling.

Thanks

Klaus

Hi Klaus,

> Do you think it would be possible to convert
>   configure --enable-packed
> and
>   configure --disable-radix-tree
> into config file options? That way we could save RAM without recompiling.

For --enable-packed it is not possible, as it changes the memory layout
of the types used.

For --disable-radix-tree it would be possible. We haven't done it in the
past for simplicity and speed. But thanks for mentioning this, we will
reconsider whether to keep it as a configure option or to make it
a run-time config option.

Best,
Jannik