NSD 4.2.0rc1 pre-release available

Hi,

NSD 4.2.0rc1 release candidate is available:
https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0rc1.tar.gz
sha256 7d26005615e9a7bb1e77069f1c6738fdc927a0b31a4ecc1a5fa9ed58d129ec13
pgp https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0rc1.tar.gz.asc

This release contains new features, contributed by Sinodun, that
implement TCP fast open support and also support for service on DNS over
TLS.

There is also TLS OCSP stapling support with the tls-service-ocsp option
in nsd.conf.

The new option hide-identity can be used in nsd.conf to stop NSD from
responding with the hostname for probe queries that elicit the chaos
class response; this conforms to RFC4829.

There is a bug fix for memory leaks during zone file read, with
duplicate records in the zone file.

> 4.2.0
>
> NSD 4.2.0rc1 release candidate is available:
> https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0rc1.tar.gz
>
> - Patch to add support for tls service on a specified tls port,
>   from Sara Dickinson (Sinodun).

Cool, the patch has worked here since March.

> - TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
>   patch from Andreas Schulze.

OCSP data is valid for a much shorter time than certificates.
For this reason I renew the OCSP data daily.

Currently this means I restart nsd once a day.

In the long run it would be helpful if updated certificates,
private keys and OCSP data only required a reload.

> - Disable TLS1.0, TLS1.1 and weak ciphers, enable
>   CIPHER_SERVER_PREFERENCE, patch from Andreas Schulze.

There is TLS setup code in
   - server.c ~lines 1660...1270, server_tls_ctx_create()
   - remote.c ~lines 250...300, remote_setup_ctx()

The code for the same task exists twice, but only in server.c does the "hardening" happen.
Was this not implemented in remote.c so as not to break existing remote control installations?

Also, I have a problem with the cipher selection "CHACHA20+ECDH:AESGCM+ECDH:!SHA:!AESCCM"
(server.c, line 1709) I suggested months ago:

It's redundant, prefers CHACHA20-POLY1305 over AESGCM and is not as readable as it could be.
-> New suggestion: SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")

Andreas
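To make the cipher-string point concrete, here is an added example (my code, not NSD's C code) that uses Python's ssl module, which hands the same OpenSSL cipher-string grammar through to SSL_CTX_set_cipher_list(), to build a server context with the hardening listed in the changelog (no TLS 1.0/1.1, server cipher preference) and to compare what the rc1 string and the suggested string actually enable. The function names and the checks are mine; the two cipher strings are the ones quoted in the message above.

```python
import ssl

# Cipher strings from the thread: the rc1 selection in server.c that was
# objected to, and the replacement that was proposed.
ORIGINAL = "CHACHA20+ECDH:AESGCM+ECDH:!SHA:!AESCCM"
SUGGESTED = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_server_context(cipher_string):
    """Server context with the hardening the 4.2.0 changelog lists:
    no TLS 1.0/1.1, server-side cipher preference, explicit cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same effect as SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 in the C code.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # SSL_OP_CIPHER_SERVER_PREFERENCE: the server's order wins, not the client's.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Same grammar as SSL_CTX_set_cipher_list(); raises ssl.SSLError if the
    # string selects no suite at all.
    ctx.set_ciphers(cipher_string)
    return ctx


def tls12_suites(cipher_string):
    """Ordered list of TLS 1.2 suite names the string enables. TLS 1.3 suites
    are configured separately in OpenSSL and are filtered out here."""
    ctx = hardened_server_context(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def minimum_is_tls12(cipher_string):
    """True when the context refuses TLS 1.0 and TLS 1.1 handshakes."""
    ctx = hardened_server_context(cipher_string)
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_2


def gcm_preferred_over_chacha(cipher_string):
    """True when every AES-GCM suite is ordered before every ChaCha20 suite.
    The order matters because CIPHER_SERVER_PREFERENCE makes it binding."""
    suites = tls12_suites(cipher_string)
    gcm = [i for i, n in enumerate(suites) if "GCM" in n]
    chacha = [i for i, n in enumerate(suites) if "CHACHA20" in n]
    return bool(gcm) and bool(chacha) and max(gcm) < min(chacha)


def only_ephemeral_ecdh_aead(cipher_string):
    """Every enabled suite uses ephemeral ECDH (forward secrecy) and an AEAD
    (AES-GCM or ChaCha20-Poly1305): no CBC/SHA1 or CCM suites slipped in."""
    return all(n.startswith("ECDHE-") and ("GCM" in n or "CHACHA20" in n)
               for n in tls12_suites(cipher_string))


if __name__ == "__main__":
    for label, s in (("rc1", ORIGINAL), ("suggested", SUGGESTED)):
        print(f"{label}: {s}")
        for name in tls12_suites(s):
            print("   ", name)
    print("same suite set:",
          set(tls12_suites(ORIGINAL)) == set(tls12_suites(SUGGESTED)))
```

Running it prints the ordered suite list for each string. With OpenSSL 1.1 or later (fixed-ECDH suites removed) both strings should expand to the same ECDHE AEAD suites, which is why the "!SHA:!AESCCM" tail is redundant; the script prints whether that holds for your build. What does differ is the order: the rc1 string puts ChaCha20-Poly1305 ahead of AES-GCM, the suggested one the other way round, and because the server's preference is now binding that choice decides what most clients negotiate.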

A. Schulze:

> At the long tail it would be helpful if updated certificates,
> private keys and ocsp-data would only require a reload.

Reloading unprivileged, maybe chrooted, processes is hard or even impossible.

There is another model (used in postfix, for example):
a master process starts workers with a limited lifetime or number of requests they handle.
Every now and then the master process starts a new worker, which
uses the current/fresh configuration read from disk.

This way no reload is required.

No idea if this is/could be implemented in nsd/unbound.

Andreas
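The worker-rotation model described above, and the daily OCSP renewal it is meant to absorb, as an added example: this is a constructed simulation of the pattern (my code, modelled on the postfix-style design sketched in the message), not NSD or Unbound code, and it makes no claim about how those daemons actually manage their processes. The file layout, the JSON "material" file and the request budget are my assumptions.

```python
import itertools
import json
import os
import tempfile


class Worker:
    """Loads certificate, key and OCSP material once, at start-up, then serves
    a bounded number of requests before retiring. It never re-reads disk, so
    it can drop privileges or chroot right after loading."""

    def __init__(self, wid, material_path, max_requests):
        self.wid = wid
        self.remaining = max_requests
        with open(material_path) as f:
            self.material = json.load(f)  # snapshot taken at start-up

    def handle(self):
        """Answer one request; returns the OCSP staple this worker carries."""
        self.remaining -= 1
        return self.material["ocsp_staple"]

    def retired(self):
        return self.remaining <= 0


class Master:
    """Spawns a fresh worker whenever the current one retires. Because every
    worker reads the files at start, renewed material reaches service without
    any reload or restart of the master, and without signalling a worker."""

    def __init__(self, material_path, max_requests):
        self.material_path = material_path
        self.max_requests = max_requests
        self._ids = itertools.count(1)
        self.worker = None

    def serve(self):
        if self.worker is None or self.worker.retired():
            self.worker = Worker(next(self._ids), self.material_path,
                                 self.max_requests)
        return self.worker.wid, self.worker.handle()


def write_material(path, ocsp_staple):
    """Atomic replace, so a worker starting mid-renewal sees either the old
    or the new file, never a half-written one."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"cert": "cert.pem", "key": "key.pem",
                   "ocsp_staple": ocsp_staple}, f)
    os.replace(tmp, path)


def simulate(max_requests=3):
    """Constructed scenario: the daily OCSP renewal lands on disk while a
    worker is mid-life. Returns [(worker id, staple served), ...] for six
    requests, two before the renewal and four after it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tls-material.json")
        write_material(path, "staple-day1")
        master = Master(path, max_requests)
        served = [master.serve() for _ in range(2)]
        write_material(path, "staple-day2")  # cron renews the staple; nothing is signalled
        served += [master.serve() for _ in range(4)]
        return served


def requests_with_old_staple(served, renewed_after):
    """How many answers after the renewal still carried the old staple:
    the staleness window is bounded by the worker's request budget."""
    return sum(1 for _, staple in served[renewed_after:] if staple == "staple-day1")


if __name__ == "__main__":
    for wid, staple in simulate():
        print(f"worker {wid} served {staple}")
    print("stale answers after renewal:", requests_with_old_staple(simulate(), 2))
```

With a budget of three requests, worker 1 answers one more request with the day-1 staple after the renewal, then worker 2 starts and picks up the day-2 file; with a budget of two, no stale answer goes out at all. The trade-off the message hints at is visible in those numbers: a shorter worker lifetime means fresher material but more process churn, and the staple's nextUpdate window is what sets how much staleness is acceptable.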

Hi,

NSD 4.2.0 is available:
https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0.tar.gz
sha256 51df1ca44a00e588c09ff0696e588c13566ce889b50d953896d8b6e507eda74c
pgp https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0.tar.gz.asc

This release contains new features, contributed by Sinodun, that
implement TCP fast open support and also support for service on DNS over
TLS.

There is also TLS OCSP stapling support with the tls-service-ocsp option
in nsd.conf.

The new option hide-identity can be used in nsd.conf to stop NSD from
responding with the hostname for probe queries that elicit the chaos
class response; this conforms to RFC4892.

There is a bug fix for memory leaks during zone file read, with
duplicate records in the zone file.

4.2.0

Hi Andreas,

Fixed the ctx create code and the cipher selection you suggested (for
the next release). Thanks for the suggestions, it is good to harden the
remote control connection too.

Best regards, Wouter