NSD4 beta2

Hi,

The new beta for NSD4 is available, NSD4.0.0b2:
http://nlnetlabs.nl/downloads/nsd/nsd-4.0.0b2.tar.gz
sha1 e093d1519bf2e3f3c458ccf41aec45dce6a84a84
sha256 966bd0a7cdc29654df6579904d6833abfcd913428d68801f49853db7867e86a5

This software is in beta. NSD4 includes a ratelimiting implementation
(with --enable-ratelimit) which is the same as in NSD3.

This is an update from beta1, which pulls it with bugfixes closer to
NSD3, and also fixes NSD4 specific issues. It implements that
repattern picks up zone changes (added and removed, and also the
options) from nsd.conf.

Changes:
- Fix for use with libev.
- 'nsd-control start' runs an absolute path to start sbin/nsd.
- Fix for use with libevent-2.1.2.
- --with-logfile sets the logfile inside the example documentation.
- Fixed addzone and delzone inside chroot (thanks Will Pressly).
- repattern also rereads the zones in the config file and applies that
  to the running server.
- Fix make outside of source directory.
- Merge changes from 3.2.15 (such as xname-rcode fix).

Please report user experiences, bugs and omitted features.

Best regards,
   Wouter

1) No mention of libevent/libev support in README.

2) I'm running into the issue described in
http://open.nlnetlabs.nl/pipermail/nsd-users/2011-March/001219.html
This is on Gentoo linux, using gcc 4.5.2 (hardened). Using -fno-inline
also fixes it, switching to gcc 4.6.3 too. The thread isn't completed
with a resolution, and I can't seem to find a related bug in bugzilla
either.

3) Nitpick: nsd.conf.sample has a mix of tabs and spaces in
indentation, which ruins formatting when you set tabsize to anything
else than 4 spaces. Got really really confused reading pattern: and
key: sections with tabsize=2 :)

Kind regards,
  Tom

Hi,

The new beta for NSD4 is available, NSD4.0.0b2:

Please report user experiences, bugs and omitted features.

1) No mention of libevent/libev support in README.

2) I'm running into the issue described in
http://open.nlnetlabs.nl/pipermail/nsd-users/2011-March/001219.html

This is on Gentoo linux, using gcc 4.5.2 (hardened). Using -fno-inline

also fixes it, switching to gcc 4.6.3 too. The thread isn't
completed with a resolution, and I can't seem to find a related bug
in bugzilla either.

3) Nitpick: nsd.conf.sample has a mix of tabs and spaces in
indentation, which ruins formatting when you set tabsize to
anything else than 4 spaces. Got really really confused reading
pattern: and key: sections with tabsize=2 :)

And maybe a late feature request which I think has been mentioned
before (but I can't find the thread): refactor the config options
ip4-only and ip6-only into more straightforward names and
functionality: do-ip4 and do-ip6. A major version change would be a
nice time to do that. The old options could still be supported, and
become deprecated in v4.2 or so...

Kind regards,
  Tom

Hi,

refactor the config options
ip4-only and ip6-only into more straightforward names and
functionality: do-ip4 and do-ip6.

+1.

Unbound is great and all options make sense. So I reckon if you can mimic unbound config options in NSD it would be better (less confusion therefore less mistakes).

Thomas

Hi Tom,

Thank you for the usage report.

Hi,

The new beta for NSD4 is available, NSD4.0.0b2:

Please report user experiences, bugs and omitted features.

1) No mention of libevent/libev support in README.

Fixed, it supports 'em, and you can use 'no' to get a builtin.

2) I'm running into the issue described in
http://open.nlnetlabs.nl/pipermail/nsd-users/2011-March/001219.html

This is on Gentoo linux, using gcc 4.5.2 (hardened). Using
-fno-inline

also fixes it, switching to gcc 4.6.3 too. The thread isn't
completed with a resolution, and I can't seem to find a related
bug in bugzilla either.

I reproduced this, and fixed it in svn trunk. Could you try to see if
it works for you too?

What happens is that -combine does not work with particular
system-headers and gcc-version combinations.

3) Nitpick: nsd.conf.sample has a mix of tabs and spaces in
indentation, which ruins formatting when you set tabsize to
anything else than 4 spaces. Got really really confused reading
pattern: and key: sections with tabsize=2 :)

I tried to clean this up. tabsize=whatever should work fine.

And maybe a late feature request which I think has been mentioned
before (but I can't find the thread): refactor the config options
ip4-only and ip6-only into more straightforward names and
functionality: do-ip4 and do-ip6. A major version change would be
a nice time to do that. The old options could still be supported,
and become deprecated in v4.2 or so...

I'll look at this too.

Best regards,
   Wouter

Hi Tom,

Thank you for the usage report.

Hi,

The new beta for NSD4 is available, NSD4.0.0b2:

Please report user experiences, bugs and omitted features.

1) No mention of libevent/libev support in README.

Fixed, it supports 'em, and you can use 'no' to get a builtin.

2) I'm running into the issue described in
http://open.nlnetlabs.nl/pipermail/nsd-users/2011-March/001219.html

This is on Gentoo linux, using gcc 4.5.2 (hardened). Using
-fno-inline

also fixes it, switching to gcc 4.6.3 too. The thread isn't
completed with a resolution, and I can't seem to find a
related bug in bugzilla either.

I reproduced this, and fixed it in svn trunk. Could you try to see
if it works for you too?

Tested with r3811, works now. Thanks :)

What happens is that -combine does not work with particular
system-headers and gcc-version combinations.

3) Nitpick: nsd.conf.sample has a mix of tabs and spaces in
indentation, which ruins formatting when you set tabsize to
anything else than 4 spaces. Got really really confused reading
pattern: and key: sections with tabsize=2 :)

I tried to clean this up. tabsize=whatever should work fine.

Looks much better now, although tabsize 2 still messes up the
difference between sections and options a bit. Maybe just use 4 spaces
instead of tabs? :)

And maybe a late feature request which I think has been mentioned
before (but I can't find the thread): refactor the config
options ip4-only and ip6-only into more straightforward names and
functionality: do-ip4 and do-ip6. A major version change would
be a nice time to do that. The old options could still be
supported, and become deprecated in v4.2 or so...

I'll look at this too.

Great, thanks!

Have a nice weekend,
  Tom

first of all: I updated some nameservers to nsd4b2 and they still run fine.
So thanks for such good software...

1.
is there a separate mailing list for development?

2.
when compiling 4.0.0b2 I gave no special --with-xfrdir so it defaults to /tmp

$CHROOT/tmp did not exist and I got this:

Jan 19 14:29:10 nsd[24553]: error: /tmp/nsd.24553.task.0: No such file or directory
Jan 19 14:29:10 nsd[24553]: error: /tmp/nsd.24553.task.1: No such file or directory
Segmentation fault

short fix:
install -d $CHROOT/tmp

note the segfault, that should alarm us.

3.
my nsd.db was not writeable for the nsd user:
"server preparation failed, nsd could not be started"

that also leaves two task files in $CHROOT/tmp which should be deleted before nsd is exiting.

4.
I played around with the rrl feature and set "rrl-ratelimit: 2"
now I fire some "dig @$(NSD) example.org. ANY"
I found "info: ratelimit block example.org any target $mynetwork/64"
and "ratelimit unblock"

but then the server starts logging this :
nsd[19065]: warning: server 27369 died unexpectedly with status 6, restarting
nsd: ./buffer.h:252: buffer_write_at: Assertion `buffer_available_at(buffer, at, count)' failed.

nsd[19065] is the parent, nsd[27369] looks like the child that died.

btw. I never noticed that a query was not answered!?

5.
I run nsd from a supervisor and use option -d to start nsd.
Now I see three processes:
# ps afx | grep nsd | grep -v grep
7434 ? S 0:00 | \_ supervise nsd
18899 ? S 0:00 | | \_ /usr/sbin/nsd -d
19065 ? S 0:01 | | \_ /usr/sbin/nsd -d
31565 ? S 0:00 | | \_ /usr/sbin/nsd -d

is there a better solution to run nsd supervised?

Thanks
Andreas

Hi Andreas,

The new beta for NSD4 is available, NSD4.0.0b2:

first of all: I updated some nameservers to nsd4b2 and they still
run fine. So thanks for such good software...

1. is there a separate mailing list for development?

No, this list is it.

2. when compiling 4.0.0b2 I gave no special --with-xfrdir so it
defaults to /tmp

$CHROOT/tmp did not exist and I got this:

Jan 19 14:29:10 nsd[24553]: error: /tmp/nsd.24553.task.0: No such file or directory
Jan 19 14:29:10 nsd[24553]: error: /tmp/nsd.24553.task.1: No such file or directory
Segmentation fault

short fix: install -d $CHROOT/tmp

note the segfault, that should alarm us.

Yes, I'll get on that. And do the install thing.

3. my nsd.db was not writeable for the nsd user: "server
preparation failed, nsd could not be started"

that also leaves two task files in $CHROOT/tmp which should be
deleted before nsd is exiting.

Yes, nsd.db needs to be writable (it does the nsd-patch operation
during reloads to keep nsd.db updated).

4. I played around with the rrl feature and set "rrl-ratelimit: 2"
now I fire some "dig @$(NSD) example.org. ANY"
I found "info: ratelimit block example.org any target $mynetwork/64"
and "ratelimit unblock"

but then the server starts logging this :
nsd[19065]: warning: server 27369 died unexpectedly with status 6, restarting
nsd: ./buffer.h:252: buffer_write_at: Assertion `buffer_available_at(buffer, at, count)' failed.

nsd[19065] is the parent, nsd[27369] looks like the child that
died.

This is a spurious assertion failure in the RRL code, that I have
already fixed in the svn trunk. If you run without --enable-checking,
it does not happen. I have also fixed it for the NSD_3_2 branch.

btw. I never noticed that a query was not answered!?

5. I run nsd from a supervisor and use option -d to start nsd. Now
I see three processes:
# ps afx | grep nsd | grep -v grep
7434 ? S 0:00 | \_ supervise nsd
18899 ? S 0:00 | | \_ /usr/sbin/nsd -d
19065 ? S 0:01 | | \_ /usr/sbin/nsd -d
31565 ? S 0:00 | | \_ /usr/sbin/nsd -d

is there a better solution to run nsd supervised?

NSD runs these processes (and more if you increase num-server and
while it is performing some tasks).
18899 is the process that handles zone transfers and accepts remote
control connections from nsd-control.
19065 coordinates IPC (has copy-on-write shared memory with 31565).
31565 is the process that serves PORT 53.

So, what you do now, is the best way to run NSD supervised.

Best regards,
   Wouter

I see some errors I do not understand.

master & slave: 4.0b2, verbosity 2

master.conf:

Hi Andreas,

The new beta for NSD4 is available, NSD4.0.0b2:

I see some errors I do not understand.

master & slave: 4.0b2, verbosity 2

master.conf:
-------------------------------------------------
zone:
    name: "example.org."
    zonefile: "/etc/nsd/zones/example.org"
    notify: $slave_ipv6 NOKEY
    provide-xfr: $slave_ipv6/128 NOKEY

slave.conf:
-------------------------------------------------
zone:
    name: "example.org."
    zonefile: "/etc/nsd/zones/example.org"
    allow-notify: $master_ipv6/128 NOKEY
    request-xfr: $master_ipv6 NOKEY

starting the "empty" slave:
nsd[27825]: info: zonefile /etc/nsd/zones/example.org does not exist
nsd[27825]: notice: nsd started (NSD 4.0.0b2), pid 27792
nsd[27792]: info: xfrd: zone example.org. written received XFR from $master_ipv6 with serial 1358734044 to disk
nsd[27792]: info: xfrd: zone example.org. written received XFR from $master_ipv6 with serial 1358734044 to disk
nsd[27792]: info: xfrd: zone example.org. written received XFR from $master_ipv6 with serial 1358734044 to disk
nsd[27792]: info: xfrd: zone example.org. committed "received update to serial 1358734044 at 2013-01-21T12:25:36 from $master_ipv6"
nsd[27827]: info: rehash of zone example.org. with parameters 1 0 1 -
nsd[27827]: info: zone example.org. received update to serial 1358734044 at 2013-01-21T12:25:36 from $master_ipv6 of 32745 bytes in 4295.4 seconds
nsd[27792]: info: Zone example.org. serial 0 is updated to 1358734044.

-> why "in 4295.4 seconds"

This is the time from the first packet that we got from the master
until the last packet was received of this zone transfer. If this
value is too big - I think I just fixed an overflow in the calculation,
thanks for the report :-).

master log nothing.

while the masterzone has not changed the serialnumber I run
"nsd-control transfer". Output: "ok, 1 zones" Returncode: 0

Slave start logging:
nsd[27792]: info: new control connection from ::1
nsd[27792]: info: control cmd: transfer
nsd[27792]: info: Handle incoming notify for zone example.org.
nsd[27792]: error: xfrd: zone example.org. received error code NOT IMPL from $master_ipv6

This is because it tries to do IXFR but NSD does not serve IXFR as the
master (it does work as the slave). It falls back to AXFR later.

nsd[27792]: info: xfrd: zone example.org. bad transfer 0 from $master_ipv6

This first one is because of the NOTIMPL return code.

nsd[27792]: info: xfrd: zone example.org. bad transfer 0 from $master_ipv6
nsd[27792]: info: xfrd: zone example.org. bad transfer 0 from $master_ipv6

These other ones, not sure why the transfer is bad, what went over the
wire here. You can get NSD to print out more detail if you compile
with (--enable-checking or --enable-debug) and use -F 20 -L 1 to start
NSD.

same time @master:
nsd[7414]: error: failed reading from tcp: Connection reset by peer
nsd[7414]: error: failed reading from tcp: Connection reset by peer

This is fairly normal - NSD downstream closes the tcp connection and a
connection reset travels to the master - it is printed because you
have high verbosity set, it would not be printed on a lower verbosity.

-> would be helpful to log the client ip here.

Yes, added that.

If I run "nsd-control force_transfer" I get the same logs as if I
started with an empty slave. Is this normal?

Yes. Because, to make sure it is correct, it'll do an AXFR, ignores
the local datastore, makes sure it updates everything, ignores the
local SOA serial number.

Best regards,
   Wouter
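
The "in 4295.4 seconds" figure discussed above is close to 2^32 microseconds (about 4294.97 s). As an added illustration (not NSD's code, and not a confirmed account of the overflow that was fixed), this shows one way an elapsed-time calculation over struct timeval can wrap to such a value, next to a borrow-correct version; the function names and sample timestamps are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Constructed sample: a transfer that really took 0.432704 s but crossed
 * a one-second boundary, so end.tv_usec < start.tv_usec. */
static const struct timeval SAMPLE_START = { .tv_sec = 100, .tv_usec = 900000 };
static const struct timeval SAMPLE_END   = { .tv_sec = 101, .tv_usec = 332704 };

/* Hypothetical buggy pattern: the two fields are subtracted separately and
 * the microsecond difference lands in an unsigned 32-bit value, so a
 * negative difference wraps to just under 2^32 us (about 4294.97 s). */
double elapsed_wrapping(struct timeval start, struct timeval end)
{
    uint32_t sec = (uint32_t)(end.tv_sec - start.tv_sec);
    uint32_t usec = (uint32_t)(end.tv_usec - start.tv_usec);
    return (double)sec + (double)usec / 1e6;
}

/* Corrected form: signed 64-bit arithmetic, borrowing one second when the
 * microsecond part is negative. */
double elapsed_correct(struct timeval start, struct timeval end)
{
    int64_t sec = (int64_t)end.tv_sec - (int64_t)start.tv_sec;
    int64_t usec = (int64_t)end.tv_usec - (int64_t)start.tv_usec;
    if (usec < 0) {
        sec -= 1;
        usec += 1000000;
    }
    return (double)sec + (double)usec / 1e6;
}

/* Compare two doubles with a small tolerance. */
int nearly_equal(double a, double b)
{
    double d = a - b;
    return d < 1e-6 && d > -1e-6;
}

int main(void)
{
    printf("wrapping: %.1f seconds\n", elapsed_wrapping(SAMPLE_START, SAMPLE_END));
    printf("correct:  %.6f seconds\n", elapsed_correct(SAMPLE_START, SAMPLE_END));
    return 0;
}
```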