-
Notifications
You must be signed in to change notification settings - Fork 1
/
ChangeLog
764 lines (572 loc) · 30.9 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
################################################################################
#
# Copyright (c) 2011-2019, EURid vzw. All rights reserved.
# The YADIFA TM software product is provided under the BSD 3-clause license:
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of EURid nor the names of its contributors may be
# used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
################################################################################
20190211:
YADIFA 2.3.9
Fixes an issue handling some rdata containing a domain set to '.'
20180214:
YADIFA 2.3.8
Fixes the OPT record Z flags not being cleared in server answers.
20171208:
YADIFA 2.3.7
A master can now be configured to allow updating RRSIG records externally (e.g.: update add domain. RRSIG ...)
Fixes an issue where an IXFR query returning "not implemented" instead of an AXFR would be retried later as an IXFR.
Fixes an issue where hammering reopening the logs on an overloaded server would not work properly.
Note: SunOS 5.10 requires setting --disable-messages in ./configure
Note: Altough Debian/Hurd is not officially supported, YADIFA builds and works on the 2017 iso by setting --disable-messages in ./configure
20171205:
YADIFA 2.2.7
Fixes YADIFA libraries numbering.
20170925:
YADIFA 2.3.2-2.3.3 (internal)
Messages are now default (--enable-messages). Disable them using --disable-messages.
Adds a build option to remove compile date and time from various help messages (--disable-build-timestamp)
Adds more (dynamic) update validation.
From now on, both master and slaves are updating the zone in the same manner (journal transactions)
Fixes an issue where closing an (a)XFR stream could lead to a race over the file descriptors.
Fixes an issue where an AXFR query would return a version of the zone too old to be upgradable by following incremental updates.
Fixes an issue where zones with big-enough NSEC3 coverage (several millions NSEC3 record) could potentially reach an internal limit of the database.
Fixes an issue where shutting down YADIFA while a zone is being downloaded (AXFR) may make it wait forever.
Fixes an issue where the slave would complain about a missing private key.
Fixes an issue where a specifically truncated IXFR query may make YADIFA replying with an AXFR.
20170912:
YADIFA 2.2.6
Fixes an issue where a maliciously crafted message may block the server. (CVE-2017-14339)
20170420:
YADIFA 2.2.5
Fixes an issue on message-enabled servers where the return address would not be captured
Increased the maximum number of network interfaces to 256
20170406:
YADIFA 2.2.4
Fixes an issue with relative include names that would not always be properly computed
Fixes an issue where concurrent configuration reloads could lead to a crash
20170223:
YADIFA 2.3.1 (internal)
Added thread_pool_try_enqueue_call to give up if a queue is full or overworked.
Fixes an issue with the CW queuing mechanism when trying to fill a full queue.
20161124:
YADIFA 2.3.0 (internal)
ECDSA can now be disabled at ./configure time.
The support of ECDSA is not available in the openssl package of older Linux distributions.
You can now add --disable-ecdsa at configure time to allow a build on these systems.
Processed signals are now logged upon processing (info level) to allow the admin to know when a signal has effectively gone through.
CPU affinity can now be tuned to stick a worker on a core. In <main>:
thread-affinity-multiplier can be used to use every (1) or every odd (2) logical CPU.
Parameter range from 0 to 4. (default is 0 = autodetect)
By default, if hypertheading is detected, the multiplier is set to 2, else to 1.
thread-affinity-base can be used to chose the first local CPU to consider.
Parameter range from 0 to 3. (default is 0)
In the end, network workers will have their affinity set to (base + multiplier * workerindex).
The main purpose is to avoid using the hyperthread logical CPU as it can be counterproductive in some setups for high (10Gbps) troughput.
Fixes:
- fixed an issue on servers using the network-model 1 model (<main> : network-model 1)
- fixed an issue where the removal in a certain order of hash/hash* related domains would end-up triggering an abort
- fixed an issue where querying a signed domain that was deleted would answer NOERROR instead of NXDOMAIN
- fixed an issue where a zone loaded with a journal would not be marked "dirty" and thus would not be fully dumped on disk upon kill -USR1
- fixed an issue with network aliases not configured on all setups of --enable-messages
- fixed an issue with the logger not releasing the log files before reconfiguration
- fixed an issue with the journal where heavy load would prevent notification to slaves
20161108:
YADIFA 2.2.2
OpenSSL 1.1.0 crypto API support
20160719:
YADIFA 2.2.1
Multi-master support:
Added axfr-retry-failure-delay-multiplier and axfr-retry-failure-delay-max <main> parameters to increase the time between two AXFR/IXFR retries on a master.
Fixes:
- fixed an issue that would crash a YADIFA slave when restarting with a journal present
- fixed an issue in AXFR/IXFR retry timing management
20160715:
YADIFA 2.2.0
Multi-master support:
In <zone>, the masters field is now a list.
When the master fails to answer, it is moved to the end of the list and (new) first one is used instead.
There is a true-multimaster setting, defaulted to 'no'. In true multimaster mode, changing the master implies dropping local zone data and ignore serial values.
This is to be used for a setup with truly independent masters.
By default, the master change occurs at first failure. This can be changed to a higher value with multimaster-retries (maximum: 255)
This mostly makes sense on true-multimaster mode as you want to be sure before reloading a zone completely.
Smart signing:
Keys with smart signing information are now handled by YADIFA.
DNSSEC policies:
YADIFA generates an rolls your keys and makes a non-DNSSEC zone into an NSEC or NSEC3 one.
Support for ECDSA algorithm.
Better support for huge incremental changes of a zone:
YADIFA used to do the modification in one go, which could make it unresponsive for very big changes.
Now the changes are applied more slowly, allowing queries to be answered.
New network model:
A new network model can be enabled. This model's main purpose is to be more resistent to system stalls with minimal, if any, performance loss.
<main> network-model 1
NSEC3 management improved.
Several improvements have been made on the way NSEC3 is handlded. Chains partially covering the zone are now accepted.
Fixes:
- fixed an issue where the maximum pid value supported was 99999
- fixed an issue with RRSIG TTL values that were not always at the expected value.
- fixed an issue with the $TTL not being respected.
20160126:
YADIFA 2.1.6
Fixes:
- fixed an issue where the referral would not be measured for UDP on a optimised build.
20160108:
YADIFA 2.1.5
Dynamic updates do not use temporary files anymore which improves their general performance.
The statistics now shows the referrals.
Fixes:
- fixed an issue where getting a huge incremental transfer would prevent the server from answering queries while applying the changes.
- fixed an issue serving IXFR that would occur when a incremental change step was bigger than 64KB
- fixed an issue for Solaris with the memory alignment fix not active everywhere
- fixed an issue on the Solaris build settings
- fixed an issue where sometimes yadifad would not find a configuration file given as a parameter with a relative path
- fixed an issue where a wild-card would not be properly returned with an AXFR
- fixed an issue where dynamically updating a zone at a speed such that the zone file would need to be written multiple times on disk
before finishing the previous write could lead to a deadlock
20151026:
YADIFA 2.1.4
The zone reader error reporting has been improved.
Stacktrace support added for Solaris.
Known issue:
- Adding and or removing NSEC3PARAM dynamically is not properly handled.
Fixes:
- fixed an issue where an NSEC3 answer proving a * query would lead to a crash
- fixed an issue where a private key may be not recognised as such
- fixed an issue where dynamic update prerequisite check would fail a valid match
- fixed an issue where zone signature maintenance would only start if all private keys were available.
20150821:
YADIFA 2.1.3
Fixes:
- fixed an issue that could lead to a crash at startup
- fixed an issue where parsing a TYPE#### record would stop the parser prematurely
20150814:
YADIFA 2.1.2
The ./configure script has a new option: --enable-full-ascii7
This changes the behaviour of DNS name validation to accept all the ASCII7 characters instead of only the DNS-space ones.
Enabling this option is not recommended.
Fixes:
- fixes an issue where the hmac-shaX identification string sent with a TSIG had the suffix ".sig-alg.reg.int".
20150714:
YADIFA 2.1.1
The yadifa command line has a new option: --config|-c file : read the specific configuration file instead of ~/.yadifa.rc
Issues detected on the NSEC3 database have now been upgraded from debug to info/warning
Fixes:
- fixed an issue where, on some cases; the garbage collector for the zones was not triggering for a long time.
- fixed an issue in the Makefile (courtesy of DENIC)
- fixed an issue where a few bytes could be leaked in some rare cases when failing to unload a zone
- fixed an issue in RRL where some values of IPv6 prefix
- fixed an issue accepting some answers on IXFR transfers
20150424:
YADIFA 2.1.0
New journal file format:
This new format addresses a few issues like having maximum journal file and
a relatively constant random access time even for very big sizes.
The internal messaging queue has been changed to address huge amount of zones.
New CHaos queries supported:
hostname
id.server
Known issues:
_ building successfully with LTO may require to append both AR=gcc-ar and RANLIB=gcc-ranlib to the ./configure command
20150403:
YADIFA 2.0.6
This release is a public release.
This minor update's sole purpose is to fix YADIFA builds on OpenBSD.
Fixes:
- fixed a crash that could occur while sending a massive amount of notifications
- OpenBSD builds are fixed.
Tested on: OpenBSD 5.6 amd64, standard installation.
Configure: ./configure
Tested on: OpenBSD 5.6 amd64, with gcc 4.9 installed.
Configure: ./configure CC=egcc
20150226:
YADIFA 2.0.5
This release is a public release.
Fixes:
- fixed an issue with huge IXFR transfers as a master
- fixed an issue with notifications on slave-slave-master setup
- fixed an issue with a potential infinite loop loading an AXFR from a master
- fixed missing hmac-sha* from <key> configuration
- fixed an issue with TLSA records parsing
- fixed an issue with base 16 encoding
- fixed an issue parsing * domains
- fixed an issue with some RRL motivated answers
- increased the maximum number of network interfaces from 5 to 16
- fixed an error in the configuration examples where "statistics" was used instead of "stats"
- minor fixes and improvements
20141216:
YADIFA 2.0.4
This release is a public release.
By popular demand, the default log file directory is now PREFIX/var/log/yadifa. It can be set using --with-logdir=/my/dir
Improved build mechanism.
It has been tested to work automatically on Linux, FreeBSD, OSX, SunOS.
RedHat family builds will use -O2 as maximum optimisations.
Note that some optional features are now enabled by default but can be disabled.
Fixes:
- fixed an issue with the AXFR transfer where the serial number would not be properly taken into account
- fixed an issue with the notify mechanism that could occur if the server was only listening to 127.0.0.1
- fixed an issue with bogus DNSKEY records that may potentially lead to a crash in openssl
- fixed a reported potential "tmpfile" vulnerability on DEBUG builds (generated with make debug)
- fixed an issue with IPv6 connections on some architectures
- typos fixes
- minor fixes and improvements
20141104:
Architecture portability enhancements.
On Solaris, if no --enable-force32bits nor --enable-force64bits is set, then 64 bits will be forced (fixes an issue at link-time)
ELF 64-bit MSB executable SPARCV9 Version 1, UltraSPARC3 Extensions Required, dynamically linked, not stripped, no debugging information available
PATH=/opt/csw/bin:/usr/ccs/bin:$PATH ./configure --enable-force32bits
PATH=/opt/csw/bin:/usr/ccs/bin:$PATH make
20141030:
Architecture portability enhancements.
FreeBSD 9
FreeBSD dnode3 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
gcc (GCC) 4.2.1 20070831 patched [FreeBSD]
ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 9.0 (900044), not stripped
Ubuntu
Linux dnode10 3.2.0-49-generic #75-Ubuntu SMP Tue Jun 18 17:39:32 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xe3b8601b9b5e59f8c9ce519cacbe9b8ff544ff1d, not stripped
OSX
Darwin RD-Mac-Mini.local 13.3.0 Darwin Kernel Version 13.3.0: Tue Jun 3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64 x86_64
Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)
Mach-O 64-bit executable x86_64
20141029:
Architecture portability enhancements.
uname -a
gcc --version
file yadifad
YellowDog Linux
Linux 2.6.29-3.ydl61.4 #1 SMP Mon Sep 7 14:50:27 PDT 2009 ppc64 ppc64 ppc64 GNU/Linux
gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-44)
ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
note: using --enable-force64bits failed because of ssl, no simple/quick way to install openssl-devel.ppc64 seemed available
Debian PPC64
Linux 3.2.0-3-powerpc64 #1 SMP Mon Jul 23 08:03:56 UTC 2012 ppc64 GNU/Linux
gcc (Debian 4.6.3-8) 4.6.3
ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xedc47c984a4af7eb9a7ecbc0f135e4d064ba08f0, with unknown capability 0x41000000 = 0x13676e75, with unknown capability 0x10000 = 0xb0401, not stripped
note: using --enable-force64bits failed because of ssl, no simple/quick way to install openssl-devel.ppc64 seemed available
20141016:
YADIFA 2.0.2
TCP fallback support on truncation
20140905:
YADIFA 2.0.0
This release is a public release
Fixes:
- fixed a log incorrectly reporting an error when the client didn't close the TCP connection fast enough
- fixed an issue with the statistics on TCP queries
Known issue:
- removing the last key of a signed zone is permitted by YADIFA but triggers some chicken-egg issue with signatures.
20140829:
YADIFA 2.0.0-beta3-public
This release is a public release
- --disable-master feature at configure now builds a slave-only server
Fixes:
- fixed an issue with TSIG signed queries
- fixed an issue with thread pool live resizing
- fixed an issue where reading an undeleted obsolete journal ending at the start of a newly transferred zone from the master would incorrectly trigger an error
Known issue:
- removing the last key of a signed zone is permitted by YADIFA but triggers some chicken-egg issue with signatures.
20140630:
YADIFA 2.0.0-beta2-public
This release is a public release
- basepath disabled
- pidpath removed, only pidfile remains
- log reopen notification is now timestamped
- slave zones no longer complain about missing NSEC/NSEC3 private keys
- the error code ZRE_FILE_NOT_FOUND has been replaced by the more accurate code ZRE_NO_VALID_FILE_FOUND
- default logging settings no longer output debug
Fixes:
- fixed issue in flag computation (AD,CD)
- fixed an issue with journal truncation sometimes leading to a crash
- zone parsing now correctly accepts '#' as a comment marker
- zone parsing now rejects wrong fqdn as soon as it reads them, leading to a more accurate error message
- removing the last dnskey of a zone no longer crashes the server
Known issue:
- removing the last key of a signed zone is permitted by YADIFA but triggers some chicken-egg issue with signatures.
yadifa remote client commands prototype is now available with the following supported commands:
-shutdown
shuts down yadifa
e.g. ./yadifa -s "192.0.2.1 port 53" -t shutdown
-cfgreload
reloads the <key> and <zone> sections of the yadifad configuration
e.g. ./yadifa -s "192.0.2.1 port 53" -t cfgreload
-logreopen
closes and reopen the log files
e.g. ./yadifa -s "192.0.2.1 port 53" -t logreopen
-freezeall
prevents all zones from being updated dynamically with nsupdate
e.g. ./yadifa -s "192.0.2.1 port 53" -t freezeall
-freeze
prevents a zone from being updated dynamically with nsupdate
e.g. ./yadifa -s "192.0.2.1 port 53" -t freeze -q somedomain.eu
-unfreezeall
enables updates of all zones again
e.g. ./yadifa -s "192.0.2.1 port 53" -t unfreezeall
-unfreeze
enables updates of a zone again
e.g. ./yadifa -s "192.0.2.1 port 53" -t unfreeze -q somedomain.eu
In order to work, the allow-control ACL must be defined either in <main> for the global commands and
may also be defined in <zone> for the ones targeting a specific zone.
e.g. allow-control 127.0.0.1
Note that tsig is not supported in the client yet.
20140528:
YADIFA 2.0.0-beta1-public
This release is a public release
- NSID implemented (enabled at ./configure time with --enable-nsid
- generic parser for:
- getops
- zone file
- resolv.conf
- configuration
- '@' can now be used in a zone file
- new binary for controlling 'yadifad' (yadifa)
- framework is rewritten for multi core systems
- single core server has been removed
Fixes:
- fixed several minor issues
Know issues:
- removing all dnskeys from a zone file crashes the server
- yadifa has some issues with nodelay, nocork
20130424:
YADIFA 1.1.0
_ added DSA signature
_ added SHA-256 SHA-384 SHA-512 digest algorithms
_ now supports additional DNSSEC algorithms:
DSASHA1
DSASHA1_NSEC3
RSASHA256_NSEC3
RSASHA512_NSEC3
_ Respone Rate Limitation implemented (enabled at ./configure time with --enable-rrl)
_ --enable-tiny-footprint now reduces the memory usage further by reducing the standard log queue from 2^20 to 2^12 entries
_ the general speed has been slightly improved
_ dynamic updates pending for more than 3 seconds are now dropped with an error
_ dynamic provisioning
Fixes:
_ fixed a memory leak that could occur at NSEC3 generation when loading the zone failed in a particular way
_ fixed a memory leak at ixfr send
_ fixed handling of '_' character that was improperly stored in the database
_ fixed bandwidth limit settings (tcp stream in and out) not always being taken from the configuration
_ fixed TSIG answer verification for notifies
_ fixed error codes not being registered and thus logged as unknown hexadecimal error code.
_ other minor fixes
20130612:
YADIFA 1.0.3
Fixes only (backports from 1.1.0)
Fixes:
_ fixed an issue preventing YADIFA from being build from another directory
_ fixed an issue with OSX systems where gsed has to be used instead of sed
_ fixed an issue with the '_' character not being properly handled
_ fixed an issue where reading MX record from a zone file would incorrecly be rejected as invalid
_ fixed an issue where the OPT record would not be properly written
_ fixed an issue where an undefined ACL reference would be silently ignored
_ fixed missing code tags for several error codes. From now on unregistered codes are dumped in hexadicimal.
_ fixed portability issues with BSD and OSX
_ fixed several minor issues
20120921:
YADIFA 1.0.2
Fixes only
Fixes:
_ fixed an issue where the journal file was sometimes not properly closed at the end of a task
_ fixed an issue where the TCP usage slots would sometimes wrongly return that they were all being used
_ fixed an issue on IXFR processing (slave side) where the type of answer from the master would not be properly detected
_ fixed an issue with TSIG on secrets not exactly 16 bytes long (binary form)
_ fixed an issue on 32 bits architectures where the sig-validity-* fields would not be properly handled if not set
on each zone section.
_ slightly improved the replay time of big journal files
_ fixed several minor issues
Known issues:
_ if the serial of a zone is changed in a way that it goes beyond a value such as
the journal serial start is bigger than the journal serial end, issues are expected
for IXFR answers.
_ notify is ignored on TCP
20120709:
YADIFA 1.0.1
_ logging repeat compression is now by channel instead of global
Fixes:
_ fixed an issue where glibc whould assert if libgcc_s.so (libgcc_s.so.1) and libc.so (libc.so.6) where not
available inside the chrooted directory of YADIFA
_ fixed an issue in the syslog module
Known issues:
_ on 32 bits architectures, the sig-validity-* fields are not properly copied from <main> to <zone>
as a workaround, set the sig-validity fields in each <zone> container in 32 bits architectures
ie:
sig-validity-interval 7
sig-validity-regeneration 168
sig-validity-jitter 3600
_ if the serial of a zone is changed in a way that it goes beyond a value such as
the journal serial start is bigger than the journal serial end, issues are expected
for IXFR answers.
_ notify is ignored on TCP
20120625:
YADIFA 1.0.0
_ LTO support can be enabled with --enable-lto but this is not working with clang. LTO does not increase
the performance significally
_ parallel processing of listening addresses can now be enabled.
It can be set using thread-count-by-address in the <main> section.
By default YADIFA will not use parallel processing as this feature has not been
as thoroughly tested as the single-thread processing model
_ default parameters tuning
_ fixes
Known issue:
_ on 32 bits architectures, the sig-validity-* fields are not properly copied from <main> to <zone>
as a workaround, set the sig-validity fields in each <zone> container in 32 bits architectures
ie:
sig-validity-interval 7
sig-validity-regeneration 168
sig-validity-jitter 3600
20120530:
YADIFA 1.0.0RC3
_ the configuration parser now ignores undefined logger names and
report them with a warning
_ syslog messages are now put in the name of "yadifad" instead of the name used for the "syslog" channel
_ syslog messages do not print the time from YADIFA anymore
_ improved the steps involved in loading a locally cached slave zone
_ zones are now loaded in background
_ man page yadifad-conf.man5 renamed into yadifad.conf.man5
Fixes:
_ AXFR/IXFR answers with the RA bit set are nolonger rejected as invalid
_ YADIFA now answers to SIGINT again (shutdown)
_ fixed an issue where obsolete AXFR files were not always being deleted
_ fixed an issue occurring when both IPv4 and IPv6 were available to handle a notify
_ fixed journal replay issue where some RRSIGs records were not properly removed
_ fixed an issue occurring with IPv6 queries
_ fixed an issue in the generation of a specific NSEC3 error answer
_ fixed named query style layout
Known issue:
_ if the serial of a zone is changed in a way that it goes beyond a value such as
the journal serial start is bigger than the journal serial end, issues are expected
for IXFR answers.
_ notify is ignored on TCP
20120328:
YADIFA 1.0.0RC2
_ fixed logging issue on work file creation error
_ fixed an issue where IXFR queries could be rejected as being wrongly formatted
_ fixed an issue in the query logging text
_ enabled command line options ( -u uid -g gid -d )
20120319:
YADIFA 1.0.0RC1
Is a full functional authoritative name server:
- works as primary or secondary name server
- AXFR
- IXFR
- NOTIFY
- NSUPDATE
- TSIG
- CLASSES:
- IN
- CH (just for version)
- TYPES:
- AAAA
- CNAME
- DNSKEY
- DS
- HINFO
- MX
- NAPTR
- NS
- NSEC3
- NSEC3PARAM
- NSEC
- PTR
- RRSIG
- SOA
- SRV
- SSHFP
- TXT
- Automatic resigning
- DNSSEC algorithms:
- 5 (RSASHA1)
- 7 (RSASHA1-NSEC3
- ACL's
KNOWN ISSUES:
NSEC3: _ cannot work with multiple NSEC3PARAM chains with mixed OPT-IN/OUT settings
_ adding a new NSEC3 chain expects that the master sends the NSEC3PARAM first (it does not seems to be always the case)
We have a case where a master starts with 2 thousands NSEC3 opt-out records then adds 6 millions NSEC3 opt-in records but does not give the NSEC3PARAM record
first. The slave server rejects them all because it's unable to link them to a chain. (This one has high priority)
DNSSEC: _ it is not allowed to change the zone security mode (unsecure, NSEC, or NSEC3). Once the zone is loaded it keeps its security mode.
_ dynamic updates of NSEC as well as NSEC3 records are refused
QUIT: the server will shutdown on the following conditions:
_ detection of an impossible situation or an internal integrity issue (ie: for any reason the SOA has vanished from a zone)
_ memory limit reached which prevents any more work
_ ipc issue which prevent internal services communication
ACL: _ since the access control is set by zone and CHAOS class is not implemented as a configurable zone, it is not possible (yet) to specifically block CHAOS queries.
20111121:
YADIFA 0.5.5
- many fixes
KNOWN ISSUE: NSEC3 slave zone replay fails.
20110706:
YADIFA 0.5.0
- slave mode, AXFR/IXFR (no TSIG yet for the slave-side transfer)
- answers to a notify from the master
- polls the (first) master on the masters list
- maintains the .axfr & .ix files (deletes the obsoletes ones)
- TSIG queries are checked
- Replays the zone journal on startup after the zone load (journaling)
- Answers IXFR queries (journaling)
20110601:
YADIFA 0.4.0
Operational:
- It works as a no dnssec name server
- No notifies to slave name servers
- daemon
- Answers AXFR queries with TSIG
- nsupdate functionality (journaling)
- TSIG on client server side will be transmitted, but not checked
- ACL works
- The zone has SOA, NS A resource records.
20110524:
YADIFA 0.3.0
First release internally of yadifad 20110524115500 GMT+1.
Operational:
- It works as a no dnssec name server
- No notifies to slave name servers
- daemon
- Answers AXFR queries
- The zone has SOA, NS A resource records.
20091224:
YADIFA 0.2.0
_ Answers AXFR queries
_ ACL based on IP and TSIG (not all query types are ACL'ed yet)
20091104:
YADIFA 0.1.0
YADIFA is a work in progress. The main goal is to have an alternative for BIND or NSD.
Version 0.1.0 is an authoritative server only.
It has no:
- AXFR/IXFR functionality
- dynupdate
- support for NSEC
- support for NSEC3
- caching mechanism
- additional tools (eg.dig, dnssectools, drill,...)
It has:
- a very fast way to give authoritative answer
- a very fast method for loading the database and checking the zone files
This first release is to have a feeling how it works in an operational environment.
TODO
Everything what is not implemented, has to be implemented. Most of the code is there, but is not activated.
No comformity tests has been done. (This of course is on the todo list)
Bug Reports and Mailing Lists
Bugs reports should be sent to