Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package nsd for openSUSE:Factory checked in 
at 2022-11-11 14:36:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nsd (Old)
 and      /work/SRC/openSUSE:Factory/.nsd.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nsd"

Fri Nov 11 14:36:58 2022 rev:30 rq:1035226 version:4.6.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/nsd/nsd.changes  2022-07-01 13:45:36.426956925 
+0200
+++ /work/SRC/openSUSE:Factory/.nsd.new.1597/nsd.changes        2022-11-11 
14:37:02.658457307 +0100
@@ -1,0 +2,20 @@
+Thu Nov 10 18:23:54 UTC 2022 - Michael Ströder <[email protected]>
+
+- New upstream release 4.6.1
+
+FEATURES:
+- Set ALPN "dot" token during connection establishment as per RFC9103
+   section 7.1 (Thanks Cesar Kuroiwa).
+- Add SVCB dohpath support
+BUG FIXES:
+- Fix static analyzer reports, fix wrong log print when skipping xfr,
+   fix to print error on pipe read fail, and assert an xfr is in
+   progress during packet checks.
+- Use AC_PROG_CC_STDC with autoconf versions prior to 2.70.
+- Add missing documentation for zone verification.
+- Fix #212: Change commandline control actions to always log.
+- Merge #231 from moritzbuhl: Fix checking if nonblocking sockets work
+   on OpenBSD.
+- Change zone parsing to accept non-trailing newline.
+
+-------------------------------------------------------------------

Old:
----
  nsd-4.6.0.tar.gz
  nsd-4.6.0.tar.gz.asc

New:
----
  nsd-4.6.1.tar.gz
  nsd-4.6.1.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nsd.spec ++++++
--- /var/tmp/diff_new_pack.cyz0df/_old  2022-11-11 14:37:03.206459992 +0100
+++ /var/tmp/diff_new_pack.cyz0df/_new  2022-11-11 14:37:03.210460011 +0100
@@ -23,7 +23,7 @@
 %define zonesdir   %{configdir}/zones
 %define pidfile    %{_rundir}/nsd/nsd.pid
 Name:           nsd
-Version:        4.6.0
+Version:        4.6.1
 Release:        0
 #
 Summary:        An authoritative-only domain name server

++++++ nsd-4.6.0.tar.gz -> nsd-4.6.1.tar.gz ++++++
++++ 1815 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/SECURITY.md new/nsd-4.6.1/SECURITY.md
--- old/nsd-4.6.0/SECURITY.md   1970-01-01 01:00:00.000000000 +0100
+++ new/nsd-4.6.1/SECURITY.md   2022-11-10 09:11:36.000000000 +0100
@@ -0,0 +1,31 @@
+# Security Policy
+
+## Supported Versions
+
+NLnet Labs adheres to the straightforward, semantic versioning scheme that is
+commonly used in the software industry.
+
+Support is provided in respect of the latest release, i.e. releases with the
+highest minor and patch version level. We do not backport security fixes to
+older (minor) versions. In the event a new major version is released (e.g.  
from
+3.2.18 to 4.0.0), support will also be provided on the latest minor  version of
+the previous major version (3.2.18) for a period of one year from the release 
of
+the new major version (4.0.0).
+
+In the event that, during this period, a new patch or minor version of the
+previous major version is released, then support on these versions will only be
+provided for the remainder of the one-year-period.
+
+You can find detailed information on our software support policy here:
+
+https://www.nlnetlabs.nl/support/software-support-policy/
+
+## Reporting a Vulnerability
+
+We take security very seriously. If you have discovered a security 
vulnerability
+in one of our projects and you would like to report it to us, you can send an
+encrypted message to our Security Entry Point.
+
+Details are described here:
+
+https://www.nlnetlabs.nl/security-report/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/acx_nlnetlabs.m4 new/nsd-4.6.1/acx_nlnetlabs.m4
--- old/nsd-4.6.0/acx_nlnetlabs.m4      2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/acx_nlnetlabs.m4      2022-11-10 09:11:36.000000000 +0100
@@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 43
+# Version 44
+# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
 # 2021-08-17 fix sed script in ssldir split handling.
 # 2021-08-17 fix for openssl to detect split version, with ssldir_include
 #           and ssldir_lib output directories.
@@ -963,6 +964,9 @@
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
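Review bot: The added `#include <sys/select.h>` only takes effect if `HAVE_SYS_SELECT_H` is already defined when this test program is compiled, so the header check has to run before this macro is expanded. That ordering is not visible in the hunk; if `sys/select.h` is not checked earlier, the guard silently skips the include and the OpenBSD fix is lost without any configure-time warning. Consider making the dependency explicit inside the macro, e.g. `AC_CHECK_HEADERS([sys/select.h],,, [AC_INCLUDES_DEFAULT])`; the neighbouring `HAVE_SYS_TYPES_H` and `HAVE_SYS_SOCKET_H` guards rely on the same ordering. The macro body starts and ends outside the hunk.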
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/configure.ac new/nsd-4.6.1/configure.ac
--- old/nsd-4.6.0/configure.ac  2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/configure.ac  2022-11-10 09:11:36.000000000 +0100
@@ -5,7 +5,7 @@
 sinclude(acx_nlnetlabs.m4)
 sinclude(dnstap/dnstap.m4)
 
-AC_INIT([NSD],[4.6.0],[[email protected]])
+AC_INIT([NSD],[4.6.1],[[email protected]])
 AC_CONFIG_HEADERS([config.h])
 
 #
@@ -174,7 +174,7 @@
 AC_SUBST(user)
 AC_DEFINE_UNQUOTED(USER, ["$user"], [the user name to drop privileges to])
 
-AC_PROG_CC
+m4_version_prereq([2.70], [AC_PROG_CC], [AC_PROG_CC_STDC])
 AC_PROG_SED
 AC_PROG_AWK
 AC_PROG_GREP
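Review bot: The `m4_version_prereq` line carries no comment saying why the compiler macro depends on the autoconf version, and the reason is not obvious to a maintainer who did not follow the 2.70 release. A one-line note above it would do: `dnl AC_PROG_CC_STDC is obsolete as of autoconf 2.70, where AC_PROG_CC itself selects the C standard.`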
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/difffile.c new/nsd-4.6.1/difffile.c
--- old/nsd-4.6.0/difffile.c    2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/difffile.c    2022-11-10 09:11:36.000000000 +0100
@@ -1508,7 +1508,7 @@
                }
        }
        else {
-               DEBUG(DEBUG_XFRD,1, (LOG_INFO, "skipping xfr: %s", log_buf));
+               DEBUG(DEBUG_XFRD,1, (LOG_INFO, "skipping xfr: %s", zone_buf));
        }
        return 1;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/dns.h new/nsd-4.6.1/dns.h
--- old/nsd-4.6.0/dns.h 2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/dns.h 2022-11-10 09:11:36.000000000 +0100
@@ -174,7 +174,8 @@
 #define SVCB_KEY_IPV4HINT              4
 #define SVCB_KEY_ECH           5
 #define SVCB_KEY_IPV6HINT              6
-#define SVCPARAMKEY_COUNT 7
+#define SVCB_KEY_DOHPATH               7
+#define SVCPARAMKEY_COUNT 8
 
 #define MAXLABELLEN    63
 #define MAXDOMAINLEN   255
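Review bot: `SVCPARAMKEY_COUNT` is bumped to 8 by hand here and has to match the length of `svcparamkey_strs[]` in rdata.c, which this commit extends with "dohpath" in a separate file; nothing visible ties the two together. If any lookup indexes that table with a key below `SVCPARAMKEY_COUNT` (no such lookup is shown in these hunks), a future key added in only one of the two places would read past the end of the array. Consider a compile-time check next to the table where C11 is available, e.g. `_Static_assert(sizeof(svcparamkey_strs)/sizeof(svcparamkey_strs[0]) == SVCPARAMKEY_COUNT, "svcparamkey_strs out of sync");`, or at least a comment on the define: `/* keep in sync with svcparamkey_strs[] in rdata.c */`.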
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/doc/ChangeLog new/nsd-4.6.1/doc/ChangeLog
--- old/nsd-4.6.0/doc/ChangeLog 2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/doc/ChangeLog 2022-11-10 09:11:36.000000000 +0100
@@ -1,5 +1,42 @@
+1 November 2022: Wouter
+       - Fixup for non-trailing newline lexer change warnings.
+       - Update doc/RELNOTES for changes.
+       - Fix ixfr_gone unit test to not use system default zone list file.
+       - Fix credns tests for vm usage, and not use system default zone
+         list file.
+       - Fix verify tests to use more portable bash location in script.
+       - Fix verify_again test to use ipv4 address for test.
+
+1 November 2022: Tom
+       - Add SVCB dohpath support
+
+28 September 2022: Jeroen
+       - Set ALPN "dot" token during connection establishment as per RFC9103
+         section 7.1 (Thanks Cesar Kuroiwa).
+
+21 September 2022: Tom
+       - Change zone parsing to accept non-trailing newline.
+
+1 September 2022: Wouter
+       - Merge #231 from moritzbuhl: Fix checking if nonblocking sockets work
+         on OpenBSD.
+
+19 August 2022: Wouter
+       - Update cirrus build script for newer Ubuntu image, and FreeBSD
+         build with libtoolize to install auxiliary files.
+       - Update to clang 14 in cirrus build test on Ubuntu Jammy 22.04.
+
+7 July 2022: Tom
+       - Fix #212: Change commandline control actions to always log.
+
+1 July 2022: Wouter
+       - Fix static analyzer reports, fix wrong log print when skipping xfr,
+         fix to print error on pipe read fail, and assert an xfr is in
+         progress during packet checks.
+
 23 June 2022: Wouter
-       - Tag for 4.6.0rc1.
+       - Tag for 4.6.0rc1. It became 4.6.0 on 30 June 2022, and it continues
+         with version 4.6.1.
 
 17 June 2022: Wouter
        - Fix compilation with libev, without event_base_loopbreak.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/doc/NSD-VERIFY-MODS new/nsd-4.6.1/doc/NSD-VERIFY-MODS
--- old/nsd-4.6.0/doc/NSD-VERIFY-MODS   1970-01-01 01:00:00.000000000 +0100
+++ new/nsd-4.6.1/doc/NSD-VERIFY-MODS   2022-11-10 09:11:36.000000000 +0100
@@ -0,0 +1,210 @@
+In this file a quick overview of all the modifications that have been made for
+zone verification.
+
+
+Configuring the verifier
+========================
+
+Configure (nsd.conf) options were added. In the new "verify:" clause:
+       enable:
+       port:
+       ip-address:
+       verify-zones:
+       verifier:
+       verifier-count,
+       verifier-feed-zone,
+    and verifier-timeout.
+
+And for the "zone:" and "pattern:" clauses:
+       verify-zone,
+       verifier,
+       verifier-feed-zone,
+    and verifier-timeout.
+
+To parse the syntax for those options, configlexer.lex and configparser.y are
+modified. To hold those configuration values, the structs nsd_options and
+pattern_options in the file options.h are extended.
+
+The type of pattern_options::verifier, char**, is in the vector of arguments
+form that can be used by the execve family of executing functions. The helper
+type "struct component" is defined to help parsing a command with arguments.
+A zone_verifier is a list of STRING tokens. A stack of component is
+constructed from those strings, that eventually is converted to an argument
+in configparser.y.
+
+
+Difffile modifications
+======================
+
+It is possible that during a reload updates for multiple different zones are
+read. If some should be loaded (because they verified or didn't need to be
+verified) and some not, we have a problem because the database is updated
+with all the updates (also the bad ones) and we cannot easily selectively
+undo only the bad updates.
+
+In order to break this situation the committed field of each transfer is
+utilized. Initially it will be assigned the value DIFF_NOT_COMMITTED (0).
+When an update is verified this will be modified to DIFF_COMMITTED (1),
+DIFF_CORRUPT (2) or DIFF_INCONSISTENT (4) depending on whether the update
+was applied and verified successfully. When a reload resulted in one or
+more zones being corrupt or inconsistent, the newly forked server will quit
+with exit status NSD_RELOAD_FAILED and the parent server will initiate a new
+reload. Then it is clear which updates should be merged with the database (the
+updates which committed field is neither DIFF_CORRUPT or DIFF_INCONSISTENT).
+
+       Handling of the NSD_RELOAD_FAILED exit status of a child reload server
+       is in server_main (server.c)
+
+To allow updates to be applied again on failure, xfrd has been updated to keep
+all updates for each zone around until a reload succeeds. The set of updates
+is fixed once a reload has been initiated to avoid a potentially infinite
+loop. During the update window, xfrd will accept and transfer updates, but
+does not schedule them until the reload finishes. As a result, xfrd manages
+the updates stored on disk rather than the server, which previously just
+removed each update during the reload process regardless of the result.
+Potentially resulting in the same transfer being tried mutiple times if the
+set of updates contained a bad update.
+
+
+Running verifiers
+=================
+
+In server_reload (in server.c) the function server_verify is called just after
+all updates are merged into the (in memory) database, but just before the new
+database will be served. server_verify sets up a temporary event loop, calls
+verify_zone repeatedly to run the verifiers and mark each updated zone.
+server_reload then inspects the update status for each zone and communicates
+the number of good and bad zones in the update. server_reload then decides how
+to continue based on the number of good and bad zones as described above.
+
+verify_zone is defined in verify.c (and .h). The function creates the
+necessary pipes, starts the verifier and then sets up the required events and
+registers them with the event loop.
+
+The state for each verifier is maintained an array of struct verifier. The
+size of the array is "verifier-count:" big. Each verifier that runs
+simultaneously is assigned a slot. When no free slots are available it waits
+until a running verifier is finished (or timed out) and a free slot is
+available for a potential next verifier to run simultaneously with the already
+running verifiers. The default setting is to run just one verifier at once,
+which will probably be fine in most situations.
+
+Once all verifiers are finised (or timed out), the event loop is exited and
+server_reload communicates the status for each updated zone.
+
+
+Environment variables for the verifiers
+=======================================
+
+Verifiers are informed on how a zone can be verified through environment
+variables. The information on which addresses and ports a verifier may query a
+zone to be assessed is available and set on startup just after reading the
+configuration and setting up the sockets in nsd.c by calling
+setup_verifier_environment (also in nsd.c).
+
+Verifiers are spawned (via verify_zone) with popen3. verify_zone sets the zone
+specific environment variables (VERIFY_ZONE and VERIFY_ZONE_ON_STDIN) just
+before it executes the verifier with execvp. Server sockets are automatically
+closed when the verifier is executed.
+
+
+Logging a verifiers standard output and error streams
+=====================================================
+
+Everything a verifier outputs to stdin and stderr is logged in the nsd log
+file.  Handler with handle_log_from_fd (verify.c) as a callback are setup by
+server_verifiers_add. The log_from_fd_t struct is the user_data for the handler
+and contains besides the priority and the file descriptor, variables that are
+used by handle_log_from_fd to make sure logged lines will never exceed
+LOGLINELEN in length and will be split into parts if necessary.
+
+Note that in practice error messages are always logged before messages on the
+standard output, because stdout is buffered and stderr is not. Maybe it is more
+convenient to set stdout to unbuffered too.
+
+
+Feeding a zone to a verifier
+============================
+
+The complete zone may be fed to the standard input of a verifier when the
+"verifier-feed-zone:" configuration option has value "yes" (the default). For
+this purpose a verify_handle_feed (verify.c) handler is called when the
+standard input file descriptor of the verifier is writeable. The function
+utilizes the zone_rr_iter_next (verify.c) function to get the next rr to
+write to the verifier. The verifier_zone_feed struct is used to maintain state
+(the file handle, the rr pretty printing state and the zone iterator).
+
+
+Serving a zone to a verifier
+============================
+
+The nsd struct (in nsd.h) is extended with two arrays of nsd_socket structs:
+verify_tcp and verify_udp and an verify_ifs size_t which holds the number of
+sockets for verifying. This reflects the tcp, udp and ifs members that are used
+for normal serving. Several parts in the code that operate on the tcp and udp
+arrays is simply reused with the verify_tcp and verify_udp arrays.
+
+Furthermore, in places in server.c were before the server_close_all_sockets
+(server.c) function was used with the normal server sockets, the function is
+called subsequently for the verify sockets. Also in server_start_xfrd the
+sockets for verifiers are closed in the xfrd child process, because it has no
+need for them.
+
+
+Verifier timeouts
+=================
+
+A handler for timeouts (as configured with the "verifier-timeout:" option) is
+added by server_verifiers_add at verifier initialization time. The callback is
+handle_verifier_timeout (verify.c) and the verifier_state_type for the verifier
+is used as user_data.
+
+verify_handle_timeout simply kills the verifier (by sending SIGTERM) and does
+not cleanup the verifier state for reuse. This is done in verify_handle_exit,
+which is triggered once the verifier exits, because it can handle and start
+more verifiers simultaneously.
+
+
+Aborting the reload process (and killing all running verifiers)
+===============================================================
+
+A reload might (especially with a verifier) take some time. A parent server
+process could in this time be asked to quit. If that happens and it has a child
+reload server process, it sends the NSD_QUIT command over the communication
+channel. verify_handle_command, which is registered when the temporary event
+loop is created, is triggered and sends a SIGTERM signal to each of the
+verifiers.
+
+
+Refreshing and expiring zones
+=============================
+
+When the SOA-Refresh timer runs out, a fresh zone is tried to be fetched from
+the master server. If that fails, each SOA-Retry time will be tried again. To
+prevent a bad zone from being verified again and again, xfrd remembers the
+last serial number of the zone that didn't verify. It will not try to transfer
+a zone with the bad serial number again.
+
+Before afer reloading, the reload process informed xfrd which SOA's were
+merged in the database, so that xfrd knew when zone needed to be refreshed.
+This is adapted to inform xfrd about bad zones. The function
+inform_xfrd_new_soas is called for this in server.c. It communicated either
+good or bad soas. When bad soas are communicated a session starts with
+NSD_BAD_SOA_BEGIN. For only good zones it starts with NSD_SOA_BEGIN. Each soa
+is preceded by a NSD_SOA_INFO. When all soas are communicated, NSD_SOA_END is
+send. Reception of these messages by xfrd is handled by function
+xfrd_handle_ipc_read in ipc.c. In the xfrd_state struct (in xfrd.h), the
+boolean parent_bad_soa_infos is added to help with this control flow in ipc.
+
+The soas are eventually processed by xfrd, via xfrd_handle_ipc_SOAINFO in
+ipc.c, with the xfrd_handle_incoming_soa function in xfrd.c.  The function
+make sure that if a bad soa was received it is remembered in the xfrd_zone
+struct. Two new variables are added for the purpose to this struct: soa_bad
+and soa_bad_acquired.  The values are stored and read to the xfrd.state file
+with the functions xfrd_write_state_soa and xfrd_read_state respectively.
+
+In xfrd.c function xfrd_parse_received_xfr_packet is adapted to make sure that
+known bad serials are not transfered again unless the transfer is in a
+response to a notify. And even then only when the SOA matches the one in the
+notify (if it contained one, otherwise any SOA is good).
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/doc/README new/nsd-4.6.1/doc/README
--- old/nsd-4.6.0/doc/README    2022-06-30 09:22:21.000000000 +0200
+++ new/nsd-4.6.1/doc/README    2022-11-10 09:11:39.000000000 +0100
@@ -21,7 +21,7 @@
 
 1.0 Introduction
 
-This is NSD Name Server Daemon (NSD) version 4.6.0.
+This is NSD Name Server Daemon (NSD) version 4.6.1.
 
 The NLnet Labs Name Server Daemon (NSD) is an authoritative RFC compliant 
 DNS nameserver. It was first conceived to allow for more genetic 
@@ -57,7 +57,7 @@
 
 1.2 Quick build and install
 
-Step 1: Unpack the source with gtar -xzvf nsd-4.6.0.tar.gz
+Step 1: Unpack the source with gtar -xzvf nsd-4.6.1.tar.gz
 
 Step 2: Create user nsd or any other unprivileged user of your
         choice. In case of later make sure to use
@@ -111,9 +111,9 @@
 Use your favorite combination of tar and gnu zip to unpack the source,
 for example
 
-$ gtar -xzvf nsd-4.6.0.tar.gz
+$ gtar -xzvf nsd-4.6.1.tar.gz
 
-will unpack the source into the ./nsd-4.6.0 directory...
+will unpack the source into the ./nsd-4.6.1 directory...
 
 
 2.2 Configuring NSD
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/doc/RELNOTES new/nsd-4.6.1/doc/RELNOTES
--- old/nsd-4.6.0/doc/RELNOTES  2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/doc/RELNOTES  2022-11-10 09:11:36.000000000 +0100
@@ -1,5 +1,22 @@
 NSD RELEASE NOTES
 
+4.6.1
+================
+FEATURES:
+       - Set ALPN "dot" token during connection establishment as per RFC9103
+         section 7.1 (Thanks Cesar Kuroiwa).
+       - Add SVCB dohpath support
+BUG FIXES:
+       - Fix static analyzer reports, fix wrong log print when skipping xfr,
+         fix to print error on pipe read fail, and assert an xfr is in
+         progress during packet checks.
+       - Use AC_PROG_CC_STDC with autoconf versions prior to 2.70.
+       - Add missing documentation for zone verification.
+       - Fix #212: Change commandline control actions to always log.
+       - Merge #231 from moritzbuhl: Fix checking if nonblocking sockets work
+         on OpenBSD.
+       - Change zone parsing to accept non-trailing newline.
+
 4.6.0
 ================
 FEATURES:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/nsd-checkconf.8.in new/nsd-4.6.1/nsd-checkconf.8.in
--- old/nsd-4.6.0/nsd-checkconf.8.in    2022-06-30 09:22:21.000000000 +0200
+++ new/nsd-4.6.1/nsd-checkconf.8.in    2022-11-10 09:11:39.000000000 +0100
@@ -1,4 +1,4 @@
-.TH "nsd\-checkconf" "8" "Jun 30, 2022" "NLnet Labs" "nsd 4.6.0"
+.TH "nsd\-checkconf" "8" "Nov 10, 2022" "NLnet Labs" "nsd 4.6.1"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/nsd-checkzone.8.in new/nsd-4.6.1/nsd-checkzone.8.in
--- old/nsd-4.6.0/nsd-checkzone.8.in    2022-06-30 09:22:21.000000000 +0200
+++ new/nsd-4.6.1/nsd-checkzone.8.in    2022-11-10 09:11:39.000000000 +0100
@@ -1,4 +1,4 @@
-.TH "nsd\-checkzone" "8" "Jun 30, 2022" "NLnet Labs" "nsd 4.6.0"
+.TH "nsd\-checkzone" "8" "Nov 10, 2022" "NLnet Labs" "nsd 4.6.1"
 .\" Copyright (c) 2014, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/nsd-control.8.in new/nsd-4.6.1/nsd-control.8.in
--- old/nsd-4.6.0/nsd-control.8.in      2022-06-30 09:22:21.000000000 +0200
+++ new/nsd-4.6.1/nsd-control.8.in      2022-11-10 09:11:39.000000000 +0100
@@ -1,4 +1,4 @@
-.TH "nsd\-control" "8" "Jun 30, 2022" "NLnet Labs" "nsd 4.6.0"
+.TH "nsd\-control" "8" "Nov 10, 2022" "NLnet Labs" "nsd 4.6.1"
 .\" Copyright (c) 2011, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/nsd.8.in new/nsd-4.6.1/nsd.8.in
--- old/nsd-4.6.0/nsd.8.in      2022-06-30 09:22:21.000000000 +0200
+++ new/nsd-4.6.1/nsd.8.in      2022-11-10 09:11:39.000000000 +0100
@@ -1,9 +1,9 @@
-.TH "NSD" "8" "Jun 30, 2022" "NLnet Labs" "NSD 4.6.0"
+.TH "NSD" "8" "Nov 10, 2022" "NLnet Labs" "NSD 4.6.1"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
 .B nsd
-\- Name Server Daemon (NSD) version 4.6.0.
+\- Name Server Daemon (NSD) version 4.6.1.
 .SH "SYNOPSIS"
 .B nsd
 .RB [ \-4 ] 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/nsd.conf.5.in new/nsd-4.6.1/nsd.conf.5.in
--- old/nsd-4.6.0/nsd.conf.5.in 2022-06-30 09:22:21.000000000 +0200
+++ new/nsd-4.6.1/nsd.conf.5.in 2022-11-10 09:11:39.000000000 +0100
@@ -1,4 +1,4 @@
-.TH "nsd.conf" "5" "Jun 30, 2022" "NLnet Labs" "nsd 4.6.0"
+.TH "nsd.conf" "5" "Nov 10, 2022" "NLnet Labs" "nsd 4.6.1"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
@@ -101,6 +101,7 @@
 .P
 At the top level only 
 .BR server: ,
+.BR verify: ,
 .BR key: ,
 .BR pattern: ,
 .BR zone: ,
@@ -113,7 +114,9 @@
 .B server: 
 attribute is followed by global options for the 
 .B NSD 
-server. A 
+server. The
+.B verify:
+attribute is used to control zone verification. A
 .B key: 
 attribute is used to define keys for authentication. The
 .B pattern:
@@ -626,6 +629,86 @@
 This certificate has to be signed with the server certificate.
 This file is generated by the \fInsd\-control\-setup\fR utility.
 This file is used by \fInsd\-control\fR.
+.SS "Verifier options"
+The
+.B verify:
+clause is used to enable or disable zone verification, configure listen
+interfaces and control the global defaults.
+.TP
+.B enable:\fR <yes or no>
+Enable zone verification. Default is no.
+.TP
+.B port:\fR <number>
+The port to answer verifier queries on. Default is 5347.
+.TP
+.B ip\-address:\fR
+Interfaces to bind for zone verification (default are the localhost
+interfaces, usually 127.0.0.1 and ::1). To bind to multiple IP addresses,
+list them one by one. Optionally,  Socket options cannot be specified for 
verify
+ip-address
+.TP
+.B verify\-zones:\fR <yes or no>
+Verify zones by default.
+.TP
+.B verifier:\fR <command>
+When an update is received for the zone (by IXFR or AXFR) this program will be
+run to assess the zone with the update. When the program exists with a status
+code of 0, the zone is considered good and will be served. Any other status
+code will designate the zone bad and the received update will be discarded.
+The zone will continue to be served but without the update.
+.P
+.RS
+The following environment variables are available to verifiers:
+.P
+.RS
+.B VERIFY_ZONE
+.RS
+The domain name of the zone to be verified.
+.RE
+.B VERIZFY_ZONE_ON_STDIN
+.RS
+When the zone can be read from standard input (stdin), this variable is set
+to "yes", otherwise it is set to "no".
+.RE
+.B VERIFY_IP_ADDRESSES
+.RS
+The first address on which the zones to be assessed will be served.
+If IPv6 is available an IPv6 address will be preferred over IPv4.
+.RE
+.B VERIFY_PORT
+.RS
+The port number for \fBVERIFY_IP_ADDRESS\fR.
+.RE
+.B VERIFY_IPV6_ADDRESS
+.RS
+The first IPv6 address on which the zones to be assessed will be served.
+.RE
+.B VERIFY_IPV6_PORT
+.RS
+The port number for \fBVERIFY_IPV6_ADDRESS\fR.
+.RE
+.B VERIFY_IPV4_ADDRESS
+.RS
+The first IPv4 address on which the zones to be assessed will be served.
+.RE
+.B VERIFY_IPV4_PORT
+.RS
+The port number for \fBVERIFY_IPV4_ADDRESS\fR.
+.RE
+.RE
+.RE
+.TP
+.B verifier\-count:\fR <number>
+Maximum number of verifiers to run concurrently. Default is 1.
+.TP
+.B verifier\-feed\-zone:\fR <yes or no>
+Feed the updated zone to the verifier over standard input (stdin).
+.TP
+.B verifier\-timeout:\fR <seconds>
+The maximum number of seconds a verifier is allowed to run for assessing one
+zone. If the verifier takes longer, it will be terminated and the zone update
+will be discarded. The default is 0 seconds which means the verifier may take
+as long as it needs.
 .SS "Pattern Options"
 The
 .B pattern:
@@ -656,8 +739,12 @@
 .BR ixfr\-size ,
 .BR create\-ixfr ,
 .BR zonestats ,
+.BR outgoing\-interface ,
+.BR verify\-zone ,
+.BR verifier ,
+.BR verifier\-feed\-zone ,
 and
-.B outgoing\-interface 
+.B verifier\-timeout
 can be given.  They are applied to the patterns and zones that include
 this pattern.
 .SS "Zone Options"
@@ -894,6 +981,25 @@
 Default no.  If enabled, checks all masters for the last version.  It uses
 the higher version of all the configured masters.  Useful if you have multiple
 masters that have different version numbers served.
+.TP
+.B verify\-zone:\fR <yes or no>
+Enable or disable verification for this zone. Default is value\-zones
+configured in
+.B verify:\fR.
+.TP
+.B verifier:\fR <command>
+Command to execute to assess this zone. Default is verifier configured in
+.B verify:\fR.
+.TP
+.B verifier-feed-zone:\fR <yes or no>
+Feed updated zone to verifier over standard input. Default is
+verifier\-feed\-zone configured in
+.B verify:\fR.
+.TP
+.B verifier\-timeout: <seconds>
+Number of seconds before verifier is forcefully terminated. Specify 0 (zero)
+to not use a specific timeout. Default is verifier\-timeout from
+.B verify:\fR.
 .SS "Key Declarations"
 The 
 .B key: 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/rdata.c new/nsd-4.6.1/rdata.c
--- old/nsd-4.6.0/rdata.c       2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/rdata.c       2022-11-10 09:11:36.000000000 +0100
@@ -68,7 +68,7 @@
 
 const char *svcparamkey_strs[] = {
                "mandatory", "alpn", "no-default-alpn", "port",
-               "ipv4hint", "ech", "ipv6hint"
+               "ipv4hint", "ech", "ipv6hint", "dohpath"
        };
 
 typedef int (*rdata_to_string_type)(buffer_type *output,
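Review bot: `svcparamkey_strs[]` is filled positionally, so the new "dohpath" entry is correct only if `SVCB_KEY_DOHPATH` is the eighth key constant; the enum is defined outside this diff, so that cannot be confirmed here. Nothing ties the table length to the highest known key, and a key constant added later without a matching string would let a lookup by key number read past the array. A compile-time check beside the table would catch that where the project's C dialect allows it, for example `_Static_assert(sizeof(svcparamkey_strs)/sizeof(svcparamkey_strs[0]) == SVCB_KEY_DOHPATH + 1, "svcparamkey_strs out of sync");`, or designated initialisers such as `[SVCB_KEY_DOHPATH] = "dohpath"`.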
@@ -824,6 +824,7 @@
                case SVCB_KEY_IPV4HINT:
                case SVCB_KEY_IPV6HINT:
                case SVCB_KEY_MANDATORY:
+               case SVCB_KEY_DOHPATH:
                        return 0;
                default:
                        return 1;
@@ -844,6 +845,8 @@
                return rdata_svcparam_alpn_to_string(output, val_len, data+2);
        case SVCB_KEY_ECH:
                return rdata_svcparam_ech_to_string(output, val_len, data+2);
+       case SVCB_KEY_DOHPATH:
+               /* fallthrough */
        default:
                buffer_write(output, "=\"", 2);
                dp = (void*) (data + 2);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/remote.c new/nsd-4.6.1/remote.c
--- old/nsd-4.6.0/remote.c      2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/remote.c      2022-11-10 09:11:36.000000000 +0100
@@ -2443,7 +2443,8 @@
                (void)ssl_printf(res, "error version mismatch\n");
                return;
        }
-       VERBOSITY(2, (LOG_INFO, "control cmd: %s", buf));
+       /* always log control commands */
+       VERBOSITY(0, (LOG_INFO, "control cmd: %s", buf));
 
        /* figure out what to do */
        execute_cmd(rc, res, buf, s);
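Review bot: With the level lowered to 0 in `VERBOSITY(0, (LOG_INFO, "control cmd: %s", buf));`, the whole command line received on the control channel is logged in every configuration, arguments included. If any control command carries secret material in its arguments (nsd-control's TSIG key commands take the key secret, as far as I know), that secret now lands in syslog or the log file, which is usually readable by more accounts and forwarded to more places than the control socket. Logging only the command word for such commands, or replacing their arguments with a fixed marker before this call, keeps the audit trail without the secret; a comment such as `/* arguments of key-management commands are not logged */` would document the rule. `buf` is also printed as received, so it is worth confirming that the logger escapes newlines and other control characters. The enclosing function starts and ends outside the hunk.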
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/verify.c new/nsd-4.6.1/verify.c
--- old/nsd-4.6.0/verify.c      2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/verify.c      2022-11-10 09:11:36.000000000 +0100
@@ -296,7 +296,11 @@
 
        nsd = (struct nsd *)arg;
 
-       (void)read(fd, buf, sizeof(buf));
+       if(read(fd, buf, sizeof(buf)) == -1) {
+               if(errno != EAGAIN && errno != EINTR && errno != EWOULDBLOCK)
+                       log_msg(LOG_ERR, "verify_handle_exit: read failed: %s",
+                               strerror(errno));
+       }
 
        while(((pid = waitpid(-1, &wstatus, WNOHANG)) == -1 && errno == EINTR)
            || (pid > 0))
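Review bot: The new `read()` check only logs and then continues into the `waitpid()` loop, and nothing in the code says that this is deliberate. A comment above it, e.g. `/* a failed read is not fatal: children are still reaped below */`, would make the best-effort intent explicit; if the pipe exists only as a wake-up channel, which the hunk does not show, the comment should say that too. A return value of 0 (write end closed) still passes silently, so if that state is reachable it deserves its own log line. The function body starts before and continues after the hunk.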
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/xfrd-tcp.c new/nsd-4.6.1/xfrd-tcp.c
--- old/nsd-4.6.0/xfrd-tcp.c    2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/xfrd-tcp.c    2022-11-10 09:11:36.000000000 +0100
@@ -36,6 +36,7 @@
 create_ssl_context()
 {
        SSL_CTX *ctx;
+       unsigned char protos[] = { 3, 'd', 'o', 't' };
        ctx = SSL_CTX_new(TLS_client_method());
        if (!ctx) {
                log_msg(LOG_ERR, "xfrd tls: Unable to create SSL ctxt");
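Review bot: `protos` in create_ssl_context() is the ALPN list in wire format, where the leading 3 is the length of "dot", and nothing in the code says so. Declaring it `static const unsigned char protos[] = { 3, 'd', 'o', 't' };` with a comment like `/* ALPN protocol list: one length byte, then the name (RFC 9103 section 7.1) */` makes the encoding explicit and keeps the length byte from being edited independently of the name. In the following hunk (-51) the `!= 0` test is right because SSL_CTX_set_alpn_protos() returns 0 on success, the opposite of most OpenSSL setters, and a one-line comment there would stop it being "corrected" later. The client only offers the token here; whether the protocol actually negotiated is checked after the handshake is not visible in this diff.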
@@ -51,6 +52,12 @@
                log_msg(LOG_ERR, "xfrd tls: Unable to set minimum TLS version 
1.3");
                return NULL;
        }
+
+       if (SSL_CTX_set_alpn_protos(ctx, protos, sizeof(protos)) != 0) {
+               SSL_CTX_free(ctx);
+               log_msg(LOG_ERR, "xfrd tls: Unable to set ALPN protocols");
+               return NULL;
+       }
        return ctx;
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/xfrd.c new/nsd-4.6.1/xfrd.c
--- old/nsd-4.6.0/xfrd.c        2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/xfrd.c        2022-11-10 09:11:36.000000000 +0100
@@ -2246,6 +2246,7 @@
        xfrd_soa_type soa;
        enum xfrd_packet_result res;
         uint64_t xfrfile_size;
+       assert(zone->latest_xfr);
 
        /* parse and check the packet - see if it ends the xfr */
        switch((res=xfrd_parse_received_xfr_packet(zone, packet, &soa)))
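Review bot: The new `assert(zone->latest_xfr);` is compiled out when NDEBUG is defined, and the hunk at -2282 removes the `&& zone->latest_xfr` test, so in such builds `zone->latest_xfr->query_type` is dereferenced with no runtime guard. This code checks packets received from a master, so if a packet can arrive while no transfer is recorded as in progress, the outcome would be a NULL dereference in the transfer daemon rather than a dropped packet; whether the callers already rule that out is outside the diff. Keeping a cheap runtime check next to the assert, for example `if(!zone->latest_xfr) return xfrd_packet_bad;` or whichever result the callers treat as a rejected packet, keeps the invariant check in debug builds and fails closed in release builds. The function body starts and ends outside both hunks.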
@@ -2282,7 +2283,6 @@
                                        zone->master->ip_address_spec));
                        }
                        if (res == xfrd_packet_notimpl
-                               && zone->latest_xfr
                                && zone->latest_xfr->query_type == TYPE_IXFR)
                                return res;
                        else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/zlexer.c new/nsd-4.6.1/zlexer.c
--- old/nsd-4.6.0/zlexer.c      2022-06-30 09:22:21.000000000 +0200
+++ new/nsd-4.6.1/zlexer.c      2022-11-10 09:11:39.000000000 +0100
@@ -627,6 +627,12 @@
        lexer_state = EXPECT_OWNER;
 }
 
+int at_eof(void)
+{
+       static int once = 1;
+       return (once = !once) ? 0 : NL;
+}
+
 #ifndef yy_set_bol /* compat definition, for flex 2.4.6 */
 #define yy_set_bol(at_bol) \
        { \
@@ -636,18 +642,18 @@
        }
 #endif
        
-#line 638 "<stdout>"
+#line 644 "<stdout>"
 #define YY_NO_INPUT 1
-#line 121 "zlexer.lex"
+#line 127 "zlexer.lex"
 #ifndef YY_NO_UNPUT
 #define YY_NO_UNPUT 1
 #endif
 #ifndef YY_NO_INPUT
 #define YY_NO_INPUT 1
 #endif
-#line 647 "<stdout>"
+#line 653 "<stdout>"
 
-#line 649 "<stdout>"
+#line 655 "<stdout>"
 
 #define INITIAL 0
 #define incl 1
@@ -868,9 +874,9 @@
                }
 
        {
-#line 143 "zlexer.lex"
+#line 149 "zlexer.lex"
 
-#line 872 "<stdout>"
+#line 878 "<stdout>"
 
        while ( /*CONSTCOND*/1 )                /* loops until end-of-file is 
reached */
                {
@@ -936,17 +942,17 @@
 
 case 1:
 YY_RULE_SETUP
-#line 144 "zlexer.lex"
+#line 150 "zlexer.lex"
 /* ignore */
        YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 145 "zlexer.lex"
+#line 151 "zlexer.lex"
 { lexer_state = PARSING_RDATA; return DOLLAR_TTL; }
        YY_BREAK
 case 3:
 YY_RULE_SETUP
-#line 146 "zlexer.lex"
+#line 152 "zlexer.lex"
 { lexer_state = PARSING_RDATA; return DOLLAR_ORIGIN; }
        YY_BREAK
 /*
@@ -955,7 +961,7 @@
         */
 case 4:
 YY_RULE_SETUP
-#line 152 "zlexer.lex"
+#line 158 "zlexer.lex"
 {
        BEGIN(incl);
        /* ignore case statement fallthrough on incl<EOF> flex rule */
@@ -963,10 +969,10 @@
        YY_BREAK
 case 5:
 /* rule 5 can match eol */
-#line 157 "zlexer.lex"
+#line 163 "zlexer.lex"
 YY_RULE_SETUP
 case YY_STATE_EOF(incl):
-#line 157 "zlexer.lex"
+#line 163 "zlexer.lex"
 {
        int error_occurred = parser->error_occurred;
        BEGIN(INITIAL);
@@ -978,7 +984,7 @@
        YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 165 "zlexer.lex"
+#line 171 "zlexer.lex"
 {      
        char *tmp;
        domain_type *origin = parser->origin;
@@ -1042,25 +1048,30 @@
 }
        YY_BREAK
 case YY_STATE_EOF(INITIAL):
-#line 226 "zlexer.lex"
+#line 232 "zlexer.lex"
 {
+       int eo = at_eof();
        yy_set_bol(1); /* Set beginning of line, so "^" rules match.  */
        if (include_stack_ptr == 0) {
+               if(eo == NL)
+                       return eo;
                yyterminate();
        } else {
                fclose(yyin);
                pop_parser_state();
+               if(eo == NL)
+                       return eo;
        }
 }
        YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 235 "zlexer.lex"
+#line 246 "zlexer.lex"
 { zc_warning("Unknown directive: %s", yytext); }
        YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 236 "zlexer.lex"
+#line 247 "zlexer.lex"
 {
        LEXOUT((". "));
        return parse_token('.', yytext, &lexer_state);
@@ -1068,7 +1079,7 @@
        YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 240 "zlexer.lex"
+#line 251 "zlexer.lex"
 {
        LEXOUT(("@ "));
        return parse_token('@', yytext, &lexer_state);
@@ -1076,7 +1087,7 @@
        YY_BREAK
 case 10:
 YY_RULE_SETUP
-#line 244 "zlexer.lex"
+#line 255 "zlexer.lex"
 {
        LEXOUT(("\\# "));
        return parse_token(URR, yytext, &lexer_state);
@@ -1085,7 +1096,7 @@
 case 11:
 /* rule 11 can match eol */
 YY_RULE_SETUP
-#line 248 "zlexer.lex"
+#line 259 "zlexer.lex"
 {
        ++parser->line;
        if (!paren_open) { 
@@ -1100,7 +1111,7 @@
        YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 259 "zlexer.lex"
+#line 270 "zlexer.lex"
 {
        if (paren_open) {
                zc_error("nested parentheses");
@@ -1113,7 +1124,7 @@
        YY_BREAK
 case 13:
 YY_RULE_SETUP
-#line 268 "zlexer.lex"
+#line 279 "zlexer.lex"
 {
        if (!paren_open) {
                zc_error("closing parentheses without opening parentheses");
@@ -1126,7 +1137,7 @@
        YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 277 "zlexer.lex"
+#line 288 "zlexer.lex"
 {
        if (!paren_open && lexer_state == EXPECT_OWNER) {
                lexer_state = PARSING_TTL_CLASS_TYPE;
@@ -1143,11 +1154,11 @@
 /* Bitlabels.  Strip leading and ending brackets.  */
 case 15:
 YY_RULE_SETUP
-#line 291 "zlexer.lex"
+#line 302 "zlexer.lex"
 { BEGIN(bitlabel); }
        YY_BREAK
 case YY_STATE_EOF(bitlabel):
-#line 292 "zlexer.lex"
+#line 303 "zlexer.lex"
 {
        zc_error("EOF inside bitlabel");
        BEGIN(INITIAL);
@@ -1157,18 +1168,18 @@
        YY_BREAK
 case 16:
 YY_RULE_SETUP
-#line 298 "zlexer.lex"
+#line 309 "zlexer.lex"
 { yymore(); }
        YY_BREAK
 case 17:
 /* rule 17 can match eol */
 YY_RULE_SETUP
-#line 299 "zlexer.lex"
+#line 310 "zlexer.lex"
 { ++parser->line; yymore(); }
        YY_BREAK
 case 18:
 YY_RULE_SETUP
-#line 300 "zlexer.lex"
+#line 311 "zlexer.lex"
 {
        BEGIN(INITIAL);
        yytext[yyleng - 1] = '\0';
@@ -1178,11 +1189,11 @@
 /* Quoted strings.  Strip leading and ending quotes.  */
 case 19:
 YY_RULE_SETUP
-#line 307 "zlexer.lex"
+#line 318 "zlexer.lex"
 { BEGIN(quotedstring); LEXOUT(("\" ")); }
        YY_BREAK
 case YY_STATE_EOF(quotedstring):
-#line 308 "zlexer.lex"
+#line 319 "zlexer.lex"
 {
        zc_error("EOF inside quoted string");
        BEGIN(INITIAL);
@@ -1192,18 +1203,18 @@
        YY_BREAK
 case 20:
 YY_RULE_SETUP
-#line 314 "zlexer.lex"
+#line 325 "zlexer.lex"
 { LEXOUT(("QSTR ")); yymore(); }
        YY_BREAK
 case 21:
 /* rule 21 can match eol */
 YY_RULE_SETUP
-#line 315 "zlexer.lex"
+#line 326 "zlexer.lex"
 { ++parser->line; yymore(); }
        YY_BREAK
 case 22:
 YY_RULE_SETUP
-#line 316 "zlexer.lex"
+#line 327 "zlexer.lex"
 {
        LEXOUT(("\" "));
        BEGIN(INITIAL);
@@ -1214,7 +1225,7 @@
 case 23:
 /* rule 23 can match eol */
 YY_RULE_SETUP
-#line 323 "zlexer.lex"
+#line 334 "zlexer.lex"
 {
        /* Any allowed word.  */
        return parse_token(STR, yytext, &lexer_state);
@@ -1222,7 +1233,7 @@
        YY_BREAK
 case 24:
 YY_RULE_SETUP
-#line 327 "zlexer.lex"
+#line 338 "zlexer.lex"
 {
        zc_error("unknown character '%c' (\\%03d) seen - is this a zonefile?",
                 (int) yytext[0], (int) yytext[0]);
@@ -1230,10 +1241,10 @@
        YY_BREAK
 case 25:
 YY_RULE_SETUP
-#line 331 "zlexer.lex"
+#line 342 "zlexer.lex"
 ECHO;
        YY_BREAK
-#line 1235 "<stdout>"
+#line 1246 "<stdout>"
 
        case YY_END_OF_BUFFER:
                {
@@ -2202,7 +2213,7 @@
 
 #define YYTABLES_NAME "yytables"
 
-#line 331 "zlexer.lex"
+#line 342 "zlexer.lex"
 
 
 /*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/zlexer.lex new/nsd-4.6.1/zlexer.lex
--- old/nsd-4.6.0/zlexer.lex    2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/zlexer.lex    2022-11-10 09:11:36.000000000 +0100
@@ -105,6 +105,12 @@
        lexer_state = EXPECT_OWNER;
 }
 
+int at_eof(void)
+{
+       static int once = 1;
+       return (once = !once) ? 0 : NL;
+}
+
 #ifndef yy_set_bol /* compat definition, for flex 2.4.6 */
 #define yy_set_bol(at_bol) \
        { \
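Review bot: `at_eof()` keeps its phase in a function-local `static`, so the alternation between a synthetic `NL` and 0 is shared by every file and include level the process ever parses. In the `<INITIAL><<EOF>>` hunk at -224 the top-level branch reaches the rule twice per file (once returning `NL`, once terminating), but the include branch pops the parser state and so appears to reach it only once per included file, which would leave the toggle out of phase for the enclosing file; a parse abandoned between the two calls would carry the wrong phase into the next zone as well. Tracking "newline already injected" per input, alongside the include stack state, would avoid that. The one-liner `return (once = !once) ? 0 : NL;` also needs a comment, e.g. `/* first call at EOF yields a synthetic NL so a last record without a newline is terminated; the next call yields 0 */`, and the function can be declared `static` if no other translation unit uses it.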
@@ -224,12 +230,17 @@
        parser->error_occurred = error_occurred;
 }
 <INITIAL><<EOF>>       {
+       int eo = at_eof();
        yy_set_bol(1); /* Set beginning of line, so "^" rules match.  */
        if (include_stack_ptr == 0) {
+               if(eo == NL)
+                       return eo;
                yyterminate();
        } else {
                fclose(yyin);
                pop_parser_state();
+               if(eo == NL)
+                       return eo;
        }
 }
 ^{DOLLAR}{LETTER}+     { zc_warning("Unknown directive: %s", yytext); }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/nsd-4.6.0/zonec.c new/nsd-4.6.1/zonec.c
--- old/nsd-4.6.0/zonec.c       2022-06-30 09:22:18.000000000 +0200
+++ new/nsd-4.6.1/zonec.c       2022-11-10 09:11:36.000000000 +0100
@@ -798,6 +798,10 @@
                if (!strncmp(key, "ipv6hint", sizeof("ipv6hint")-1))
                        return SVCB_KEY_IPV6HINT;
                break;
+       case sizeof("dohpath")-1:
+               if (!strncmp(key, "dohpath", sizeof("dohpath")-1))
+                       return SVCB_KEY_DOHPATH;
+               break;
        case sizeof("ech")-1:
                if (!strncmp(key, "ech", sizeof("ech")-1))
                        return SVCB_KEY_ECH;
@@ -1132,6 +1136,8 @@
                return zparser_conv_svcbparam_ech_value(region, val);
        case SVCB_KEY_ALPN:
                return zparser_conv_svcbparam_alpn_value(region, val, val_len);
+       case SVCB_KEY_DOHPATH:
+               /* fallthrough */
        default:
                break;
        }
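Review bot: `case SVCB_KEY_DOHPATH:` falls into `default: break;`, so a dohpath value gets no key-specific conversion or validation and is handled by whatever generic code follows the switch, which is outside the hunk. A reader could assume the URI template is checked somewhere; replacing the bare `/* fallthrough */` with `/* dohpath: no dedicated parser, value is stored by the generic path below */` states what is and is not verified. The same label-plus-default pattern appears in the rdata.c hunk at -844, where the comment could say that dohpath is printed by the generic quoted-string code.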
@@ -1177,6 +1183,7 @@
                case SVCB_KEY_PORT:
                case SVCB_KEY_IPV4HINT:
                case SVCB_KEY_IPV6HINT:
+               case SVCB_KEY_DOHPATH:
                        if(zone_is_slave(parser->current_zone->opts))
                                zc_warning_prev_line("value expected for 
SvcParam: %s", key);
                        else
