Hello community,

here is the log from the commit of package nsd for openSUSE:Factory checked in 
at 2020-10-20 16:07:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nsd (Old)
 and      /work/SRC/openSUSE:Factory/.nsd.new.3486 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nsd"

Tue Oct 20 16:07:57 2020 rev:18 rq:842496 version:4.3.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/nsd/nsd.changes  2020-07-20 21:06:05.253379822 
+0200
+++ /work/SRC/openSUSE:Factory/.nsd.new.3486/nsd.changes        2020-10-20 
16:18:38.210243523 +0200
@@ -1,0 +2,27 @@
+Thu Oct  8 19:28:21 UTC 2020 - Michael Ströder <mich...@stroeder.com>
+
+- New upstream release 4.3.3
+
+FEATURES:
+- Follow DNS flag day 2020 advice and
+  set default EDNS message size to 1232.
+- Merged PR #113 with fixes.  Instead of listing an IP-address to
+  listen on, an interface name can be specified in nsd.conf, with
+  ip-address: eth0.  The IP-addresses for that interface are then used.
+- Port TSIG code for openssl 3.0.0-alpha6.
+
+BUG FIXES:
+- Fix make install with --with-pidfile="".
+- Merge #115 from millert: Fix strlcpy() usage. From OpenBSD.
+- Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find
+  fd_set - patch.
+- Fix that configure checks for EVP_sha256 to detect openssl, because
+  HMAC_CTX_new is deprecated in 3.0.0.
+- Fix #119: fix compile warnings from new gcc.
+- Fix #119: warn when trying to parse a directory.
+- Merge PR #121: Increase log level of recreated database from
+  WARNING to ERR.
+- Remove unused space from LIBS on link line.
+- Updated date in nsd -v output.
+
+-------------------------------------------------------------------

Old:
----
  nsd-4.3.2.tar.gz
  nsd-4.3.2.tar.gz.asc

New:
----
  nsd-4.3.3.tar.gz
  nsd-4.3.3.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nsd.spec ++++++
--- /var/tmp/diff_new_pack.tOBNin/_old  2020-10-20 16:18:40.270244499 +0200
+++ /var/tmp/diff_new_pack.tOBNin/_new  2020-10-20 16:18:40.274244501 +0200
@@ -23,7 +23,7 @@
 %define zonesdir   %{configdir}/zones
 %define pidfile    %{_rundir}/nsd/nsd.pid
 Name:           nsd
-Version:        4.3.2
+Version:        4.3.3
 Release:        0
 #
 Summary:        An authoritative-only domain name server

++++++ nsd-4.3.2.tar.gz -> nsd-4.3.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/Makefile.in new/nsd-4.3.3/Makefile.in
--- old/nsd-4.3.2/Makefile.in   2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/Makefile.in   2020-10-08 09:14:25.000000000 +0200
@@ -124,7 +124,7 @@
 install: all
        $(INSTALL) -d $(DESTDIR)$(sbindir)
        $(INSTALL) -d $(DESTDIR)$(configdir)
-       $(INSTALL) -d $(DESTDIR)$(piddir)
+       if test -n "$(piddir)"; then $(INSTALL) -d $(DESTDIR)$(piddir); fi
        $(INSTALL) -d $(DESTDIR)$(xfrdir)
        $(INSTALL) -d $(DESTDIR)$(dbdir)
        $(INSTALL) -d $(DESTDIR)$(mandir)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/acx_nlnetlabs.m4 
new/nsd-4.3.3/acx_nlnetlabs.m4
--- old/nsd-4.3.2/acx_nlnetlabs.m4      2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/acx_nlnetlabs.m4      2020-10-08 09:14:25.000000000 +0200
@@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 34
+# Version 35
+# 2020-08-24 Use EVP_sha256 instead of HMAC_Update (for openssl-3.0.0).
 # 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
 # 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
 # 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
@@ -673,30 +674,30 @@
                 ACX_RUNTIME_PATH_ADD([$ssldir/lib])
             fi
         
-            AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
+            AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
             LIBS="$LIBS -lcrypto"
             LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
             AC_TRY_LINK(, [
-                int HMAC_Update(void);
-                (void)HMAC_Update();
+                int EVP_sha256(void);
+                (void)EVP_sha256();
               ], [
                 AC_MSG_RESULT(yes)
-                AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                          [If you have HMAC_Update])
+                AC_DEFINE([HAVE_EVP_SHA256], 1,
+                          [If you have EVP_sha256])
               ], [
                 AC_MSG_RESULT(no)
                 # check if -lwsock32 or -lgdi32 are needed.    
                 BAKLIBS="$LIBS"
                 BAKSSLLIBS="$LIBSSL_LIBS"
-                LIBS="$LIBS -lgdi32"
-                LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
+               LIBS="$LIBS -lgdi32 -lws2_32"
+               LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32"
                 AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
                 AC_TRY_LINK([], [
-                    int HMAC_Update(void);
-                    (void)HMAC_Update();
+                    int EVP_sha256(void);
+                    (void)EVP_sha256();
                   ],[
-                    AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                        [If you have HMAC_Update])
+                    AC_DEFINE([HAVE_EVP_SHA256], 1,
+                        [If you have EVP_sha256])
                     AC_MSG_RESULT(yes) 
                   ],[
                     AC_MSG_RESULT(no)
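Review bot: The `AC_MSG_CHECKING([if -lcrypto needs -lgdi32])` line just below the changed `LIBS`/`LIBSSL_LIBS` assignments no longer describes what is probed, because the retry now links with `-lgdi32 -lws2_32`. I would change it to `AC_MSG_CHECKING([if -lcrypto needs -lgdi32 -lws2_32])` and update the comment above it, which still names -lwsock32, so that config.log records which libraries ended up on the link line. The two new assignment lines also appear to be indented differently from their neighbours (possibly a tab where the rest uses spaces); matching the surrounding indentation would keep the nested macro readable. The enclosing macro starts and ends outside this hunk.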
@@ -706,11 +707,11 @@
                     LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
                     AC_MSG_CHECKING([if -lcrypto needs -ldl])
                     AC_TRY_LINK([], [
-                        int HMAC_Update(void);
-                        (void)HMAC_Update();
+                        int EVP_sha256(void);
+                        (void)EVP_sha256();
                       ],[
-                        AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                            [If you have HMAC_Update])
+                        AC_DEFINE([HAVE_EVP_SHA256], 1,
+                            [If you have EVP_sha256])
                         AC_MSG_RESULT(yes) 
                       ],[
                         AC_MSG_RESULT(no)
@@ -720,11 +721,11 @@
                         LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
                         AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
                         AC_TRY_LINK([], [
-                            int HMAC_Update(void);
-                            (void)HMAC_Update();
+                            int EVP_sha256(void);
+                            (void)EVP_sha256();
                           ],[
-                            AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                                [If you have HMAC_Update])
+                            AC_DEFINE([HAVE_EVP_SHA256], 1,
+                                [If you have EVP_sha256])
                             AC_MSG_RESULT(yes) 
                           ],[
                             AC_MSG_RESULT(no)
@@ -839,7 +840,11 @@
 if test "$ac_cv_header_windows_h" = "yes"; then
        AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
        USE_WINSOCK="1"
-       LIBS="$LIBS -lws2_32"
+       if echo $LIBS | grep 'lws2_32' >/dev/null; then
+               :
+       else
+               LIBS="$LIBS -lws2_32"
+       fi
 fi
 ],
 dnl no quick getaddrinfo, try mingw32 and winsock2 library.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/config.h.in new/nsd-4.3.3/config.h.in
--- old/nsd-4.3.2/config.h.in   2020-07-14 12:52:49.000000000 +0200
+++ new/nsd-4.3.3/config.h.in   2020-10-08 09:14:25.000000000 +0200
@@ -139,6 +139,12 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP
 
+/* Define to 1 if you have the `EVP_MAC_CTX_new' function. */
+#undef HAVE_EVP_MAC_CTX_NEW
+
+/* Define to 1 if you have the `EVP_MAC_CTX_set_params' function. */
+#undef HAVE_EVP_MAC_CTX_SET_PARAMS
+
 /* Define to 1 if you have the `ev_default_loop' function. */
 #undef HAVE_EV_DEFAULT_LOOP
 
@@ -166,6 +172,9 @@
 /* Define to 1 if you have the `gethostname' function. */
 #undef HAVE_GETHOSTNAME
 
+/* Define to 1 if you have the `getifaddrs' function. */
+#undef HAVE_GETIFADDRS
+
 /* Define to 1 if you have the `getnameinfo' function. */
 #undef HAVE_GETNAMEINFO
 
@@ -251,6 +260,9 @@
 /* Define to 1 if you have the <netinet/tcp.h> header file. */
 #undef HAVE_NETINET_TCP_H
 
+/* Define to 1 if you have the <openssl/core_names.h> header file. */
+#undef HAVE_OPENSSL_CORE_NAMES_H
+
 /* Define to 1 if you have the <openssl/err.h> header file. */
 #undef HAVE_OPENSSL_ERR_H
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/configure new/nsd-4.3.3/configure
--- old/nsd-4.3.2/configure     2020-07-14 12:52:49.000000000 +0200
+++ new/nsd-4.3.3/configure     2020-10-08 09:14:25.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for NSD 4.3.2.
+# Generated by GNU Autoconf 2.69 for NSD 4.3.3.
 #
 # Report bugs to <nsd-b...@nlnetlabs.nl>.
 #
@@ -580,8 +580,8 @@
 # Identity of this package.
 PACKAGE_NAME='NSD'
 PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='4.3.2'
-PACKAGE_STRING='NSD 4.3.2'
+PACKAGE_VERSION='4.3.3'
+PACKAGE_STRING='NSD 4.3.3'
 PACKAGE_BUGREPORT='nsd-b...@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -1303,7 +1303,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures NSD 4.3.2 to adapt to many kinds of systems.
+\`configure' configures NSD 4.3.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1364,7 +1364,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of NSD 4.3.2:";;
+     short | recursive ) echo "Configuration of NSD 4.3.3:";;
    esac
   cat <<\_ACEOF
 
@@ -1524,7 +1524,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-NSD configure 4.3.2
+NSD configure 4.3.3
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2233,7 +2233,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by NSD $as_me 4.3.2, which was
+It was created by NSD $as_me 4.3.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -8338,7 +8338,7 @@
 
 fi
 
-for ac_func in tzset alarm chroot dup2 endpwent gethostname memset memcpy 
pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev 
getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask 
strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid 
setresgid setregid getpwnam mmap ppoll clock_gettime accept4
+for ac_func in tzset alarm chroot dup2 endpwent gethostname memset memcpy 
pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev 
getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask 
strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid 
setresgid setregid getpwnam mmap ppoll clock_gettime accept4 getifaddrs
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -9033,7 +9033,7 @@
 
 
 cat >>confdefs.h <<_ACEOF
-#define EDNS_MAX_MESSAGE_LEN 4096
+#define EDNS_MAX_MESSAGE_LEN 1232
 _ACEOF
 
 
@@ -9494,6 +9494,8 @@
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
+       # remove space after -ldl if there.
+       LIBS=`echo "$LIBS" | sed -e 's/ $//'`
 
        # Check for -pthread
        BAKLIBS="$LIBS"
@@ -9505,8 +9507,8 @@
 main ()
 {
 
-               int HMAC_Update(void);
-               (void)HMAC_Update();
+               int EVP_sha256(void);
+               (void)EVP_sha256();
 
   ;
   return 0;
@@ -9529,11 +9531,11 @@
 #ifdef __cplusplus
 extern "C"
 #endif
-char HMAC_Update ();
+char EVP_sha256 ();
 int
 main ()
 {
-return HMAC_Update ();
+return EVP_sha256 ();
   ;
   return 0;
 }
@@ -9559,9 +9561,9 @@
        LIBS="$BAKLIBS"
 
        if test -n "$ssldir"; then
-            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_Update 
in -lcrypto" >&5
-$as_echo_n "checking for HMAC_Update in -lcrypto... " >&6; }
-if ${ac_cv_lib_crypto_HMAC_Update+:} false; then :
+            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 
in -lcrypto" >&5
+$as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; }
+if ${ac_cv_lib_crypto_EVP_sha256+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -9575,27 +9577,27 @@
 #ifdef __cplusplus
 extern "C"
 #endif
-char HMAC_Update ();
+char EVP_sha256 ();
 int
 main ()
 {
-return HMAC_Update ();
+return EVP_sha256 ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_crypto_HMAC_Update=yes
+  ac_cv_lib_crypto_EVP_sha256=yes
 else
-  ac_cv_lib_crypto_HMAC_Update=no
+  ac_cv_lib_crypto_EVP_sha256=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: 
$ac_cv_lib_crypto_HMAC_Update" >&5
-$as_echo "$ac_cv_lib_crypto_HMAC_Update" >&6; }
-if test "x$ac_cv_lib_crypto_HMAC_Update" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_EVP_sha256" 
>&5
+$as_echo "$ac_cv_lib_crypto_EVP_sha256" >&6; }
+if test "x$ac_cv_lib_crypto_EVP_sha256" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBCRYPTO 1
 _ACEOF
@@ -9611,7 +9613,7 @@
        fi
        SSL_LIBS="-lssl"
 
-       for ac_header in openssl/ssl.h openssl/err.h openssl/rand.h 
openssl/ocsp.h
+       for ac_header in openssl/ssl.h openssl/err.h openssl/rand.h 
openssl/ocsp.h openssl/core_names.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" 
"$ac_includes_default
@@ -9625,7 +9627,7 @@
 
 done
 
-       for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup 
ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level 
CRYPTO_memcmp EC_KEY_new_by_curve_name
+       for ac_func in HMAC_CTX_reset HMAC_CTX_new EVP_cleanup 
ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level 
CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -10766,7 +10768,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by NSD $as_me 4.3.2, which was
+This file was extended by NSD $as_me 4.3.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -10828,7 +10830,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-NSD config.status 4.3.2
+NSD config.status 4.3.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/configure.ac new/nsd-4.3.3/configure.ac
--- old/nsd-4.3.2/configure.ac  2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/configure.ac  2020-10-08 09:14:25.000000000 +0200
@@ -5,7 +5,7 @@
 sinclude(acx_nlnetlabs.m4)
 sinclude(dnstap/dnstap.m4)
 
-AC_INIT(NSD,4.3.2,nsd-b...@nlnetlabs.nl)
+AC_INIT(NSD,4.3.3,nsd-b...@nlnetlabs.nl)
 AC_CONFIG_HEADER([config.h])
 
 #
@@ -657,7 +657,7 @@
 AC_CHECK_SIZEOF(off_t)
 AC_CHECK_FUNCS([getrandom arc4random arc4random_uniform])
 AC_SEARCH_LIBS([setusercontext],[util],[AC_CHECK_HEADERS([login_cap.h])])
-AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy 
pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev 
getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask 
strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid 
setresgid setregid getpwnam mmap ppoll clock_gettime accept4])
+AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy 
pwrite socket strcasecmp strchr strdup strerror strncasecmp strtol writev 
getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask 
strptime strftime localtime_r setusercontext glob initgroups setresuid setreuid 
setresgid setregid getpwnam mmap ppoll clock_gettime accept4 getifaddrs])
 
 AC_CHECK_TYPE([struct mmsghdr], AC_DEFINE(HAVE_MMSGHDR, 1, [If sys/socket.h 
has a struct mmsghdr.]), [], [
 AC_INCLUDES_DEFAULT
@@ -875,7 +875,7 @@
 AC_DEFINE_UNQUOTED([TCP_MAX_MESSAGE_LEN], [65535], [Define to the default 
maximum message length.])
 AC_DEFINE_UNQUOTED([UDP_PORT], ["53"], [Define to the default udp port.])
 AC_DEFINE_UNQUOTED([UDP_MAX_MESSAGE_LEN], [512], [Define to the default 
maximum udp message length.])
-AC_DEFINE_UNQUOTED([EDNS_MAX_MESSAGE_LEN], [4096], [Define to the default 
maximum message length with EDNS.])
+AC_DEFINE_UNQUOTED([EDNS_MAX_MESSAGE_LEN], [1232], [Define to the default 
maximum message length with EDNS.])
 AC_DEFINE_UNQUOTED([TLS_PORT], ["853"], [Define to the default DNS over TLS 
port.])
 AC_DEFINE_UNQUOTED([MAXSYSLOGMSGLEN], [512], [Define to the maximum message 
length to pass to syslog.])
 AC_DEFINE_UNQUOTED([NSD_CONTROL_PORT], [8952], [Define to the default 
nsd-control port.])
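Review bot: The description string for `EDNS_MAX_MESSAGE_LEN` does not say where 1232 comes from, so the value looks arbitrary to anyone who has not followed DNS flag day 2020. I would add a comment above the define, for example `dnl 1232 = 1280 (IPv6 minimum MTU) - 40 (IPv6 header) - 8 (UDP header); avoids IP fragmentation of UDP answers (DNS flag day 2020).` Answers that no longer fit are presumably truncated and retried over TCP, so the release notes could also remind operators to keep TCP port 53 reachable and to review any explicit EDNS size they set in nsd.conf.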
@@ -986,19 +986,21 @@
 CHECK_SSL
 if test x$HAVE_SSL = x"yes"; then
        ACX_LIB_SSL
+       # remove space after -ldl if there.
+       LIBS=`echo "$LIBS" | sed -e 's/ $//'`
 
        # Check for -pthread
        BAKLIBS="$LIBS"
        LIBS="-lcrypto $LIBS"
        AC_TRY_LINK([], [
-               int HMAC_Update(void);
-               (void)HMAC_Update();
+               int EVP_sha256(void);
+               (void)EVP_sha256();
        ], [],[
-               dnl so link fails for HMAC_Update, try with -pthread.
+               dnl so link fails for EVP_sha256, try with -pthread.
                BAKCFLAGS="$CFLAGS"
                CFLAGS="$CFLAGS -pthread"
                AC_MSG_CHECKING([if libcrypto needs -pthread])
-               AC_TRY_LINK_FUNC([HMAC_Update], [
+               AC_TRY_LINK_FUNC([EVP_sha256], [
                        AC_MSG_RESULT([yes])
                ] , [
                        AC_MSG_RESULT([no])
@@ -1009,14 +1011,14 @@
        LIBS="$BAKLIBS"
 
        if test -n "$ssldir"; then
-            AC_CHECK_LIB(crypto, HMAC_Update,, [
+            AC_CHECK_LIB(crypto, EVP_sha256,, [
                     AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 
or higher is required])
                 ])
        fi
        SSL_LIBS="-lssl"
        AC_SUBST(SSL_LIBS)
-       AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h 
openssl/ocsp.h],,, [AC_INCLUDES_DEFAULT])
-       AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup 
ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level 
CRYPTO_memcmp EC_KEY_new_by_curve_name])
+       AC_CHECK_HEADERS([openssl/ssl.h openssl/err.h openssl/rand.h 
openssl/ocsp.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT])
+       AC_CHECK_FUNCS([HMAC_CTX_reset HMAC_CTX_new EVP_cleanup 
ERR_load_crypto_strings OPENSSL_init_crypto SSL_CTX_set_security_level 
CRYPTO_memcmp EC_KEY_new_by_curve_name EVP_MAC_CTX_new EVP_MAC_CTX_set_params])
        AC_CHECK_DECLS([SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
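Review bot: The `AC_MSG_ERROR` text in the `AC_CHECK_LIB(crypto, EVP_sha256, ...)` fallback still says "version 0.9.7 or higher is required", but the probe symbol is now EVP_sha256. As far as I recall, SHA-256 support arrived in OpenSSL after 0.9.7, so the message may understate the real minimum and send a packager looking in the wrong place. Naming the probed symbol keeps the message correct whatever the version cut-off is: `AC_MSG_ERROR([OpenSSL found in $ssldir, but its libcrypto does not provide EVP_sha256])`. The `AC_CHECK_DECLS` call at the end of the hunk continues outside it.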
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/dbaccess.c new/nsd-4.3.3/dbaccess.c
--- old/nsd-4.3.2/dbaccess.c    2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/dbaccess.c    2020-10-08 09:14:25.000000000 +0200
@@ -391,13 +391,13 @@
        if(!(db->udb=udb_base_create_fd(filename, fd, &namedb_walkfunc,
                NULL))) {
                /* fd is closed by failed udb create call */
-               VERBOSITY(1, (LOG_WARNING, "can not use %s, "
+               VERBOSITY(1, (LOG_ERR, "can not use %s, "
                        "will create anew", filename));
                return 0;
        }
        /* sanity check if can be opened */
        if(udb_base_get_userflags(db->udb) != 0) {
-               log_msg(LOG_WARNING, "%s was not closed properly, it might "
+               log_msg(LOG_ERR, "%s was not closed properly, it might "
                        "be corrupted, will create anew", filename);
                udb_base_free(db->udb);
                db->udb = NULL;
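Review bot: The first message is still wrapped in `VERBOSITY(1, ...)` while the second goes through `log_msg` directly, so raising it to LOG_ERR may not make it visible. If VERBOSITY gates on the configured verbosity (its definition is not in this hunk), a server running at verbosity 0 never logs that its database could not be used and will be recreated. A discarded database is an event operators will want to alert on, so I would log it unconditionally like the second one: `log_msg(LOG_ERR, "can not use %s, will create anew", filename);`. The enclosing function starts and ends outside this hunk.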
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/doc/ChangeLog new/nsd-4.3.3/doc/ChangeLog
--- old/nsd-4.3.2/doc/ChangeLog 2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/doc/ChangeLog 2020-10-08 09:14:25.000000000 +0200
@@ -1,3 +1,58 @@
+1 October 2020: Wouter
+       - tag for 4.3.3rc1 release.
+
+30 September 2020: Wouter
+       - Updated date in nsd -v output.
+       - Fixup bug013_truncate, checkconf and cutest_qroot tests for new
+         default EDNS size.
+
+29 September 2020: Willem
+       - Follow DNS flag day 2020 advice and
+         set default EDNS message size to 1232.
+
+4 September 2020: Wouter
+       - Remove unused space from LIBS on link line.
+
+3 September 2020: Wouter
+       - Merge PR #121: Increase log level of recreated database from
+         WARNING to ERR.
+
+1 September 2020: Wouter
+       - Fix #119: fix compile warnings from new gcc.
+       - Fix #119: warn when trying to parse a directory.
+
+27 August 2020: Wouter
+       - Merged PR #113 with fixes.  Instead of listing an IP-address to
+         listen on, an interface name can be specified in nsd.conf, with
+         ip-address: eth0.  The IP-addresses for that interface are then used.
+
+26 August 2020: Wouter
+       - Add xstrdup for PR #113.
+       - Tidy up code like in PR #113.
+       - Import code from PR #113.
+       - Fix for unknown EVP_MAC_CTX_free function in openssl 3.0.0 tsig code.
+
+24 August 2020: Wouter
+       - Fix that configure checks for EVP_sha256 to detect openssl, because
+         HMAC_CTX_new is deprecated in 3.0.0.
+       - Port TSIG code for openssl 3.0.0-alpha6.
+       - Sync acx_nlnetlabs.m4 with the unbound repo.
+       - Review fixes for tsig, defensive free and zero.
+
+4 August 2020: Wouter
+       - Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find
+         fd_set - patch.
+
+23 July 2020: Wouter
+       - Merge #115 from millert: Fix strlcpy() usage. From OpenBSD.
+
+15 July 2020: Wouter
+       - Fix make install with --with-pidfile="".
+
+14 July 2020: Wouter
+       - Tag for 4.3.2 release.  Master branch contains the next version
+         in development, 4.3.3.
+
 7 July 2020: Wouter
        - Tag for 4.3.2rc1.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/doc/README new/nsd-4.3.3/doc/README
--- old/nsd-4.3.2/doc/README    2020-07-14 12:52:49.000000000 +0200
+++ new/nsd-4.3.3/doc/README    2020-10-08 09:14:26.000000000 +0200
@@ -20,7 +20,7 @@
 
 1.0 Introduction
 
-This is NSD Name Server Daemon (NSD) version 4.3.2.
+This is NSD Name Server Daemon (NSD) version 4.3.3.
 
 The NLnet Labs Name Server Daemon (NSD) is an authoritative RFC compliant 
 DNS nameserver. It was first conceived to allow for more genetic 
@@ -56,7 +56,7 @@
 
 1.2 Quick build and install
 
-Step 1: Unpack the source with gtar -xzvf nsd-4.3.2.tar.gz
+Step 1: Unpack the source with gtar -xzvf nsd-4.3.3.tar.gz
 
 Step 2: Create user nsd or any other unprivileged user of your
         choice. In case of later make sure to use
@@ -110,9 +110,9 @@
 Use your favorite combination of tar and gnu zip to unpack the source,
 for example
 
-$ gtar -xzvf nsd-4.3.2.tar.gz
+$ gtar -xzvf nsd-4.3.3.tar.gz
 
-will unpack the source into the ./nsd-4.3.2 directory...
+will unpack the source into the ./nsd-4.3.3 directory...
 
 
 2.2 Configuring NSD
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/doc/RELNOTES new/nsd-4.3.3/doc/RELNOTES
--- old/nsd-4.3.2/doc/RELNOTES  2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/doc/RELNOTES  2020-10-08 09:14:25.000000000 +0200
@@ -1,5 +1,29 @@
 NSD RELEASE NOTES
 
+4.3.3
+================
+FEATURES:
+       - Follow DNS flag day 2020 advice and
+         set default EDNS message size to 1232.
+       - Merged PR #113 with fixes.  Instead of listing an IP-address to
+         listen on, an interface name can be specified in nsd.conf, with
+         ip-address: eth0.  The IP-addresses for that interface are then used.
+       - Port TSIG code for openssl 3.0.0-alpha6.
+BUG FIXES:
+       - Fix make install with --with-pidfile="".
+       - Merge #115 from millert: Fix strlcpy() usage. From OpenBSD.
+       - Merge #117: mini_event.h (4.3.2 and 4.3.1) on OpenBSD cannot find
+         fd_set - patch.
+       - Fix that configure checks for EVP_sha256 to detect openssl, because
+         HMAC_CTX_new is deprecated in 3.0.0.
+       - Fix #119: fix compile warnings from new gcc.
+       - Fix #119: warn when trying to parse a directory.
+       - Merge PR #121: Increase log level of recreated database from
+         WARNING to ERR.
+       - Remove unused space from LIBS on link line.
+       - Updated date in nsd -v output.
+
+
 4.3.2
 ================
 FEATURES:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/ipc.c new/nsd-4.3.3/ipc.c
--- old/nsd-4.3.2/ipc.c 2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/ipc.c 2020-10-08 09:14:25.000000000 +0200
@@ -50,6 +50,7 @@
        region_destroy(nsd->server_region);
 #endif
        server_shutdown(nsd);
+       /* ENOTREACH */
        exit(0);
 }
 
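Review bot: The added comment `/* ENOTREACH */` reads like an errno constant rather than the conventional lint annotation, which is `/* NOTREACHED */`. If the intent is that `server_shutdown(nsd)` never returns and the following `exit(0)` is only a safeguard, I would write `/* NOTREACHED: server_shutdown() exits */` so that the reason is stated and the marker is the one that tools and readers recognise. The function's opening lines are outside this hunk.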
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/mini_event.h new/nsd-4.3.3/mini_event.h
--- old/nsd-4.3.2/mini_event.h  2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/mini_event.h  2020-10-08 09:14:25.000000000 +0200
@@ -55,6 +55,11 @@
 
 #if defined(USE_MINI_EVENT) && !defined(USE_WINSOCK)
 
+#ifdef HAVE_SYS_SELECT_H
+/* for fd_set on OpenBSD */
+#include <sys/select.h>
+#endif
+
 #ifndef HAVE_EVENT_BASE_FREE
 #define HAVE_EVENT_BASE_FREE
 #endif 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/nsd-checkconf.8.in 
new/nsd-4.3.3/nsd-checkconf.8.in
--- old/nsd-4.3.2/nsd-checkconf.8.in    2020-07-14 12:52:49.000000000 +0200
+++ new/nsd-4.3.3/nsd-checkconf.8.in    2020-10-08 09:14:26.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "nsd\-checkconf" "8" "Jul 14, 2020" "NLnet Labs" "nsd 4.3.2"
+.TH "nsd\-checkconf" "8" "Oct  8, 2020" "NLnet Labs" "nsd 4.3.3"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/nsd-checkzone.8.in 
new/nsd-4.3.3/nsd-checkzone.8.in
--- old/nsd-4.3.2/nsd-checkzone.8.in    2020-07-14 12:52:49.000000000 +0200
+++ new/nsd-4.3.3/nsd-checkzone.8.in    2020-10-08 09:14:26.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "nsd\-checkzone" "8" "Jul 14, 2020" "NLnet Labs" "nsd 4.3.2"
+.TH "nsd\-checkzone" "8" "Oct  8, 2020" "NLnet Labs" "nsd 4.3.3"
 .\" Copyright (c) 2014, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/nsd-control.8.in 
new/nsd-4.3.3/nsd-control.8.in
--- old/nsd-4.3.2/nsd-control.8.in      2020-07-14 12:52:49.000000000 +0200
+++ new/nsd-4.3.3/nsd-control.8.in      2020-10-08 09:14:26.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "nsd\-control" "8" "Jul 14, 2020" "NLnet Labs" "nsd 4.3.2"
+.TH "nsd\-control" "8" "Oct  8, 2020" "NLnet Labs" "nsd 4.3.3"
 .\" Copyright (c) 2011, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/nsd-control.c new/nsd-4.3.3/nsd-control.c
--- old/nsd-4.3.2/nsd-control.c 2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/nsd-control.c 2020-10-08 09:14:25.000000000 +0200
@@ -63,7 +63,7 @@
 #include "tsig.h"
 #include "options.h"
 
-static void usage() ATTR_NORETURN;
+static void usage(void) ATTR_NORETURN;
 static void ssl_err(const char* s) ATTR_NORETURN;
 static void ssl_path_err(const char* s, const char *path) ATTR_NORETURN;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/nsd.8.in new/nsd-4.3.3/nsd.8.in
--- old/nsd-4.3.2/nsd.8.in      2020-07-14 12:52:49.000000000 +0200
+++ new/nsd-4.3.3/nsd.8.in      2020-10-08 09:14:26.000000000 +0200
@@ -1,9 +1,9 @@
-.TH "NSD" "8" "Jul 14, 2020" "NLnet Labs" "NSD 4.3.2"
+.TH "NSD" "8" "Oct  8, 2020" "NLnet Labs" "NSD 4.3.3"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
 .B nsd
-\- Name Server Daemon (NSD) version 4.3.2.
+\- Name Server Daemon (NSD) version 4.3.3.
 .SH "SYNOPSIS"
 .B nsd
 .RB [ \-4 ] 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/nsd.c new/nsd-4.3.3/nsd.c
--- old/nsd-4.3.2/nsd.c 2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/nsd.c 2020-10-08 09:14:25.000000000 +0200
@@ -139,12 +139,141 @@
                );
 #endif
        fprintf(stderr,
-               "Copyright (C) 2001-2006 NLnet Labs.  This is free software.\n"
+               "Copyright (C) 2001-2020 NLnet Labs.  This is free software.\n"
                "There is NO warranty; not even for MERCHANTABILITY or 
FITNESS\n"
                "FOR A PARTICULAR PURPOSE.\n");
        exit(0);
 }
 
+#ifdef HAVE_GETIFADDRS
+static void
+resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char 
***ip_addresses, size_t *ip_addresses_size)
+{
+       struct ifaddrs *ifa;
+       size_t last_ip_addresses_size = *ip_addresses_size;
+
+       for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) {
+               sa_family_t family;
+               const char* atsign;
+#ifdef INET6      /* |   address ip    | % |  ifa name  | @ |  port  | nul */
+               char addr_buf[INET6_ADDRSTRLEN + 1 + IF_NAMESIZE + 1 + 16 + 1];
+#else
+               char addr_buf[INET_ADDRSTRLEN + 1 + 16 + 1];
+#endif
+
+               if((atsign=strrchr(search_ifa, '@')) != NULL) {
+                       if(strlen(ifa->ifa_name) != (size_t)(atsign-search_ifa)
+                          || strncmp(ifa->ifa_name, search_ifa,
+                          atsign-search_ifa) != 0)
+                               continue;
+               } else {
+                       if(strcmp(ifa->ifa_name, search_ifa) != 0)
+                               continue;
+                       atsign = "";
+               }
+
+               if(ifa->ifa_addr == NULL)
+                       continue;
+
+               family = ifa->ifa_addr->sa_family;
+               if(family == AF_INET) {
+                       char a4[INET_ADDRSTRLEN + 1];
+                       struct sockaddr_in *in4 = (struct sockaddr_in *)
+                               ifa->ifa_addr;
+                       if(!inet_ntop(family, &in4->sin_addr, a4, sizeof(a4)))
+                               error("inet_ntop");
+                       snprintf(addr_buf, sizeof(addr_buf), "%s%s",
+                               a4, atsign);
+               }
+#ifdef INET6
+               else if(family == AF_INET6) {
+                       struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)
+                               ifa->ifa_addr;
+                       char a6[INET6_ADDRSTRLEN + 1];
+                       char if_index_name[IF_NAMESIZE + 1];
+                       if_index_name[0] = 0;
+                       if(!inet_ntop(family, &in6->sin6_addr, a6, sizeof(a6)))
+                               error("inet_ntop");
+                       if_indextoname(in6->sin6_scope_id,
+                               (char *)if_index_name);
+                       if (strlen(if_index_name) != 0) {
+                               snprintf(addr_buf, sizeof(addr_buf),
+                                       "%s%%%s%s", a6, if_index_name, atsign);
+                       } else {
+                               snprintf(addr_buf, sizeof(addr_buf), "%s%s",
+                                       a6, atsign);
+                       }
+               }
+#endif
+               else {
+                       continue;
+               }
+               VERBOSITY(4, (LOG_INFO, "interface %s has address %s",
+                       search_ifa, addr_buf));
+
+               *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * 
(*ip_addresses_size + 1));
+               (*ip_addresses)[*ip_addresses_size] = xstrdup(addr_buf);
+               (*ip_addresses_size)++;
+       }
+
+       if (*ip_addresses_size == last_ip_addresses_size) {
+               *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * 
(*ip_addresses_size + 1));
+               (*ip_addresses)[*ip_addresses_size] = xstrdup(search_ifa);
+               (*ip_addresses_size)++;
+       }
+}
+#endif /* HAVE_GETIFADDRS */
+
+static void
+resolve_interface_names(struct nsd_options* options)
+{
+#ifdef HAVE_GETIFADDRS
+       struct ifaddrs *addrs;
+       struct ip_address_option *ip_addr;
+       struct ip_address_option *last = NULL;
+       struct ip_address_option *first = NULL;
+
+       if(getifaddrs(&addrs) == -1)
+                 error("failed to list interfaces");
+
+       /* replace the list of ip_adresses with a new list where the
+        * interface names are replaced with their ip-address strings
+        * from getifaddrs.  An interface can have several addresses. */
+       for(ip_addr = options->ip_addresses; ip_addr; ip_addr = ip_addr->next) {
+               char **ip_addresses = NULL;
+               size_t ip_addresses_size = 0, i;
+               resolve_ifa_name(addrs, ip_addr->address, &ip_addresses,
+                       &ip_addresses_size);
+
+               for (i = 0; i < ip_addresses_size; i++) {
+                       struct ip_address_option *current;
+                       /* this copies the range_option, dev, and fib from
+                        * the original ip_address option to the new ones
+                        * with the addresses spelled out by resolve_ifa_name*/
+                       current = region_alloc_init(options->region, ip_addr,
+                               sizeof(*ip_addr));
+                       current->address = region_strdup(options->region,
+                               ip_addresses[i]);
+                       current->next = NULL;
+                       free(ip_addresses[i]);
+
+                       if(first == NULL) {
+                               first = current;
+                       } else {
+                               last->next = current;
+                       }
+                       last = current;
+               }
+               free(ip_addresses);
+       }
+
+       freeifaddrs(addrs);
+       options->ip_addresses = first;
+#else
+       (void)options;
+#endif /* HAVE_GETIFADDRS */
+}
+
 static void
 copyaddrinfo(struct nsd_addrinfo *dest, struct addrinfo *src)
 {
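Review bot: The three `snprintf` calls into `addr_buf` in resolve_ifa_name ignore the return value, while the `@port` suffix in `atsign` is taken from the configured string and only 16 bytes are reserved for it. An over-long suffix is therefore cut off silently, and the shortened string is stored as a listen address. Compare the result with the buffer size and reject the entry, for example `if((size_t)snprintf(addr_buf, sizeof(addr_buf), "%s%s", a4, atsign) >= sizeof(addr_buf)) error("address for interface %s is too long", search_ifa);`. The same check applies to both IPv6 branches.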
@@ -161,26 +290,26 @@
        struct addrinfo *hints)
 {
        int ret;
-       char *sep = NULL;
-       char *host, host_buf[INET6_ADDRSTRLEN + 1 /* '\0' */];
+       char *host;
+       char host_buf[sizeof("65535") + INET6_ADDRSTRLEN + 1 /* '\0' */];
        const char *service;
-       char service_buf[6 + 1 /* '\0' */]; /* 65535 */
        struct addrinfo *addr = NULL;
 
        sock->fib = -1;
        if(node) {
+               char *sep;
+
+               if (strlcpy(host_buf, node, sizeof(host_buf)) >= 
sizeof(host_buf)) {
+                       error("cannot parse address '%s': %s", node,
+                           strerror(ENAMETOOLONG));
+               }
+
                host = host_buf;
-               sep = strchr(node, '@');
-               if(sep) {
-                       size_t len = (sep - node) + 1;
-                       if (len > sizeof(host_buf)) {
-                               len = sizeof(host_buf);
-                       }
-                       strlcpy(host_buf, node, len);
-                       strlcpy(service_buf, sep + 1, sizeof(service_buf));
-                       service = service_buf;
+               sep = strchr(host_buf, '@');
+               if(sep != NULL) {
+                       *sep = '\0';
+                       service = sep + 1;
                } else {
-                       strlcpy(host_buf, node, sizeof(host_buf));
                        service = port;
                }
        } else {
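Review bot: `host_buf` reserves room for the address and an `@port` suffix but not for the `%ifname` scope that resolve_ifa_name (added in the previous hunk) can place between them. That function's `addr_buf` is declared with an extra `1 + IF_NAMESIZE`, so the two buffers disagree on the maximum length. A scoped IPv6 address that is long enough would end in the new ENAMETOOLONG error instead of being bound. Sizing it to match, `char host_buf[INET6_ADDRSTRLEN + 1 + IF_NAMESIZE + sizeof("@65535")];`, keeps the two in step. The function's signature and the rest of its body are outside this hunk.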
@@ -373,16 +502,11 @@
        }
 
        if(ifa != NULL) {
-               char *colon;
-               size_t len;
-
-               if((colon = strchr(ifa->ifa_name, ':')) != NULL) {
-                       len = (size_t)((uintptr_t)colon - 
(uintptr_t)ifa->ifa_name);
-               } else {
-                       len  = strlen(ifa->ifa_name);
-               }
-               if (len < sizeof(sock->device)) {
-                       strlcpy(sock->device, ifa->ifa_name, len+1);
+               size_t len = strlcpy(sock->device, ifa->ifa_name, 
sizeof(sock->device));
+               if(len < sizeof(sock->device)) {
+                       char *colon = strchr(sock->device, ':');
+                       if(colon != NULL)
+                               *colon = '\0';
                        return 1;
                }
        }
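Review bot: When `ifa->ifa_name` does not fit, `strlcpy` has already overwritten `sock->device` with a truncated name before the `len < sizeof(sock->device)` test fails; the removed code left the buffer untouched in that case. If anything reads `sock->device` after this block falls through (the rest of the function is outside the hunk), it would see a partial interface name. Clearing it on the failure path, `else sock->device[0] = '\0';`, would avoid that. The length test now also covers the full name including any `:alias` part, where the old code measured only the part before the colon.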
@@ -662,8 +786,9 @@
                if (fd == -1) {
                        /* Truncate the pid file.  */
                        log_msg(LOG_ERR, "can not truncate the pid file %s: 
%s", file, strerror(errno));
-               } else 
+               } else {
                        close(fd);
+               }
 
                /* unlink pidfile */
                if (unlink(file) == -1) {
@@ -1243,6 +1368,7 @@
 
        nsd.this_child = NULL;
 
+       resolve_interface_names(nsd.options);
        figure_sockets(&nsd.udp, &nsd.tcp, &nsd.ifs,
                nsd.options->ip_addresses, udp_port, tcp_port, &hints);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/nsd.conf.5.in new/nsd-4.3.3/nsd.conf.5.in
--- old/nsd-4.3.2/nsd.conf.5.in 2020-07-14 12:52:49.000000000 +0200
+++ new/nsd-4.3.3/nsd.conf.5.in 2020-10-08 09:14:26.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "nsd.conf" "5" "Jul 14, 2020" "NLnet Labs" "nsd 4.3.2"
+.TH "nsd.conf" "5" "Oct  8, 2020" "NLnet Labs" "nsd 4.3.3"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
@@ -143,11 +143,15 @@
 to bind multiple ip\-addresses. Optionally, a port number can be given.
 If none are given NSD listens to the wildcard interface. Same as commandline 
option
 .BR \-a.
+.IP
 To limit which NSD server(s) listen on the given interface, specify one or
 more servers separated by whitespace after <ip>[@port]. Ranges can be used as
 a shorthand to specify multiple consecutive servers. By default every server
 will listen.
-.BR
+.IP
+If an interface name is used instead of ip4 or ip6, the list of IP addresses
+associated with that interface is picked up and used at server start.
+.IP
 For servers with multiple IP addresses that can be used to send traffic
 to the internet, list them one by one, or the source address of replies
 could be wrong.  This is because if the udp socket associates a source
@@ -298,10 +302,10 @@
 negotiation between NSD and other servers.
 .TP
 .B ipv4\-edns\-size:\fR <number>
-Preferred EDNS buffer size for IPv4.  Default 4096.
+Preferred EDNS buffer size for IPv4.  Default 1232.
 .TP
 .B ipv6\-edns\-size:\fR <number>
-Preferred EDNS buffer size for IPv6.  Default 4096.
+Preferred EDNS buffer size for IPv6.  Default 1232.
 .TP
 .B pidfile:\fR <filename>
 Use the pid file instead of the platform specific default, usually 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/nsd.conf.sample.in 
new/nsd-4.3.3/nsd.conf.sample.in
--- old/nsd-4.3.2/nsd.conf.sample.in    2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/nsd.conf.sample.in    2020-10-08 09:14:25.000000000 +0200
@@ -175,10 +175,10 @@
        # outgoing-tcp-mss: 0
 
        # Preferred EDNS buffer size for IPv4.
-       # ipv4-edns-size: 4096
+       # ipv4-edns-size: 1232
 
        # Preferred EDNS buffer size for IPv6.
-       # ipv6-edns-size: 4096
+       # ipv6-edns-size: 1232
 
        # statistics are produced every number of seconds. Prints to log.
        # Default is 0, meaning no statistics are produced.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/options.c new/nsd-4.3.3/options.c
--- old/nsd-4.3.2/options.c     2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/options.c     2020-10-08 09:14:25.000000000 +0200
@@ -9,6 +9,7 @@
 #include "config.h"
 #include <string.h>
 #include <stdio.h>
+#include <sys/stat.h>
 #include <errno.h>
 #include "options.h"
 #include "query.h"
@@ -161,6 +162,20 @@
        return 1;
 }
 
+void
+warn_if_directory(const char* filetype, FILE* f, const char* fname)
+{
+       if(fileno(f) != -1) {
+               struct stat st;
+               memset(&st, 0, sizeof(st));
+               if(fstat(fileno(f), &st) != -1) {
+                       if(S_ISDIR(st.st_mode)) {
+                               log_msg(LOG_WARNING, "trying to read %s but it 
is a directory: %s", filetype, fname);
+                       }
+               }
+       }
+}
+
 int
 parse_options_file(struct nsd_options* opt, const char* file,
        void (*err)(void*,const char*), void* err_arg)
@@ -197,6 +212,7 @@
                }
                return 0;
        }
+       warn_if_directory("configfile", in, file);
        c_in = in;
        c_parse();
        fclose(in);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/options.h new/nsd-4.3.3/options.h
--- old/nsd-4.3.2/options.h     2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/options.h     2020-10-08 09:14:25.000000000 +0200
@@ -468,5 +468,9 @@
 void replace_str(char* buf, size_t len, const char* one, const char* two);
 /* apply pattern to the existing pattern in the parser */
 void config_apply_pattern(struct pattern_options *dest, const char* name);
+/* if the file is a directory, print a warning, because flex just exit()s
+ * when a fileread fails because it is a directory, helps the user figure
+ * out what just happened */
+void warn_if_directory(const char* filetype, FILE* f, const char* fname);
 
 #endif /* OPTIONS_H */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/server.c new/nsd-4.3.3/server.c
--- old/nsd-4.3.2/server.c      2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/server.c      2020-10-08 09:14:25.000000000 +0200
@@ -1654,6 +1654,7 @@
                        udb_base_sync(nsd->db->udb, 1);
                        udb_base_close(nsd->db->udb);
                        server_shutdown(nsd);
+                       /* ENOTREACH */
                        exit(0);
                }
        }
@@ -1851,6 +1852,7 @@
        (void)ctx;
 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
        if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
+               /* ENOTREACH */
                log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling 
ECDHE");
        }
 #elif defined(HAVE_DECL_SSL_CTX_SET_TMP_ECDH) && defined(NID_X9_62_prime256v1) 
&& defined(HAVE_EC_KEY_NEW_BY_CURVE_NAME)
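Review bot: The `/* ENOTREACH */` comment added inside the `if(!SSL_CTX_set_ecdh_auto(ctx,1))` body does not say why the branch is considered unreachable, and that branch still holds the only error report for the call. Presumably the tag is there because some OpenSSL versions define the call as a macro that always yields 1. A comment that says so, such as `/* not reached where SSL_CTX_set_ecdh_auto is a macro that always returns 1 */`, would be clearer than the bare tag. The same tag is added before `exit(0)` in the previous hunk, where the conventional spelling is `/* NOTREACHED */`. The enclosing function starts and ends outside this hunk.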
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/tsig-openssl.c new/nsd-4.3.3/tsig-openssl.c
--- old/nsd-4.3.2/tsig-openssl.c        2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/tsig-openssl.c        2020-10-08 09:14:25.000000000 +0200
@@ -11,6 +11,9 @@
 
 #if defined(HAVE_SSL)
 
+#ifdef HAVE_OPENSSL_CORE_NAMES_H
+#include <openssl/core_names.h>
+#endif
 #include "tsig-openssl.h"
 #include "tsig.h"
 #include "util.h"
@@ -22,11 +25,36 @@
 static void update(void *context, const void *data, size_t size);
 static void final(void *context, uint8_t *digest, size_t *size);
 
+#ifdef HAVE_EVP_MAC_CTX_NEW
+struct tsig_openssl_data {
+       /* the MAC for the algorithm, 'hmac' */
+       EVP_MAC* mac;
+       /* the digest name for creating the EVP_MAC_CTX with, 'sha256' */
+       const char* digest;
+};
+
+struct tsig_openssl_context {
+       /* the evp mac context, if notNULL it has algo and key set. */
+       EVP_MAC_CTX* hmac_ctx;
+       /* the size of destination buffers */
+       size_t outsize;
+};
+
+static void
+cleanup_tsig_openssl_data(void *data)
+{
+       struct tsig_openssl_data* d = (struct tsig_openssl_data*)data;
+       EVP_MAC_free(d->mac);
+       d->mac = NULL;
+}
+#endif
+
 static int
 tsig_openssl_init_algorithm(region_type* region,
        const char* digest, const char* name, const char* wireformat)
 {
        tsig_algorithm_type* algorithm;
+#ifndef HAVE_EVP_MAC_CTX_NEW
        const EVP_MD *hmac_algorithm;
 
        hmac_algorithm = EVP_get_digestbyname(digest);
@@ -34,6 +62,44 @@
                /* skip but don't error */
                return 0;
        }
+#else
+       struct tsig_openssl_data* data;
+       EVP_MAC_CTX* hmac_ctx;
+       OSSL_PARAM params[3];
+       data = region_alloc(region, sizeof(*data));
+       data->digest = digest;
+       data->mac = EVP_MAC_fetch(NULL, "hmac", NULL);
+       if(!data->mac) {
+               log_msg(LOG_ERR, "could not fetch MAC implementation 'hmac' 
with EVP_MAC_fetch");
+               return 0;
+       }
+       /* this context is created to see what size the output is */
+       hmac_ctx = EVP_MAC_CTX_new(data->mac);
+       if(!hmac_ctx) {
+               EVP_MAC_free(data->mac);
+               return 0;
+       }
+       params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
+               (char*)digest, 0);
+       params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
+               "", 1);
+       params[2] = OSSL_PARAM_construct_end();
+#ifdef HAVE_EVP_MAC_CTX_SET_PARAMS
+       if(EVP_MAC_CTX_set_params(hmac_ctx, params) <= 0) {
+               log_msg(LOG_ERR, "could not EVP_MAC_CTX_set_params");
+               EVP_MAC_CTX_free(hmac_ctx);
+               EVP_MAC_free(data->mac);
+               return 0;
+       }
+#else
+       if(EVP_MAC_set_ctx_params(hmac_ctx, params) <= 0) {
+               log_msg(LOG_ERR, "could not EVP_MAC_set_ctx_params");
+               EVP_MAC_CTX_free(hmac_ctx);
+               EVP_MAC_free(data->mac);
+               return 0;
+       }
+#endif
+#endif
 
        algorithm = (tsig_algorithm_type *) region_alloc(
                region, sizeof(tsig_algorithm_type));
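Review bot: The `EVP_MAC_CTX_new` failure path returns 0 without logging, and the two set-params failure messages do not name the digest, so an operator cannot tell from the log which TSIG algorithm was dropped. The older path kept as context skips an unknown digest silently ("skip but don't error"), whereas the new path presumably reports the same condition at LOG_ERR once per algorithm. Naming the digest, `log_msg(LOG_ERR, "could not EVP_MAC_CTX_set_params for digest %s", digest);`, and adding a matching message on the `EVP_MAC_CTX_new` path would make it clear which algorithms are unavailable. tsig_openssl_init_algorithm starts before and continues after this hunk.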
@@ -42,18 +108,34 @@
                = dname_parse(region, wireformat);
        if (!algorithm->wireformat_name) {
                log_msg(LOG_ERR, "cannot parse %s algorithm", wireformat);
+#ifdef HAVE_EVP_MAC_CTX_NEW
+               EVP_MAC_CTX_free(hmac_ctx);
+               EVP_MAC_free(data->mac);
+#endif
                return 0;
        }
+#ifndef HAVE_EVP_MAC_CTX_NEW
        algorithm->maximum_digest_size = EVP_MD_size(hmac_algorithm);
+#else
+       algorithm->maximum_digest_size = EVP_MAC_size(hmac_ctx);
+#endif
        if(algorithm->maximum_digest_size < 20)
                algorithm->maximum_digest_size = EVP_MAX_MD_SIZE;
+#ifndef HAVE_EVP_MAC_CTX_NEW
        algorithm->data = hmac_algorithm;
+#else
+       algorithm->data = data;
+       region_add_cleanup(region, cleanup_tsig_openssl_data, data);
+#endif
        algorithm->hmac_create_context = create_context;
        algorithm->hmac_init_context = init_context;
        algorithm->hmac_update = update;
        algorithm->hmac_final = final;
        tsig_add_algorithm(algorithm);
 
+#ifdef HAVE_EVP_MAC_CTX_NEW
+       EVP_MAC_CTX_free(hmac_ctx);
+#endif
        return 1;
 }
 
@@ -86,6 +168,7 @@
 static void
 cleanup_context(void *data)
 {
+#ifndef HAVE_EVP_MAC_CTX_NEW
        HMAC_CTX *context = (HMAC_CTX *) data;
 #ifdef HAVE_HMAC_CTX_NEW
        HMAC_CTX_free(context);
@@ -93,11 +176,17 @@
        HMAC_CTX_cleanup(context);
        free(context);
 #endif
+#else
+       struct tsig_openssl_context* c = (struct tsig_openssl_context*)data;
+       EVP_MAC_CTX_free(c->hmac_ctx);
+       c->hmac_ctx = NULL;
+#endif
 }
 
 static void *
 create_context(region_type *region)
 {
+#ifndef HAVE_EVP_MAC_CTX_NEW
 #ifdef HAVE_HMAC_CTX_NEW
        HMAC_CTX *context = HMAC_CTX_new();
 #else
@@ -109,6 +198,12 @@
 #else
        HMAC_CTX_init(context);
 #endif
+#else
+       struct tsig_openssl_context* context = region_alloc(region,
+               sizeof(*context));
+       memset(context, 0, sizeof(*context));
+       region_add_cleanup(region, cleanup_context, context);
+#endif
        return context;
 }
 
@@ -117,25 +212,75 @@
                          tsig_algorithm_type *algorithm,
                          tsig_key_type *key)
 {
+#ifndef HAVE_EVP_MAC_CTX_NEW
        HMAC_CTX *ctx = (HMAC_CTX *) context;
        const EVP_MD *md = (const EVP_MD *) algorithm->data;
        HMAC_Init_ex(ctx, key->data, key->size, md, NULL);
+#else
+       OSSL_PARAM params[3];
+       struct tsig_openssl_data* algo_data = (struct tsig_openssl_data*)
+               algorithm->data;
+       struct tsig_openssl_context* c = (struct tsig_openssl_context*)context;
+       if(c->hmac_ctx) {
+               EVP_MAC_CTX_free(c->hmac_ctx);
+       }
+       c->hmac_ctx = EVP_MAC_CTX_new(algo_data->mac);
+       if(!c->hmac_ctx) {
+               log_msg(LOG_ERR, "could not EVP_MAC_CTX_new");
+               return;
+       }
+       params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
+               (char*)algo_data->digest, 0);
+       params[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
+               key->data, key->size);
+       params[2] = OSSL_PARAM_construct_end();
+#ifdef HAVE_EVP_MAC_CTX_SET_PARAMS
+       if(EVP_MAC_CTX_set_params(c->hmac_ctx, params) <= 0) {
+               log_msg(LOG_ERR, "could not EVP_MAC_CTX_set_params");
+               EVP_MAC_CTX_free(c->hmac_ctx);
+               c->hmac_ctx = NULL;
+               return;
+       }
+#else
+       if(EVP_MAC_set_ctx_params(hmac_ctx, params) <= 0) {
+               log_msg(LOG_ERR, "could not EVP_MAC_set_ctx_params");
+               EVP_MAC_CTX_free(c->hmac_ctx);
+               c->hmac_ctx = NULL;
+               return;
+       }
+#endif
+       c->outsize = algorithm->maximum_digest_size;
+#endif
 }
 
 static void
 update(void *context, const void *data, size_t size)
 {
+#ifndef HAVE_EVP_MAC_CTX_NEW
        HMAC_CTX *ctx = (HMAC_CTX *) context;
        HMAC_Update(ctx, (unsigned char *) data, (int) size);
+#else
+       struct tsig_openssl_context* c = (struct tsig_openssl_context*)context;
+       if(EVP_MAC_update(c->hmac_ctx, data, size) <= 0) {
+               log_msg(LOG_ERR, "could not EVP_MAC_update");
+       }
+#endif
 }
 
 static void
 final(void *context, uint8_t *digest, size_t *size)
 {
+#ifndef HAVE_EVP_MAC_CTX_NEW
        HMAC_CTX *ctx = (HMAC_CTX *) context;
        unsigned len = (unsigned) *size;
        HMAC_Final(ctx, digest, &len);
        *size = (size_t) len;
+#else
+       struct tsig_openssl_context* c = (struct tsig_openssl_context*)context;
+       if(EVP_MAC_final(c->hmac_ctx, digest, size, c->outsize) <= 0) {
+               log_msg(LOG_ERR, "could not EVP_MAC_final");
+       }
+#endif
 }
 
 void
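Review bot: In init_context, the fallback branch used when `HAVE_EVP_MAC_CTX_SET_PARAMS` is not defined calls `EVP_MAC_set_ctx_params(hmac_ctx, params)`, but no `hmac_ctx` is declared in this function, so that configuration would not compile. The line should read `if(EVP_MAC_set_ctx_params(c->hmac_ctx, params) <= 0) {`. Separately, init_context, update and final all return void, so when context setup fails `c->hmac_ctx` stays NULL and final() only logs, leaving `digest` and `*size` as the caller passed them. How the TSIG caller treats that is outside this diff; it is worth confirming that a failed MAC computation makes verification fail rather than comparing against whatever the buffer held. init_context's signature begins above this hunk.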
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/tsig-openssl.h new/nsd-4.3.3/tsig-openssl.h
--- old/nsd-4.3.2/tsig-openssl.h        2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/tsig-openssl.h        2020-10-08 09:14:25.000000000 +0200
@@ -22,7 +22,7 @@
  */
 int tsig_openssl_init(region_type *region);
 
-void tsig_openssl_finalize();
+void tsig_openssl_finalize(void);
 
 #endif /* defined(HAVE_SSL) */
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/util.c new/nsd-4.3.3/util.c
--- old/nsd-4.3.2/util.c        2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/util.c        2020-10-08 09:14:25.000000000 +0200
@@ -266,6 +266,19 @@
        return NULL;
 }
 
+char *
+xstrdup(const char *src)
+{
+       char *result = strdup(src);
+
+       if(!result) {
+               log_msg(LOG_ERR, "strdup failed: %s", strerror(errno));
+               exit(1);
+       }
+
+       return result;
+}
+
 void *
 xalloc(size_t size)
 {
@@ -701,10 +714,10 @@
        }
        if(srclength)
        {
-               if(targsize < strlen(buf)+1)
+               size_t tlen = strlcpy(target, buf, targsize);
+               if (tlen >= targsize)
                        return -1;
-               strlcpy(target, buf, targsize);
-               len += strlen(buf);
+               len += tlen;
        }
        else if(targsize < 1)
                return -1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/util.h new/nsd-4.3.3/util.h
--- old/nsd-4.3.2/util.h        2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/util.h        2020-10-08 09:14:25.000000000 +0200
@@ -148,6 +148,7 @@
 void *xalloc_zero(size_t size);
 void *xalloc_array_zero(size_t num, size_t size);
 void *xrealloc(void *ptr, size_t size);
+char *xstrdup(const char *src);
 
 /*
  * Mmap allocator routines.
@@ -400,7 +401,7 @@
 struct state_pretty_rr* create_pretty_rr(struct region* region);
 /* print rr to file, returns 0 on failure(nothing is written) */
 int print_rr(FILE *out, struct state_pretty_rr* state, struct rr *record,
-       struct region* tmp_region, struct buffer* tmp_buffer); 
+       struct region* tmp_region, struct buffer* tmp_buffer);
 
 /*
  * Convert a numeric rcode value to a human readable string
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/zonec.c new/nsd-4.3.3/zonec.c
--- old/nsd-4.3.2/zonec.c       2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/zonec.c       2020-10-08 09:14:25.000000000 +0200
@@ -1341,8 +1341,12 @@
        if (strcmp(filename, "-") == 0) {
                yyin = stdin;
                filename = "<stdin>";
-       } else if (!(yyin = fopen(filename, "r"))) {
-               return 0;
+               warn_if_directory("zonefile from stdin", yyin, filename);
+       } else {
+               if (!(yyin = fopen(filename, "r"))) {
+                       return 0;
+               }
+               warn_if_directory("zonefile", yyin, filename);
        }
 
        zparser_init(filename, ttl, klass, origin);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.3.2/zonec.h new/nsd-4.3.3/zonec.h
--- old/nsd-4.3.2/zonec.h       2020-07-14 12:52:48.000000000 +0200
+++ new/nsd-4.3.3/zonec.h       2020-10-08 09:14:25.000000000 +0200
@@ -117,7 +117,7 @@
 uint32_t zparser_ttl2int(const char *ttlstr, int* error);
 void zadd_rdata_wireformat(uint16_t *data);
 void zadd_rdata_txt_wireformat(uint16_t *data, int first);
-void zadd_rdata_txt_clean_wireformat();
+void zadd_rdata_txt_clean_wireformat(void);
 void zadd_rdata_domain(domain_type *domain);
 
 void set_bitnsec(uint8_t  bits[NSEC_WINDOW_COUNT][NSEC_WINDOW_BITS_SIZE],


