author | Christoph Hrdinka <c.git@hrdinka.at> | 2016-09-27 00:10:39 +0200 |
---|---|---|
committer | Christoph Hrdinka <c.git@hrdinka.at> | 2016-09-27 00:14:24 +0200 |
commit | 553a3295c126fd9e73635bcde7dc1714a230c3f2 (patch) | |
tree | 4c28d584224c33f6e5912747b779d9f52691878f /nixos | |
parent | 900a04e6c9953fbdc59d4a51bef8283594357d28 (diff) | |
download | nixlib-553a3295c126fd9e73635bcde7dc1714a230c3f2.tar nixlib-553a3295c126fd9e73635bcde7dc1714a230c3f2.tar.gz nixlib-553a3295c126fd9e73635bcde7dc1714a230c3f2.tar.bz2 nixlib-553a3295c126fd9e73635bcde7dc1714a230c3f2.tar.lz nixlib-553a3295c126fd9e73635bcde7dc1714a230c3f2.tar.xz nixlib-553a3295c126fd9e73635bcde7dc1714a230c3f2.tar.zst nixlib-553a3295c126fd9e73635bcde7dc1714a230c3f2.zip |
nsd: 4.1.9 -> 4.1.12
4.1.12 ====== Bugfixes -------- Fix malformed edns query assertion failure, reported by Michal Kepien (NASK). 4.1.11 ====== Features -------- * When tcp is more than half full, use short timeout for tcp session. * Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori. * Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865. Bugfixes -------- * Fix build without IPv6, patch from Zdenek Kaspar. * Fix #783: Trying to run a root server without having configured it silently gives wrong answers. * Fix #782: Serve DS record but parent zone has no NS record. * Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut. 4.1.10 ====== Features -------- * ip-freebind: yesno option in nsd.conf sets IP_FREEBIND socket option for Linux, binds to interfaces and addresses that are down. * NSD includes AAAA before A for queries over IPV6 (in delegations). And TC is set if no glue can be provided with a delegation because of packet size. * print notice that nsd is starting before taking off. Bugfixes -------- * Fix for openssl 1.1.0, HMAC_CTX size not exported from openssl. * Fix #751: NSD fails to occlude names below a DNAME. * If set without nsd.db print "" as the default in the man pages. * Fix #755: NSD spins after a zone update and a lot of TCP queries. * Fix for NSEC3 with zone signed without exact match for empty nonterminals, the answer for that domain gets closest encloser. * #772 Document that recvmmsg has IPv6 problems on some linux kernels. 4.1.9 ===== Bugfixes -------- * Change the nsd.db file version because of nanosecond precision fix.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/nsd.nix | 58 |
1 files changed, 56 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 333a3378c4cc..6af1dd736431 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -71,6 +71,7 @@ let # interfaces ${forEach " ip-address: " cfg.interfaces} + ip-freebind: ${yesOrNo cfg.ipFreebind} hide-version: ${yesOrNo cfg.hideVersion} identity: "${cfg.identity}" ip-transparent: ${yesOrNo cfg.ipTransparent} @@ -84,7 +85,7 @@ let reuseport: ${yesOrNo cfg.reuseport} round-robin: ${yesOrNo cfg.roundRobin} server-count: ${toString cfg.serverCount} - ${if cfg.statistics == null then "" else "statistics: ${toString cfg.statistics}"} + ${maybeToString "statistics: " cfg.statistics} tcp-count: ${toString cfg.tcpCount} tcp-query-count: ${toString cfg.tcpQueryCount} tcp-timeout: ${toString cfg.tcpTimeout} @@ -117,7 +118,8 @@ let ''; yesOrNo = b: if b then "yes" else "no"; - maybeString = pre: s: if s == null then "" else ''${pre} "${s}"''; + maybeString = prefix: x: if x == null then "" else ''${prefix} "${s}"''; + maybeToString = prefix: x: if x == null then "" else ''${prefix} ${toString s}''; forEach = pre: l: concatMapStrings (x: pre + x + "\n") l; @@ -146,6 +148,11 @@ let ${forEach " rrl-whitelist: " zone.rrlWhitelist} ${maybeString "zonestats: " zone.zoneStats} + ${maybeToString "max-refresh-time: " zone.maxRefreshSecs} + ${maybeToString "min-refresh-time: " zone.minRefreshSecs} + ${maybeToString "max-retry-time: " zone.maxRetrySecs} + ${maybeToString "min-retry-time: " zone.minRetrySecs} + allow-axfr-fallback: ${yesOrNo zone.allowAXFRFallback} ${forEach " allow-notify: " zone.allowNotify} ${forEach " request-xfr: " zone.requestXFR} 
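Review bot: Both helper rewrites in the third hunk rename the second parameter to `x` while their bodies still interpolate `s`, so `maybeString` and `maybeToString` reference an unbound name in their else branch. If the module is under a `with lib;` scope (suggested by the unqualified `concatMapStrings` on the next line, but not visible here) this surfaces as an undefined-variable error only when a caller passes a non-null value, which is why the null defaults of the new options hide it; without such a scope Nix rejects the file outright. Every caller is affected: `statistics` in the second hunk, and `zonestats` plus the four new `max-/min-refresh-time` and `max-/min-retry-time` lines in the fourth. The fix is `maybeString = prefix: x: if x == null then "" else ''${prefix} "${x}"'';` and `maybeToString = prefix: x: if x == null then "" else ''${prefix} ${toString x}'';`. Since the rename changes nothing, keeping the original `pre: s:` parameter names would also have avoided the slip.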
@@ -241,6 +248,44 @@ let ''; }; + maxRefreshSecs = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Limit refresh time for secondary zones. This is the timer which + checks to see if the zone has to be refetched when it expires. + Normally the value from the SOA record is used, but this option + restricts that value. + ''; + }; + + minRefreshSecs = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Limit refresh time for secondary zones. + ''; + }; + + maxRetrySecs = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Limit retry time for secondary zones. This is the timeout after + a failed fetch attempt for the zone. Normally the value from + the SOA record is used, but this option restricts that value. + ''; + }; + + minRetrySecs = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Limit retry time for secondary zones. + ''; + }; + + notify = mkOption { type = types.listOf types.str; default = []; @@ -366,6 +411,15 @@ in ''; }; + ipFreebind = mkOption { + type = types.bool; + default = false; + description = '' + Whether to bind to nonlocal addresses and interfaces that are down. + Similar to ip-transparent. + ''; + }; + ipTransparent = mkOption { type = types.bool; default = false; |
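Review bot: The descriptions of `minRefreshSecs` and `minRetrySecs` in the fifth hunk repeat the opening sentence of their `max` counterparts ("Limit refresh/retry time for secondary zones") without saying which bound they impose, and none of the four options states the unit that the `Secs` suffix implies. Suggest for `minRefreshSecs` something like `Lower bound, in seconds, on the refresh timer for secondary zones; the value from the SOA record is raised to at least this.` (assuming nsd applies it as a floor, to be confirmed against the nsd.conf documentation), the analogous sentence for `minRetrySecs`, and adding "in seconds" to the two `max` descriptions. A value type of `types.int` also admits negative numbers that nsd will presumably reject at startup; if this nixpkgs revision has a non-negative integer type available, using it here would move that error to evaluation time.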
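Review bot: The `ipFreebind` description in the sixth hunk does not mention that `IP_FREEBIND` is a Linux socket option, which the 4.1.10 changelog quoted in the commit message states explicitly. Suggest extending the description with `Uses the Linux-specific IP_FREEBIND socket option; has no effect on other platforms.` (the second clause is inferred from the changelog wording and should be confirmed against nsd's behaviour). Naming the exact socket option also lets an operator relate the setting to what they see in strace or audit output when diagnosing a bind that unexpectedly succeeds on a not-yet-configured address.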