################################################################################ # # Copyright (c) 2011-2016, EURid. All rights reserved. # The YADIFA TM software product is provided under the BSD 3-clause license: # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # * Neither the name of EURid nor the names of its contributors may be # used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # ################################################################################ 20160126: YADIFA 2.1.6 Fixes: - fixed an issue where the referral would not be measured for UDP on a optimised build. 20160108: YADIFA 2.1.5 Dynamic updates do not use temporary files anymore which improves their general performance. The statistics now shows the referrals. Fixes: - fixed an issue where getting a huge incremental transfer would prevent the server from answering queries while applying the changes. - fixed an issue serving IXFR that would occur when a incremental change step was bigger than 64KB - fixed an issue for Solaris with the memory alignment fix not active everywhere - fixed an issue on the Solaris build settings - fixed an issue where sometimes yadifad would not find a configuration file given as a parameter with a relative path - fixed an issue where a wild-card would not be properly returned with an AXFR - fixed an issue where dynamically updating a zone at a speed such that the zone file would need to be written multiple times on disk before finishing the previous write could lead to a deadlock 20151026: YADIFA 2.1.4 The zone reader error reporting has been improved. Stacktrace support added for Solaris. Known issue: - Adding and or removing NSEC3PARAM dynamically is not properly handled. Fixes: - fixed an issue where an NSEC3 answer proving a * query would lead to a crash - fixed an issue where a private key may be not recognised as such - fixed an issue where dynamic update prerequisite check would fail a valid match - fixed an issue where zone signature maintenance would only start if all private keys were available. 20150821: YADIFA 2.1.3 Fixes: - fixed an issue that could lead to a crash at startup - fixed an issue where parsing a TYPE#### record would stop the parser prematurely 20150814: YADIFA 2.1.2 The ./configure script has a new option: --enable-full-ascii7 This changes the behaviour of DNS name validation to accept all the ASCII7 characters instead of only the DNS-space ones. Enabling this option is not recommended. Fixes: - fixes an issue where the hmac-shaX identification string sent with a TSIG had the suffix ".sig-alg.reg.int". 20150714: YADIFA 2.1.1 The yadifa command line has a new option: --config|-c file : read the specific configuration file instead of ~/.yadifa.rc Issues detected on the NSEC3 database have now been upgraded from debug to info/warning Fixes: - fixed an issue where, on some cases; the garbage collector for the zones was not triggering for a long time. - fixed an issue in the Makefile (courtesy of DENIC) - fixed an issue where a few bytes could be leaked in some rare cases when failing to unload a zone - fixed an issue in RRL where some values of IPv6 prefix - fixed an issue accepting some answers on IXFR transfers 20150424: YADIFA 2.1.0 New journal file format: This new format addresses a few issues like having maximum journal file and a relatively constant random access time even for very big sizes. The internal messaging queue has been changed to address huge amount of zones. New CHaos queries supported: hostname id.server Known issues: _ building successfully with LTO may require to append both AR=gcc-ar and RANLIB=gcc-ranlib to the ./configure command 20150403: YADIFA 2.0.6 This release is a public release. This minor update's sole purpose is to fix YADIFA builds on OpenBSD. Fixes: - fixed a crash that could occur while sending a massive amount of notifications - OpenBSD builds are fixed. Tested on: OpenBSD 5.6 amd64, standard installation. Configure: ./configure Tested on: OpenBSD 5.6 amd64, with gcc 4.9 installed. Configure: ./configure CC=egcc 20150226: YADIFA 2.0.5 This release is a public release. Fixes: - fixed an issue with huge IXFR transfers as a master - fixed an issue with notifications on slave-slave-master setup - fixed an issue with a potential infinite loop loading an AXFR from a master - fixed missing hmac-sha* from configuration - fixed an issue with TLSA records parsing - fixed an issue with base 16 encoding - fixed an issue parsing * domains - fixed an issue with some RRL motivated answers - increased the maximum number of network interfaces from 5 to 16 - fixed an error in the configuration examples where "statistics" was used instead of "stats" - minor fixes and improvements 20141216: YADIFA 2.0.4 This release is a public release. By popular demand, the default log file directory is now PREFIX/var/log/yadifa. It can be set using --with-logdir=/my/dir Improved build mechanism. It has been tested to work automatically on Linux, FreeBSD, OSX, SunOS. RedHat family builds will use -O2 as maximum optimisations. Note that some optional features are now enabled by default but can be disabled. Fixes: - fixed an issue with the AXFR transfer where the serial number would not be properly taken into account - fixed an issue with the notify mechanism that could occur if the server was only listening to 127.0.0.1 - fixed an issue with bogus DNSKEY records that may potentially lead to a crash in openssl - fixed a reported potential "tmpfile" vulnerability on DEBUG builds (generated with make debug) - fixed an issue with IPv6 connections on some architectures - typos fixes - minor fixes and improvements 20141104: Architecture portability enhancements. On Solaris, if no --enable-force32bits nor --enable-force64bits is set, then 64 bits will be forced (fixes an issue at link-time) ELF 64-bit MSB executable SPARCV9 Version 1, UltraSPARC3 Extensions Required, dynamically linked, not stripped, no debugging information available PATH=/opt/csw/bin:/usr/ccs/bin:$PATH ./configure --enable-force32bits PATH=/opt/csw/bin:/usr/ccs/bin:$PATH make 20141030: Architecture portability enhancements. FreeBSD 9 FreeBSD dnode3 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 gcc (GCC) 4.2.1 20070831 patched [FreeBSD] ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 9.0 (900044), not stripped Ubuntu Linux dnode10 3.2.0-49-generic #75-Ubuntu SMP Tue Jun 18 17:39:32 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux gcc (Ubuntu/Linaro 4.6.3-1ubuntu5) 4.6.3 ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xe3b8601b9b5e59f8c9ce519cacbe9b8ff544ff1d, not stripped OSX Darwin RD-Mac-Mini.local 13.3.0 Darwin Kernel Version 13.3.0: Tue Jun 3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64 x86_64 Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn) Mach-O 64-bit executable x86_64 20141029: Architecture portability enhancements. uname -a gcc --version file yadifad YellowDog Linux Linux 2.6.29-3.ydl61.4 #1 SMP Mon Sep 7 14:50:27 PDT 2009 ppc64 ppc64 ppc64 GNU/Linux gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-44) ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped note: using --enable-force64bits failed because of ssl, no simple/quick way to install openssl-devel.ppc64 seemed available Debian PPC64 Linux 3.2.0-3-powerpc64 #1 SMP Mon Jul 23 08:03:56 UTC 2012 ppc64 GNU/Linux gcc (Debian 4.6.3-8) 4.6.3 ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xedc47c984a4af7eb9a7ecbc0f135e4d064ba08f0, with unknown capability 0x41000000 = 0x13676e75, with unknown capability 0x10000 = 0xb0401, not stripped note: using --enable-force64bits failed because of ssl, no simple/quick way to install openssl-devel.ppc64 seemed available 20141016: YADIFA 2.0.2 TCP fallback support on truncation 20140905: YADIFA 2.0.0 This release is a public release Fixes: - fixed a log incorrectly reporting an error when the client didn't close the TCP connection fast enough - fixed an issue with the statistics on TCP queries Known issue: - removing the last key of a signed zone is permitted by YADIFA but triggers some chicken-egg issue with signatures. 20140829: YADIFA 2.0.0-beta3-public This release is a public release - --disable-master feature at configure now builds a slave-only server Fixes: - fixed an issue with TSIG signed queries - fixed an issue with thread pool live resizing - fixed an issue where reading an undeleted obsolete journal ending at the start of a newly transferred zone from the master would incorrectly trigger an error Known issue: - removing the last key of a signed zone is permitted by YADIFA but triggers some chicken-egg issue with signatures. 20140630: YADIFA 2.0.0-beta2-public This release is a public release - basepath disabled - pidpath removed, only pidfile remains - log reopen notification is now timestamped - slave zones no longer complain about missing NSEC/NSEC3 private keys - the error code ZRE_FILE_NOT_FOUND has been replaced by the more accurate code ZRE_NO_VALID_FILE_FOUND - default logging settings no longer output debug Fixes: - fixed issue in flag computation (AD,CD) - fixed an issue with journal truncation sometimes leading to a crash - zone parsing now correctly accepts '#' as a comment marker - zone parsing now rejects wrong fqdn as soon as it reads them, leading to a more accurate error message - removing the last dnskey of a zone no longer crashes the server Known issue: - removing the last key of a signed zone is permitted by YADIFA but triggers some chicken-egg issue with signatures. yadifa remote client commands prototype is now available with the following supported commands: -shutdown shuts down yadifa e.g. ./yadifa -s "192.0.2.1 port 53" -t shutdown -cfgreload reloads the and sections of the yadifad configuration e.g. ./yadifa -s "192.0.2.1 port 53" -t cfgreload -logreopen closes and reopen the log files e.g. ./yadifa -s "192.0.2.1 port 53" -t logreopen -freezeall prevents all zones from being updated dynamically with nsupdate e.g. ./yadifa -s "192.0.2.1 port 53" -t freezeall -freeze prevents a zone from being updated dynamically with nsupdate e.g. ./yadifa -s "192.0.2.1 port 53" -t freeze -q somedomain.eu -unfreezeall enables updates of all zones again e.g. ./yadifa -s "192.0.2.1 port 53" -t unfreezeall -unfreeze enables updates of a zone again e.g. ./yadifa -s "192.0.2.1 port 53" -t unfreeze -q somedomain.eu In order to work, the allow-control ACL must be defined either in
for the global commands and may also be defined in for the ones targeting a specific zone. e.g. allow-control 127.0.0.1 Note that tsig is not supported in the client yet. 20140528: YADIFA 2.0.0-beta1-public This release is a public release - NSID implemented (enabled at ./configure time with --enable-nsid - generic parser for: - getops - zone file - resolv.conf - configuration - '@' can now be used in a zone file - new binary for controlling 'yadifad' (yadifa) - framework is rewritten for multi core systems - single core server has been removed Fixes: - fixed several minor issues Know issues: - removing all dnskeys from a zone file crashes the server - yadifa has some issues with nodelay, nocork 20130424: YADIFA 1.1.0 _ added DSA signature _ added SHA-256 SHA-384 SHA-512 digest algorithms _ now supports additional DNSSEC algorithms: DSASHA1 DSASHA1_NSEC3 RSASHA256_NSEC3 RSASHA512_NSEC3 _ Respone Rate Limitation implemented (enabled at ./configure time with --enable-rrl) _ --enable-tiny-footprint now reduces the memory usage further by reducing the standard log queue from 2^20 to 2^12 entries _ the general speed has been slightly improved _ dynamic updates pending for more than 3 seconds are now dropped with an error _ dynamic provisioning Fixes: _ fixed a memory leak that could occur at NSEC3 generation when loading the zone failed in a particular way _ fixed a memory leak at ixfr send _ fixed handling of '_' character that was improperly stored in the database _ fixed bandwidth limit settings (tcp stream in and out) not always being taken from the configuration _ fixed TSIG answer verification for notifies _ fixed error codes not being registered and thus logged as unknown hexadecimal error code. _ other minor fixes 20130612: YADIFA 1.0.3 Fixes only (backports from 1.1.0) Fixes: _ fixed an issue preventing YADIFA from being build from another directory _ fixed an issue with OSX systems where gsed has to be used instead of sed _ fixed an issue with the '_' character not being properly handled _ fixed an issue where reading MX record from a zone file would incorrecly be rejected as invalid _ fixed an issue where the OPT record would not be properly written _ fixed an issue where an undefined ACL reference would be silently ignored _ fixed missing code tags for several error codes. From now on unregistered codes are dumped in hexadicimal. _ fixed portability issues with BSD and OSX _ fixed several minor issues 20120921: YADIFA 1.0.2 Fixes only Fixes: _ fixed an issue where the journal file was sometimes not properly closed at the end of a task _ fixed an issue where the TCP usage slots would sometimes wrongly return that they were all being used _ fixed an issue on IXFR processing (slave side) where the type of answer from the master would not be properly detected _ fixed an issue with TSIG on secrets not exactly 16 bytes long (binary form) _ fixed an issue on 32 bits architectures where the sig-validity-* fields would not be properly handled if not set on each zone section. _ slightly improved the replay time of big journal files _ fixed several minor issues Known issues: _ if the serial of a zone is changed in a way that it goes beyond a value such as the journal serial start is bigger than the journal serial end, issues are expected for IXFR answers. _ notify is ignored on TCP 20120709: YADIFA 1.0.1 _ logging repeat compression is now by channel instead of global Fixes: _ fixed an issue where glibc whould assert if libgcc_s.so (libgcc_s.so.1) and libc.so (libc.so.6) where not available inside the chrooted directory of YADIFA _ fixed an issue in the syslog module Known issues: _ on 32 bits architectures, the sig-validity-* fields are not properly copied from
to as a workaround, set the sig-validity fields in each container in 32 bits architectures ie: sig-validity-interval 7 sig-validity-regeneration 168 sig-validity-jitter 3600 _ if the serial of a zone is changed in a way that it goes beyond a value such as the journal serial start is bigger than the journal serial end, issues are expected for IXFR answers. _ notify is ignored on TCP 20120625: YADIFA 1.0.0 _ LTO support can be enabled with --enable-lto but this is not working with clang. LTO does not increase the performance significally _ parallel processing of listening addresses can now be enabled. It can be set using thread-count-by-address in the
section. By default YADIFA will not use parallel processing as this feature has not been as thoroughly tested as the single-thread processing model _ default parameters tuning _ fixes Known issue: _ on 32 bits architectures, the sig-validity-* fields are not properly copied from
to as a workaround, set the sig-validity fields in each container in 32 bits architectures ie: sig-validity-interval 7 sig-validity-regeneration 168 sig-validity-jitter 3600 20120530: YADIFA 1.0.0RC3 _ the configuration parser now ignores undefined logger names and report them with a warning _ syslog messages are now put in the name of "yadifad" instead of the name used for the "syslog" channel _ syslog messages do not print the time from YADIFA anymore _ improved the steps involved in loading a locally cached slave zone _ zones are now loaded in background _ man page yadifad-conf.man5 renamed into yadifad.conf.man5 Fixes: _ AXFR/IXFR answers with the RA bit set are nolonger rejected as invalid _ YADIFA now answers to SIGINT again (shutdown) _ fixed an issue where obsolete AXFR files were not always being deleted _ fixed an issue occurring when both IPv4 and IPv6 were available to handle a notify _ fixed journal replay issue where some RRSIGs records were not properly removed _ fixed an issue occurring with IPv6 queries _ fixed an issue in the generation of a specific NSEC3 error answer _ fixed named query style layout Known issue: _ if the serial of a zone is changed in a way that it goes beyond a value such as the journal serial start is bigger than the journal serial end, issues are expected for IXFR answers. _ notify is ignored on TCP 20120328: YADIFA 1.0.0RC2 _ fixed logging issue on work file creation error _ fixed an issue where IXFR queries could be rejected as being wrongly formatted _ fixed an issue in the query logging text _ enabled command line options ( -u uid -g gid -d ) 20120319: YADIFA 1.0.0RC1 Is a full functional authoritative name server: - works as primary or secondary name server - AXFR - IXFR - NOTIFY - NSUPDATE - TSIG - CLASSES: - IN - CH (just for version) - TYPES: - AAAA - CNAME - DNSKEY - DS - HINFO - MX - NAPTR - NS - NSEC3 - NSEC3PARAM - NSEC - PTR - RRSIG - SOA - SRV - SSHFP - TXT - Automatic resigning - DNSSEC algorithms: - 5 (RSASHA1) - 7 (RSASHA1-NSEC3 - ACL's KNOWN ISSUES: NSEC3: _ cannot work with multiple NSEC3PARAM chains with mixed OPT-IN/OUT settings _ adding a new NSEC3 chain expects that the master sends the NSEC3PARAM first (it does not seems to be always the case) We have a case where a master starts with 2 thousands NSEC3 opt-out records then adds 6 millions NSEC3 opt-in records but does not give the NSEC3PARAM record first. The slave server rejects them all because it's unable to link them to a chain. (This one has high priority) DNSSEC: _ it is not allowed to change the zone security mode (unsecure, NSEC, or NSEC3). Once the zone is loaded it keeps its security mode. _ dynamic updates of NSEC as well as NSEC3 records are refused QUIT: the server will shutdown on the following conditions: _ detection of an impossible situation or an internal integrity issue (ie: for any reason the SOA has vanished from a zone) _ memory limit reached which prevents any more work _ ipc issue which prevent internal services communication ACL: _ since the access control is set by zone and CHAOS class is not implemented as a configurable zone, it is not possible (yet) to specifically block CHAOS queries. 20111121: YADIFA 0.5.5 - many fixes KNOWN ISSUE: NSEC3 slave zone replay fails. 20110706: YADIFA 0.5.0 - slave mode, AXFR/IXFR (no TSIG yet for the slave-side transfer) - answers to a notify from the master - polls the (first) master on the masters list - maintains the .axfr & .ix files (deletes the obsoletes ones) - TSIG queries are checked - Replays the zone journal on startup after the zone load (journaling) - Answers IXFR queries (journaling) 20110601: YADIFA 0.4.0 Operational: - It works as a no dnssec name server - No notifies to slave name servers - daemon - Answers AXFR queries with TSIG - nsupdate functionality (journaling) - TSIG on client server side will be transmitted, but not checked - ACL works - The zone has SOA, NS A resource records. 20110524: YADIFA 0.3.0 First release internally of yadifad 20110524115500 GMT+1. Operational: - It works as a no dnssec name server - No notifies to slave name servers - daemon - Answers AXFR queries - The zone has SOA, NS A resource records. 20091224: YADIFA 0.2.0 _ Answers AXFR queries _ ACL based on IP and TSIG (not all query types are ACL'ed yet) 20091104: YADIFA 0.1.0 YADIFA is a work in progress. The main goal is to have an alternative for BIND or NSD. Version 0.1.0 is an authoritative server only. It has no: - AXFR/IXFR functionality - dynupdate - support for NSEC - support for NSEC3 - caching mechanism - additional tools (eg.dig, dnssectools, drill,...) It has: - a very fast way to give authoritative answer - a very fast method for loading the database and checking the zone files This first release is to have a feeling how it works in an operational environment. TODO Everything what is not implemented, has to be implemented. Most of the code is there, but is not activated. No comformity tests has been done. (This of course is on the todo list) Bug Reports and Mailing Lists Bugs reports should be sent to bugreport@yadifa.eu