merge differences between nsd-4.6.0 and nsd-4.8.0

merge conflicts between 4.3.5 and 4.6.0, and update build

merge conflicts between our changes for nsd between 4.2.4 and 4.3.5

Simplify to avoid packed struct alignment issue.

branches: 1.1.1;
Initial revision

merge conflicts between 4.3.5 and 4.6.0, and update build

merge conflicts between our changes for nsd between 4.2.4 and 4.3.5

Simplify to avoid packed struct alignment issue.

branches: 1.1.1;
Initial revision

merge conflicts between our changes for nsd between 4.2.4 and 4.3.5

Simplify to avoid packed struct alignment issue.

branches: 1.1.1;
Initial revision

Simplify to avoid packed struct alignment issue.

branches: 1.1.1;
Initial revision

3 December 2019: Wouter
- Fix #52: do not log transient network full errors unless higher
verbosity is set.
- Fix checkconf test for new error output string.
- tag for 4.2.4rc1 release.

27 November 2017 Jeroen
- Fix regressions in configparser.y

22 November 2019: Wouter
- Fix #48: Add make distclean that removes config.h made by configure.
And add maintainer-clean that removes bison and flex output.

18 November 2019: Wouter
- Detect fixed time memcmp for openssl 0.9.8 compatibility.
- Detect EC_KEY_new_by_curve_name for openssl 0.9.8.
- include limits.h for UINT_MAX.
- If no recvmmsg, dont use msg_flags member, but errno for error,
where our fallback function left it, msg_flags also does not exist
on some systems.
- Remove unused variable warning for portability.

14 November 2019: Wouter
- Fix checkconf test with filenames that sort in the same order.
- Tag for 4.2.3rc1. Branch master is 4.2.4 in development.

11 November 2019: Wouter
- Fix #44: document that remote-control is a top-level nsd.conf
attribute.
- Fix compile on OSX.
- Fix for #44: nicer top-level clause documentation.

22 October 2019: Jeroen
- Number of different UDP handlers has been reduced to one. recvmmsg
and sendmmsg implementations are now used on all platforms.
Compatible implementations are in place for systems that lack the
system calls.
- Socket options are now set in designated functions for easy reuse.
- Socket setup has been simplified for easy reuse.
- Configuration parser is now aware of the context in which an option
was specified.

21 October 2019: Wouter
- For #21 add
contrib/patch_for_s6_startup_and_other_service_supervisors.diff
that adds support for readiness notification with READY_FD from
Cameron Nemo.

17 October 2019: Jeroen
- Fix #40: Merge small fixes for confine-to-zone by Greg Bock.

15 October 2019: Jeroen
- For #39: Merge confine-to-zone feature contributes by Greg Bock.

26 September 2019: Wouter
- Fix #38: log address and failure reason with tls handshake errors,
squelches (the same as unbound) some unless high verbosity is used.
- Fixup clang analysis warning in xfrd_parse_received_xfr_packet
master dereference.

25 September 2019: Wouter
- The nsd.conf includes are sorted ascending, for include statements
with a '*' from glob.

16 September 2019: Wouter
- Fixup warnings during --disable-ipv6 compile.
- Fixup unit test executable to run without IPv6.

4 September 2019: Wouter
- Fix #35: excessive logging of ixfr failures, it stops the log when
fallback to axfr is possible. log is enabled at high verbosity.

2 September 2019: Wouter
- For #21: pidfile "" allows to run NSD without a pidfile, for
startup management tools like daemontools.

28 August 2019: Wouter
- In tests check for tls test tool availability.

19 August 2019: Wouter
- Tag for 4.2.2 release. Git master contains 4.2.3 in development.

13 August 2019: Wouter
- Fix error message for out of zone data to have more information.
- Tag for 4.2.2rc2.

12 August 2019: Wouter
- Fix #33: Fix segfault in service of remaining streams on exit.

6 August 2019: Wouter
- Tag for 4.2.2rc1.

5 August 2019: Wouter
- PR #31: nsd-control: Add missing stdio header.
- PR #32: tsig: Fix compilation without HAVE_SSL.
- Cleanup tls context on xfrd exit.

31 July 2019: Wouter
- Fix #29: SSHFP check NULL pointer dereference.
- Fix #30: SSHFP check failure due to missing domain name.
- Fix to timeval_add in minievent for remaining second in microseconds.

22 July 2019: Wouter
- Set timeout for refetch immediately, only spread load when there
are retries.

19 July 2019: Wouter
- Set no renegotiation on the SSL context to stop client
session renegotiation.

18 July 2019: Wouter
- Fix #25: NSD doesn't refresh zones after extended downtime,
it refreshes the old zones, with a random delay of a couple of
seconds to spread the load.
- Fix so that expired zones stay expired when server is down a
long time.

17 July 2019: Wouter
- Fix that NSD warns for wrong length of the hash in SSHFP records.

15 July 2019: Wouter
- PR #23: Fix typo in nsd.conf man-page.

4 July 2019: Wouter
- Set version to 4.2.2 in development.
- clean memory on exit of nsd-checkzone for memory debug.
- Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
dname_concatenate() function. Reported by Frederic Cambus.
It causes the zone parser to crash on a malformed zone file,
with assertions enabled, an assertion catches it.
- Fix #19: Out-of-bounds read caused by improper validation of
array index. Reported by Frederic Cambus. The zone parser
fails on type SIG because of mismatched definition with RRSIG.

2 July 2019: Wouter
- Tag for 4.2.1rc1

27 June 2019: Wouter
- Fix unit test for added options and no dot after zone updated
log message.
- Fix compile without accept4.

21 June 2019: Wouter
- Omit remaining tcp processing if the list is empty.
- Fix output of nsd-checkconf -h.

20 June 2019: Wouter
- Initialize event structures before event_set, to stop uninitialized
values from setting event library lists and assertions, that would
sometimes also show after event_del.
- Added num.tls and num.tls6 stat counters.
- PR #12: send-buffer-size, receive-buffer-size,
tcp-reject-overflow options for nsd.conf, from Jeroen Koekkoek.
- Do not use symbol from libc, instead use own replacement, if not
available, for accept4.
- Fix #14, tcp connections have 1/10 to be active and have to work
every second, and then they get time to complete during a reload,
this is a process that lingers with the old version during a version
update.

19 June 2019: Wouter
- Fix tls handshake event callback function mistake, reported
by Mykhailo Danylenko.

18 June 2019: Wouter
- Fix #15: crash in SSL library, initialize variables for TCP access
when TLS is configured.

14 June 2019: Wouter
- Fix to init event not pointer, in reassignment.

12 June 2019: Wouter
- Fix to init event structure for reassignment.

11 June 2019: Wouter
- NSD 4.2.0 release. Current development is 4.2.1.
- Fixup of RELNOTES, corrected RFC reference for 4892.
- Fix #13: Stray dot at the end of some log entries, removes dot
after updated serial number in log entry.
- Fix TLS cipher selection, the previous was redundant, prefers
CHACHA20-POLY1305 over AESGCM and was not as readable as it could be.
- Consolidate server tls context create and remote control context
create, with hardening for the remote control tls context too.

6 June 2019: Wouter
- NSD 4.2.0rc1 tag.

4 June 2019: Wouter
- Fix unit test for outgoing interface to use random port numbers for
the outgoing interface config.

29 May 2019: Wouter
- Fix to guard _OPENBSD_SOURCE from redefinition.

28 May 2019: Wouter
- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.

16 May 2019: Wouter
- Fix #10: Fix memory leaks caused by duplicate rr and include
instructions.

6 May 2019: Wouter
- Note CII best practices badge for NSD on the README.md.

2 May 2019: Wouter
- Fix .gitignore for unit test generated files.
- Fix checkconf unit test for hide-identity and tls.

1 May 2019: Wouter
- Fix makedist.sh for use with git.
- Nicer output on travis for clang analysis.
- Add .gitignore file to exclude built files from version tracking.
- Add README.md file in repository with compile instructions.
- Fix .gitignore for dnstap files and aclocal temp.
- Add aclocal to README.md for pkgconfig for some configure options.

25 April 2019: Wouter
- Add tls.tpkg unit test for DNS over TLS functionality.

18 April 2019: Wouter
- Fix to avoid buffer alloc with global buffer in tls write handler.
- Fix to initialize event structure when accepting TCP connection.
- Use travis for build check, initial unit test and clang analysis.
- Disable SSLv2,3,TLSv1.0,1.1 if TLS1.2 is available in libssl.
- Disable weak ciphers, enable CIPHER_SERVER_PREFERENCE.
- further setup ssl ctx after the keys are loaded, for ECDH.
- TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
patch from Andreas Schulze.

17 April 2019: Wouter
- Fix to share openssl init code, and perform it once.

16 April 2019: Andreas via Sara
- Patch to add support for TCP Fast Open
- Patch to add support for tls service on a specified tls port

16 April 2019: Wouter
- Fix #4249: The option hide-identity: yes stops NSD from responding
with the hostname for chaos class queries. Implements the RFC4829
security considerations.
- Remove starttls, this signalling method was not standardized.
- Remove TO bit, this signalling method was not standardized.
- Remove unused first_query and tls_ok states.
- Remove sign-compare warning in tls packet send code.
- Fix spelling in comment and log printout.
- Fix potential uninitialized variable.
- Fix documentation for DNS over TLS, and set default port 853.
- Fix to add missing comment.
- Fix that the TLS handshake routine sets the correct event to
continue when done.
- Fix that TLS renegotiation calls the read and write routines again
with the same parameters when the desired event has been satisfied.
- Fix that TCP Fastopen has better error message and supports OSX.
- Fix log for fastopen with verbosity.
- Squelch TLS handshake failure log until verbosity 3.
- Add per-zone statistics for TLS queries, and dnstap for TLS queries,
and rcode and TCflag statistics for TCP and TLS queries.

25 March 2019: Wouter
- Print IP address when bind socket fails with error.

21 March 2019: Wouter
- Fix spelling error in release notes.
- Fix to delete unused zparser.default_apex member.

Import nsd-4.1.26

29 November 2018: Wouter
- Tag for 4.1.26rc1.

27 November 2018: Wouter
- Fix parsezone failure in 4194 fix.

26 November 2018: Wouter
- Fix to not set GLOB_NOSORT so the nsd.conf include: files are
sorted and in a predictable order.
- Added nsd-control changezone. nsd-control changezone name pattern
allows the change of a zone pattern option without downtime for
the zone, in one operation.
- Fix #3433: document that reconfig does not change per-zone stats.

20 November 2018: Wouter
- Fix #4205: enable-recvmmsg in mixed IPv4/IPv6 environment fails.
This sets the msg_hdr.msg_namelen correctly after receipt.

19 November 2018: Wouter
- Support SO_REUSEPORT_LB in FreeBSD 12 with the reuseport: yes
option in nsd.conf.
- Fix #4202: nsd-control delzone incorrect exit code on error.
- Tab style fix to use tab for 8 spaces, from Xiaobo Liu.

25 October 2018: Wouter
- Adjust dnstap socket path for chroot.

22 October 2018: Wouter
- Fix #4194: Zone file parser derailed by non-FQDN names in RHS of
DNSSEC RRs.
- Fix some more, neater code and checks for domain length limit.
- check that the dnstap socket file can be opened and exists, print
error if not.

4 October 2018: Wouter
- dnstap work, the dnstap.proto is a copy of the file from Unbound,
also dnstap.m4 configure include file.
- dnstap collector: free eventbase and memclean nicer.
- dnstap collector: send data and read it in collector.
- dnstap/dnstap.c and .h from Unbound's contribution from
Farsight Security, added to then adapt it for dnstap logging in NSD.
- dnstap.c with auth query and auth response, and called from
the collector.
- dnstap work, config nsd.conf parse.
- dnstap example config.

25 September 2018: Wouter
- NSD 4.1.25 released, trunk has 4.1.26 in development.

18 September 2018: Wouter
- tag for NSD 4.1.25rc1.

17 September 2018: Wouter
- Fix #4156: Fix systemd service manager state change notification

14 September 2018: Wouter
- Remove unused if clause during server service startup.

13 September 2018: Wouter
- Fix typo in clang analysis test.
- Annotate exit functions with noreturn.
- nsd-control prints neater errors for file failures.

12 September 2018: Wouter
- clang analysis test.

11 September 2018: Wouter
- Fix to combine the same error function into one, from Xiaobo Liu.
- Fix initialisation in remote.c.
- please clang analyzer and fix parse of IPSECKEY with bad gateway.
- Fix unit test code for clang analyzer.
- Fix nsd-checkconf fail on bad zone name.

10 September 2018: Wouter
- Fix coding style in nsd.c

7 September 2018: Wouter
- append_trailing_slash has one implementation and is not repeated
differently.

4 September 2018: Wouter
- Fix codingstyle in nsd-checkconf.c in patch from Sharp Liu.

15 August 2018: Wouter
- Fix use_systemd typo/leftover in remote.c.

Import nsd-4.1.24

6 August 2018: Wouter
- tag for 4.1.24 release.

30 July 2018: Wouter
- Tag for NSD 4.1.23 release, trunk is 4.1.24, includes
fix NSD time sensitive TSIG compare vulnerability.
- Fix checkconf test for use-systemd option.

25 July 2018: Wouter
- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
chain, NSD leniently attempts to find a working NSEC3PARAM.

23 July 2018: Wouter
- Remove socket activation from systemd code, it was reported as
not useful to enable. The readiness signalling is still there,
and can be enabled with use-systemd: yes.
- Only call sd_notify from systemd when use-systemd is yes.

6 July 2018: Wouter
- RFC8162 support, for record type SMIMEA.
- Fix that type CAA (and URI) in the zone file can contain
dots when not in quotes.

26 June 2018: Wouter
- configure --enable-systemd (needs pkg-config and libsystemd) can
be used to then use-systemd: yes in nsd.conf and use socket
activation and readiness signalling with systemd.

19 June 2018: Wouter
- #4106: Fix that stats printed from nsd-control are recast from
unsigned long to unsigned (remote.c).

14 June 2018: Wouter
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.

12 June 2018: Wouter
- #4102: control interface via local socket.
configure it with control-interface: "/path/nsd.ctl" The path
has to start with a / to separate it from an IP address.
The local socket does not use SSL, but unencrypted traffic, use
file and containing directory permissions to restrict access.

6 June 2018: Wouter
- Patch to fix openwrt for mac os build darwin detection in configure.

4 June 2018: Wouter
- tag for 4.1.22rc1. Became 4.1.22 on 11 June, trunk is 4.1.23 in
development from this point.

31 May 2018: Wouter
- Fix to use same condition for nsec3 hash allocation and free.

23 May 2018: Wouter
- Use accept4 to speed up answer of TCP queries, on Linux and FreeBSD
and OpenBSD.

22 May 2018: Wouter
- Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.

15 May 2018: Wouter
- Fix memory free in unit test.

14 May 2018: Wouter
- Tag for 4.1.21 release.
- trunk has 4.1.22 in development.
- refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
and allows TCP queries like normal.

7 May 2018: Wouter
- Tag for 4.1.21rc1 release.

4 May 2018: Wouter
- Fix #4093: Release notes not using 2018.

3 May 2018: Wouter
- Fix buffer size warnings from compiler on filename lengths.

26 April 2018: Wouter
- lower memory usage for tcp connections, so tcp-count can be higher.
- Fix checkconf test for refuse-any option.

3 April 2018: Wouter
- refuse-any nsd.conf option that refuses queries of type ANY.

5 March 2018: Wouter
- Fix #3562: explain build error when flex missing.

20 February 2018: Wouter
- For more clang warnings
- Fix spelling error in xfr-inspect.

19 February 2018: Wouter
- Fix for clang analysis complaints.

15 February 2018: Wouter
- --enable-memclean cleans up memory for use with memory checkers,
eg. valgrind.
- Fix unused variable warnings from clang analyzer.

14 February 2018: Wouter
- updated RELNOTES for upcoming release.
- tag 4.1.20rc1, became release on 20 feb, trunk has 4.1.21 in
development.

9 February 2018: Wouter
- make depend: updated the make dependencies in the Makefile.

8 February 2018: Wouter
- Fix memory leak when rehashing nsec3 after axfr or zonefile read,
in the selectively allocated precompiled nsec3 hashes.

6 February 2018: Wouter
- Fix memory leak in zone file read of unknown rr formatted RRs.

branches: 1.1.1.2.2; 1.1.1.2.4;

NSD 4.1.19
Dec 11, 2017
Bugfixes
ignore fallthrough compiler warning in flex EOF rule.
Fix warnings emitted by clang for --enable-packed. Alignment is not a problem for x86_64, don't enable packed when the platform requires aligned access.
Fix spelling error in xfr-inspect.
Fix 3392: Fix regression in 4.1.18 for notify lists with ip4 and ip6 targets.
Add test for support of -Wno-address-of-packed-member for --enable-packed.

NSD 4.1.18
Nov 30, 2017
Features
xfr-inspect, it is not installed, it prints xfr files from /tmp made with 'make xfr-inspect' in the source dir.
retry timeout between sending notifies dropped from 15 to 3 sec.
NSD sends 16 notifies simultaneously.
configure --enable-packed reduces memory usage, at expense of unaligned reads. Saves about 17%.
Save memory by selectively allocate precompiled nsec3 hashes, saves about 16% memory.
make ip-transparent option work on OpenBSD.
Save about 2% memory by changing usage count size in name tree.
Fix #2871: Increase number of sockets for xfrd transfers.
Bugfixes
Fix gcc 7.1.1 warnings.
Fix writev compile warning on FreeBSD.
Fix #1446: A corrupted zone file "propagates" to good ones.
nsd-control zonestatus prints wait time between attempts, for zones that are in that waiting time.
Fix collision printout of nsec3 to print name, hash and reverse.
Fix #1567: Change crit to err log level for gettimeofday failure. Add defines for compile without syslog.
Fix crash for DS query when parent and child zones both configured in nsd.conf and parent zone has not loaded properly.

NSD 4.1.17
Jul 21, 2017
Features
zone parser parses type AVC (it has TXT format).
Fix #1272: use writev to put tcp length field with data for outgoing zone transfer requests.
Bugfixes
Fix potential null pointer in nsec3 adjustment tree.
Fix text format of deletes for CDS and CDNSKEY, single 0 to represent empty base64 or hex string.

NSD 4.1.16
Apr 25, 2017
Features
zone parser can parse acronyms for algorithms ED25519 and ED448.
Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.
Bugfixes
Calculate new udb index after growing the array, fix from Chaofeng Liu.
Fix missing _t to _type conversion for disable-radix-tree option.
Printout serial error with hint it may be too big.
Fix 1228: OpenSSL include is not guarded with HAVE_SSL
Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
minor manpage fix.

NSD 4.1.15
Feb 16, 2017
Bugfixes
Fix nsd-control and ipv6 only.
Squelch zone transfer error address family not supported by protocol at low verbosity levels.
Fix #1195: Fix so that NSD fails on non-compliant values for Serial.
Fix to rename _t typedefs because POSIX reserves them.
Fix that nsec3 hash collisions only reported on verbosity level 3.

branches: 1.1.1.1.4; 1.1.1.1.8;
Import nsd

Import nsd-4.1.26

29 November 2018: Wouter
- Tag for 4.1.26rc1.

27 November 2018: Wouter
- Fix parsezone failure in 4194 fix.

26 November 2018: Wouter
- Fix to not set GLOB_NOSORT so the nsd.conf include: files are
sorted and in a predictable order.
- Added nsd-control changezone. nsd-control changezone name pattern
allows the change of a zone pattern option without downtime for
the zone, in one operation.
- Fix #3433: document that reconfig does not change per-zone stats.

20 November 2018: Wouter
- Fix #4205: enable-recvmmsg in mixed IPv4/IPv6 environment fails.
This sets the msg_hdr.msg_namelen correctly after receipt.

19 November 2018: Wouter
- Support SO_REUSEPORT_LB in FreeBSD 12 with the reuseport: yes
option in nsd.conf.
- Fix #4202: nsd-control delzone incorrect exit code on error.
- Tab style fix to use tab for 8 spaces, from Xiaobo Liu.

25 October 2018: Wouter
- Adjust dnstap socket path for chroot.

22 October 2018: Wouter
- Fix #4194: Zone file parser derailed by non-FQDN names in RHS of
DNSSEC RRs.
- Fix some more, neater code and checks for domain length limit.
- check that the dnstap socket file can be opened and exists, print
error if not.

4 October 2018: Wouter
- dnstap work, the dnstap.proto is a copy of the file from Unbound,
also dnstap.m4 configure include file.
- dnstap collector: free eventbase and memclean nicer.
- dnstap collector: send data and read it in collector.
- dnstap/dnstap.c and .h from Unbound's contribution from
Farsight Security, added to then adapt it for dnstap logging in NSD.
- dnstap.c with auth query and auth response, and called from
the collector.
- dnstap work, config nsd.conf parse.
- dnstap example config.

25 September 2018: Wouter
- NSD 4.1.25 released, trunk has 4.1.26 in development.

18 September 2018: Wouter
- tag for NSD 4.1.25rc1.

17 September 2018: Wouter
- Fix #4156: Fix systemd service manager state change notification

14 September 2018: Wouter
- Remove unused if clause during server service startup.

13 September 2018: Wouter
- Fix typo in clang analysis test.
- Annotate exit functions with noreturn.
- nsd-control prints neater errors for file failures.

12 September 2018: Wouter
- clang analysis test.

11 September 2018: Wouter
- Fix to combine the same error function into one, from Xiaobo Liu.
- Fix initialisation in remote.c.
- please clang analyzer and fix parse of IPSECKEY with bad gateway.
- Fix unit test code for clang analyzer.
- Fix nsd-checkconf fail on bad zone name.

10 September 2018: Wouter
- Fix coding style in nsd.c

7 September 2018: Wouter
- append_trailing_slash has one implementation and is not repeated
differently.

4 September 2018: Wouter
- Fix codingstyle in nsd-checkconf.c in patch from Sharp Liu.

15 August 2018: Wouter
- Fix use_systemd typo/leftover in remote.c.

Import nsd-4.1.24

6 August 2018: Wouter
- tag for 4.1.24 release.

30 July 2018: Wouter
- Tag for NSD 4.1.23 release, trunk is 4.1.24, includes
fix NSD time sensitive TSIG compare vulnerability.
- Fix checkconf test for use-systemd option.

25 July 2018: Wouter
- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
chain, NSD leniently attempts to find a working NSEC3PARAM.

23 July 2018: Wouter
- Remove socket activation from systemd code, it was reported as
not useful to enable. The readiness signalling is still there,
and can be enabled with use-systemd: yes.
- Only call sd_notify from systemd when use-systemd is yes.

6 July 2018: Wouter
- RFC8162 support, for record type SMIMEA.
- Fix that type CAA (and URI) in the zone file can contain
dots when not in quotes.

26 June 2018: Wouter
- configure --enable-systemd (needs pkg-config and libsystemd) can
be used to then use-systemd: yes in nsd.conf and use socket
activation and readiness signalling with systemd.

19 June 2018: Wouter
- #4106: Fix that stats printed from nsd-control are recast from
unsigned long to unsigned (remote.c).

14 June 2018: Wouter
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.

12 June 2018: Wouter
- #4102: control interface via local socket.
configure it with control-interface: "/path/nsd.ctl" The path
has to start with a / to separate it from an IP address.
The local socket does not use SSL, but unencrypted traffic, use
file and containing directory permissions to restrict access.

6 June 2018: Wouter
- Patch to fix openwrt for mac os build darwin detection in configure.

4 June 2018: Wouter
- tag for 4.1.22rc1. Became 4.1.22 on 11 June, trunk is 4.1.23 in
development from this point.

31 May 2018: Wouter
- Fix to use same condition for nsec3 hash allocation and free.

23 May 2018: Wouter
- Use accept4 to speed up answer of TCP queries, on Linux and FreeBSD
and OpenBSD.

22 May 2018: Wouter
- Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.

15 May 2018: Wouter
- Fix memory free in unit test.

14 May 2018: Wouter
- Tag for 4.1.21 release.
- trunk has 4.1.22 in development.
- refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
and allows TCP queries like normal.

7 May 2018: Wouter
- Tag for 4.1.21rc1 release.

4 May 2018: Wouter
- Fix #4093: Release notes not using 2018.

3 May 2018: Wouter
- Fix buffer size warnings from compiler on filename lengths.

26 April 2018: Wouter
- lower memory usage for tcp connections, so tcp-count can be higher.
- Fix checkconf test for refuse-any option.

3 April 2018: Wouter
- refuse-any nsd.conf option that refuses queries of type ANY.

5 March 2018: Wouter
- Fix #3562: explain build error when flex missing.

20 February 2018: Wouter
- For more clang warnings
- Fix spelling error in xfr-inspect.

19 February 2018: Wouter
- Fix for clang analysis complaints.

15 February 2018: Wouter
- --enable-memclean cleans up memory for use with memory checkers,
eg. valgrind.
- Fix unused variable warnings from clang analyzer.

14 February 2018: Wouter
- updated RELNOTES for upcoming release.
- tag 4.1.20rc1, became release on 20 feb, trunk has 4.1.21 in
development.

9 February 2018: Wouter
- make depend: updated the make dependencies in the Makefile.

8 February 2018: Wouter
- Fix memory leak when rehashing nsec3 after axfr or zonefile read,
in the selectively allocated precompiled nsec3 hashes.

6 February 2018: Wouter
- Fix memory leak in zone file read of unknown rr formatted RRs.

branches: 1.1.1.2.2;

NSD 4.1.19
Dec 11, 2017
Bugfixes
ignore fallthrough compiler warning in flex EOF rule.
Fix warnings emitted by clang for --enable-packed. Alignment is not a problem for x86_64, don't enable packed when the platform requires aligned access.
Fix spelling error in xfr-inspect.
Fix 3392: Fix regression in 4.1.18 for notify lists with ip4 and ip6 targets.
Add test for support of -Wno-address-of-packed-member for --enable-packed.

NSD 4.1.18
Nov 30, 2017
Features
xfr-inspect, it is not installed, it prints xfr files from /tmp made with 'make xfr-inspect' in the source dir.
retry timeout between sending notifies dropped from 15 to 3 sec.
NSD sends 16 notifies simultaneously.
configure --enable-packed reduces memory usage, at expense of unaligned reads. Saves about 17%.
Save memory by selectively allocate precompiled nsec3 hashes, saves about 16% memory.
make ip-transparent option work on OpenBSD.
Save about 2% memory by changing usage count size in name tree.
Fix #2871: Increase number of sockets for xfrd transfers.
Bugfixes
Fix gcc 7.1.1 warnings.
Fix writev compile warning on FreeBSD.
Fix #1446: A corrupted zone file "propagates" to good ones.
nsd-control zonestatus prints wait time between attempts, for zones that are in that waiting time.
Fix collision printout of nsec3 to print name, hash and reverse.
Fix #1567: Change crit to err log level for gettimeofday failure. Add defines for compile without syslog.
Fix crash for DS query when parent and child zones both configured in nsd.conf and parent zone has not loaded properly.

NSD 4.1.17
Jul 21, 2017
Features
zone parser parses type AVC (it has TXT format).
Fix #1272: use writev to put tcp length field with data for outgoing zone transfer requests.
Bugfixes
Fix potential null pointer in nsec3 adjustment tree.
Fix text format of deletes for CDS and CDNSKEY, single 0 to represent empty base64 or hex string.

NSD 4.1.16
Apr 25, 2017
Features
zone parser can parse acronyms for algorithms ED25519 and ED448.
Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.
Bugfixes
Calculate new udb index after growing the array, fix from Chaofeng Liu.
Fix missing _t to _type conversion for disable-radix-tree option.
Printout serial error with hint it may be too big.
Fix 1228: OpenSSL include is not guarded with HAVE_SSL
Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
minor manpage fix.

NSD 4.1.15
Feb 16, 2017
Bugfixes
Fix nsd-control and ipv6 only.
Squelch zone transfer error address family not supported by protocol at low verbosity levels.
Fix #1195: Fix so that NSD fails on non-compliant values for Serial.
Fix to rename _t typedefs because POSIX reserves them.
Fix that nsec3 hash collisions only reported on verbosity level 3.

branches: 1.1.1.1.4; 1.1.1.1.8;
Import nsd

Import nsd-4.1.24

6 August 2018: Wouter
- tag for 4.1.24 release.

30 July 2018: Wouter
- Tag for NSD 4.1.23 release, trunk is 4.1.24, includes
fix NSD time sensitive TSIG compare vulnerability.
- Fix checkconf test for use-systemd option.

25 July 2018: Wouter
- #4133: Fix that when IXFR contains a zone with broken NSEC3PARAM
chain, NSD leniently attempts to find a working NSEC3PARAM.

23 July 2018: Wouter
- Remove socket activation from systemd code, it was reported as
not useful to enable. The readiness signalling is still there,
and can be enabled with use-systemd: yes.
- Only call sd_notify from systemd when use-systemd is yes.

6 July 2018: Wouter
- RFC8162 support, for record type SMIMEA.
- Fix that type CAA (and URI) in the zone file can contain
dots when not in quotes.

26 June 2018: Wouter
- configure --enable-systemd (needs pkg-config and libsystemd) can
be used to then use-systemd: yes in nsd.conf and use socket
activation and readiness signalling with systemd.

19 June 2018: Wouter
- #4106: Fix that stats printed from nsd-control are recast from
unsigned long to unsigned (remote.c).

14 June 2018: Wouter
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.

12 June 2018: Wouter
- #4102: control interface via local socket.
configure it with control-interface: "/path/nsd.ctl" The path
has to start with a / to separate it from an IP address.
The local socket does not use SSL, but unencrypted traffic, use
file and containing directory permissions to restrict access.

6 June 2018: Wouter
- Patch to fix openwrt for mac os build darwin detection in configure.

4 June 2018: Wouter
- tag for 4.1.22rc1. Became 4.1.22 on 11 June, trunk is 4.1.23 in
development from this point.

31 May 2018: Wouter
- Fix to use same condition for nsec3 hash allocation and free.

23 May 2018: Wouter
- Use accept4 to speed up answer of TCP queries, on Linux and FreeBSD
and OpenBSD.

22 May 2018: Wouter
- Fix nsec3 hash of parent and child co-hosted nsec3 enabled zones.

15 May 2018: Wouter
- Fix memory free in unit test.

14 May 2018: Wouter
- Tag for 4.1.21 release.
- trunk has 4.1.22 in development.
- refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
and allows TCP queries like normal.

7 May 2018: Wouter
- Tag for 4.1.21rc1 release.

4 May 2018: Wouter
- Fix #4093: Release notes not using 2018.

3 May 2018: Wouter
- Fix buffer size warnings from compiler on filename lengths.

26 April 2018: Wouter
- lower memory usage for tcp connections, so tcp-count can be higher.
- Fix checkconf test for refuse-any option.

3 April 2018: Wouter
- refuse-any nsd.conf option that refuses queries of type ANY.

5 March 2018: Wouter
- Fix #3562: explain build error when flex missing.

20 February 2018: Wouter
- For more clang warnings
- Fix spelling error in xfr-inspect.

19 February 2018: Wouter
- Fix for clang analysis complaints.

15 February 2018: Wouter
- --enable-memclean cleans up memory for use with memory checkers,
eg. valgrind.
- Fix unused variable warnings from clang analyzer.

14 February 2018: Wouter
- updated RELNOTES for upcoming release.
- tag 4.1.20rc1, became release on 20 feb, trunk has 4.1.21 in
development.

9 February 2018: Wouter
- make depend: updated the make dependencies in the Makefile.

8 February 2018: Wouter
- Fix memory leak when rehashing nsec3 after axfr or zonefile read,
in the selectively allocated precompiled nsec3 hashes.

6 February 2018: Wouter
- Fix memory leak in zone file read of unknown rr formatted RRs.

NSD 4.1.19
Dec 11, 2017
Bugfixes
ignore fallthrough compiler warning in flex EOF rule.
Fix warnings emitted by clang for --enable-packed. Alignment is not a problem for x86_64, don't enable packed when the platform requires aligned access.
Fix spelling error in xfr-inspect.
Fix 3392: Fix regression in 4.1.18 for notify lists with ip4 and ip6 targets.
Add test for support of -Wno-address-of-packed-member for --enable-packed.

NSD 4.1.18
Nov 30, 2017
Features
xfr-inspect, it is not installed, it prints xfr files from /tmp made with 'make xfr-inspect' in the source dir.
retry timeout between sending notifies dropped from 15 to 3 sec.
NSD sends 16 notifies simultaneously.
configure --enable-packed reduces memory usage, at expense of unaligned reads. Saves about 17%.
Save memory by selectively allocate precompiled nsec3 hashes, saves about 16% memory.
make ip-transparent option work on OpenBSD.
Save about 2% memory by changing usage count size in name tree.
Fix #2871: Increase number of sockets for xfrd transfers.
Bugfixes
Fix gcc 7.1.1 warnings.
Fix writev compile warning on FreeBSD.
Fix #1446: A corrupted zone file "propagates" to good ones.
nsd-control zonestatus prints wait time between attempts, for zones that are in that waiting time.
Fix collision printout of nsec3 to print name, hash and reverse.
Fix #1567: Change crit to err log level for gettimeofday failure. Add defines for compile without syslog.
Fix crash for DS query when parent and child zones both configured in nsd.conf and parent zone has not loaded properly.

NSD 4.1.17
Jul 21, 2017
Features
zone parser parses type AVC (it has TXT format).
Fix #1272: use writev to put tcp length field with data for outgoing zone transfer requests.
Bugfixes
Fix potential null pointer in nsec3 adjustment tree.
Fix text format of deletes for CDS and CDNSKEY, single 0 to represent empty base64 or hex string.

NSD 4.1.16
Apr 25, 2017
Features
zone parser can parse acronyms for algorithms ED25519 and ED448.
Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.
Bugfixes
Calculate new udb index after growing the array, fix from Chaofeng Liu.
Fix missing _t to _type conversion for disable-radix-tree option.
Printout serial error with hint it may be too big.
Fix 1228: OpenSSL include is not guarded with HAVE_SSL
Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
minor manpage fix.

NSD 4.1.15
Feb 16, 2017
Bugfixes
Fix nsd-control and ipv6 only.
Squelch zone transfer error address family not supported by protocol at low verbosity levels.
Fix #1195: Fix so that NSD fails on non-compliant values for Serial.
Fix to rename _t typedefs because POSIX reserves them.
Fix that nsec3 hash collisions only reported on verbosity level 3.

branches: 1.1.1.1.4;
Import nsd

NSD 4.1.19
Dec 11, 2017
Bugfixes
ignore fallthrough compiler warning in flex EOF rule.
Fix warnings emitted by clang for --enable-packed. Alignment is not a problem for x86_64, don't enable packed when the platform requires aligned access.
Fix spelling error in xfr-inspect.
Fix 3392: Fix regression in 4.1.18 for notify lists with ip4 and ip6 targets.
Add test for support of -Wno-address-of-packed-member for --enable-packed.

NSD 4.1.18
Nov 30, 2017
Features
xfr-inspect, it is not installed, it prints xfr files from /tmp made with 'make xfr-inspect' in the source dir.
retry timeout between sending notifies dropped from 15 to 3 sec.
NSD sends 16 notifies simultaneously.
configure --enable-packed reduces memory usage, at expense of unaligned reads. Saves about 17%.
Save memory by selectively allocate precompiled nsec3 hashes, saves about 16% memory.
make ip-transparent option work on OpenBSD.
Save about 2% memory by changing usage count size in name tree.
Fix #2871: Increase number of sockets for xfrd transfers.
Bugfixes
Fix gcc 7.1.1 warnings.
Fix writev compile warning on FreeBSD.
Fix #1446: A corrupted zone file "propagates" to good ones.
nsd-control zonestatus prints wait time between attempts, for zones that are in that waiting time.
Fix collision printout of nsec3 to print name, hash and reverse.
Fix #1567: Change crit to err log level for gettimeofday failure. Add defines for compile without syslog.
Fix crash for DS query when parent and child zones both configured in nsd.conf and parent zone has not loaded properly.

NSD 4.1.17
Jul 21, 2017
Features
zone parser parses type AVC (it has TXT format).
Fix #1272: use writev to put tcp length field with data for outgoing zone transfer requests.
Bugfixes
Fix potential null pointer in nsec3 adjustment tree.
Fix text format of deletes for CDS and CDNSKEY, single 0 to represent empty base64 or hex string.

NSD 4.1.16
Apr 25, 2017
Features
zone parser can parse acronyms for algorithms ED25519 and ED448.
Fix 1243: Option to make NSD emit really minimal responses, minimal-responses: yes in nsd.conf.
Bugfixes
Calculate new udb index after growing the array, fix from Chaofeng Liu.
Fix missing _t to _type conversion for disable-radix-tree option.
Printout serial error with hint it may be too big.
Fix 1228: OpenSSL include is not guarded with HAVE_SSL
Patch for expire state in multi-master when masters includes broken master, from Manabu Sonoda.
minor manpage fix.

NSD 4.1.15
Feb 16, 2017
Bugfixes
Fix nsd-control and ipv6 only.
Squelch zone transfer error address family not supported by protocol at low verbosity levels.
Fix #1195: Fix so that NSD fails on non-compliant values for Serial.
Fix to rename _t typedefs because POSIX reserves them.
Fix that nsec3 hash collisions only reported on verbosity level 3.

branches: 1.1.1.1.4;
Import nsd

Import nsd