NSD 4.14.3 Released, includes fixes for DoS crash loop

NLnet Labs - NSD - Download

NSD 4.14.3 (Current version)

Source: nsd-4.14.3.tar.gz | sha1 | sha256 | pgp sig

Doc: man-page

Date: 25 June, 2026

Linux and *BSD sources and binaries can easily be obtained using your (favorite) package manager or ports collection.

Bug Fixes

Fix for CVE-2026-12244: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker-controlled bytes. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt

Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a client that performs a TLS action, closing the connection early, causes a crash and restart of the server process. An attacker can keep all children in a crash-restart loop denying DoT service. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt

Fix for CVE-2026-12246: The RR type APL rdata address, if too large, causes an out-of-bounds write on the stack when the zonefile is written out. Thanks to Qifan Zhang from Palo Alto Networks, Haruki Oyama from Waseda University and zhangph for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt

Fix for CVE-2026-12490: Secondaries authenticated by a client certificate to transfer a zone over TLS can bypass verification by transferring over TCP. Thanks to Qifan Zhang, Palo Alto Networks for the report. https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt

Older versions

NSD 4.14.2

Download: nsd-4.14.2.tar.gz | sha1 | sha256 | pgp sig

Date: 19 March, 2026

Bug Fixes

Merge #477: Improve ignored old serial log message.

Fix in IXFR processing, to commit the collected RRs before deletions.

NSD 4.14.1

Download: nsd-4.14.1.tar.gz | sha1 | sha256 | pgp sig

Date: 24 February, 2026

Features

Merge #469 from jschlyter: Add container build files

Bug Fixes

Fix to note DSYNC RFC9859 reference.

Fix to note reference for NXNAME in comment.

Merge #470 from jschlyter: Update path to default container configuration and entrypoint

Fix rr-test.tdir so AMTRELAY relay field is "." with type 0

Fix checkconf.tdir test to anticipate default values for send-buffer-size and receive-buffer-size when configured with 0

Skip dns-cookies.tdir test with restricted unprivileged userns.

Fix #474: metrics output with zone statistics to change disallowed characters in metric names to underscores.

Fix that non normalized NSEC next owner names are preserved.

Fix to preserve case in literal dnames in RR types RRSIG, IPSECKEY, TALINK, DSYNC and AMTRELAY.

Fix for #474: Fix metrics name for zone statistics for the queries_total to have disallowed characters changed to underscores.

Fix to silence restricted userns check in test script.

Fix #475 info: axfr for domain from not-verified.

Fix metrics to clear server variable after close and log error on allocation failure.

Fix to escape slashes when they appear in the zone name for a pattern zonefile that is created. Also for per zone statistics.

Merge #472: Reduce memory usage with zones with RRsets consisting of many RRs.

Fix man page for ip-address, add text about process numbers, bindtodevice and setfib.

Fix systemd signalling so that it does not reload for too long. The reload is not signalled to systemd, so that long operations can complete, without systemd acting on a timer to stop them.

NSD 4.14.0

Download: nsd-4.14.0.tar.gz | sha1 | sha256 | pgp sig

Date: 04 December, 2025

Features

Fix #137: Adds tcp-listen-queue: number config option to set the TCP backlog. And the default for the listen TCP backlog is set to -1 on BSDs and Linux.

Merge #444: Refactor RDATA storage to reduce memory footprint

Bug Fixes

Fix empty debug statement body in catalog consumer zone process.

Merge #459: Check for libfstrm version >= 0.4.

For #459: Add configure check for fstrm_tcp_writer_options_init in addition to the check for fstrm_iothr_init.

Merge #460: Add XDP_OBJ fixing link errors for XDP.

Fix XDP build error with --enable-checking

Resolve warnings about mixed declaration and code and unused variable

Fix confusing report for default send and receive buffer-size by nsd-checkconf

Fix to log more details when send-buffer-size or receive-buffer-size is not granted, on verbosity level 2.

Update in acx_nlnetlabs.m4 to version 49.

Update in acx_nlnetlabs.m4 to version 50, with cache value for malloc function check.

Update acx_nlnetlabs.m4 to version 51, with nonstring unknown attribute warning fix.

Merge #466: Do not delete nodes from non-existent zone's NSEC3 hash trees

NSD 4.13.0

Download: nsd-4.13.0.tar.gz | sha1 | sha256 | pgp sig

Date: 03 September, 2025

Features

Use '(all)' and '(none)' for the socket server affinity log output instead of '*' and '-'.

The --enable-bind8-stats feature, which was already enabled by default, is described as enabled by default in usage.

The...
