2024-09-21 18:37:32 by Havard Eidnes | Files touched by this commit (2) |
Log message:
net/nsd: Update comment in patch with upstream pull request ID.
|
2024-09-21 18:09:29 by Havard Eidnes | Files touched by this commit (3) |
Log message:
Update nsd to version 4.10.1.
Pkgsrc changes:
* Add a patch so that this builds again on NetBSD,
upstream had borrowed some of our code but not ensured
that it still built for us...
Upstream changes:
NSD 4.10.1
This release consists primarily of bug fixes.
@bilias implemented mutual TLS authentication for zone transfers.
Please consult the nsd.conf manual for details on the newly introduced
configuration options tls-auth-port and tls-auth-xfr-only.
@orlitzky provided integration for the OpenRC init system.
Version 4.10.0 was the first release to integrate simdzone. Build
issues on OpenBSD releases before 5.6, Gentoo and Solaris have been
reported and fixed. The fallback parser, used on systems that lack
SSE4.2 and AVX2 instruction sets, contained some bugs with regards
to state keeping and under certain circumstances a use after free
bug was encountered in buffer management.
FEATURES:
* Merge #352 from orlitzky: contrib: add OpenRC service script,
config file, and tmpfiles entry.
* Merge #337 from bilias: Mutual TLS-AUTH.
BUG FIXES:
* Fix incorrect punctuation of log messages.
* Fix for #317, document more text on pidfile permissions.
* Fix #334: RFC8482 behavior documentation.
* Fix for OpenSSL 3.0 deprecated functions.
* Merge #341: Fix allow-query wording in nsd.conf.5.in.
* Fix test script from making spurious output.
* Fix cpu_affinity and socket_partitioning tests for --enable-log-role.
* Fix #344: Update simdzone.
* Fix #347: Adjust verbosity for TLS (+TCP) to be 5.
* Merge #348: Move TLS logging to verbosity level 5.
* For #347: Also adjust verbosity of log message for remaining TCP connections.
* Merge #349: log file name before loading.
* Use MAKE variable rather than make command directly in Makefile.
* Serialize WKS RRs using numeric values rather than names.
* Fix propagation of Makefile targets to simdzone.
* Do not log ACL mismatch on followed CNAMEs.
* Fix link of xfr-inspect for libssl dependency.
* Initialize tls_auth_port and tls_auth_xfr_only options.
* Merge #358: Fix Hurd build error due to log_err.
* Update simdzone to fix detection of AVX2 support.
simdzone 0.1.1
FEATURES:
* Test to verify configure.ac and Makefile.in are correct.
* Add support for reading from stdin if filename is "-".
* Add support for building with Oracle Developer Studio 12.6.
* Add support for "time" service for Well-Known Services (WKS) RR.
BUG FIXES:
* Fix makefile dependencies.
* Fix makefile to use source directory for build dependencies.
* Fix changelog to reflect v0.1.0 release.
* Update makefile to not use target-specific variables.
* Fix makefile clean targets.
* Fix state keeping in fallback scanner for contiguous and quoted.
* Fix bug in name scanner.
* Fix type mnemonic parsing in fallback parser.
* Fix endian.h to include machine/endian.h on OpenBSD releases before 5.6.
* Fix use after free on buffer resize.
* Fix parsing of numeric protocols in WKS RRs.
* Make devclean target depend on realclean target.
* Fix detection of AVX2 support by checking generic AVX support
by the processor and operating system (#222).
CHANGES:
* Make relative includes relative to current working directory.
* Split Autoconf and CMake compiler tests for supported SIMD instructions.
|
2024-07-29 22:25:53 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
net/nsd: Update to 4.10.1
Changelog:
25 April 2024: Jeroen
- Bump simdzone to fix OpenBSD build issues.
- Tag for 4.10.0rc1.
24 April 2024: Wouter
- Fix that the reload handler for sigchild uses signal_add, and
also that the signal handler is restored when done.
- Fix that when server verify is done it resets the sigchild handler.
- Fix makedist.sh for simdzone inclusion.
- Fix makedist.sh to remove simdzone git tracking information and
scripting temporaries from tarball.
- Fix error output of makedist.sh.
23 April 2024: Wouter
- Fix #329: TCP accept queues number.
22 April 2024: Jeroen
- Use simdzone version with name parser fix.
16 April 2024: Jeroen
- Replace Flex+Bison based zone parser with simdzone.
15 April 2024: Wouter
- Unit test for dname subdomain test used by xfrd-tcp.c.
9 April 2024: Wouter
- Fix IXFR requests upstream for zones with a long name. Thanks for
the report to Yuuki Wakisaka from Internet Initiative Japan Inc.
8 April 2024: Wouter
- For #317: Modify nsd service script to stop NSD from creating a
pid file that systemd is not using.
- Fix #324: Clarify the purpose of contrib/bug390.patch.
|
2024-04-15 16:12:39 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
net/nsd: Update to 4.9.1
Changelog:
4 April 2024: Jeroen
- Use rooted temporary path in makedist.sh.
- Tag for 4.9.1.
3 April 2024: Jeroen
- Replace multiple strcat and strcpy by snprintf.
- Tag for 4.9.0.
26 March 2024: Jeroen
- Test if debug is available in do-tests.
- Enforce timeout from NSD in ixfr_gone test.
- Update expressions in ixfr_and_restart test.
- Make algorithm explicit in control-repattern test.
- Switch algorithm to hmac-256 for testplan_mess test.
- Tag for 4.9.0rc1.
25 March 2024: Jeroen
- Fix timing sensitivity in ixfr_outsync test.
22 March 2024: Jeroen
- Set up doc/RELNOTES for upcoming release.
26 February 2024: Willem
- Merge #316: Fix to reap defunct children by the reload process that
emerged when some serve child processes were still serving TCP
request while the others had already quit, while the reload process
was waiting for the signal from the backup/old main process that all
children exited.
- Fix (also from Merge #316) to reap exited children more frequently
from server main loop for processes that exited during reload, but
missed the initial reaping at start of the main loop because they
took somewhat longer to exit.
16 February 2024: Wouter
- Fix compile with memclean for xfrd nsd.db close.
- In xfrd del secondary zone, the timer could perhaps have
event_added, and if so, it would not be event_del if a tcp connection
is active at the time. This could cause the libevent event lists
to fail. Also fix to make sure to set event_added for the
nsd-control ssl nonblocking handshake and check event_added there
too, for extra certainty.
15 February 2024: Willem
- Merge #304: Support for Catalog zones version "2" as specified in
RFC 9432. Both the consumer as well as the producer role are
implemented, but only a single catalog consumer zone is allowed.
The "coo" property, only relevant with multiple catalog consumer,
is therefore not supported. The "group" property is supported.
Have a look at the nsd.conf man page for details on how to
configure and use catalog zones.
12 February 2024: Willem
- Allow SOA apex queries to otherwise with allow-query protected zones
for clients matching a provide-xfr rule, because clients that are
allowed to transfer the zone need to be able to query SOA at the
apex preceding the actual transfer.
6 February 2024: Wouter
- Fix #313: nsd 4.8 stats with implausible spikes.
16 January 2024: Wouter
- Move acx_nlnetlabs.m4 to version 48, with ssp and getaddrinfo
include check.
14 January 2024: Wouter
- Move acx_nlnetlabs.m4 to version 47, with crypt32 check.
8 December 2023: Wouter
- Merge #309: More RFC 8499 compliance.
- Fix #310: NSD stats contain the terms "master" and "slave".
- Fix control-reconfig-xfrd test for zonestatus primary that is
printed by nsd-control zonestatus.
7 December 2023: Wouter
- Merge #307 from anandb-ripencc: Many improvements to the nsd.conf
man page.
- Fix #308: Deprecate "multi-master-check" in favour of
"multi-primary-check".
6 December 2023: Wouter
- Fix to sync the tests script file common.sh.
- Update test script file common.sh.
- Fix #306: Missing AC_SUBST(dbdir) breaks installation with 4.8.0.
- Fix for #306: Create directory for xfrd.state and zone.list files
in make install.
|
2023-12-09 07:50:28 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
nsd: Update to 4.8.0
Changelog:
29 November 2023: Wouter
- Tag for 4.8.0rc1.
28 November 2023: Wouter
- Set up doc/RELNOTES for upcoming release.
- Fix unit test kill_from_pidfile function for nonexistent files
because the argument is evaluated before the test expression.
- Fix rr-test to also convert the contents of the just written output
file.
- Fix test set to remove -f nsd.db and rm nsd.db commands.
- Fix test set to remove difffile option.
27 November 2023: Jeroen
- Fix #14: Set timeout to 3s when servicing remaining TCP connections.
- Fix: Always instate write handler after reading queries from TCP.
- Answer first query on connections accepted just before reload.
27 November 2023: Wouter
- Merge #305: faster stats. Statistics can be gathered while a reload
is in progress.
27 November 2023: Willem
- Merge #302: Test package fixes. Correct Auxfiles, kill_from_pidfile
function and fix drop_updates, rr-test and xfr_update tests.
1 November 2023: Jeroen
- Remove on-disk database.
31 October 2023: Wouter
- Merge #301: improve the logging of ixfr fallbacks to axfr.
30 October 2023: Jeroen
- Fix processing of consolidated IXFRs.
30 October 2023: Wouter
- Fix for interprocess communication to set quit sync command from
main process explicitly.
3 October 2023: Wouter
- Merge #281: Proxy protocol. An implementation of PROXYv2 for NSD.
It can be configured with proxy-protocol-port: portnum with the
port number of the interface on which proxy traffic is handled.
The interface can support proxy traffic for UDP, TCP and TLS.
21 September 2023: Wouter
- Merge #295: Update e-mail addresses, add ref to support contracts
31 August 2023: Wouter
- Fix autoconf 2.69 warnings in configure.
14 July 2023: Wouter
- Merge #287: Update nsd.conf.5.in.
11 July 2023: Wouter
- Fix unused variable warning in unit test of udb.
22 June 2023: Wouter
- Fix #284: dnstap_collector.c: SOCK_NONBLOCK is not available on
Mac/Darwin.
7 June 2023: Wouter
- Merge #282: Improve nsd.conf man page.
- Fix unused but set variable warning.
- Fix #283: Compile failure in remote.c when --disable-bind8-stats
and --without-ssl are specified.
|
2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298) |
Log message:
*: bump for openssl 3
|
2023-07-07 12:37:53 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
nsd: Update to 4.7.0
Changelog:
This release adds a script for bash autocompletion for nsd-control. Also
nsd-control can be configured to use unencrypted operation also when
compiled without openssl. There is also a systemd service unit example
file contributed. The dnstap log service can be contacted over TCP, with
the dnstap-ip: ip option. It is also possible to use TLS, with
dnstap-tls, it is enabled by default, and can be configured with the
dnstap-server-name, dnstap-cert-bundle, dnstap-client-key-file and
dnstap-client-cert-file options. The configure option
--enable-root-server is obsolete, it is no longer used and defaults to
on. In addition, the build file should support multicore build with
flex and bison more easily.
FEATURES:
Merge #263: Add bash autocompletion script for nsd-control.
Fix #267: Allow unencrypted local operation of nsd-control.
Merge #269 from Fale: Add systemd service unit.
Fix #271: DNSTAP over TCP, with dnstap-ip: "127.0.0.1@3333".
dnstap over TLS, default enabled. Configured with the
options dnstap-tls, dnstap-tls-server-name, dnstap-tls-cert-bundle,
dnstap-tls-client-key-file and dnstap-tls-client-cert-file.
BUG FIXES:
Fix #239: -Wincompatible-pointer-types warning in remote.c.
Fix configure for -Wstrict-prototypes.
Fix #262: Zone(s) not synchronizing properly via TLS.
Fix for #262: More error logging for SSL read failures for zone
transfers.
Merge #265: Fix C99 compatibility issue.
Fix #266: Fix build with --without-ssl.
Fix for #267: neater variable definitions.
Fix #270: reserved identifier violation.
Fix to clean more memory on exit of dnstap collector.
Fix dnstap to not check socket path when using IP address.
Fix to compile without ssl with dnstap-tls code.
Dnstap tls code fixes.
Fix include brackets for ssl.h include statements, instead of quotes.
Fix static analyzer warning about nsd_event_method initialization.
Fix #273: Large TXT record breaks AXFR.
Fix ixfr create from adding too many record types.
Fix cirrus script for submit to coverity scan to libtoolize
the configure script components config.guess and config.sub.
Fix readme status badge links.
make depend.
Fix for build to run flex and bison before compiling code that needs
the headers.
Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
For #279: Note that autoreconf -fi creates the configure script
and also the needed auxiliary files, for autoconf 2.69 and 2.71.
Fix unused variable warning in unit test, from clang compile.
Fix #240: Prefix messages originating from verifier.
Fix #275: Drop unnecessary root server checks.
|
2023-01-08 20:34:29 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
nsd: Update to 4.6.1
Changelog:
4.6.1
================
FEATURES:
- Set ALPN "dot" token during connection establishment as per RFC9103
section 7.1 (Thanks Cesar Kuroiwa).
- Add SVCB dohpath support
BUG FIXES:
- Fix static analyzer reports, fix wrong log print when skipping xfr,
fix to print error on pipe read fail, and assert an xfr is in
progress during packet checks.
- Use AC_PROG_CC_STDC with autoconf versions prior to 2.70.
- Add missing documentation for zone verification.
- Fix #212: Change commandline control actions to always log.
- Merge #231 from moritzbuhl: Fix checking if nonblocking sockets work
on OpenBSD.
- Change zone parsing to accept non-trailing newline.
|
2022-08-03 19:14:11 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
nsd: Update to 4.6.0
Changelog:
This release adds the zone verification support from the CreDNS code.
There are also some bug fixes in the ixfr out code.
Zone verification can start a verifier program that reads the new zone
data. It can reject the update. Or process the new zone data. The intent
is for a DNSSEC verifier to inspect the zone before it is passed on with
zone transfer or served to clients.
The zone verification can be enabled with enable: yes in the verify
section in nsd.conf. You can then list the interfaces the NSD listens on
while the verifier is active, so it can send queries for the new zone
contents. With verify-zones: yes zones are verified by default. The
command that is executed can be set with the verifier: ldns-verify-zone
option. With verifier-count the max number of concurrent verifiers can
be set. With the verifier-feed-zone: yes option the zone can be input
on stdin to the verifier program. A timeout to stop the verifier can be
set with the verifier-timeout option.
Per zone options can also be set for a pattern or for a zone, for zone
verification. With verify-zone the zone verification can be enabled
per zone. The verifier can be set per zone. And the verifier-feed-zone
and verifier-timeout options can be controlled per zone.
FEATURES:
Port zone-verification from CreDNS to NSD4.
BUG FIXES:
Fix static analyzer reports on ixfrcreate temp file.
Fixup wrong ixfrcreate fread return check.
|
2022-06-16 18:23:01 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
nsd: Update to 4.5.0
Changelog:
6 May 2022: Wouter
- Merge #209: IXFR out
This adds IXFR out functionality to NSD. NSD can copy IXFRs from
upstream to downstream clients, or create IXFRs from zonefiles.
The options store-ixfr: yes and create-ixfr: yes can be used to
turn this on. Default is turned off. The options ixfr-number and
ixfr-size can be used to tune the number of IXFR transfers and
total data size stored. This is configured per zone, the IXFRs
are served to the hosts that are allowed to perform zone transfers.
And if TSIG is configured, signed with the same key. The content
is stored to file if a zonefile is configured for the zone, in
the zonefile.ixfr and zonefile.ixfr.2, .. files. They contain
readable text format. The number of IXFRs is num.rixfr in
statistics output, also per zone if per zone statistics are enabled.
If offline, nsd-checkzone -i can create ixfr files.
NSD already supports requesting IXFRs, this addition allows NSD
to serve IXFR transfers to clients.
NSD stops responding with NOTIMPL to IXFR requests, also for zones
that do not have IXFR enabled. The client gets a full zone reply
or a status reply if the serial is up to date.
- set version to 4.5.0 for feature change.
- Tag for 4.5.0rc1 release. It became the 4.5.0 release on 13 May 2022.
14 April 2022: Wouter
- Update cirrus script FreeBSD version.
25 March 2022: Wouter
- Fix spelling error in comment in svcbparam_lookup_key.
2 March 2022: Wouter
- Fix code analyzer zero divide warning.
- Fix code analyzer large value with assertion.
- Fix another code analyzer zero divide warning.
- Fix code analyzer warning about uninitialized temp storage in loop.
10 February 2022: Wouter
- Tag for 4.4.0rc1 release. This became 4.4.0 release on 17 Feb 2022,
the code repository continues with version 4.4.1.
9 February 2022: Wouter
- Fix unit tests for nsd-control-setup exit code and the
xfrd-tcp-max default.
7 February 2022: Wouter
- Merge #207 Sync nsd-control-setup with unbound-control-setup to
generate certificates with SANs.
28 January 2022: Wouter
- Fix #206: build with --without-ssl fails.
27 January 2022: Wouter
- current code branch continues as version 4.4.0, because of added
feature.
26 January 2022: Wouter
- Merge #193: Lower memory usage of the XFRD process by default.
Instead of preallocating all elements, they are allocated when used.
There are options for managing the memory usage, defaults are the
same as before. xfrd-tcp-max sets the number of sockets for tcp
connections that xfrd can make to download zone contents. And
xfrd-tcp-pipeline the number of simultaneous transfers over the
same connection.
12 January 2022: Wouter
- Fix to document nsd-checkzone -p in the man page for nsd-checkzone.
7 January 2022: Wouter
- Fix to change file mode before changing file owner for the
nsd-control unix socket file.
3 January 2022: Wouter
- Merge #204 from jonathangray: correct some spelling mistakes.
15 December 2021: Wouter
- Fix #200: nsd-checkzone succeeds even with incorrect serial in SOA
record.
2 December 2021: Wouter
- Fix socket_partitioning unit test for FreeBSD.
- Fix SVCB test to work around older dig with drill.
- Fix unit test to not syslog setlogin failures.
|