On 2025 Sep 03 (Wed) at 14:59:25 +0100 (+0100), Stuart Henderson wrote:
:Looking at updating NSD - I've polished up an old diff I had, taking
:us to NSD 4.11.0.
:
:I'll look at updating again afterwards, but there have been enough
:changes in 4.11.0 that I'd like to do that as a separate stage (not
:least to simplify the CVS-wrangling).
:
:Currently running the daemon on amd64 (non-BTI machine), also I've built
:nsd and run nsd-checkzone (which exercises the most delicate part, the
:new SIMD zone parser for x86) on aarch64 and BTI amd64.
:
:The SIMD code does cpuid detection and only allows a backend to run on
:a supported cpu. There is a way to use a non-default choice, setting
:ZONE_KERNEL=(haswell|westmere|fallback) in the environment, but IIUC
:this still does the cpuid check and won't try and use e.g. the haswell
:avx2 code on a machine which doesn't support it.
:
:Obviously the zone parser rewrite means there's even more churn than
:normal in this diff...
:

Successfully tested in test setups on amd64(+IBT), arm64, octeon,
riscv64; simple secondary's with the root zone, and my main dns server on
amd64 (no IBT), with 47 zones configured.

Main dns server has: a mix of secondary and primary zones, DoT enabled,
UPDATEs/NOTIFYs, ZONEMD, patterns, etc.

Best I can tell, the new zone parser checks DS and ZONEMD signatures when
they see them.  Maybe?


-- 
Mathematicians do it in theory.