Dear all.

NSD 4.15.0rc1 pre-release is available:

https://nlnetlabs.nl/downloads/nsd/nsd-4.15.0rc1.tar.gz

sha256 2c7be631b1788e613ac29423e49524cd285437082c99fca4ebfc862a6bf1a675
pgp https://nlnetlabs.nl/downloads/nsd/nsd-4.15.0rc1.tar.gz.asc

This is the maintainer's pre-release of NSD 4.15.0rc1.
This release has many bugfixes, and a single new feature: Improved Prometheus metrics.

Before, the zone to which a certain metric related was put in the metric name. The new feature is to put the zone in a label instead, for example:

nsd_zonestats_queries_by_type_total{type="A",zone="example.com"} 99
nsd_zonestats_queries_by_type_total{type="NS",zone="example.com"} 99
...
nsd_zonestats_queries_by_type_total{type="A",zone="example.org"} 99
nsd_zonestats_queries_by_type_total{type="NS",zone="example.org"} 99
...

This has many advantages in the way Prometheus can handle the data, for details see: #482

⚠️ Beware that everyone currently using the Prometheus metrics need to revisit their configuration, as this is a breaking change from how these metrics were exposed before

Thanks to Ruud van Asseldonk for this great contribution

The release is signed with the OpenPGP software signing key that is in use since Jan 1st 2026:

User ID: NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419  146A A144 323D EAAC DF45

The key is available from https://nlnetlabs.nl/signing-keys

Please review this pre-release carefully. If all is well, the actual release will follow Tuesday, the 7th of July 2026.

NSD 4.15.0rc1

FEATURES:

• Merge #483 from ruuda: Improve Prometheus metrics: Move zonestats from metric name to label

BUG FIXES:

• Fix #478: Feature request: reduce syslog noise from frequent read-only control commands (e.g. stats_noreset). It logs the verbosity command always, and others at 2 and higher.
• Fix XDP cleanup code being executed even if xdp is not configured
• Merge #481 from jaredmauch: Fix pedantic/CodeQL warning in sources
• Merge #484 from orlitzky: OpenRC: fix network deps and support both supervisors
• Fix PROXYv2 header read and consume, it checks the header size.
  Thanks to Qifan Zhang, Palo Alto Networks for the report.
• Fix notify relay ipc to check for large size. This stops desync of the internal notify pipe.
  Thanks to Qifan Zhang, Palo Alto Networks for the report.
• Fix print of malformed HIP records.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report, and Haruki Oyama (Waseda University) for also reporting this issue.
• Fix to not fail on NSEC3 records with a bad owner name.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix print of NXT RR without bitmap
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix overflow for NSEC3 zones with 255-octet name
  Thanks to Haruki Oyama (Waseda University) for the report, and Qifan Zhang, Palo Alto Networks, for also reporting this issue.
• Fix to update github ci actions/checkout to v7.
• Fix notify and zone transfer processing for malformed SOA records, with a short rdata content. It stops an assertion failure.
  Thanks to Tristan Madani (@TristanInSec) from Talence Security for the report.
• Fix that wrong buffer position in IXFR for the first SOA causes the storage to retrieve wrong information. Later data would overwrite it so it did not cause observable trouble.
  Thanks to Tristan Madani (@TristanInSec) from Talence Security for the report.
• More robust removing of RRs from an IXFR processing.
  Thanks zhangph for reporting this issue
• Fix unit test for stopmany for process role logs.
• Fix nsd-control assoc_tsig, if that interrupts a zone transfer in progress, to not crash. It restarts the transfer from the primary.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix nsd-control del_tsig, if that interrupts a zone transfer in progress, to not crash. It does not delete the key, if in use.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix catalog producer zone with long name, so that it does not crash on that. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix catalog consumer zone with long name for member unique label that is long, so that it does not crash on that.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix that non-IN-class records cause a zone transfer to be rejected. Also such records are not added from a transfer. This stops an assertion failure.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix to disallow a SOA record in the middle of an AXFR. This stops an assertion failure.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix to set zone is_secure to false when IXFR removes RRSIG DNSKEY.
  This stops an assertion failure. Also fix soa and ns rrset change in IXFR when packed rrsets are disabled.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix to handle NSEC3 zones without space for hashes. Zones with a apex domain name length >= 223 bytes, that have a NSEC3PARAM must not be prehashed, since the hashed owner name would not fit.
  Thanks Qifan Zhang, Palo Alto Networks, for the report
• Fix to add hardening to zone_ixfr_remove_oldest, for IXFR processing.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix for xfrd crash with too short response to a UDP SOA query Only for release builds and only when configured for XFR over UDP
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix that out-of-zone records are skipped from zone transfers.
  Otherwise such records could stick around after zone deletion and cause failures for DS queries.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.

simdzone 0.2.5rc1

FEATURES:

• Add riscv fallback detection (#261)

BUG FIXES:

• Fix to parse SVCB and HTTPS svcparam ech=0.