<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello community,<br>
<br>
To minimize downtime to 0 you can configure one NSD, or BIND server
for that matter,<br>
as a stealth/hidden name server. You configure all the public facing
name servers as<br>
slaves for the hidden one. If you have a lot of zones before
starting the slave you can<br>
copy the zone files, rebuild the database and start NSD. I didn't
tried this but I don't see<br>
why it wouldn't work.<br>
<br>
As for best practices I suggest you read the NLnet Labs publication
called DNS Threat<br>
Analysis [1]. The publications presents an hierarchical attack tree
to map DNS security<br>
threats. <br>
<br>
Another useful resource is the RFC 2870 - Root Name Server
Operational Requirements [2]. <br>
I can tell that you don't run a Root Server but it sure can help
taking the right decisions for <br>
you particular case.<br>
<br>
[1] - <a class="moz-txt-link-freetext" href="http://www.nlnetlabs.nl/downloads/publications/se-consult.pdf">http://www.nlnetlabs.nl/downloads/publications/se-consult.pdf</a><br>
[2] - <a class="moz-txt-link-freetext" href="http://www.icann.org/en/groups/rssac/rfc2870-01jun00-en.txt">http://www.icann.org/en/groups/rssac/rfc2870-01jun00-en.txt</a><br>
<br>
Cheers and Goodwill,<br>
|e<br>
<br>
<br>
On 6/8/12 6:04 PM, Peter Andreev wrote:
<blockquote
cite="mid:CAE_wXn0WwGA9z5E78arfmmu1e4iSqrZN=tdMkRHEinfsuZviZg@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">2012/6/8 Alexandre Maumené <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:alexandre@enovance.com" target="_blank">alexandre@enovance.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
Thanks for all your quick answers.<br>
<br>
To begin with, I must say that I already had taken all your
advices into<br>
account on BIND, but still, I'd like to give NSD a shot.<br>
<br>
I have several questions about various pieces of advice on
this post:<br>
<br>
Is it long to rebuild entirely the database if I got ~17 000
DNS entries? I<br>
can accept a small downtime but I'll be interest if you have
any advices to<br>
minimize it<br>
</blockquote>
<div><br>
You can launch NSD on other port than BIND, prepare everything
and measure how long it takes to start. After all is done
simply stop BIND and start NSD on default port. <br>
I tried stop/start my NSD server with four big (millions of
records) and about twenty small zones, it takes about 30
seconds to start.<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I already wrote a small python script to create a file
containing a key and a<br>
zone for a domain.<br>
<br>
Example for one domain for the master:<br>
<br>
Example for one domain for the slave:<br>
<br>
I joined as attachement my Python script, its unittest and a
example of a zone<br>
file definition, please feel free to review it and post your
critics.<br>
</blockquote>
<div><br>
I don't see any attachments. <br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Since I had to generate these files while I add/remove zones,
I'm asking<br>
myself if a master/slave configuration is really the best
option? I mean I can<br>
also scp to all my NSD servers theses files and databases and
not use the<br>
master/slave mechanism.<br>
<br>
But since I had to re-create these files when I add/remove
some zones, I only<br>
benefit from the master/slave scheme when I update my zones.
So I can launch<br>
the generation on a server and scp them to my others servers.
Are there any<br>
disadvantages?<br>
</blockquote>
<div><br>
Why not rsync? Linux has a bit strange but secure and powerful
piece of software called csync2 based on rsync.<br>
We used to use ssh inside perl scripts to transfer about 100k
zones, not a very good idea unless you have very fast disks.<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Trick question: do you have any thoughts about how to
integrate (in the<br>
best way) puppet and NSD? We start to deploy as much as
possible using puppet.<br>
(I'm not personnaly working but some collegues are).<br>
<br>
Kind regards,<br>
<div class="im HOEnZb"><br>
Alexandre Maumené<br>
----------------------------------------------------------<br>
P./ +33.1.49.70.86.12<br>
M./ <a moz-do-not-send="true"
href="mailto:alexandre@enovance.com">alexandre@enovance.com</a><br>
W./ <a moz-do-not-send="true"
href="http://www.enovance.com" target="_blank">www.enovance.com</a><br>
S./ enovance-alexandre.maumene<br>
eNovance SAS - 10 rue de la Victoire 75009 Paris - France<br>
----------------------------------------------------------<br>
<br>
</div>
<div class="HOEnZb">
<div class="h5">----- Original Message -----<br>
<br>
<br>
2012/6/8 Jan-Piet Mens < <a moz-do-not-send="true"
href="mailto:jpmens.dns@gmail.com">jpmens.dns@gmail.com</a>
><br>
<br>
<br>
<br>
> I'm a sys admin and currently working for a french
hosting company. We<br>
> provide DNS services to our customers and at the
moment we are using BIND<br>
> on Debian servers. BIND is a good software but we
don't need a recursing<br>
> DNS for our public DNS, and we needed better security
than what BIND provides.<br>
<br>
As you probably know, you can disable recursion in BIND,
thus making it<br>
authoritative only. :)<br>
<br>
<br>
I would also recommend disabling additional-from-cache.<br>
<br>
<br>
<br>
<br>
<br>
> So I made the suggestion to replace BIND by another
DNS software.<br>
> NSD appears to be the best alternative.<br>
<br>
NSD is indeed an excellent choice. There is one thing you
must be aware<br>
of: you can't add/remove zones to NSD on-the-fly. You have
to configure<br>
them in `nsd.conf' (or an included file) and then rebuild
NSD's<br>
database. If you can live with that, you should be set to
go.<br>
<br>
<br>
NSD also means no outgoing IXFR's and some additional cron
jobs for "nsdc patch".<br>
<br>
May be TS should take a look on Knot DNS and Yadifa to
choose the proper server for his tasks?<br>
<br>
<br>
<br>
<br>
<br>
> I'm currently writing some scripts to help the
migration process, but I'd<br>
> like to know if something already exists to help me
in this task. If not I<br>
> probably will make my scripts public and post it to
this mailing-list.<br>
<br>
I'm not really aware of any scripts... Basically it's a
matter of<br>
listing your zones and creating nsd.conf "zone" stanzas. A
bit of<br>
[ ls | {awk|perl} ] will probably get you going pretty
quickly.<br>
<br>
<br>
> I also would like to know if you have some
best-practices about NSD in<br>
> general.<br>
<br>
I recommend you look at past postings in the archive of
this mailing-<br>
list.<br>
<br>
Good luck!<br>
<br>
-JP<br>
<br>
PS: And if you do need recursive service somewhere on your
network, I<br>
greatly recommend you look at Unbound, also by NLnet Labs.<br>
<br>
<br>
_______________________________________________<br>
nsd-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:nsd-users@NLnetLabs.nl">nsd-users@NLnetLabs.nl</a><br>
<a moz-do-not-send="true"
href="http://open.nlnetlabs.nl/mailman/listinfo/nsd-users"
target="_blank">http://open.nlnetlabs.nl/mailman/listinfo/nsd-users</a><br>
<br>
<br>
<br>
--<br>
AP<br>
<br>
_______________________________________________<br>
nsd-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:nsd-users@NLnetLabs.nl">nsd-users@NLnetLabs.nl</a><br>
<a moz-do-not-send="true"
href="http://open.nlnetlabs.nl/mailman/listinfo/nsd-users"
target="_blank">http://open.nlnetlabs.nl/mailman/listinfo/nsd-users</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
AP<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
nsd-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:nsd-users@NLnetLabs.nl">nsd-users@NLnetLabs.nl</a>
<a class="moz-txt-link-freetext" href="http://open.nlnetlabs.nl/mailman/listinfo/nsd-users">http://open.nlnetlabs.nl/mailman/listinfo/nsd-users</a>
</pre>
</blockquote>
<br>
</body>
</html>