Dear colleagues,<style>
body {
font-family: 'Arial';
font-size: 100% !important;
margin: 0;
line-height: 1.2rem;
color: #1F497D;
}
</style><div><br></div><div>unfortunately NSD 4.1.26 still does not work on Debian 10 Buster due to permission errors.</div><div><br></div><div>I have tested it on two fresh Debian 10 Buster installations and I still get this error messages:</div><div><br></div><div>> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr</div><div>> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied</div><div><div>> error: could not open zone list /var/lib/nsd/zone.list: Permission denied</div><div>> error: could not read zonelist file /var/lib/nsd/zone.list</div></div><div><br></div><div>Please find attached the configuration file I use (in this case for the master, slave is almost the same).</div><div><br></div><div>Kind Regards,</div><div>Kaulkwappe</div><div><br></div><div>---</div><div><br></div><div><div>#</div><div># nsd.conf -- the NSD(8) configuration file, nsd.conf(5).</div><div>#</div><div># Copyright (c) 2001-2011, NLnet Labs. All rights reserved.</div><div>#</div><div># See LICENSE for the license.</div><div>#</div><div><br></div><div># This is a comment.</div><div># Sample configuration file</div><div># include: "file" # include that file's text over here. Globbed, "*.conf"</div><div><br></div><div># options for the nsd server</div><div>server:</div><div><span style="white-space:pre"> </span># Number of NSD servers to fork. Put the number of CPUs to use here.</div><div><span style="white-space:pre"> </span># server-count: 1</div><div><br></div><div><span style="white-space:pre"> </span># uncomment to specify specific interfaces to bind (default are the</div><div><span style="white-space:pre"> </span># wildcard interfaces 0.0.0.0 and ::0).</div><div><span style="white-space:pre"> </span># For servers with multiple IP addresses, list them one by one,</div><div><span style="white-space:pre"> </span># or the source address of replies could be wrong.</div><div><span style="white-space:pre"> </span># Use ip-transparent to be able to list addresses that turn on later.</div><div><span style="white-space:pre"> </span># ip-address: 1.2.3.4</div><div><span style="white-space:pre"> </span># ip-address: 1.2.3.4@5678</div><div><span style="white-space:pre"> </span># ip-address: 12fe::8ef0</div><div><span style="white-space:pre"> </span></div><div><span style="white-space:pre"> </span>ip-address: 45.***.***.***</div><div><span style="white-space:pre"> </span>ip-address: 2a03:***:***:***::***</div><div><br></div><div><span style="white-space:pre"> </span># Allow binding to non local addresses. Default no.</div><div><span style="white-space:pre"> </span># ip-transparent: no</div><div><br></div><div><span style="white-space:pre"> </span># Allow binding to addresses that are down. Default no.</div><div><span style="white-space:pre"> </span># ip-freebind: no</div><div><br></div><div><span style="white-space:pre"> </span># use the reuseport socket option for performance. Default no.</div><div><span style="white-space:pre"> </span># reuseport: no</div><div><br></div><div><span style="white-space:pre"> </span># enable debug mode, does not fork daemon process into the background.</div><div><span style="white-space:pre"> </span># debug-mode: no</div><div><br></div><div><span style="white-space:pre"> </span># listen on IPv4 connections</div><div><span style="white-space:pre"> </span>do-ip4: yes</div><div><br></div><div><span style="white-space:pre"> </span># listen on IPv6 connections</div><div><span style="white-space:pre"> </span>do-ip6: yes</div><div><br></div><div><span style="white-space:pre"> </span># port to answer queries on. default is 53.</div><div><span style="white-space:pre"> </span>port: 53</div><div><br></div><div><span style="white-space:pre"> </span># Verbosity level.</div><div><span style="white-space:pre"> </span># verbosity: 0</div><div><br></div><div><span style="white-space:pre"> </span># After binding socket, drop user privileges.</div><div><span style="white-space:pre"> </span># can be a username, id or id.gid.</div><div><span style="white-space:pre"> </span>username: nsd</div><div><br></div><div><span style="white-space:pre"> </span># Run NSD in a chroot-jail.</div><div><span style="white-space:pre"> </span># make sure to have pidfile and database reachable from there.</div><div><span style="white-space:pre"> </span># by default, no chroot-jail is used.</div><div><span style="white-space:pre"> </span># chroot: "/etc/nsd"</div><div><br></div><div><span style="white-space:pre"> </span># The directory for zonefile: files. The daemon chdirs here.</div><div><span style="white-space:pre"> </span>zonesdir: "/etc/nsd/zones"</div><div><span style="white-space:pre"> </span></div><div><span style="white-space:pre"> </span># the list of dynamically added zones.</div><div><span style="white-space:pre"> </span>zonelistfile: "/var/lib/nsd/zone.list"</div><div><br></div><div><span style="white-space:pre"> </span># the database to use</div><div><span style="white-space:pre"> </span># if set to "" then no disk-database is used, less memory usage.</div><div><span style="white-space:pre"> </span>#database: "/var/lib/nsd/nsd.db"</div><div><span style="white-space:pre"> </span>database: ""</div><div><br></div><div><span style="white-space:pre"> </span># log messages to file. Default to stderr and syslog (with</div><div><span style="white-space:pre"> </span># facility LOG_DAEMON). stderr disappears when daemon goes to bg.</div><div><span style="white-space:pre"> </span>logfile: "/var/log/nsd.log"</div><div><br></div><div><span style="white-space:pre"> </span># File to store pid for nsd in.</div><div><span style="white-space:pre"> </span>pidfile: "/run/nsd/nsd.pid"</div><div><br></div><div><span style="white-space:pre"> </span># The file where secondary zone refresh and expire timeouts are kept.</div><div><span style="white-space:pre"> </span># If you delete this file, all secondary zones are forced to be </div><div><span style="white-space:pre"> </span># 'refreshing' (as if nsd got a notify). Set to "" to disable.</div><div><span style="white-space:pre"> </span># xfrdfile: "/var/lib/nsd/xfrd.state"</div><div><br></div><div><span style="white-space:pre"> </span># The directory where zone transfers are stored, in a subdir of it.</div><div><span style="white-space:pre"> </span># xfrdir: "/tmp"</div><div><br></div><div><span style="white-space:pre"> </span># don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries</div><div><span style="white-space:pre"> </span>hide-version: yes</div><div><br></div><div><span style="white-space:pre"> </span># version string the server responds with for chaos queries.</div><div><span style="white-space:pre"> </span># default is 'NSD x.y.z' with the server's version number.</div><div><span style="white-space:pre"> </span># version: "NSD"</div><div><br></div><div><span style="white-space:pre"> </span># identify the server (CH TXT ID.SERVER entry).</div><div><span style="white-space:pre"> </span># identity: "unidentified server"</div><div><br></div><div><span style="white-space:pre"> </span># NSID identity (hex string, or "ascii_somestring"). default disabled.</div><div><span style="white-space:pre"> </span># nsid: "aabbccdd"</div><div><br></div><div><span style="white-space:pre"> </span># Maximum number of concurrent TCP connections per server.</div><div><span style="white-space:pre"> </span># tcp-count: 100</div><div><br></div><div><span style="white-space:pre"> </span># Maximum number of queries served on a single TCP connection.</div><div><span style="white-space:pre"> </span># By default 0, which means no maximum.</div><div><span style="white-space:pre"> </span># tcp-query-count: 0</div><div><br></div><div><span style="white-space:pre"> </span># Override the default (120 seconds) TCP timeout.</div><div><span style="white-space:pre"> </span># tcp-timeout: 120</div><div><br></div><div><span style="white-space:pre"> </span># Maximum segment size (MSS) of TCP socket on which the server</div><div><span style="white-space:pre"> </span># responds to queries. Default is 0, system default MSS.</div><div><span style="white-space:pre"> </span># tcp-mss: 0</div><div><br></div><div><span style="white-space:pre"> </span># Maximum segment size (MSS) of TCP socket for outgoing AXFR request.</div><div><span style="white-space:pre"> </span># Default is 0, system default MSS.</div><div><span style="white-space:pre"> </span># outgoing-tcp-mss: 0</div><div><br></div><div><span style="white-space:pre"> </span># Preferred EDNS buffer size for IPv4.</div><div><span style="white-space:pre"> </span># ipv4-edns-size: 4096</div><div><br></div><div><span style="white-space:pre"> </span># Preferred EDNS buffer size for IPv6.</div><div><span style="white-space:pre"> </span># ipv6-edns-size: 4096</div><div><br></div><div><span style="white-space:pre"> </span># statistics are produced every number of seconds. Prints to log.</div><div><span style="white-space:pre"> </span># Default is 0, meaning no statistics are produced.</div><div><span style="white-space:pre"> </span>#statistics: 3600</div><div><br></div><div><span style="white-space:pre"> </span># Number of seconds between reloads triggered by xfrd.</div><div><span style="white-space:pre"> </span># xfrd-reload-timeout: 1</div><div><span style="white-space:pre"> </span></div><div><span style="white-space:pre"> </span># log timestamp in ascii (y-m-d h:m:s.msec), yes is default.</div><div><span style="white-space:pre"> </span># log-time-ascii: yes</div><div><br></div><div><span style="white-space:pre"> </span># round robin rotation of records in the answer.</div><div><span style="white-space:pre"> </span># round-robin: no</div><div><br></div><div><span style="white-space:pre"> </span># check mtime of all zone files on start and sighup</div><div><span style="white-space:pre"> </span># zonefiles-check: yes</div><div><span style="white-space:pre"> </span></div><div><span style="white-space:pre"> </span># write changed zonefiles to disk, every N seconds.</div><div><span style="white-space:pre"> </span># default is 0(disabled) or 3600(if database is "").</div><div><span style="white-space:pre"> </span>zonefiles-write: 1800</div><div><br></div><div><span style="white-space:pre"> </span># RRLconfig</div><div><span style="white-space:pre"> </span># Response Rate Limiting, size of the hashtable. Default 1000000.</div><div><span style="white-space:pre"> </span># rrl-size: 1000000</div><div><br></div><div><span style="white-space:pre"> </span># Response Rate Limiting, maximum QPS allowed (from one query source).</div><div><span style="white-space:pre"> </span># If set to 0, ratelimiting is disabled. Also set</div><div><span style="white-space:pre"> </span># rrl-whitelist-ratelimit to 0 to disable ratelimit processing.</div><div><span style="white-space:pre"> </span># Default is on.</div><div><span style="white-space:pre"> </span># rrl-ratelimit: 200</div><div><br></div><div><span style="white-space:pre"> </span># Response Rate Limiting, number of packets to discard before</div><div><span style="white-space:pre"> </span># sending a SLIP response (a truncated one, allowing an honest</div><div><span style="white-space:pre"> </span># resolver to retry with TCP). Default is 2 (one half of the</div><div><span style="white-space:pre"> </span># queries will receive a SLIP response, 0 disables SLIP (all</div><div><span style="white-space:pre"> </span># packets are discarded), 1 means every request will get a</div><div><span style="white-space:pre"> </span># SLIP response. When the ratelimit is hit the traffic is</div><div><span style="white-space:pre"> </span># divided by the rrl-slip value.</div><div><span style="white-space:pre"> </span># rrl-slip: 2</div><div><br></div><div><span style="white-space:pre"> </span># Response Rate Limiting, IPv4 prefix length. Addresses are</div><div><span style="white-space:pre"> </span># grouped by netblock. </div><div><span style="white-space:pre"> </span># rrl-ipv4-prefix-length: 24</div><div><br></div><div><span style="white-space:pre"> </span># Response Rate Limiting, IPv6 prefix length. Addresses are</div><div><span style="white-space:pre"> </span># grouped by netblock. </div><div><span style="white-space:pre"> </span># rrl-ipv6-prefix-length: 64</div><div><br></div><div><span style="white-space:pre"> </span># Response Rate Limiting, maximum QPS allowed (from one query source)</div><div><span style="white-space:pre"> </span># for whitelisted types. Default is on.</div><div><span style="white-space:pre"> </span># rrl-whitelist-ratelimit: 2000</div><div><span style="white-space:pre"> </span># RRLend</div><div><br></div><div># Remote control config section. </div><div>remote-control:</div><div><span style="white-space:pre"> </span># Enable remote control with nsd-control(8) here.</div><div><span style="white-space:pre"> </span># set up the keys and certificates with nsd-control-setup.</div><div><span style="white-space:pre"> </span>control-enable: yes</div><div><br></div><div><span style="white-space:pre"> </span># what interfaces are listened to for control, default is on localhost.</div><div><span style="white-space:pre"> </span>control-interface: 127.0.0.1</div><div><span style="white-space:pre"> </span>#control-interface: ::1</div><div><br></div><div><span style="white-space:pre"> </span># port number for remote control operations (uses TLS over TCP).</div><div><span style="white-space:pre"> </span>control-port: 8952</div><div><br></div><div><span style="white-space:pre"> </span># nsd server key file for remote control.</div><div><span style="white-space:pre"> </span>server-key-file: "/etc/nsd/nsd_server.key"</div><div><br></div><div><span style="white-space:pre"> </span># nsd server certificate file for remote control.</div><div><span style="white-space:pre"> </span>server-cert-file: "/etc/nsd/nsd_server.pem"</div><div><br></div><div><span style="white-space:pre"> </span># nsd-control key file.</div><div><span style="white-space:pre"> </span>control-key-file: "/etc/nsd/nsd_control.key"</div><div><br></div><div><span style="white-space:pre"> </span># nsd-control certificate file.</div><div><span style="white-space:pre"> </span>control-cert-file: "/etc/nsd/nsd_control.pem"</div><div><br></div><div><br></div><div># Secret keys for TSIGs that secure zone transfers.</div><div># You could include: "secret.keys" and put the 'key:' statements in there,</div><div># and give that file special access control permissions.</div><div>#</div><div>key:</div><div><span style="white-space:pre"> </span># The key name is sent to the other party, it must be the same</div><div><span style="white-space:pre"> </span>name: "masterkey"</div><div><span style="white-space:pre"> </span># algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512</div><div><span style="white-space:pre"> </span>algorithm: sha384</div><div><span style="white-space:pre"> </span># secret material, must be the same as the other party uses.</div><div><span style="white-space:pre"> </span># base64 encoded random number.</div><div><span style="white-space:pre"> </span># e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64</div><div><span style="white-space:pre"> </span>secret: "***"</div><div><br></div><div><br></div><div># Patterns have zone configuration and they are shared by one or more zones.</div><div># </div><div>pattern:</div><div><span style="white-space:pre"> </span># name by which the pattern is referred to</div><div><span style="white-space:pre"> </span>name: "nsd-api"</div><div><span style="white-space:pre"> </span># the zonefile for the zones that use this pattern.</div><div><span style="white-space:pre"> </span># if relative then from the zonesdir (inside the chroot).</div><div><span style="white-space:pre"> </span># the name is processed: %s - zone name (as appears in zone:name).</div><div><span style="white-space:pre"> </span># %1 - first character of zone name, %2 second, %3 third.</div><div><span style="white-space:pre"> </span># %z - topleveldomain label of zone, %y, %x next labels in name.</div><div><span style="white-space:pre"> </span># if label or character does not exist you get a dot '.'.</div><div><span style="white-space:pre"> </span># for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"</div><div><span style="white-space:pre"> </span>zonefile: "%s.zone"</div><div><span style="white-space:pre"> </span></div><div><span style="white-space:pre"> </span># If no master and slave access control elements are provided,</div><div><span style="white-space:pre"> </span># this zone will not be served to/from other servers.</div><div><br></div><div><span style="white-space:pre"> </span># A master zone needs notify: and provide-xfr: lists. A slave</div><div><span style="white-space:pre"> </span># may also allow zone transfer (for debug or other secondaries).</div><div><span style="white-space:pre"> </span># notify these slaves when the master zone changes, address TSIG|NOKEY</div><div><span style="white-space:pre"> </span># IP can be ipv4 and ipv6, with @port for a nondefault port number.</div><div><span style="white-space:pre"> </span>notify: 95.***.***.*** masterkey</div><div><span style="white-space:pre"> </span># allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED</div><div><span style="white-space:pre"> </span># address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40</div><div><span style="white-space:pre"> </span>provide-xfr: 95.***.***.*** masterkey</div><div><span style="white-space:pre"> </span># set the number of retries for notify.</div><div><span style="white-space:pre"> </span>#notify-retry: 5</div><div><br></div><div><span style="white-space:pre"> </span># uncomment to provide AXFR to all the world</div><div><span style="white-space:pre"> </span># provide-xfr: 0.0.0.0/0 NOKEY</div><div><span style="white-space:pre"> </span># provide-xfr: ::0/0 NOKEY</div><div><br></div><div><span style="white-space:pre"> </span># A slave zone needs allow-notify: and request-xfr: lists.</div><div><span style="white-space:pre"> </span>#allow-notify: 2001:db8::0/64 my_tsig_key_name</div><div><span style="white-space:pre"> </span># By default, a slave will request a zone transfer with IXFR/TCP.</div><div><span style="white-space:pre"> </span># If you want to make use of IXFR/UDP use: UDP addr tsigkey</div><div><span style="white-space:pre"> </span># for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey</div><div><span style="white-space:pre"> </span>#request-xfr: 192.0.2.2 the_tsig_key_name</div><div><span style="white-space:pre"> </span># Attention: You cannot use UDP and AXFR together. AXFR is always over </div><div><span style="white-space:pre"> </span># TCP. If you use UDP, we higly recommend you to deploy TSIG.</div><div><span style="white-space:pre"> </span># Allow AXFR fallback if the master does not support IXFR. Default</div><div><span style="white-space:pre"> </span># is yes.</div><div><span style="white-space:pre"> </span>#allow-axfr-fallback: yes</div><div><span style="white-space:pre"> </span># set local interface for sending zone transfer requests.</div><div><span style="white-space:pre"> </span># default is let the OS choose.</div><div><span style="white-space:pre"> </span>#outgoing-interface: 10.0.0.10</div><div><span style="white-space:pre"> </span># limit the refresh and retry interval in seconds.</div><div><span style="white-space:pre"> </span>#max-refresh-time: 2419200</div><div><span style="white-space:pre"> </span>#min-refresh-time: 0</div><div><span style="white-space:pre"> </span>#max-retry-time: 1209600</div><div><span style="white-space:pre"> </span>#min-retry-time: 0</div><div><span style="white-space:pre"> </span># Slave server tries zone transfer to all masters and picks highest</div><div><span style="white-space:pre"> </span># zone version available, for when masters have different versions.</div><div><span style="white-space:pre"> </span>#multi-master-check: no</div><div><br></div><div><span style="white-space:pre"> </span># limit the zone transfer size (in bytes), stops very large transfers</div><div><span style="white-space:pre"> </span># 0 is no limits enforced.</div><div><span style="white-space:pre"> </span># size-limit-xfr: 0</div><div><br></div><div><span style="white-space:pre"> </span># if compiled with --enable-zone-stats, give name of stat block for</div><div><span style="white-space:pre"> </span># this zone (or group of zones). Output from nsd-control stats.</div><div><span style="white-space:pre"> </span># zonestats: "%s"</div><div><br></div><div><span style="white-space:pre"> </span># if you give another pattern name here, at this point the settings</div><div><span style="white-space:pre"> </span># from that pattern are inserted into this one (as if it were a </div><div><span style="white-space:pre"> </span># macro). The statement can be given in between other statements,</div><div><span style="white-space:pre"> </span># because the order of access control elements can make a difference</div><div><span style="white-space:pre"> </span># (which master to request from first, which slave to notify first).</div><div><span style="white-space:pre"> </span>#include-pattern: "common-masters"</div><div><br></div><div><br></div><div># Fixed zone entries. Here you can config zones that cannot be deleted.</div><div># Zones that are dynamically added and deleted are put in the zonelist file.</div><div>#</div><div># zone:</div><div> <span style="white-space:pre"> </span># name: "example.com"</div><div> <span style="white-space:pre"> </span># you can give a pattern here, all the settings from that pattern</div><div> <span style="white-space:pre"> </span># are then inserted at this point</div><div> <span style="white-space:pre"> </span># include-pattern: "master"</div><div> <span style="white-space:pre"> </span># You can also specify (additional) options directly for this zone.</div><div> <span style="white-space:pre"> </span># zonefile: "example.com.zone"</div><div> <span style="white-space:pre"> </span># request-xfr: 192.0.2.1 example.com.key</div><div><br></div><div><span style="white-space:pre"> </span># RRLconfig</div><div><span style="white-space:pre"> </span># Response Rate Limiting, whitelist types</div><div><span style="white-space:pre"> </span># rrl-whitelist: nxdomain</div><div><span style="white-space:pre"> </span># rrl-whitelist: error</div><div><span style="white-space:pre"> </span># rrl-whitelist: referral</div><div><span style="white-space:pre"> </span># rrl-whitelist: any</div><div><span style="white-space:pre"> </span># rrl-whitelist: rrsig</div><div><span style="white-space:pre"> </span># rrl-whitelist: wildcard</div><div><span style="white-space:pre"> </span># rrl-whitelist: nodata</div><div><span style="white-space:pre"> </span># rrl-whitelist: dnskey</div><div><span style="white-space:pre"> </span># rrl-whitelist: positive</div><div><span style="white-space:pre"> </span># rrl-whitelist: all</div><div><span style="white-space:pre"> </span># RRLend</div></div><div><br></div>