<div dir="ltr"><div>Dear All,</div><div><br></div><div>
It is good you shared some detail. <br></div><div></div><div>- I did this because I wanted to be specific in what I expect from migration to NSD (or any other DNS server for that matter).</div><div><br></div><div></div><div>
DNS has good ways of implementing redundancies and achieving high availability. <br></div><div></div><div>- What are those like?</div><div><br></div><div>
You can set up new separate servers and test their functionality thoroughly [like Kaulkwappe described], even before telling any outsider about them.
</div><div>- I have already set up the new separate servers. But that is exactly the problem. I want to decide as to whether NSD will serve my needs for a long run? Is there any other DNS software which is more suitable for us?</div><div><br></div><div>
I'm just afraid getting the necessary public IP (IPv4) addresses might be an issue for you - if your organisation really only has 16 -- [1]
</div><div>- We will work to get an alternate ISP connection with 8 more Public IPs with it.</div><div><br></div><div>
One of the important ways towards high availability is to *not* put all the authoritative name servers in the same place (ie all eggs in the same basket).<br>
This seems to be the case currently [2].<br>
More elaborate advice is in RFC2182 -- [3].
</div><div>- Yes, this is the problem with our setup currently. As mentioned above, we will get an alternate Internet connection with a different ISP so that we have 8 more Public IPs on the different subnet.</div><div><br></div><div>
It looks like all current authoritative servers are in direct sequential IP addresses and one could guess that probably the outage of one router could cause all of them to become unreachable.
</div><div>- Yes, that is the case right now. We will sort it out. <br></div><div>- Meantime, we can continue with whatever we have, with high risk of course.</div><div><br></div><div>
I'd try to get a friendly organisation or your upstream provider to provide secondary name service for your domain(s). with automatic updates of zone data / changes from you to that server.
</div><div>- With more Public IP on a different subnet, I think the above will get sorted out.<br></div><div><br>
</div><div>This is of course not what you were asking (how to run *your* servers), <br></div><div>- Obviously not. I said we are running the setup, with all the above constraints, for the past 10 years. Yes there are problems, not that something serious has happened. We are not running mission critical server back there. A small amount of downtime is acceptable.</div><div><br></div><div>
but valid consideration for the person/team responsible for the overall availability of the domain in DNS.
</div><div>- Did not get what does that mean. I am only looking for how NSD, and will it help me, if I replace djbdns with NSD?</div><div><br></div><div>
But since this is the mailing list for NSD, I should mention that another mailing list:<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
would be more appropriate for the general DNS questions. <br></div><div>- I want to know more of NSD and hence have posted here. But since NSD is a DNS software, some relevance of DNS and other similar software are bound to come. Moreover, the general questions will disappear, once I come to know more about NSD. As I mentioned before, there is no concise manual for beginners, I have to join the mailing list and post the questions. For the other software, eg. djbdns, I learnt that without even knowing a mailing list for it exists.</div><div><br></div><div>I will be posting some direct questions to know more about NSD and its features. By knowing that I want to get a feel as to whether I will be able to successfully migrate my DNS setup to NSD.</div><div><br></div><div>Thanks a lot for the reply.</div><div><br></div><div>Mukul<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 7, 2021 at 2:39 AM Frank Habicht via nsd-users <<a href="mailto:nsd-users@lists.nlnetlabs.nl">nsd-users@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Mukul,<br>
<br>
it is good you shared some detail.<br>
<br>
DNS has good ways of implementing redundancies and achieving high<br>
availability.<br>
<br>
You can set up new separate servers and test their functionality<br>
thoroughly [like Kaulkwappe described], even before telling any outsider<br>
about them.<br>
I'm just afraid getting the necessary public IP (IPv4) addresses might<br>
be an issue for you - if your organisation really only has 16 -- [1]<br>
<br>
One of the important ways towards high availability is to *not* put all<br>
the authoritative name servers in the same place (ie all eggs in the<br>
same basket).<br>
This seems to be the case currently [2].<br>
More elaborate advice is in RFC2182 -- [3].<br>
<br>
It looks like all current authoritative servers are in direct sequential<br>
IP addresses and one could guess that probably the outage of one router<br>
could cause all of them to become unreachable.<br>
I'd try to get a friendly organisation or your upstream provider to<br>
provide secondary name service for your domain(s). with automatic<br>
updates of zone data / changes from you to that server.<br>
<br>
This is of course not what you were asking (how to run *your* servers),<br>
but valid consideration for the person/team responsible for the overall<br>
availability of the domain in DNS.<br>
<br>
But since this is the mailing list for NSD, I should mention that<br>
another mailing list:<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
would be more appropriate for the general DNS questions.<br>
<br>
Regards,<br>
Frank<br>
<br>
[1]<br>
inetnum: 14.139.250.80 - 14.139.250.95<br>
<br>
[2]<br>
dig <a href="http://sgsits.ac.in" rel="noreferrer" target="_blank">sgsits.ac.in</a>. ns<br>
<br>
[3]<br>
<a href="https://datatracker.ietf.org/doc/html/rfc2182" rel="noreferrer" target="_blank">https://datatracker.ietf.org/doc/html/rfc2182</a><br>
<br>
<br>
<br>
On 06/06/2021 22:16, Mukul Shukla via nsd-users wrote:<br>
> Dear All,<br>
> <br>
> Let me give a little background as to what I am trying to achieve.<br>
> <br>
> 1. The domain which I want the Authoritative Name server to serve for is<br>
> <a href="http://sgsits.ac.in" rel="noreferrer" target="_blank">sgsits.ac.in</a> <<a href="http://sgsits.ac.in" rel="noreferrer" target="_blank">http://sgsits.ac.in</a>>.<br>
> 2. The ERNET India (<a href="http://ac.in" rel="noreferrer" target="_blank">ac.in</a> <<a href="http://ac.in" rel="noreferrer" target="_blank">http://ac.in</a>>) is the domain name registrar<br>
> for academic institutes here in India.<br>
> 3. We are hosting our Website, Email and Moodle servers for which right<br>
> now djbdns is acting as an authoritative name server.<br>
> 4. Although, djbdns is working fine since last ten years (I must say it's<br>
> a brilliantly crafted DNS server), it lacks some security features<br>
> which are now a must (eg. DNSSEC).<br>
> 5. I want to migrate this name server to NSD, with all the security<br>
> features and high availability so that it meets the current requirements.<br>
> <br>
> Can anybody please tell me how to plan for this migration so that I have<br>
> a minimum downtime. Moreover, I want to build a setup with NSD so that<br>
> it runs smoothly for the next 10 years. Of course want to know how to<br>
> keep on upgrading will be an issue, I need to consider.<br>
> <br>
> I am reading the only source of information, the man pages on NLNET's<br>
> website, although there are few tutorials available (eg. Calomel)<br>
> <br>
> Thank you all.<br>
> <br>
> Mukul<br>
> <br>
> <br>
> <br>
> On Mon, Jun 7, 2021 at 12:02 AM Mukul Shukla <<a href="mailto:mukulmanet@gmail.com" target="_blank">mukulmanet@gmail.com</a><br>
> <mailto:<a href="mailto:mukulmanet@gmail.com" target="_blank">mukulmanet@gmail.com</a>>> wrote:<br>
> <br>
> Hi Ondřej,<br>
> <br>
> Thanks for such encouraging words.<br>
> Gave me a lot of confidence.<br>
> It's decided at my end. I will try to migrate my University DNS<br>
> authoritative setup to much improved NSD setup, of course with the<br>
> help of all the members here.<br>
> Thanks again.<br>
> <br>
> Mukul<br>
> <br>
> On Sun, Jun 6, 2021 at 10:57 PM Ondřej Surý <<a href="mailto:ondrej@sury.org" target="_blank">ondrej@sury.org</a><br>
> <mailto:<a href="mailto:ondrej@sury.org" target="_blank">ondrej@sury.org</a>>> wrote:<br>
> <br>
> Hi Mukul,<br>
> <br>
> don’t worry - the community here is friendly and helpful and you<br>
> should not run into any hard problems. Take it as an opportunity<br>
> to learn something new!<br>
> <br>
> Ondřej<br>
> - former Knot DNS team lead<br>
> - current BIND 9 team lead<br>
> --<br>
> Ondřej Surý <<a href="mailto:ondrej@sury.org" target="_blank">ondrej@sury.org</a> <mailto:<a href="mailto:ondrej@sury.org" target="_blank">ondrej@sury.org</a>>> (He/Him)<br>
> <br>
>> On 6. 6. 2021, at 18:50, Mukul Shukla via nsd-users<br>
>> <<a href="mailto:nsd-users@lists.nlnetlabs.nl" target="_blank">nsd-users@lists.nlnetlabs.nl</a><br>
>> <mailto:<a href="mailto:nsd-users@lists.nlnetlabs.nl" target="_blank">nsd-users@lists.nlnetlabs.nl</a>>> wrote:<br>
>><br>
>> <br>
>><br>
>> Dear All,<br>
>><br>
>> There are very few articles/tutorials on NSD. This is making<br>
>> me nervous to adapt it for a long use. If I am stuck, there is<br>
>> no help to refer to. Man pages are just not sufficient for the<br>
>> people like me who don't have much experience of the system<br>
>> administration and implementing DNS Authoritative Server in<br>
>> particular. Other DNS implementations have very good manuals.<br>
>> The kind of software NSD is, there should have been books<br>
>> written on them.<br>
>><br>
>> Mukul<br>
>><br>
>> On Sun, Jun 6, 2021 at 9:06 PM Anand Buddhdev via nsd-users<br>
>> <<a href="mailto:nsd-users@lists.nlnetlabs.nl" target="_blank">nsd-users@lists.nlnetlabs.nl</a><br>
>> <mailto:<a href="mailto:nsd-users@lists.nlnetlabs.nl" target="_blank">nsd-users@lists.nlnetlabs.nl</a>>> wrote:<br>
>><br>
>> On 06/06/2021 16:26, mj via nsd-users wrote:<br>
>><br>
>> Hi MJ,<br>
>><br>
>> > Actually: we are in a similar situation. We're currently<br>
>> running bind9,<br>
>> > and were interested in switching to NSD for the<br>
>> authoritative dns<br>
>> > services, but it seems that you have to compile newer<br>
>> releases (with<br>
>> > security fixes etc) yourself, or there is a repo<br>
>> somewhere we're missing?<br>
>> ><br>
>> > We're on debian 10. Is it recommended to simply install the<br>
>> NSD that debian<br>
>> > comes with, and rely on debian for the security fixes?<br>
>><br>
>> Debian packages are often well behind upstream releases.<br>
>> For example,<br>
>> Debian 10 (buster) still has NSD 4.1.26, whereas the<br>
>> upstream version is<br>
>> 4.3.6.<br>
>><br>
>> However, for Debian, there's usually a repository called<br>
>> backports. If<br>
>> you enable it, you can get newer versions of packages. For<br>
>> example,<br>
>> "buster-backports" currently has NSD 4.3.5 in it. You<br>
>> could also enable<br>
>> the "experimental" repo and get the latest 4.3.6 release.<br>
>><br>
>> Regards,<br>
>> Anand<br>
>> _______________________________________________<br>
>> nsd-users mailing list<br>
>> <a href="mailto:nsd-users@lists.nlnetlabs.nl" target="_blank">nsd-users@lists.nlnetlabs.nl</a><br>
>> <mailto:<a href="mailto:nsd-users@lists.nlnetlabs.nl" target="_blank">nsd-users@lists.nlnetlabs.nl</a>><br>
>> <a href="https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users" rel="noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users</a><br>
>> <<a href="https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users" rel="noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users</a>><br>
>><br>
> <br>
> <br>
> <br>
</blockquote></div>
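The thread's point about all authoritative servers sitting on directly sequential addresses behind one router can be turned into a repeatable check. The following is an added example, not part of the original messages: the server names and addresses are constructed (documentation ranges), and the /24 and /48 grouping lengths are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address ranges, not real servers).
SAME_SUBNET = {
    "ns1.example.": ["192.0.2.81"],
    "ns2.example.": ["192.0.2.82"],
    "ns3.example.": ["192.0.2.83"],
}
# Same set plus one secondary hosted on a different network.
WITH_OFFSITE = dict(SAME_SUBNET, **{"ns4.example.": ["198.51.100.10"]})


def group_by_prefix(ns_addrs, v4_len=24, v6_len=48):
    """Return {covering network: sorted NS names with an address inside it}."""
    groups = defaultdict(set)
    for name, addrs in ns_addrs.items():
        for text in addrs:
            ip = ipaddress.ip_address(text)
            plen = v4_len if ip.version == 4 else v6_len
            groups[ipaddress.ip_network(f"{ip}/{plen}", strict=False)].add(name)
    return {net: sorted(names) for net, names in groups.items()}


def diversity_findings(ns_addrs, v4_len=24, v6_len=48):
    """List availability concerns; an empty list means none were detected.

    Prefix diversity is only a proxy (assumption of this example): two
    different prefixes can still sit behind the same router or ISP.
    """
    findings = []
    if len(ns_addrs) < 2:
        findings.append("fewer than two name servers")
    groups = group_by_prefix(ns_addrs, v4_len, v6_len)
    for version in (4, 6):
        nets = [n for n in groups if n.version == version]
        # One covering prefix holding several servers: one outage takes all.
        if len(nets) == 1 and len(groups[nets[0]]) > 1:
            findings.append(f"all IPv{version} name servers share {nets[0]}")
    v4 = sorted(int(ipaddress.ip_address(a)) for addrs in ns_addrs.values()
                for a in addrs if ipaddress.ip_address(a).version == 4)
    if len(v4) > 1 and all(b - a == 1 for a, b in zip(v4, v4[1:])):
        findings.append("IPv4 name server addresses are directly sequential")
    return findings
```

In practice the input dictionary would be filled from the NS, A and AAAA answers for the zone, for example from the `dig` query cited in the thread.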