ANNOUNCEMENT: NSD 1.4.0 alpha 1

Alexis Yushin alexis at
Fri Nov 7 10:29:18 UTC 2003

Once Erik Rozendaal wrote:
>A final note on why we made these changes.  Adding DNSSEC in the 
>"obvious" way to the precompiled answer database would probably have 
>resulted in a database that was 2-3 times larger just because of 
>duplication of answer data (non-DNSSEC answer, DNSSEC answer, DNSSEC 
>NXDOMAIN answer).  Combined with the fact that a signed zone is about 
>4-6 (?) times larger than the non-signed zone this would result in a 
>database size that was 8-18 times larger.  Even in the best case that 
>would result in a 1.3 gig NL zone database (170 Mb currently).  This 
>gets pretty close to the limits of 32-bit machines and architectures.
>The alternative would be to cut these packets up (non-DNSSEC part, 
>DNSSEC parts) and combine them depending on the query.  This would 
>require less memory but more CPU time.  We figured this approach was too 
>complicated and would not gain us much in CPU performance over the 
>approach taken with NSD 1.4.0.  The signed NL zone 1.4.0 database is 
>just 264 Mb, with NSD using about ~450 Mb memory when running on a 
>32-bit machine.  The signed zone file itself is 325 Mb, larger than the 
>compiled database :)

This is where I disagree. As people might have noticed I'm not in the
NSD development team anymore and do not influence the design choices.
I've been watching the changes to NSD in the last half year (or should I
say a complete rewrite of it) and to my regret I don't like the development
route the team has chosen. The ``too complicated'' approach as Erik says
is not complicated at all and would have required minimum changes to NSD
design. What I see happening is that NSD is losing its unique characteristics
which defies the very purpose for its development. To come to think of it
I should probably have started an open discussion about these choices
on nsd-users list back then, NSD is an open source software anyways.

I'm even thinking about implementing DNSSEC for 1.2.2 myself, but lacking
cooperation from the nlnetlabs and test platform I guess it is not a very
realistic plan.

Of course we have to see what will happen, but it would be very upsetting
for me if the new versions of NSD diminish its reputation.

Sorry guys, had to get it off my chest.

