[nsd-users] Best practices to switch from BIND to NSD
Jan-Piet Mens
jpmens.dns at gmail.com
Fri Jun 8 10:17:25 UTC 2012
> I'm a sys admin and currently working for a French hosting company. We
> provide DNS services to our customers and at the moment we are using BIND
> on Debian servers. BIND is good software but we don't need a recursing
> DNS for our public DNS, and we needed better security than what BIND provides.
As you probably know, you can disable recursion in BIND, thus making it
authoritative only. :)
> So I made the suggestion to replace BIND by another DNS software.
> NSD appears to be the best alternative.
NSD is indeed an excellent choice. There is one thing you must be aware
of: you can't add/remove zones to NSD on-the-fly. You have to configure
them in `nsd.conf' (or an included file) and then rebuild NSD's
database. If you can live with that, you should be set to go.
> I'm currently writing some scripts to help the migration process, but I'd
> like to know if something already exists to help me in this task. If not I
> probably will make my scripts public and post them to this mailing-list.
I'm not really aware of any scripts... Basically it's a matter of
listing your zones and creating nsd.conf "zone" stanzas. A bit of
[ ls | {awk|perl} ] will probably get you going pretty quickly.
> I also would like to know if you have some best-practices about NSD in
> general.
I recommend you look at past postings in the archive of this mailing-
list.
Good luck!
-JP
PS: And if you do need recursive service somewhere on your network, I
greatly recommend you look at Unbound, also by NLnet Labs.
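
The "list your zones and create zone stanzas" step from the reply above, sketched as an added example (not part of the original post and not a script from the NSD project). It assumes BIND zone files named `db.<zone>` in one directory; the function names are hypothetical, and `name:` and `zonefile:` are the attributes of an nsd.conf `zone:` stanza.

```shell
#!/bin/sh
# Emit nsd.conf "zone:" stanzas for the BIND zone files found in a directory.
# Assumption: files are named db.<zone> (e.g. db.example.com); change PREFIX otherwise.
LC_ALL=C; export LC_ALL          # make [A-Z]/[a-z] ranges mean ASCII only
PREFIX="db."

# Accept only letter/digit/hyphen labels separated by single dots, so a
# mistyped or hostile file name cannot carry quotes, whitespace or newlines
# (and with them extra directives) into the generated configuration.
valid_zone_name() {
    case "$1" in
        ""|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# gen_zone_stanzas DIR: write one stanza per valid zone file to stdout.
# DIR itself is trusted (operator-supplied); only file names are checked.
gen_zone_stanzas() {
    dir=$1
    for path in "$dir"/"$PREFIX"*; do
        [ -f "$path" ] || continue       # skips an unmatched glob and non-files
        file=${path##*/}
        raw=${file#"$PREFIX"}
        if ! valid_zone_name "$raw"; then
            printf 'skipping %s: not a plain zone name\n' "$file" >&2
            continue
        fi
        zone=$(printf '%s' "$raw" | tr 'A-Z' 'a-z')
        printf 'zone:\n\tname: "%s"\n\tzonefile: "%s"\n\n' "$zone" "$path"
    done
}

# Stand-alone use: ./script.sh /path/to/zonefiles > zones.conf
[ "$#" -eq 0 ] || gen_zone_stanzas "$1"
```

Review the generated stanzas before including them from `nsd.conf`, since every `db.*` file in the directory is treated as a zone to serve.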