[nsd-users] RHEL package?

[Paul Wouters]

On Thu, 21 May 2015, Anand Buddhdev wrote:

> 1. Why do you ship an nsd.cron file? It should not be necessary in NSD4,
> because it keeps nsd.db up to date by itself.

I understood it does not regularly take the nsd.db and write it out in
the zone files, unless you run "nsdc write"

But the whole autorebuild part of the cron job can be removed I think.

> 2. I see that you're pointing the default log file location to
> /var/log/nsd.log, and the corresponding logrotate snippet also wants to
> rotate that file. However, NSD drops privilege from "root" to "nsd", so
> it cannot write a log file in /var/log.
>
> It is better to pass the --with-logfile option to configure, and set it
> to /var/log/nsd/nsd.log, and create /var/log/nsd writable by nsd. This
> is common practice for daemons that drop privilege, so that they can log
> properly.

Will do.

> 3. You're setting --enable-checking, but I think that's only needed for
> debugging, and should not be set for a production build.

That has been a bit of a question for me. The description seems to
suggest these are like passert()s which IMHO make the code more secure.
I'm not sure how much of an impact that has on performance...

> 4. Does anyone use bind8-stats these days? I'd probably want to disable
> that option.

will do

> 5. --enable-nsec3 and --with-ssl are defaults too, and don't need to be
> specified.

Will clean up.

> 6. The chown nsd:nsd of /var/lib/nsd/nsd.db seems unnecessary. What's
> the reason for having it there?

I don't remember anymore, but I ran into issues and required it or else
it would be root owned and cause problems.

- chown /var/lib/nsd/nsd.db to the nsd user required for nsd4

I think possibly the old nsd3 has it owned as root, so it is only a
problem during update from nsd3 -> nsd4 ?

> 7. You're shipping a standard SysV init script, whereas NSD can run just
> fine under upstart on CentOS 6. I personally prefer upstart, but I guess
> you may want to keep a SysV script for compatibility.

My upstart experience is limited to Ubuntu, and it made me dislike
systemd slightly less. Almost everything on rhel6/centos6 uses sysvinit.

> 8. In that init script, there's a check for networking at the top, and
> then again in the start() function. Seems like a duplicate. Any reason
> for this?

The top one is for /etc/sysconfig/nsd for custom options to the daemon,
such as NSD_EXTRA_OPTS=

The one is start is for /etc/sysconfig/network, which is just to check
if the machine has any networking enabled at all via ${NETWORKING}

> 9. In the init script's stop() section, you're calling "nsd-control
> write". This is not necessary. When nsd4 is running with a database, it
> reads from nsd.db on startup, and writes changes to it when zones are
> updated, so the plain text copy of the zones isn't needed.

I am very old school - I like my zones flat :)

> If an admin
> really needs plain text zones, s/he can call "nsd-control write" by
> hand. Alternatively, if nsd4 is running in the "nodb" mode (where the
> option "database" is set to an empty string), then nsd writes out
> updated zone files every hour automatically, so that it has plain text
> zone files to read from at startup. There's usually no need to write out
> zones at exit. However, this has the slight disadvantage of starting up
> with possibly slightly stale zones, but in most cases they should be
> refresh immediately with XFRs.
>
> I'll leave the choice of whether to write zonefiles or not up to you.

Is there any real impact? Does this cause too much delay for TLD's ?

We could make this an option in /etc/sysconfig/nsd

Paul