[nsd-users] tinydns to nsd

Andreas Schwarz andreas at black-code.de
Sat Dec 28 21:39:05 UTC 2019

On the "nsd-control addzone/delzone": it works a bit differently from defining zones in your configuration, just as the error message says.

It is rather intended to be used with patterns. You configure a pattern in your configuration, then you tell nsd via nsd-control addzone to use a specific pattern for a specific zone. nsd keeps track of these assignments in a file usually in "/var/lib/nsd/zone.list" (configurable via "zonelistfile").

Zones can be added/removed pretty dynamically that way. What nsd does internally when receiving the addzone/delzone I haven't cared about so far.

On the config in general:
"server-count" should be set to the number of CPUs of the respective machine. And, if you have this set to more than 1 and run it on Linux, you might also want to consider setting "reuseport" to "yes". I have more experience with this option from a high performance unbound system, but activating this option helped improve performance by a margin of 30-40%. I think it has a similar impact on nsd when a high amount of requests has to be served.

On 28 December 2019 22:15:54 CET, richard lucassen via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:
>On Sat, 28 Dec 2019 17:02:09 +0100
>richard lucassen via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:
>> The problem is (was) that I used "include:" statements in nsd.conf
>> to load zone information. Apparently nsd does not reread the include
>> files upon a SIGHUP. I scripted everything into 1 file and a HUP
>> rereads the zone info now.
>
>Wrong, I made a mistake, it does not. A SIGHUP does not make nsd reread
>its config file. When using nsd-control I get an error:
>
># nsd-control delzone test.xaq.nl
>error zone defined in nsd.conf, cannot delete it in this manner: remove
>it from nsd.conf yourself and repattern
>
>The output of "nsd-checkconf -v /etc/nsd/nsd.conf":
>        debug-mode: no
>        ip-transparent: no
>        ip-freebind: no
>        reuseport: no
>        do-ip4: yes
>        do-ip6: no
>        hide-version: yes
>        database: ""
>        #identity:
>        #version:
>        #nsid:
>        #logfile:
>        server-count: 1
>        tcp-count: 100
>        tcp-query-count: 0
>        tcp-timeout: 120
>        tcp-mss: 0
>        outgoing-tcp-mss: 0
>        ipv4-edns-size: 4096
>        ipv6-edns-size: 4096
>        pidfile: "/var/lib/nsd/nsd.pid"
>        port: "53"
>        statistics: 0
>        chroot: "/var/lib/nsd/"
>        username: "nsd"
>        zonesdir: "/var/lib/nsd/domains/"
>        xfrdfile: ""
>        zonelistfile: "/var/lib/nsd/zone.list"
>        xfrdir: "/var/lib/nsd/tmp/"
>        xfrd-reload-timeout: 1
>        log-time-ascii: yes
>        round-robin: yes
>        verbosity: 0
>        ip-address: ""
>        rrl-size: 1000000
>        rrl-ratelimit: 200
>        rrl-slip: 2
>        rrl-ipv4-prefix-length: 24
>        rrl-ipv6-prefix-length: 64
>        rrl-whitelist-ratelimit: 2000
>        zonefiles-check: yes
>        zonefiles-write: 3600
>        control-enable: yes
>        control-port: 8952
>        server-key-file: "/etc/nsd/nsd_server.key"
>        server-cert-file: "/etc/nsd/nsd_server.pem"
>        control-key-file: "/etc/nsd/nsd_control.key"
>        control-cert-file: "/etc/nsd/nsd_control.pem"
>        name: test.xaq.nl
>        zonefile: /var/lib/nsd/domains/nl/xaq/test/zone
>(and a lot of other zones)
>
>BTW, a "control-enable: no" gives a config error. Any hints?
>
>And perhaps some more comments on the config? Note: this is a
>supervised version running under "runit"
>
>richard lucassen
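The pattern-based workflow described above, as an added example that is not part of the thread and not code from NSD or NLnet Labs: a small POSIX sh script that renders the server and pattern blocks, lists the zones an nsd.conf defines statically (the ones addzone/delzone refuse to touch, as in the error Richard quotes), and emits the matching nsd-control addzone/delzone lines for a batch of zones such as a tinydns migration would produce. The pattern name "tinydns-migrated", the zonefile location under /var/lib/nsd/domains, the DRY_RUN variable and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from NSD). Zones are attached to a
# pattern with "nsd-control addzone <zone> <pattern>"; nsd records those
# assignments in its zonelistfile (zone.list). Zones written as zone: blocks
# in nsd.conf cannot be added or deleted that way, so we detect them first.
# Assumed: pattern name, zonefile path, DRY_RUN. Set DRY_RUN to the empty
# string to actually invoke nsd-control; by default commands are only shown.
: "${DRY_RUN=1}"

# Render the server: block with the two knobs from the mail. The mail's
# advice: server-count = number of CPUs, and consider reuseport on Linux
# when server-count is greater than 1.
#   $1 = server-count, $2 = reuseport value ("yes"/"no")
render_server_block() {
    printf 'server:\n\tserver-count: %s\n\treuseport: %s\n' "$1" "$2"
}

# Render a pattern block. nsd expands %s in zonefile to the zone name, so a
# single pattern serves every zone added against it.
#   $1 = pattern name
render_pattern() {
    printf 'pattern:\n\tname: "%s"\n\tzonefile: "/var/lib/nsd/domains/%%s.zone"\n' "$1"
}

# Print the names of zones defined statically (zone: blocks) in an nsd.conf.
# For these, delzone answers "zone defined in nsd.conf, cannot delete it in
# this manner": they have to be edited out of the file instead.
#   $1 = path to nsd.conf
static_zones() {
    awk '
        # Any non-indented, non-comment line opens a new top-level block.
        /^[^[:space:]#]/ { inzone = ($0 ~ /^zone:/) }
        inzone && $1 == "name:" { v = $2; gsub(/"/, "", v); print v }
    ' "$1"
}

# Emit one "nsd-control addzone" line per zone, skipping zones the config
# already defines statically (addzone would refuse those).
#   $1 = nsd.conf path, $2 = pattern name, $3.. = zone names
addzone_commands() {
    conf=$1; pattern=$2; shift 2
    static=$(static_zones "$conf")
    for z in "$@"; do
        if printf '%s\n' "$static" | grep -Fxq -- "$z"; then
            printf '# %s is a zone: block in %s, skipping\n' "$z" "$conf"
        else
            printf 'nsd-control addzone %s %s\n' "$z" "$pattern"
        fi
    done
}

# Emit one "nsd-control delzone" line per zone name given.
delzone_commands() {
    for z in "$@"; do printf 'nsd-control delzone %s\n' "$z"; done
}

# Execute generated command lines read on stdin, or only display them when
# DRY_RUN is set or nsd-control is not installed. A pattern newly added to
# nsd.conf must be loaded with "nsd-control reconfig" before addzone uses it.
run_commands() {
    while IFS= read -r cmd; do
        case $cmd in '#'*) printf '%s\n' "$cmd"; continue ;; esac
        if [ -n "$DRY_RUN" ] || ! command -v nsd-control >/dev/null 2>&1; then
            printf '[dry-run] %s\n' "$cmd"
        else
            $cmd   # generated lines are "nsd-control addzone <zone> <pattern>"
        fi
    done
}

# Usage: sh nsd-addzones.sh /etc/nsd/nsd.conf tinydns-migrated zone1 zone2 ...
# Prints the config fragments to add to nsd.conf, then runs/shows addzone.
if [ $# -ge 3 ]; then
    conf=$1; pattern=$2; shift 2
    render_server_block "$(nproc 2>/dev/null || echo 1)" yes
    render_pattern "$pattern"
    addzone_commands "$conf" "$pattern" "$@" | run_commands
fi
```

The order that matters operationally is: put the pattern block into nsd.conf, run nsd-control reconfig so nsd knows the pattern, then addzone each zone against it; from then on the zone list, not nsd.conf, is the record of which zones are served, and delzone works for any zone that was added this way.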