[nsd-users] Building Up DNS server with NSD; Migration

Kaulkwappe kaulkwappe at prvy.eu
Sun Jun 6 19:33:36 UTC 2021

Dear Mukul!

1) Do you have many changes in your zones, or is it unproblematic if you are not able to change anything for a few days?

I ask because my idea is to add a new name for the new primary and secondary DNS servers build with NSD while leaving your old setup as it is. That means, if your current names are "ns1.example.com" and "ns2.example.com", you would add "alpha.example.com" and "bravo.example.com", build with DNS. Once you think all runs fine, you would change the DNS server names for your domain. In case anything fails and you are not able to fix that in a timely manner, you can switch back. The names "ns1" and "ns2" will be always the old DNS servers and at some point you shut them down.

I think you already know that of course, but with tools such as dig from dnsutils (Debian) you can always easily check if your new NSD nameservers responds correctly:

# dig -t A example.com @PRIMARY_DNS_IP_ADDRESS_OR_HOST
# dig -t A example.com @SECONDARY_DNS_IP_ADDRESS_OR_HOST

2) How do you usually edit your zones?


From: Mukul Shukla via nsd-users <nsd-users at lists.nlnetlabs.nl>
Sent: Sunday,  6. Jun 2021 – 21:16  CEST +0200
To: nsd-users at lists.nlnetlabs.nl

Subject: Re: [nsd-users] (no subject)

Dear All,

Let me give me a little background as to what I am trying to achieve.

1. The domain which I want the Authoritative Name serve  to serve for is sgsits.ac.in. 

2. The ERNET India (ac.in) is the domain name registrar for academic institutes here in India.
3. We are hosting our Website, Email and Moodle servers for which right now djbdns is acting as a authoritative name server.
4. Although, djbdns is working fine since last ten years (I must say its a brilliantly crafted  DNS server), it lacks some security features which are now a must (eg. DNSSEC).
5. I want to migrate this name server to NSD, with al the security feature and high availability so that it meets the current requirements.

Can anybody please tell me how to plan for this migration so that I have a minimum downtime. Moreover, I want to build a setup with NSD so that it runs smoothly for the next 10 years. Of course want to know how to keep on upgrading will be an issue, I need to consider. 

I am reading the only source of information, the man pages on NLNET's website, although there are few tutorial available (eg. Calomel)

Thank you all.


On Mon, Jun 7, 2021 at 12:02 AM Mukul Shukla <mukulmanet at gmail.com> wrote:

Hi Ondřej,

Thanks for such encouraging words.
Gave me a lot of confidence.
It's decided at my end. I will try to migrate my University DNS authoritative setup to much improved NSD setup, of course with the help of all the members here.
Thanks again.


On Sun, Jun 6, 2021 at 10:57 PM Ondřej Surý <ondrej at sury.org> wrote:

Hi Mukul,

don’t worry - the community here is friendly and helpful and you should not run into any hard problems. Take it as an opportunity to learn something new!

- former Knot DNS team lead
- current BIND 9 team lead
--Ondřej Surý <ondrej at sury.org> (He/Him)

On 6. 6. 2021, at 18:50, Mukul Shukla via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:

Dear All,

There are very  few articles/tutorials on NSD. This is making me nervous to adapt it for a long use. If I am stuck, there is no help to refer to. Man pages are just not sufficient for the people like me who don't have much experience of the system administration and implementing DNS Authoritative Server in particular. Other DNS implementations have very good manuals. The kind of software NSD is, there should have been books written on them.


On Sun, Jun 6, 2021 at 9:06 PM Anand Buddhdev via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:

On 06/06/2021 16:26, mj via nsd-users wrote:

Hi MJ,

> Actually: we are in a similar situation. We're currently running bind9,

> and were interested in to switching to NSD for the authorative dns

> services, but it seems that you have to compile newer releases (with

> security fixes etc) yourself, or there is a repo somewhere we're missing?


> We're on debian 10. It recommended to simply install the NSD that debian

> comes with, and rely on debian for the security fixes?

Debian packages are often well behind upstream releases. For example,

Debian 10 (buster) still has NSD 4.1.26, whereas the upstream version is


However, for Debian, there's usually a repository called backports. If

you enable it, you can get newer versions of packages. For example,

"buster-backports" currently has NSD 4.3.5 in it. You could also enable

the "experimental" repo and get the latest 4.3.6 release.




nsd-users mailing list

nsd-users at lists.nlnetlabs.nl


nsd-users mailing list
nsd-users at lists.nlnetlabs.nl

More information about the nsd-users mailing list