[nsd-users] (no subject)

Kaulkwappe kaulkwappe at prvy.eu
Mon Jun 7 00:43:23 UTC 2021

Dear Anand,

unfortunately I cannot agree. I had multiple problems with PowerDNS, while I had not a single problem with NSD. It only required a small amount of time for me to set up two servers which have already been running fine for years and it serves a lot (not tons of, but a lot) of zones. I even created my own API and I still plan to release it under the same license as NSD when I am happy with it.

NSD in my opinion is very different from PowerDNS. Its design is consistent and logical. This, in my opinion does not apply to PowerDNS. What I encountered was:

a) PowerDNS refused to offer a TLS-protected API. First it sounded like a bad joke to me, but they are serious: "Indeed. We are not doing this. Closing ticket, sorry!" (Add SSL support to the API #6521). This alone makes PowerDNS useless for me. TLS is a common standard and there is no room to argue that.
b) They refused to fix bugs, if you are not providing **absolutely unredacted** logs, even and especially for cases, where the sensitive data is obviously not required at all. No unredacted logs? No bug.
c) Design problems where it seems they moved program logic into the database. Even if it uses a relational database such as MySQL, for a DNS server, it is (in my opinion) absolutely not the database's responsibility to prevent duplicate entries. The DNS server itself needs to prevent that. It is simply a sensitive piece of software.

Thus, if you say my statement is not true, that may be true for hosters which handled these problems *or* just do not care about these problems. About missing TLS, about misleading error logs, about authoritative developers which refuse to fix bugs which are evident. But from my perspective, this is not a project I would ever use in a setup where I am required to rely on consistent and logically built software. NSD met these requirements easily and the developers were never unhelpful or authoritative.

Still my opinion of course, but these are reasons which led to my decision to not use it and especially never recommend it over NSD.


From: Anand Buddhdev <anandb at ripe.net>
Sent: Monday,  7. Jun 2021 – 00:03  CEST +0200
To: Kaulkwappe <kaulkwappe at prvy.eu>

Subject: Re: [nsd-users] (no subject)

On 06/06/2021 17:22, Kaulkwappe via nsd-users wrote:

Hi Kaulkwappe,

>>  1. PowerDNS - Has got a very good reputation and a very good manual.
> I have to strongly advise against PowerDNS. In my opinion it is not
> robust and serious enough for long-term use. I had many problems with it.

I have to disagree with you. PowerDNS is used by many large hosting
providers, and it serves thousands, if not millions, of domains. And not
only that, but it provides DNSSEC signing for them. The PowerDNS
developers are very smart, helpful, and responsive to bugs and feature
requests. They regularly contribute to the design and improvement of the
DNS protocol in the IETF. Your statement that it is not "robust and
serious enough" is certainly not true.

> I cannot say anything about Knot, but another alternative is YADIFA
> (developed by EURid). I tried it out a few years ago, but then I have
> chosen NSD. YADIFA's mailing list was quite unresponsive at that time.
> But maybe the situation is better today. It doesn't look bad at all.

Yes, YADIFA is also one of the choices. However, as far as I am aware,
it is not in use for any critical DNS infrastructure. I personally don't
know anyone who uses it. Its user community is quite small, and there
isn't much collective knowledge about it. I would certainly NOT
recommend it to someone who doesn't work with DNS servers all day.

