[nsd-users] Fwd: (no subject)

Mukul Shukla mukulmanet at gmail.com
Mon Jun 7 07:14:15 UTC 2021

Thank You very much Anand for the very detailed answer.

> 4. Although djbdns has been working fine for the last ten years (I must say it's a
> brilliantly crafted DNS server), it lacks some security features which
> are now a must (e.g. DNSSEC).

I agree. I have used djbdns in the past, and its authoritative
component, tinydns, is very simple and light, and does its job very well.

I am finding djbdns hard to maintain. Therefore, I want to shift to
some other contemporary DNS server.

> 5. I want to migrate this name server to NSD, with all the security features
> and high availability so that it meets the current requirements.

Okay, so let me clarify some things about NSD. It is a very solid and
reliable DNS server. In fact, it powers some of the DNS root name
servers, as well as several ccTLD name servers. The reason you don't
hear so much about it is that mostly it just runs reliably. As with any
software, it has bugs, but they are rare, and are fixed quickly.

The documentation is perhaps sparser than that of BIND or Knot, but it's
mostly complete. The NSD user community here is quite knowledgeable and
helpful, so if you ask good and structured questions, you'll get a lot
of help.

The fact that NSD is so solid that even some of the TLDs are running on it got
me to try it. Moreover, we have a very limited use case.
There is no problem from NSD's side; it is very powerful and solid in
performance, and the community is knowledgeable for sure. I was only
doubtful as to whether, with a little help, I would be able to migrate and
use it in my case. But now with more information under my belt, thanks to
the mailing list, I am ready to give it a try.

But I'd like to point one thing out. You mentioned DNSSEC above. NSD can
certainly serve DNSSEC signed zones. But it does NOT have any signing
ability in it. And it never will. This is what makes NSD so lean,
compared to other servers. If you want to sign your zones, you have to
do that with external tools, such as dnssec-signzone (from BIND), or
ldns-signzone (from LDNS). Or you can install and configure OpenDNSSEC.
However, that is certainly no simple task. OpenDNSSEC is fairly complex.
So if you want to sign your zones with ease, then I'd recommend using
another DNS server such as BIND, Knot DNS or PowerDNS. They all provide
authoritative DNS functionality, but also have signing code in them. At
RIPE NCC, we use BIND, Knot DNS and NSD to serve the root zone as well
as all the reverse DNS zones we operate. It takes quite some work to
maintain equivalent configurations for all three, but I am happy with
all three. We do this for diversity. For DNSSEC signing, we use Knot
DNS, and personally, I am very happy with it. BIND and PowerDNS also
automate DNSSEC rather well.

Djbdns does not support DNSSEC inherently. Implementing it on NSD is
also not a simple task.
So for my limited setup, would it be more appropriate to go for Knot or
PowerDNS (BIND I am scared of)?
Maybe we can even try a mix of NSD and Knot; what do you suggest?

> Can anybody please tell me how to plan for this migration so that I have
> minimum downtime? Moreover, I want to build a setup with NSD so that it
> runs smoothly for the next 10 years. Of course, I want to know how to keep on
> upgrading; that will be an issue I need to consider.

Just install NSD (or BIND, Knot or PowerDNS) on your existing servers,
and bring it up on a different port, for testing. Load your zones into
your new name server, test that they're properly loaded and you can
query them, and then you can turn off djbdns, and bring up the new
server on port 53. If doing this on the same server is too complex, then
set up completely new servers. Once tested, you can ask for your
delegation to be changed to these new servers. Or you can just move the
IP addresses from the old servers to the new ones, and avoid a
delegation change. Use whichever method you feel comfortable with.

Yes. I have planned to install a DNS service on a fresh set of servers. I
have made an HA cluster using Proxmox VE HA. I will run three servers on it.
I am more comfortable with Debian, so I plan to run on that. Then I will
follow the steps mentioned above to migrate the existing servers to the new
cluster. Am I thinking it right?
But I want to make sure NSD supports all the features that I may be
requiring in future.

Thanks and regards.
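The "load your zones into your new name server" step above hides one piece of real work when coming from djbdns: tinydns keeps everything in its own `data` file format, while NSD (like BIND and Knot) loads RFC 1035 zone files. The converter below is an added illustration of that step, written for this thread; it is not code from the list, from Anand, or from NLnet Labs. It covers the common tinydns-data line types (`.`, `&`, `=`, `+`, `@`, `'`, `^`, `C`, `Z`) with the default TTLs and SOA timer values documented for tinydns-data, and it is assumed that the serial for `.` lines is supplied by the caller (tinydns-data would use the data file's modification time). The sample `data` content is constructed for the example.

```python
"""Convert common tinydns-data ('data' file) lines to RFC 1035 zone-file records.

Added example for the djbdns -> NSD migration discussed on the list; not part of any project.
"""
import re

# tinydns-data default TTLs (seconds): 259200 for '.'/'&' lines, 2560 for 'Z' SOA, 86400 otherwise
TTL_NS, TTL_NEGATIVE, TTL_POSITIVE = 259200, 2560, 86400
SOA_DEFAULTS = ("16384", "2048", "1048576", "2560")  # refresh, retry, expire, minimum


def _unescape(s):
    """tinydns writes bytes that would clash with ':' as octal \\NNN escapes (e.g. \\072)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def _server_name(x, fqdn, label):
    """tinydns rule: a server name without a dot is shorthand for x.<label>.<fqdn>."""
    return x if "." in x else f"{x}.{label}.{fqdn}"


def _reverse_v4(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def _ttl(field, default):
    return int(field) if field else default


def convert_line(line, serial=1):
    """Return (owner, ttl, type, rdata) tuples for one tinydns-data line."""
    line = line.rstrip("\n")
    if not line or line[0] in "#-%":            # comments, disabled lines, location definitions
        return []
    kind, fields = line[0], line[1:].split(":")
    f = lambda i: fields[i] if i < len(fields) else ""
    fqdn, ip = f(0), f(1)
    rrs = []
    if kind in ".&":                             # NS (+ glue A); '.' also emits the SOA
        ns = _server_name(f(2), fqdn, "ns")
        ttl = _ttl(f(3), TTL_NS)
        if kind == ".":                          # serial: caller-supplied (assumption), see lead-in
            rrs.append((fqdn, ttl, "SOA", f"{ns}. hostmaster.{fqdn}. {serial} " + " ".join(SOA_DEFAULTS)))
        rrs.append((fqdn, ttl, "NS", ns + "."))
        if ip:
            rrs.append((ns, ttl, "A", ip))
    elif kind == "Z":                            # explicit SOA with its own timers
        ttl = _ttl(f(8), TTL_NEGATIVE)
        timers = [f(i) or d for i, d in zip(range(4, 8), SOA_DEFAULTS)]
        rrs.append((fqdn, ttl, "SOA", f"{f(1)}. {f(2)}. {f(3) or serial} " + " ".join(timers)))
    elif kind in "=+":                           # A; '=' also creates the matching PTR
        ttl = _ttl(f(2), TTL_POSITIVE)
        rrs.append((fqdn, ttl, "A", ip))
        if kind == "=":
            rrs.append((_reverse_v4(ip), ttl, "PTR", fqdn + "."))
    elif kind == "@":                            # MX (+ glue A); preference defaults to 0
        mx = _server_name(f(2), fqdn, "mx")
        ttl = _ttl(f(4), TTL_POSITIVE)
        rrs.append((fqdn, ttl, "MX", f"{f(3) or 0} {mx}."))
        if ip:
            rrs.append((mx, ttl, "A", ip))
    elif kind == "'":                            # TXT: unescape octal, then quote for the zone file
        text = _unescape(f(1)).replace("\\", "\\\\").replace('"', '\\"')
        rrs.append((fqdn, _ttl(f(2), TTL_POSITIVE), "TXT", f'"{text}"'))
    elif kind in "^C":                           # PTR / CNAME
        rrs.append((fqdn, _ttl(f(2), TTL_POSITIVE), {"^": "PTR", "C": "CNAME"}[kind], f(1) + "."))
    else:
        raise ValueError(f"unsupported tinydns record type {kind!r}: {line}")
    return rrs


def convert(data, serial=1):
    records = []
    for line in data.splitlines():
        records.extend(convert_line(line, serial))
    return records


def to_zone_file(records):
    """Render records as zone-file lines, SOA first (RFC 1035: exactly one SOA at the top)."""
    ordered = sorted(records, key=lambda r: r[2] != "SOA")   # stable sort keeps input order otherwise
    return "\n".join(f"{o}. {ttl} IN {t} {rd}" for o, ttl, t, rd in ordered) + "\n"


# Constructed sample tinydns 'data' content (not taken from the list post).
SAMPLE = """\
# example.com served by a.ns and b.ns; \\072 is tinydns' escape for ':'
.example.com:192.0.2.1:a:259200
&example.com:192.0.2.2:b
=www.example.com:192.0.2.10
@example.com::mail.example.com:10
'_dmarc.example.com:v=DMARC1; p=none; rua=mailto\\072postmaster@example.com
Cftp.example.com:www.example.com
"""

if __name__ == "__main__":
    print(to_zone_file(convert(SAMPLE, serial=2021060701)), end="")
```

Note that `=` lines produce PTR records that belong in the matching `in-addr.arpa` zone file, not in the forward zone, so split those out per reverse zone before loading. Once a zone file is written, `nsd-checkzone example.com example.com.zone` will tell you whether NSD parses it before you point the test instance at it.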
