[nsd-users] (no subject)

Ask Bjørn Hansen ask at develooper.com
Mon Jun 7 08:57:25 UTC 2021

> On Jun 7, 2021, at 00:14, Mukul Shukla via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:
> Djbdns is not supporting the DNSSEC, inherently. Implementing it on NSD is also not a simple task.
> So for my limited setup, would it be more appropriate to go for Knot or PowerDNS (BIND I am scared of)?
> Maybe, even we can try a mix of NSD and Knot, what do you suggest?

A common setup is to use one set of software for maintaining the zone data (and DNSSEC signing), but have the “external facing” (published in DNS) servers use something else (for example NSD). The external facing servers will do zone transfers from the “hidden” server used to maintain the data.

Another version of this is to maintain the data on server A, do zone transfer to server B which adds the DNSSEC signing and then (with zone transfers, typically) sends the data to server C-Z that are published in DNS.

For just two servers this might be needlessly complicated, but if you are new to DNSSEC and want to use NSD on the published name servers I think it might be simpler than using “offline” tools for signing and resigning the zone data.

I haven’t used PowerDNS’ DNSSEC signing for a while; but my experience in the past (many years ago) was very good.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20210607/ce2e5bd6/attachment.htm>

More information about the nsd-users mailing list