[nsd-users] Build all NSD features by default

Anand Buddhdev anandb at ripe.net
Wed Apr 23 14:13:03 UTC 2025


Hello NSD developers,

The new release candidate of NSD, with the new prometheus metrics feature,
got me thinking about NSD's feature set, and how so many of its features
have to be enabled at compile time. The result of this is that NSD
packages on various operating systems behave differently. I would like to
propose that you adjust the build process to compile in *all* the features
of NSD, and default them to "off", so that operators can enable the
features they need in the nsd.conf configuration file. My longer rationale
follows.

Let's take the "dnstap" feature, for example. On the Debian/Ubuntu builds,
it is enabled. However, it's not enabled in Fedora EPEL (and thus not
available in Fedora, RedHat, CentOS and all the RedHat derivatives) nor in
Homebrew (macOS).

Another feature, "rate-limit", is enabled in both the Debian family builds
as well as Fedora EPEL, but not in Homebrew. This feature also exposes the
inconsistency in the documentation. The man page of nsd.conf has all the
"dnstap" options described, noting that they only apply if "dnstap" has
been compiled in. But for rate limiting, it's confusing, at the very least.
If RRL is compiled in, then the man page describes all the options.
However, if RRL is not compiled in, then many (but not all) of the options
are omitted from the man page. *Some* RRL options appear here and there
randomly, in relation to other options such as "xfrd-tcp-max", "refuse-any"
and "answer-cookie". A user of macOS, with nsd installed from Homebrew,
reading the nsd.conf man page, would be quite confused.

Fedora user: hey, you can enable rate limiting
macOS user: okay, but how? The man page of nsd.conf doesn't give any
examples.
Fedora user: seriously? are you sure you have the latest version? 4.11.1?
macOS user: yes, I am certain that I have 4.11.1 installed.
Fedora user: and the nsd.conf man page doesn't mention any "rrl" options?
macOS user: well, it does mention *some* options. If I search for "rrl", I
see some options, including a pointer to the "rrl-ratelimit" section, but
it's just not there.
Fedora user: what? seriously? are you sure you compiled with
"--enable-rate-limit"?
macOS user: compiled? No, I installed the nsd package from Homebrew. Are
you saying I need to compile it myself just to enable the rate-limit
feature?
Fedora user: yeah, you can download the source, and compile it yourself,
and fine-tune nsd exactly as you like. You can also enable some other
features like X and Y.
macOS user: *groan*. I just wanted to quickly install and use the software,
not faff around with configure scripts, makefiles and all these
enable/disable options.

Over the years, as NSD has acquired more and more features, some have been
randomly compiled in by default, and others left out, to be enabled at
compile time. Most software that I know of just includes all the features,
to be turned on in the configuration file. The documentation is also
consistent. If a certain feature is not available on a certain OS, then of
course it cannot be compiled in, but this is rare.

I understand that some features, when newly introduced, may need to be
compile-time options, because they might depend on unstable libraries or
need testing. But eventually, such features should just become standard as
well.

What do other users think of this?

Regards,
Anand Buddhdev