(no subject)

Dear All,

I am working as a Professor at a University in India. For our University, I want to set up an Authoritative Name Server. Currently we are running djbdns, and have been for a long time.
Although djbdns is a wonderful DNS server, maintaining it has become very troublesome. It also lacks many new security features. As for BIND9, I am not convinced it will be useful in our case. It's a huge piece of software, and we don't need all of its features.

I was thinking of running my Authoritative Name Servers, Primary and Secondary, on NSD, as we are already using Unbound for recursive name resolution.

I would like to get comments from the users as to whether my decision is correct or not. I have found that very few tutorials/manuals/articles are available for the NSD setup. Being new to NSD, I feel hesitant about replacing my running DNS server with NSD. I would like to have some suggestions and comments. Kindly suggest any other alternatives, if that is useful in my case.

Thank you.

Mukul Shukla
Prof. (IT)
SGSITS, Indore,
INDIA


Hi,

Actually, we are in a similar situation. We're currently running bind9, and were interested in switching to NSD for the authoritative DNS services, but it seems that you have to compile newer releases (with security fixes etc.) yourself, or is there a repo somewhere we're missing?

We're on Debian 10. Is it recommended to simply install the NSD that Debian comes with, and rely on Debian for the security fixes?

MJ

Hi MJ,

> Actually, we are in a similar situation. We're currently running bind9,
> and were interested in switching to NSD for the authoritative DNS
> services, but it seems that you have to compile newer releases (with
> security fixes etc.) yourself, or is there a repo somewhere we're missing?
>
> We're on Debian 10. Is it recommended to simply install the NSD that Debian
> comes with, and rely on Debian for the security fixes?

Debian packages are often well behind upstream releases. For example,
Debian 10 (buster) still has NSD 4.1.26, whereas the upstream version is
4.3.6.

However, for Debian, there's usually a repository called backports. If
you enable it, you can get newer versions of packages. For example,
"buster-backports" currently has NSD 4.3.5 in it. You could also enable
the "experimental" repo and get the latest 4.3.6 release.

Regards,
Anand

Dear all

I think newer releases of Debian, like Debian Testing, should have the newer versions. Compiling from source is also not a problem. It appears to be straightforward, although I am yet to test it.

I am in the phase of deciding whether to use NSD for authoritative services or not.
I am also considering two others:

  1. PowerDNS - Has got a very good reputation and a very good manual.
  2. Knot - Very good security features and manual.

But I liked the lightness of NSD and wanted to know if it would be OK to use it in the long run. The list is very sparse, I think. Nobody seems to be responding.

Thank you for your reply.

Mukul

I disagree. Thanks for your elaborate reply, Anand Buddhdev!

The fact that traffic is light here can also mean that there are only occasional problems and questions. :)

MJ

Distros are always a little bit slower by design. I'm not as familiar
with Debian/Ubuntu, but I compile the latest NLnetlabs software pretty
quickly on Fedora, and you can quickly use those spec files on the
slower RHEL/CentOS too. I even recently talked with NLnetlabs about
them/us doing this a bit more structurally.

Paul

Dear All,

There are very few articles/tutorials on NSD. This is making me nervous about adopting it for long-term use. If I get stuck, there is no help to refer to. Man pages are just not sufficient for people like me who don't have much experience of system administration, and of implementing a DNS authoritative server in particular. Other DNS implementations have very good manuals. For the kind of software NSD is, there should have been books written on it.

Mukul

Hi Mukul,

don’t worry - the community here is friendly and helpful and you should not run into any hard problems. Take it as an opportunity to learn something new!

Ondřej

  • former Knot DNS team lead
  • current BIND 9 team lead

Hi Ondřej,

Thanks for such encouraging words.
Gave me a lot of confidence.
It's decided at my end. I will try to migrate my University DNS authoritative setup to a much improved NSD setup, of course with the help of all the members here.
Thanks again.

Mukul

Dear All,

Let me give you a little background as to what I am trying to achieve.

  1. The domain which I want the Authoritative Name Server to serve is sgsits.ac.in.

  2. The ERNET India (ac.in) is the domain name registrar for academic institutes here in India.

  3. We are hosting our Website, Email and Moodle servers, for which right now djbdns is acting as the authoritative name server.

  4. Although djbdns has been working fine for the last ten years (I must say it's a brilliantly crafted DNS server), it lacks some security features which are now a must (e.g. DNSSEC).

  5. I want to migrate this name server to NSD, with all the security features and high availability, so that it meets the current requirements.

Can anybody please tell me how to plan for this migration so that I have minimum downtime? Moreover, I want to build a setup with NSD so that it runs smoothly for the next 10 years. Of course, how to keep on upgrading will also be an issue I need to consider.

I am reading the only source of information, the man pages on NLnet Labs' website, although there are a few tutorials available (e.g. Calomel).

Thank you all.

Mukul

Hi Mukul,

it is good you shared some detail.

DNS has good ways of implementing redundancies and achieving high
availability.

You can set up new separate servers and test their functionality
thoroughly [like Kaulkwappe described], even before telling any outsider
about them.
I'm just afraid getting the necessary public IP (IPv4) addresses might
be an issue for you - if your organisation really only has 16 -- [1]

One of the important ways towards high availability is to *not* put all
the authoritative name servers in the same place (ie all eggs in the
same basket).
This seems to be the case currently [2].
More elaborate advice is in RFC2182 -- [3].

It looks like all current authoritative servers are on directly sequential
IP addresses, and one could guess that probably the outage of one router
could cause all of them to become unreachable.
I'd try to get a friendly organisation or your upstream provider to
provide secondary name service for your domain(s), with automatic
updates of zone data / changes from you to that server.

This is of course not what you were asking (how to run *your* servers),
but valid consideration for the person/team responsible for the overall
availability of the domain in DNS.

But since this is the mailing list for NSD, I should mention that
another mailing list:
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
would be more appropriate for the general DNS questions.

Regards,
Frank

[1]
inetnum: 14.139.250.80 - 14.139.250.95

[2]
dig sgsits.ac.in. ns

[3]
https://datatracker.ietf.org/doc/html/rfc2182

Hi Mukul,

> 4. Although djbdns has been working fine for the last ten years (I must say it's a
> brilliantly crafted DNS server), it lacks some security features which are
> now a must (e.g. DNSSEC).

I agree. I have used djbdns in the past, and its authoritative
component, tinydns, is very simple and light, and does its job very well.

> 5. I want to migrate this name server to NSD, with all the security features
> and high availability, so that it meets the current requirements.

Okay, so let me clarify some things about NSD. It is a very solid and
reliable DNS server. In fact, it powers some of the DNS root name
servers, as well as several ccTLD name servers. The reason you don't
hear so much about it is that mostly it just runs reliably. As with any
software, it has bugs, but they are rare, and are fixed quickly.

The documentation is perhaps sparser than that of BIND or Knot, but it's
mostly complete. The NSD user community here is quite knowledgeable and
helpful, so if you ask good and structured questions, you'll get a lot
of help.

But I'd like to point one thing out. You mentioned DNSSEC above. NSD can
certainly serve DNSSEC signed zones. But it does NOT have any signing
ability in it. And it never will. This is what makes NSD so lean,
compared to other servers. If you want to sign your zones, you have to
do that with external tools, such as dnssec-signzone (from BIND), or
ldns-signzone (from LDNS). Or you can install and configure OpenDNSSEC.
However, that is certainly no simple task. OpenDNSSEC is fairly complex.
So if you want to sign your zones with ease, then I'd recommend using
another DNS server such as BIND, Knot DNS or PowerDNS. They all provide
authoritative DNS functionality, but also have signing code in them. At
RIPE NCC, we use BIND, Knot DNS and NSD to serve the root zone as well
as all the reverse DNS zones we operate. It takes quite some work to
maintain equivalent configurations for all three, but I am happy with
all three. We do this for diversity. For DNSSEC signing, we use Knot
DNS, and personally, I am very happy with it. BIND and PowerDNS also
automate DNSSEC rather well.

> Can anybody please tell me how to plan for this migration so that I have
> minimum downtime? Moreover, I want to build a setup with NSD so that it
> runs smoothly for the next 10 years. Of course, how to keep on
> upgrading will also be an issue I need to consider.

Just install NSD (or BIND, Knot or PowerDNS) on your existing servers,
and bring it up on a different port, for testing. Load your zones into
your new name server, test that they're properly loaded and you can
query them, and then you can turn off djbdns, and bring up the new
server on port 53. If doing this on the same server is too complex, then
set up completely new servers. Once tested, you can ask for your
delegation to be changed to these new servers. Or you can just move the
IP addresses from the old servers to the new ones, and avoid a
delegation change. Use whichever method you feel comfortable with.

Regards,
Anand
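
The test Anand describes, with the new NSD brought up on a different port and compared against the server that is live on port 53, as an added example in POSIX shell (this is not code from the thread or from NLnet Labs). The server addresses, the test port 5353 (set with "port:" in the server: section of nsd.conf) and the script name compare_zones.sh are assumptions; the list of names in the usage comment is constructed.

```shell
#!/bin/sh
# compare_zones.sh (added example, not from the thread or NLnet Labs): before
# moving NSD to port 53, compare the answers the current server gives with the
# answers the new NSD instance gives on its test port, record by record.
# Assumptions not stated in the thread: NSD listens on 127.0.0.1 port 5353,
# the old server answers on its public address, and "dig" is installed.

OLD_SERVER="${OLD_SERVER:-14.139.250.81}"   # hypothetical address of the current server
OLD_PORT="${OLD_PORT:-53}"
NEW_SERVER="${NEW_SERVER:-127.0.0.1}"
NEW_PORT="${NEW_PORT:-5353}"

# Normalise a dig answer section so two servers' output compares equal despite
# TTL countdown, record order or owner-name case: skip comment lines, drop the
# TTL column, lower-case the owner name, squeeze whitespace, sort.
normalize_answer() {
    awk '$1 !~ /^;/ && NF >= 5 { $1 = tolower($1); $2 = ""; print }' |
        tr -s ' \t' ' ' | sed 's/^ *//; s/ *$//' | sort
}

# answers_equal <old_answer> <new_answer>: exit status 0 when equivalent.
answers_equal() {
    a=$(printf '%s\n' "$1" | normalize_answer)
    b=$(printf '%s\n' "$2" | normalize_answer)
    [ "$a" = "$b" ]
}

# query <server> <port> <name> <type>: ask one server directly (+norecurse, so
# a server that is not authoritative cannot hide behind recursion) and print
# only the answer section.
query() {
    dig +norecurse +noall +answer "@$1" -p "$2" "$3" "$4"
}

# compare_all: read "name type" pairs from stdin and compare old vs new for
# each. Exit status is non-zero if any pair differs, so it can gate the cut-over.
compare_all() {
    rc=0
    while read -r name type; do
        [ -z "$name" ] && continue
        old=$(query "$OLD_SERVER" "$OLD_PORT" "$name" "$type")
        new=$(query "$NEW_SERVER" "$NEW_PORT" "$name" "$type")
        if answers_equal "$old" "$new"; then
            printf 'OK   %s %s\n' "$name" "$type"
        else
            printf 'DIFF %s %s\n' "$name" "$type"
            printf '  old: %s\n  new: %s\n' "$old" "$new"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (constructed list; extend it with every record your zone serves):
#   printf '%s\n' 'sgsits.ac.in SOA' 'sgsits.ac.in NS' 'sgsits.ac.in MX' \
#       'www.sgsits.ac.in A' | OLD_SERVER=<current-ns-ip> ./compare_zones.sh run
case "${1:-}" in
    run) compare_all ;;
esac
```

Run it from a host that can reach both servers, and generate the list of names from the tinydns data file rather than relying on a zone transfer from the old server (tinydns itself does not answer AXFR; that is axfrdns's job). A DIFF on the SOA is expected while the serials differ; everything else should report OK before you swap the ports or move the addresses.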

Dear All,

> It is good you shared some detail.

  • I did this because I wanted to be specific in what I expect from migration to NSD (or any other DNS server for that matter).

> DNS has good ways of implementing redundancies and achieving high availability.

  • What are those like?

> You can set up new separate servers and test their functionality thoroughly [like Kaulkwappe described], even before telling any outsider about them.

  • I have already set up the new separate servers. But that is exactly the problem. I want to decide whether NSD will serve my needs in the long run. Is there any other DNS software which is more suitable for us?

> I'm just afraid getting the necessary public IP (IPv4) addresses might be an issue for you - if your organisation really only has 16 – [1]

  • We will work to get an alternate ISP connection with 8 more public IPs with it.

> One of the important ways towards high availability is to not put all the authoritative name servers in the same place (ie all eggs in the same basket).
> This seems to be the case currently [2].
> More elaborate advice is in RFC2182 – [3].

  • Yes, this is the problem with our setup currently. As mentioned above, we will get an alternate Internet connection with a different ISP so that we have 8 more public IPs on a different subnet.

> It looks like all current authoritative servers are on directly sequential IP addresses and one could guess that probably the outage of one router could cause all of them to become unreachable.

  • Yes, that is the case right now. We will sort it out.

  • Meantime, we can continue with whatever we have, with high risk of course.

> I'd try to get a friendly organisation or your upstream provider to provide secondary name service for your domain(s), with automatic updates of zone data / changes from you to that server.

  • With more public IPs on a different subnet, I think the above will get sorted out.

> This is of course not what you were asking (how to run your servers),

  • Obviously not. I said we have been running the setup, with all the above constraints, for the past 10 years. Yes, there are problems, but nothing serious has happened. We are not running mission-critical servers back there. A small amount of downtime is acceptable.

> but valid consideration for the person/team responsible for the overall availability of the domain in DNS.

  • Did not get what that means. I am only looking at NSD, and whether it will help me if I replace djbdns with NSD.

> But since this is the mailing list for NSD, I should mention that another mailing list:
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> would be more appropriate for the general DNS questions.

  • I want to know more about NSD and hence have posted here. But since NSD is DNS software, some relevance to DNS and other similar software is bound to come up. Moreover, the general questions will disappear once I come to know more about NSD. As I mentioned before, there is no concise manual for beginners, so I have to join the mailing list and post the questions. For other software, e.g. djbdns, I learnt it without even knowing a mailing list for it exists.

I will be posting some direct questions to know more about NSD and its features. By knowing that, I want to get a feel as to whether I will be able to successfully migrate my DNS setup to NSD.

Thanks a lot for the reply.

Mukul

Thank You very much Anand for the very detailed answer.

> > 4. Although djbdns has been working fine for the last ten years (I must say it's a
> > brilliantly crafted DNS server), it lacks some security features which are
> > now a must (e.g. DNSSEC).
>
> I agree. I have used djbdns in the past, and its authoritative
> component, tinydns, is very simple and light, and does its job very well.

Djbdns I am finding hard to maintain. Therefore, I want to shift to some other contemporary DNS server.

> > 5. I want to migrate this name server to NSD, with all the security features
> > and high availability, so that it meets the current requirements.
>
> Okay, so let me clarify some things about NSD. It is a very solid and
> reliable DNS server. In fact, it powers some of the DNS root name
> servers, as well as several ccTLD name servers. The reason you don't
> hear so much about it is that mostly it just runs reliably. As with any
> software, it has bugs, but they are rare, and are fixed quickly.
>
> The documentation is perhaps sparser than that of BIND or Knot, but it's
> mostly complete. The NSD user community here is quite knowledgeable and
> helpful, so if you ask good and structured questions, you'll get a lot
> of help.

Because NSD is so solid that even some of the TLDs are running on it, that got me to try it. Moreover, we have a very limited use.

There is no problem from the NSD’s side, it is very powerful and solid in performance, and the community is knowledgeable for sure. I was only doubtful as to whether, with a little help, I would be able to migrate and use it in my case. But now with more information under my belt, thanks to the mailing list, I am ready to give it a try.

> But I'd like to point one thing out. You mentioned DNSSEC above. NSD can
> certainly serve DNSSEC signed zones. But it does NOT have any signing
> ability in it. And it never will. This is what makes NSD so lean,
> compared to other servers. If you want to sign your zones, you have to
> do that with external tools, such as dnssec-signzone (from BIND), or
> ldns-signzone (from LDNS). Or you can install and configure OpenDNSSEC.
> However, that is certainly no simple task. OpenDNSSEC is fairly complex.
> So if you want to sign your zones with ease, then I'd recommend using
> another DNS server such as BIND, Knot DNS or PowerDNS. They all provide
> authoritative DNS functionality, but also have signing code in them. At
> RIPE NCC, we use BIND, Knot DNS and NSD to serve the root zone as well
> as all the reverse DNS zones we operate. It takes quite some work to
> maintain equivalent configurations for all three, but I am happy with
> all three. We do this for diversity. For DNSSEC signing, we use Knot
> DNS, and personally, I am very happy with it. BIND and PowerDNS also
> automate DNSSEC rather well.

Djbdns does not support DNSSEC inherently. Implementing it on NSD is also not a simple task.
So for my limited setup, would it be more appropriate to go for Knot or PowerDNS (BIND I am scared of)?
Maybe, even we can try a mix of NSD and Knot, what do you suggest?

> > Can anybody please tell me how to plan for this migration so that I have
> > minimum downtime? Moreover, I want to build a setup with NSD so that it
> > runs smoothly for the next 10 years. Of course, how to keep on
> > upgrading will also be an issue I need to consider.
>
> Just install NSD (or BIND, Knot or PowerDNS) on your existing servers,
> and bring it up on a different port, for testing. Load your zones into
> your new name server, test that they're properly loaded and you can
> query them, and then you can turn off djbdns, and bring up the new
> server on port 53. If doing this on the same server is too complex, then
> set up completely new servers. Once tested, you can ask for your
> delegation to be changed to these new servers. Or you can just move the
> IP addresses from the old servers to the new ones, and avoid a
> delegation change. Use whichever method you feel comfortable with.

Yes. I have planned to install a DNS service on a fresh set of servers. I have made an HA cluster using Proxmox VE HA. I will run three servers on it. I am more comfortable with Debian, so I plan to run it on those. Then I will follow the steps mentioned above to migrate the existing servers to the new cluster. Am I thinking about it right?
But I want to make sure NSD supports all the features that I may require in future.

Thanks and regards.

Mukul

Hi Mukul,

> So for my limited setup, would it be more appropriate to go for Knot or
> PowerDNS (BIND I am scared of)?
> Maybe, even we can try a mix of NSD and Knot, what do you suggest?

Since you're still new to all this, do not mix things. You'll struggle
even more. If you have a plan to sign your zones soon, then I suggest
you start with Knot DNS. It's a really good authoritative DNS server,
and it does DNSSEC signing. It has very good documentation, and an
equally helpful community and mailing list.

Regards,
Anand

A common setup is to use one set of software for maintaining the zone data (and DNSSEC signing), but have the “external facing” (published in DNS) servers use something else (for example NSD). The external facing servers will do zone transfers from the “hidden” server used to maintain the data.

Another version of this is to maintain the data on server A, do zone transfer to server B which adds the DNSSEC signing and then (with zone transfers, typically) sends the data to server C-Z that are published in DNS.

For just two servers this might be needlessly complicated, but if you are new to DNSSEC and want to use NSD on the published name servers I think it might be simpler than using “offline” tools for signing and resigning the zone data.

I haven’t used PowerDNS’ DNSSEC signing for a while; but my experience in the past (many years ago) was very good.

Ask
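
Ask's hidden-signer layout, as an added example in POSIX shell (not code from the thread or from NLnet Labs), using the ldns tools Anand named: the keys are generated and the zone is signed on the hidden primary, and the public NSD secondaries only ever receive the signed zone by transfer, so no private key exists on any server the world talks to. The zone name, the paths under /etc/nsd, the YYYYMMDDnn serial scheme and the script name sign_zone.sh are assumptions; the nsd.conf directives mentioned in the note afterwards are NSD's own.

```shell
#!/bin/sh
# sign_zone.sh (added example, not from the thread or NLnet Labs): the hidden
# primary keeps the unsigned zone, signs it with ldns-signzone, loads the
# signed copy into its own NSD, and NSD notifies the public secondaries.
# Assumptions not stated in the thread (illustrative): the unsigned zone is
# /etc/nsd/zones/sgsits.ac.in.zone, keys live in /etc/nsd/keys, and nsd.conf on
# the hidden primary points the zone's "zonefile:" at the ".signed" file.
set -eu

ZONE="${ZONE:-sgsits.ac.in}"
ZONEDIR="${ZONEDIR:-/etc/nsd/zones}"
KEYDIR="${KEYDIR:-/etc/nsd/keys}"
UNSIGNED="$ZONEDIR/$ZONE.zone"
SIGNED="$ZONEDIR/$ZONE.zone.signed"

# One-time key generation: a KSK (-k) whose DS goes to the parent (ac.in) and a
# ZSK that signs the zone data. ldns-keygen prints each key's base name.
make_keys() {
    ( cd "$KEYDIR" &&
      ldns-keygen -a ECDSAP256SHA256 -k "$ZONE" &&
      ldns-keygen -a ECDSAP256SHA256 "$ZONE" )
}

# next_serial <current> <YYYYMMDD>: next serial in YYYYMMDDnn form. Secondaries
# transfer only when the serial grows, and every re-sign produces new RRSIGs,
# so the serial must be bumped even when the unsigned records did not change.
next_serial() {
    cur=$1
    today=$2
    base=$((today * 100))
    if [ "$cur" -lt "$base" ]; then
        echo $((base + 1))     # first serial of a new day: YYYYMMDD01
    else
        echo $((cur + 1))      # same day, or already ahead of today: increment
    fi
}

# bump_serial <in> <out> <YYYYMMDD>: rewrite the SOA serial. ldns-read-zone
# expands $ORIGIN/$TTL and prints one RR per line, the SOA serial in field 7.
bump_serial() {
    cur=$(ldns-read-zone "$1" | awk '$4 == "SOA" { print $7; exit }')
    new=$(next_serial "$cur" "$3")
    ldns-read-zone "$1" | awk -v new="$new" '$4 == "SOA" { $7 = new } { print }' > "$2"
    echo "$new"
}

# sign_zone: bump the serial, sign with every key in KEYDIR, verify, load.
sign_zone() {
    new=$(bump_serial "$UNSIGNED" "$UNSIGNED.tmp" "$(date -u +%Y%m%d)")
    keys=""
    for k in "$KEYDIR"/K"$ZONE".+*.private; do   # key base names, no suffix
        keys="$keys ${k%.private}"
    done
    # -n: NSEC3 rather than NSEC, so the zone cannot be trivially walked.
    # ldns-signzone's default inception/expiry apply; set -i/-e explicitly in
    # a real deployment. $keys is intentionally word-split.
    ldns-signzone -n -o "$ZONE" -f "$SIGNED" "$UNSIGNED.tmp" $keys
    ldns-verify-zone "$SIGNED"          # every RRset signed, chain intact
    nsd-checkzone "$ZONE" "$SIGNED"     # NSD can parse what it is about to load
    nsd-control reload "$ZONE"          # hidden primary reloads, sends NOTIFY
    rm -f "$UNSIGNED.tmp"
    echo "signed $ZONE with serial $new"
}

# show_ds: DS record(s) for the parent, derived from the KSK (flags 257) only.
show_ds() {
    for k in "$KEYDIR"/K"$ZONE".+*.key; do
        if grep -q ' 257 3 ' "$k"; then
            ldns-key2ds -n -2 "$k"
        fi
    done
}

case "${1:-}" in
    keys) make_keys ;;
    sign) sign_zone ;;
    ds)   show_ds ;;
esac
```

On each public NSD secondary the zone stanza needs request-xfr: and allow-notify: pointing at the hidden primary, guarded by a TSIG key: block (hmac-sha256), and the hidden primary's stanza needs the matching provide-xfr: and notify:; the hidden primary itself stays out of the NS set. Re-run "sign_zone.sh sign" from cron well inside the RRSIG validity window, and send the output of "sign_zone.sh ds" to ERNET so the DS is published in ac.in; until that DS exists, validating resolvers treat the zone as unsigned, and once it exists a lapsed re-sign makes the zone fail validation.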

If I drop the requirement of DNSSEC for now, NSD provides all the other features, I suppose.
I will try to setup NSD, and will see how it goes.

Thanks all.

Mukul