nsd | source | dnssec | secondary
tested on netbsd 8,9 slackware 14.2,current
apt install build-essential \
    libevent-dev \
    libssl-dev
beware the databases go to /var/lib/nsd/ instead of /var/db/nsd/
some helper to find out if the packages we need are part of the official repository
for pkg in nghttp2 brotli cyrus-sasl glibc-2 gcc-g++ kernel-headers bison gettext-0 flex m4 guile gc libevent; do
    slackpkg search $pkg
done; unset pkg
libraries on slackware
slackpkg install nghttp2 brotli cyrus-sasl
and for building
gpg --version
slackpkg install glibc-2 gcc-g++ kernel-headers
slackpkg install bison gettext-0 flex m4
slackpkg install guile gc libevent
grab the latest release with signature
you’ll also need LDNS for signing zones
wget https://www.nlnetlabs.nl/downloads/ldns/ldns-1.7.1.tar.gz
wget https://www.nlnetlabs.nl/downloads/ldns/ldns-1.7.1.tar.gz.asc
gpg --recv-keys 2F77A498
gpg --verify ldns-1.7.1.tar.gz.asc
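you will get a good signature; check that the primary key fingerprint matches the full one below, since the short key ID given to --recv-keys does not identify a key uniquely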
Primary key fingerprint: DC34 EE5D B241 7BCC 151E 5100 E5F8 F821 2F77 A498
then proceed
tar xzf ldns-1.7.1.tar.gz
cd ldns-1.7.1/
./configure --with-examples --with-drill #--with-pyldns
make clean
make -j8 > ../ldns.log && echo BUILT || echo FAILED
make install >/dev/null && echo INSTALLED || echo FAILED
ls -lF /usr/local/bin/ldns-signzone
cd ../
grab the latest release with signature
wget https://www.nlnetlabs.nl/downloads/nsd/nsd-4.3.3.tar.gz
wget https://www.nlnetlabs.nl/downloads/nsd/nsd-4.3.3.tar.gz.asc
gpg --recv-keys 7E045F8D
gpg --verify nsd-4.3.3.tar.gz.asc
you will get a good signature with the fingerprint below; compare it in full
Primary key fingerprint: EDFA A3F2 CA4E 6EB0 5681 AF8E 9F6F 1C2D 7E04 5F8D
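Both verification steps above (LDNS and NSD) can be scripted so the build stops unless the signature comes from the expected primary key. This is an added example, not part of the original notes: the helper names `signed_by` and `verify_release` are assumptions, and it relies on the machine-readable status lines gpg prints with `--status-fd`.

```shell
#!/bin/sh
# Added example (not from the original notes): pin the signer's full
# fingerprint instead of relying on the short key ID given to --recv-keys.

# Fingerprints as printed on this page, spaces removed.
LDNS_FPR=DC34EE5DB2417BCC151E5100E5F8F8212F77A498
NSD_FPR=EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D

# signed_by EXPECTED_FPR   (hypothetical helper name)
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if there
# is a GOODSIG, every VALIDSIG names the expected primary key (last field of
# the line; the first fingerprint may be a signing subkey), and no
# bad/expired/revoked status was reported. Anything unexpected fails closed.
signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { if (toupper($NF) == want) pinned++; else bad++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { exit !(good > 0 && pinned > 0 && bad == 0) }
    '
}

# verify_release TARBALL SIGNATURE EXPECTED_FPR   (hypothetical helper name)
# The signer's key must already be in the keyring (gpg --recv-keys above).
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by "$3"
}

# Usage, with the file names from this page:
#   verify_release ldns-1.7.1.tar.gz ldns-1.7.1.tar.gz.asc "$LDNS_FPR" || exit 1
#   verify_release nsd-4.3.3.tar.gz  nsd-4.3.3.tar.gz.asc  "$NSD_FPR"  || exit 1
```

A key that merely shares the last eight hex digits with the expected one passes `--recv-keys` by short ID but fails this check.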
extract
tar xzf nsd-4.3.3.tar.gz
cd nsd-4.3.3/
netbsd specific
export CPPFLAGS="-D_OPENBSD_SOURCE"
#export CFLAGS="-g -O2"
export OPENSSL_CFLAGS="-I/usr/local/ssl/include"
export OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto"
slackware does not have it
mkdir -p /var/chroot/nsd/
in case you plan to chroot you might need to force configuration file location for nsd-control reconfig to re-read its configuration
./configure --help|less
./configure --disable-systemd --enable-mmap --enable-pie --enable-relro-now --with-user=nsd \
    --with-chroot=/var/chroot/nsd --with-nsd_conf_file=/var/chroot/nsd/etc/nsd.conf
#--disable-dnstap --disable-ipv6 --with-ssl=/usr/local/ssl
build and install
make clean
make -j8 > ../nsd.log && echo BUILT || echo FAILED
make install >/dev/null && echo INSTALLED || echo FAILED
if it doesn’t exist yet (NetBSD has _nsd built-in, although nsd is the default), create an account for NSD to drop privileges
groupadd -g 953 nsd
useradd -u 953 -g nsd --system -d /var/chroot/nsd -M -s /sbin/nologin nsd
- /var/db/nsd/ if no chroot is used
- --system on GNU/Linux only
- -M as the folder would otherwise get created at install time
and fix a few perms
mkdir /var/chroot/nsd/db/
chown -R root:root /var/chroot/nsd/
chown -R nsd:nsd /var/chroot/nsd/db/
ls -ldF /var/chroot/nsd/etc/ #root:root
ls -ldF /var/chroot/nsd/db/ #nsd:nsd
ls -alF /var/db/nsd
rmdir /var/db/nsd/
ln -s ../../var/chroot/nsd/db /var/db/nsd
ls -alF /etc/nsd
rmdir /etc/nsd/
ln -s ../var/chroot/nsd/etc /etc/nsd
building on slackware
checking whether lex accepts -i... no
configure: error: unable to find a lexer that supports -i. If one is available then set the LEX variable
==> m4 was missing – found by looking into the configure script and trying to reproduce the error manually:
echo %% | flex -i -t >/dev/null
used to give
flex: fatal internal error, exec of /usr/bin/m4 failed
NSD https://www.nlnetlabs.nl/projects/nsd/
README https://github.com/NLnetLabs/nsd/tree/master/doc/README
dnstap https://dnstap.info/
DNS query/response logging with dnstap https://jpmens.net/2017/09/11/dns-query-response-logging-with-dnstap/
LDNS https://www.nlnetlabs.nl/projects/ldns/documentation/
Installing and configuring Unbound+LDNS+NSD https://www.cryptocom.ru/products/unbound_gost-howto-ru.html
USING LDNS+UNBOUND+NSD WITH DNSSEC AND GOST CRYPTOALGORITHMS SUPPORT https://www.cryptocom.ru/products/unbound_gost-howto-en.html