either use your distro’s binaries or see NSD from scratch
server:
username: nsd
pidfile: "/var/run/nsd.pid"
remote-control:
control-enable: no
zone:
name: "example.local"
zonefile: "%s.db"
a few more options e.g. for NetBSD
username: _nsd
pidfile: "/var/run/nsd/nsd.pid"
start with extreme verbosity
nsd -4 -V 5
you can also control-enable: no and skip the key setup if you do not plan to receive any updates.
generate two private keys and two self-signed SSL certificates
cd /var/chroot/nsd/etc/ nsd-control-setup ls -lhF *.key ls -lhF *.pem
eventually generate a secret for receiving updates
dd if=/dev/random count=1 bs=32 | base64
how many cores do you have?
grep ^processor /proc/cpuinfo dmesg | egrep '(^|] )cpu[[:digit:]]+:'
edit the configuration accordingly, define a zone and its reverse name spaces
vi /var/chroot/nsd/etc/nsd.conf
server:
do-ip4: yes
do-ip6: no
verbosity: 1
#verbosity: 3
username: nsd
server-count: HOW_MANY_CORES
pidfile: "/var/chroot/nsd/db/nsd.pid"
hide-version: yes
version: "NSD"
#round-robin: yes
chroot: "/var/chroot/nsd"
zonesdir: "/var/chroot/nsd/etc"
zonelistfile: "/var/chroot/nsd/db/zone.list"
database: "/var/chroot/nsd/db/nsd.db"
xfrdfile: "/var/chroot/nsd/db/xfrd.state"
xfrdir: "/var/chroot/nsd/db"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8952
server-key-file: "/var/chroot/nsd/etc/nsd_server.key"
server-cert-file: "/var/chroot/nsd/etc/nsd_server.pem"
control-key-file: "/var/chroot/nsd/etc/nsd_control.key"
control-cert-file: "/var/chroot/nsd/etc/nsd_control.pem"
key:
name: "HOST-key"
algorithm: hmac-sha256
secret: "PASTE SECRET HERE"
zone:
name: "example.local"
zonefile: "%s.db"
notify: SECONDARY-IP NOKEY
provide-xfr: SECONDARY-IP NOKEY
zone:
name: "c.b.a.in-addr.arpa"
zonefile: "a.b.c.db"
notify: SECONDARY-IP NOKEY
provide-xfr: SECONDARY-IP NOKEY
If you don’t plan to use remote control nor keys at all, use that instead
remote-control:
control-enable: no
Note: switch to username _nsd on NetBSD.
Note: round-robin would only apply to identical record names pointing to different values/destinations. Besides, it should be for the resolvers to handle the server response properly, whatever the order of the records. So I guess this server-side setup is just a hack against broken clients.
zone=example.local
date +%s
vi /var/chroot/var/db/$zone.db
$ORIGIN example.local.
$TTL 1800
@ IN SOA example.local. abuse.example.local. (
SERIAL-HERE ; serial number
3600 ; refresh
900 ; retry
1209600 ; expire
1800 ; ttl
)
IN NS ns.example.local.
IN MX 5 mx
IN A INTERNAL_IP
* IN A INTERNAL_IP
ns IN A INTERNAL_IP
mx IN A INTERNAL_IP
host IN A INTERNAL_IP
pxe IN CNAME host
it seems only Unbound has special restrictions on serving localhost. NSD serves localhost just fine by default
NSD binds to all interfaces by default (incl. localhost) but we want to use Unbound on the same host and ports would conflict
vi /etc/nsd/nsd.conf
ip-address: 127.0.0.1@5353
ip-address: ::1@5353
notify & XFR to backup NS
zone:
name: "example.com"
zonefile: "%s.db"
notify: x.x.x.x NOKEY
provide-xfr: x.x.x.x NOKEY
read the logs
tail -F /var/log/messages tail -F /var/log/syslog
check
which nsd
nsd -v
#w/o chroot
nsd-checkconf /etc/nsd/nsd.conf && echo OK
nsd-checkzone $domain /etc/nsd/$domain.db
nsd-checkzone $domain /etc/nsd/$domain.db.signed
#w/ chroot
nsd-checkconf /var/chroot/nsd/nsd.conf && echo OK
nsd-checkzone $domain /var/chroot/nsd/$domain.db
nsd-checkzone $domain /var/chroot/nsd/$domain.db.signed
warning: DO NOT ENABLE TMEM otherwise you will get
Out of memory: Killed process 3865 (nsd: xfrd) total-vm:109688kB, anon-rss:83596kB, file-rss:0kB, shmem-rss:0kB
enable at startup
vi /etc/rc.local #self-verbose /usr/local/sbin/nsd -4
status
pgrep -a nsd cat /var/run/nsd/nsd.pid cat /var/db/nsd/nsd.pid cat /var/chroot/nsd/nsd.pid netstat -lntup | grep 53
reload
#kill -HUP PID pkill -HUP nsd
stop
pkill nsd
enable at startup
echo starting nsd /usr/local/sbin/nsd-control start
status
nsd-control status
status for the zones
nsd-control zonestatus
reload
#nsd-control reload [<zone>] #nsd-control reconfig
verify a few records
host $domain localhost host -t ns $domain localhost host -t mx $domain localhost host HOST.$domain localhost dig $domain @localhost +short dig -t ns $domain @localhost +short dig -t mx $domain @localhost +short dig HOST.$domain @localhost +short
and proceed with online checking
https://dnssec-analyzer.verisignlabs.com/
Trying to start the daemon on NetBSD
problems sending reload xfrdtomain: Broken pipe May 12 13:10:45 malabar nsd[13294]: did not get start signal from main
==> this does not help:
rm -f /var/db/nsd/nsd.db /var/run/nsd.pid /var/run/nsd/nsd.pid ll /var/db/nsd/ rm -rf /var/chroot/nsd/nsd.db /var/chroot/nsd/nsd.pid /var/chroot/nsd/nsd-xfr-*/ ll /var/chroot/nsd/
==> this neither
CFLAGS="-g -O2" ... /usr/local/sbin/nsd -V 5 -F -1 -L 2
==> see NSD from scratch, and NSD has been bug fixed in the meanwhile.
Re: No buffer space available https://mail-index.netbsd.org/netbsd-users/2012/09/10/msg011397.html
FS#37588 - Nsd update to 4.0.0-1 causes nsd to fail to start and command nscd not present https://bugs.archlinux.org/task/37588
NSD not starting after upgrade https://discourse.mailinabox.email/t/nsd-not-starting-after-upgrade/1452
[nsd-users] NSD db permissions error after upgrade? https://open.nlnetlabs.nl/pipermail/nsd-users/2014-November/002036.html
[nsd-users] NSD 4.0.2 released https://www.nlnetlabs.nl/pipermail/nsd-users/2014-March/001875.html
man 8 nsd / https://www.nlnetlabs.nl/documentation/nsd/nsd/
man 5 nsd.conf / https://www.nlnetlabs.nl/documentation/nsd/nsd.conf/
man 8 nsd-control / https://www.nlnetlabs.nl/documentation/nsd/nsd-control/
man 8 nsd-checkconf / https://www.nlnetlabs.nl/documentation/nsd/nsd-checkconf/
man 8 nsd-checkzone / https://www.nlnetlabs.nl/documentation/nsd/nsd-checkzone/
How To Use NSD, an Authoritative-Only DNS Server, on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04
How to get a random string of 32 hexadecimal digits through command line? https://stackoverflow.com/questions/34328759/how-to-get-a-random-string-of-32-hexadecimal-digits-through-command-line
Secondary DNS at Online.net https://documentation.online.net/en/dedicated-server/tutorials/administration/configure-secondary-dns