either use your distro’s binaries or see NSD from scratch
server:
    username: nsd
    pidfile: "/var/run/nsd.pid"
remote-control:
    control-enable: no
zone:
    name: "example.local"
    zonefile: "%s.db"
a few more options, e.g. for NetBSD
    username: _nsd
    pidfile: "/var/run/nsd/nsd.pid"
start with extreme verbosity
nsd -4 -V 5
you can also set control-enable: no and skip the key setup if you do not plan to receive any updates.
generate two private keys and two self-signed SSL certificates
cd /var/chroot/nsd/etc/
nsd-control-setup
ls -lhF *.key
ls -lhF *.pem
if needed, generate a secret (TSIG key) for receiving updates
dd if=/dev/random count=1 bs=32 | base64
how many cores do you have?
grep ^processor /proc/cpuinfo
dmesg | egrep '(^|] )cpu[[:digit:]]+:'
edit the configuration accordingly, define a zone and its reverse name space
vi /var/chroot/nsd/etc/nsd.conf
server:
    do-ip4: yes
    do-ip6: no
    verbosity: 1
    #verbosity: 3
    username: nsd
    server-count: HOW_MANY_CORES
    pidfile: "/var/chroot/nsd/db/nsd.pid"
    hide-version: yes
    version: "NSD"
    #round-robin: yes
    chroot: "/var/chroot/nsd"
    zonesdir: "/var/chroot/nsd/etc"
    zonelistfile: "/var/chroot/nsd/db/zone.list"
    database: "/var/chroot/nsd/db/nsd.db"
    xfrdfile: "/var/chroot/nsd/db/xfrd.state"
    xfrdir: "/var/chroot/nsd/db"
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/var/chroot/nsd/etc/nsd_server.key"
    server-cert-file: "/var/chroot/nsd/etc/nsd_server.pem"
    control-key-file: "/var/chroot/nsd/etc/nsd_control.key"
    control-cert-file: "/var/chroot/nsd/etc/nsd_control.pem"
key:
    name: "HOST-key"
    algorithm: hmac-sha256
    secret: "PASTE SECRET HERE"
zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY
zone:
    name: "c.b.a.in-addr.arpa"
    zonefile: "a.b.c.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY
If you don’t plan to use remote control nor keys at all, use this instead
remote-control:
    control-enable: no
Note: switch to username _nsd on NetBSD.
Note: round-robin would only apply to identical record names pointing to different values/destinations. Besides, it should be up to the resolvers to handle the server response properly, whatever the order of the records. So I guess this server-side setup is just a hack against broken clients.
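A small audit of the nsd.conf above, as an added example (not from the original page and not an NSD tool): it parses NSD's clause/attribute syntax and flags the points a reviewer checks first, i.e. version disclosure, a control interface reachable beyond loopback, and provide-xfr entries that authorise transfers by source IP alone (NOKEY) even though a key clause is defined. It also produces a TSIG secret the way the dd | base64 command above does. The sample config is a constructed copy of the page's own, keeping its placeholders (SECONDARY-IP, HOST-key, PASTE SECRET HERE).

```python
import base64
import secrets

# Clause keywords of nsd.conf(5); an attribute line with no value opens a clause.
CLAUSE_KEYWORDS = {"server", "remote-control", "key", "zone", "pattern"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_nsd_conf(text):
    """Parse nsd.conf's clause/attribute syntax into [(clause, attrs)].
    attrs maps attribute -> list of values, because ip-address, notify
    and provide-xfr may legitimately repeat inside one clause."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")           # first ':' only, so ::1 survives
        key, value = key.strip(), value.strip().strip('"')
        if key in CLAUSE_KEYWORDS and value == "":
            current = (key, {})
            clauses.append(current)
        elif current is None:
            raise ValueError(f"attribute before any clause: {line!r}")
        else:
            current[1].setdefault(key, []).append(value)
    return clauses


def audit_nsd_conf(text):
    """Return human-readable findings: version disclosure, control socket
    beyond loopback, transfers authorised by IP only or by an undefined key."""
    findings = []
    clauses = parse_nsd_conf(text)
    defined_keys = {a["name"][0] for c, a in clauses if c == "key" and "name" in a}
    for clause, attrs in clauses:
        if clause == "server":
            if attrs.get("hide-version", ["no"])[0] != "yes":
                findings.append("server: hide-version is not 'yes'; version.server CH TXT reveals the build")
        elif clause == "remote-control":
            if attrs.get("control-enable", ["no"])[0] == "yes":
                # nsd.conf(5): control-interface defaults to localhost when absent
                for iface in attrs.get("control-interface", ["127.0.0.1"]):
                    if iface not in LOOPBACK and not iface.startswith("/"):
                        findings.append(f"remote-control: control-interface {iface} is neither loopback nor a unix socket")
        elif clause == "zone":
            zname = attrs.get("name", ["<unnamed>"])[0]
            for acl in attrs.get("provide-xfr", []):
                parts = acl.split()
                if len(parts) != 2:
                    findings.append(f"zone {zname}: cannot parse provide-xfr {acl!r}")
                elif parts[1] == "NOKEY":
                    findings.append(f"zone {zname}: provide-xfr to {parts[0]} is NOKEY (source IP only, no TSIG)")
                elif parts[1] != "BLOCKED" and parts[1] not in defined_keys:
                    findings.append(f"zone {zname}: provide-xfr uses undefined key {parts[1]}")
    return findings


def make_tsig_secret(nbytes=32):
    """Same shape as `dd if=/dev/random count=1 bs=32 | base64`: 32 CSPRNG bytes, base64."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


# Constructed sample: the page's config with its placeholders, trimmed to the relevant clauses.
SAMPLE_CONF = """\
server:
    hide-version: yes
    version: "NSD"
    chroot: "/var/chroot/nsd"
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
key:
    name: "HOST-key"
    algorithm: hmac-sha256
    secret: "PASTE SECRET HERE"
zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY
zone:
    name: "c.b.a.in-addr.arpa"
    zonefile: "a.b.c.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY
"""

# Same config with the defined key actually used for notify and provide-xfr.
HARDENED_CONF = SAMPLE_CONF.replace("NOKEY", "HOST-key")

if __name__ == "__main__":
    for finding in audit_nsd_conf(SAMPLE_CONF):
        print("WARN", finding)
    print("hardened:", audit_nsd_conf(HARDENED_CONF) or "no findings")
    print("tsig secret:", make_tsig_secret())
```

Run it against a real nsd.conf by reading the file into audit_nsd_conf; the NOKEY findings are informational when the secondary's address is fixed and filtered, but the key clause is only worth having if notify and provide-xfr reference it.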
zone=example.local
date +%s
vi /var/chroot/var/db/$zone.db
$ORIGIN example.local.
$TTL 1800
@       IN SOA example.local. abuse.example.local. (
            SERIAL-HERE ; serial number
            3600        ; refresh
            900         ; retry
            1209600     ; expire
            1800 )      ; ttl
        IN NS ns.example.local.
        IN MX 5 mx
        IN A INTERNAL_IP
*       IN A INTERNAL_IP
ns      IN A INTERNAL_IP
mx      IN A INTERNAL_IP
host    IN A INTERNAL_IP
pxe     IN CNAME host
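The template above takes date +%s as the SOA serial, and secondaries only transfer a zone when the serial increases in RFC 1982 arithmetic. The following is an added example (not from the page) that locates the serial in a zone file, handles the SERIAL-HERE placeholder on first publication, and on later edits uses the epoch unless the existing serial is already ahead of it (a YYYYMMDDnn serial, or a skewed clock), in which case it increments instead. The sample zone is a constructed copy of the one above with 192.0.2.x in place of INTERNAL_IP.

```python
import re
import time

# "SOA mname rname", an optional '(' surrounded by whitespace and ';' comments,
# then the serial: digits, or the SERIAL-HERE placeholder used in the template.
SOA_SERIAL_RE = re.compile(
    r"\bSOA\s+\S+\s+\S+"          # SOA  mname  rname
    r"(?:\s|;[^\n]*)*\(?"         # optional '(' with comments/whitespace around it
    r"(?:\s|;[^\n]*)*"
    r"(?P<serial>\d+|SERIAL-HERE)"
)
SERIAL_MOD = 2 ** 32


def serial_gt(new, old):
    """RFC 1982: `new` is newer than `old` iff the forward distance mod 2^32
    is non-zero and below 2^31 (so 1 is newer than 2^32-1 after wraparound)."""
    return 0 < (new - old) % SERIAL_MOD < SERIAL_MOD // 2


def find_soa_serial(zone_text):
    """Return the regex match whose 'serial' group is the current SOA serial."""
    m = SOA_SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA record with a serial found")
    return m


def bump_serial(zone_text, now=None):
    """Return (new_zone_text, new_serial). Prefer the epoch (date +%s) when it
    is newer than the current serial; otherwise increment, so the serial always
    moves forward and secondaries pick the change up."""
    now = int(time.time()) if now is None else int(now)
    m = find_soa_serial(zone_text)
    token = m.group("serial")
    if token.isdigit() and not serial_gt(now, int(token)):
        new = (int(token) + 1) % SERIAL_MOD      # existing serial is ahead: step it
    else:
        new = now % SERIAL_MOD                   # placeholder or epoch is newer
    return zone_text[:m.start("serial")] + str(new) + zone_text[m.end("serial"):], new


# Constructed sample zone, mirroring the template above.
SAMPLE_ZONE = """\
$ORIGIN example.local.
$TTL 1800
@       IN SOA example.local. abuse.example.local. (
            SERIAL-HERE ; serial number
            3600        ; refresh
            900         ; retry
            1209600     ; expire
            1800 )      ; ttl
        IN NS ns.example.local.
        IN MX 5 mx
        IN A  192.0.2.10
ns      IN A  192.0.2.10
mx      IN A  192.0.2.10
"""

if __name__ == "__main__":
    text, serial = bump_serial(SAMPLE_ZONE)
    print("new serial:", serial)
    print(text)
```

To use it on the real file, read /var/chroot/var/db/$zone.db, pass the text through bump_serial, write it back and run nsd-checkzone before reloading; the function refuses to touch a file without a recognisable SOA rather than guessing.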
it seems only Unbound has special restrictions on serving localhost. NSD serves localhost just fine by default
NSD binds to all interfaces by default (incl. localhost), but we want to run Unbound on the same host and the ports would conflict
vi /etc/nsd/nsd.conf
    ip-address: 127.0.0.1@5353
    ip-address: ::1@5353
notify & XFR to backup NS
zone:
    name: "example.com"
    zonefile: "%s.db"
    notify: x.x.x.x NOKEY
    provide-xfr: x.x.x.x NOKEY
read the logs
tail -F /var/log/messages
tail -F /var/log/syslog
check
which nsd
nsd -v

#w/o chroot
nsd-checkconf /etc/nsd/nsd.conf && echo OK
nsd-checkzone $domain /etc/nsd/$domain.db
nsd-checkzone $domain /etc/nsd/$domain.db.signed

#w/ chroot
nsd-checkconf /var/chroot/nsd/nsd.conf && echo OK
nsd-checkzone $domain /var/chroot/nsd/$domain.db
nsd-checkzone $domain /var/chroot/nsd/$domain.db.signed
warning: DO NOT ENABLE TMEM, otherwise you will get
Out of memory: Killed process 3865 (nsd: xfrd) total-vm:109688kB, anon-rss:83596kB, file-rss:0kB, shmem-rss:0kB
enable at startup
vi /etc/rc.local
    #self-verbose
    /usr/local/sbin/nsd -4
status
pgrep -a nsd
cat /var/run/nsd/nsd.pid
cat /var/db/nsd/nsd.pid
cat /var/chroot/nsd/nsd.pid
netstat -lntup | grep 53
reload
#kill -HUP PID
pkill -HUP nsd
stop
pkill nsd
enable at startup
echo starting nsd
/usr/local/sbin/nsd-control start
status
nsd-control status
status for the zones
nsd-control zonestatus
reload
#nsd-control reload [<zone>]
#nsd-control reconfig
verify a few records
host $domain localhost
host -t ns $domain localhost
host -t mx $domain localhost
host HOST.$domain localhost

dig $domain @localhost +short
dig -t ns $domain @localhost +short
dig -t mx $domain @localhost +short
dig HOST.$domain @localhost +short
and proceed with online checking
https://dnssec-analyzer.verisignlabs.com/
Trying to start the daemon on NetBSD gives
problems sending reload xfrdtomain: Broken pipe
May 12 13:10:45 malabar nsd[13294]: did not get start signal from main
==> this does not help:
rm -f /var/db/nsd/nsd.db /var/run/nsd.pid /var/run/nsd/nsd.pid
ll /var/db/nsd/

rm -rf /var/chroot/nsd/nsd.db /var/chroot/nsd/nsd.pid /var/chroot/nsd/nsd-xfr-*/
ll /var/chroot/nsd/
==> this neither
CFLAGS="-g -O2" ...
/usr/local/sbin/nsd -V 5 -F -1 -L 2
==> see NSD from scratch; NSD has been bug-fixed in the meantime.
Re: No buffer space available https://mail-index.netbsd.org/netbsd-users/2012/09/10/msg011397.html
FS#37588 - Nsd update to 4.0.0-1 causes nsd to fail to start and command nscd not present https://bugs.archlinux.org/task/37588
NSD not starting after upgrade https://discourse.mailinabox.email/t/nsd-not-starting-after-upgrade/1452
[nsd-users] NSD db permissions error after upgrade? https://open.nlnetlabs.nl/pipermail/nsd-users/2014-November/002036.html
[nsd-users] NSD 4.0.2 released https://www.nlnetlabs.nl/pipermail/nsd-users/2014-March/001875.html
man 8 nsd / https://www.nlnetlabs.nl/documentation/nsd/nsd/
man 5 nsd.conf / https://www.nlnetlabs.nl/documentation/nsd/nsd.conf/
man 8 nsd-control / https://www.nlnetlabs.nl/documentation/nsd/nsd-control/
man 8 nsd-checkconf / https://www.nlnetlabs.nl/documentation/nsd/nsd-checkconf/
man 8 nsd-checkzone / https://www.nlnetlabs.nl/documentation/nsd/nsd-checkzone/
How To Use NSD, an Authoritative-Only DNS Server, on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04
How to get a random string of 32 hexadecimal digits through command line? https://stackoverflow.com/questions/34328759/how-to-get-a-random-string-of-32-hexadecimal-digits-through-command-line
Secondary DNS at Online.net https://documentation.online.net/en/dedicated-server/tutorials/administration/configure-secondary-dns