setting up nsd



this guide is superseded by its Ansible playbook https://pub.nethence.com/system/ansible/playbooks/nsd/


requirements

liberate 53/udp,tcp

apt purge systemd-resolved

install

either use your distro’s binaries

apt install nsd dns-root-data ldnsutils

or build it from source

friendly MWE

server:
    username: nsd
    pidfile: "/var/run/nsd.pid"

remote-control:
    control-enable: no

zone:
    name: "example.local"
    zonefile: "%s.db"

a few more options e.g. for NetBSD

    username: _nsd
    pidfile: "/var/run/nsd/nsd.pid"

start with extreme verbosity

nsd -4 -V 5

remote control

optionally generate two private keys and two self-signed SSL certificates to manage the daemon from the command line

cd /etc/nsd/
cd /var/chroot/nsd/etc/

nsd-control-setup
ls -lhF *.key
ls -lhF *.pem

if you don’t plan to use remote control at all, use this instead

remote-control:
    control-enable: no

xfr secret

in case your ISP does not require a key for setting up AXFR from their UI, simply skip the generation of a shared secret and use NOKEY thereafter.

now if you are in control of the secondary NS, generate one

dd if=/dev/random count=1 bs=32 | base64

vi /etc/nsd/nsd.conf

key:
    name: "sync"
    algorithm: hmac-sha256
    secret: "THAT-SECRET-HERE"

then see secondary to set up a full-blown backup NS on your own.
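putting the shared-secret step together, as an added example that is not part of the original guide: it generates the secret, refuses one that is not valid base64 of at least 32 bytes, and renders the key and zone stanzas that actually reference the key on notify/provide-xfr rather than NOKEY. The key name "sync" comes from the guide; the secondary address 192.0.2.53 is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original guide: generate a TSIG secret for the
# "key:" block and render the stanzas that actually use it. The key name
# "sync" is the guide's; the secondary address 192.0.2.53 is a placeholder.

# 32 random bytes, base64-encoded: a full-strength key for hmac-sha256
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Accept only secrets that are valid base64 and decode to at least 32 bytes,
# so a truncated or hand-typed value is caught before it lands in nsd.conf
check_tsig_secret() {
    decoded_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${decoded_len:-0}" -ge 32 ]
}

# Render key + zone stanzas. Naming the key on notify/provide-xfr (instead of
# NOKEY) makes nsd require a valid TSIG signature, not just the right source IP
render_xfr_config() {
    zone=$1; keyname=$2; secret=$3; secondary=$4
    cat <<EOF
key:
    name: "$keyname"
    algorithm: hmac-sha256
    secret: "$secret"

zone:
    name: "$zone"
    zonefile: "%s.db"
    notify: $secondary $keyname
    provide-xfr: $secondary $keyname
EOF
}

# Usage: paste the output into nsd.conf on the primary, and the same key block
# into the secondary's configuration
secret=$(gen_tsig_secret)
check_tsig_secret "$secret" || { echo "secret is malformed or too short" >&2; exit 1; }
render_xfr_config example.local sync "$secret" 192.0.2.53
```

the same secret must be configured on both ends; when the ISP's panel only accepts an IP address, keep NOKEY as the guide says and rely on provide-xfr being limited to that one address.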

setup

how many cores do you have?

grep ^processor /proc/cpuinfo
dmesg | egrep '(^|] )cpu[[:digit:]]+:'

w/o chroot on Debian 11

server:
    do-ip4: yes
    do-ip6: no
    username: nsd
    server-count: HOW_MANY_CORES
    pidfile: /var/run/nsd.pid
    hide-version: yes
    version: "none of your business"
    #round-robin: yes

    log-only-syslog: no
    logfile: "/var/log/nsd.log"
    verbosity: 1

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file:    "/etc/nsd/nsd_server.key"
    server-cert-file:       "/etc/nsd/nsd_server.pem"
    control-key-file:       "/etc/nsd/nsd_control.key"
    control-cert-file:      "/etc/nsd/nsd_control.pem"

key:
    name: "sync"
    algorithm: hmac-sha256
    secret: "THAT-SECRET-HERE"

zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

zone:
    name: "c.b.a.in-addr.arpa"
    zonefile: "a.b.c.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

with chroot on Slackware 15.0

vi /var/chroot/nsd/etc/nsd.conf

server:
    do-ip4: yes
    do-ip6: no
    verbosity: 1
    #verbosity: 3
    username: nsd
    server-count: HOW_MANY_CORES
    pidfile:    "/var/chroot/nsd/db/nsd.pid"
    hide-version: yes
    version: "none of your business"
    #round-robin: yes

    chroot:  "/var/chroot/nsd"
    zonesdir:       "/var/chroot/nsd/etc"
    zonelistfile:   "/var/chroot/nsd/db/zone.list"
    database:       "/var/chroot/nsd/db/nsd.db"
    xfrdfile:       "/var/chroot/nsd/db/xfrd.state"
    xfrdir:  "/var/chroot/nsd/db"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file:    "/var/chroot/nsd/etc/nsd_server.key"
    server-cert-file:       "/var/chroot/nsd/etc/nsd_server.pem"
    control-key-file:       "/var/chroot/nsd/etc/nsd_control.key"
    control-cert-file:      "/var/chroot/nsd/etc/nsd_control.pem"

key:
    name: "HOST-key"
    algorithm: hmac-sha256
    secret: "PASTE SECRET HERE"

zone:
    name: "example.local"
    zonefile: "%s.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

zone:
    name: "c.b.a.in-addr.arpa"
    zonefile: "a.b.c.db"
    notify: SECONDARY-IP NOKEY
    provide-xfr: SECONDARY-IP NOKEY

zone setup

see zone setup

serve to unbound

it seems only Unbound has special restrictions on serving localhost. NSD serves localhost just fine by default

NSD binds to all interfaces by default (incl. localhost), but we want to run Unbound on the same host and the ports would conflict, so bind NSD to loopback on an alternate port

vi /etc/nsd/nsd.conf

    ip-address: 127.0.0.1@5353
    ip-address: ::1@5353

ready to go

read the logs

# debian
tail -F /var/log/syslog

# slackware
tail -F /var/log/messages

check

which nsd
nsd -v

zone=example.local

# w/o chroot
nsd-checkconf /etc/nsd/nsd.conf && echo OK
nsd-checkzone $zone /etc/nsd/$zone.db
nsd-checkzone $zone /etc/nsd/$zone.db.signed

# w/ chroot (paths as in the Slackware config above: zonesdir is /var/chroot/nsd/etc)
nsd-checkconf /var/chroot/nsd/etc/nsd.conf && echo OK
nsd-checkzone $zone /var/chroot/nsd/etc/$zone.db
nsd-checkzone $zone /var/chroot/nsd/etc/$zone.db.signed

w/o remote control or systemd

enable at startup

vi /etc/rc.local

# self-verbose
rm -f /var/chroot/nsd/db/nsd.pid
/usr/local/sbin/nsd
#-4

status

pgrep -a nsd
cat /var/run/nsd/nsd.pid
cat /var/db/nsd/nsd.pid
cat /var/chroot/nsd/db/nsd.pid
netstat -lntup | grep 53

reload

# DOES NOT WORK
#pkill -HUP nsd

# YOU NEED TO GRAB THE PID MANUALLY - THE PARENT PROCESS
ps auxfww | grep nsd
kill -HUP PID

stop

# IDEM
#pkill nsd
kill PID
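the reload/stop steps above come down to signalling the parent process only; as an added example that is not from the original guide, here is a way to select that pid from a process listing instead of reading it off `ps auxfww` by eye. The listing is a constructed sample, not a real capture.

```sh
#!/bin/sh
# Added example, not from the original guide: pick the nsd parent process from
# a process listing so SIGHUP reaches it alone. "pkill -HUP nsd" fails because
# it also signals the xfrd and server children.

# Constructed sample of `ps -eo pid,ppid,args` output (not a real capture)
SAMPLE_PS='  PID  PPID COMMAND
    1     0 /sbin/init
  900     1 /usr/local/sbin/nsd
  901   900 nsd: xfrd
  902   900 nsd: server 1
  903   900 nsd: server 2
 1200     1 /usr/sbin/sshd'

# Read "pid ppid args" lines on stdin; print the pid of the nsd process whose
# own parent is not an nsd process (i.e. the one started from rc.local)
nsd_parent_pid() {
    awk '$3 ~ /(^|\/)nsd:?$/ { parent[$1] = $2 }
         END { for (p in parent) if (!(parent[p] in parent)) { print p; exit } }'
}

# Live reload: signal only the parent, and refuse to guess if none is found
nsd_reload() {
    pid=$(ps -eo pid,ppid,args | nsd_parent_pid)
    [ -n "$pid" ] || { echo "no running nsd parent found" >&2; return 1; }
    kill -HUP "$pid"
}

# Same selection run on the sample listing; prints 900
printf '%s\n' "$SAMPLE_PS" | nsd_parent_pid
```

when the pidfile location is known (see status above), `kill -HUP "$(cat PIDFILE)"` reaches the same process; the listing-based selection is for the case where the pidfile is stale or in a different place than expected.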

w/ remote control, w/o systemd

enable at startup

echo starting nsd
/usr/local/sbin/nsd-control start

status

nsd-control status

status for the zones

nsd-control zonestatus

reload

#nsd-control reload [<zone>]
#nsd-control reconfig

debian w/ systemd

systemctl restart nsd
systemctl status nsd # enabled already
netstat -lntup | grep :53

acceptance

verify a few records

host $zone localhost
host -t ns $zone localhost
host -t mx $zone localhost
host HOST.$zone localhost

dig $zone @localhost +short
dig ns $zone @localhost +short
dig mx $zone @localhost +short
dig HOST.$zone @localhost +short
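two checks a practitioner would add to the spot queries above, as an added example that is not part of the original guide: the secondary must carry the same SOA serial as the primary (proof that NOTIFY and AXFR worked), and a host that is not listed in provide-xfr must be refused a zone transfer. The dig outputs embedded here are constructed samples; the addresses 192.0.2.1 and 192.0.2.53 are placeholders.

```sh
#!/bin/sh
# Added example, not from the original guide: two acceptance checks beyond the
# spot queries. (1) primary and secondary agree on the SOA serial, which shows
# NOTIFY + AXFR worked; (2) a host absent from provide-xfr is refused a zone
# transfer. Addresses 192.0.2.1 / 192.0.2.53 are placeholders.

# Constructed samples of `dig +short soa` and `dig axfr` output (not captures)
SAMPLE_PRIMARY_SOA='ns1.example.local. hostmaster.example.local. 2024051201 3600 900 604800 86400'
SAMPLE_STALE_SOA='ns1.example.local. hostmaster.example.local. 2024051100 3600 900 604800 86400'
SAMPLE_AXFR_REFUSED='; <<>> DiG 9.18.24 <<>> axfr example.local @192.0.2.1
;; global options: +cmd
; Transfer failed.'
SAMPLE_AXFR_OK='example.local.  3600 IN SOA ns1.example.local. hostmaster.example.local. 2024051201 3600 900 604800 86400
example.local.  3600 IN NS  ns1.example.local.
;; XFR size: 3 records'

# The serial is the 3rd field of a SOA RDATA line
soa_serial() {
    awk 'NF >= 7 { print $3; exit }'
}

# True when both SOA lines carry the same, non-empty serial
serials_match() {
    a=$(printf '%s\n' "$1" | soa_serial)
    b=$(printf '%s\n' "$2" | soa_serial)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# dig reports a refused transfer with this line instead of zone records
axfr_refused() {
    grep -q 'Transfer failed'
}

# Live check against real servers: run after bumping the serial and reloading
check_zone_sync() {
    zone=$1; primary=$2; secondary=$3
    serials_match "$(dig +short soa "$zone" @"$primary")" \
                  "$(dig +short soa "$zone" @"$secondary")"
}

# Live check: run from a host that is NOT the secondary, it must be refused
check_axfr_restricted() {
    zone=$1; server=$2
    dig axfr "$zone" @"$server" | axfr_refused
}

# The same logic on the samples: the stale secondary is detected
serials_match "$SAMPLE_PRIMARY_SOA" "$SAMPLE_STALE_SOA" || echo "secondary is behind the primary"
```

a serial mismatch that persists past the SOA refresh interval usually means the NOTIFY never reached the secondary or the AXFR was refused there; check the logs on both sides (see ready to go).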

dnssec

see nsd-dnssec

additional notes

Note: round-robin would only apply to identical record names pointing to different values/destinations. Besides, it should be for the resolvers to handle the server response properly, whatever the order of the records. So I guess this server-side setup is just a hack against broken clients.

troubleshooting

Trying to start the daemon on NetBSD

problems sending reload xfrdtomain: Broken pipe
May 12 13:10:45 malabar nsd[13294]: did not get start signal from main

==> this does not help:

rm -f /var/db/nsd/nsd.db /var/run/nsd.pid /var/run/nsd/nsd.pid
ll /var/db/nsd/

rm -rf /var/chroot/nsd/nsd.db /var/chroot/nsd/nsd.pid /var/chroot/nsd/nsd-xfr-*/
ll /var/chroot/nsd/

==> this neither

CFLAGS="-g -O2"
...
/usr/local/sbin/nsd -V 5
-F -1 -L 2

==> see NSD from scratch; NSD has been bug-fixed in the meantime.

Out of memory: Killed process 3865 (nsd: xfrd) total-vm:109688kB, anon-rss:83596kB, file-rss:0kB, shmem-rss:0kB

==> DO NOT ENABLE TMEM

resources

nsd - Name Server Daemon (NSD) version 4.3.6. https://www.nlnetlabs.nl/documentation/nsd/nsd/

nsd.conf - NSD configuration file https://www.nlnetlabs.nl/documentation/nsd/nsd.conf/

nsd-control, nsd-control-setup - NSD remote server control utility. https://www.nlnetlabs.nl/documentation/nsd/nsd-control/

nsd-checkconf - NSD configuration file checker. https://www.nlnetlabs.nl/documentation/nsd/nsd-checkconf/

nsd-checkzone - NSD zone file syntax checker. https://www.nlnetlabs.nl/documentation/nsd/nsd-checkzone/

How To Use NSD, an Authoritative-Only DNS Server, on Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-use-nsd-an-authoritative-only-dns-server-on-ubuntu-14-04

How to get a random string of 32 hexadecimal digits through command line? https://stackoverflow.com/questions/34328759/how-to-get-a-random-string-of-32-hexadecimal-digits-through-command-line

setup

https://linux.die.net/man/5/nsd.conf ==> logfile

backup ns

Secondary DNS at Online.net https://documentation.online.net/en/dedicated-server/tutorials/administration/configure-secondary-dns

ttl

What is DNS TTL + Best Practices https://www.varonis.com/blog/dns-ttl/

troubles

Re: No buffer space available https://mail-index.netbsd.org/netbsd-users/2012/09/10/msg011397.html

FS#37588 - Nsd update to 4.0.0-1 causes nsd to fail to start and command nscd not present https://bugs.archlinux.org/task/37588

NSD not starting after upgrade https://discourse.mailinabox.email/t/nsd-not-starting-after-upgrade/1452

[nsd-users] NSD db permissions error after upgrade? https://open.nlnetlabs.nl/pipermail/nsd-users/2014-November/002036.html

[nsd-users] NSD 4.0.2 released https://www.nlnetlabs.nl/pipermail/nsd-users/2014-March/001875.html


Licensed under MIT