NSD from scratch

tested on NetBSD 8 and 9 and Slackware 14.2

Requirements

debian/ubuntu

apt install build-essential \
    libevent-dev \
    libssl-dev

beware the databases go to /var/lib/nsd/ instead of /var/db/nsd/

slackware

#gpg --recv-keys wants
slackpkg install nghttp2 brotli cyrus-sasl

#building
slackpkg install glibc gcc-g++ kernel-headers
slackpkg install bison gettext flex m4
slackpkg install guile gc

Build LDNS examples explicitly

grab the latest release with signature

you’ll also need LDNS for signing zones

wget https://www.nlnetlabs.nl/downloads/ldns/ldns-1.7.1.tar.gz
wget https://www.nlnetlabs.nl/downloads/ldns/ldns-1.7.1.tar.gz.asc
gpg --verify ldns-1.7.1.tar.gz.asc
gpg --recv-keys 2F77A498
gpg --verify ldns-1.7.1.tar.gz.asc

you will get a good signature with this fingerprint

Primary key fingerprint: DC34 EE5D B241 7BCC 151E  5100 E5F8 F821 2F77 A498

then proceed

tar xzf ldns-1.7.1.tar.gz
cd ldns-1.7.1/
./configure --with-examples --with-drill
#--with-pyldns
make clean
make -j2 > ../ldns.log && echo BUILT
make install
cd examples/
autoreconf && ./configure && make

Build NSD

grab the latest release with signature

wget https://www.nlnetlabs.nl/downloads/nsd/nsd-4.3.1.tar.gz
wget https://www.nlnetlabs.nl/downloads/nsd/nsd-4.3.1.tar.gz.asc
gpg --verify nsd-4.3.1.tar.gz.asc
gpg --recv-keys 7E045F8D
gpg --verify nsd-4.3.1.tar.gz.asc

you will get a good signature with this fingerprint

Primary key fingerprint: EDFA A3F2 CA4E 6EB0 5681  AF8E 9F6F 1C2D 7E04 5F8D
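The two gpg --verify steps above (LDNS and NSD) rely on reading the fingerprint by eye after fetching the key by its 8-digit ID. As an added example (not part of the original guide), the check can be scripted so that extraction only proceeds when gpg reports a valid signature from the full fingerprint. The function names and the sample status lines are made up for illustration; the fingerprint is the NSD one printed above.

```shell
#!/bin/sh
# Added example: accept a release only if gpg reports a valid signature
# made under the pinned full fingerprint.

# Fingerprint as printed on this page for the NSD release key.
NSD_FPR='EDFA A3F2 CA4E 6EB0 5681  AF8E 9F6F 1C2D 7E04 5F8D'

# "EDFA A3F2 ..." -> bare upper-case hex, the form gpg uses on --status-fd.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the expected primary-key fingerprint (its last field) and no line reports a
# bad, unverifiable, expired or revoked signature or key.
status_has_pinned_sig() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_release TARBALL FINGERPRINT  (expects TARBALL.asc beside TARBALL)
verify_release() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        status_has_pinned_sig "$2"
}

# Constructed status output (dates and timestamps made up) for an offline check.
VALID='2020-04-16 1587000000 0 4 0 1 8 00'
SAMPLE_GOOD="[GNUPG:] VALIDSIG $(norm_fpr "$NSD_FPR") $VALID $(norm_fpr "$NSD_FPR")"
# Constructed different key whose last 8 hex digits equal the short ID 7E045F8D.
LOOKALIKE=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7E045F8D
SAMPLE_LOOKALIKE="[GNUPG:] VALIDSIG $LOOKALIKE $VALID $LOOKALIKE"
SAMPLE_EXPIRED="[GNUPG:] EXPKEYSIG 9F6F1C2D7E045F8D constructed
$SAMPLE_GOOD"

for s in SAMPLE_GOOD SAMPLE_LOOKALIKE SAMPLE_EXPIRED; do
    eval "lines=\$$s"
    if printf '%s\n' "$lines" | status_has_pinned_sig "$NSD_FPR"; then
        echo "$s: accept"
    else
        echo "$s: reject"
    fi
done
```

With the key imported, verify_release nsd-4.3.1.tar.gz "$NSD_FPR" && tar xzf nsd-4.3.1.tar.gz gates the extract step; the LDNS tarball works the same way with the LDNS fingerprint shown earlier.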

extract

tar xzf nsd-4.3.1.tar.gz
cd nsd-4.3.1/
./configure --help|less

netbsd specific

export CPPFLAGS="-D_OPENBSD_SOURCE"
#export CFLAGS="-g -O2"
export OPENSSL_CFLAGS="-I/usr/local/ssl/include"
export OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto"

shared/common

./configure --disable-systemd --enable-mmap --enable-pie --enable-relro-now --with-user=nsd
#--disable-dnstap --disable-ipv6 --with-ssl=/usr/local/ssl

if you plan to chroot, you might need to force the configuration file location so that nsd-control reconfig can re-read its configuration

#--with-chroot=/var/chroot/nsd --with-nsd_conf_file=/var/chroot/nsd/nsd.conf

build and install

time nice make -j2 > ../nsd.log && echo BUILT
#1m3.902s with two weak cores
make install
ls -alhF /var/db/nsd/
ls -alhF /etc/nsd/

if it doesn’t exist yet (NetBSD has _nsd built-in, although nsd is the default), create an account for NSD to drop privileges to

groupadd -g 32764 nsd
useradd -u 32764 -g nsd --system -d /var/db/nsd -M -s /sbin/nologin nsd
#-d /var/chroot/nsd
chown -R nsd:nsd /var/db/nsd/

Troubles

building on slackware

checking whether lex accepts -i... no
configure: error: unable to find a lexer that supports -i. If one is available then set the LEX variable

==> m4 was missing – found by looking into the configure script and trying to reproduce the error manually:

echo %% | flex -i -t >/dev/null

used to give

flex: fatal internal error, exec of /usr/bin/m4 failed

Resources

NSD https://www.nlnetlabs.nl/projects/nsd/

README https://github.com/NLnetLabs/nsd/tree/master/doc/README

dnstap https://dnstap.info/

DNS query/response logging with dnstap https://jpmens.net/2017/09/11/dns-query-response-logging-with-dnstap/

ldns

LDNS https://www.nlnetlabs.nl/projects/ldns/documentation/

Installing and configuring Unbound+LDNS+NSD (in Russian) https://www.cryptocom.ru/products/unbound_gost-howto-ru.html

USING LDNS+UNBOUND+NSD WITH DNSSEC AND GOST CRYPTOALGORITHMS SUPPORT https://www.cryptocom.ru/products/unbound_gost-howto-en.html

https://pep-security.lu/gitlab/misc/ldns/raw/8ef77be99b3e964151b3f2baabeaac311683a58d/contrib/python/Makefile

