NSD from scratch

tested on netbsd 8,9 slackware 14.2,current

Requirements

debian/ubuntu

apt install build-essential \
    libevent-dev \
    libssl-dev

beware the databases go to /var/lib/nsd/ instead of /var/db/nsd/

slackware

some helper to find out if the packages we need are part of the official repository

for pkg in nghttp2 brotli cyrus-sasl glibc-2 gcc-g++ kernel-headers bison gettext-0 flex m4 guile gc libevent; do
    slackpkg search $pkg
done; unset pkg

libraries on slackware

slackpkg install nghttp2 brotli cyrus-sasl

and for building

gpg --version
slackpkg install glibc-2 gcc-g++ kernel-headers
slackpkg install bison gettext-0 flex m4
slackpkg install guile gc libevent

Build LDNS examples explicitly

grab the latest release with signature

you’ll also need LDNS for signing zones

wget https://www.nlnetlabs.nl/downloads/ldns/ldns-1.7.1.tar.gz
wget https://www.nlnetlabs.nl/downloads/ldns/ldns-1.7.1.tar.gz.asc
gpg --recv-keys 2F77A498
gpg --verify ldns-1.7.1.tar.gz.asc

you will get good signature with fingerprint

Primary key fingerprint: DC34 EE5D B241 7BCC 151E  5100 E5F8 F821 2F77 A498

then proceed

tar xzf ldns-1.7.1.tar.gz
cd ldns-1.7.1/
./configure --with-examples --with-drill
#--with-pyldns
make clean
make -j8 > ../ldns.log && echo BUILT || echo FAILED
make install >/dev/null && echo INSTALLED || echo FAILED
ls -lF /usr/local/bin/ldns-signzone
cd ../

Build NSD

grab the latest release with signature

wget https://www.nlnetlabs.nl/downloads/nsd/nsd-4.3.3.tar.gz
wget https://www.nlnetlabs.nl/downloads/nsd/nsd-4.3.3.tar.gz.asc
gpg --recv-keys 7E045F8D
gpg --verify nsd-4.3.3.tar.gz.asc

you will get good signature with fingerprint

Primary key fingerprint: EDFA A3F2 CA4E 6EB0 5681  AF8E 9F6F 1C2D 7E04 5F8D

extract

tar xzf nsd-4.3.3.tar.gz
cd nsd-4.3.3/

netbsd specific

export CPPFLAGS="-D_OPENBSD_SOURCE"
#export CFLAGS="-g -O2"
export OPENSSL_CFLAGS="-I/usr/local/ssl/include"
export OPENSSL_LIBS="-L/usr/local/ssl/lib -lssl -lcrypto"

slackware does not have it

mkdir -p /var/chroot/nsd/

in case you plan to chroot you might need to force configuration file location for nsd-control reconfig to re-read its configuration

./configure --help|less
./configure --disable-systemd --enable-mmap --enable-pie --enable-relro-now --with-user=nsd \
    --with-chroot=/var/chroot/nsd --with-nsd_conf_file=/var/chroot/nsd/etc/nsd.conf
    #--disable-dnstap --disable-ipv6 --with-ssl=/usr/local/ssl

build and install

make clean
make -j8 > ../nsd.log && echo BUILT || echo FAILED
make install >/dev/null && echo INSTALLED || echo FAILED

if it doesn’t exist yet (NetBSD has _nsd built-in, although nsd is the default), create an account for NSD to drop privileges

groupadd -g 953 nsd
useradd -u 953 -g nsd --system -d /var/chroot/nsd -M -s /sbin/nologin nsd

and fix a few perms

mkdir /var/chroot/nsd/db/
chown -R root:root /var/chroot/nsd/
chown -R nsd:nsd /var/chroot/nsd/db/

ls -ldF /var/chroot/nsd/etc/    #root:root
ls -ldF /var/chroot/nsd/db/ #nsd:nsd

ls -alF /var/db/nsd
rmdir /var/db/nsd/
ln -s ../../var/chroot/nsd/db /var/db/nsd

ls -alF /etc/nsd
rmdir /etc/nsd/
ln -s ../var/chroot/nsd/etc /etc/nsd

Troubles

building on slackware

checking whether lex accepts -i... no
configure: error: unable to find a lexer that supports -i. If one is available then set the LEX variable

==> m4 was missing – found by looking into the configure script and trying to reproduce the error manually:

echo %% | flex -i -t >/dev/null

used to give

flex: fatal internal error, exec of /usr/bin/m4 failed

Resources

NSD https://www.nlnetlabs.nl/projects/nsd/

README https://github.com/NLnetLabs/nsd/tree/master/doc/README

dnstap https://dnstap.info/

DNS query/response logging with dnstap https://jpmens.net/2017/09/11/dns-query-response-logging-with-dnstap/

ldns

LDNS https://www.nlnetlabs.nl/projects/ldns/documentation/

Установка и настройка Unbound+LDNS+NSD https://www.cryptocom.ru/products/unbound_gost-howto-ru.html

USING LDNS+UNBOUND+NSD WITH DNSSEC AND GOST CRYPTOALGORITHMS SUPPORT https://www.cryptocom.ru/products/unbound_gost-howto-en.html

https://pep-security.lu/gitlab/misc/ldns/raw/8ef77be99b3e964151b3f2baabeaac311683a58d/contrib/python/Makefile