Pre-compiling zone data lets NSD start up very quickly. A new version called NSD4 is on the horizon, and I want to look at some of its new features.
NSD evolved out of a server designed to power the K root server. As described above, one of NSD3's major features is that zone data is "compiled" into a database from which NSD3 serves replies.
(BTW, if you currently use NSD3, migration to NSD4 ought to be quite easy.) Configuration of NSD4 is mostly unchanged, but there are some new bits in nsd.conf:

server:
    database: "/usr/local/nsd4/etc/nsd/nsd.db"
    zonesdir: "/usr/local/nsd4/etc/nsd/zones"
    zonelistfile: "/usr/local/nsd4/etc/nsd/zones.list"
    ...

remote-control:
    control-enable: yes
    control-interface: "127.0.0.1"
    control-port: 8952
    server-key-file: "/usr/local/nsd4/etc/nsd/nsd_server.key"
    server-cert-file: "/usr/local/nsd4/etc/nsd/nsd_server.pem"
    control-key-file: "/usr/local/nsd4/etc/nsd/nsd_control.key"
    control-cert-file: "/usr/local/nsd4/etc/nsd/nsd_control.pem"

pattern:
    name: "sl"
    zonefile: "sl-hosts/%s.zone"
    request-xfr: 10.0.12.1 NOKEY
    request-xfr: 10.1.43.5 NOKEY
    provide-xfr: 0.0.0.0/0 NOKEY

pattern:
    name: "pdns"
    zonefile: "slaves/%1/%s.zone"
    request-xfr: 192.168.1.3 NOKEY
    request-xfr: 192.168.1.4 NOKEY

The pattern: stanzas apply one set of options to many zones, i.e. they configure zones as groups.
DNS zones are typically served by more than one server.
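As an added example (not code from the original post), the following script shows how a zone list exported from a provisioning system can be fed into NSD4's patterns through nsd-control, the remote-control client that the remote-control: stanza above enables. The pattern names "sl" and "pdns" are taken from the nsd.conf above; the zone list itself is a constructed sample, and two of its lines are deliberately malformed to show that validation drops them before any command is generated.

```sh
#!/bin/sh
# Added example, not part of the original post: feed a zone list exported from
# a provisioning system into NSD4 through nsd-control, one addzone per zone.
# Assumptions: the pattern names "sl" and "pdns" come from the nsd.conf above;
# remote-control is enabled there, so nsd-control can reach the server.

# Constructed sample export, "<zone> <pattern>" per line. The last two lines
# are deliberately malformed to show that they never reach the shell.
ZONELIST='example.com sl
example.net sl
example.org pdns
bad zone sl
example.com;id pdns
'

# Accept only hostname-shaped zone names (letters, digits, hyphens, dots).
valid_zone() {
  printf '%s' "$1" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.?$'
}

# Print one "nsd-control addzone <zone> <pattern>" line per valid entry.
# Anything malformed or pointing at an unknown pattern is reported on stderr
# and dropped, so the generated commands can be reviewed and then piped to sh.
gen_addzone_cmds() {
  printf '%s' "$1" | while IFS=' ' read -r zone pattern extra; do
    [ -n "$zone" ] || continue
    if [ -n "$extra" ] || ! valid_zone "$zone"; then
      printf 'skipping malformed line: %s %s %s\n' "$zone" "$pattern" "$extra" >&2
      continue
    fi
    case "$pattern" in
      sl|pdns) printf 'nsd-control addzone %s %s\n' "$zone" "$pattern" ;;
      *) printf 'skipping unknown pattern %s for %s\n' "$pattern" "$zone" >&2 ;;
    esac
  done
  return 0
}

# Usage: review first, apply second.
#   gen_addzone_cmds "$ZONELIST"        # prints the commands
#   gen_addzone_cmds "$ZONELIST" | sh   # runs them against NSD4
```

Generating the commands as text and only then piping them to sh keeps the review step in the loop; the pattern whitelist in the case statement means a typo in the export cannot attach a zone to a pattern that was never meant to serve it.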
Files can be included using the include: directive. If BIND is your master, you could use BIND's statistics server and, as Tony points out in the comments below, Paul Vixie's metazones solve the "transport" of a zone list as well. Other typical ways include writing a small program to slurp through the provisioning system, dump a list of zones, etc.

NSD is a name server implementation developed and maintained by NLnet Labs in cooperation with RIPE. NSD is an authoritative-only DNS implementation, and is memory efficient, secure and fairly straightforward.

Zone configuration on the master (the slave is 1.169, the master sends from 1.172):

zone:
    name: "example.com"
    zonefile: "e/db.example.com"
    notify: 1.169 tsig-testtsig
    provide-xfr: 1.169 tsig-testtsig
    outgoing-interface: 1.172

# cd /var/chroot/nsd/zonefiles
# ls -arlt e
total 16
drwxr-xr-x.

Either define an appropriate SELinux ruleset, or set it to disabled or permissive, again depending upon the security requirements of the server.

Configuration on the slave:

# vi /usr/local/nsd/etc/nsd/

server:
    ip-address: 0.0.0.0
    hide-version: yes
    chroot: "/var/chroot/nsd"
    username: nsd
    zonesdir: "/var/chroot/nsd/zonefiles"
    difffile: "/var/chroot/nsd/db/nsd/ixfr.db"
    xfrdfile: "/var/chroot/nsd/db/nsd/xfrd.state"
    pidfile: "/var/chroot/nsd/db/nsd/nsd.pid"
    database: "/var/chroot/nsd/db/nsd/nsd.db"
    verbosity: 2

key:
    name: tsig-testtsig
    algorithm: hmac-sha1
    secret: "0915i GWHa1BQ12kkx D57/7fqc J0="

zone:
    name: "example.com"
    zonefile: "e/db.example.com"
    allow-notify: 1.172 tsig-testtsig
    allow-notify: 127.0.0.1 NOKEY
    request-xfr: 1.172 tsig-testtsig

The slave's log shows the notify arriving and the TSIG-verified transfer being committed:

Feb 4 dolan nsd: Notify received and accepted, forward to xfrd
Feb 4 dolan nsd: Handle incoming notify for zone
Feb 4 dolan nsd: xfrd: zone written received XFR from 1.172 with serial 2013020603 to disk
Feb 4 dolan nsd: xfrd: zone committed "xfrd: zone received update to serial 2013020603 at time 1359946077 from 1.172 in 1 parts TSIG verified with key tsig-testtsig"

# /usr/local/nsd/sbin/nsdc patch
reading database
reading updates to database
writing changed zones
writing zone to file e/db.done
zonec: reading zone "example.com".

This has been a very brief introduction and has really only just scraped the surface of what is a very mature and robust piece of technology.

unbound.conf(5)                 unbound 1.6.5                 unbound.conf(5)

NAME
    unbound.conf - Unbound configuration file.

Stop the server with:

    $ kill `cat /etc/unbound/unbound.pid`

Below is a minimal config file.