Whilst BIND is a nameserver I use nearly every day, it’s somewhat large and unwieldy being a reference implementation of the DNS spec.
Where possible, I always like to split out resolving and authoritative functionality into two seperate pieces of software. Unbound does a great job in the latter role – also from the authors of NSD, NLnetlabs – so I thought I’d give NSD a go on ns.spoofedpacket.net.
This machine serves only handful of zones, so it’s easy enough to migrate. The transition is made even simpler since NSD supports the old bind zonefile format out of the box. I decided to install NSD from source, following the tried and tested method:
tar zxvf nsd-3.2.4.tar.gz
The dependencies are very few, it should compile without much fuss on nearly any modern *nix system.
By default, all configuration files and zones go into /etc/nsd. There is also an nsd.conf.sample that you can use as a base config. The config file is extremely simple, for a basic setup you only need to look at the server: and the n-number of zone: sections. In the server: section, I only changed the location of the zone files:
At this point, it’s always good practice to organise your zonefiles into directories according to their roles. Here is what I have:
/etc/nsd/zones/slave (nothing here yet)
If you have an old BIND install that you are replacing, it is just a simple matter of copying/moving the existing zonefiles to their new locations. The zones can then be configured in nsd.conf as follows:
notify: 22.214.171.124 NOKEY
provide-xfr: 126.96.36.199 NOKEY
name and zonefile are pretty self explanatory, just remember that the path to your zonefile is always prefixed with the zonesdir statement from earlier on. notify lists all the nameservers you wish to send DNS notifies to when a zone is updated. provide-xfr controls who can carry out zone transfers (AFXR) from your nameserver. The NOKEY statement tells NSD that no cryptographic keys are required to authenticate the notifies or zone transfers between your nameserver and the secondary nameservers.
Once you’ve finished editing nsd.conf, you must now compile your zonefiles into the binary format that NSD understands. This is one of the main reasons for NSDs speed and low footprint:
Verify that nsd is running and serving zones:
pgrep -lf nsd
dig @ns.spoofedpacket.net www.spoofedpacket.net