Dear All,

Let me give you a little background as to what I am trying to achieve.

1. The domain which I want the Authoritative Name server to serve for is sgsits.ac.in.
2. The ERNET India (ac.in) is the domain name registrar for academic institutes here in India.
3. We are hosting our Website, Email and Moodle servers, for which right now djbdns is acting as the authoritative name server.
4. Although djbdns has been working fine for the last ten years (I must say it is a brilliantly crafted DNS server), it lacks some security features which are now a must (e.g. DNSSEC).
5. I want to migrate this name server to NSD, with all the security features and high availability, so that it meets the current requirements.

Can anybody please tell me how to plan for this migration so that I have minimum downtime? Moreover, I want to build a setup with NSD so that it runs smoothly for the next 10 years. Of course I also want to know how to keep on upgrading; that will be an issue I need to consider.

I am reading the only source of information, the man pages on NLNET's website, although there are a few tutorials available (e.g. Calomel).

Thank you all.

Mukul

On Mon, Jun 7, 2021 at 12:02 AM Mukul Shukla <mukulmanet at gmail.com> wrote:
> Hi Ondřej,
>
> Thanks for such encouraging words.
> Gave me a lot of confidence.
> It's decided at my end. I will try to migrate my University DNS
> authoritative setup to a much improved NSD setup, of course with the help of
> all the members here.
> Thanks again.
>
> Mukul
>
> On Sun, Jun 6, 2021 at 10:57 PM Ondřej Surý <ondrej at sury.org> wrote:
>
>> Hi Mukul,
>>
>> don't worry - the community here is friendly and helpful and you should
>> not run into any hard problems. Take it as an opportunity to learn
>> something new!
>>
>> Ondřej
>> - former Knot DNS team lead
>> - current BIND 9 team lead
>> --
>> Ondřej Surý <ondrej at sury.org> (He/Him)
>>
>> On 6. 6. 2021, at 18:50, Mukul Shukla via nsd-users <
>> nsd-users at lists.nlnetlabs.nl> wrote:
>>
>> Dear All,
>>
>> There are very few articles/tutorials on NSD. This is making me nervous
>> to adopt it for long use. If I am stuck, there is no help to refer to.
>> Man pages are just not sufficient for people like me who don't have
>> much experience of system administration and implementing a DNS
>> Authoritative Server in particular. Other DNS implementations have very
>> good manuals. For the kind of software NSD is, there should have been books
>> written on it.
>>
>> Mukul
>>
>> On Sun, Jun 6, 2021 at 9:06 PM Anand Buddhdev via nsd-users <
>> nsd-users at lists.nlnetlabs.nl> wrote:
>>
>>> On 06/06/2021 16:26, mj via nsd-users wrote:
>>>
>>> Hi MJ,
>>>
>>> > Actually: we are in a similar situation. We're currently running bind9,
>>> > and were interested in switching to NSD for the authoritative dns
>>> > services, but it seems that you have to compile newer releases (with
>>> > security fixes etc) yourself, or is there a repo somewhere we're
>>> > missing?
>>> >
>>> > We're on debian 10. Is it recommended to simply install the NSD that
>>> > debian comes with, and rely on debian for the security fixes?
>>>
>>> Debian packages are often well behind upstream releases. For example,
>>> Debian 10 (buster) still has NSD 4.1.26, whereas the upstream version is
>>> 4.3.6.
>>>
>>> However, for Debian, there's usually a repository called backports. If
>>> you enable it, you can get newer versions of packages. For example,
>>> "buster-backports" currently has NSD 4.3.5 in it. You could also enable
>>> the "experimental" repo and get the latest 4.3.6 release.
>>>
>>> Regards,
>>> Anand
>>> _______________________________________________
>>> nsd-users mailing list
>>> nsd-users at lists.nlnetlabs.nl
>>> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
Frank Habicht
2021-Jun-06 20:42 UTC
[nsd-users] Building Up DNS server with NSD; Migration
Hi Mukul,

it is good you shared some detail.

DNS has good ways of implementing redundancies and achieving high availability.
You can set up new separate servers and test their functionality thoroughly
[like Kaulkwappe described], even before telling any outsider about them.
I'm just afraid getting the necessary public IP (IPv4) addresses might be an
issue for you - if your organisation really only has 16 -- [1]

One of the important ways towards high availability is to *not* put all the
authoritative name servers in the same place (ie all eggs in the same basket).
This seems to be the case currently [2]. More elaborate advice is in RFC2182 -- [3].
It looks like all current authoritative servers are on directly sequential IP
addresses and one could guess that probably the outage of one router could
cause all of them to become unreachable.

I'd try to get a friendly organisation or your upstream provider to provide
secondary name service for your domain(s), with automatic updates of zone
data / changes from you to that server.

This is of course not what you were asking (how to run *your* servers), but a
valid consideration for the person/team responsible for the overall
availability of the domain in DNS.

But since this is the mailing list for NSD, I should mention that another
mailing list: https://lists.dns-oarc.net/mailman/listinfo/dns-operations
would be more appropriate for the general DNS questions.

Regards,
Frank

[1] inetnum: 14.139.250.80 - 14.139.250.95
[2] dig sgsits.ac.in. ns
[3] https://datatracker.ietf.org/doc/html/rfc2182

On 06/06/2021 22:16, Mukul Shukla via nsd-users wrote:
> Dear All,
>
> Let me give you a little background as to what I am trying to achieve.
>
> 1. The domain which I want the Authoritative Name server to serve for is
> sgsits.ac.in <http://sgsits.ac.in>.
> 2. The ERNET India (ac.in <http://ac.in>) is the domain name registrar
> for academic institutes here in India.
> 3.
> We are hosting our Website, Email and Moodle servers for which right
> now djbdns is acting as an authoritative name server.
> [...]
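Frank's observation [2] can be checked mechanically. The script below is an added example (it is not from the thread and not part of NSD): it groups a zone's NS addresses by covering prefix and reports when every server sits inside one prefix, when a server has no address, or when there are fewer than the two servers RFC 2182 requires as a minimum. The NS names and addresses embedded in it are constructed for illustration, not the real sgsits.ac.in delegation; the `ns_map_from_dig` helper fetches the live data with `dig`, as in footnote [2], when a zone name is given on the command line.

```python
"""RFC 2182 placement check for a zone's NS set.

Added example, standard library only: not code from the thread or from NSD.
The NS names and addresses below are constructed for illustration and are not
the real sgsits.ac.in delegation (fetch that with `dig sgsits.ac.in. ns`).
"""
import ipaddress
import subprocess
import sys
from collections import defaultdict

# Constructed: every server inside the 14.139.250.80/28 block Frank quotes from
# whois, so the outage of one router can take all of them off the net.
ALL_ONE_SITE = {
    "ns1.example.ac.in.": ["14.139.250.81"],
    "ns2.example.ac.in.": ["14.139.250.82"],
    "ns3.example.ac.in.": ["14.139.250.83"],
}

# Constructed: the same two on-site servers plus an off-site secondary run by a
# friendly organisation (documentation prefixes 203.0.113.0/24 and 2001:db8::/32).
WITH_OFFSITE = {
    "ns1.example.ac.in.": ["14.139.250.81"],
    "ns2.example.ac.in.": ["14.139.250.82"],
    "ns.friend.example.": ["203.0.113.53", "2001:db8:53::53"],
}


def covering_prefix(addr, v4_len=24, v6_len=48):
    """The /24 (or /48 for IPv6) containing addr: a crude stand-in for 'same network'."""
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def group_by_prefix(ns_map, v4_len=24, v6_len=48):
    """Map each covering prefix (as a string) to the sorted NS names inside it."""
    groups = defaultdict(set)
    for ns, addrs in ns_map.items():
        for addr in addrs:
            groups[str(covering_prefix(addr, v4_len, v6_len))].add(ns)
    return {prefix: sorted(names) for prefix, names in groups.items()}


def placement_findings(ns_map, v4_len=24, v6_len=48, min_servers=2):
    """Findings as strings; an empty list means the NS set looks diverse.

    Checks drawn from RFC 2182: enough servers, every server resolvable, and
    servers that are not all reachable through one network prefix.
    """
    findings = []
    if len(ns_map) < min_servers:
        findings.append(f"only {len(ns_map)} NS record(s); RFC 2182 asks for at least {min_servers}")
    for ns, addrs in ns_map.items():
        if not addrs:
            findings.append(f"{ns} has no A/AAAA address")
    groups = group_by_prefix(ns_map, v4_len, v6_len)
    if len(groups) == 1:
        (prefix,) = groups
        n_addrs = sum(len(addrs) for addrs in ns_map.values())
        findings.append(f"all {n_addrs} name-server addresses sit inside {prefix}")
    return findings


def ns_map_from_dig(zone):
    """Build the NS map live with dig, as in Frank's footnote [2]; needs network access."""
    def short(name, rtype):
        out = subprocess.run(["dig", "+short", name, rtype],
                             capture_output=True, text=True, check=True).stdout
        return out.split()

    ns_map = {}
    for ns in short(zone, "NS"):
        addrs = []
        for token in short(ns, "A") + short(ns, "AAAA"):
            try:
                ipaddress.ip_address(token)
                addrs.append(token)
            except ValueError:
                pass  # dig +short also prints CNAME targets on the way to an address
        ns_map[ns] = addrs
    return ns_map


if __name__ == "__main__":
    # With a zone name on the command line, check the live delegation; otherwise
    # evaluate the constructed sample. /28 matches the whois block quoted above.
    target = ns_map_from_dig(sys.argv[1]) if len(sys.argv) > 1 else ALL_ONE_SITE
    for line in placement_findings(target, v4_len=28) or ["NS placement looks diverse"]:
        print(line)
```

Run it with the zone name as the only argument to check the live delegation; without an argument it evaluates the constructed sample. The prefix grouping is a crude proxy for "same network": the whois block Frank quotes is a /28, so `v4_len=28` matches it exactly, while the default /24 catches the more common case of servers on one campus LAN. Two prefixes that are both announced by the same upstream AS remain a single point of failure that this check cannot see, which is why an off-site secondary at a friendly organisation is the fix rather than another address in the same block.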
On 06/06/2021 21:16, Mukul Shukla via nsd-users wrote:

Hi Mukul,

> 4. Although djbdns is working fine since the last ten years (I must say it's a
> brilliantly crafted DNS server), it lacks some security features which are
> now a must (eg. DNSSEC).

I agree. I have used djbdns in the past, and its authoritative component,
tinydns, is very simple and light, and does its job very well.

> 5. I want to migrate this name server to NSD, with all the security features
> and high availability so that it meets the current requirements.

Okay, so let me clarify some things about NSD. It is a very solid and reliable
DNS server. In fact, it powers some of the DNS root name servers, as well as
several ccTLD name servers. The reason you don't hear so much about it is that
mostly it just runs reliably. As with any software, it has bugs, but they are
rare, and are fixed quickly. The documentation is perhaps sparser than that of
BIND or Knot, but it's mostly complete. The NSD user community here is quite
knowledgeable and helpful, so if you ask good and structured questions, you'll
get a lot of help.

But I'd like to point one thing out. You mentioned DNSSEC above. NSD can
certainly serve DNSSEC signed zones. But it does NOT have any signing ability
in it. And it never will. This is what makes NSD so lean, compared to other
servers. If you want to sign your zones, you have to do that with external
tools, such as dnssec-signzone (from BIND), or ldns-signzone (from LDNS). Or
you can install and configure OpenDNSSEC. However, that is certainly no simple
task. OpenDNSSEC is fairly complex.

So if you want to sign your zones with ease, then I'd recommend using another
DNS server such as BIND, Knot DNS or PowerDNS. They all provide authoritative
DNS functionality, but also have signing code in them.

At RIPE NCC, we use BIND, Knot DNS and NSD to serve the root zone as well as
all the reverse DNS zones we operate. It takes quite some work to maintain
equivalent configurations for all three, but I am happy with all three. We do
this for diversity. For DNSSEC signing, we use Knot DNS, and personally, I am
very happy with it. BIND and PowerDNS also automate DNSSEC rather well.

> Can anybody please tell me how to plan for this migration so that I have
> minimum downtime. Moreover, I want to build a setup with NSD so that it
> runs smoothly for the next 10 years. Of course I want to know how to keep on
> upgrading; that will be an issue I need to consider.

Just install NSD (or BIND, Knot or PowerDNS) on your existing servers, and
bring it up on a different port, for testing. Load your zones into your new
name server, test that they're properly loaded and you can query them, and
then you can turn off djbdns, and bring up the new server on port 53.

If doing this on the same server is too complex, then set up completely new
servers. Once tested, you can ask for your delegation to be changed to these
new servers. Or you can just move the IP addresses from the old servers to the
new ones, and avoid a delegation change. Use whichever method you feel
comfortable with.

Regards,
Anand
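Anand's procedure (bring the new server up on a different port, load the zones, check that you can query them, then swap) turns on one test: the candidate must give the same answers as the server it replaces. The script below is an added example, not from the thread and not part of NSD or djbdns, written against the Python standard library only. It sends the same question to both servers, expands compressed names in the answers (two servers may compress differently, so raw bytes cannot be compared), and diffs the answer sections together with the rcode and the AA bit. The old-server address 192.0.2.53, the NSD test instance at 127.0.0.1 port 5353 (NSD's `port:` option in the `server:` section of nsd.conf), the probe list and the two sample responses at the bottom are all assumptions; the samples are constructed bytes, not captured traffic.

```python
"""Answer-parity check for a name-server migration.

Ask the old server (djbdns on port 53) and the candidate (NSD on a test port,
as Anand suggests) the same questions and diff the answer sections. Added
example, standard library only: not code from the thread, NSD or djbdns. The
server addresses, test port and probe list are assumptions; the sample
responses at the bottom are constructed bytes, not captured traffic.
"""
import socket
import struct

TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in TYPES.items()}


def build_query(name, qtype, qid=0x1234):
    """Standard query with RD clear: we ask an authoritative server directly."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPES[qtype], 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer: follow it
            if end is None:
                end = off + 2              # the field itself ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def decode_rdata(msg, rtype, off, rdlen):
    """Presentation form for the types that matter in a migration, hex for the rest."""
    if rtype == 1:
        return socket.inet_ntop(socket.AF_INET, msg[off:off + 4])
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, msg[off:off + 16])
    if rtype in (2, 5):                    # NS, CNAME: a single (maybe compressed) name
        return read_name(msg, off)[0]
    if rtype == 15:                        # MX: preference, exchange
        return f"{struct.unpack('!H', msg[off:off + 2])[0]} {read_name(msg, off + 2)[0]}"
    if rtype == 6:                         # SOA: mname rname serial refresh retry expire minimum
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        return " ".join([mname, rname] + [str(v) for v in struct.unpack("!IIIII", msg[o:o + 20])])
    return msg[off:off + rdlen].hex()


def parse_answers(msg):
    """Return (rcode, aa_bit, frozenset of (owner, type, rdata)); TTLs are ignored."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4   # skip qname, qtype, qclass
    records = set()
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.add((owner, rtype, decode_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return flags & 0x000F, bool(flags & 0x0400), frozenset(records)


def query(server, port, name, qtype, timeout=2.0):
    """One UDP query to server:port; raises socket.timeout if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, port))
        return parse_answers(s.recvfrom(4096)[0])


def diff_answers(old, new):
    """Findings for one question; an empty list means both servers agree."""
    (orc, oaa, orr), (nrc, naa, nrr) = old, new
    findings = []
    if orc != nrc:
        findings.append(f"rcode differs: old={orc} new={nrc}")
    if oaa != naa:
        findings.append(f"AA bit differs: old={oaa} new={naa}")
    for owner, t, rdata in sorted(orr - nrr):
        findings.append(f"missing on new: {owner} {TYPE_NAMES.get(t, t)} {rdata}")
    for owner, t, rdata in sorted(nrr - orr):
        findings.append(f"extra on new: {owner} {TYPE_NAMES.get(t, t)} {rdata}")
    return findings


def _sample(hosts):
    """Constructed authoritative NS response for example.ac.in. with compressed names."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(hosts), 0, 0)   # QR|AA, rcode 0
    question = b"\x07example\x02ac\x02in\x00" + struct.pack("!HH", 2, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(h) + 3)
                   + bytes([len(h)]) + h + b"\xc0\x0c" for h in hosts)
    return hdr + question + rrs


SAMPLE_OLD = _sample([b"ns1", b"ns2"])   # what the old server is assumed to say
SAMPLE_NEW = _sample([b"ns1"])           # the candidate is missing ns2

if __name__ == "__main__":
    OLD, NEW = ("192.0.2.53", 53), ("127.0.0.1", 5353)   # assumptions, see lead-in
    for name, qtype in [("example.ac.in.", "SOA"), ("example.ac.in.", "NS"), ("example.ac.in.", "MX")]:
        report = diff_answers(query(*OLD, name, qtype), query(*NEW, name, qtype))
        print(f"{name} {qtype}: " + ("; ".join(report) or "match"))
```

TTLs are deliberately left out of the comparison, since lowering them ahead of a cut-over is common; add the `_ttl` field to the tuple in `parse_answers` if you want them checked too. For a real run, feed the probe list every owner name and type in the zone (at minimum SOA, NS, MX and the A/AAAA records of the web, mail and Moodle hosts) and repeat the probes over TCP as well, because a candidate that answers UDP but not TCP will still fail zone transfers and large responses once it is on port 53. A clean report for both transports is the point at which Anand's "turn off djbdns, bring up the new server on port 53" step is safe.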