Alexandre Maumené
2012-Jun-08 09:24 UTC
[nsd-users] Best practices to switch from BIND to NSD
Hi,

I'm a sys admin and currently working for a French hosting company. We provide DNS services to our customers and at the moment we are using BIND on Debian servers. BIND is good software, but we don't need a recursing DNS for our public DNS, and we needed better security than what BIND provides. So I made the suggestion to replace BIND with another DNS software. NSD appears to be the best alternative.

I'm currently writing some scripts to help the migration process, but I'd like to know if something already exists to help me in this task. If not, I will probably make my scripts public and post them to this mailing list.

I also would like to know if you have some best practices about NSD in general.

Thanks in advance.

Alexandre Maumené
----------------------------------------------------------
P./ +33.1.49.70.86.12
M./ alexandre at enovance.com
W./ www.enovance.com
S./ enovance-alexandre.maumene
eNovance SAS - 10 rue de la Victoire 75009 Paris - France
----------------------------------------------------------
Anand Buddhdev
2012-Jun-08 09:48 UTC
[nsd-users] Best practices to switch from BIND to NSD
On 08/06/2012 11:24, Alexandre Maumené wrote:

Hi Alexandre,

> I'm a sys admin and currently working for a french hosting company. We
> provide DNS services to our customers and at the moment we are using BIND
> on Debian servers. BIND is a good software but we don't need a recursing
> DNS for our public DNS, and we needed better security than what BIND provides.
> So I made the suggestion to replace BIND by another DNS software.
> NSD appears to be the best alternative.
>
> I'm currently writing some scripts to help the migration process, but I'd
> like to know if something already exists to help me in this task. If not I
> probably will make my scripts public and post it to this mailing-list.
>
> I also would like to know if you have some best-practices about NSD in
> general.

In general, NSD works well as a replacement for BIND as an authoritative-only server. However, it lacks one feature, which may or may not be important to you: you cannot add zones to, or remove them from, NSD without a restart. If you want to add a new zone, or remove one, you have to stop NSD completely, rebuild the zone database, and then start it again. This will cause downtime. Keep this in mind when making your switch to NSD.

Regards,
Anand Buddhdev
RIPE NCC
> I'm a sys admin and currently working for a french hosting company. We
> provide DNS services to our customers and at the moment we are using BIND
> on Debian servers. BIND is a good software but we don't need a recursing
> DNS for our public DNS, and we needed better security than what BIND provides.

As you probably know, you can disable recursion in BIND, thus making it authoritative only. :)

> So I made the suggestion to replace BIND by another DNS software.
> NSD appears to be the best alternative.

NSD is indeed an excellent choice. There is one thing you must be aware of: you can't add/remove zones to NSD on-the-fly. You have to configure them in `nsd.conf' (or an included file) and then rebuild NSD's database. If you can live with that, you should be set to go.

> I'm currently writing some scripts to help the migration process, but I'd
> like to know if something already exists to help me in this task. If not I
> probably will make my scripts public and post it to this mailing-list.

I'm not really aware of any scripts... Basically it's a matter of listing your zones and creating nsd.conf "zone" stanzas. A bit of [ ls | {awk|perl} ] will probably get you going pretty quickly.

> I also would like to know if you have some best-practices about NSD in
> general.

I recommend you look at past postings in the archive of this mailing list.

Good luck!

-JP

PS: And if you do need recursive service somewhere on your network, I greatly recommend you look at Unbound, also by NLnet Labs.
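JP's suggestion above is to list the zones and generate the nsd.conf "zone" stanzas with a bit of awk. The script below is an added example, not code from this thread or from NLnet Labs: it reads the `zone` declarations of a BIND named.conf (the layout it assumes is stated in the comments) and prints the matching NSD stanzas, carrying a slave zone's masters over as `allow-notify` and `request-xfr` entries. The names `bind2nsd` and `sample_named_conf` and the sample named.conf are constructed for the example.

```shell
# Added example (not an NSD or BIND tool): emit NSD "zone:" stanzas from the
# "zone" declarations in a BIND named.conf. Assumes zones written as
#   zone "name" { type master|slave; file "..."; masters { ip; ... }; };
# and zone files NSD can load unchanged (plain RFC 1035 master files, no $GENERATE).
bind2nsd() {
    awk '
    function emit(   i, n, m) {
        printf "zone:\n\tname: \"%s\"\n\tzonefile: \"%s\"\n", name, file
        if (type == "slave" || type == "secondary") {
            # a BIND slave becomes an NSD secondary: accept NOTIFY from, and request AXFR/IXFR from, each master
            n = split(masters, m, " ")
            for (i = 1; i <= n; i++) {
                printf "\tallow-notify: %s NOKEY\n", m[i]
                printf "\trequest-xfr: %s NOKEY\n", m[i]
            }
        }
        printf "\n"
    }
    !inzone && /^[[:space:]]*zone[[:space:]]+"/ {   # zone block starts: record name, reset fields
        name = $0; sub(/^[[:space:]]*zone[[:space:]]+"/, "", name); sub(/".*/, "", name)
        type = ""; file = ""; masters = ""; inmasters = 0; inzone = 1; depth = 0
    }
    inzone && /type[[:space:]]+[a-z]+[[:space:]]*;/ {
        type = $0; sub(/.*type[[:space:]]+/, "", type); sub(/[[:space:]]*;.*/, "", type)
    }
    inzone && /file[[:space:]]+"/ { file = $0; sub(/.*file[[:space:]]+"/, "", file); sub(/".*/, "", file) }
    inzone && /masters[[:space:]]*[{]/ { inmasters = 1 }
    inzone && inmasters {   # collect IPv4 literals until the masters block closes
        n = split($0, tok, /[^0-9.]+/)
        for (i = 1; i <= n; i++) if (tok[i] ~ /^[0-9]+\.[0-9.]+$/) masters = masters " " tok[i]
        if ($0 ~ /[}]/) inmasters = 0
    }
    inzone {   # brace depth returns to zero when the zone block closes
        depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
        if (depth == 0) { if (type ~ /^(master|slave|primary|secondary)$/) emit(); inzone = 0 }
    }
    '
}
sample_named_conf() {   # constructed input, not a real configuration
    cat <<'EOF'
zone "example.com" { type master; file "/etc/bind/db.example.com"; };
zone "example.net" {
    type slave; file "/var/cache/bind/db.example.net";
    masters { 192.0.2.1; 192.0.2.2; };
};
zone "." { type hint; file "/etc/bind/db.root"; };
EOF
}
if [ $# -gt 0 ]; then bind2nsd < "$1"; else sample_named_conf | bind2nsd; fi
```

Run it with the path to your named.conf (or named.conf.local) as the argument; hint zones are skipped since an authoritative-only server has no use for them, and the generated stanzas still have to be pulled into nsd.conf (for instance via `include:`) followed by the database rebuild both replies mention.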