On 20/05/15 16:47, Paul Wouters wrote:
> I have been working on shipping nsd4 in EPEL6 and EPEL7, but no one gave
> me feedback: https://twitter.com/letoams/status/586764009162088448
Hi Paul,
I was just looking at the SPEC file of NSD 4.1.1 in Fedora. I have
noticed some things, and would like to ask you about them:
1. Why do you ship an nsd.cron file? It should not be necessary in NSD4,
because it keeps nsd.db up to date by itself.
2. I see that you're pointing the default log file location to
/var/log/nsd.log, and the corresponding logrotate snippet also wants to
rotate that file. However, NSD drops privilege from "root" to
"nsd", so
it cannot write a log file in /var/log.
It is better to pass the --with-logfile option to configure, and set it
to /var/log/nsd/nsd.log, and create /var/log/nsd writable by nsd. This
is common practice for daemons that drop privilege, so that they can log
properly.
3. You're setting --enable-checking, but I think that's only needed for
debugging, and should not be set for a production build.
4. Does anyone use bind8-stats these days? I'd probably want to disable
that option.
5. --enable-nsec3 and --with-ssl are defaults too, and don't need to be
specified.
6. The chown nsd:nsd of /var/lib/nsd/nsd.db seems unnecessary. What's
the reason for having it there?
7. You're shipping a standard SysV init script, whereas NSD can run just
fine under upstart on CentOS 6. I personally prefer upstart, but I guess
you may want to keep a SysV script for compatibility.
8. In that init script, there's a check for networking at the top, and
then again in the start() function. Seems like a duplicate. Any reason
for this?
9. In the init script's stop() section, you're calling "nsd-control
write". This is not necessary. When nsd4 is running with a database, it
reads from nsd.db on startup, and writes changes to it when zones are
updated, so the plain text copy of the zones isn't needed. If an admin
really needs plain text zones, s/he can call "nsd-control write" by
hand. Alternatively, if nsd4 is running in the "nodb" mode (where the
option "database" is set to an empty string), then nsd writes out
updated zone files every hour automatically, so that it has plain text
zone files to read from at startup. There's usually no need to write out
zones at exit. However, this has the slight disadvantage of starting up
with possibly slightly stale zones, but in most cases they should be
refreshed immediately with XFRs.
I'll leave the choice of whether to write zonefiles or not up to you.
Regards,
Anand
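Point 2 above is the least-privilege detail that most often goes wrong in daemon packaging: once nsd has dropped from root to "nsd" it cannot create or reopen a log file directly under /var/log, so the package has to provide a per-daemon directory the unprivileged user owns. The following is an added example, not code from the thread or from the NSD or Fedora packaging; it prepares such a directory, checks that it has the expected ownership and mode, and emits a logrotate snippet for the relocated log. The directory path, user, group and mode (0750) are assumptions chosen to match the suggestion in the mail.

```shell
#!/bin/sh
# Added example (not part of the thread): set up and audit a log directory
# for a daemon that drops privilege, as suggested for NSD in point 2.
# Assumed values: /var/log/nsd, user/group "nsd", directory mode 0750.
set -eu

# prepare_log_dir DIR OWNER GROUP
# Create DIR owned by OWNER:GROUP with mode 0750, so the daemon can open and
# reopen its log file there after it has given up root.
prepare_log_dir() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir"
    chmod 0750 "$dir"
    chown "$owner:$group" "$dir"
}

# check_log_dir DIR OWNER
# Return 0 if DIR is a directory with mode 0750 owned by OWNER; otherwise
# print the first mismatch found and return 1. Uses only ls/awk/cut so it
# behaves the same on GNU and BSD userlands.
check_log_dir() {
    dir=$1; owner=$2
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"; return 1
    fi
    listing=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    got_owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$mode" != "drwxr-x---" ]; then
        echo "unexpected mode on $dir: $mode (want drwxr-x---)"; return 1
    fi
    if [ "$got_owner" != "$owner" ]; then
        echo "unexpected owner on $dir: $got_owner (want $owner)"; return 1
    fi
    return 0
}

# logrotate_snippet LOGFILE OWNER GROUP
# Print a logrotate stanza for LOGFILE that recreates the rotated file with
# ownership the unprivileged daemon can write to, and asks nsd to reopen its
# log via nsd-control rather than leaving it writing to the rotated inode.
logrotate_snippet() {
    logfile=$1; owner=$2; group=$3
    cat <<EOF
$logfile {
    weekly
    rotate 4
    missingok
    notifempty
    compress
    create 0640 $owner $group
    postrotate
        /usr/sbin/nsd-control log_reopen >/dev/null 2>&1 || true
    endscript
}
EOF
}

# Typical packaging use (requires root; values are the assumed ones):
#   prepare_log_dir /var/log/nsd nsd nsd
#   check_log_dir   /var/log/nsd nsd
#   logrotate_snippet /var/log/nsd/nsd.log nsd nsd > /etc/logrotate.d/nsd
```

The mode check deliberately demands exactly 0750: a world-readable log directory is a common way for a privilege-dropping daemon to leak query data to local users, and a group-writable one lets the group quietly replace files the daemon later opens. The `create 0640 nsd nsd` line matters for the same reason, because logrotate runs as root and would otherwise create the new file root-owned, reproducing the original problem after the first rotation.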