:: Re: [DNG] Clarification please
Author: Rick Moen
Date:  
To: dng
Subject: Re: [DNG] Clarification please
Quoting g4sra via Dng (dng@???):

> Can anybody suggest a suitable authoritative/recursive DNSSEC
> supporting name server for SOHO domain use on embedded systems. What
> I am looking for is something like dnsmasq.


dnsmasq, it should be noted, is _just_ a forwarder. It forwards
outbound queries to one or more IP-identified recursive servers you
specify. Those recursive servers do the actual work.

Respectable recursive(-only) nameserver packages (that are open source):

o Unbound
o PowerDNS-recursor
o dnscache (from the djbdns suite), if patched to modern standards
o Deadwood
o Knot Resolver
o Bundy recursive portion (but it's probably scary betaware)

Respectable authoritative(-only) nameserver packages (that are open
source):

o NSD
o PowerDNS Authoritative Server
o MaraDNS authoritative portion
o rbldnsd
o YADIFA
o MyDNS-NG (which also does forwarding of out-of-bailiwick queries)
o ldapdns
o Knot DNS
o gdnsd
o dnsjava
o tinydns (from the djbdns suite), if patched to modern standards
o Bundy authoritative portion (but it's probably scary betaware)

(Something that becomes apparent as one studies this field is that
writing an authoritative daemon is relatively easy and many folks have
done it. Writing a recursive daemon without messing up is difficult,
so there are far fewer successful examples.)

I maintain a bestiary of all known DNS software for Linux, here:
http://linuxmafia.com/faq/Network_Other/dns-servers.html
The above list is extracted from it.

The page is still missing one peculiar^W innovative package, called
Ironsides. Coverage is coming, Real Soon Now.

I _hope_ the page is reasonably clear and complete about DNSSEC support,
but: Errare humanum est, sed perseverare autem diabolicum.

FWIW, I am no longer comfortable with the idea of a combined
authoritative/recursive server on a publicly exposed static IP.
That has been deprecated for long decades as bad security, particularly
because it increases the risk of cache poisoning of the recursive
server. IMO, a LAN connected to public networks, even a small one,
ought to have the authoritative service on a separate, public-facing
host, and the recursive service on a protected, internal-network machine
that is as shielded from public networks as possible.

I have personal experience with: BIND9 (and predecessors), NSD,
Unbound, PowerDNS Recursor, PowerDNS Authoritative Server, dnscache,
tinydns. I can enthusiastically recommend NSD and PowerDNS Server.
Before a recent troubling thing with Unbound where the developers made a
dumb decision to accommodate containerising, I was a huge Unbound
cheerleader and might be again.

Necessary disclaimer: I'm personal friends with Deadwood/MaraDNS author
Sam Trenholme (but have yet to substantially deploy his software).


As an administrator whose experience with BIND goes all the way back to
BIND4 days, I know well that it's the path of least resistance to just
deploy a do-it-all nameserver package like BIND9, but that's been known
to be a bad idea for a long time, and it's past time to stop doing that.

-- 
Cheers,                            "Rand Paul being patient zero for a Senate 
Rick Moen                          viral outbreak is a sign of a writers' room 
rick@???                dropping too much acid, late in the season."
McQ! (4x80)                                        -- @owillis (Oliver Willis)
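As an added illustration of the split the post argues for (this is not the author's configuration nor shipped by any of the projects named; every address, interface and zone name below is a constructed placeholder): an Unbound resolver on an internal host that listens only on the LAN, validates DNSSEC and refuses everyone else, dnsmasq on the gateway acting purely as a forwarder to it, and NSD on the public-facing host serving the zone with no recursion on offer.

```conf
# ---- /etc/unbound/unbound.conf  (internal host, LAN address 192.168.10.2) ----
server:
    # Bind only the LAN address; nothing is listening on a public interface.
    interface: 192.168.10.2
    port: 53
    do-udp: yes
    do-tcp: yes

    # Refuse all sources except the LAN. Unmatched sources are refused by
    # default, but the explicit deny keeps a later edit from widening it.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow

    # DNSSEC validation; the root trust anchor is kept current by RFC 5011.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no          # bogus answers are SERVFAIL, not returned
    harden-dnssec-stripped: yes      # reject answers whose DNSSEC data was removed
    harden-glue: yes                 # only trust glue that is within bailiwick
    qname-minimisation: yes          # send upstream only as much of the name as needed

    # Give away nothing about the daemon to whoever does reach it.
    hide-identity: yes
    hide-version: yes

# ---- /etc/dnsmasq.conf  (gateway; forwarder only, as the post describes) ----
# Ignore /etc/resolv.conf so ISP resolvers are never used as upstream.
no-resolv
# The one upstream: the validating resolver on the internal host.
server=192.168.10.2
# Pass the DO/AD bits through so LAN clients see the validation result.
proxy-dnssec
# Only answer on the LAN side of the gateway.
listen-address=192.168.10.1
bind-interfaces

# ---- /etc/nsd/nsd.conf  (public-facing host, 203.0.113.5) ----
# NSD is authoritative-only, so there is no recursive cache here to poison.
server:
    ip-address: 203.0.113.5
    hide-version: yes
zone:
    name: "example.com"              # placeholder zone name
    zonefile: "example.com.zone"
```

The internal Unbound never sees traffic from the public address, so the cache-poisoning exposure the post describes is confined to a host that answers only for the LAN.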