[09:04] *** Seju has quit IRC (Remote host closed the connection)
[12:48] Anyone use the Knot DNS server? I have it running some slave zones now. Super clean docs and syntax, I couldn't help myself.
[12:49] Is that YAML?
[12:52] * brycec is still a fan of nsd on OpenBSD
[12:53] apparently using nsd and knot is a good idea
[12:53] in case one has bugs
[12:54] i'm not sure if i agree with that as much as i used to
[12:54] that said, bind keeps getting crashing bugs :)
[12:56] https://news.ycombinator.com/item?id=8203857
[12:56] this is what i found about it
[12:56] hacker news has quite a lot of interesting talk somehow
[13:30] mike-burns: that's a good question, kinda looks like it
[13:32] up_the_irons: yes, I've got a knotd running - haven't had any issues with it, but I still prefer nsd
[13:32] dne: ah
[13:33] dne: why do you still prefer nsd? and if you do, why did you try knot?
[13:35] i specifically was looking for nsd vs knotd on google to no avail :)
[13:35] I tried it out of curiosity I guess. nsd feels simpler and more lightweight. also it's not gpl like knot :)
[13:36] ah OK
[13:36] interesting, i felt Knot was lighter weight
[13:40] probably not a significant difference
[13:40] I've got very few zones anyway
[13:45] yeah
[13:47] why would knot get deleted from FreeBSD Ports? https://www.freshports.org/dns/knot
[13:48] probably because it's not being kept up to date
[13:48] freebsd has a lot of stale ports
[13:48] nsd serving a single zone authoritatively is using <32MB RAM (nsd-control stats: size.db.mem=30200 size.config.mem=2960) and basically 0 CPU load (less CPU than ntp or cron)
[13:48] they have a lot of ports in general
[13:48] (On an OpenBSD host)
[13:48] aur in arch linux is a bit similar
[13:49] apparently they split it into knot1 and knot2 packages
[13:49] still there
[13:49] nathani: Was about to point that out :p
[13:49] oh
[13:50] next time I shall pkg search
[13:50] brycec: that is very memory hungry compared to tinydns
[13:51] tinydns serving multiple domains is < 1 MB per instance on openbsd :)
[13:52] Is anyone doing DNSSEC? That's my next project for my personal domains
[13:52] *** plett_ is now known as plett
[13:52] I have to imagine most of that memory footprint is consumed by libssl, libcrypto, libevent, and libc
[13:53] (sums to 11.9MB) Okay so it's not super-light.
[13:53] oh it's not like it's high brycec :)
[13:53] DNSSEC is more of a pain than utility/security - DNS breaks so often when it is misconfigured
[13:54] hmm, it appears theguardian is working again
[13:55] nathani: So don't misconfigure it :)
[13:55] This is why I want to test it on personal stuff before doing it on anything important
[13:55] cloudflare does dnssec
[13:55] I did DNSSEC on one domain for three months, and then it broke and I gave up.
[13:56] I would go with other dns providers before doing it myself
[13:56] when is dnscurve going to take off? :)
[13:56] ZSK, KSK, rollover etc - just too many things to go wrong
[13:57] That's about the point I've got to. I've set up DNSSEC a couple of times on a test domain and then left it to see how what I've set up for key rollover works from cron. It never does, and then I don't revisit it
[13:57] plett: I'm testing knot's automatic dnssec signing - pretty painless, but you have to keep your keys on the server
[13:57] I've done that two or three times now
[13:57] dne: I was going to use PowerDNS's automatic signing. I haven't used knot, I'll add it to the list of things to look at
[13:59] *** fIorz has quit IRC (Ping timeout: 258 seconds)
[14:01] dne: Are your slaves knot as well, or are you slaving to different software?
[14:01] the slaves are nsd
[14:02] Does that transfer to the slave using AXFR? And does that work okay with signed zones on the master?
[14:03] sorry was misremembering, there's only one slave, which is bind I believe (using esgob.com's free secondary dns service)
[14:06] *** fIorz_ has joined #arpnetworks
[14:07] transfer seems to work ok with axfr
[14:07] for the signed zone
[14:08] Cool. Are you using automatic signing, or do you pre-sign all your records?
[14:08] automatic
[14:08] *** fIorz_ is now known as fIorz
[14:08] Sounds like that would work for me too
[14:10] Thanks. I'll add that to my list of things to play with :)
[14:10] have fun :)
[14:15] the top star'd docker image for nsd is only like an 11MB image. runs alpine.
[20:31] *** Seji has joined #arpnetworks