↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |
Who | What | When | |
---|---|---|---|
*** | Seju has quit IRC (Remote host closed the connection) | [09:04] | |
............................................. (idle for 3h44mn) | |||
up_the_irons | Anyone use the Knot DNS server? I have it running some slave zones now. Super clean docs and syntax, I couldn't help myself. | [12:48] | |
mike-burns | Is that YAML? | [12:49] | |
brycec | brycec is still a fan of nsd on OpenBSD | [12:52] | |
mercutio | apparently using nsd and knot is a good idea
in case one has bugs i'm not sure if i agree with that as much as i used to that said, bind keeps getting crashing bugs :)
this is what i found about it hackers news has quite a lot of interesting talk somehow | [12:53] | |
....... (idle for 34mn) | |||
up_the_irons | mike-burns: that's a good question, kinda looks like it | [13:30] | |
dne | up_the_irons: yes, I've got a knotd running - haven't had any issues with it, but I still prefer nsd | [13:32] | |
up_the_irons | dne: ah
dne: why do you still prefer nsd? and if you do, why did you try knot? | [13:32] | |
mercutio | i specificially was looking for nsd vs knotd on google to no avail :) | [13:35] | |
dne | I tried it out of curiosity I guess. nsd feels simpler and more lightweight. also it's not gpl like knot :) | [13:35] | |
up_the_irons | ah OK
interesting, i felt Knot was lighter weight | [13:36] | |
dne | probably not a significant difference
I've got very few zones anyway | [13:40] | |
up_the_irons | yeah | [13:45] | |
nathani | why would knot get deleted from FreeBSD Ports? https://www.freshports.org/dns/knot | [13:47] | |
mercutio | probably because it's not being kept up to date
freebsd has a lot of stale ports | [13:48] | |
brycec | nsd serving a single zone authoritatively is using <32MB RAM (nsd-control stats: size.db.mem=30200 size.config.mem=2960) and basically 0 CPU load (less CPU than ntp or cron) | [13:48] | |
mercutio | they have a lot of ports in general | [13:48] | |
brycec | (On an OpenBSD host) | [13:48] | |
mercutio | aur in arch linux is a bit similar | [13:48] | |
nathani | apparently they split it into knot1 and knot2 packages
still there | [13:49] | |
brycec | nathani: Was about to point that out :p | [13:49] | |
mercutio | oh | [13:49] | |
nathani | next time I shall pkg search | [13:50] | |
mercutio | brycec: that is very memory hungry compared to tinydns
tinydns serving multiple domains is < 1 MB per instance on openbsd :) | [13:50] | |
plett_ | Is anyone doing DNSSEC? That's my next project for my personal domains | [13:52] | |
*** | plett_ is now known as plett | [13:52] | |
brycec | I have to imagine most of that memory footprint is consumed by libssl, libcrypto, libevent, and libc
(sums to 11.9MB) Okay so it's not super-light. | [13:52] | |
mercutio | oh it's not like it's high brycec :) | [13:53] | |
nathani | DNSSEC is more of a pain than utility/security - DNS breaks so often when it is misconfigured | [13:53] | |
mercutio | hmm, it appears theguardian is working again | [13:54] | |
plett | nathani: So don't misconfigure it :)
This is why I want to test it on personal stuff before doing it on anything important | [13:55] | |
nathani | cloudflare does dnssec | [13:55] | |
mike-burns | I did DNSSEC on one domain for three months, and then it broke and I gave up. | [13:55] | |
nathani | I would go with other dns providers before doing it myself | [13:56] | |
mercutio | when is dnscurve going to take off? :) | [13:56] | |
nathani | ZSK KSK,rollover etc - just too many things to go wrong | [13:56] | |
plett | That's about the point I've got to. I've set up DNSSEC a couple of times on a test domain and then left it to see how what I've set up for key rollover works from cron. It never does, and then I don't revisit it | [13:57] | |
dne | plett: I'm testing knot's automatic dnssec signing - pretty painless, but you have to keep your keys on the server | [13:57] | |
plett | I've done that two or three times now
dne: I was going to use PowerDNS's automatic signing. I haven't used knot, I'll add it to the list of things to look at | [13:57] | |
*** | fIorz has quit IRC (Ping timeout: 258 seconds) | [13:59] | |
plett | dne: Are your slaves knot as well, or are you slaving to different software? | [14:01] | |
dne | the slaves are nsd | [14:01] | |
plett | Does that transfer to the slave using AXFR? And does that work okay with signed zones on the master? | [14:02] | |
dne | sorry was misremembering, there's only one slave, which is bind I believe (using esgob.com's free secondary dns service) | [14:03] | |
*** | fIorz_ has joined #arpnetworks | [14:06] | |
dne | transfer seems to work ok with axfr
for the signed zone | [14:07] | |
plett | Cool. Are you using automatic signing, or do you pre-sign all your records? | [14:08] | |
dne | automatic | [14:08] | |
*** | fIorz_ is now known as fIorz | [14:08] | |
plett | Sounds like that would work for me too
Thanks. I'll add that to my list of things to play with :) | [14:08] | |
dne | have fun :) | [14:10] | |
up_the_irons | the top star'd docker image for nsd is only like an 11MB image. runs alpine. | [14:15] | |
............................................................................ (idle for 6h16mn) | |||
*** | Seji has joined #arpnetworks | [20:31] |
↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |