Anyone use the Knot DNS server? I have it running some slave zones now. Super clean docs and syntax, I couldn't help myself.
Is that YAML?
apparently using nsd and knot is a good idea in case one has bugs
i'm not sure if i agree with that as much as i used to
that said, bind keeps getting crashing bugs :)
https://news.ycombinator.com/item?id=8203857 this is what i found about it
Hacker News has quite a lot of interesting talk somehow
mike-burns: that's a good question, kinda looks like it
up_the_irons: yes, I've got a knotd running - haven't had any issues with it, but I still prefer nsd
dne: ah
dne: why do you still prefer nsd? and if you do, why did you try knot? i specifically was looking for nsd vs knotd on google to no avail :)
I tried it out of curiosity I guess. nsd feels simpler and more lightweight. also it's not GPL like knot :)
ah OK interesting, i felt Knot was lighter weight
probably not a significant difference
I've got very few zones anyway
yeah
why would knot get deleted from FreeBSD Ports? https://www.freshports.org/dns/knot
probably because it's not being kept up to date
freebsd has a lot of stale ports
nsd serving a single zone authoritatively is using <32MB RAM (nsd-control stats: size.db.mem=30200 size.config.mem=2960) and basically 0 CPU load (less CPU than ntp or cron)
they have a lot of ports in general
(On an OpenBSD host)
AUR in Arch Linux is a bit similar
apparently they split it into knot1 and knot2 packages
still there
nathani: Was about to point that out :p
oh
next time I shall pkg search
brycec: that is very memory hungry compared to tinydns
tinydns serving multiple domains is < 1 MB per instance on openbsd :)
Is anyone doing DNSSEC? That's my next project for my personal domains
I have to imagine most of that memory footprint is consumed by libssl, libcrypto, libevent, and libc (sums to 11.9MB)
Okay so it's not super-light.
oh it's not like it's high brycec :)
DNSSEC is more of a pain than utility/security - DNS breaks so often when it is misconfigured
hmm, it appears theguardian is working again
nathani: So don't misconfigure it :)
This is why I want to test it on personal stuff before doing it on anything important
cloudflare does dnssec
I did DNSSEC on one domain for three months, and then it broke and I gave up.
I would go with other dns providers before doing it myself
when is dnscurve going to take off? :)
ZSK, KSK, rollover etc - just too many things to go wrong
That's about the point I've got to. I've set up DNSSEC a couple of times on a test domain and then left it to see whether what I've set up for key rollover works from cron. It never does, and then I don't revisit it
plett: I'm testing knot's automatic dnssec signing - pretty painless, but you have to keep your keys on the server
I've done that two or three times now
dne: I was going to use PowerDNS's automatic signing. I haven't used knot, I'll add it to the list of things to look at
dne: Are your slaves knot as well, or are you slaving to different software?
the slaves are nsd
Does that transfer to the slave using AXFR? And does that work okay with signed zones on the master?
sorry, was misremembering, there's only one slave, which is bind I believe (using esgob.com's free secondary dns service)
transfer seems to work ok with axfr for the signed zone
Cool. Are you using automatic signing, or do you pre-sign all your records?
automatic
Sounds like that would work for me too
Thanks. I'll add that to my list of things to play with :)
have fun :)
the top starred docker image for nsd is only like an 11MB image. runs alpine.