#arpnetworks 2016-10-19,Wed


Who What When
*** Seju has quit IRC (Remote host closed the connection) [09:04]
............................................. (idle for 3h44mn)
<up_the_irons> Anyone use the Knot DNS server? I have it running some slave zones now. Super clean docs and syntax, I couldn't help myself. [12:48]
<mike-burns> Is that YAML? [12:49]
<brycec> brycec is still a fan of nsd on OpenBSD [12:52]
<mercutio> apparently using nsd and knot is a good idea
<mercutio> in case one has bugs
<mercutio> i'm not sure if i agree with that as much as i used to
<mercutio> that said, bind keeps getting crashing bugs :)
<mercutio> https://news.ycombinator.com/item?id=8203857
<mercutio> this is what i found about it
<mercutio> hackers news has quite a lot of interesting talk somehow [12:53]
....... (idle for 34mn)
<up_the_irons> mike-burns: that's a good question, kinda looks like it [13:30]
<dne> up_the_irons: yes, I've got a knotd running - haven't had any issues with it, but I still prefer nsd [13:32]
<up_the_irons> dne: ah
<up_the_irons> dne: why do you still prefer nsd? and if you do, why did you try knot? [13:32]
<mercutio> i specifically was looking for nsd vs knotd on google to no avail :) [13:35]
<dne> I tried it out of curiosity I guess. nsd feels simpler and more lightweight. also it's not gpl like knot :) [13:35]
<up_the_irons> ah OK
<up_the_irons> interesting, i felt Knot was lighter weight [13:36]
<dne> probably not a significant difference
<dne> I've got very few zones anyway [13:40]
<up_the_irons> yeah [13:45]
<nathani> why would knot get deleted from FreeBSD Ports? https://www.freshports.org/dns/knot [13:47]
<mercutio> probably because it's not being kept up to date
<mercutio> freebsd has a lot of stale ports [13:48]
<brycec> nsd serving a single zone authoritatively is using <32MB RAM (nsd-control stats: size.db.mem=30200 size.config.mem=2960) and basically 0 CPU load (less CPU than ntp or cron) [13:48]
<mercutio> they have a lot of ports in general [13:48]
<brycec> (On an OpenBSD host) [13:48]
<mercutio> aur in arch linux is a bit similar [13:48]
<nathani> apparently they split it into knot1 and knot2 packages
<nathani> still there [13:49]
<brycec> nathani: Was about to point that out :p [13:49]
<mercutio> oh [13:49]
<nathani> next time I shall pkg search [13:50]
<mercutio> brycec: that is very memory hungry compared to tinydns
<mercutio> tinydns serving multiple domains is < 1 MB per instance on openbsd :) [13:50]
<plett_> Is anyone doing DNSSEC? That's my next project for my personal domains [13:52]
*** plett_ is now known as plett [13:52]
<brycec> I have to imagine most of that memory footprint is consumed by libssl, libcrypto, libevent, and libc
<brycec> (sums to 11.9MB) Okay so it's not super-light. [13:52]
<mercutio> oh it's not like it's high brycec :) [13:53]
<nathani> DNSSEC is more of a pain than utility/security - DNS breaks so often when it is misconfigured [13:53]
<mercutio> hmm, it appears theguardian is working again [13:54]
<plett> nathani: So don't misconfigure it :)
<plett> This is why I want to test it on personal stuff before doing it on anything important [13:55]
<nathani> cloudflare does dnssec [13:55]
<mike-burns> I did DNSSEC on one domain for three months, and then it broke and I gave up. [13:55]
<nathani> I would go with other dns providers before doing it myself [13:56]
<mercutio> when is dnscurve going to take off? :) [13:56]
<nathani> ZSK KSK, rollover etc - just too many things to go wrong [13:56]
<plett> That's about the point I've got to. I've set up DNSSEC a couple of times on a test domain and then left it to see how what I've set up for key rollover works from cron. It never does, and then I don't revisit it [13:57]
<dne> plett: I'm testing knot's automatic dnssec signing - pretty painless, but you have to keep your keys on the server [13:57]
<plett> I've done that two or three times now
<plett> dne: I was going to use PowerDNS's automatic signing. I haven't used knot, I'll add it to the list of things to look at [13:57]
*** fIorz has quit IRC (Ping timeout: 258 seconds) [13:59]
<plett> dne: Are your slaves knot as well, or are you slaving to different software? [14:01]
<dne> the slaves are nsd [14:01]
<plett> Does that transfer to the slave using AXFR? And does that work okay with signed zones on the master? [14:02]
<dne> sorry was misremembering, there's only one slave, which is bind I believe (using esgob.com's free secondary dns service) [14:03]
*** fIorz_ has joined #arpnetworks [14:06]
<dne> transfer seems to work ok with axfr
<dne> for the signed zone [14:07]
<plett> Cool. Are you using automatic signing, or do you pre-sign all your records? [14:08]
<dne> automatic [14:08]
*** fIorz_ is now known as fIorz [14:08]
<plett> Sounds like that would work for me too
<plett> Thanks. I'll add that to my list of things to play with :) [14:08]
<dne> have fun :) [14:10]
<up_the_irons> the top star'd docker image for nsd is only like an 11MB image. runs alpine. [14:15]
............................................................................ (idle for 6h16mn)
*** Seji has joined #arpnetworks [20:31]
