up_the_irons: Anyone use the Knot DNS server? I have it running some slave zones now. Super clean docs and syntax, I couldn't help myself.
mike-burns: Is that YAML?
-: brycec is still a fan of nsd on OpenBSD
mercutio: apparently using nsd and knot is a good idea
in case one has bugs
i'm not sure if i agree with that as much as i used to
that said, bind keeps getting crashing bugs :)
https://news.ycombinator.com/item?id=8203857
this is what i found about it
Hacker News has quite a lot of interesting talk somehow
up_the_irons: mike-burns: that's a good question, kinda looks like it
dne: up_the_irons: yes, I've got a knotd running - haven't had any issues with it, but I still prefer nsd
up_the_irons: dne: ah
dne: why do you still prefer nsd? and if you do, why did you try knot?
mercutio: i specifically was looking for nsd vs knotd on google to no avail :)
dne: I tried it out of curiosity I guess. nsd feels simpler and more lightweight. also it's not gpl like knot :)
up_the_irons: ah OK
interesting, i felt Knot was lighter weight
dne: probably not a significant difference
I've got very few zones anyway
up_the_irons: yeah
nathani: why would knot get deleted from FreeBSD Ports? https://www.freshports.org/dns/knot
mercutio: probably because it's not being kept up to date
freebsd has a lot of stale ports
brycec: nsd serving a single zone authoritatively is using <32MB RAM (nsd-control stats: size.db.mem=30200 size.config.mem=2960) and basically 0 CPU load (less CPU than ntp or cron)
mercutio: they have a lot of ports in general
brycec: (On an OpenBSD host)
mercutio: aur in arch linux is a bit similar
nathani: apparently they split it into knot1 and knot2 packages
still there
brycec: nathani: Was about to point that out :p
mercutio: oh
nathani: next time I shall pkg search
mercutio: brycec: that is very memory hungry compared to tinydns
tinydns serving multiple domains is < 1 MB per instance on openbsd :)
plett_: Is anyone doing DNSSEC? That's my next project for my personal domains
***: plett_ is now known as plett
brycec: I have to imagine most of that memory footprint is consumed by libssl, libcrypto, libevent, and libc
(sums to 11.9MB) Okay so it's not super-light.
mercutio: oh it's not like it's high brycec :)
nathani: DNSSEC is more of a pain than utility/security - DNS breaks so often when it is misconfigured
mercutio: hmm, it appears theguardian is working again
plett: nathani: So don't misconfigure it :)
This is why I want to test it on personal stuff before doing it on anything important
nathani: cloudflare does dnssec
mike-burns: I did DNSSEC on one domain for three months, and then it broke and I gave up.
nathani: I would go with other dns providers before doing it myself
mercutio: when is dnscurve going to take off? :)
nathani: ZSK, KSK, rollover etc - just too many things to go wrong
plett: That's about the point I've got to. I've set up DNSSEC a couple of times on a test domain and then left it to see how what I've set up for key rollover works from cron. It never does, and then I don't revisit it
dne: plett: I'm testing knot's automatic dnssec signing - pretty painless, but you have to keep your keys on the server
plett: I've done that two or three times now
dne: I was going to use PowerDNS's automatic signing. I haven't used knot, I'll add it to the list of things to look at
***: fIorz has quit IRC (Ping timeout: 258 seconds)
plett: dne: Are your slaves knot as well, or are you slaving to different software?
dne: the slaves are nsd
plett: Does that transfer to the slave using AXFR? And does that work okay with signed zones on the master?
dne: sorry was misremembering, there's only one slave, which is bind I believe (using esgob.com's free secondary dns service)
***: fIorz_ has joined #arpnetworks
dne: transfer seems to work ok with axfr
for the signed zone
plett: Cool. Are you using automatic signing, or do you pre-sign all your records?
dne: automatic
***: fIorz_ is now known as fIorz
plett: Sounds like that would work for me too
Thanks. I'll add that to my list of things to play with :)
dne: have fun :)
up_the_irons: the top starred docker image for nsd is only like an 11MB image. runs alpine.
***: Seji has joined #arpnetworks