[sf-lug] DNS, testing/troubleshooting ... (Re: Looks great, thanks! Re: linuxmafia.com/svlug.org DNS slaves for sf-lug.{com, org}! :-))

Rick Moen rick at linuxmafia.com
Thu Jul 23 02:14:34 PDT 2015

Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> Hoping you don't mind that I take some of this on-list.  :-)

No problem.  But then, I'll override your 'Reply-To:
sf-lug-sysadmins at balug.org', here.


> Yes, you'd mentioned earlier - an excellent alternative to BIND.
> I think one of the few reasons/excuses SF-LUG (and likewise parts of
> BALUG) have BIND (bind9) is being used there, is more Linux(/Unix)
> sysadmins are more familiar with BIND than NSD or other DNS server
> software.  Not exactly a great reason to use BIND ... but certainly a
> factor of consideration.

FWIW, to the extent that familiarity of zonefile format is involved, 
BIND and NSD use the _same_ zonefile format -- RFC 1035 format.

(FYI, three of the world's 13 root nameservers now use NSD.  Some of the
others use BIND, some use Knot DNS and BIND, some use all three.)

NSD operations closely mimic BIND ones in most particulars, by design,
e.g., NSD's 'nsdc' administrative tool works pretty much exactly the way
BIND's ever-handy 'rndc' one does.

The main difference is that NSD compiles the RFC 1035 zonefiles to a
binary format for speed during usage.  Also, NSD is authoritative-only,
whereas BIND does authoritative service and also recursive service in a
single monolithic binary.

So, much less unfamiliar than you might assume.  And you get blazing
speed, much lower memory usage, better security.

(In accordance with the NLnet Labs programmers' modular approach, they
wrote an exceptionally good recursive-only nameserver called Unbound to
complement their authoritative-only nameserver called NSD.  The pair of
them I consider superior in every way to BIND, in part because of
modularity of function.  To clarify:  I'm sure there is BIND9
functionality not presently provided by NSD + Unbound.  I consider this
a feature rather than a bug, as I consider BIND9 grossly overfeatured.)

2006 slides from the NSD 3.0 beta cycle:

> Ah, well, but ... I often do what you'd suggested, rather than use
> +trace.  Actually, *not* using +trace certainly has its advantages -
> notably not unnecessarily hitting root nameservers, etc. with traffic.

Indeed, one has to be careful to _avoid_ +trace for solving some
problems.  As you discovered from the manpage, it disables recursion, so
you implicitly switch to iterative querying -- which may mask the very
problem you're trying to investigate.

> $ (tld=com; dig @$(dig -t ns "$tld". +short | head -n 1) -t ns sf-lug."$tld". +noall +authority +norecurse) | grep '^[^;]'


> Random ... I wish dig(1) had an option to turn off *all* its commenting.

Yeah, no kidding!  I've yet to come up with a truly satisfactory set of
flags to suppress everything but what's important, and the closest
approximations are so verbose they look goofy.

> Perhaps someone *besides* myself or Rick Moen would
> first like to take a stab at it and determine why it's indicating
> ;; connection timed out; no servers could be reached
> and what is or may (presumably) be awry.

{shrug}  Not sure, sorry.
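To make concrete what the thread is doing with dig, here is a small added example (mine, not code from the original posts or from NSD/BIND) that builds a DNS query by hand with the RD (recursion desired) bit set or cleared, which is what +norecurse and +trace change on the wire, and then classifies a reply as an authoritative answer or a referral by reading the AA bit and the authority section, the same thing the `+noall +authority +norecurse` one-liner above is showing. The sample referral message is constructed inline, not captured traffic; the nameserver hostnames `ns1.example.net` and `ns2.example.net` in it are placeholders, and only the query for `sf-lug.com` is taken from the thread. `send_query` is the only function that touches the network and returns None on the timeout that dig reports as "no servers could be reached".

```python
"""Hand-built DNS query (RFC 1035 section 4.1) with RD on or off, plus a
reply classifier that tells an authoritative answer from a referral."""
import random
import socket
import struct

QTYPE_NS = 2


def encode_name(name):
    """Wire-encode a dotted name: length-prefixed labels, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_NS, recursion_desired=True, txid=None):
    """12-byte header plus one question. RD is bit 8 of the flags word;
    dig +norecurse (and +trace) clears it, which is why a +norecurse query
    to a parent server yields a referral instead of a resolved answer."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Split the header flags into the bits dig prints on its ';; flags:' line."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_records(msg):
    """Return (answer, authority) lists of (owner, rtype, rdata); NS rdata is decoded."""
    hdr, offset = parse_header(msg), 12
    for _ in range(hdr["qdcount"]):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    sections = []
    for count in (hdr["ancount"], hdr["nscount"]):
        records = []
        for _ in range(count):
            owner, offset = decode_name(msg, offset)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = decode_name(msg, offset)[0] if rtype == QTYPE_NS else msg[offset:offset + rdlen]
            offset += rdlen
            records.append((owner, rtype, rdata))
        sections.append(records)
    return sections[0], sections[1]


def classify(msg):
    """Name what kind of reply this is, the way a reader of dig output would."""
    hdr = parse_header(msg)
    if hdr["tc"]:
        return "truncated; retry over TCP"
    if hdr["rcode"] != 0:
        return "error rcode %d" % hdr["rcode"]
    answer, authority = parse_records(msg)
    if hdr["aa"] and answer:
        return "authoritative answer"
    if not answer and authority:
        return "referral"  # what a parent (TLD) server hands back for a delegated name
    return "non-authoritative answer" if answer else "empty"


def send_query(server, name, qtype=QTYPE_NS, recursion_desired=False, timeout=3.0):
    """One UDP query to one server; None on timeout or mismatched transaction id."""
    query = build_query(name, qtype, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:  # dig: ';; connection timed out; no servers could be reached'
            return None
    return resp if resp[:2] == query[:2] else None


def sample_referral(txid=0x1234):
    """Constructed (not captured) referral: QR=1, AA=0, no answer section, two NS
    records for sf-lug.com in the authority section, owner name compressed to the question."""
    question = encode_name("sf-lug.com") + struct.pack("!HH", QTYPE_NS, 1)
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 0, 2, 0)
    rrs = b""
    for host in ("ns1.example.net", "ns2.example.net"):  # placeholder hostnames
        rdata = encode_name(host)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, 1, 172800, len(rdata)) + rdata
    return header + question + rrs


if __name__ == "__main__":
    msg = sample_referral()
    print(classify(msg), [rr[2] for rr in parse_records(msg)[1]])
```

Pointing `send_query` at a parent-zone server with `recursion_desired=False` and feeding the result to `classify` reproduces the one-liner's logic without ever touching the root servers: the delegation NS records come back in the authority section, and a missing or wrong delegation shows up there as an empty or unexpected list rather than as a timeout.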
