Using NSD as My Master Nameserver

With my new VPS up and running the first service I am going to add is an authoritative DNS server.

Why NSD?

As I discussed in Bringing E-Mail Server In-House Part 1: Introduction and DNS, I have decided to move away from tinydns towards nsd for my authoritative DNS server(s) because tinydns just does not seem to care about DNSSEC, IPv6, and probably anything else new that comes along.

NSD is used by some of the DNS root servers, and some of the TLD registries.

Although it does occasionally use a lot more RAM than it should (this very moment it is using 12.7% of my RAM on vps2) a reload usually brings it down again (a reload of nsd on vps2 just brought its RAM usage down to 4.6%).

Upgrade Kernel to 3.16

Ubuntu Server 14.04.2 has been released, and there is a newer kernel available. In order to use it you need to opt-in:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install --install-recommends linux-generic-lts-utopic
sudo reboot

Installing and Configuring NSD

sudo apt-get install nsd
sudo nsd-control-setup
sudo cp /usr/share/doc/nsd/examples/nsd.conf.gz /etc/nsd/
sudo gunzip /etc/nsd/nsd.conf.gz
sudo nano /etc/nsd/nsd.conf
	server-count: 2
	ip-address: 2a03:ca80:8001:769d::5
	do-ip4: yes
	do-ip6: yes
	username: nsd
	zonesdir: "/etc/nsd/zones"

	name: "myzones"
	zonefile: ""
	name: "henetslaves"
	include-pattern: "myzones"
	notify: NOKEY
	provide-xfr: NOKEY
	provide-xfr: 2001:470:600::2 NOKEY

	allow-axfr-fallback: yes

	name: ""
	include-pattern: "henetslaves"
sudo mkdir /etc/nsd/zones
sudo chown thejc:thejc /etc/nsd/zones

Copy the content of /etc/ssh/thejc/thejc.vps2 from VPS2 into /etc/ssh/thejc/authorized_keys and then sync the zone files from vps2 to vps3:

rsync -avrpPlog --progress -e 'ssh -p 8043 -i /etc/ssh/thejc/thejc.vps2' /etc/nsd/zones/

Back on vps3, change the permissions back, add the new IPv6 IP address, and then restart nsd.

sudo chown -R nsd:nsd /etc/nsd/zones
sudo ip -6 addr add 2a03:ca80:8001:769d::5 dev eth0
sudo service nsd restart

Finally, add the following line to /etc/network/interfaces to add the IPv6 IP address automatically on boot:

	up /sbin/ip -6 addr add 2a03:ca80:8001:769d::5 dev eth0

Test Everything Works

Test that IP address is accepting DNS requests:

dig @

It works, so the last thing left to do is add the following rules to ip(6) and restore the rules from the files.

### DNS ###
-A in-new -d 2a03:ca80:8001:769d::5 -p udp --dport 53 -j ACCEPT
-A in-new -d 2a03:ca80:8001:769d::5 -p tcp --dport 53 -j ACCEPT
### DNS ###
-A INPUT -d -p udp --dport 53 -j ACCEPT
-A INPUT -d -p tcp --dport 53 -j ACCEPT

After reloading iptables and ip6tables, and restarting nsd, everything was working adequately. I then added to the zones that ns5 & ns7 are authoritative for on both vps2 and vps3, and then logged in to my Nominet registrar account and added ns8 (with IPv4/IPv6 glue) to my Nominet Web Domain Manager.

Upon further testing, however, I stumbled into an issue: Hurricane Electric, who I use for backup/slave DNS for most of my domains, is having trouble with their DNS service.

Although it would not normally be an issue as I only use one of their servers as a backup two 2 (currently 3) of mine, because the only way to change a DNS Master in's interface is to delete it and add it again, it does mean that after several hours of problems I was left with the issue of having a lame delegation (an NS record that is not authoritative for the domain).

I decided to leave the NS records in my zones, but to remove them ( in the root (.uk) zone. This does, however, mean all my nameservers are in the same data centre, which is not the best thing in the world.

Seeing how I am now only one failure away from total DNS failure, and I am also relying on the same provider for my IPv6 reverse zones and my dynamic DNS updates, I am now wondering whether to find a second VPS provider or to wait for Hurricane Electric to fix their servers.

If I want a second server for DNS, what exactly do I need in terms of specs?

Presumably I will want either 256 MB RAM or 512 MB RAM - I am not too sure how much RAM NSD needs to run.

I can put off those thoughts for another day, Hurricane Electric seems to be working again now.

Using NSD as My Slave Nameserver

With VPS3 and VPS2 now hosting my master nameservers, there is a problem: I need to modify both servers' zone files and make sure I make exactly the same changes to both.

After updating a third zone file I decided this was just too much hassle. Were it not for file permissions I could just rsync the changes and reload nsd. Why do that though if NSD supports both IXFR and AXFR?

Thus I added the following to /etc/nsd/nsd.conf on vps3 to the myzones pattern:

notify: NOKEY
provide-xfr: NOKEY
allow-axfr-fallback: yes

On VPS2 I renamed the pattern henetslaves to myslaves, commented out the notify/provide-xfr/allow-axfr-fallback lines and added the following to the pattern:

allow-notify: NOKEY
request-xfr: NOKEY
allow-axfr-fallback: yes

I then changed the include pattern of all the zones from myzones/henetslaves to myslaves, and then saved and exited nano on both VPSs.

I then restarted nsd on both virtual servers, and ran sudo nsd-control zonestatus on both servers. VPS3 listed all zones with a state of master, and VPS2 listed all zones with a state of ok (eventually, after correcting some errors in both files).

I then re-added the zones as slaves in, and waited for them to get pulled. With the SOA matching, I added the NS records back in the Nominet Web Manager.

The one thing I still need to do is to change the SOA record to point at ns8 (vps3) as the primary nameserver in most of my zones, but I have a couple of months before that really needs doing.