lightweight "slave" DNS server, +DNSSEC?

 
 
Ivan Shmakov

 
      09-10-2011, 05:27 AM
I wonder, is there a lightweight DNS server to be used as a
“slave”? The zones to be served are DNSSEC-signed, so it should
check the signature on AXFR/IXFR and only accept the new data if
it's valid. (It isn't much an issue to prepare a list of
trusted keys for it, but DLV support will nevertheless be
handy.)

Will Maradns or PowerDNS fit?

Or is BIND 9.7 really the best possible solution for this task?

--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
Jorgen Grahn

 
      09-11-2011, 08:52 AM
On Sat, 2011-09-10, Ivan Shmakov wrote:
> I wonder, is there a lightweight DNS server to be used as a
> “slave”? The zones to be served are DNSSEC-signed, so it should
> check the signature on AXFR/IXFR and only accept the new data if
> it's valid. (It isn't much an issue to prepare a list of
> trusted keys for it, but DLV support will nevertheless be
> handy.)
>
> Will Maradns or PowerDNS fit?
>
> Or is BIND 9.7 really the best possible solution for this task?


Is there any specific reason why you think bind won't do? Or do you
simply think it's overkill because it has lots of features which you
don't need?

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
Ivan Shmakov

 
      09-11-2011, 09:15 AM
>>>>> Jorgen Grahn <grahn+(E-Mail Removed)> writes:
>>>>> On Sat, 2011-09-10, Ivan Shmakov wrote:


>> I wonder, is there a lightweight DNS server to be used as a "slave"?
>> The zones to be served are DNSSEC-signed, so it should check the
>> signature on AXFR/IXFR and only accept the new data if it's valid.
>> (It isn't much an issue to prepare a list of trusted keys for it,
>> but DLV support will nevertheless be handy.)


>> Will Maradns or PowerDNS fit?


>> Or is BIND 9.7 really the best possible solution for this task?


> Is there any specific reason why you think bind won't do? Or do you
> simply think it's overkill because it has lots of features which you
> don't need?


Mostly the latter. However, I'm also somewhat constrained in
resources (virtual memory, for instance), since this NS is going
to be run on a so-called "virtual server", and it's a really
cheap one. (Not that I had any issues in a similar case, but
nevertheless.)

--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
Hauke Lampe

 
      09-11-2011, 01:29 PM
Ivan Shmakov wrote:

> I wonder, is there a lightweight DNS server to be used as a
> “slave”?


I use NSD: http://nlnetlabs.nl/projects/nsd/
It's lightweight enough to serve a number of DNSSEC-signed zones from a
small virtual server.

> The zones to be served are DNSSEC-signed, so it should
> check the signature on AXFR/IXFR and only accept the new data if
> it's valid.


I don't know any nameserver software that does this check on AXFR. The
transferred data is protected by TSIG but the server doesn't validate the
RRSIGs.

You could certainly script the zone transfer and validation outside the
server process and then load the zone as master.

> Will Maradns or PowerDNS fit?


PowerDNS *might* be able to verify transferred records within an
AXFR-script (http://doc.powerdns.com/slave.html#id440309). I have no
firsthand experience in doing so, though.


Hauke.
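Hauke's suggestion of transferring and validating the zone outside the server process and only then loading it as master, written up as an added example that is not part of the thread: a Python pre-load gate that rejects the transferred zone unless every RRset is covered by an RRSIG signed at the zone apex, by a trusted key tag, and inside its validity window. The zone text, apex, key tag and timestamps are constructed; cryptographic verification of the signature bytes is assumed to be done by a separate validator and is not implemented here.

```python
# Added example, not code from the thread: a pre-load gate for a zone that was
# transferred out of band, following the advice to validate outside the server
# process and then load the result as master.  Signature cryptography is
# assumed to be checked by a separate validator and is NOT implemented here.
from datetime import datetime, timezone

SIGTIME = "%Y%m%d%H%M%S"  # RRSIG inception/expiration presentation format

def parse_zone(text):
    """Yield (owner, type, rdata fields) from a one-RR-per-line zone dump."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 4:  # owner TTL class TYPE rdata...
            yield fields[0].lower(), fields[3].upper(), fields[4:]

def check_zone(text, apex, trusted_tags, now):
    """Return (ok, problems); ok is True only when no RRset was rejected."""
    apex, problems, covered = apex.lower(), [], set()
    rrs = list(parse_zone(text))
    rrsets = {(o, t) for o, t, _ in rrs if t != "RRSIG"}
    for owner, rtype, rdata in rrs:
        if rtype != "RRSIG":
            continue
        # RRSIG rdata: type alg labels origttl expiration inception keytag signer sig
        tcov, _alg, _lab, _ttl, exp, inc, tag, signer = rdata[:8]
        inc_t = datetime.strptime(inc, SIGTIME).replace(tzinfo=timezone.utc)
        exp_t = datetime.strptime(exp, SIGTIME).replace(tzinfo=timezone.utc)
        if signer.lower() != apex:
            problems.append(f"{owner} RRSIG({tcov}): signer {signer} is not the apex")
        elif int(tag) not in trusted_tags:
            problems.append(f"{owner} RRSIG({tcov}): untrusted key tag {tag}")
        elif not inc_t <= now <= exp_t:
            problems.append(f"{owner} RRSIG({tcov}): outside validity window")
        else:
            covered.add((owner, tcov.upper()))
    for owner, rtype in sorted(rrsets - covered):
        problems.append(f"{owner} {rtype}: no acceptable RRSIG")
    return not problems, problems

# Constructed sample transfer: mail.example.net A is unsigned, so it is rejected.
SAMPLE_ZONE = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2011091101 7200 3600 1209600 3600
example.net. 3600 IN RRSIG SOA 8 2 3600 20111001000000 20110901000000 12345 example.net. c2lnMQ==
www.example.net. 300 IN AAAA 2001:db8::1
www.example.net. 300 IN RRSIG AAAA 8 3 300 20111001000000 20110901000000 12345 example.net. c2lnMg==
mail.example.net. 300 IN A 192.0.2.25
"""
NOW = datetime(2011, 9, 11, 12, 0, tzinfo=timezone.utc)  # constructed "now"
```

A wrapper script would run the AXFR, call `check_zone` on the output, and only on success write the file into the server's zone directory and reload it as master; a failed check leaves the previously loaded zone in service.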
Ivan Shmakov

 
      09-11-2011, 03:29 PM
>>>>> Hauke Lampe <(E-Mail Removed)> writes:
>>>>> Ivan Shmakov wrote:


>> I wonder, is there a lightweight DNS server to be used as a
>> “slave”?


> I use NSD: http://nlnetlabs.nl/projects/nsd/ It's lightweight enough
> to serve a number of DNSSEC-signed zones from a small virtual server.


I've quickly scanned through its page, the Debian's
Description:, and news:gmane.network.dns.nsd.general. It seems
like a good choice, thanks!

>> The zones to be served are DNSSEC-signed, so it should check the
>> signature on AXFR/IXFR and only accept the new data if it's valid.


> I don't know any nameserver software that does this check on AXFR.
> The transferred data is protected by TSIG but the server doesn't
> validate the RRSIGs.


Somehow, I've assumed that BIND will do it. Apparently, I was
mistaken.

I'd probably use TSIG instead.

> You could certainly script the zone transfer and validation outside
> the server process and then load the zone as master.


ACK.

>> Will Maradns or PowerDNS fit?


> PowerDNS *might* be able to verify transferred records within an
> AXFR-script (http://doc.powerdns.com/slave.html#id440309). I have no
> firsthand experience in doing so, though.


It doesn't look feasible to use this feature for DNSSEC
validation, yet it may come handy for other tasks. Thanks.

--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
Joe Pfeiffer

 
      09-11-2011, 05:10 PM
Ivan Shmakov <(E-Mail Removed)> writes:

>>>>>> Jorgen Grahn <grahn+(E-Mail Removed)> writes:
>>>>>> On Sat, 2011-09-10, Ivan Shmakov wrote:

>
> >> I wonder, is there a lightweight DNS server to be used as a "slave"?
> >> The zones to be served are DNSSEC-signed, so it should check the
> >> signature on AXFR/IXFR and only accept the new data if it's valid.
> >> (It isn't much an issue to prepare a list of trusted keys for it,
> >> but DLV support will nevertheless be handy.)

>
> >> Will Maradns or PowerDNS fit?

>
> >> Or is BIND 9.7 really the best possible solution for this task?

>
> > Is there any specific reason why you think bind won't do? Or do you
> > simply think it's overkill because it has lots of features which you
> > don't need?

>
> Mostly the latter. However, I'm also somewhat constrained in
> resources (virtual memory, for instance), since this NS is going
> to be run on a so-called "virtual server", and it's a really
> cheap one. (Not that I had any issues in a similar case, but
> nevertheless.)


dnsmasq is a good, lightweight, easy to configure, caching DNS (and
DHCP) server. I don't know whether it supports DNSSEC.
David Brown

 
      09-12-2011, 07:11 AM
On 11/09/2011 19:10, Joe Pfeiffer wrote:
> Ivan Shmakov<(E-Mail Removed)> writes:
>
>>>>>>> Jorgen Grahn<grahn+(E-Mail Removed)> writes:
>>>>>>> On Sat, 2011-09-10, Ivan Shmakov wrote:

>>
>> >> I wonder, is there a lightweight DNS server to be used as a "slave"?
>> >> The zones to be served are DNSSEC-signed, so it should check the
>> >> signature on AXFR/IXFR and only accept the new data if it's valid.
>> >> (It isn't much an issue to prepare a list of trusted keys for it,
>> >> but DLV support will nevertheless be handy.)

>>
>> >> Will Maradns or PowerDNS fit?

>>
>> >> Or is BIND 9.7 really the best possible solution for this task?

>>
>> > Is there any specific reason why you think bind won't do? Or do you
>> > simply think it's overkill because it has lots of features which you
>> > don't need?

>>
>> Mostly the latter. However, I'm also somewhat constrained in
>> resources (virtual memory, for instance), since this NS is going
>> to be run on a so-called "virtual server", and it's a really
>> cheap one. (Not that I had any issues in a similar case, but
>> nevertheless.)

>
> dnsmasq is a good, lightweight, easy to configure, caching DNS (and
> DHCP) server. I don't know whether it supports DNSSEC.


Another vote here for dnsmasq - though I also don't know about DNSSEC.
dnsmasq is so fast, lightweight, and easy to configure compared to other
DNS servers that it is definitely the first choice for most uses. Look
at dnsmasq first - if it can do the job you need, use it.

Ivan Shmakov

 
      09-12-2011, 08:51 AM
>>>>> Joe Pfeiffer <(E-Mail Removed)> writes:
>>>>> Ivan Shmakov <(E-Mail Removed)> writes:
>>>>> Jorgen Grahn <grahn+(E-Mail Removed)> writes:
>>>>> On Sat, 2011-09-10, Ivan Shmakov wrote:


[…]

>>>> Or is BIND 9.7 really the best possible solution for this task?


>>> Is there any specific reason why you think bind won't do? Or do you
>>> simply think it's overkill because it has lots of features which you
>>> don't need?


>> Mostly the latter. However, I'm also somewhat constrained in
>> resources (virtual memory, for instance), since this NS is going
>> to be run on a so-called "virtual server", and it's a really
>> cheap one. (Not that I had any issues in a similar case, but
>> nevertheless.)


> dnsmasq is a good, lightweight, easy to configure, caching DNS (and
> DHCP) server.


Its Debian package's Description: states:

--cut: http://packages.debian.org/sid/dnsmasq --
Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
server. It is designed to provide DNS and optionally, DHCP, to a
small network.
--cut: http://packages.debian.org/sid/dnsmasq --

As it's only a forwarder, and thus doesn't store the zone
locally (beyond its cache), I see it inapplicable to the task of
serving a DNS zone (say, the aforementioned .siamics.net.) as a
«slave» server.

> I don't know whether it supports DNSSEC.


--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)
David Brown

 
      09-12-2011, 09:12 AM
On 12/09/2011 10:51, Ivan Shmakov wrote:
>>>>>> Joe Pfeiffer<(E-Mail Removed)> writes:
>>>>>> Ivan Shmakov<(E-Mail Removed)> writes:
>>>>>> Jorgen Grahn<grahn+(E-Mail Removed)> writes:
>>>>>> On Sat, 2011-09-10, Ivan Shmakov wrote:

>
> […]
>
> >>>> Or is BIND 9.7 really the best possible solution for this task?

>
> >>> Is there any specific reason why you think bind won't do? Or do you
> >>> simply think it's overkill because it has lots of features which you
> >>> don't need?

>
> >> Mostly the latter. However, I'm also somewhat constrained in
> >> resources (virtual memory, for instance), since this NS is going
> >> to be run on a so-called "virtual server", and it's a really
> >> cheap one. (Not that I had any issues in a similar case, but
> >> nevertheless.)

>
> > dnsmasq is a good, lightweight, easy to configure, caching DNS (and
> > DHCP) server.

>
> Its Debian package's Description: states:
>
> --cut: http://packages.debian.org/sid/dnsmasq --
> Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
> server. It is designed to provide DNS and optionally, DHCP, to a
> small network.
> --cut: http://packages.debian.org/sid/dnsmasq --
>
> As it's only a forwarder, and thus doesn't store the zone
> locally (beyond its cache), I see it inapplicable to the task of
> serving a DNS zone (say, the aforementioned .siamics.net.) as a
> «slave» server.
>
> > I don't know whether it supports DNSSEC.

>


dnsmasq can serve up fixed names, but not with the flexibility of full
zone configurations. Basically, it can read /etc/hosts (or a similar
format file) and serve up the names from there. In many cases, but
clearly not all cases, that's all you need.

Ivan Shmakov

 
      09-12-2011, 06:18 PM
>>>>> David Brown <(E-Mail Removed)> writes:
>>>>> On 12/09/2011 10:51, Ivan Shmakov wrote:


[…]

>> As it's only a forwarder, and thus doesn't store the zone locally
>> (beyond its cache), I see it inapplicable to the task of serving a
>> DNS zone (say, the aforementioned .siamics.net.) as a «slave»
>> server.


[…]

> dnsmasq can serve up fixed names, but not with the flexibility of
> full zone configurations. Basically, it can read /etc/hosts (or a
> similar format file) and serve up the names from there.


Now, when the zone is modified, will it send (receive) notices
to (from) the other servers for this zone? (Having a single NS
serving a “global” zone doesn't seem like a clever solution.)
Will it support the following AXFR (IXFR) queries?

Honestly, I'm failing to see any definition of “slave
nameserver” that dnsmasq may satisfy.

Besides, my zones generally contain not only AAAA and A records,
but also MX, SRV, SSHFP, and, on occasion, TXT ones, which, to
the best of my knowledge, have no representation in the hosts(5)
format.

> In many cases, but clearly not all cases, that's all you need.


Like in serving a .home.local zone, I guess? For such a case,
there's no point in having a “slave” NS, which is mentioned in
both the Subject: and the OP.

(Having said that, I don't think that it supports DNSSEC,
either.)

--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)