Alan McKinnon <alan.mckinnon <at> gmail.com> writes:
> > I need to setup DNS primary/secondary systems on gentoo. So right now
> > I'm looking for a suggested list of packages to install with Bind,
> > iptables and DNSSEC-tools as these (2) gentoo dns servers will only
> > run the minimum packages to operate securely?

> auth or cache?

These are the (2) net-facing primary and slave DNS servers, just for the few domain names I will authenticate. They'll be behind a firewall (iptables/DMZ) with no internal zone information. Strictly auth, public facing, with DNSSEC.

The plan is to go slow with manual configuration and slowly add features like a database, as I roll out new auth-DNS servers on newer, embedded hardware (very small, very low power, but lots of RAM (2G)). So over time the scope will evolve. It's a manual approach to a refresher for me. Eventually one of the auth-DNS slaves will be an ARM cluster for performance testing on Mesos. (That's a ways off.)

So also, the iptables rules for such a setup will need to be revisited, dusting off what I used to use. Again, the importance is trying different packages and sniffing the results and examining log files (manually and with scripts) on a log host. So only port 53 (public/routable net visible) and port 22 from a select set of private IPs is all these will need.

> First of all, bind is a pain to use. Reason: it's actually a reference
> implementation that as usual got forced into production use. It's slower
> than it could be because it deals with every possible corner case per RFC.
> As an auth server (few queries) it's OK

Bind is an old acquaintance of mine:: been a few years, hence the post. I may test/migrate to something else, later.

> As a cache (many queries), there are better servers out there. I prefer
> unbound.

A caching DNS server for internal usage is another project for another time. It will be totally isolated; still, good to know.

> > Also, what is the (nominal) minimum amount of RAM needed to keep all
> > routes in ram in these name servers?

> I don't understand. DNS servers don't keep routes in memory - routers do
> that. Perhaps you mean cached DNS records?
> DNS is light on RAM, there are only so many records typical users will
> look up. DNS caches not too long ago ran for years problem free with a
> puny few hundred MB. It's not something to be worried about.

There should be a way to keep all the responses for the zone info they serve in RAM? I know it often happens without intervention, but surely there are published methods to ensure this info is kept "in RAM" like bcachefs? Also flushing and RAM usage status monitoring, as these auth DNS servers will eventually migrate to low-power embedded machines where keeping things in RAM is critical to performance.

'eix -cC net-dns | grep auth' <shows:: knot and nsd

Curiously, are they better, more easily secured solutions? It's been a while for me.... so a vetting of the packages is the first step for this minimal, manual setup of the auth-DNS servers for a few domain names:: Bind9, dnssec-tools, iptables:: any other packages relevant/germane on an amd-default profile [1] ?

James
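The firewall policy James sketches (port 53 open to the world, port 22 only from a select set of private addresses, nothing else) is simple enough to express as an iptables-restore ruleset that can be reviewed on a log host before it is loaded. The script below is an added example written for this thread, not code from the list or from Gentoo; the management networks in MGMT_IPS are constructed placeholders, and the rule set is only printed, never applied.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit an iptables-restore
# ruleset for a strictly authoritative, public-facing DNS server.
#   - 53/udp and 53/tcp from anywhere (TCP is needed for large DNSSEC answers
#     and for AXFR/IXFR to the slave; restrict transfers in named.conf with
#     allow-transfer, since the firewall cannot tell a query from a transfer)
#   - 22/tcp only from the management addresses passed in
#   - everything else dropped by policy, with rate-limited logging
# MGMT_IPS is a constructed placeholder: replace it with the real admin nets.
MGMT_IPS="${MGMT_IPS:-10.0.0.0/24 192.168.100.5}"

# gen_dns_rules SPACE_SEPARATED_MGMT_SOURCES
# Prints the ruleset to stdout; load it later with: iptables-restore < rules.v4
gen_dns_rules() {
    mgmt="$1"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# authoritative DNS, world-reachable
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
EOF
    # one SSH rule per management source; nothing else may open port 22
    for src in $mgmt; do
        printf -- '-A INPUT -p tcp -s %s --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$src"
    done
    cat <<'EOF'
# keep ping for monitoring, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log what the DROP policy is about to discard, so the log host sees probes
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# count_ssh_rules SOURCES: number of port-22 accept rules the policy contains,
# handy as a sanity check that every admin source (and only those) is listed
count_ssh_rules() {
    gen_dns_rules "$1" | grep -c -- '--dport 22'
}

# stand-alone use: print the ruleset for review
gen_dns_rules "$MGMT_IPS"
```

Review the printed output, save it, and load it with `iptables-restore`; on Gentoo the saved file is what `/etc/init.d/iptables` restores at boot. Because TCP 53 must stay open to the world for DNSSEC-sized answers, zone transfers to the slave are restricted in BIND itself (allow-transfer) rather than at the firewall.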