Thanks for clarification.
Unbound configured and works well.
Another question about unbound "capacity".
I've configured unbound for a small network. What is the "maximum capacity" of Unbound? Is it suitable for big networks?

On 23/11/2015 13:28, Dahlberg, David wrote:
On Monday, 23.11.2015, 12:24 +0100, Alessandro Baggi wrote:

Today, the last version is 5.8 and from 5.6 named was replaced by nsd
and unbound.

The first is only authoritative and the other is
recursive/forwarder/caching/validating/authoritative.

Right. Except that unbound is not really intended to work as an
authoritative server, except maybe for a tiny local stub zone.

Now today I've nsd and unbound that I can use on my firewall.
I don't need authoritative server, and I should use unbound.

Correct.

nsd and unbound have similar syntax and, reading from the web, I can
resolve dns with each of them.

Wrong. You cannot use nsd as a resolver. It is authoritative only.

Now I'm confused... which one should I use?

You want to announce your domain to the whole internet? Use NSD.
You want to resolve internet domain names for your clients? Use unbound.
You want to do both? Use both.

Correct me if I'm wrong:

1) I must use only nsd for authoritative server (internet exposed) for
my hypothetical zone (I can use it in my lan for dns resolver?).

No. It is not a resolver. It won't answer to queries for domains that it
does not host.


2) I can use only unbound for lan dns resolving/caching/validating
with zones if an authoritative domain is not needed.

Correct.

3) I can use nsd for authoritative server (internet exposed) and for
lan use unbound as recursive/cache dns with the authoritative server.

With the authoritative server being nsd, right.

4) I can use unbound as authoritative server and for recursing and other.

You seem to confuse the concepts of authoritative and recursing. The
authoritative server is the Facebook DNS server that answers queries for
the facebook.com domain. Just for that domain. It won't answer queries
for other domains nor queries that have the "recurse" flag set.

A resolver is typically located at your provider. You query it for any
domain and it will happily resolve that query for you (by querying the
authoritative servers). See the image in the chapter "Address resolution
mechanism" at https://en.wikipedia.org/wiki/Domain_Name_System: The
"DNS recurser" in the image is the resolver, the "root/org/wikipedia.org
nameservers" are authoritative ones.

Unbound is a resolver. It may also have authoritative functions for a
small local zone (e.g. "mylaptop.local", "myfileshare.local" and
"mytv.local"). But if you really want to host a domain, you should use
NSD instead.


5) NSD is the best for authoritative and unbound for other things.

NSD is /only/ useful as an authoritative server (i.e. serving a zone).
It cannot resolve.

Unbound is most useful for resolving DNS names (i.e. you send it a
query, it will figure out the answer).

Here is how it works:
(1) Your clients (PC, Laptop, Playstation) will send queries to the
resolver (e.g. dnsmasq, unbound, bind9). Asking them for IP addresses for
openbsd.org, gmail.com and sony.com.
(2) The resolver will send queries to the authoritative nameservers
(e.g. bind9, nsd) of Root, Verisign (.com and .org), Google (gmail.com)
OpenBSD and Sony to find out the requested IP addresses.
(3) The resolver will return the result to your clients.

Bind9 of the Internet Systems Consortium just happens to be software
that can do both jobs: It can be a resolver, or an authoritative
nameserver, or even both at the same time.

NLnet Labs decided not to go that way. They created software just for
the authoritative nameserver task (NSD) and one for the resolver task
(unbound).


Cheers
        David
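
The three-step walk David describes (client asks the resolver; the resolver follows referrals from root to TLD to the domain's own nameserver; an authoritative-only server refuses anything outside its zone, recursion flag or not) as an added toy model, not code from this thread or from NLnet Labs. Every name, address and server below is constructed sample data.

```python
# Toy model of the split described above: authoritative servers (NSD-style)
# answer only for zones they host and hand out referrals; the resolver
# (unbound-style) does the walking and caches the result.
from dataclasses import dataclass


@dataclass
class Authoritative:
    """Hosts zones only. zones: zone name -> {"A": {...}, "NS": {...}};
    the root zone uses "" as its name. Child delegations map a child zone
    name to the Authoritative object serving it."""
    zones: dict

    def query(self, name, recursion_desired=False):
        # recursion_desired is deliberately ignored: an authoritative-only
        # server never resolves on the client's behalf.
        for zone in sorted(self.zones, key=len, reverse=True):
            if zone == "" or name == zone or name.endswith("." + zone):
                data = self.zones[zone]
                if name in data.get("A", {}):
                    return ("ANSWER", data["A"][name])
                for child, ns in data.get("NS", {}).items():
                    if name == child or name.endswith("." + child):
                        return ("REFERRAL", ns)   # delegated: go ask the child
                return ("NXDOMAIN", None)         # inside our zone, no such name
        return ("REFUSED", None)                  # not our zone: refused


class Resolver:
    """Starts at the root hint and follows referrals until it gets an answer."""
    def __init__(self, root_server, max_hops=8):
        self.root, self.max_hops, self.cache = root_server, max_hops, {}

    def resolve(self, name):
        if name in self.cache:
            return self.cache[name]
        server = self.root
        for _ in range(self.max_hops):          # bound the referral chain
            status, payload = server.query(name, recursion_desired=False)
            if status == "ANSWER":
                self.cache[name] = payload
                return payload
            if status != "REFERRAL":
                return None                     # NXDOMAIN or REFUSED
            server = payload
        return None


# Constructed sample delegation tree: root -> org/com -> domain nameservers.
openbsd_ns = Authoritative({"openbsd.org": {"A": {"www.openbsd.org": "198.51.100.10"}}})
gmail_ns = Authoritative({"gmail.com": {"A": {"gmail.com": "203.0.113.5"}}})
tld_org = Authoritative({"org": {"NS": {"openbsd.org": openbsd_ns}}})
tld_com = Authoritative({"com": {"NS": {"gmail.com": gmail_ns}}})
root = Authoritative({"": {"NS": {"org": tld_org, "com": tld_com}}})
resolver = Resolver(root)
```

Asking `openbsd_ns` directly for `gmail.com` returns REFUSED even with `recursion_desired=True`, which is exactly why an NSD-only setup cannot serve as the LAN resolver.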
