> On Jun 7, 2021, at 00:14, Mukul Shukla via nsd-users
> <nsd-users@lists.nlnetlabs.nl> wrote:
>
> Djbdns is not supporting the DNSSEC, inherently. Implementing it on NSD is
> also not a simple task.
> So for my limited setup, would it be more appropriate to go for Knot or
> PowerDNS (BIND I am scared of)?
> Maybe, even we can try a mix of NSD and Knot, what do you suggest?

A common setup is to use one set of software for maintaining the zone data (and
DNSSEC signing), but have the “external facing” (published in DNS) servers use
something else (for example NSD). The external facing servers will do zone
transfers from the “hidden” server used to maintain the data.

Another version of this is to maintain the data on server A, do zone transfer
to server B which adds the DNSSEC signing and then (with zone transfers,
typically) sends the data to server C-Z that are published in DNS.

For just two servers this might be needlessly complicated, but if you are new
to DNSSEC and want to use NSD on the published name servers I think it might be
simpler than using “offline” tools for signing and resigning the zone data.

I haven’t used PowerDNS’ DNSSEC signing for a while; but my experience in the
past (many years ago) was very good.

Ask
_______________________________________________
nsd-users mailing list
nsd-users@lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
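
The hidden-signer layout described in the reply above, seen from one published NSD server, as an added example that is not part of the original message. The zone name, the 192.0.2.10 signer address, the key name, the file path and the secret are all placeholders constructed for illustration; the signer itself (Knot, PowerDNS or other) is configured separately.

```conf
# nsd.conf fragment for a published ("external facing") name server.
# NSD only serves the zone; editing and DNSSEC signing happen on the
# hidden server, which is not listed in the zone's NS records.
# All names, addresses and the secret below are constructed placeholders.

# TSIG key shared with the hidden signer, so NOTIFY and zone transfers
# are authenticated and not trusted on source address alone.
key:
    name: "xfr-key"
    algorithm: hmac-sha256
    secret: "REPLACE_WITH_BASE64_SECRET"

zone:
    name: "example.com"
    zonefile: "secondary/example.com.zone"

    # Accept NOTIFY only from the hidden signer, and only when it is
    # signed with the shared key.
    allow-notify: 192.0.2.10 xfr-key

    # Pull the already-signed zone (DNSKEY, RRSIG and NSEC/NSEC3 records
    # included) from the hidden signer over an authenticated transfer.
    request-xfr: 192.0.2.10 xfr-key

    # No provide-xfr entry: this server hands out no zone transfers.
```

Once the transfer has completed, `dig @<published-server> example.com SOA +dnssec` should return the SOA together with its RRSIG, which confirms the signed copy is the one being served.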