Quoting g4sra via Dng (dng@lists.dyne.org):

> Can anybody suggest a suitable authoritative/recursive DNSSEC
> supporting name server for SOHO domain use on embedded systems. What
> I am looking for is something like dnsmasq.
dnsmasq, it should be noted, is _just_ a forwarder. It forwards outbound
queries to one or more IP-identified recursive servers you specify. Those
recursive servers do the actual work.

Respectable recursive(-only) nameserver packages (that are open source):

o Unbound
o PowerDNS-recursor
o dnscache (from the djbdns suite), if patched to modern standards
o Deadwood
o Knot Resolver
o Bundy recursive portion (but it's probably scary betaware)

Respectable authoritative(-only) nameserver packages (that are open source):

o NSD
o PowerDNS Authoritative Server
o MaraDNS authoritative portion
o rbldnsd
o YADIFA
o MyDNS-NG (which also does forwarding of out-of-bailiwick queries)
o ldapdns
o Knot DNS
o gndsd
o dnsjava
o tinydns (from the djbdns suite), if patched to modern standards
o Bundy authoritative portion (but it's probably scary betaware)

(Something that becomes apparent as one studies this field is that writing
an authoritative daemon is relatively easy and many folks have done it.
Writing a recursive daemon without messing up is difficult, so there are
far fewer successful examples.)

I maintain a bestiary of all known DNS software for Linux, here:
http://linuxmafia.com/faq/Network_Other/dns-servers.html

The above list is extracted from it. The page is still missing one
peculiar^W innovative package, called Ironsides. Coverage is coming, Real
Soon Now.

I _hope_ the page is reasonably clear and complete about DNSSEC support,
but: Errare humanum est, sed perseverare autem diabolicum.

FWIW, I am no longer comfortable with the idea of a combined
authoritative/recursive server on a publicly exposed static IP. That has
been deprecated for long decades as bad security, particularly because it
increases the risk of cache poisoning of the recursive server.
IMO, a LAN connected to public networks, even a small one, ought to have
the authoritative service on a separate, public-facing host, and the
recursive service on a protected, internal-network machine that is as
shielded from public networks as possible.

I have personal experience with: BIND9 (and predecessors), NSD, Unbound,
PowerDNS Recursor, PowerDNS Authoritative Server, dnscache, tinydns.

I can enthusiastically recommend NSD and PowerDNS Server. Before a recent
troubling thing with Unbound where the developers made a dumb decision to
accommodate containerising, I was a huge Unbound cheerleader and might be
again.

Necessary disclaimer: I'm personal friends with Deadwood/MaraDNS author
Sam Trenholme (but have yet to substantially deploy his software).

As an administrator whose experience with BIND goes all the way back to
BIND4 days, I know well that it's the path of least resistance to just
deploy a do-it-all nameserver package like BIND9, but that's been known to
be a bad idea for a long time, and it's past time to stop doing that.

-- 
Cheers,                       "Rand Paul being patient zero for a Senate
Rick Moen                     viral outbreak is a sign of a writers' room
r...@linuxmafia.com           dropping too much acid, late in the season."
McQ! (4x80)                                 -- @owillis (Oliver Willis)

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
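An added example of the split the post recommends, not taken from the post or from the Unbound/NSD projects' own documentation: a recursive Unbound instance that answers only the internal network, beside an NSD instance that serves zone data on the public address and never recurses. The addresses (LAN 192.168.1.0/24, resolver 192.168.1.53, public host 203.0.113.10), the zone name example.net and the file paths are constructed placeholders, and the two fragments are meant for two different hosts.

```conf
# Added example, not from the original post. Addresses, zone name and
# paths are constructed placeholders.

# --- /etc/unbound/unbound.conf : recursive resolver, internal host only ---
server:
    # Listen only on the LAN-facing address, never on a public interface.
    interface: 192.168.1.53

    # Weak setting (what an exposed do-it-all server effectively does):
    #   access-control: 0.0.0.0/0 allow
    # Corrected: recurse only for the LAN and refuse everyone else, so the
    # cache is not exposed to arbitrary Internet clients.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation with an RFC 5011 managed root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Cache-poisoning hardening.
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    use-caps-for-id: yes

    hide-identity: yes
    hide-version: yes

# --- /etc/nsd/nsd.conf : authoritative only, on the public-facing host ---
server:
    # Serve zone data on the public address; NSD has no recursive mode,
    # so there is no cache on this host to poison.
    ip-address: 203.0.113.10
    hide-version: yes

zone:
    name: "example.net"
    zonefile: "/etc/nsd/zones/example.net.signed"
```

Both daemons ship a syntax checker (`unbound-checkconf` and `nsd-checkconf`) that can be run against these files before they are loaded; the `access-control` ordering matters only in that the most specific matching netblock wins, so the `0.0.0.0/0 refuse` line is the default and the LAN entries are the exceptions.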