macos playground  nsd: authoritative  nsd: DNSSEC  nsd: DANE  smtpd server  laptop  rdist: intro  pentest notes  talks  whoami 

Authoritative nsd servers

Some information about the scope

My VMs (thanks will play master and slave roles, as authoritative for the following zone (thanks

Their IPv4 and IPv6 addresses are:

I asked both of my hosting contacts to create PTR records.

Both of my machines uses acme-client (ns0 also handles “” as alternative name):

authority letsencrypt {
  api url ""
  account key "/etc/acme/letsencrypt-privkey.pem"

domain {
  domain key "/etc/ssl/private/"
  domain certificate "/etc/ssl/"
  domain full chain certificate "/etc/ssl/"
  sign with letsencrypt

Master NS Configuration

Zone configuration on ns0 (/var/nsd/etc/nsd.conf):

        name: ""
        zonefile: "master/"
        notify: ns1 MYKEY
        provide-xfr: ns1 MYKEY

The zone file (/var/nsd/zones/master/

$ORIGIN   ; default zone domain
$TTL 3600          ; default time to live

; 10800 3600 604800 3600

@ IN SOA (
14400        ; Refresh
1800         ; Retry
1209600      ; Expire
1800         ; Min TTL

@       NS
@       NS

@       MX      10
@       MX      50

@       IN      A
@       IN      AAAA    2a05:f480:1800:33:5400:2ff:fe29:deaa

ns0     IN      A
ns0     IN      AAAA    2a05:f480:1800:33:5400:2ff:fe29:deaa

ns1     IN      A
ns1     IN      AAAA    2a03:6000:6f64:621::121

Don’t forget after each step to:

nsd-control reload
nsd-control notify
rcctl restart nsd

Slave NS Configuration

As we did for the master NS, now let’s do it for the slaves:

        name: ""
        zonefile: "slave/"
        allow-notify: ns0 MYKEY
        request-xfr: ns0 MYKEY

The zone file (/var/nsd/zones/slave/ is the same as master’s one. Note that you don’t need to copy / scp / rsync the flat zone files between Master and Slaves, using NSD you can simply achieve the file generation and write on disk by using the “nsd-control write” command, once the change is made on the Master and (A)XFR’d to the slaves.

Domain registration

Use whatever registrar your familiar with, just keep in mind that you will need to be able to perform some modifications on your zone, eg. some registrar’ “panel” or interface doesn’t allow DS records modification (you’ve been warned before next steps ;-)). Also ensure that both of your TLD and registrar is DNSSEC ready.

I used a free registrar to do so, setting up “” in this example, with a really simple zone file. Yours may be more complex but you got the idea even if you need to add some/many CNAME, A, AAAA, MX, TXT, … and even NS records. This configuration is given for a single master and a single slave name server, but additional slaves could easily be added.


I only set a unicast v4 address for master/slave(s) notify and xfr, but feel free to bind it to your favorite v6 ones too.

Once the domain registration is done and both of your NS working well, you will be able to play with DNSSEC zone signing and setting some DANE entries (TLSA records) to it.

© 2019 _st0m_  and the puffy sisters  User Agreement  Privacy Policy