Caching configuration:
rndc.conf is standard
SOA for co.uk is hostmaster at nominet.org.uk; for .com it is nstld at verisign-grs.com
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. A forwarding server accepts whatever its forwarders answer, so they must be trusted (and ideally validating) resolvers.
ns0.tiscali.co.uk = mk-slave-1
ns0.as9105.com = th-slave-1
re-use newdom, vidom etc.
dnstop - analyser for DNS traffic
bindgraph - RRD graphing tool for BIND
Web GUIs - WeBBind and ProBind (PHP)
DNSSEC
keep each key for 60 days and overlap for 30 days with the previous key, so the successor's DNSKEY is already in caches before it starts signing and the old key is not removed while signatures it made are still cached
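Worked schedule for the rule above (added example, not from these notes and not BIND's own code): it models one chain of pre-publication ZSK rollovers with a 60-day signing life and the successor published 30 days before the handover, checks the chain for gaps, and prints the dnssec-settime -P/-A/-I/-D arguments for each key. The one-day TTL grace before a retired key is deleted, the start date and the Kexample.com.+013+NNNNN file name are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parameters. The notes fix only the 60-day key life and the 30-day overlap;
# TTL_GRACE is this example's own assumption: keep a retired DNSKEY until the
# RRSIGs it made have aged out of caches (at least the zone's maximum TTL).
LIFETIME = timedelta(days=60)
OVERLAP = timedelta(days=30)
TTL_GRACE = timedelta(days=1)
DEMO_START = datetime(2024, 1, 1)   # constructed start date for the demo


@dataclass(frozen=True)
class KeyTiming:
    """The four instants dnssec-settime takes as -P/-A/-I/-D."""
    publish: datetime    # DNSKEY appears in the zone
    activate: datetime   # key starts signing
    inactive: datetime   # key stops signing
    delete: datetime     # DNSKEY removed from the zone


def plan_rollover(first_active: datetime, count: int) -> list[KeyTiming]:
    """Pre-publication schedule: each key signs for LIFETIME, its successor is
    published OVERLAP before the handover, and a retired key lingers TTL_GRACE."""
    keys, activate = [], first_active
    for _ in range(count):
        keys.append(KeyTiming(publish=activate - OVERLAP,
                              activate=activate,
                              inactive=activate + LIFETIME,
                              delete=activate + LIFETIME + TTL_GRACE))
        activate += LIFETIME    # successor takes over the instant this key goes inactive
    return keys


def check_schedule(keys: list[KeyTiming]) -> list[str]:
    """Return a list of problems; empty means the zone is never unsigned and
    resolvers never see an RRSIG made by a DNSKEY they could not have cached."""
    problems = []
    for i, (prev, nxt) in enumerate(zip(keys, keys[1:])):
        if nxt.activate != prev.inactive:
            problems.append(f"key {i}->{i + 1}: signing gap or double signing at handover")
        if prev.inactive - nxt.publish < OVERLAP:
            problems.append(f"key {i + 1}: published less than {OVERLAP.days}d before it signs")
        if prev.delete < prev.inactive + TTL_GRACE:
            problems.append(f"key {i}: deleted before its RRSIGs can expire from caches")
    return problems


def published_at(keys: list[KeyTiming], when: datetime) -> list[int]:
    """Indices of keys whose DNSKEY is in the RRset at `when`."""
    return [i for i, k in enumerate(keys) if k.publish <= when < k.delete]


def signing_at(keys: list[KeyTiming], when: datetime) -> list[int]:
    """Indices of keys producing RRSIGs at `when` (should always be exactly one)."""
    return [i for i, k in enumerate(keys) if k.activate <= when < k.inactive]


def settime_args(k: KeyTiming) -> str:
    """Argument string for dnssec-settime, using its YYYYMMDDHHMMSS timestamp form."""
    def ts(d: datetime) -> str:
        return d.strftime("%Y%m%d%H%M%S")
    return f"-P {ts(k.publish)} -A {ts(k.activate)} -I {ts(k.inactive)} -D {ts(k.delete)}"


if __name__ == "__main__":
    plan = plan_rollover(DEMO_START, 3)
    assert not check_schedule(plan)
    for i, k in enumerate(plan):
        # Kexample.com.+013+NNNNN stands for the key file dnssec-keygen produced.
        print(f"key {i}: dnssec-settime {settime_args(k)} Kexample.com.+013+NNNNN")
```

With this scheme two DNSKEYs are published for exactly the 30 days before each handover plus the one-day grace after it, and at every instant exactly one key signs; `check_schedule` on a list with a key left out reports the gap.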
* BIND is claimed to be less efficient than dnscache as a caching DNS server, and may drop more requests by default. BIND’s default cache is limited only by the TTL of its entries, however, whereas dnscache has only 1MB by default.
* BIND will not send out duplicate queries, and is less likely to be treated as an abusive DNS server, whereas dnscache does not limit outgoing queries if the answer hasn’t been cached yet.
* dnscache is not multithreaded, so will not make use of more than one CPU. BIND is multithreaded, but this seems to be problematic in some cases.
* In terms of performance, dnscache seems to beat BIND at high loads.
* BIND will return results quicker in some cases, due to less extensive checking than dnscache. For example, Akamai has some really obnoxious DNS entries for its worldwide load-balancing service, which is used by yahoo.com. Try dig www.yahoo.com @bindip and dig www.yahoo.com @dnscacheip: dnscache takes a while before you get an answer.
* A lot of people cite the file format as a big feature. That is, they find tinydns’s file format much easier to understand than BIND’s. One person likened BIND’s file format to a ‘programming language’ - I wonder if they were confusing it with sendmail?
djbdns does not, and the author’s code will not, support DNSSEC, TSIG, IXFR, NOTIFY, EDNS0 or IPv6.
djbdns can probably stay on the caches as I think DNSSEC will only need to go on the authoritative servers.
We need to start using the view statement in BIND for zones that are served publicly but contain RFC 1918 addresses: internal clients get the private addresses, everyone else only the public ones.
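Before adding the views, find out what actually leaks (added example, not from these notes and not BIND's own code): parse the A records of a zone file, flag RFC 1918 addresses, and list the names that need a different RRset per view rather than just a deleted record. The example.net zone is constructed for the example and the parser handles only one-record-per-line A records.

```python
from __future__ import annotations
import ipaddress
import re

# The three RFC 1918 blocks; these are also what the internal view's
# match-clients ACL would list (plus the server's own networks).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone (not real data). One record per line; the parser
# below is deliberately simple and only looks at A records.
ZONE = """\
$ORIGIN example.net.
$TTL 3600
@         IN  SOA  ns0.example.net. hostmaster.example.net. ( 2024010101 7200 3600 1209600 3600 )
@         IN  NS   ns0.example.net.
ns0       IN  A    203.0.113.10
www       IN  A    203.0.113.20
www       IN  A    10.1.2.20      ; internal clients should reach www directly
intranet  IN  A    192.168.5.5
printer   300 IN A 172.16.40.9
mail      IN  A    198.51.100.25
"""

# owner [ttl] [class] A address   (comments are stripped before matching)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)$", re.IGNORECASE)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def _match_a(line: str):
    return A_RECORD.match(line.split(";", 1)[0].rstrip())


def a_records(zone_text: str):
    """Yield (owner, address) for every A record in the zone text."""
    for line in zone_text.splitlines():
        m = _match_a(line)
        if m:
            yield m.group(1), m.group(2)


def audit(zone_text: str) -> dict:
    """Split A records into those safe to publish and those for the internal view only."""
    result = {"public": [], "internal_only": []}
    for owner, addr in a_records(zone_text):
        result["internal_only" if is_rfc1918(addr) else "public"].append((owner, addr))
    return result


def names_needing_split(zone_text: str) -> list[str]:
    """Owners with both public and private A records. Dropping the private RR from
    the external zone is not enough for these: each view needs its own RRset."""
    res = audit(zone_text)
    public = {owner for owner, _ in res["public"]}
    private = {owner for owner, _ in res["internal_only"]}
    return sorted(public & private)


def external_zone(zone_text: str) -> str:
    """Zone text for the external view: every A record with an RFC 1918 address removed."""
    kept = [line for line in zone_text.splitlines()
            if not ((m := _match_a(line)) and is_rfc1918(m.group(2)))]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit(ZONE)
    for owner, addr in report["internal_only"]:
        print(f"internal view only: {owner} {addr}")
    print("need a per-view RRset:", names_needing_split(ZONE))
```

The stripped output is what the external view should load; the unmodified file goes to the internal view. Views are matched in order and the first match-clients that fits wins, so the internal view (with allow-recursion) goes first and the external view (authoritative only, no recursion) last.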