Maintained by: NLnet Labs

[Unbound-users] unbound vs nsd

W.C.A. Wijngaards
Wed May 21 16:22:14 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Farkas Levente wrote:
| hi,
| i'm just noticed unbound and getting confused. nlnetlabs develop nsd and
| unbound too. why? what's more it seems from the mailing list that the
| same people involved in both projects? so i've got a few querstions:
| - why are to different name server?
| - why not merge the two project?
| i can even image there are pros and cons for each others. i see nsd is
| authoritative only, while unbound recursive and caching, but still
| wouldn't it be possible to merge the two project and make these features
| configurable?
| thanks in advance.
| yours.
|

Hi Farkas,

The projects NSD and Unbound are different, in that NSD is authoritative
only and Unbound is meant as a 'client' server (a caching validating
recursor). You are correct that that is the difference between the two.

It is currently discouraged to run servers that are both authoritative
and recursive at the same time (IETF dnsop workgroup). This to limit the
number of 'open resolvers' out there, that can become accomplices to DoS
and so on.

Thus it makes sense to split up into two servers, an authoritative and a
recursive one.

Also, NSD was kept as small as possible for its job. That is a goal for
NSD. Unbound however, does support a small amount of authoritative
service, for replying to localhost, blocking 10.in-addr.arpa. and so on.

Also, the history of both servers is different, NSD from root service,
and Unbound from Versign, Nominet, EP.net, Kirei, java-prototype unbound.

Summary: the merge idea was discussed, but we felt that merging DNS
authority service and recursion service is not a good thing in general,
and thus we shouldn't expend a lot of effort to enable it.

Best regards,
~   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkg0MBYACgkQkDLqNwOhpPiuswCfY1SrYULAGkL2Dt+kcUVNpk1x
wKMAmgPJ3RgKs934U2Jo0pVUQWy3sbiK
=+eDx
-----END PGP SIGNATURE-----