NSD is an authoritative-only name server with a deliberately small feature set: it does no recursion and does not sign zones itself. Securing it centres on zone transfer controls, DNSSEC key handling, and hardening of the host it runs on.
¶ Role and Zone Transfer Controls
- Keep NSD in its authoritative-only role; put any recursive resolver on a separate host or address so the two are never exposed on the same service.
- Bind NSD only to the addresses that must serve DNS (`ip-address:` in nsd.conf) rather than every interface.
- Restrict the nsd-control interface to loopback or a local Unix socket, and keep its TLS key files readable only by root and the NSD user.
- Require TSIG on every zone transfer and NOTIFY, with a distinct key per secondary so a leaked key can be revoked without touching the others.
- Allow AXFR/IXFR only from explicitly listed secondaries (`provide-xfr:` per zone).
- NSD refuses transfers to any address that has no matching `provide-xfr` entry, so everything else is denied by default; never add a catch-all `provide-xfr` with NOKEY.
¶ DNSSEC and Key Protection
- Sign zones with an external signer (NSD serves signed data but does not sign it) and alert on RRSIG expiry well before the signatures lapse, not after resolvers start returning SERVFAIL.
- Keep private signing keys off the serving host where possible (signer host or HSM), with restrictive file permissions and encrypted, access-controlled backups.
- Roll keys on a documented schedule with a written procedure (pre-publish the new ZSK; for KSK rolls, update the DS at the parent and wait for TTLs to expire before retiring the old key), and rehearse the procedure before it is due.
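NSD only serves the signed zone, so signature lifetime has to be watched from outside. The script below is an added example, not NSD code or part of this page's original content: it scans a signed zone file in presentation format (as written by ldns-signzone or a similar signer), reads the expiration and inception fields of every RRSIG, and reports signatures that are expired, about to expire within a warning window, or not yet valid. The zone text and the fixed reference time are constructed sample data with dummy base64 signatures; the function names are this example's own.

```python
"""Report RRSIGs in a signed zone file that are expired, expiring soon, or not yet valid.

Added example (not NSD code): NSD serves signed zones but does not sign them,
so signature lifetime has to be watched by the operator. Feed it the zone text
that NSD loads (presentation format, as written by ldns-signzone or similar).
"""
from datetime import datetime, timedelta, timezone

# RRSIG expiration and inception are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2).
_RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def _logical_lines(zone_text):
    """Strip ';' comments and join records wrapped in ( ... ) onto one line."""
    out, buf = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if buf is not None:
            buf += " " + line.strip()
            if ")" in line:
                out.append(buf)
                buf = None
        elif "(" in line and ")" not in line:
            buf = line.strip()
        else:
            out.append(line)
    return [ln.replace("(", " ").replace(")", " ") for ln in out]


def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, inception) for every RRSIG record.

    Assumes each record carries an explicit owner name (no blank-owner continuation).
    Layout after the RRSIG token: type alg labels origttl expiration inception keytag signer sig
    """
    for line in _logical_lines(zone_text):
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        expiration = datetime.strptime(fields[i + 5], _RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
        inception = datetime.strptime(fields[i + 6], _RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
        yield fields[0], fields[i + 1], expiration, inception


def check_signatures(zone_text, now, warn=timedelta(days=7)):
    """Return [(owner, type, status, expiration)] for signatures needing attention.

    status: 'expired', 'not-yet-valid', or 'expiring' (expires within `warn` of now).
    Valid signatures outside the warning window are not reported.
    """
    problems = []
    for owner, rtype, exp, inc in parse_rrsigs(zone_text):
        if exp <= now:
            problems.append((owner, rtype, "expired", exp))
        elif inc > now:
            problems.append((owner, rtype, "not-yet-valid", exp))
        elif exp - now <= warn:
            problems.append((owner, rtype, "expiring", exp))
    return problems


# Constructed sample zone: dummy base64 signatures, not real DNSSEC data.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
example.com.      3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024050101 7200 3600 1209600 3600
example.com.      3600 IN RRSIG SOA 13 2 3600 20240601000000 20240502000000 12345 example.com. c2lnMQ==
example.com.      3600 IN NS    ns1.example.com.
example.com.      3600 IN RRSIG NS 13 2 3600 20240510120000 20240410120000 12345 example.com. c2lnMg==
www.example.com.   300 IN A     192.0.2.10
www.example.com.   300 IN RRSIG A 13 3 300 ( 20240515000000 20240415000000
                                             12345 example.com. c2lnMw== )
mail.example.com.  300 IN A     192.0.2.25
mail.example.com.  300 IN RRSIG A 13 3 300 20240701000000 20240601000000 12345 example.com. c2lnNA==
"""

# Fixed reference time so the sample is reproducible; use datetime.now(timezone.utc) in production.
SAMPLE_NOW = datetime(2024, 5, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    for owner, rtype, status, exp in check_signatures(SAMPLE_ZONE, SAMPLE_NOW):
        print(f"{status:14} {owner} {rtype} expires {exp.isoformat()}")
```

Run it against the zone file NSD actually loads (from a cron job or your monitoring agent) with `datetime.now(timezone.utc)` as `now`, and page on any `expired` or `not-yet-valid` result; `expiring` with a window longer than the signer's re-sign interval catches a stalled signer before resolvers notice.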
¶ Host Hardening
- Run the service as a dedicated unprivileged user (`username:` in nsd.conf; `chroot:` is also available) so a compromise of the daemon does not yield root.
- Keep the OS and NSD packages patched, and subscribe to the NSD security announcements so transfer and parser fixes are applied promptly.
- Restrict file permissions in /etc/nsd and the zone directory: the configuration (which contains TSIG secrets) and the nsd-control key files readable only by root and the NSD user, and zone files writable only by the process that updates them.
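The following nsd.conf fragment (NSD 4 syntax) is an added example that ties together the listener, control-socket, TSIG and transfer items above and the dedicated-user item in this section; it is not taken from this page or from the NSD documentation. The addresses, zone name, key name and the base64 secret are placeholders, and the second `zone:` stanza belongs in the secondary's own nsd.conf, not the primary's.

```yaml
# Added example: nsd.conf fragment for a primary (NSD 4).
# All addresses, names and the secret below are placeholders.
server:
    # Listen only on the addresses that must serve DNS, never 0.0.0.0 / ::0.
    ip-address: 192.0.2.53
    ip-address: 2001:db8::53
    hide-version: yes
    # Drop privileges to a dedicated account after binding port 53.
    username: nsd
    zonesdir: "/etc/nsd/zones"

remote-control:
    control-enable: yes
    # Loopback only; nsd-control authenticates with the TLS key pairs from
    # nsd-control-setup, so keep these files readable only by root and nsd.
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

# One TSIG key per secondary. Generate a real secret with: openssl rand -base64 32
key:
    name: "sec1.example.com."
    algorithm: hmac-sha256
    secret: "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"   # placeholder, not a real key

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # NOTIFY only the listed secondary, and serve AXFR/IXFR only to it, TSIG-signed.
    notify: 192.0.2.2 sec1.example.com.
    provide-xfr: 192.0.2.2 sec1.example.com.
    # Any address without a matching provide-xfr is already refused; these
    # lines only make the deny-by-default explicit. Keep them after the
    # specific entries, because ACL entries are matched in order.
    provide-xfr: 0.0.0.0/0 BLOCKED
    provide-xfr: ::0/0 BLOCKED

# --- On the secondary host's nsd.conf, with the same key: stanza ---
# zone:
#     name: "example.com"
#     zonefile: "example.com.zone"
#     allow-notify: 192.0.2.53 sec1.example.com.
#     request-xfr: AXFR 192.0.2.53 sec1.example.com.
```

After reloading, confirm the deny-by-default from a host that is not a listed secondary: `dig @192.0.2.53 example.com AXFR` must be refused, while the same query from 192.0.2.2 signed with the key (`dig -y hmac-sha256:sec1.example.com.:<secret> ...`) must succeed. An unsigned transfer succeeding from anywhere means a NOKEY catch-all has crept into `provide-xfr`.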
¶ Monitoring and Audit
- Alert on failed or refused transfers, on zone serial changes that did not come from your provisioning or signing process, and on secondaries falling behind the primary's serial.
- Ship NSD logs to a central collector and retain them long enough to reconstruct an incident, since a local log on a compromised host cannot be trusted.
- Alert on repeated failed nsd-control actions and on control connections from anywhere other than the expected administrative hosts.