
NSD

Name Server Daemon — a simple, security-focused authoritative-only DNS server by NLnet Labs, used by root server operators and TLD registries worldwide.

Overview

Security-First Authoritative Server

NSD (Name Server Daemon) is built by NLnet Labs — the same organization that builds Unbound. The two products are designed to be complementary: NSD handles authoritative zones, Unbound handles recursive resolution. This clean separation is the recommended production architecture for security-conscious deployments.

NSD is intentionally minimal. It compiles zone files into an optimized binary database for fast loading and query answering. It has no recursion, no caching beyond zone data, and a small codebase — properties that reduce attack surface. Several root nameserver operators (including k.root-servers.net) run NSD.

  • Authoritative-only — no recursion, no cache, minimal attack surface
  • Compiles zone files to binary database (nsd-checkzone + nsdc rebuild)
  • DNSSEC: serves pre-signed zones; does not sign zones itself (use ldns-signzone or dnssec-signzone)
  • AXFR/IXFR zone transfer for secondary/primary setups
  • Fast zone reload via nsd-control reload
  • IPv6 support, TSIG for secure zone transfers
  • Used at root nameservers — proven at extreme scale

When to Choose NSD

  • You want a minimal, security-focused authoritative server
  • You are pairing it with Unbound as your recursive resolver
  • You prefer simplicity and a small codebase over feature richness
  • You manage pre-signed DNSSEC zones externally

First released: 2003
Deployment: used at root nameservers
Configuration

Key Configuration Examples

nsd.conf — basic setup

    # /etc/nsd/nsd.conf
    server:
        server-count: 1
        ip-address: 0.0.0.0
        ip-address: ::0
        port: 53
        username: nsd
        logfile: /var/log/nsd.log
        pidfile: /run/nsd/nsd.pid
        zonesdir: /etc/nsd/zones

    remote-control:
        control-enable: yes
        control-interface: 127.0.0.1

    zone:
        name: example.com
        zonefile: example.com.zone

    zone:
        name: example.net
        zonefile: example.net.zone

Primary + secondary setup

    # On the primary (nsd.conf):
    key:
        name: tsig-key
        algorithm: hmac-sha256
        secret: "base64encodedkey=="

    zone:
        name: example.com
        zonefile: example.com.zone
        notify: 192.0.2.10 tsig-key
        provide-xfr: 192.0.2.10 tsig-key

    # On the secondary (nsd.conf):
    zone:
        name: example.com
        zonefile: example.com.zone
        allow-notify: 192.0.2.1 tsig-key
        request-xfr: AXFR 192.0.2.1 tsig-key
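The transfer ACLs above are where an authoritative server most often leaks zone data: a provide-xfr entry with NOKEY (or no key name at all), an ACL that matches every address, a key: block that the ACL refers to but that was never defined, or a TSIG key on a deprecated HMAC. nsd-checkconf catches syntax errors but not policy mistakes like these. The following audit script is an added example, not NSD's own tooling; it parses NSD's clause/attribute layout (a "zone:" line opens a block, "attr: value" lines belong to it) and flags those settings plus a control-interface that is not loopback. Both configs inside it are constructed samples, and it does not follow include: directives or NSD's mask/range ACL forms.

```python
"""Audit an nsd.conf for zone-transfer and control-channel exposure.

Added example, not part of NSD. Pure standard library; run it directly
to audit the two constructed samples, or call audit_nsd_conf() on the
contents of a real file.
"""
import ipaddress

CLAUSES = {"server", "remote-control", "key", "zone", "pattern"}
WEAK_TSIG = {"hmac-md5", "hmac-sha1"}


def parse_nsd_conf(text):
    """Return [(clause, {attribute: [values...]}), ...] in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.endswith(":") and line[:-1] in CLAUSES:
            current = (line[:-1], {})
            blocks.append(current)
        elif ":" in line and current is not None:
            attr, value = line.split(":", 1)
            current[1].setdefault(attr.strip(), []).append(value.strip())
    return blocks


def _is_local(iface):
    """True for a unix socket path or a loopback address (optional @port suffix)."""
    if iface.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(iface.split("@", 1)[0]).is_loopback
    except ValueError:
        return False


def _is_any_network(addr):
    """True for the catch-all 0.0.0.0/0 or ::/0 ACL entries."""
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:                                # masks/ranges are not checked here
        return False


def _acl_key(fields):
    """Key name of an ACL line; NSD treats a missing key name as NOKEY."""
    return fields[1] if len(fields) > 1 else "NOKEY"


def audit_nsd_conf(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    blocks = parse_nsd_conf(text)
    defined = {a["name"][0] for c, a in blocks if c == "key" and "name" in a}
    findings = []
    for clause, attrs in blocks:
        if clause == "key":
            name = attrs.get("name", ["?"])[0]
            alg = attrs.get("algorithm", [""])[0].lower()
            if alg in WEAK_TSIG:
                findings.append(f"key {name}: weak TSIG algorithm {alg}, use hmac-sha256")
        elif clause == "remote-control" and attrs.get("control-enable", ["no"])[0] == "yes":
            for iface in attrs.get("control-interface", []):
                if not _is_local(iface):
                    findings.append(f"remote-control: control-interface {iface} is not loopback")
        elif clause in ("zone", "pattern"):
            name = attrs.get("name", ["?"])[0]
            for acl in attrs.get("provide-xfr", []):
                fields = acl.split()
                if not fields:
                    continue
                addr, key = fields[0], _acl_key(fields)
                if key.upper() == "NOKEY":
                    findings.append(f"zone {name}: provide-xfr to {addr} without TSIG (NOKEY)")
                elif key.upper() != "BLOCKED" and key not in defined:
                    findings.append(f"zone {name}: provide-xfr to {addr} references undefined key {key}")
                if _is_any_network(addr):
                    findings.append(f"zone {name}: provide-xfr open to all addresses ({addr})")
            for acl in attrs.get("request-xfr", []):
                fields = acl.split()
                if fields and fields[0].upper() in ("AXFR", "UDP"):   # optional transport word
                    fields = fields[1:]
                if not fields:
                    continue
                key = _acl_key(fields)
                if key.upper() == "NOKEY":
                    findings.append(f"zone {name}: request-xfr from {fields[0]} without TSIG")
                elif key not in defined:
                    findings.append(f"zone {name}: request-xfr from {fields[0]} references undefined key {key}")
    return findings


# Constructed sample: the risky settings the audit is meant to catch.
WEAK_CONF = """
server:
    ip-address: 0.0.0.0
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
key:
    name: legacy-key
    algorithm: hmac-md5
    secret: "c2VjcmV0c2VjcmV0c2VjcmV0"
zone:
    name: example.com
    zonefile: example.com.zone
    provide-xfr: 0.0.0.0/0 NOKEY
    provide-xfr: 192.0.2.10 missing-key
"""

# Constructed sample: the same layout with the settings corrected.
HARDENED_CONF = """
server:
    ip-address: 0.0.0.0
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
key:
    name: tsig-key
    algorithm: hmac-sha256
    secret: "base64encodedkey=="
zone:
    name: example.com
    zonefile: example.com.zone
    notify: 192.0.2.10 tsig-key
    provide-xfr: 192.0.2.10 tsig-key
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {len(audit_nsd_conf(conf))} finding(s)")
        for finding in audit_nsd_conf(conf):
            print("  -", finding)
```

Against the weak sample the audit reports five findings (open ACL, NOKEY transfer, undefined key, hmac-md5, non-loopback control interface); the hardened sample, which matches the primary configuration shown above, reports none. The NOKEY and 0.0.0.0/0 spellings are NSD's own ACL syntax; anything the parser cannot interpret as an address or network is left unflagged rather than guessed at.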

nsd-control commands

    # Set up the control socket (first time)
    nsd-control-setup

    # Start / stop / reload
    nsd-control start
    nsd-control stop
    nsd-control reload                  # reload zone files

    # Reload a specific zone
    nsd-control reload example.com

    # Check zone status
    nsd-control zonestatus example.com

    # Force zone transfer from primary
    nsd-control transfer example.com

    # View server stats
    nsd-control stats

Zone file validation

    # Check zone file syntax
    nsd-checkzone example.com /etc/nsd/zones/example.com.zone

    # Check NSD config
    nsd-checkconf /etc/nsd/nsd.conf

    # Rebuild binary zone database (required after editing zone files
    # when not using nsd-control reload). NSD 3 only: nsdc was removed
    # in NSD 4, where nsd-control reload compiles and loads the zone.
    nsdc rebuild
    nsdc reload

    # Sign a zone with ldns-signzone (NSD serves pre-signed zones).
    # ldns-keygen prints the key's base file name; ldns-signzone takes
    # that base name (not the .key file) and writes example.com.zone.signed,
    # which is the file the zonefile: option should point at.
    KEY=$(ldns-keygen -a ECDSAP256SHA256 example.com)
    ldns-signzone example.com.zone "$KEY"
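Because NSD serves pre-signed zones exactly as written and never re-signs, the failure mode to watch for is signature expiry: the server keeps answering, but validating resolvers start returning SERVFAIL once the RRSIG expiration passes. nsd-checkzone validates syntax, not signature lifetimes. The check below is an added example (not NSD's or ldns's code) that reads the RRSIG records out of a signed zone file, handling the multi-line parenthesised form ldns-signzone writes, and reports signatures that are expired or expire within a warning window. The zone inside it is a constructed sample with placeholder signature data.

```python
"""Report RRSIG records in a pre-signed zone that are expired or close to it.

Added example, not part of NSD or ldns. Intended to run against the signed
zone file before a reload and on a schedule alongside the re-signing job.
"""
from datetime import datetime, timedelta, timezone


def _records(text):
    """Yield zone-file records as token lists, joining multi-line ( ... ) records."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0


def _rrsig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS (what ldns-signzone writes) or epoch seconds."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(text):
    """Return [(owner, covered type, expiration, signer), ...] for every RRSIG."""
    sigs = []
    for f in _records(text):
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        # RFC 4034 presentation order after the type token:
        # type alg labels origttl expiration inception keytag signer signature
        sigs.append((f[0], f[i + 1], _rrsig_time(f[i + 5]), f[i + 8]))
    return sigs


def check_signatures(text, now, warn_days=7):
    """Split RRSIGs into (expired, expiring within warn_days) lists of (owner, type)."""
    horizon = now + timedelta(days=warn_days)
    expired, soon = [], []
    for owner, rtype, expiration, _signer in parse_rrsigs(text):
        if expiration <= now:
            expired.append((owner, rtype))
        elif expiration <= horizon:
            soon.append((owner, rtype))
    return expired, soon


# Constructed sample: three signatures with placeholder (non-cryptographic) data.
SAMPLE_ZONE = """\
$TTL 3600
example.com.  IN SOA ns1.example.com. hostmaster.example.com. 2024060101 7200 900 1209600 3600
example.com.  3600 IN RRSIG SOA 13 2 3600 (
        20240525000000 20240501000000 12345 example.com.
        c29tZXNpZ25hdHVyZQ== )    ; placeholder signature, already expired
example.com.  3600 IN NS ns1.example.com.
example.com.  3600 IN RRSIG NS 13 2 3600 20240603120000 20240520000000 12345 example.com. c29tZXNpZ25hdHVyZQ==
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 13 3 3600 20240701000000 20240601000000 12345 example.com. c29tZXNpZ25hdHVyZQ==
"""

# Fixed "current time" so the sample report is reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_report():
    """Run the check over the constructed zone at the fixed sample time."""
    return check_signatures(SAMPLE_ZONE, SAMPLE_NOW)


if __name__ == "__main__":
    expired, soon = sample_report()
    for owner, rtype in expired:
        print(f"EXPIRED  {owner} {rtype}")
    for owner, rtype in soon:
        print(f"EXPIRING {owner} {rtype}")
    # For a real zone: check_signatures(open(path).read(), datetime.now(timezone.utc))
```

On the sample, the SOA signature is reported as expired and the NS signature as expiring within the seven-day window; the A record's signature is still good. A non-empty expired list is a reason to block the reload and re-sign first, since loading the file would publish signatures that validators already reject.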