Lightweight DNS servers

Since I got a lot of responses to my previous journal entry about tinydns, I wanted to share the answers with everyone else (and with search engines) in case anyone else was wondering the same thing.

The general consensus choice for a simple authoritative DNS server was NSD (which is also packaged for Debian, currently as nsd3). I took a brief look and indeed it would do what I want. It's still a bit more complicated than I would prefer, but nowhere near as bad as BIND, and it handles all modern DNS features (IPv6, DNSSEC, etc.).

Several people mentioned unbound, which looks like a great solution for a different problem than the problem that I have. It's a caching DNS server rather than an authoritative DNS server, although it supports some authoritative overrides.

There was also one recommendation of PowerDNS (Debian package pdns-server and friends), which I'd heard of before and which I think I'd turn to if I was looking for a full-featured DNS server. I think it's overkill for my tiny problem, but it has the neat feature that you can run an arbitrary command to provide DNS responses. That means that it could potentially replace lbnamed, should we need something with more features for some of the DNS tricks that we do with Stanford.

Finally, tinydns development hasn't completely stopped since djb stopped working on it, and there are maintained forks that have patches to support new record types. Still no DNSSEC support that I'm aware of, but continuing to use it with patches to support SRV and AAAA records is quite appealing, since I much prefer the zone file format (the "standard" zone file format is a horrible bodge) and, of course, I'm already familiar with it. If a new version were packaged for Debian, I'd probably just keep using it.

And as a bonus follow-up from my original post, on the topic of the divergent handling of iptables for IPv4 and IPv6, Martin Krafft recommended ferm, which looks very interesting but which I haven't yet investigated further.

Posted: 2010-09-21 16:34

Last spun 2013-07-01 from thread modified 2013-01-04