doc: Incomplete Tutorial for DNS server setup? #79

teward opened this issue Nov 13, 2024 · 3 comments

Comments

@teward

teward commented Nov 13, 2024

Hello hello! I was perusing the how-to section of the Server Documentation, and would like to make a note that this is the bare minimum setup for a DNS server. However, it seems that it's missing some things for "Sane Default Configurations" which make it comply with RFC and other DNS-important features.

Such things are "Enabling DNSSEC verification on lookups" among other 'sane defaults' such as conforming to RFC 1035 which is not part of the default standard configs, etc.

Would contributions appending useful information or such be useful? Or would you prefer there be a more in-depth description of how to do things with regards to DNS servers? (I'm willing to put together a "DNS Server Setup, Configuration, and Considerations" workshop or such if necessary as I have some pretty interesting things I do with DNS servers and BIND9 if it's interesting to have those.)


Document: how-to/networking/install-dns.md

@panlinux (Contributor)

> Such things are "Enabling DNSSEC verification on lookups"

That is the default in bind9 already, but I suppose we could highlight that.

DNSSEC itself just got a whole new set of docs, merged in the past week. Please check these and file issues or PRs if you see something wrong:

> Would contributions appending useful information or such be useful? Or would you prefer there be a more in-depth
> description of how to do things with regards to DNS servers?

In these guides we try to introduce the topic, show examples, practical configurations, but leave the more in-depth aspects of it to the upstream documentation where applicable. I think upstream BIND has good documentation, and we shouldn't try to reinvent it. But it makes sense to document Ubuntu changes, for example, or what our default configuration is, etc.

As to RFC1035, given the above, if you have something specific that you would like to see the docs cover, please tell, and we will evaluate.

Feel free to file PRs and issues, and we will get to them and decide.

@teward (Author)

teward commented Nov 14, 2024

@panlinux RE: RFC 1035, except for very old DNS clients, caching DNS servers and non-authoritative servers for a given domain should NOT respond with the "authoritative" bit set in the response for NXDOMAIN responses.

The default in BIND9 is to have the configuration option of `auth-nxdomain no;` as a default, but many DNS configuration guides say to put this in your configuration directly as `auth-nxdomain no;` with a note that this is to conform with RFC1035. It's a simple one line to add to the named.conf.options file, but it makes sure that the 'default of auth-nxdomain is no', which could be compiled differently, is in fact "no", thus conforming to RFC1035.

Older DNS clients before then will need auth-nxdomain set to "yes" but the vast majority don't require that, and I think it'd be better to inform people to conform to RFC than not.

@panlinux (Contributor)

I'm on the fence about changing the default config file with an option that already has a sane default.

Changing shipped config files in a debian package always has the "risk" of generating a dpkg conf prompt on upgrades, which is something we try to avoid. And in this case, its purpose would be more aligned with documentation, rather than changing or setting a config option, because the default already has the value we want. So some users would get a dpkg conf prompt for no benefit.

Is auth-nxdomain being set to yes erroneously a real problem out there? I think we can add it to the DNS guide (with the value no, of course), but probably not in the package.
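As an added example (not from the Ubuntu Server docs, the bind9 package, or either commenter), the following POSIX shell snippet covers both points above: it prints the one line teward proposes restating inside the existing `options { ... }` block of `/etc/bind/named.conf.options`, and it answers panlinux's question of whether a resolver is actually setting the AA bit on NXDOMAIN answers, by classifying the `;; flags:` header of a `dig` reply. The `dig` outputs embedded below are constructed samples in the standard `dig` comment-section format; the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example; not from the Ubuntu Server docs or the bind9 package.
# Two helpers:
#   auth_nxdomain_fragment  - the line to add inside the existing options { } block
#   nxdomain_aa_check       - read a dig reply's comment section and flag the
#                             RFC 1035 violation (AA set on an NXDOMAIN answer
#                             from a caching / non-authoritative server)

# Prints the fragment to paste inside options { ... } in /etc/bind/named.conf.options.
# "no" is BIND9's compiled-in default; restating it documents the intent and
# pins the value even if a build or a later include changes the default.
auth_nxdomain_fragment() {
  cat <<'EOF'
    // RFC 1035: a caching/non-authoritative server must not set AA on NXDOMAIN
    auth-nxdomain no;
EOF
}

# Reads the ";; ..." comment lines of a dig reply on stdin and prints one of:
#   ok              - NXDOMAIN answer without the AA bit (expected for a resolver)
#   aa-on-nxdomain  - NXDOMAIN answer with the AA bit set (the violation)
#   not-nxdomain    - reply was not an NXDOMAIN, nothing to judge
# Exit status is 1 only for the violation.
# Live use against a local resolver (name assumed not to exist):
#   dig @127.0.0.1 does-not-exist.example. A +noall +comments | nxdomain_aa_check
nxdomain_aa_check() {
  reply=$(cat)
  # ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345"  -> NXDOMAIN
  status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  # ";; flags: qr rd ra; QUERY: 1, ..."  -> "qr rd ra"
  flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  if [ "$status" != "NXDOMAIN" ]; then
    echo not-nxdomain
    return 0
  fi
  # Pad with spaces so "aa" is matched as a whole token, not as part of "ra" etc.
  case " $flags " in
    *' aa '*) echo aa-on-nxdomain; return 1 ;;
    *)        echo ok; return 0 ;;
  esac
}

# Constructed sample: what a BIND9 recursive resolver with the default
# auth-nxdomain no; returns for a non-existent name.
SAMPLE_DEFAULT=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Constructed sample: the same query answered by a resolver with auth-nxdomain yes;.
SAMPLE_AA_YES=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12346
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Constructed sample: an ordinary successful lookup, which the check ignores.
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Demo on the constructed samples when run as a script.
printf 'fragment to add:\n'; auth_nxdomain_fragment
printf 'default resolver : '; printf '%s\n' "$SAMPLE_DEFAULT" | nxdomain_aa_check || :
printf 'auth-nxdomain yes: '; printf '%s\n' "$SAMPLE_AA_YES"  | nxdomain_aa_check || :
printf 'NOERROR reply    : '; printf '%s\n' "$SAMPLE_NOERROR" | nxdomain_aa_check || :
```

After adding the line, `named-checkconf` validates the syntax and `rndc reload` applies it; the `dig` pipeline above then gives a direct yes/no answer to panlinux's question for any resolver you point it at, without needing to know how that resolver was built.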
