
Donnerstag, 7. Juni 2012

Migration from dnsmasq to bind9 9.8.1

First I'd like to say that dnsmasq is a great product, but there were some issues for me:
  • It doesn't provide DNS64
  • There were troubles with DNS forwarding in my LAN
  • I didn't find a way to allow requests from outside my LAN; I needed to allow at least one public IP address to request zone transfers from my DNS server
So, when migrating from Ubuntu 10.10 to Ubuntu 12.04, I also migrated my DNS solution from dnsmasq to bind9.

Forwarding DNS requests isn't difficult there either. I just added this line to "/etc/bind/named.conf":

include "/etc/bind/named.conf.gspdc";

In "named.conf.gspdc", there are the definitions for the zones that should be forwarded:

zone "greatsoft.local" {
        type forward;
        forwarders { 192.168.1.2; };
};

zone "virtual" {
        type forward;
        forwarders { 192.168.1.2; };
};

After a "service bind9 restart", it did not work! With nslookup on Windows, I got errors like this one:

speedy.greatsoft.local can't find debian.greatsoft.local: Non-existent domain

In the log file on the server, entries like this one appeared:

Jun  7 22:18:15 speedy named[3725]:   validating @0x7f3488535e10: greatsoft.local SOA: got insecure response; parent indicates it should be secure
Jun  7 22:18:15 speedy named[3725]:   validating @0x7f3480040480: greatsoft.local SOA: got insecure response; parent indicates it should be secure
Jun  7 22:18:15 speedy named[3725]: error (no valid RRSIG) resolving 'debian.greatsoft.local.greatsoft.local/DS/IN': 192.168.1.2#53
Jun  7 22:18:15 speedy named[3725]: error (insecurity proof failed) resolving 'debian.greatsoft.local.greatsoft.local/A/IN': 192.168.1.2#53
Jun  7 22:18:15 speedy named[3725]:   validating @0x7f347801bc80: greatsoft.local SOA: got insecure response; parent indicates it should be secure
Jun  7 22:18:15 speedy named[3725]: error (no valid RRSIG) resolving 'debian.greatsoft.local/DS/IN': 192.168.1.2#53
Jun  7 22:18:15 speedy named[3725]: error (insecurity proof failed) resolving 'debian.greatsoft.local/A/IN': 192.168.1.2#53

But that could be solved easily by changing the following in named.conf.options:

old: dnssec-validation auto;
new: dnssec-validation no;

I found the solution here: https://bugzilla.redhat.com/show_bug.cgi?id=682482
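Before switching dnssec-validation off for every name the resolver handles, it is worth checking whether the "insecurity proof failed" / "no valid RRSIG" errors in the log are confined to the zones that are forwarded to the internal server. The following script is an added example, not part of the original post: it parses named log lines of the form shown above (the sample lines are constructed after the ones in the post, plus one unrelated public name so the scope check has something to distinguish) and groups the failures by the forward zones declared in named.conf.gspdc. The zone list and log text are embedded as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample log: the same shape as the lines in the post, plus one
# failure for a public name that is NOT under any forwarded zone.
SAMPLE_LOG = """\
Jun  7 22:18:15 speedy named[3725]:   validating @0x7f3488535e10: greatsoft.local SOA: got insecure response; parent indicates it should be secure
Jun  7 22:18:15 speedy named[3725]: error (no valid RRSIG) resolving 'debian.greatsoft.local.greatsoft.local/DS/IN': 192.168.1.2#53
Jun  7 22:18:15 speedy named[3725]: error (insecurity proof failed) resolving 'debian.greatsoft.local.greatsoft.local/A/IN': 192.168.1.2#53
Jun  7 22:18:15 speedy named[3725]: error (no valid RRSIG) resolving 'debian.greatsoft.local/DS/IN': 192.168.1.2#53
Jun  7 22:18:15 speedy named[3725]: error (insecurity proof failed) resolving 'debian.greatsoft.local/A/IN': 192.168.1.2#53
Jun  7 22:19:02 speedy named[3725]: error (no valid RRSIG) resolving 'www.example.net/A/IN': 192.168.1.2#53
"""

# Forward zones as declared in named.conf.gspdc in the post.
FORWARD_ZONES = ["greatsoft.local", "virtual"]

# Matches: ... named[PID]: error (REASON) resolving 'NAME/TYPE/IN': SERVER#PORT
ERROR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[\d.]+)#\d+"
)


def parse_validation_errors(log_text):
    """Return one dict (reason, name, rtype, server) per 'error (...) resolving' line.

    The '  validating @0x...' lines carry no query name of their own and are skipped.
    """
    errors = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["name"] = entry["name"].rstrip(".").lower()
            errors.append(entry)
    return errors


def in_zone(name, zone):
    """True if name is the zone apex or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def classify(errors, forward_zones):
    """Split failures into those under a forwarded zone and those outside all of them."""
    forwarded = defaultdict(list)
    other = []
    for e in errors:
        for zone in forward_zones:
            if in_zone(e["name"], zone):
                forwarded[zone].append(e)
                break
        else:
            other.append(e)
    return forwarded, other


def recommend(log_text, forward_zones):
    """'scoped'      -> every failure sits under a forwarded zone; exempting only
                        those zones from validation is enough.
       'investigate' -> failures also hit names outside the forwarded zones; a
                        global switch-off would hide a separate problem.
       'none'        -> no validation failures in the log."""
    errors = parse_validation_errors(log_text)
    forwarded, other = classify(errors, forward_zones)
    if other:
        return "investigate"
    if forwarded:
        return "scoped"
    return "none"


if __name__ == "__main__":
    fwd, rest = classify(parse_validation_errors(SAMPLE_LOG), FORWARD_ZONES)
    for zone, hits in fwd.items():
        print(f"{zone}: {len(hits)} failure(s) via {hits[0]['server']}")
    print(f"outside forwarded zones: {len(rest)}")
    print("recommendation:", recommend(SAMPLE_LOG, FORWARD_ZONES))
```

When the result is "scoped", the fix can be limited to the internal zones rather than applied to the whole resolver: newer BIND releases offer negative trust anchors (`rndc nta`) and the `validate-except` option for exactly this case. BIND 9.8.1 has neither, so the global `dnssec-validation no;` from the post is the knob available there, at the price of losing validation for all public names resolved through this server.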

Conclusion: Migrating from dnsmasq to bind9 is easy and offers you enhanced possibilities. However, for small networks that only need a simple DNS cache, I still warmly recommend dnsmasq.
