Joe Abley wrote:
> I would agree that it is definitely worth trying, though. There are a lot of clever hooks and fancy bits under unbound's hood, and Wouter and co are pleasantly responsive to problem reports.
> Unbound also has the distinct advantage that it's not BIND, so if you are interested in software diversity a mixture of the two might give you some protection in the event of a zero-day exploit that affects just one of them.

I too have been running unbound and nsd since January and I've found both work well for me. I think the same caveat for software diversity applies to BIND's authoritative role. I've also been using ldns - the NLnet Labs libdns library and tools (http://www.nlnetlabs.nl/projects/ldns/) which has some nice hooks and support for DNSSEC including 'drill' (cf 'dig') and

  # ldns-keyfetcher - Fetches DNSSEC public keys for zones
  # ldns-keygen - Generate private/pubkey key pair for DNSSEC.
  # ldns-signzone - Signs a zone file according to DNSSECbis.
  # ldns-walk - 'Walks' a DNSSEC zone

I too have found the guys at NLnet Labs helpful.