I am experimenting with IPv6 at home using Hurricane Electric’s free tunnel broker. I had to upgrade my Cisco 877 router’s RAM, flash and software to get IPv6 support, and also my local caching DNS resolver, dnscache. There are IPv6 patches for djbdns, but since I installed them my DNS lookups seem slow. Using snoop and ethereal, it looks like the behavior of the server with or without the patches is quite different.

Considering the fact that djbdns has not had an official update since 2001, only collections of patches from third parties, it was time to change, even though it was immune by construction to the Kaminsky bug. I opted for unbound, from the same people who wrote the high-performance NSD server used on the RIPE root nameserver. It has a relatively simple architecture design for performance and security, and it supports DNSSEC, something that will become increasingly important.

While the configuration file format for unbound is simple, unlike the nightmare that is BIND, the devil in the details made the migration more painful than it ought to have been, thanks in part to my split-horizon DNS configuration for machines on my local subnet. I don’t know if it is a placebo effect, but my queries now feel faster.