Ok this is possibly the easiest thing on earth but I didn’t see any clear documentation on the topic apart from a simple text file which actually helped.

The server runs into a FreeBSD jail, I won’t cover this part as there are plenty of good documentation on this matter already.

The first step is obviously to install nsd, for example using pkg:

# pkg install nsd

My master DNS server runs BIND so there’s no specifics regarding nsd, here’s the most basic configuration the slave needs:

# cat /usr/local/etc/nsd/nsd.conf
        control-enable: yes

        zonesdir: "/usr/local/etc/nsd"
        verbosity: 1
        name: "imil.net"
        zonefile: imil.net.signed
        allow-notify: NOKEY
        request-xfr: AXFR NOKEY

Ensure /usr/local/etc/nsd belongs to nsd for the zone file to be created, and run nsd-control-setup to create keys needed for nsd-control commands such as:

# nsd-control zonestatus imil.net
zone:   imil.net
        state: ok
        served-serial: "2023052702 since 2023-05-27T06:53:39"
        commit-serial: "2023052702 since 2023-05-27T06:53:39"
        wait: "19567 sec between attempts"

Enable nsd in /etc/rc.conf by adding nsd_enable="YES" (yes I know about sysrc) and start nsd:

# service nsd start

Check that the daemon is happy by tail’ing /vag/log/daemon.log.

You might want to force zone write to disk just to check everything is setup right:

# nsd-control write

And… that’s it really!