The panel that makes BIND9 manageable.

Authoritative DNS on Debian 12 & 13, in one panel. Per-zone master/slave/forward with conditional forms, one-click DNSSEC (KASP) with DS records ready for the registrar, curated RPZ threat-intel feeds plus your own custom feed URLs, live propagation check across Cloudflare and Quad9. Files are the source of truth — no database, vim is a first-class editor.

Get nomina See the stack

Free for personal and non-commercial use — home labs, learning, self-hosting your own DNS. Commercial deployments (paying clients, for-profit production) require a NetForge license — see the terms.

Why nomina

✦

DNSSEC in one click, with DS export

Toggle dnssec-policy default; on a master zone and BIND auto-generates KSK + ZSK in /srv/nomina/dnssec/<zone>/ on the next apply. nomina computes the DS records (SHA-256 + SHA-384) and shows them ready to paste at the registrar — drift detection included.

⌬

RPZ threat-intel out of the box

Curated feeds (URLhaus, Hagezi, OISD, NetForge mining) toggle on/off with a checkbox. Drop in your own feed URLs for private blocklists. Whitelist plus a custom block list as top-level overrides — fix a false positive in one place instead of disabling a whole feed.

⛌

Files, not a database

Zones are .json sidecars next to BIND zone files. Admins are admins.json. Audit log is .jsonl. RPZ lists are zone files. Vim them. Edits round-trip cleanly to the panel — no schema migrations, no hot-copy backup gymnastics.

The chosen stack

One daemon. One panel. No alternatives — less choice means less drift between two nomina boxes and less for you to debug at 2am.

BIND9DNS daemon

KASPDNSSEC policy

RPZResponse Policy Zones

dnspythonparser + DS computation

nftableskernel firewall

fail2banauth abuse defense

plain filesstate under /srv/nomina/

FastAPIpanel HTTP layer

Debian 12 & 13only target

No SQL. No Docker. No web admin baked into a Rust monolith. BIND, well-rendered config, and a panel that respects your time.

How it compares

	nomina	Webmin	BindAgent	Cloudflare DNS
Self-hosted (you own the server)	✓	✓	✓	SaaS
Modern UI	✓	2003 vibes	stale	✓
DNSSEC one-click + DS export	✓	manual keygen	partial	✓
RPZ threat-intel feeds	curated + custom	✗	✗	DNS firewall ($$)
Live propagation check	✓	✗	✗	partial
Pi 4 / 4 GB target	✓	✓	✓	N/A
Files visible & vim-editable	✓	✓	DB-backed	SaaS
Family integration (hosting + mail)	arx + missus	✗	✗	✗

How a query flows through nomina

Two lanes — inbound (the world resolving your zones) and admin (you editing them). Same daemon, same SQLite-free state, no extra moving parts. Each blue-bordered box is something the panel renders config for and you can read on disk.

nomina data flow: external resolvers query BIND on port 53; BIND reads zones from /srv/nomina/zones/, RPZ from /srv/nomina/rpz/, DNSSEC keys from /srv/nomina/dnssec/. The admin edits state via the panel on 127.0.0.1:8053 (loopback, fronted by arx); apply re-renders /srv/nomina/named.conf.local and rndc reconfigs BIND.

Install

On a fresh Debian 12 (bookworm) or 13 (trixie) VPS, Pi, or LXC, as root:

Add the NetForge public APT repo (codename auto-detected):

curl -fsSL https://apt.netforge.it/netforge.asc | sudo tee /etc/apt/keyrings/netforge.asc > /dev/null

echo "deb [signed-by=/etc/apt/keyrings/netforge.asc] https://apt.netforge.it/public $(. /etc/os-release; echo $VERSION_CODENAME) main" | sudo tee /etc/apt/sources.list.d/netforge.list

Install — apt resolves BIND9, nftables, fail2ban:
```
sudo apt update
```
```
sudo apt install nomina
```
(rare) If apt complains about unmet dependencies, fix in one shot:
```
sudo apt -f install
```
First admin + start. The panel is bound to 127.0.0.1:8053 — front it with arx's reverse_proxy or SSH-tunnel from your laptop:
```
sudo nomina admin create
```
```
sudo systemctl enable --now nomina
```
```
ssh -L 8053:127.0.0.1:8053 root@your-vps
```

State and configs live under /srv/nomina/ — backup is just rsync, restore is nomina rehydrate. Migration between boxes is a one-liner. Step 3 (apt -f install) is only needed if a third-party repo or a half-removed previous install left the dependency tree broken — it recomputes what's missing and resolves it.

Part of the NetForge family

nomina doesn't try to be everything. Two sister panels handle what's not DNS — together the three cover hosting, mail, and naming on a single self-hosted box.

arx

Hosting panel. nginx + PHP-FPM, per-site outbound firewall, WireGuard admin plane, Squid SNI filter. The HTTPS edge that fronts nomina (and missus). arx.netforge.it →

missus

Mail server panel. Postfix + Dovecot + Rspamd. SMTP, IMAP, DKIM, granular backup. Pairs with nomina to handle the MX records on your domains. missus.netforge.it →

nomina (you are here)

Authoritative DNS. BIND9 + KASP + RPZ + propagation check. The naming half of the triad. arx + missus + nomina = self-hosted home base.