The panel that makes BIND9 manageable.

Authoritative DNS on Debian 12 & 13, in one panel. Per-zone master/slave/forward with conditional forms, one-click DNSSEC (KASP) with DS records ready for the registrar, curated RPZ threat-intel feeds plus your own custom feed URLs, live propagation check across Cloudflare and Quad9. Files are the source of truth — no database, vim is a first-class editor.

Get nomina See the stack

Free for personal and non-commercial use — home labs, learning, self-hosting your own DNS. Commercial deployments (paying clients, for-profit production) require a NetForge license — see the terms.

Why nomina

✦

DNSSEC in one click, with DS export

Toggle dnssec-policy default; on a master zone and BIND auto-generates KSK + ZSK in /srv/nomina/dnssec/<zone>/ on the next apply. nomina computes the DS records (SHA-256 + SHA-384) and shows them ready to paste at the registrar — drift detection included.

⌬

RPZ threat-intel out of the box

Curated feeds (URLhaus, Hagezi, OISD, NetForge mining) toggle on/off with a checkbox. Drop in your own feed URLs for private blocklists. Whitelist plus a custom block list as top-level overrides — fix a false positive in one place instead of disabling a whole feed.

⛌

Files, not a database

Zones are .json sidecars next to BIND zone files. Admins are admins.json. Audit log is .jsonl. RPZ lists are zone files. Vim them. Edits round-trip cleanly to the panel — no schema migrations, no hot-copy backup gymnastics.

The chosen stack

One daemon. One panel. No alternatives — less choice means less drift between two nomina boxes and less for you to debug at 2am.

BIND9DNS daemon

KASPDNSSEC policy

RPZResponse Policy Zones

dnspythonparser + DS computation

nftableskernel firewall + blocklist set

plain filesstate under /srv/nomina/

FastAPIpanel HTTP layer

Debian 12 & 13only target

BIND, well-rendered config, and a panel that respects your time.

How a query flows through nomina

Two lanes — inbound (the world resolving your zones) and admin (you editing them). Same daemon, same SQLite-free state, no extra moving parts. Each blue-bordered box is something the panel renders config for and you can read on disk.

nomina data flow: external resolvers query BIND on port 53; BIND reads zones from /srv/nomina/zones/, RPZ from /srv/nomina/rpz/, DNSSEC keys from /srv/nomina/dnssec/. The admin edits state via the panel on 127.0.0.1:8053 (loopback, fronted by arx); apply re-renders /srv/nomina/named.conf.local and rndc reconfigs BIND.

Part of the NetForge family

nomina doesn't try to be everything. Two sister panels handle what's not DNS — together the three cover hosting, mail, and naming on a single self-hosted box.

arx

Hosting panel. nginx + PHP-FPM, per-site outbound firewall, WireGuard admin plane, Squid SNI filter. The HTTPS edge that fronts nomina (and missus). arx.netforge.it →

missus

Mail server panel. Postfix + Dovecot + Rspamd. SMTP, IMAP, DKIM, granular backup. Pairs with nomina to handle the MX records on your domains. missus.netforge.it →

nomina (you are here)

Authoritative DNS. BIND9 + KASP + RPZ + propagation check. The naming half of the triad. arx + missus + nomina = self-hosted home base.