Difference between revisions of "Service/Nameservers"

From Sugar Labs
(→‎Checkout nameserver config: remove obsolete FIXME and mention of user branches)
(34 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== Hostmasters ==
+
== Administrative contact ==
  
 
To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>
 
To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>
 +
 +
== Hostmasters ==
  
 
Current hostmasters are:
 
Current hostmasters are:
  
 
* [[User:Bernie|Bernie Innocenti]]
 
* [[User:Bernie|Bernie Innocenti]]
* [[User:dogi|Stefan Unterhauser]]
+
* [[User:Scg|Samuel Cantero]]
 +
 
 +
(please use preferably the administrative address)
  
 
== Registered nameservers ==
 
== Registered nameservers ==
  
The following nameservers are currently registerted in whois records for our domains:
+
The following nameservers are currently registered in whois records for our domains:
 
 
(FIXME: this is what it should look like after the current transitional mess)
 
  
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
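Review bot: the advice "(please use preferably the administrative address)" is attached to the hostmaster list, while the new "Administrative contact" section above it only states the address; say there that hostmaster@ is the preferred channel and that the individual hostmasters are a fallback, so a reader who stops after the first section gets the right instruction. The "registerted" typo fix and the removal of the transitional FIXME are fine.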
Line 24: Line 26:
 
!  '''ns1.sugarlabs.org'''
 
!  '''ns1.sugarlabs.org'''
 
|  lightwave
 
|  lightwave
FSF, Boston, USA
+
MIT Media Lab, Cambridge, USA
140.186.70.102
+
18.85.44.64
|  2002:8cba:4666::1
+
|  2002:1255:2c40::1
 
|-
 
|-
 
|  ns2.sugarlabs.net
 
|  ns2.sugarlabs.net
 
|  sunjammer
 
|  sunjammer
|  FSF, Boston
+
|  FSF, Boston, USA
140.186.70.53
+
208.118.235.53
2002:8cba:4635::1
+
2001:4830:134:7::11
 
|-
 
|-
 
|  ns1.codewiz.org
 
|  ns1.codewiz.org
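Review bot: ns1.sugarlabs.org keeps a 6to4 address (2002:1255:2c40::1, derived from the new IPv4 address 18.85.44.64) while ns2.sugarlabs.net moves from 6to4 to a native 2001:4830:134:7::11; if the MIT Media Lab network offers native IPv6, use it for ns1 as well so reachability of the nameserver does not depend on third-party 6to4 relays. Since the table documents what is "registered in whois records", also confirm that the registrar glue (A and AAAA) for ns1.sugarlabs.org was updated to the new addresses.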
Line 39: Line 41:
 
|  83.149.158.210
 
|  83.149.158.210
 
|  2002:5395:9ed2::1
 
|  2002:5395:9ed2::1
|-
 
|  ns2.auth.osuosl.org
 
|  -
 
|  OSU-OSL, Seattle, USA
 
|  140.211.166.141
 
|  -
 
 
|}
 
|}
 
Note that ns2.auth.osuosl.org is not under our control and does not serve all our domains.
 
  
 
== Editing zone data ==
 
== Editing zone data ==
  
 
We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations.
 
We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations.
'''DO NOT EDIT THESE FILES LOCALLY, ANY CHANGES WILL BE OVERWRITTEN'''.
+
'''DO NOT EDIT THESE FILES DIRECTLY ON THE MASTER NAMESERVER, ANY CHANGES WILL BE OVERWRITTEN'''.
  
=== Checkout nameserver config ===
+
== Checkout nameserver config ==
  
Checkout the repository as usual:
+
Checkout the git repository containing the DNS zone data:
  
 
  git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
 
  git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
  
Do not checkout the repository as root. Your user needs to be in group bind.
+
Do not checkout the repository as root. Your user on [[Machine/lightwave]] needs to be in group hostmaster.
 +
 
 +
In order to make changes, you will also need the private keys for your domain. For security reasons, these
 +
are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/
 +
directory alongside the public keys.
  
 
== Edit zone data ==
 
== Edit zone data ==
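Review bot: the new paragraph tells hostmasters to put the private DNSSEC keys into keys/ inside the cloned repository, and the update script described later in this diff commits and pushes "your changes"; make sure the private key files written by dnssec-keygen are ignored by git, otherwise the keys that are deliberately not kept on the master DNS end up in the repository that lives on it. The ns2.auth.osuosl.org row and its note are dropped; the removed sentence said it did not serve all domains, so check that it is also removed from the registered NS set and the zones, or document why it remains. Rewording the warning to "DIRECTLY ON THE MASTER NAMESERVER" is clearer than the old "LOCALLY".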
Line 67: Line 65:
  
 
* Please keep the zone files tidy, by following indentation style
 
* Please keep the zone files tidy, by following indentation style
 +
* Add comments as needed to describe obscure records in the zone files
 +
* Remember to keep reverse zones always up to date
 +
* '''Bump the serials after each update!''' (this is done automatically by our update-zone script)
  
* Add comments as needed to describe obscure records in the zone files
+
== Push changes back to master nameserver ==
 +
 
 +
After you edited the sugarlabs.org zone, execute this script to re-sign the zone
 +
and push your changes to the master DNS:
 +
 
 +
./update-sugarlabs
 +
 
 +
The script does:
 +
* bump the serial number
 +
* re-sign the zone with the DNSSEC private keys (which you must copy to keys/)
 +
* commit your changes
 +
* push the commit to the remote repository
 +
 
 +
The post-receive hook automates the rest of the procedure:
 +
* send a notification email to systems-logs@
 +
* checkout your changes to the bind configuration directory
 +
* make BIND reload its configuration
 +
* watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones
 +
 
 +
For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use:
 +
 
 +
./update-zone somosazucar.org
 +
 
 +
This will check the zone before pushing.
 +
 
 +
== GIT repository implementation details ==
 +
 
 +
We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).
  
* Remember to keep reverse zones always up to date
+
See [[Sysadmin/Autocheckout repositories]] for all the implementation details.
  
* '''Bump the serials after each update!'''
+
== DNSSEC details ==
  
== Push changes back to master nameserver ==
+
=== How to create keys for a new domain ===
 +
cd keys
 +
dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org
 +
dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org
  
* Commit your changes, possibly with a meaningful comment:
+
(the above commands take a very long time!)
  
  git commit -a -v
+
=== How to manually sign a zone ===
 +
dnssec-signzone -o codewiz.org -K keys masters/codewiz.org.zone
 +
/etc/init.d/bind9 restart
  
* Then, push your changes:
+
=== How to publish DLV records ===
  
  git push
+
Go to dlv.isc.org and upload the two DNSKEY records for each zone, then follow the instructions to validate them.
 +
This is the end result:
  
* We have a handy post-receive hook to automate the rest of the procedure:
+
* sugarlabs.org: https://dlv.isc.org/zones/3609
** send a notification email to systems-logs@;
+
* sugarlabs.net: https://dlv.isc.org/zones/3612
** checkout your changes to the bind configuration directory;
+
* codewiz.org: https://dlv.isc.org/zones/3607
** make BIND reload its configuration;
 
** watch BIND's log file to ensure slaves are actually transferring the changed zones.
 
  
== Push changes to slaves ==
+
=== Add DS records to TLD ===
  
If you add or remove domains to the named-sugarlabs-masters.conf, you also need
+
This step must be done by the registrar.  
to synchronize named-sugarlabs-slaves.conf and propagate it to slave nameservers.
 
  
./update-named-slaves
+
I've opened a support ticket on [http://joker.com/ Joker] asking to add
 +
support for DS records. If they can't do it, we need to transfer
 +
sugarlabs.org to another registrar. At this time, the only decent choice
 +
for a DNSSEC enabled registrar is [http://name.com/ name.com].
  
FIXME: ssh keys needed for other admins
 
  
== Implementation details ==
+
=== How to validate zone data ===
  
* The git config file is as follows:
+
* Validate zone data with dig:
 +
dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad
  
  [core]
+
* Validate zone data against domain DNSKEY:
        repositoryformatversion = 0
+
  unbound-host -y 'codewiz.org. IN DNSKEY 256 3 5 AwEAAa3dS5/3fkGXuqXft2dN/UPUivGqiYzZF+jWcow8LTAnlsoYaJFB VMAlJWbC6FFI7AMjoJYpmoeDMgHd4BtVqZO2ikx5zc48CtOUHUdXs7nw fMSQoVOnplpTKH2AgyRfDqYhtosP0euyJQNZI+NiYneZb1o1Ys7PE87Y 7FamjXwV' -v codewiz.org
        filemode = true
 
        bare = false
 
        shared = true
 
        logallrefupdates = true
 
        worktree = /etc/bind
 
[receive]
 
        denycurrentbranch = ignore
 
  
  [hooks]
+
* Validate zone data against domain DS key:
        mailinglist = bernie@codewiz.org
+
unbound-host -y 'codewiz.org. IN DS 58126 5 2 96BF1964F3EA9885F5DE83DA14419F55F579A42BC18759C1B79BDE64 7587CFA8' -v  codewiz.org
        emailprefix = "[DNS] "
 
        showrev = "git show -C %s; echo"
 
  
* We use a post-receive hook to checkout the zones to the local sandbox and make BIND reload them:
+
* Validate zone data against root DNSKEY:
 +
unbound-host  -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v  codewiz.org
  
#!/bin/bash
+
* Validate zone data online:
  /bin/bash /usr/share/doc/git-core/contrib/hooks/post-receive-email
+
  http://secspider.cs.ucla.edu/codewiz-org--zone.html
git checkout -f
 
tail -n0 -f /var/log/daemon.log &
 
/etc/init.d/bind9 reload
 
sleep 3
 
  
* For slightly better security, the repository lives outside the sandbox
+
=== DNSSEC tutorial ===
 +
http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4
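Review bot: the new "How to create keys for a new domain" section generates both keys with -a RSASHA1 (algorithm 5) and a 1024-bit ZSK, while the root trust anchor in the validation example is algorithm 8 (RSASHA256); prefer RSASHA256 and a larger ZSK for any new domain so that a validating resolver that stops accepting SHA-1 signatures does not treat the zone as bogus, and document the rollover. Two smaller points: the "Push changes to slaves" section (./update-named-slaves and its "FIXME: ssh keys needed for other admins") is deleted without a replacement even though the new hook description still expects slaves to transfer the changed zones, so say where the slave configuration is now maintained; and "such as eg. somosazucar.org" reads better as "for example somosazucar.org".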

Revision as of 17:16, 5 December 2017

Administrative contact

To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>

Hostmasters

Current hostmasters are:

  • Bernie Innocenti
  • Stefan Unterhauser
  • Samuel Cantero

(please use the administrative address in preference to contacting a hostmaster directly)

Registered nameservers

The following nameservers are currently registered in whois records for our domains:

hostname           aka        location                        IPv4            IPv6
ns1.sugarlabs.org  lightwave  MIT Media Lab, Cambridge, USA   18.85.44.64     2002:1255:2c40::1
ns2.sugarlabs.net  sunjammer  FSF, Boston, USA                208.118.235.53  2001:4830:134:7::11
ns1.codewiz.org    trinity    Develer, Firenze, Italy         83.149.158.210  2002:5395:9ed2::1

Editing zone data

We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations. DO NOT EDIT THESE FILES DIRECTLY ON THE MASTER NAMESERVER, ANY CHANGES WILL BE OVERWRITTEN.

Checkout nameserver config

Check out the git repository containing the DNS zone data:

git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns

Do not check out the repository as root. Your user on Machine/lightwave needs to be in group hostmaster.

In order to make changes, you will also need the private keys for your domain. For security reasons, these are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/ directory alongside the public keys.

Edit zone data

Guidelines for editing zones:

  • Please keep the zone files tidy by following the existing indentation style
  • Add comments as needed to describe obscure records in the zone files
  • Remember to always keep the reverse zones up to date
  • Bump the serials after each update! (this is done automatically by our update-zone script)

Push changes back to master nameserver

After editing the sugarlabs.org zone, run this script to re-sign the zone and push your changes to the master DNS:

./update-sugarlabs

The script does:

  • bump the serial number
  • re-sign the zone with the DNSSEC private keys (which you must copy to keys/)
  • commit your changes
  • push the commit to the remote repository

The post-receive hook automates the rest of the procedure:

  • send a notification email to systems-logs@
  • checkout your changes to the bind configuration directory
  • make BIND reload its configuration
  • watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones

For other domains hosted on Sugar Labs infrastructure (for example somosazucar.org) use:

./update-zone somosazucar.org

This checks the zone before pushing.
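As an added illustration of the "bump the serials after each update" rule and of the serial-bumping step that update-zone and update-sugarlabs perform (this is example code, not the Sugar Labs scripts), the following bumps an SOA serial and enforces that it strictly increases. It assumes the date-based YYYYMMDDnn serial convention and a serial that sits on its own line tagged with a "; serial" comment, as in the constructed sample zone.

```python
"""Added example, not the Sugar Labs update-zone script: bump a zone's SOA serial.
Assumptions: serials follow the YYYYMMDDnn convention and the serial sits on its
own line of the SOA record tagged '; serial', as in the constructed SAMPLE_ZONE."""
import re
from datetime import date

# indentation, the serial digits, and the rest of the line (comment included)
SERIAL_RE = re.compile(r"^(\s*)(\d+)(\s*;\s*serial\b.*)$", re.IGNORECASE)

def next_serial(old, today=None):
    """Serial that must replace `old`: bump the counter if `old` is from today,
    else today's date + "01", and in any case strictly greater than `old`:
    slaves only transfer a zone whose serial is newer (RFC 1982 comparison)."""
    today = today or date.today().strftime("%Y%m%d")
    new = old + 1 if str(old).startswith(today) else int(today + "01")
    if new <= old:      # old serial is "ahead" of the calendar (clock skew, >99 edits)
        new = old + 1
    if new >= 2**32:    # 32-bit field; wrapping needs a manual RFC 1982 rollover
        raise ValueError("serial would overflow; roll over manually")
    return new

def bump_zone_serial(zone_text, today=None):
    """Rewrite the first '; serial' line of a zone file; return (new_text, serial)."""
    out, new = [], None
    for line in zone_text.splitlines():
        m = SERIAL_RE.match(line)
        if m and new is None:
            indent, old, rest = m.groups()
            new = next_serial(int(old), today)
            line = f"{indent}{new}{rest}"   # keep layout and comment untouched
        out.append(line)
    if new is None:
        raise ValueError("no '; serial' line found in zone")
    return "\n".join(out) + ("\n" if zone_text.endswith("\n") else ""), new

# Constructed sample zone for demonstration only (not a Sugar Labs zone).
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.example.org. hostmaster.example.org. (
            2017120501  ; serial
            7200        ; refresh
            900         ; retry
            1209600     ; expire
            3600 )      ; minimum
    IN  NS  ns1.example.org.
"""
```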

GIT repository implementation details

We use a detached working directory to allow the automatic checkout performed by the post-receive hook to work (the hook is described in Sysadmin/Autocheckout repositories). The git repository is in /var/lib/bind/etc/bind.git and the working directory lives in /var/lib/bind/etc/bind. /etc/bind is a symlink to the working directory (/var/lib/bind/etc/bind).

See Sysadmin/Autocheckout repositories for all the implementation details.

DNSSEC details

How to create keys for a new domain

cd keys
dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org
dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org

(the above commands can take a very long time, because -r/dev/random makes dnssec-keygen block until the kernel has gathered enough entropy)

How to manually sign a zone

dnssec-signzone -o codewiz.org -K keys masters/codewiz.org.zone
/etc/init.d/bind9 restart

How to publish DLV records

Go to dlv.isc.org and upload the two DNSKEY records for each zone, then follow the instructions to validate them. This is the end result:

  • sugarlabs.org: https://dlv.isc.org/zones/3609
  • sugarlabs.net: https://dlv.isc.org/zones/3612
  • codewiz.org: https://dlv.isc.org/zones/3607

Add DS records to TLD

This step must be done by the registrar.

I've opened a support ticket on Joker asking to add support for DS records. If they can't do it, we need to transfer sugarlabs.org to another registrar. At this time, the only decent choice for a DNSSEC-enabled registrar is name.com.

How to validate zone data

  • Validate zone data with dig (the ad flag in the flags line of the reply means the resolver authenticated the answer):
    dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad
  • Validate zone data against the domain's DNSKEY:
    unbound-host -y 'codewiz.org. IN DNSKEY 256 3 5 AwEAAa3dS5/3fkGXuqXft2dN/UPUivGqiYzZF+jWcow8LTAnlsoYaJFB VMAlJWbC6FFI7AMjoJYpmoeDMgHd4BtVqZO2ikx5zc48CtOUHUdXs7nw fMSQoVOnplpTKH2AgyRfDqYhtosP0euyJQNZI+NiYneZb1o1Ys7PE87Y 7FamjXwV' -v codewiz.org
  • Validate zone data against the domain's DS record:
    unbound-host -y 'codewiz.org. IN DS 58126 5 2 96BF1964F3EA9885F5DE83DA14419F55F579A42BC18759C1B79BDE64 7587CFA8' -v codewiz.org
  • Validate zone data against the root DNSKEY:
    unbound-host -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v codewiz.org
  • Validate zone data online:
    http://secspider.cs.ucla.edu/codewiz-org--zone.html
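The DS record checked above is a hash of the KSK's DNSKEY, and the DS handed to the registrar (see "Add DS records to TLD") has to match the key that is really published in the zone. As an added example that is not part of the Sugar Labs page, the following derives the DS fields from a DNSKEY RR: key tag per RFC 4034 Appendix B and a SHA-256 digest (digest type 2, the type used by the page's DS record). It feeds in the codewiz.org DNSKEY quoted above, which is the ZSK (flags 256), so its tag is not the 58126 of the page's DS, which belongs to the KSK.

```python
"""Added example, not from the Sugar Labs page: derive a DS record from a DNSKEY RR
(key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509 = digest type 2,
the type used by the page's DS record), so the DS handed to the registrar can be
checked against the key actually published in the zone. CODEWIZ_ZSK is the
codewiz.org DNSKEY quoted on the page; it is the ZSK (flags 256), so its tag is
not 58126, which belongs to the KSK the page's DS refers to."""
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B: sum even bytes shifted left 8 and odd bytes as-is,
    fold the carry back in, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner, rdata):
    """Digest type 2: SHA-256 over owner name (wire form) followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64):
    """(key tag, algorithm, digest type, digest): the four fields of a DS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return key_tag(rdata), algorithm, 2, ds_sha256(owner, rdata)

# DNSKEY public key copied from the page's unbound-host example (codewiz.org ZSK).
CODEWIZ_ZSK = ("AwEAAa3dS5/3fkGXuqXft2dN/UPUivGqiYzZF+jWcow8LTAnlsoYaJFB"
               "VMAlJWbC6FFI7AMjoJYpmoeDMgHd4BtVqZO2ikx5zc48CtOUHUdXs7nw"
               "fMSQoVOnplpTKH2AgyRfDqYhtosP0euyJQNZI+NiYneZb1o1Ys7PE87Y"
               "7FamjXwV")

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey("codewiz.org.", 256, 3, 5, CODEWIZ_ZSK)
    print(f"codewiz.org. IN DS {tag} {alg} {dtype} {digest}")
```

Run it against the KSK's DNSKEY (flags 257) instead and the output should match the DS line the page validates with unbound-host; a mismatch means the registrar holds a digest of a key that is not in the zone.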

DNSSEC tutorial

http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4