Service/Nameservers: Difference between revisions

(5 intermediate revisions by the same user not shown)

Line 8:

* [[User:Bernie|Bernie Innocenti]]

* [[User:Scg|Samuel Cantero]]

(please use preferably the administrative address)

Line 26:

Line 25:

! '''ns1.sugarlabs.org'''

| lightwave

| ~~MIT Media Lab~~, ~~Cambridge~~, USA

| Sonic, Santa Rosa CA, USA

| 18.85.44.64

| 192.184.220.216

| ~~2002~~:~~1255~~:~~2c40~~::1

| 2001:5a8:601:f::216/64

|-

| ns2.sugarlabs.net

Line 34:

Line 33:

| FSF, Boston, USA

| 208.118.235.53

| 2001:~~4830~~:~~134~~:7::11

| 2001:470:142:7::11

|-

| ns1.codewiz.org

Line 54:

Line 53:

git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns

~~Do not checkout the repository as root.~~ Your user on [[Machine/lightwave]] needs to be in group hostmaster.

'''NOTE:''' Your user on [[Machine/lightwave]] needs to be in group hostmaster. Do not clone the repo on lightwave, clone it to your local host.

~~In order to make~~ changes, you will also need the private keys for your domain. For security reasons, these

To push changes, you will also need the DNSSEC private keys for your domain. For security reasons, these

are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/

directory alongside the public keys.

Line 90:

Line 89:

For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use:

./update-zone ~~somosazucar~~.org

./update-zone turtleartday.org

This will check the zone before pushing.

Line 103:

Line 102:

=== How to create keys for a new domain ===

We standardized on algorithm 13 (ECDSAP256SHA256) because it's what RFC 8624 recommends and what Cloudflare uses:

cd keys

dnssec-keygen -a ~~RSASHA1 -b 1024~~ -n ZONE codewiz.org

dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE codewiz.org

dnssec-keygen -a ~~RSASHA1 -b 2048~~ -n ZONE -f KSK codewiz.org

dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE -f KSK codewiz.org

=== How to manually sign a zone ===

Line 119:

Line 121:

The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this:

~~codewiz.org. IN DS 7082 8 2 422B9AD0529099938BAB245BD189BBCF485A9194FC35BA3BB04894E9 C914554A~~

codewiz.org. IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6

Line 132:

Line 133:

* Validate zone data with dig:

dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

* Validate zone data against domain DNSKEY:

unbound-host -y 'codewiz.org. IN DNSKEY 256 3 ~~5 AwEAAa3dS5/3fkGXuqXft2dN/UPUivGqiYzZF~~+~~jWcow8LTAnlsoYaJFB VMAlJWbC6FFI7AMjoJYpmoeDMgHd4BtVqZO2ikx5zc48CtOUHUdXs7nw fMSQoVOnplpTKH2AgyRfDqYhtosP0euyJQNZI~~+~~NiYneZb1o1Ys7PE87Y 7FamjXwV~~' -v codewiz.org

$ unbound-host -y 'codewiz.org. DNSKEY 256 3 13 IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E 18O1OErfu0CkFjg6JEynOG6cSR40yg==' -v codewiz.org

codewiz.org has address 209.51.188.53 (secure)

codewiz.org has IPv6 address 2001:470:142:7::11 (secure)

codewiz.org mail is handled by 10 neo.develer.net. (secure)

* Validate zone data against domain DS key:

* Validate zone data against a domain's DS key:

unbound-host -~~y 'codewiz~~.org. ~~IN DS 58126 5 2 96BF1964F3EA9885F5DE83DA14419F55F579A42BC18759C1B79BDE64 7587CFA8'~~ -v codewiz.org

unbound-host -f keys/dsset-sugarlabs.org. -v sugarlabs.org

sugarlabs.org has address 185.199.111.153 (secure)

sugarlabs.org has address 185.199.110.153 (secure)

sugarlabs.org has no IPv6 address (secure)

sugarlabs.org mail is handled by 10 mail0.codewiz.org. (secure)

sugarlabs.org mail is handled by 20 sunjammer.sugarlabs.org. (secure)

* Validate zone data against root DNSKEY:

* Validate zone data against the root DNSKEY:

unbound-host -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v ~~codewiz~~.org

unbound-host -D -v wiki.sugarlabs.org

wiki.sugarlabs.org is an alias for sunjammer.sugarlabs.org. (secure)

sunjammer.sugarlabs.org has address 209.51.188.53 (secure)

sunjammer.sugarlabs.org has IPv6 address 2001:470:142:7::11 (secure)

sunjammer.sugarlabs.org has no mail handler record (secure)

@@ Line 8: / Line 8: @@
 * [[User:Bernie|Bernie Innocenti]]
-* [[User:Scg|Samuel Cantero]]
 (please use preferably the administrative address)
@@ Line 26: / Line 25: @@
 !  '''ns1.sugarlabs.org'''
 |  lightwave
-|  MIT Media Lab, Cambridge, USA
+|  Sonic, Santa Rosa CA, USA
-|  18.85.44.64
+|  192.184.220.216
-|  2002:1255:2c40::1
+|  2001:5a8:601:f::216/64
 |-
 |  ns2.sugarlabs.net
@@ Line 34: / Line 33: @@
 |  FSF, Boston, USA
 |  208.118.235.53
-|  2001:4830:134:7::11
+|  2001:470:142:7::11
 |-
 |  ns1.codewiz.org
@@ Line 54: / Line 53: @@
   git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
-Do not checkout the repository as root. Your user on [[Machine/lightwave]] needs to be in group hostmaster.
+'''NOTE:''' Your user on [[Machine/lightwave]] needs to be in group hostmaster. Do not clone the repo on lightwave, clone it to your local host.
-In order to make changes, you will also need the private keys for your domain. For security reasons, these
+To push changes, you will also need the DNSSEC private keys for your domain. For security reasons, these
 are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/
 directory alongside the public keys.
@@ Line 90: / Line 89: @@
 For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use:
-  ./update-zone somosazucar.org
+  ./update-zone turtleartday.org
 This will check the zone before pushing.
@@ Line 103: / Line 102: @@
 === How to create keys for a new domain ===
+We standardized on algorithm 13 (ECDSAP256SHA256) because it's what RFC 8624 recommends and what Cloudflare uses:
   cd keys
-  dnssec-keygen -a RSASHA1 -b 1024 -n ZONE codewiz.org
+  dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE codewiz.org
-  dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK codewiz.org
+  dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE -f KSK codewiz.org
 === How to manually sign a zone ===
@@ Line 119: / Line 121: @@
 The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this:
-  codewiz.org.            IN DS 7082 8 2 422B9AD0529099938BAB245BD189BBCF485A9194FC35BA3BB04894E9 C914554A
    codewiz.org.            IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6
@@ Line 132: / Line 133: @@
 * Validate zone data with dig:
   dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad
+ ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
 * Validate zone data against domain DNSKEY:
-  unbound-host -y 'codewiz.org. IN DNSKEY 256 3 5 AwEAAa3dS5/3fkGXuqXft2dN/UPUivGqiYzZF+jWcow8LTAnlsoYaJFB VMAlJWbC6FFI7AMjoJYpmoeDMgHd4BtVqZO2ikx5zc48CtOUHUdXs7nw fMSQoVOnplpTKH2AgyRfDqYhtosP0euyJQNZI+NiYneZb1o1Ys7PE87Y 7FamjXwV' -v codewiz.org
+  $ unbound-host -y 'codewiz.org. DNSKEY 256 3 13 IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E 18O1OErfu0CkFjg6JEynOG6cSR40yg==' -v codewiz.org
+ codewiz.org has address 209.51.188.53 (secure)
+ codewiz.org has IPv6 address 2001:470:142:7::11 (secure)
+ codewiz.org mail is handled by 10 neo.develer.net. (secure)
-* Validate zone data against domain DS key:
+* Validate zone data against a domain's DS key:
-  unbound-host  -y 'codewiz.org. IN DS 58126 5 2 96BF1964F3EA9885F5DE83DA14419F55F579A42BC18759C1B79BDE64 7587CFA8' -v  codewiz.org
+  unbound-host -f keys/dsset-sugarlabs.org. -v sugarlabs.org
+ sugarlabs.org has address 185.199.111.153 (secure)
+ sugarlabs.org has address 185.199.110.153 (secure)
+ sugarlabs.org has no IPv6 address (secure)
+  sugarlabs.org mail is handled by 10 mail0.codewiz.org. (secure)
+ sugarlabs.org mail is handled by 20 sunjammer.sugarlabs.org. (secure)
-* Validate zone data against root DNSKEY:
+* Validate zone data against the root DNSKEY:
-  unbound-host  -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v  codewiz.org
+  unbound-host -D -v wiki.sugarlabs.org
+ wiki.sugarlabs.org is an alias for sunjammer.sugarlabs.org. (secure)
+  sunjammer.sugarlabs.org has address 209.51.188.53 (secure)
+ sunjammer.sugarlabs.org has IPv6 address 2001:470:142:7::11 (secure)
+ sunjammer.sugarlabs.org has no mail handler record (secure)