Difference between revisions of "Service/Nameservers"

From Sugar Labs
(22 intermediate revisions by 3 users not shown)
Latest revision as of 14:35, 15 July 2023

Administrative contact

To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>

Hostmasters

Current hostmasters are:

  • Bernie Innocenti

(please prefer the administrative address above)

Registered nameservers

The following nameservers are currently registered in whois records for our domains:

  hostname           aka        location                   IPv4             IPv6
  ns1.sugarlabs.org  lightwave  Sonic, Santa Rosa CA, USA  192.184.220.216  2001:5a8:601:f::216/64
  ns2.sugarlabs.net  sunjammer  FSF, Boston, USA           208.118.235.53   2001:470:142:7::11
  ns1.codewiz.org    neo        Develer, Firenze, Italy    2.228.72.10      2001:b02:400:1::10

(The /64 on lightwave's IPv6 entry is a prefix length; a glue record carries no prefix, so the address registered for ns1.sugarlabs.org is the host address 2001:5a8:601:f::216.)

Editing zone data

We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations. DO NOT EDIT THESE FILES DIRECTLY ON THE MASTER NAMESERVER; ANY CHANGES WILL BE OVERWRITTEN by the next push.

Checkout nameserver config

Checkout the git repository containing the DNS zone data:

git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns

NOTE: Your user on Machine/lightwave needs to be in group hostmaster. Do not clone the repo on lightwave; clone it to your local host.

To push changes, you will also need the DNSSEC private keys for your domain. For security reasons, these are not kept on the master DNS itself. Ask one of the other hostmasters for a copy (over an encrypted channel, not plain email) and put it in the keys/ directory alongside the public keys. The private halves are the K<zone>+<alg>+<keyid>.private files; they must never be committed or pushed, so check git status before every push and make sure only the .key files and the zones are staged.

Edit zone data

Guidelines for editing zones:

  • Please keep the zone files tidy, by following indentation style
  • Add comments as needed to describe obscure records in the zone files
  • Remember to keep reverse zones always up to date
  • Bump the serials after each update! (this is done automatically by our update-zone script)

Push changes back to master nameserver

After editing the sugarlabs.org zone, run this script to re-sign the zone and push your changes to the master DNS:

./update-sugarlabs

The script does:

  • bump the serial number
  • re-sign the zone with the DNSSEC private keys (which you must copy to keys/)
  • commit your changes
  • push the commit to the remote repository

The post-receive hook automates the rest of the procedure:

  • send a notification email to systems-logs@
  • checkout your changes to the bind configuration directory
  • make BIND reload its configuration
  • watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones

For other domains hosted on Sugar Labs infrastructure (e.g. somosazucar.org or turtleartday.org) use the generic script with the zone name as argument:

./update-zone turtleartday.org

This checks the zone before pushing.
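The serial bump the scripts perform is the step most often done wrong by hand, so here it is in code. This is an added example, not the update-zone or update-sugarlabs script from the Sugar Labs repository: it implements the YYYYMMDDnn bump together with the RFC 1982 serial-arithmetic check that guarantees the slaves will see the new serial as newer, on a constructed zone fragment (the SOA values are made up, and the function names are this example's own).

```python
"""Serial bumping for hand-edited zone files.

Added example, not the Sugar Labs update-zone script: it shows the two things
that script has to get right, the YYYYMMDDnn convention and RFC 1982 serial
arithmetic, on a constructed zone fragment.
"""
import re
from datetime import date
from typing import Tuple

SERIAL_MASK = 0xFFFFFFFF
SERIAL_HALF = 1 << 31

# Matches "SOA <mname> <rname> [(] <serial>" across line breaks, so both the
# one-line and the usual parenthesised multi-line SOA layout work.
# Assumption: the serial is the first token after rname (a comment after it is fine).
SOA_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)")


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True iff serial a is 'greater than' serial b.

    Slaves only transfer a zone when the master's serial is greater in this
    sense, so a serial that is numerically larger but more than 2^31 ahead
    is treated as *older* and the change never propagates.
    """
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def next_serial(old: int, today: date) -> int:
    """Return the next serial in the YYYYMMDDnn convention.

    First edit of the day -> YYYYMMDD01. Further edits the same day, or an old
    serial that is already ahead of today's date (clock skew, manual bumps),
    -> old + 1, so the result is always strictly greater under RFC 1982.
    """
    base = int(today.strftime("%Y%m%d")) * 100
    new = base + 1 if old < base else old + 1
    new &= SERIAL_MASK
    if not serial_gt(new, old):
        raise ValueError(f"serial {new} would not be newer than {old}")
    return new


def bump_zone_serial(zone_text: str, today: date) -> Tuple[str, int, int]:
    """Rewrite the SOA serial in zone_text; return (new_text, old, new)."""
    m = SOA_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA record found in zone")
    old = int(m.group(1))
    new = next_serial(old, today)
    return zone_text[: m.start(1)] + str(new) + zone_text[m.end(1):], old, new


# Constructed zone fragment for the example; not Sugar Labs' real zone data.
SAMPLE_ZONE = """\
$TTL 3600
@   IN SOA ns1.sugarlabs.org. hostmaster.sugarlabs.org. (
        2023071501 ; serial
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; minimum
    IN NS  ns1.sugarlabs.org.
    IN NS  ns2.sugarlabs.net.
"""

if __name__ == "__main__":
    text, old, new = bump_zone_serial(SAMPLE_ZONE, date(2023, 7, 15))
    print(f"{old} -> {new}")
    print(text)
```

The RFC 1982 check matters for the failure mode the guideline above is warning about: if someone pastes a serial that is far too large (a unix timestamp after a date serial is fine, but a stray extra digit is not), the slaves silently stop transferring until the serial is wound forward in steps of less than 2^31.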

GIT repository implementation details

We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in /var/lib/bind/etc/bind.git and the working directory lives in /var/lib/bind/etc/bind. /etc/bind is a symlink to the working directory (/var/lib/bind/etc/bind).

See Sysadmin/Autocheckout repositories for all the implementation details.

DNSSEC details

How to create keys for a new domain

We standardized on algorithm 13 (ECDSAP256SHA256) because it's what RFC 8624 recommends and what Cloudflare uses:

dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE codewiz.org
dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE -f KSK codewiz.org

Run both from the top of the repository: -K keys (here and in the dnssec-signzone call below) is relative to the repository root, so do not cd into keys/ first. The first command creates the ZSK (flags 256), the second the KSK (flags 257) whose DS record is what goes to the registrar.

How to manually sign a zone

Normally you should use the update-zone script; sign by hand only when debugging it:

dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone
systemctl restart bind9

-S picks the keys for the zone out of keys/ by their metadata, -d keys writes the dsset-codewiz.org file there, and -e +31536000 sets the RRSIG expiry one year ahead. That expiry bounds how long a captured copy of the signed zone can be replayed, so re-sign well before it and do not push the validity further out.

Add DS records to TLD

This step must be performed using the interface of the registrar (I used name.com).

The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN. It contains a DS record for the zone's KSK(s) (flags 257), never for the ZSK, and looks like this (key tag 53631, algorithm 13, digest type 2 = SHA-256):

 codewiz.org.            IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6
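Before pasting a DS into the registrar it is worth recomputing it independently from the DNSKEY you think you are publishing. The following is an added example, not part of the Sugar Labs wiki or of BIND: it implements the RFC 4034 DS derivation (key tag from appendix B, digest over the owner name in wire form followed by the DNSKEY RDATA). Its input is the codewiz.org ZSK quoted further down this page; the page's own DS (key tag 53631) belongs to the KSK, whose public key is not on the page, so that digest cannot be reproduced here. Function names are this example's own.

```python
"""Compute DS records from DNSKEY records (RFC 4034 section 5 and appendix B).

Added example, not from the Sugar Labs wiki or from BIND. Use it to cross-check
what dnssec-signzone wrote to keys/dsset-DOMAIN against the KSK in the zone.
"""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...'; the key may contain spaces."""
    tok = rr.split()
    i = tok.index("DNSKEY")
    owner = tok[0]
    flags, proto, alg = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    key = base64.b64decode("".join(tok[i + 4:]))
    return owner, flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rr: str) -> bool:
    """DS records are published for KSKs (SEP bit set, flags 257), not ZSKs (256)."""
    return parse_dnskey(rr)[1] & 0x0001 == 1


def ds_record(rr: str, digest_type: int = 2) -> str:
    """DS RR for a DNSKEY RR: digest over owner(wire) || DNSKEY RDATA."""
    owner, flags, proto, alg, key = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


# From this wiki page: the codewiz.org ZSK (flags 256), as printed in the
# unbound-host example below. It is the ZSK, so its DS is not what gets published.
CODEWIZ_ZSK = ("codewiz.org. DNSKEY 256 3 13 "
               "IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E "
               "18O1OErfu0CkFjg6JEynOG6cSR40yg==")

if __name__ == "__main__":
    print(ds_record(CODEWIZ_ZSK))
    print("publish this DS at the registrar?", is_ksk(CODEWIZ_ZSK))
```

To check a real dsset file, feed ds_record the KSK line from the zone's .key file in keys/ (the one with flags 257) and compare the output with keys/dsset-DOMAIN; a mismatch means the zone was signed with a different KSK than the one you are about to publish.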

How to validate zone data

Online validators

  • https://dnssec-analyzer.verisignlabs.com/codewiz.org
  • https://dnsviz.net/d/codewiz.org/dnssec/

CLI tools

  • Validate zone data with dig. The ad (authenticated data) flag means the resolver you asked, here 1.1.1.1, validated the answer; @localhost only sets it if the local BIND validates, and a missing ad flag from a non-validating resolver says nothing about the zone:
dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
  • Validate zone data against the domain's DNSKEY. This pins the ZSK (flags 256) as trust anchor; since the ZSK is rotated more often than the KSK, prefer the KSK (flags 257) or the DS record (next check) for anything longer-lived than a one-off test:
unbound-host -y 'codewiz.org. DNSKEY 256 3 13 IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E 18O1OErfu0CkFjg6JEynOG6cSR40yg==' -v codewiz.org
codewiz.org has address 209.51.188.53 (secure)
codewiz.org has IPv6 address 2001:470:142:7::11 (secure)
codewiz.org mail is handled by 10 neo.develer.net. (secure)
  • Validate zone data against the domain's DS record(s) from the dsset file written by dnssec-signzone (-f reads trust anchors from a file):
unbound-host -f keys/dsset-sugarlabs.org. -v sugarlabs.org
sugarlabs.org has address 185.199.111.153 (secure)
sugarlabs.org has address 185.199.110.153 (secure)
sugarlabs.org has no IPv6 address (secure)
sugarlabs.org mail is handled by 10 mail0.codewiz.org. (secure)
sugarlabs.org mail is handled by 20 sunjammer.sugarlabs.org. (secure)
  • Validate zone data against the root trust anchor (-D enables validation with unbound's built-in root key, i.e. the full chain of trust a normal validating resolver checks):
unbound-host -D -v wiki.sugarlabs.org
wiki.sugarlabs.org is an alias for sunjammer.sugarlabs.org. (secure)
sunjammer.sugarlabs.org has address 209.51.188.53 (secure)
sunjammer.sugarlabs.org has IPv6 address 2001:470:142:7::11 (secure)
sunjammer.sugarlabs.org has no mail handler record (secure)