Line 1: |
Line 1: |
− | == Hostmasters == | + | == Administrative contact == |
| | | |
| To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org> | | To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org> |
| + | |
| + | == Hostmasters == |
| | | |
| Current hostmasters are: | | Current hostmasters are: |
| | | |
| * [[User:Bernie|Bernie Innocenti]] | | * [[User:Bernie|Bernie Innocenti]] |
− | * [[User:dogi|Stefan Unterhauser]]
| + | |
− | * [[User:sascha_silbe|Sascha Silbe]]
| + | (please use preferably the administrative address) |
| | | |
| == Registered nameservers == | | == Registered nameservers == |
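Review bot: the two hostmasters removed from the list (User:dogi and User:sascha_silbe) still hold, as far as this page states further down, membership in the hostmaster group on lightwave and copies of the DNSSEC private keys; a sentence recording that their group membership was removed and the signing keys were rolled (or a pointer to where that is tracked) would make this access change auditable rather than silent. Also reword the added parenthetical to "(please preferably use the administrative address)" and place it directly under the Administrative contact line, where it reads naturally, instead of after the hostmaster list.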
Line 23: |
Line 25: |
| ! '''ns1.sugarlabs.org''' | | ! '''ns1.sugarlabs.org''' |
| | lightwave | | | lightwave |
− | | FSF, Boston, USA | + | | Sonic, Santa Rosa CA, USA |
− | | 140.186.70.102 | + | | 192.184.220.216 |
− | | 2002:8cba:4666::1 | + | | 2001:5a8:601:f::216/64 |
| |- | | |- |
| | ns2.sugarlabs.net | | | ns2.sugarlabs.net |
| | sunjammer | | | sunjammer |
| | FSF, Boston, USA | | | FSF, Boston, USA |
− | | 140.186.70.53 | + | | 208.118.235.53 |
− | | 2002:8cba:4635::1 | + | | 2001:470:142:7::11 |
| |- | | |- |
| | ns1.codewiz.org | | | ns1.codewiz.org |
− | | trinity | + | | neo |
| | Develer, Firenze, Italy | | | Develer, Firenze, Italy |
− | | 83.149.158.210 | + | | 2.228.72.10 |
− | | 2002:5395:9ed2::1 | + | | 2001:b02:400:1::10 |
| |} | | |} |
| | | |
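Review bot: the new IPv6 entry for ns1.sugarlabs.org, 2001:5a8:601:f::216/64, carries a prefix length while every other row lists a single host address; a nameserver glue record needs a bare address, so drop the /64. Since all three nameservers change address in this edit (and ns1.codewiz.org also moves from trinity to neo), add a line under the table reminding editors that the glue records held at the registrar must be updated to match, otherwise resolvers keep using the old addresses until the parent-side glue is changed.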
Line 43: |
Line 45: |
| | | |
| We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations. | | We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations. |
− | '''DO NOT EDIT THESE FILES LOCALLY, ANY CHANGES WILL BE OVERWRITTEN'''. | + | '''DO NOT EDIT THESE FILES DIRECTLY ON THE MASTER NAMESERVER, ANY CHANGES WILL BE OVERWRITTEN'''. |
| | | |
− | === Checkout nameserver config ===
| + | == Checkout nameserver config == |
| | | |
− | Checkout the repository as usual: | + | Checkout the git repository containing the DNS zone data: |
| | | |
| git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns | | git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns |
| | | |
− | Do not checkout the repository as root. Your user needs to be in group bind.
| + | '''NOTE:''' Your user on [[Machine/lightwave]] needs to be in group hostmaster. Do not clone the repo on lightwave, clone it to your local host. |
| + | |
| + | To push changes, you will also need the DNSSEC private keys for your domain. For security reasons, these |
| + | are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/ |
| + | directory alongside the public keys. |
| | | |
| == Edit zone data == | | == Edit zone data == |
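Review bot: the added paragraph telling hostmasters to copy the DNSSEC private keys into keys/ inside their clone says nothing about keeping them out of git or about how to transfer them; keys/ already holds the public keys and is committed, so a careless "git add" would push the private keys to the very master nameserver the paragraph says they must not live on. Suggest adding a .gitignore entry for the .private files that dnssec-keygen writes, an instruction to transfer the key only over ssh/scp and keep it at mode 0600, and a word on what to do when no other hostmaster is reachable. Minor: the NOTE says not to clone on lightwave, but the clone URL above still points at the working directory /var/lib/bind/etc/bind rather than the repository path /var/lib/bind/etc/bind.git given in the implementation details section; confirm which path is intended.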
Line 58: |
Line 64: |
| | | |
| * Please keep the zone files tidy, by following indentation style | | * Please keep the zone files tidy, by following indentation style |
| + | * Add comments as needed to describe obscure records in the zone files |
| + | * Remember to keep reverse zones always up to date |
| + | * '''Bump the serials after each update!''' (this is done automatically by our update-zone script) |
| + | |
| + | == Push changes back to master nameserver == |
| + | |
| + | After you edited the sugarlabs.org zone, execute this script to re-sign the zone |
| + | and push your changes to the master DNS: |
| | | |
− | * Add comments as needed to describe obscure records in the zone files | + | ./update-sugarlabs |
| + | |
| + | The script does: |
| + | * bump the serial number |
| + | * re-sign the zone with the DNSSEC private keys (which you must copy to keys/) |
| + | * commit your changes |
| + | * push the commit to the remote repository |
| + | |
| + | The post-receive hook automates the rest of the procedure: |
| + | * send a notification email to systems-logs@ |
| + | * checkout your changes to the bind configuration directory |
| + | * make BIND reload its configuration |
| + | * watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones |
| + | |
| + | For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use: |
| + | |
| + | ./update-zone turtleartday.org |
| + | |
| + | This will check the zone before pushing. |
| + | |
| + | == GIT repository implementation details == |
| + | |
| + | We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>). |
| + | |
| + | See [[Sysadmin/Autocheckout repositories]] for all the implementation details. |
| + | |
| + | == DNSSEC details == |
| + | |
| + | === How to create keys for a new domain === |
| + | |
| + | We standardized on algorithm 13 (ECDSAP256SHA256) because it's what RFC 8624 recommends and what Cloudflare uses: |
| | | |
− | * Remember to keep reverse zones always up to date
| + | cd keys |
| + | dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE codewiz.org |
| + | dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE -f KSK codewiz.org |
| | | |
− | * '''Bump the serials after each update!'''
| + | === How to manually sign a zone === |
| + | Normally, you should use the update-zone script |
| | | |
− | == Push changes back to master nameserver ==
| + | dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone |
| + | systemctl restart bind9 |
| | | |
− | * Commit your changes, preferably with a meaningful comment:
| + | === Add DS records to TLD === |
| | | |
− | git commit -a -v
| + | This step must be performed using the interface of the registrar (I used name.com). |
| | | |
− | * Then, push your changes:
| + | The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this: |
| | | |
− | git push | + | codewiz.org. IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6 |
| | | |
− | * We have a handy post-receive hook to automate the rest of the procedure:
| + | === How to validate zone data === |
− | ** send a notification email to systems-logs@;
| |
− | ** checkout your changes to the bind configuration directory;
| |
− | ** make BIND reload its configuration;
| |
− | ** watch BIND's log file to ensure slaves are actually transferring the changed zones.
| |
| | | |
− | == Implementation details == | + | ==== Online validators ==== |
| + | * https://dnssec-analyzer.verisignlabs.com/codewiz.org |
| + | * https://dnsviz.net/d/codewiz.org/dnssec/ |
| | | |
− | * We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).
| + | ==== CLI tools ==== |
| | | |
− | * The git config file is as follows: | + | * Validate zone data with dig: |
| + | dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad |
| + | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 |
| | | |
− | [core] | + | * Validate zone data against domain DNSKEY: |
− | repositoryformatversion = 0
| + | $ unbound-host -y 'codewiz.org. DNSKEY 256 3 13 IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E 18O1OErfu0CkFjg6JEynOG6cSR40yg==' -v codewiz.org |
− | filemode = true
| + | codewiz.org has address 209.51.188.53 (secure) |
− | bare = false
| + | codewiz.org has IPv6 address 2001:470:142:7::11 (secure) |
− | sharedRepository = true
| + | codewiz.org mail is handled by 10 neo.develer.net. (secure) |
− | logallrefupdates = true
| |
− | worktree = /etc/bind
| |
− | [receive] | |
− | denycurrentbranch = ignore
| |
− | | |
− | [hooks] | |
− | mailinglist = systems-logs@...
| |
− | emailprefix = "[DNS] "
| |
− | showrev = "git show -C %s; echo"
| |
| | | |
− | * /var/lib/bind/etc/bind.git/description contains the repository description "Sugar Labs DNS zone data" | + | * Validate zone data against a domain's DS key: |
− | * We use a post-receive hook to checkout the zones to the local sandbox and make BIND reload them:
| + | unbound-host -f keys/dsset-sugarlabs.org. -v sugarlabs.org |
| + | sugarlabs.org has address 185.199.111.153 (secure) |
| + | sugarlabs.org has address 185.199.110.153 (secure) |
| + | sugarlabs.org has no IPv6 address (secure) |
| + | sugarlabs.org mail is handled by 10 mail0.codewiz.org. (secure) |
| + | sugarlabs.org mail is handled by 20 sunjammer.sugarlabs.org. (secure) |
| | | |
− | #!/bin/bash
| + | * Validate zone data against the root DNSKEY: |
− | /bin/bash /usr/share/doc/git-core/contrib/hooks/post-receive-email | + | unbound-host -D -v wiki.sugarlabs.org |
− | git checkout -f | + | wiki.sugarlabs.org is an alias for sunjammer.sugarlabs.org. (secure) |
− | tail -n0 -f /var/log/daemon.log & | + | sunjammer.sugarlabs.org has address 209.51.188.53 (secure) |
− | /etc/init.d/bind9 reload | + | sunjammer.sugarlabs.org has IPv6 address 2001:470:142:7::11 (secure) |
− | sleep 3 | + | sunjammer.sugarlabs.org has no mail handler record (secure) |
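Review bot: the key-generation recipe is inconsistent: it starts with "cd keys" and then passes "-K keys" to both dnssec-keygen calls, which writes the key files to keys/keys/ rather than the keys/ directory that update-zone and the unbound-host examples expect; drop either the "cd keys" or the "-K keys". Further points in this region: the "other domains" paragraph names somosazucar.org but the command shows "./update-zone turtleartday.org", so use one example domain and drop "eg." after "such as"; "This will check the zone before pushing" should say what is checked (a named-checkzone run, signature validity, or both) so a hostmaster knows what a failure means; the manual signing example uses "-e +31536000" (one year), so state that a zone signed this way must be re-signed before its RRSIGs expire or every validating resolver will SERVFAIL the domain, and prefer "systemctl reload bind9" over restart, as the post-receive hook does. In the CLI validation section, "grep ad" matches any line containing "ad"; "grep -w ad" or simply reading the flags line is clearer, and it is worth noting that the ad flag returned by 1.1.1.1 only shows that that resolver validated the chain. The DNSKEY pasted into the unbound-host -y example will go stale at the next key rollover; pointing at the public key file in keys/ instead of its contents would survive a rollover. Finally, the validation examples use codewiz.org throughout while the page documents sugarlabs.org; using the same domain as the rest of the page avoids confusion.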