Line 1: |
Line 1: |
− | == Hostmasters == | + | == Administrative contact == |
| | | |
| To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org> | | To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org> |
| + | |
| + | == Hostmasters == |
| | | |
| Current hostmasters are: | | Current hostmasters are: |
| | | |
| * [[User:Bernie|Bernie Innocenti]] | | * [[User:Bernie|Bernie Innocenti]] |
− | * [[User:dogi|Stefan Unterhauser]] | + | * [[User:Scg|Samuel Cantero]] |
| + | |
| + | (please use preferably the administrative address) |
| | | |
| == Registered nameservers == | | == Registered nameservers == |
| | | |
− | The following nameservers are currently registerted in whois records for our domains: | + | The following nameservers are currently registered in whois records for our domains: |
− | | |
− | (FIXME: this is what it should look like after the current transitional mess)
| |
| | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
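Review bot: the hostmaster swap in this hunk (Stefan Unterhauser replaced by Samuel Cantero) only changes the page; per the checkout section further down, hostmasters are members of group hostmaster on lightwave and keep their own copies of the zones' DNSSEC private keys, so removing someone from this list should be paired with removing them from that group and deciding whether the keys need to be rolled. Also, the parenthetical "(please use preferably the administrative address)" reads awkwardly; suggest "Please write to the administrative address rather than to individual hostmasters." The "registerted" typo fix and the removal of the FIXME line are fine.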
Line 24: |
Line 26: |
| ! '''ns1.sugarlabs.org''' | | ! '''ns1.sugarlabs.org''' |
| | lightwave | | | lightwave |
− | | FSF, Boston, USA | + | | MIT Media Lab, Cambridge, USA |
− | | 140.186.70.102 | + | | 18.85.44.64 |
− | | 2002:8cba:4666::1 | + | | 2002:1255:2c40::1 |
| |- | | |- |
| | ns2.sugarlabs.net | | | ns2.sugarlabs.net |
| | sunjammer | | | sunjammer |
− | | FSF, Boston | + | | FSF, Boston, USA |
− | | 140.186.70.53 | + | | 208.118.235.53 |
− | | 2002:8cba:4635::1 | + | | 2001:4830:134:7::11 |
| |- | | |- |
| | ns1.codewiz.org | | | ns1.codewiz.org |
− | | trinity | + | | neo |
| | Develer, Firenze, Italy | | | Develer, Firenze, Italy |
− | | 83.149.158.210 | + | | 2.228.72.10 |
− | | 2002:5395:9ed2::1 | + | | 2001:b02:400:1::10 |
− | |-
| |
− | | ns2.auth.osuosl.org
| |
− | | -
| |
− | | OSU-OSL, Seattle, USA
| |
− | | 140.211.166.141
| |
− | | -
| |
| |} | | |} |
− |
| |
− | Note that ns2.auth.osuosl.org is not under our control and does not serve all our domains.
| |
| | | |
| == Editing zone data == | | == Editing zone data == |
| | | |
| We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations. | | We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations. |
− | '''DO NOT EDIT THESE FILES LOCALLY, ANY CHANGES WILL BE OVERWRITTEN'''. | + | '''DO NOT EDIT THESE FILES DIRECTLY ON THE MASTER NAMESERVER, ANY CHANGES WILL BE OVERWRITTEN'''. |
| | | |
− | === Checkout nameserver config ===
| + | == Checkout nameserver config == |
| | | |
− | Checkout the repository as usual: | + | Checkout the git repository containing the DNS zone data: |
| | | |
| git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns | | git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns |
| | | |
− | Do not checkout the repository as root. Your user needs to be in group bind. | + | Do not checkout the repository as root. Your user on [[Machine/lightwave]] needs to be in group hostmaster. |
| + | |
| + | In order to make changes, you will also need the private keys for your domain. For security reasons, these |
| + | are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/ |
| + | directory alongside the public keys. |
| | | |
| == Edit zone data == | | == Edit zone data == |
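Review bot: the row for ns2.auth.osuosl.org and the sentence noting it was not under our control are dropped, but nothing here says the NS delegation at the registrar was changed to match; the table claims to list what is "registered in whois records", so confirm the delegation before merging or the table will disagree with it. Two smaller points: ns1.sugarlabs.org still carries a 2002:: (6to4) address while the other two rows moved to native IPv6, so check that this is intended, since 6to4 relays are unreliable; and the new instruction to put the private keys "in the keys/ directory alongside the public keys" inside a git checkout makes it easy to commit them by accident and push them to the master nameserver, which the same paragraph says must not hold them, so add the private key files (K*.private) to .gitignore and keep them mode 0600.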
Line 67: |
Line 65: |
| | | |
| * Please keep the zone files tidy, by following indentation style | | * Please keep the zone files tidy, by following indentation style |
| + | * Add comments as needed to describe obscure records in the zone files |
| + | * Remember to keep reverse zones always up to date |
| + | * '''Bump the serials after each update!''' (this is done automatically by our update-zone script) |
| + | |
| + | == Push changes back to master nameserver == |
| + | |
| + | After you edited the sugarlabs.org zone, execute this script to re-sign the zone |
| + | and push your changes to the master DNS: |
| + | |
| + | ./update-sugarlabs |
| + | |
| + | The script does: |
| + | * bump the serial number |
| + | * re-sign the zone with the DNSSEC private keys (which you must copy to keys/) |
| + | * commit your changes |
| + | * push the commit to the remote repository |
| + | |
| + | The post-receive hook automates the rest of the procedure: |
| + | * send a notification email to systems-logs@ |
| + | * checkout your changes to the bind configuration directory |
| + | * make BIND reload its configuration |
| + | * watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones |
| + | |
| + | For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use: |
| + | |
| + | ./update-zone somosazucar.org |
| + | |
| + | This will check the zone before pushing. |
| + | |
| + | == GIT repository implementation details == |
| | | |
− | * Add comments as needed to describe obscure records in the zone files
| + | We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>). |
| + | |
| + | See [[Sysadmin/Autocheckout repositories]] for all the implementation details. |
| + | |
| + | == DNSSEC details == |
| + | |
| + | === How to create keys for a new domain === |
| + | cd keys |
| + | dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org |
| + | dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org |
| + | |
| + | (the above commands take a very long time!) |
| + | |
| + | === How to manually sign a zone === |
| + | dnssec-signzone -o codewiz.org -K keys masters/codewiz.org.zone |
| + | /etc/init.d/bind9 restart |
| | | |
− | * Remember to keep reverse zones always up to date
| + | === How to publish DLV records === |
| | | |
− | * '''Bump the serials after each update!'''
| + | Go to dlv.isc.org and upload the two DNSKEY records for each zone, then follow the instructions to validate them. |
| + | This is the end result: |
| | | |
− | == Push changes back to master nameserver ==
| + | * sugarlabs.org: https://dlv.isc.org/zones/3609 |
| + | * sugarlabs.net: https://dlv.isc.org/zones/3612 |
| + | * codewiz.org: https://dlv.isc.org/zones/3607 |
| | | |
− | * Commit your changes, preferably with a meaningful comment:
| + | === Add DS records to TLD === |
| | | |
− | git commit -a -v
| + | This step must be done by the registrar. |
| | | |
− | * Then, push your changes:
| + | I've opened a support ticket on [http://joker.com/ Joker] asking to add |
| + | support for DS records. If they can't do it, we need to transfer |
| + | sugarlabs.org to another registrar. At this time, the only decent choice |
| + | for a DNSSEC enabled registrar is [http://name.com/ name.com]. |
| | | |
− | git push
| |
| | | |
− | * We have a handy post-receive hook to automate the rest of the procedure:
| + | === How to validate zone data === |
− | ** send a notification email to systems-logs@;
| |
− | ** checkout your changes to the bind configuration directory;
| |
− | ** make BIND reload its configuration;
| |
− | ** watch BIND's log file to ensure slaves are actually transferring the changed zones.
| |
| | | |
− | == Implementation details ==
| + | * Validate zone data with dig: |
| + | dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad |
| | | |
− | * We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>). | + | * Validate zone data against domain DNSKEY: |
| + | unbound-host -y 'codewiz.org. IN DNSKEY 256 3 5 AwEAAa3dS5/3fkGXuqXft2dN/UPUivGqiYzZF+jWcow8LTAnlsoYaJFB VMAlJWbC6FFI7AMjoJYpmoeDMgHd4BtVqZO2ikx5zc48CtOUHUdXs7nw fMSQoVOnplpTKH2AgyRfDqYhtosP0euyJQNZI+NiYneZb1o1Ys7PE87Y 7FamjXwV' -v codewiz.org |
| | | |
− | * The git config file is as follows: | + | * Validate zone data against domain DS key: |
| + | unbound-host -y 'codewiz.org. IN DS 58126 5 2 96BF1964F3EA9885F5DE83DA14419F55F579A42BC18759C1B79BDE64 7587CFA8' -v codewiz.org |
| | | |
− | [core]
| + | * Validate zone data against root DNSKEY: |
− | repositoryformatversion = 0
| + | unbound-host -y '. DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=' -v codewiz.org |
− | filemode = true
| |
− | bare = false
| |
− | sharedRepository = true
| |
− | logallrefupdates = true
| |
− | worktree = /etc/bind
| |
− | [receive] | |
− | denycurrentbranch = ignore
| |
− | | |
− | [hooks]
| |
− | mailinglist = systems-logs@...
| |
− | emailprefix = "[DNS] "
| |
− | showrev = "git show -C %s; echo"
| |
| | | |
− | * /var/lib/bind/etc/bind.git/description contains the repository description "Sugar Labs DNS zone data" | + | * Validate zone data online: |
− | * We use a post-receive hook to checkout the zones to the local sandbox and make BIND reload them:
| + | http://secspider.cs.ucla.edu/codewiz-org--zone.html |
| | | |
− | #!/bin/bash
| + | === DNSSEC tutorial === |
− | /bin/bash /usr/share/doc/git-core/contrib/hooks/post-receive-email
| + | http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4 |
− | git checkout -f
| |
− | tail -n0 -f /var/log/daemon.log &
| |
− | /etc/init.d/bind9 reload
| |
− | sleep 3
| |
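Review bot: the key-generation commands use -a RSASHA1 (algorithm 5) with a 1024-bit ZSK; the root DNSKEY quoted later in this same hunk is algorithm 8 (RSASHA256), and RSASHA1 is deprecated for new signatures, so generate new keys with -a RSASHA256 and at least 2048 bits for the KSK. The "(the above commands take a very long time!)" remark is a consequence of -r/dev/random blocking on a headless server; -r/dev/urandom is fine for this and removes the wait. In "How to manually sign a zone", "/etc/init.d/bind9 restart" takes BIND down briefly while the post-receive hook described above only reloads; use reload (or rndc reload) here as well. The check "dig +dnssec +multiline -t ns codewiz.org. @localhost | grep ad" matches the letters "ad" anywhere in the output, including inside base64 key material, so it does not prove the AD flag was set; grep for "flags:.* ad" instead. Finally, the DLV section is a stopgap: the DS at the TLD (next section) is what validators actually use, and ISC has since retired the dlv.isc.org registry.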