1,764
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + + + − + − * [[User:sascha_silbe|Sascha Silbe]]+ + Line 23:
Line 26: − + − + − + − + − + − + − + − + Line 51:
Line 54: − + Line 62:
Line 65: − − − + − Line 77:
Line 77: − * re-sign the zone with the DNSSEC keys+ − * commit your changes+ − * push the commit to the remote repository+ + − + − * send a notification email to systems-logs@;+ − * checkout your changes to the bind configuration directory;+ − * make BIND reload its configuration;+ − * watch BIND's log file to ensure slaves are actually transferring the changed zones.+ − == Implementation details ==+ − * We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).+ − * The git config file is as follows:+ − [core]+ − repositoryformatversion = 0 − filemode = true − bare = false − sharedRepository = true − logallrefupdates = true − worktree = /etc/bind − [receive] − denycurrentbranch = ignore − − [hooks] − mailinglist = systems-logs@... − emailprefix = "[DNS] " − showrev = "git show -C %s; echo" − * /var/lib/bind/etc/bind.git/description contains the repository description "Sugar Labs DNS zone data"+ − * We use a post-receive hook to checkout the zones to the local sandbox and make BIND reload them: − − #!/bin/bash − /bin/bash /usr/share/doc/git-core/contrib/hooks/post-receive-email − git checkout -f − tail -n0 -f /var/log/daemon.log & − /etc/init.d/bind9 reload − sleep 3 + + + + + + + + + + + + + + + + + + + + + + + + Line 144:
Line 148: + + +
Update addresses of ns1.codewiz.org
== Hostmasters ==
== Administrative contact ==
To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>
To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>
== Hostmasters ==
Current hostmasters are:
Current hostmasters are:
* [[User:Bernie|Bernie Innocenti]]
* [[User:Bernie|Bernie Innocenti]]
* [[User:dogi|Stefan Unterhauser]]
* [[User:Scg|Samuel Cantero]]
(please use preferably the administrative address)
== Registered nameservers ==
== Registered nameservers ==
! '''ns1.sugarlabs.org'''
! '''ns1.sugarlabs.org'''
| lightwave
| lightwave
| FSF, Boston, USA
| MIT Media Lab, Cambridge, USA
| 140.186.70.102
| 18.85.44.64
| 2002:8cba:4666::1
| 2002:1255:2c40::1
|-
|-
| ns2.sugarlabs.net
| ns2.sugarlabs.net
| sunjammer
| sunjammer
| FSF, Boston, USA
| FSF, Boston, USA
| 140.186.70.53
| 208.118.235.53
| 2002:8cba:4635::1
| 2001:4830:134:7::11
|-
|-
| ns1.codewiz.org
| ns1.codewiz.org
| trinity
| neo
| Develer, Firenze, Italy
| Develer, Firenze, Italy
| 83.149.158.210
| 2.228.72.10
| 2002:5395:9ed2::1
| 2001:b02:400:1::10
|}
|}
git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
Do not checkout the repository as root. Your user on [[Machine:lightwave]] needs to be in group hostmaster.
Do not checkout the repository as root. Your user on [[Machine/lightwave]] needs to be in group hostmaster.
In order to make changes, you will also need the private keys for your domain. For security reasons, these
In order to make changes, you will also need the private keys for your domain. For security reasons, these
* Please keep the zone files tidy, by following indentation style
* Please keep the zone files tidy, by following indentation style
* Add comments as needed to describe obscure records in the zone files
* Add comments as needed to describe obscure records in the zone files
* Remember to keep reverse zones always up to date
* Remember to keep reverse zones always up to date
* '''Bump the serials after each update!''' (this is done automatically by our update-zone script)
* '''Bump the serials after each update!'''
== Push changes back to master nameserver ==
== Push changes back to master nameserver ==
The script does:
The script does:
* bump the serial number
* re-sign the zone with the DNSSEC private keys (which you must copy to keys/)
* commit your changes
* push the commit to the remote repository
The post-receive hook to automate the rest of the procedure:
The post-receive hook automates the rest of the procedure:
* send a notification email to systems-logs@
* checkout your changes to the bind configuration directory
* make BIND reload its configuration
* watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones
For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use:
./update-zone somosazucar.org
This will check the zone before pushing.
== GIT repository implementation details ==
We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).
See [[Sysadmin/Autocheckout repositories]] for all the implementation details.
== DNSSEC details ==
== DNSSEC details ==
=== How to create keys for a new domain ===
=== How to create keys for a new domain ===
cd keys
dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org
dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org
dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org
dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org
(the above commands take a very long time!)
=== How to manually sign a zone ===
=== How to manually sign a zone ===
dnssec-signzone -o codewiz.org -K keys masters/codewiz.org.zone
/etc/init.d/bind9 restart
=== How to publish DLV records ===
Go to dlv.isc.org and upload the two DNSKEY records for each zone, then follow the instructions to validate them.
This is the end result:
* sugarlabs.org: https://dlv.isc.org/zones/3609
* sugarlabs.net: https://dlv.isc.org/zones/3612
* codewiz.org: https://dlv.isc.org/zones/3607
=== Add DS records to TLD ===
This step must be done by the registrar.
I've opened a support ticket on [http://joker.com/ Joker] asking to add
support for DS records. If they can't do it, we need to transfer
sugarlabs.org to another registrar. At this time, the only decent choice
for a DNSSEC enabled registrar is [http://name.com/ name.com].
* Validate zone data online:
* Validate zone data online:
http://secspider.cs.ucla.edu/codewiz-org--zone.html
http://secspider.cs.ucla.edu/codewiz-org--zone.html
=== DNSSEC tutorial ===
http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4