Line 1: |
Line 1: |
− | == Hostmasters == | + | == Administrative contact == |
| | | |
| To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org> | | To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org> |
| + | |
| + | == Hostmasters == |
| | | |
| Current hostmasters are: | | Current hostmasters are: |
| | | |
| * [[User:Bernie|Bernie Innocenti]] | | * [[User:Bernie|Bernie Innocenti]] |
− | * [[User:dogi|Stefan Unterhauser]] | + | * [[User:Scg|Samuel Cantero]] |
− | * [[User:sascha_silbe|Sascha Silbe]]
| + | |
| + | (please use preferably the administrative address) |
| | | |
| == Registered nameservers == | | == Registered nameservers == |
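Review bot: the hostmaster list drops two people (dogi and sascha_silbe) but the hunk says nothing about their access; since the rest of the page grants zone changes through membership in group hostmaster on lightwave and through possession of the domain's private keys, removing a name here should go together with removing that group membership and withdrawing or rotating any signing keys they held. Also, "(please use preferably the administrative address)" reads awkwardly; "(please prefer the administrative address)" says the same.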
Line 23: |
Line 26: |
| ! '''ns1.sugarlabs.org''' | | ! '''ns1.sugarlabs.org''' |
| | lightwave | | | lightwave |
− | | FSF, Boston, USA | + | | MIT Media Lab, Cambridge, USA |
− | | 140.186.70.102 | + | | 18.85.44.64 |
− | | 2002:8cba:4666::1 | + | | 2002:1255:2c40::1 |
| |- | | |- |
| | ns2.sugarlabs.net | | | ns2.sugarlabs.net |
| | sunjammer | | | sunjammer |
| | FSF, Boston, USA | | | FSF, Boston, USA |
− | | 140.186.70.53 | + | | 208.118.235.53 |
− | | 2002:8cba:4635::1 | + | | 2001:4830:134:7::11 |
| |- | | |- |
| | ns1.codewiz.org | | | ns1.codewiz.org |
− | | trinity | + | | neo |
| | Develer, Firenze, Italy | | | Develer, Firenze, Italy |
− | | 83.149.158.210 | + | | 2.228.72.10 |
− | | 2002:5395:9ed2::1 | + | | 2001:b02:400:1::10 |
| |} | | |} |
| | | |
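Review bot: the new addresses for ns1.sugarlabs.org and ns2.sugarlabs.net change glue as well as zone data, and the hunk only updates the wiki table; the NS/A/AAAA records in the zones, the glue held at the registrar, and the reverse zones (which the page asks to keep up to date) all need the same new values, otherwise resolvers keep hitting the old FSF addresses. Note also that ns1.sugarlabs.org keeps a 6to4 address (2002:1255:2c40::1, derived from 18.85.44.64) while the other two servers moved to native IPv6; 6to4 depends on public relay routers, so IPv6 reachability of ns1 will be less reliable than that of ns2 and ns1.codewiz.org.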
Line 51: |
Line 54: |
| git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns | | git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns |
| | | |
− | Do not checkout the repository as root. Your user on [[Machine:lightwave]] needs to be in group hostmaster. | + | Do not checkout the repository as root. Your user on [[Machine/lightwave]] needs to be in group hostmaster. |
| | | |
| In order to make changes, you will also need the private keys for your domain. For security reasons, these | | In order to make changes, you will also need the private keys for your domain. For security reasons, these |
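Review bot: the clone URL points at /var/lib/bind/etc/bind, but the implementation section later in this revision says the repository is /var/lib/bind/etc/bind.git with /var/lib/bind/etc/bind being only the detached working directory; either the path here should be the .git one, or the page should say the working directory carries a .git pointer, so that readers do not clone a path that is not a repository. Minor: as a verb, "Do not checkout the repository" should be "Do not check out the repository".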
Line 62: |
Line 65: |
| | | |
| * Please keep the zone files tidy, by following indentation style | | * Please keep the zone files tidy, by following indentation style |
− |
| |
| * Add comments as needed to describe obscure records in the zone files | | * Add comments as needed to describe obscure records in the zone files |
− |
| |
| * Remember to keep reverse zones always up to date | | * Remember to keep reverse zones always up to date |
− | | + | * '''Bump the serials after each update!''' (this is done automatically by our update-zone script) |
− | * '''Bump the serials after each update!''' | |
| | | |
| == Push changes back to master nameserver == | | == Push changes back to master nameserver == |
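Review bot: now that the serial bump is done by update-zone, the bullet should tell editors not to touch the serial by hand rather than to bump it, e.g. "Do not edit the serial; update-zone bumps it on each run"; as written it still reads as a manual step and invites a second, hand-made bump with a possibly conflicting numbering scheme.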
Line 77: |
Line 77: |
| | | |
| The script does: | | The script does: |
− | * re-sign the zone with the DNSSEC keys
| + | * bump the serial number |
− | * commit your changes
| + | * re-sign the zone with the DNSSEC private keys (which you must copy to keys/) |
− | * push the commit to the remote repository
| + | * commit your changes |
| + | * push the commit to the remote repository |
| | | |
− | The post-receive hook to automate the rest of the procedure: | + | The post-receive hook automates the rest of the procedure: |
− | * send a notification email to systems-logs@;
| + | * send a notification email to systems-logs@ |
− | * checkout your changes to the bind configuration directory;
| + | * checkout your changes to the bind configuration directory |
− | * make BIND reload its configuration;
| + | * make BIND reload its configuration |
− | * watch BIND's log file to ensure slaves are actually transferring the changed zones.
| + | * watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones |
| | | |
− | == Implementation details ==
| + | For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use: |
| | | |
− | * We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).
| + | ./update-zone somosazucar.org |
| | | |
− | * The git config file is as follows:
| + | This will check the zone before pushing. |
| | | |
− | [core]
| + | == GIT repository implementation details == |
− | repositoryformatversion = 0
| |
− | filemode = true
| |
− | bare = false
| |
− | sharedRepository = true
| |
− | logallrefupdates = true
| |
− | worktree = /etc/bind
| |
− | [receive]
| |
− | denycurrentbranch = ignore
| |
− |
| |
− | [hooks]
| |
− | mailinglist = systems-logs@...
| |
− | emailprefix = "[DNS] "
| |
− | showrev = "git show -C %s; echo"
| |
| | | |
− | * /var/lib/bind/etc/bind.git/description contains the repository description "Sugar Labs DNS zone data"
| + | We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>). |
− | * We use a post-receive hook to checkout the zones to the local sandbox and make BIND reload them:
| |
− | | |
− | #!/bin/bash
| |
− | /bin/bash /usr/share/doc/git-core/contrib/hooks/post-receive-email
| |
− | git checkout -f
| |
− | tail -n0 -f /var/log/daemon.log &
| |
− | /etc/init.d/bind9 reload
| |
− | sleep 3
| |
| | | |
| + | See [[Sysadmin/Autocheckout repositories]] for all the implementation details. |
| | | |
| == DNSSEC details == | | == DNSSEC details == |
| | | |
| === How to create keys for a new domain === | | === How to create keys for a new domain === |
| + | cd keys |
| dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org | | dnssec-keygen -r/dev/random -a RSASHA1 -b 1024 -n ZONE codewiz.org |
| dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org | | dnssec-keygen -r/dev/random -f KSK -a RSASHA1 -b 1280 -n ZONE codewiz.org |
| + | |
| + | (the above commands take a very long time!) |
| | | |
| === How to manually sign a zone === | | === How to manually sign a zone === |
| + | dnssec-signzone -o codewiz.org -K keys masters/codewiz.org.zone |
| + | /etc/init.d/bind9 restart |
| + | |
| + | === How to publish DLV records === |
| + | |
| + | Go to dlv.isc.org and upload the two DNSKEY records for each zone, then follow the instructions to validate them. |
| + | This is the end result: |
| + | |
| + | * sugarlabs.org: https://dlv.isc.org/zones/3609 |
| + | * sugarlabs.net: https://dlv.isc.org/zones/3612 |
| + | * codewiz.org: https://dlv.isc.org/zones/3607 |
| + | |
| + | === Add DS records to TLD === |
| + | |
| + | This step must be done by the registrar. |
| + | |
| + | I've opened a support ticket on [http://joker.com/ Joker] asking to add |
| + | support for DS records. If they can't do it, we need to transfer |
| + | sugarlabs.org to another registrar. At this time, the only decent choice |
| + | for a DNSSEC enabled registrar is [http://name.com/ name.com]. |
| | | |
| | | |
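Review bot: "re-sign the zone with the DNSSEC private keys (which you must copy to keys/)" puts private key material inside the checked-out tree of a repository that is shared with group hostmaster and pushed to the master, so the hunk should state that keys/ is excluded from the repository (e.g. via .gitignore) and kept with owner-only permissions; otherwise the next commit from a hostmaster's clone ships the keys to the server and, through the post-receive-email hook's "git show" of the revision, into the systems-logs@ notification mail. Three smaller points in the DNSSEC section: the manual signing step ends with /etc/init.d/bind9 restart while the hook uses reload; reload picks up the re-signed zone without dropping queries, so it should be used here too. The key generation uses RSASHA1 with a 1024-bit ZSK and a 1280-bit KSK; RSASHA1 is no longer recommended for new signing keys (RFC 8624) and 1024-bit RSA is below current guidance, so if these commands are revisited, RSASHA256 or ECDSAP256SHA256 (with 2048-bit keys for RSA) is the usual choice. Finally, the DLV subsection relies on dlv.isc.org, which ISC has since decommissioned (the DLV zone was emptied in 2017), so the only working trust path is the DS records at the registrar described in the following subsection; the DLV subsection should be marked historical.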
Line 144: |
Line 148: |
| * Validate zone data online: | | * Validate zone data online: |
| http://secspider.cs.ucla.edu/codewiz-org--zone.html | | http://secspider.cs.ucla.edu/codewiz-org--zone.html |
| + | |
| + | === DNSSEC tutorial === |
| + | http://www.nlnetlabs.nl/publications/dnssec_howto/index.html#x1-290003.4 |
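Review bot: the online validation link covers only codewiz.org; since sugarlabs.org and sugarlabs.net are signed as well (both are listed in the DLV section of this revision), add their corresponding secspider entries so each signed zone has a check the hostmasters can run after a re-sign.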