1,764
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − Our registered nameservers are:+ + + + + + + + + + + + + + + − | aka+ − | location+ − | ns1.sugarlabs.org+ − + − + − + − + − + − + − + − + − + − |- − | ns2.auth.osuosl.org − | - − | OSU-OSL, Seattle, USA − | 140.211.166.141 − | - − − Note that ns2.auth.osuosl.org is not under our control and does not serve all our domains. − − == Hostmasters == − − * Bernie Innocenti <bernie@codewiz.org> − * (others to be added when this documentation is finished) − + − === Checkout nameserver config ===+ − To simplify merging, each hostmaster pushes to a separate branch:+ − + − git config --add remote.origin.push '+refs/heads/*:refs/remotes/USERNAME/*' − + + + + + Line 60:
Line 64: + + + + + + + + + + + + + + + + + + + + + + + + − * Add comments as needed to describe obscure records in the zone files+ + + + + + + + + + + + + + + + + + + + + + + + + − * Remember to keep reverse zones always up to date+ − * '''Bump the serials after each update!'''+ − == Push changes back to master nameserver ==+ − * First, commit your changes:+ − git commit -a+ − + + + − git pull+ − + + + − git push + − ssh root@lightwave.sugarlabs.org 'cd /var/lib/bind/etc/bind && git merge remotes/USERNAME/master' + + + + − + + + + + + + − ssh root@lightwave.sugarlabs.org 'tail -f /var/log/daemon.log & /etc/init.d/bind9 reload' + + + + + +
→CLI tools
== Administrative contact ==
To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>
== Hostmasters ==
Current hostmasters are:
* [[User:Bernie|Bernie Innocenti]]
(please use preferably the administrative address)
== Registered nameservers ==
The following nameservers are currently registered in whois records for our domains:
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
! hostname
! hostname
! aka
! location
! IPv4
! IPv4
! IPv6
! IPv6
|-
|-
! '''ns1.sugarlabs.org'''
| lightwave
| lightwave
| FSF, Boston, USA
| Sonic, Santa Rosa CA, USA
| 140.186.70.102
| 192.184.220.216
| 2002:8cba:4666::1
| 2001:5a8:601:f::216/64
|-
|-
| ns2.sugarlabs.net
| ns2.sugarlabs.net
| sunjammer
| sunjammer
| FSF, Boston
| FSF, Boston, USA
| 140.186.70.53
| 208.118.235.53
| 2002:8cba:4635::1
| 2001:470:142:7::11
|-
|-
| ns1.codewiz.org
| ns1.codewiz.org
| trinity
| neo
| Develer, Firenze, Italy
| Develer, Firenze, Italy
| 83.149.158.210
| 2.228.72.10
| 2002:5395:9ed2::1
| 2001:b02:400:1::10
|}
|}
== Editing zone data ==
== Editing zone data ==
We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations.
We use distributed version control and admin scripts to arbitrate edits to the zone files and nameserver configurations.
'''DO NOT EDIT THESE FILES LOCALLY''' without first confirming with all hostmasters.
'''DO NOT EDIT THESE FILES DIRECTLY ON THE MASTER NAMESERVER, ANY CHANGES WILL BE OVERWRITTEN'''.
== Checkout nameserver config ==
Checkout the git repository containing the DNS zone data:
git clone root@lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
'''FIXME''': use an unprivileged group "hostmaster" rather than root.
'''NOTE:''' Your user on [[Machine/lightwave]] needs to be in group hostmaster. Do not clone the repo on lightwave, clone it to your local host.
To push changes, you will also need the DNSSEC private keys for your domain. For security reasons, these
are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/
directory alongside the public keys.
== Edit zone data ==
== Edit zone data ==
* Please keep the zone files tidy, by following indentation style
* Please keep the zone files tidy, by following indentation style
* Add comments as needed to describe obscure records in the zone files
* Remember to keep reverse zones always up to date
* '''Bump the serials after each update!''' (this is done automatically by our update-zone script)
== Push changes back to master nameserver ==
After you edited the sugarlabs.org zone, execute this script to re-sign the zone
and push your changes to the master DNS:
./update-sugarlabs
The script does:
* bump the serial number
* re-sign the zone with the DNSSEC private keys (which you must copy to keys/)
* commit your changes
* push the commit to the remote repository
The post-receive hook automates the rest of the procedure:
* send a notification email to systems-logs@
* checkout your changes to the bind configuration directory
* make BIND reload its configuration
* watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones
For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use:
./update-zone turtleartday.org
This will check the zone before pushing.
== GIT repository implementation details ==
We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).
See [[Sysadmin/Autocheckout repositories]] for all the implementation details.
== DNSSEC details ==
=== How to create keys for a new domain ===
We standardized on algorithm 13 (ECDSAP256SHA256) because it's what RFC 8624 recommends and what Cloudflare uses:
cd keys
dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE codewiz.org
dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE -f KSK codewiz.org
=== How to manually sign a zone ===
Normally, you should use the update-zone script
dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone
systemctl restart bind9
=== Add DS records to TLD ===
This step must be performed using the interface of the registrar (I used name.com).
The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this:
codewiz.org. IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6
=== How to validate zone data ===
* Update from remote to resolve conflicts, if any:
==== Online validators ====
* https://dnssec-analyzer.verisignlabs.com/codewiz.org
* https://dnsviz.net/d/codewiz.org/dnssec/
==== CLI tools ====
* We push to our own branches and then merge into the sandbox:
* Validate zone data with dig:
dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
* Validate zone data against domain DNSKEY:
$ unbound-host -y 'codewiz.org. DNSKEY 256 3 13 IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E 18O1OErfu0CkFjg6JEynOG6cSR40yg==' -v codewiz.org
codewiz.org has address 209.51.188.53 (secure)
codewiz.org has IPv6 address 2001:470:142:7::11 (secure)
codewiz.org mail is handled by 10 neo.develer.net. (secure)
* Now reload the nameserver configuration, checking for errors:
* Validate zone data against a domain's DS key:
unbound-host -f keys/dsset-sugarlabs.org. -v sugarlabs.org
sugarlabs.org has address 185.199.111.153 (secure)
sugarlabs.org has address 185.199.110.153 (secure)
sugarlabs.org has no IPv6 address (secure)
sugarlabs.org mail is handled by 10 mail0.codewiz.org. (secure)
sugarlabs.org mail is handled by 20 sunjammer.sugarlabs.org. (secure)
* Validate zone data against the root DNSKEY:
unbound-host -D -v wiki.sugarlabs.org
wiki.sugarlabs.org is an alias for sunjammer.sugarlabs.org. (secure)
sunjammer.sugarlabs.org has address 209.51.188.53 (secure)
sunjammer.sugarlabs.org has IPv6 address 2001:470:142:7::11 (secure)
sunjammer.sugarlabs.org has no mail handler record (secure)