1,764
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + + + − * [[User:dogi|Stefan Unterhauser]]+ − * [[User:sascha_silbe|Sascha Silbe]]+ Line 23:
Line 25: − + − + − + − + − + − + − + − + Line 47:
Line 49: − + − Do not checkout the repository as root. Your user needs to be in group hostmaster.+ + + + + Line 58:
Line 64: + + + + + + + + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − * Remember to keep reverse zones always up to date+ + + − * '''Bump the serials after each update!'''+ + − == Push changes back to master nameserver ==+ + − * Commit your changes, preferably with a meaningful comment:+ − git commit -a -v+ − * Then, push your changes:+ − git push + − * We have a handy post-receive hook to automate the rest of the procedure:+ − ** send a notification email to systems-logs@; − ** checkout your changes to the bind configuration directory; − ** make BIND reload its configuration; − ** watch BIND's log file to ensure slaves are actually transferring the changed zones. − + + + − * We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).+ − + + + − [core] + − repositoryformatversion = 0+ − filemode = true+ − bare = false+ − sharedRepository = true+ − logallrefupdates = true − worktree = /etc/bind − [receive] − denycurrentbranch = ignore − − [hooks] − mailinglist = systems-logs@... − emailprefix = "[DNS] " − showrev = "git show -C %s; echo" − + − * We use a post-receive hook to checkout the zones to the local sandbox and make BIND reload them:+ + + + + + − #!/bin/bash+ − /bin/bash /usr/share/doc/git-core/contrib/hooks/post-receive-email + − git checkout -f + − tail -n0 -f /var/log/daemon.log & + − /etc/init.d/bind9 reload + − sleep 3 +
→CLI tools
== Hostmasters ==
== Administrative contact ==
To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>
To request changes to DNS records, contact <hostmaster AT sugarlabs DOT org>
== Hostmasters ==
Current hostmasters are:
Current hostmasters are:
* [[User:Bernie|Bernie Innocenti]]
* [[User:Bernie|Bernie Innocenti]]
(please use preferably the administrative address)
== Registered nameservers ==
== Registered nameservers ==
! '''ns1.sugarlabs.org'''
! '''ns1.sugarlabs.org'''
| lightwave
| lightwave
| FSF, Boston, USA
| Sonic, Santa Rosa CA, USA
| 140.186.70.102
| 192.184.220.216
| 2002:8cba:4666::1
| 2001:5a8:601:f::216/64
|-
|-
| ns2.sugarlabs.net
| ns2.sugarlabs.net
| sunjammer
| sunjammer
| FSF, Boston, USA
| FSF, Boston, USA
| 140.186.70.53
| 208.118.235.53
| 2002:8cba:4635::1
| 2001:470:142:7::11
|-
|-
| ns1.codewiz.org
| ns1.codewiz.org
| trinity
| neo
| Develer, Firenze, Italy
| Develer, Firenze, Italy
| 83.149.158.210
| 2.228.72.10
| 2002:5395:9ed2::1
| 2001:b02:400:1::10
|}
|}
== Checkout nameserver config ==
== Checkout nameserver config ==
Checkout the repository as usual:
Checkout the git repository containing the DNS zone data:
git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
git clone lightwave.sugarlabs.org:/var/lib/bind/etc/bind ns
'''NOTE:''' Your user on [[Machine/lightwave]] needs to be in group hostmaster. Do not clone the repo on lightwave, clone it to your local host.
To push changes, you will also need the DNSSEC private keys for your domain. For security reasons, these
are not kept on the master DNS itself. Ask one of the other hostmasters for a copy and put it in the keys/
directory alongside the public keys.
== Edit zone data ==
== Edit zone data ==
* Please keep the zone files tidy, by following indentation style
* Please keep the zone files tidy, by following indentation style
* Add comments as needed to describe obscure records in the zone files
* Remember to keep reverse zones always up to date
* '''Bump the serials after each update!''' (this is done automatically by our update-zone script)
== Push changes back to master nameserver ==
After you edited the sugarlabs.org zone, execute this script to re-sign the zone
and push your changes to the master DNS:
* Add comments as needed to describe obscure records in the zone files
./update-sugarlabs
The script does:
* bump the serial number
* re-sign the zone with the DNSSEC private keys (which you must copy to keys/)
* commit your changes
* push the commit to the remote repository
The post-receive hook automates the rest of the procedure:
* send a notification email to systems-logs@
* checkout your changes to the bind configuration directory
* make BIND reload its configuration
* watch BIND's log file to ensure there are no errors and slaves are actually transferring the changed zones
For other domains hosted on Sugar Labs infrastructure (such as eg. somosazucar.org) use:
./update-zone turtleartday.org
This will check the zone before pushing.
== GIT repository implementation details ==
We use a detached working directory to allow the automatic checkout to work (see post-receive hook below). The git repository is in <code>/var/lib/bind/etc/bind.git</code> and the working directory lives in <code>/var/lib/bind/etc/bind</code>. <code>/etc/bind</code> is a symlink to the working directory (<code>/var/lib/bind/etc/bind</code>).
See [[Sysadmin/Autocheckout repositories]] for all the implementation details.
== DNSSEC details ==
=== How to create keys for a new domain ===
We standardized on algorithm 13 (ECDSAP256SHA256) because it's what RFC 8624 recommends and what Cloudflare uses:
cd keys
dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE codewiz.org
dnssec-keygen -K keys -3 -a ECDSAP256SHA256 -n ZONE -f KSK codewiz.org
=== How to manually sign a zone ===
Normally, you should use the update-zone script
dnssec-signzone -S -e +31536000 -K keys -d keys -o codewiz.org masters/codewiz.org.zone
systemctl restart bind9
=== Add DS records to TLD ===
This step must be performed using the interface of the registrar (I used name.com).
The data to copy is written by dnssec-signzone to the file keys/dsset-DOMAIN and looks like this:
codewiz.org. IN DS 53631 13 2 C31F7790197F0DC5CE7726F731FA55A9189289540749A68A937BFD09 797D72E6
=== How to validate zone data ===
== Implementation details ==
==== Online validators ====
* https://dnssec-analyzer.verisignlabs.com/codewiz.org
* https://dnsviz.net/d/codewiz.org/dnssec/
==== CLI tools ====
* The git config file is as follows:
* Validate zone data with dig:
dig +dnssec +multiline -t ns codewiz.org. @1.1.1.1 | grep ad
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
* Validate zone data against domain DNSKEY:
$ unbound-host -y 'codewiz.org. DNSKEY 256 3 13 IbIcUsP+G7cnSmi12BpuiMjM9LnqvDaRS+qiquGKXxH/qAuOGlODFA4E 18O1OErfu0CkFjg6JEynOG6cSR40yg==' -v codewiz.org
codewiz.org has address 209.51.188.53 (secure)
codewiz.org has IPv6 address 2001:470:142:7::11 (secure)
codewiz.org mail is handled by 10 neo.develer.net. (secure)
* /var/lib/bind/etc/bind.git/description contains the repository description "Sugar Labs DNS zone data"
* Validate zone data against a domain's DS key:
unbound-host -f keys/dsset-sugarlabs.org. -v sugarlabs.org
sugarlabs.org has address 185.199.111.153 (secure)
sugarlabs.org has address 185.199.110.153 (secure)
sugarlabs.org has no IPv6 address (secure)
sugarlabs.org mail is handled by 10 mail0.codewiz.org. (secure)
sugarlabs.org mail is handled by 20 sunjammer.sugarlabs.org. (secure)
* Validate zone data against the root DNSKEY:
unbound-host -D -v wiki.sugarlabs.org
wiki.sugarlabs.org is an alias for sunjammer.sugarlabs.org. (secure)
sunjammer.sugarlabs.org has address 209.51.188.53 (secure)
sunjammer.sugarlabs.org has IPv6 address 2001:470:142:7::11 (secure)
sunjammer.sugarlabs.org has no mail handler record (secure)