tickets #161846
open
Rework qsc-ns3
0%
Description
These nameservers should be migrated away from the manually configured named/bind setup to a PowerDNS stack (authoritative for public-facing and recursor for internal requests) similar to what is already done with prg-ns{1,2} and hel{1,2}. To prepare for network segmentation in these locations it might be a good opportunity to split the internal and public-facing services to separate machines and to remove named/bind installations from machines which shouldn't run their own nameserver (ipx-proxy, stonehat).
This will unify the setup and allow us to fully cover the DNS setup with a streamlined Salt configuration.
During the DC migration, when this was originally discussed, a few options for backend replication were discussed, and some were theoretically evaluated before it was decided to only implement the new stack in Prague for now and to postpone qsc-ns3/provo-ns for a future improvement. The traditional AXFR approach might be better replaced with database/file replication; considerations are keeping DNSSEC intact and potentially allowing for multi-master operation (i.e. being able to modify DNS records when connectivity to Prague is lost - currently it's exclusively possible from chip.i.o.o).
Updated by crameleon 4 months ago
- Blocked by tickets #160221: Refactor Nuremberg/IPX networking added
Updated by crameleon 3 months ago
- Related to tickets #165872: DNSSEC error reported to opensuse.com.br added
Updated by crameleon 4 days ago
- Subject changed from Rework provo-ns/qsc-ns3 to Rework qsc-ns3
The provo-ns machine no longer exists since the US DC migration; we will build the nameservers in SLC using the new design to begin with. This only leaves the refactoring of the secondaries in NUE, and I will make a separate task for the bigger global refactoring related to replication.
Updated by crameleon 4 days ago
- Related to tickets #173515: Refactor DNS zone transfers to replication added