tickets #59920
closedNew DNS infrastructure for openSUSE domains
100%
Description
As discussed at opensuse-heroes meeting on 2019-11-16 a new independent DNS infrastructure will be setup for openSUSE domains like opensuse.org, opensuse.de, etc.
Overall goals:
- Project independence
- Improve security
- More control
Updated by kbabioch over 5 years ago
More than happy (and personally interested) to help out here.
Updated by stroeder over 5 years ago
- Start date changed from 2019-11-17 to 2020-01-01
Updated by lrupp over 5 years ago
- Checklist item changed from to [ ] Setup test machines, [ ] Adjust/ check deployment, [ ] Salting setup, [ ] Run tests with test domain, [ ] Request change at Regiatrar, [ ] Sent announcements, [ ] Bring systems in production
- Status changed from New to In Progress
- Assignee set to lrupp
- Priority changed from Low to Normal
- Private changed from Yes to No
Please note that I assigned this to me as project leader/ contact person. But I definitely need some help here. Feel free to ping me directly or enhance this issue with your information.
Updated by lrupp over 5 years ago
First test machine is setup and running in Provo: provo-ns.infra.opensuse.org
Updated by lrupp over 5 years ago
- Checklist item changed from [ ] Setup test machines, [ ] Adjust/ check deployment, [ ] Salting setup, [ ] Run tests with test domain, [ ] Request change at Regiatrar, [ ] Sent announcements, [ ] Bring systems in production to
nue-ns1.infra.opensuse.org is prepared as well.
Updated by lrupp over 5 years ago
- % Done changed from 20 to 60
ns1.opensuse.org and ns2.opensuse.org are online and answer queries for the opensuse.org domain.
left TODO:
- define a machine outside the Nuremberg network as DNS
- saltify the setup
Updated by pjessen over 5 years ago
lrupp wrote:
ns1.opensuse.org and ns2.opensuse.org are online and answer queries for the opensuse.org domain.
Cool!
left TODO:
- define a machine outside the Nuremberg network as DNS
I guess widehat might be a good choice? otherwise I'll be happy to run a VM here.
Updated by lrupp over 5 years ago
pjessen wrote:
left TODO:
- define a machine outside the Nuremberg network as DNS
I guess widehat might be a good choice? otherwise I'll be happy to run a VM here.
I'm currently thinking more about slimhat, but the idea is the same, yes. ;-)
Thanks for the offer! - Maybe we can combine this with your idea for remote monitoring?
Just one note: the hosts currently run bind (as I know bind), but I'm also happy if someone takes over and deploys (and maintains!) his favorite $DNS server on the machines.
Updated by lrupp over 5 years ago
JFYI: Primary security scan succeded without any issues.
Deeper application analysis still running - but I expect no real issues here as well.
Updated by lrupp over 5 years ago
- Tracker changed from communication to tickets
Updated by lrupp over 5 years ago
The 2 machines are now listed as official primary DNS servers beside the old ones. Traffic shows no irregularities.
Updated by cboltz over 5 years ago
lrupp wrote:
The 2 machines are now listed as official primary DNS servers beside the old ones. Traffic shows no irregularities.
Can you please re-check this? Both whois opensuse.org and dig +trace opensuse.org still shows me only 3 *.NOVELL.COM nameservers :-(
OTOH, dig opensuse.org NS includes ns[12].o.o.
I'm not a DNS expert, but I'd expect the same result for all methods I tried ;-)
Updated by lrupp over 5 years ago
cboltz wrote:
Can you please re-check this? Both
whois opensuse.organddig +trace opensuse.orgstill shows me only 3*.NOVELL.COMnameservers :-(
You query the registrar - and this is indeed the (more or less only) open topic. The registrar for the domain needs to change the DNS entries that are listed at IANA.
~> whois opensuse.org
Domain Name: OPENSUSE.ORG
Registry Domain ID: D106812357-LROR
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-08-15T18:09:34Z
Creation Date: 2005-07-05T18:49:38Z
Registry Expiry Date: 2020-07-05T18:49:38Z
Registrar Registration Expiration Date:
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: SUSE Software Solutions Germany GmbH
Registrant State/Province: Bavaria
Registrant Country: DE
Name Server: NSPRV2.NOVELL.COM
Name Server: NSPRV1.NOVELL.COM
Name Server: NSHOU1.NOVELL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)
OTOH,
dig opensuse.org NSincludesns[12].o.o.
This is what the zone file of the opensuse.org contains:
~> dig @nsprv1.novell.com opensuse.org NS
;; ANSWER SECTION:
opensuse.org. 300 IN NS ns1.opensuse.org.
opensuse.org. 300 IN NS nsprv1.novell.com.
opensuse.org. 300 IN NS nsprv2.novell.com.
opensuse.org. 300 IN NS ns2.opensuse.org.
opensuse.org. 300 IN NS nshou1.novell.com.
So we need "someone", who drives the changes on the registration side now.
I hope, this answers your question?
Updated by cboltz over 5 years ago
Thanks! Yes, that answers my questions - I only wonder who this "someone" could be ;-)
Updated by lrupp over 5 years ago
- % Done changed from 60 to 80
JFYI: Now we have ns4.opensuse.org up and running as well.
https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/DNS has a graphical overview.
Updated by lrupp about 5 years ago
ns3.opensuse.org is ready, but a firewall in front currently prevents the internet from accessing it.
Ticket is open....
I also started a discussion to replace the registrar's DNS entries with openSUSE ones. Meeting about this will hopefully happen this month.
Updated by lrupp about 5 years ago
As it looks like MF-IT needs again some ages to react, I decided not to wait and instead work on the DNS at QSC. After some conversation, I can happily say that we got an IPv6 submit for all servers at QSC!
So I decided to do some renaming (for consistency) and renamed qsc-ns4.infra.opensuse.org to qsc-ns3.infra.opensuse.org and finally we have now:
-
ns3.opensuse.org => ns4.opensuse.org (the Provo machine)
-
ns4.opensuse.org => ns3.opensuse.org (the machine at QSC)
~> host ns3.opensuse.org
ns3.opensuse.org has address 62.146.92.204
ns3.opensuse.org has IPv6 address 2a01:138:a004::204
While this means that we will probably not have a DNS server in USA, we now have at least 3 DNS server in Europe - all dual-stacked with IPv4 and IPv6 addresses.
Updated by lrupp about 5 years ago
- % Done changed from 80 to 90
OK: ns4.opensuse.org is also online and answering queries.
Next switch (this time including glue records) for opensuse.org, opensuse.de and opensuse.fr domains is scheduled for today in the European afternoon...
(we are very, very close... :-)
Updated by lrupp about 5 years ago
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
Closing here: Registrar entries have been moved, ns{1,2,3}.opensuse.org are masters for opensuse.org, opensuse.de and opensuse.fr.
DNS Management is done in the openSUSE Heroes FreeIPA instance. Technical details are described in the admin-wiki here in Redmine.