tickets #59920
New DNS infrastructure for openSUSE domains
100%
Description
As discussed at the opensuse-heroes meeting on 2019-11-16, a new independent DNS infrastructure will be set up for openSUSE domains like opensuse.org, opensuse.de, etc.
Overall goals:
- Project independence
- Improve security
- More control
History
#1
Updated by kbabioch over 3 years ago
More than happy (and personally interested) to help out here.
#2
Updated by stroeder over 3 years ago
- Start date changed from 2019-11-17 to 2020-01-01
#3
Updated by lrupp over 3 years ago
- Checklist item changed from to [ ] Setup test machines, [ ] Adjust/ check deployment, [ ] Salting setup, [ ] Run tests with test domain, [ ] Request change at Registrar, [ ] Send announcements, [ ] Bring systems in production
- Status changed from New to In Progress
- Assignee set to lrupp
- Priority changed from Low to Normal
- Private changed from Yes to No
Please note that I assigned this to me as project leader / contact person. But I definitely need some help here. Feel free to ping me directly or enhance this issue with your information.
#4
Updated by lrupp over 3 years ago
First test machine is set up and running in Provo: provo-ns.infra.opensuse.org
#5
Updated by lrupp over 3 years ago
- Category set to Project work
#6
Updated by lrupp over 3 years ago
- Checklist item changed from [ ] Setup test machines, [ ] Adjust/ check deployment, [ ] Salting setup, [ ] Run tests with test domain, [ ] Request change at Registrar, [ ] Send announcements, [ ] Bring systems in production to
nue-ns1.infra.opensuse.org is prepared as well.
#7
Updated by lrupp over 3 years ago
- % Done changed from 0 to 20
#8
Updated by lrupp over 3 years ago
- % Done changed from 20 to 60
ns1.opensuse.org and ns2.opensuse.org are online and answer queries for the opensuse.org domain.
left TODO:
- define a machine outside the Nuremberg network as DNS
- saltify the setup
#9
Updated by pjessen over 3 years ago
lrupp wrote:
ns1.opensuse.org and ns2.opensuse.org are online and answer queries for the opensuse.org domain.
Cool!
left TODO:
- define a machine outside the Nuremberg network as DNS
I guess widehat might be a good choice? otherwise I'll be happy to run a VM here.
#10
Updated by lrupp over 3 years ago
pjessen wrote:
left TODO:
- define a machine outside the Nuremberg network as DNS
I guess widehat might be a good choice? otherwise I'll be happy to run a VM here.
I'm currently thinking more about slimhat, but the idea is the same, yes. ;-)
Thanks for the offer! - Maybe we can combine this with your idea for remote monitoring?
Just one note: the hosts currently run bind (as I know bind), but I'm also happy if someone takes over and deploys (and maintains!) his favorite $DNS server on the machines.
#11
Updated by lrupp over 3 years ago
JFYI: Primary security scan succeeded without any issues.
Deeper application analysis still running - but I expect no real issues here as well.
#12
Updated by lrupp over 3 years ago
- Tracker changed from communication to tickets
#13
Updated by lrupp over 3 years ago
The 2 machines are now listed as official primary DNS servers alongside the old ones. Traffic shows no irregularities.
#14
Updated by cboltz over 3 years ago
lrupp wrote:
The 2 machines are now listed as official primary DNS servers alongside the old ones. Traffic shows no irregularities.
Can you please re-check this? Both whois opensuse.org and dig +trace opensuse.org still show me only 3 *.NOVELL.COM nameservers :-(
OTOH, dig opensuse.org NS includes ns[12].o.o.
I'm not a DNS expert, but I'd expect the same result for all methods I tried ;-)
#15
Updated by lrupp over 3 years ago
cboltz wrote:
Can you please re-check this? Both whois opensuse.org and dig +trace opensuse.org still show me only 3 *.NOVELL.COM nameservers :-(
You query the registrar - and this is indeed the (more or less only) open topic. The registrar for the domain needs to change the DNS entries that are listed at IANA.
~> whois opensuse.org
Domain Name: OPENSUSE.ORG
Registry Domain ID: D106812357-LROR
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-08-15T18:09:34Z
Creation Date: 2005-07-05T18:49:38Z
Registry Expiry Date: 2020-07-05T18:49:38Z
Registrar Registration Expiration Date:
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: SUSE Software Solutions Germany GmbH
Registrant State/Province: Bavaria
Registrant Country: DE
Name Server: NSPRV2.NOVELL.COM
Name Server: NSPRV1.NOVELL.COM
Name Server: NSHOU1.NOVELL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/
OTOH, dig opensuse.org NS includes ns[12].o.o.
This is what the zone file of opensuse.org contains:
~> dig @nsprv1.novell.com opensuse.org NS
;; ANSWER SECTION:
opensuse.org.  300  IN  NS  ns1.opensuse.org.
opensuse.org.  300  IN  NS  nsprv1.novell.com.
opensuse.org.  300  IN  NS  nsprv2.novell.com.
opensuse.org.  300  IN  NS  ns2.opensuse.org.
opensuse.org.  300  IN  NS  nshou1.novell.com.
So we need "someone", who drives the changes on the registration side now.
I hope, this answers your question?
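The disagreement discussed above is the classic parent/child NS mismatch: the delegation at the org. registry (what whois and the referral step of dig +trace show) still lists only the three NOVELL.COM servers, while the zone apex served by those servers already lists five. A recursive resolver answering dig opensuse.org NS returns the apex set because an authoritative answer from the child outranks the parent's referral data, which is why the two commands disagree until the registrar entry is updated. The script below is an added example for this ticket, not openSUSE Heroes tooling: it parses dig-style output for both sides and reports which servers are authoritative but not delegated (never reachable via the DNS tree) and which are delegated but missing from the apex (a stale registrar entry once the old servers go away). The two inputs are constructed from the records quoted in this ticket; in practice you would obtain them with dig +norecurse @<an org. server from dig org. NS> opensuse.org NS and dig @<a child server> opensuse.org NS.

```python
"""Compare the NS set the parent zone delegates to with the NS set the child zone
publishes at its apex.

Added example for the opensuse.org delegation discussion; not the project's own code.
Assumed input format: lines as printed by dig in its ANSWER/AUTHORITY sections.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the referral an org. TLD server hands out while the
# registrar entry still names only the three NOVELL.COM servers.
PARENT_DELEGATION = """\
;; AUTHORITY SECTION:
opensuse.org.\t86400\tIN\tNS\tnsprv1.novell.com.
opensuse.org.\t86400\tIN\tNS\tnsprv2.novell.com.
opensuse.org.\t86400\tIN\tNS\tnshou1.novell.com.
"""

# Constructed sample: the apex NS RRset as quoted in the ticket from
# `dig @nsprv1.novell.com opensuse.org NS`.
CHILD_APEX = """\
;; ANSWER SECTION:
opensuse.org.\t300\tIN\tNS\tns1.opensuse.org.
opensuse.org.\t300\tIN\tNS\tnsprv1.novell.com.
opensuse.org.\t300\tIN\tNS\tnsprv2.novell.com.
opensuse.org.\t300\tIN\tNS\tns2.opensuse.org.
opensuse.org.\t300\tIN\tNS\tnshou1.novell.com.
"""

# owner  ttl  IN  NS  target  (dig separates the fields with tabs or spaces)
NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$")


def _fqdn(name: str) -> str:
    """Normalise a DNS name for set comparison: lowercase, single trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_ns(dig_output: str, zone: str) -> Set[str]:
    """Return the NS targets for `zone` found in dig-formatted output.

    Records for other owner names (for example glue A/AAAA records or NS records
    of a different zone) are ignored, so the caller can pass a whole dig dump.
    """
    owner = _fqdn(zone)
    found: Set[str] = set()
    for line in dig_output.splitlines():
        m = NS_LINE.match(line.strip())
        if m and _fqdn(m.group(1)) == owner:
            found.add(_fqdn(m.group(2)))
    return found


def check_delegation(parent_output: str, child_output: str, zone: str) -> Dict[str, object]:
    """Compare the delegation NS set (parent) with the apex NS set (child)."""
    parent = parse_ns(parent_output, zone)
    child = parse_ns(child_output, zone)
    return {
        "parent": parent,
        "child": child,
        # Authoritative at the apex but not delegated: resolvers walking the tree
        # never learn about these servers; only cached child answers expose them.
        "only_in_child": child - parent,
        # Delegated but absent from the apex: stale registrar data, and a lame
        # delegation once those hosts stop answering for the zone.
        "only_in_parent": parent - child,
        "consistent": parent == child,
    }


def describe(result: Dict[str, object]) -> List[str]:
    """Human-readable summary lines for a check_delegation() result."""
    lines = []
    if result["consistent"]:
        lines.append("OK: parent delegation and child apex NS set agree")
        return lines
    lines.append("MISMATCH between parent delegation and child apex NS set")
    for ns in sorted(result["only_in_child"]):
        lines.append(f"  not delegated by parent (registrar change needed): {ns}")
    for ns in sorted(result["only_in_parent"]):
        lines.append(f"  delegated by parent but missing at apex:           {ns}")
    return lines


if __name__ == "__main__":
    for line in describe(check_delegation(PARENT_DELEGATION, CHILD_APEX, "opensuse.org")):
        print(line)
```

With the ticket's data the script flags ns1.opensuse.org and ns2.opensuse.org as "not delegated by parent", which is exactly the state #13 and #14 describe: serving the zone on the new hosts is done, the registrar-side change is what remains. Re-running the same comparison after the registrar update (and again after the NOVELL.COM servers are removed from the apex) is the quickest way to confirm both sides agree before the old servers are switched off.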
#16
Updated by cboltz over 3 years ago
Thanks! Yes, that answers my questions - I only wonder who this "someone" could be ;-)
#17
Updated by lrupp over 3 years ago
- % Done changed from 60 to 80
JFYI: Now we have ns4.opensuse.org up and running as well.
https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/DNS has a graphical overview.
#18
Updated by lrupp over 3 years ago
ns3.opensuse.org is ready, but a firewall in front currently prevents the internet from accessing it.
Ticket is open....
I also started a discussion to replace the registrar's DNS entries with openSUSE ones. Meeting about this will hopefully happen this month.
#19
Updated by lrupp over 3 years ago
As it looks like MF-IT again needs ages to react, I decided not to wait and instead work on the DNS at QSC. After some conversation, I can happily say that we got an IPv6 subnet for all servers at QSC!
So I decided to do some renaming (for consistency) and renamed qsc-ns4.infra.opensuse.org to qsc-ns3.infra.opensuse.org, and finally we now have:
- ns3.opensuse.org => ns4.opensuse.org (the Provo machine)
- ns4.opensuse.org => ns3.opensuse.org (the machine at QSC)
~> host ns3.opensuse.org
ns3.opensuse.org has address 62.146.92.204
ns3.opensuse.org has IPv6 address 2a01:138:a004::204
While this means that we will probably not have a DNS server in the USA, we now have at least 3 DNS servers in Europe - all dual-stacked with IPv4 and IPv6 addresses.
#20
Updated by lrupp over 3 years ago
- % Done changed from 80 to 90
OK: ns4.opensuse.org is also online and answering queries.
Next switch (this time including glue records) for opensuse.org, opensuse.de and opensuse.fr domains is scheduled for today in the European afternoon...
(we are very, very close... :-)
#21
Updated by lrupp over 3 years ago
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
Closing here: Registrar entries have been moved, ns{1,2,3}.opensuse.org are masters for opensuse.org, opensuse.de and opensuse.fr.
DNS Management is done in the openSUSE Heroes FreeIPA instance. Technical details are described in the admin-wiki here in Redmine.