tickets #59920

New DNS infrastructure for openSUSE domains

Added by stroeder 3 months ago. Updated 7 days ago.

Status: In Progress
Start date: 01/01/2020
Priority: Normal
Due date:
Assignee: lrupp
% Done: 80%
Category: Project work
Target version: -
Duration:

Description

As discussed at opensuse-heroes meeting on 2019-11-16 a new independent DNS infrastructure will be setup for openSUSE domains like opensuse.org, opensuse.de, etc.

Overall goals:
* Project independence
* Improve security
* More control

History

#1 Updated by kbabioch 3 months ago

More than happy (and personally interested) to help out here.

#2 Updated by stroeder 3 months ago

  • Start date changed from 17/11/2019 to 01/01/2020

#3 Updated by lrupp 3 months ago

  • Checklist set to [ ] Setup test machines, [ ] Adjust/ check deployment, [ ] Salting setup, [ ] Run tests with test domain, [ ] Request change at Registrar, [ ] Send announcements, [ ] Bring systems in production
  • Status changed from New to In Progress
  • Assignee set to lrupp
  • Priority changed from Low to Normal
  • Private changed from Yes to No

Please note that I assigned this to me as project leader/ contact person. But I definitely need some help here. Feel free to ping me directly or enhance this issue with your information.

#4 Updated by lrupp 2 months ago

First test machine is set up and running in Provo: provo-ns.infra.opensuse.org

#5 Updated by lrupp about 1 month ago

  • Category set to Project work

#6 Updated by lrupp about 1 month ago

  • Checklist deleted ([ ] Setup test machines, [ ] Adjust/ check deployment, [ ] Salting setup, [ ] Run tests with test domain, [ ] Request change at Registrar, [ ] Send announcements, [ ] Bring systems in production)

nue-ns1.infra.opensuse.org is prepared as well.

#7 Updated by lrupp about 1 month ago

  • % Done changed from 0 to 20

#8 Updated by lrupp about 1 month ago

  • % Done changed from 20 to 60

ns1.opensuse.org and ns2.opensuse.org are online and answer queries for the opensuse.org domain.

left TODO:
* define a machine outside the Nuremberg network as DNS
* saltify the setup

#9 Updated by pjessen about 1 month ago

lrupp wrote:

> ns1.opensuse.org and ns2.opensuse.org are online and answer queries for the opensuse.org domain.

Cool!

> left TODO:
>
> * define a machine outside the Nuremberg network as DNS

I guess widehat might be a good choice? Otherwise I'll be happy to run a VM here.

#10 Updated by lrupp about 1 month ago

pjessen wrote:

> left TODO:
>
> * define a machine outside the Nuremberg network as DNS
>
> I guess widehat might be a good choice? Otherwise I'll be happy to run a VM here.

I'm currently thinking more about slimhat, but the idea is the same, yes. ;-)

Thanks for the offer! - Maybe we can combine this with your idea for remote monitoring?

Just one note: the hosts currently run bind (as I know bind), but I'm also happy if someone takes over and deploys (and maintains!) his favorite $DNS server on the machines.

#11 Updated by lrupp about 1 month ago

JFYI: Primary security scan succeeded without any issues.
Deeper application analysis is still running - but I expect no real issues here either.

#12 Updated by lrupp about 1 month ago

  • Tracker changed from communication to tickets

#13 Updated by lrupp about 1 month ago

The 2 machines are now listed as official primary DNS servers beside the old ones. Traffic shows no irregularities.

#14 Updated by cboltz about 1 month ago

lrupp wrote:

> The 2 machines are now listed as official primary DNS servers beside the old ones. Traffic shows no irregularities.

Can you please re-check this? Both whois opensuse.org and dig +trace opensuse.org still show me only 3 *.NOVELL.COM nameservers :-(

OTOH, dig opensuse.org NS includes ns[12].o.o.

I'm not a DNS expert, but I'd expect the same result for all methods I tried ;-)

#15 Updated by lrupp about 1 month ago

cboltz wrote:

> Can you please re-check this? Both whois opensuse.org and dig +trace opensuse.org still show me only 3 *.NOVELL.COM nameservers :-(

You query the registrar - and this is indeed the (more or less only) open topic. The registrar for the domain needs to change the DNS entries that are listed at IANA.

~> whois opensuse.org

Domain Name: OPENSUSE.ORG
Registry Domain ID: D106812357-LROR
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-08-15T18:09:34Z
Creation Date: 2005-07-05T18:49:38Z
Registry Expiry Date: 2020-07-05T18:49:38Z
Registrar Registration Expiration Date:
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: SUSE Software Solutions Germany GmbH
Registrant State/Province: Bavaria
Registrant Country: DE
Name Server: NSPRV2.NOVELL.COM
Name Server: NSPRV1.NOVELL.COM
Name Server: NSHOU1.NOVELL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)

> OTOH, dig opensuse.org NS includes ns[12].o.o.

This is what the zone file of the opensuse.org contains:

~> dig @nsprv1.novell.com opensuse.org NS 

;; ANSWER SECTION:
opensuse.org.           300     IN      NS      ns1.opensuse.org.
opensuse.org.           300     IN      NS      nsprv1.novell.com.
opensuse.org.           300     IN      NS      nsprv2.novell.com.
opensuse.org.           300     IN      NS      ns2.opensuse.org.
opensuse.org.           300     IN      NS      nshou1.novell.com.

So we need "someone" who drives the changes on the registration side now.
I hope this answers your question?
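A check for exactly the mismatch lrupp describes above, added here as an example (it is not part of the ticket or of the openSUSE heroes' tooling): it compares the Name Server lines the registrar publishes in whois with the NS RRset served from the zone apex. Both inputs are constructed copies of the output quoted in comment #15, embedded so the script runs offline.

```python
"""Compare the delegation NS set (parent zone, as shown by whois) with the
apex NS set the zone itself serves (dig ... NS). Added example; the two
samples below are constructed from the output quoted in comment #15."""
import re

# Constructed from the whois output in the ticket (shortened to the relevant lines).
WHOIS_SAMPLE = """\
Domain Name: OPENSUSE.ORG
Name Server: NSPRV2.NOVELL.COM
Name Server: NSPRV1.NOVELL.COM
Name Server: NSHOU1.NOVELL.COM
DNSSEC: unsigned
"""

# Constructed from the `dig @nsprv1.novell.com opensuse.org NS` answer in the ticket.
DIG_SAMPLE = """\
;; ANSWER SECTION:
opensuse.org.           300     IN      NS      ns1.opensuse.org.
opensuse.org.           300     IN      NS      nsprv1.novell.com.
opensuse.org.           300     IN      NS      nsprv2.novell.com.
opensuse.org.           300     IN      NS      ns2.opensuse.org.
opensuse.org.           300     IN      NS      nshou1.novell.com.
"""

def canon(name):
    """DNS names are case-insensitive; also drop the trailing dot."""
    return name.strip().rstrip(".").lower()

def registrar_ns(whois_text):
    """NS names the registry publishes in the parent zone (the delegation)."""
    return {canon(m) for m in re.findall(r"^Name Server:\s*(\S+)", whois_text, re.M)}

def zone_ns(dig_text):
    """NS RRset at the zone apex, parsed from a dig answer section."""
    pat = re.compile(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)", re.M)
    return {canon(m) for m in pat.findall(dig_text)}

def delegation_diff(whois_text, dig_text):
    """Return (missing_at_parent, stale_at_parent).
    missing_at_parent: servers the zone names but the registrar does not,
    so resolvers following the referral never reach them.
    stale_at_parent: servers the registrar lists but the zone no longer
    names, so the parent still sends traffic to them."""
    parent, child = registrar_ns(whois_text), zone_ns(dig_text)
    return sorted(child - parent), sorted(parent - child)

if __name__ == "__main__":
    missing, stale = delegation_diff(WHOIS_SAMPLE, DIG_SAMPLE)
    print("in zone but not at registrar:", missing)
    print("at registrar but not in zone:", stale)
```

Both sets should be empty once the registrar change is done; until then the two new servers only appear to clients that already hold the zone's own NS records, which is what cboltz observed.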

#16 Updated by cboltz about 1 month ago

Thanks! Yes, that answers my questions - I only wonder who this "someone" could be ;-)

#17 Updated by lrupp 24 days ago

  • % Done changed from 60 to 80

JFYI: Now we have ns4.opensuse.org up and running as well.

https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/DNS has a graphical overview.

#18 Updated by lrupp 13 days ago

ns3.opensuse.org is ready, but a firewall in front currently prevents the internet from accessing it.

Ticket is open....

I also started a discussion to replace the registrar's DNS entries with openSUSE ones. Meeting about this will hopefully happen this month.

#19 Updated by lrupp 7 days ago

As it looks like MF-IT once again needs ages to react, I decided not to wait and instead work on the DNS at QSC. After some conversation, I can happily say that we got an IPv6 subnet for all servers at QSC!

So I decided to do some renaming (for consistency), renamed qsc-ns4.infra.opensuse.org to qsc-ns3.infra.opensuse.org, and finally we now have:

  • ns3.opensuse.org => ns4.opensuse.org (the Provo machine)
  • ns4.opensuse.org => ns3.opensuse.org (the machine at QSC)

    ~> host ns3.opensuse.org
    ns3.opensuse.org has address 62.146.92.204
    ns3.opensuse.org has IPv6 address 2a01:138:a004::204

While this means that we will probably not have a DNS server in the USA, we now have at least 3 DNS servers in Europe - all dual-stacked with IPv4 and IPv6 addresses.
