tickets #59920

New DNS infrastructure for openSUSE domains

Added by stroeder 8 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Project work
Start date: 2020-01-01
Due date:
% Done: 100%
Estimated time:
Duration:

Description

As discussed at the opensuse-heroes meeting on 2019-11-16, a new independent DNS infrastructure will be set up for openSUSE domains like opensuse.org, opensuse.de, etc.

Overall goals:

  • Project independence
  • Improve security
  • More control

History

#1 Updated by kbabioch 8 months ago

More than happy (and personally interested) to help out here.

#2 Updated by stroeder 8 months ago

  • Start date changed from 2019-11-17 to 2020-01-01

#3 Updated by lrupp 7 months ago

  • Checklist set to [ ] Setup test machines, [ ] Adjust/ check deployment, [ ] Salting setup, [ ] Run tests with test domain, [ ] Request change at Registrar, [ ] Sent announcements, [ ] Bring systems in production
  • Status changed from New to In Progress
  • Assignee set to lrupp
  • Priority changed from Low to Normal
  • Private changed from Yes to No

Please note that I assigned this to me as project leader/ contact person. But I definitely need some help here. Feel free to ping me directly or enhance this issue with your information.

#4 Updated by lrupp 6 months ago

First test machine is set up and running in Provo: provo-ns.infra.opensuse.org

#5 Updated by lrupp 6 months ago

  • Category set to Project work

#6 Updated by lrupp 6 months ago

  • Checklist deleted ([ ] Setup test machines, [ ] Adjust/ check deployment, [ ] Salting setup, [ ] Run tests with test domain, [ ] Request change at Registrar, [ ] Sent announcements, [ ] Bring systems in production)

nue-ns1.infra.opensuse.org is prepared as well.

#7 Updated by lrupp 6 months ago

  • % Done changed from 0 to 20

#8 Updated by lrupp 6 months ago

  • % Done changed from 20 to 60

ns1.opensuse.org and ns2.opensuse.org are online and answer queries for the opensuse.org domain.

left TODO:

  • define a machine outside the Nuremberg network as DNS
  • saltify the setup

#9 Updated by pjessen 6 months ago

lrupp wrote:

ns1.opensuse.org and ns2.opensuse.org are online and answer queries for the opensuse.org domain.

Cool!

left TODO:

  • define a machine outside the Nuremberg network as DNS

I guess widehat might be a good choice? otherwise I'll be happy to run a VM here.

#10 Updated by lrupp 6 months ago

pjessen wrote:

left TODO:

  • define a machine outside the Nuremberg network as DNS

I guess widehat might be a good choice? otherwise I'll be happy to run a VM here.

I'm currently thinking more about slimhat, but the idea is the same, yes. ;-)

Thanks for the offer! - Maybe we can combine this with your idea for remote monitoring?

Just one note: the hosts currently run bind (as I know bind), but I'm also happy if someone takes over and deploys (and maintains!) his favorite $DNS server on the machines.

#11 Updated by lrupp 6 months ago

JFYI: Primary security scan succeeded without any issues.
Deeper application analysis still running - but I expect no real issues here as well.

#12 Updated by lrupp 6 months ago

  • Tracker changed from communication to tickets

#13 Updated by lrupp 5 months ago

The 2 machines are now listed as official primary DNS servers beside the old ones. Traffic shows no irregularities.

#14 Updated by cboltz 5 months ago

lrupp wrote:

The 2 machines are now listed as official primary DNS servers beside the old ones. Traffic shows no irregularities.

Can you please re-check this? Both whois opensuse.org and dig +trace opensuse.org still show me only 3 *.NOVELL.COM nameservers :-(

OTOH, dig opensuse.org NS includes ns[12].o.o.

I'm not a DNS expert, but I'd expect the same result for all methods I tried ;-)

#15 Updated by lrupp 5 months ago

cboltz wrote:

Can you please re-check this? Both whois opensuse.org and dig +trace opensuse.org still show me only 3 *.NOVELL.COM nameservers :-(

You query the registrar - and this is indeed the (more or less only) open topic. The registrar for the domain needs to change the DNS entries that are listed at IANA.

~> whois opensuse.org

Domain Name: OPENSUSE.ORG
Registry Domain ID: D106812357-LROR
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-08-15T18:09:34Z
Creation Date: 2005-07-05T18:49:38Z
Registry Expiry Date: 2020-07-05T18:49:38Z
Registrar Registration Expiration Date:
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: SUSE Software Solutions Germany GmbH
Registrant State/Province: Bavaria
Registrant Country: DE
Name Server: NSPRV2.NOVELL.COM
Name Server: NSPRV1.NOVELL.COM
Name Server: NSHOU1.NOVELL.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)

OTOH, dig opensuse.org NS includes ns[12].o.o.

This is what the zone file of opensuse.org contains:

~> dig @nsprv1.novell.com opensuse.org NS 

;; ANSWER SECTION:
opensuse.org.           300     IN      NS      ns1.opensuse.org.
opensuse.org.           300     IN      NS      nsprv1.novell.com.
opensuse.org.           300     IN      NS      nsprv2.novell.com.
opensuse.org.           300     IN      NS      ns2.opensuse.org.
opensuse.org.           300     IN      NS      nshou1.novell.com.

So we need "someone", who drives the changes on the registration side now.
I hope this answers your question?
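The mismatch lrupp explains above (the registrar's delegation, which dig +trace follows, versus the NS set at the zone apex, which a plain NS query returns) can be checked mechanically. The following is an added example, not code from the ticket or from the openSUSE Heroes: it parses the whois and dig output quoted above (embedded as constructed sample input), reports which name servers are served but not delegated or delegated but no longer served, and flags the in-bailiwick names that will need glue A/AAAA records at the parent once the registrar switch happens.

```python
import re

# Constructed sample input: the registrar whois and authoritative dig
# output quoted in comment #15, trimmed to the lines the check uses.
WHOIS_OUTPUT = """\
Name Server: NSPRV2.NOVELL.COM
Name Server: NSPRV1.NOVELL.COM
Name Server: NSHOU1.NOVELL.COM
DNSSEC: unsigned
"""
DIG_OUTPUT = """\
;; ANSWER SECTION:
opensuse.org.           300     IN      NS      ns1.opensuse.org.
opensuse.org.           300     IN      NS      nsprv1.novell.com.
opensuse.org.           300     IN      NS      nsprv2.novell.com.
opensuse.org.           300     IN      NS      ns2.opensuse.org.
opensuse.org.           300     IN      NS      nshou1.novell.com.
"""

def norm(name):
    """Lower-case and drop the trailing dot so both sources compare equal."""
    return name.strip().lower().rstrip(".")

def parse_whois_ns(text):
    """Name servers the registrar has on file: what the parent zone delegates to."""
    return {norm(m.group(1)) for m in re.finditer(r"^Name Server:\s*(\S+)", text, re.M)}

def parse_dig_ns(text):
    """NS records at the zone apex, as served by an authoritative server."""
    return {norm(m.group(1)) for m in re.finditer(r"\sIN\s+NS\s+(\S+)\s*$", text, re.M)}

def in_bailiwick(ns, zone):
    """True if the NS name lies inside the zone, so the parent must carry glue A/AAAA for it."""
    return ns == zone or ns.endswith("." + zone)

def delegation_check(zone, whois_text, dig_text):
    """Compare the parent-side delegation with the apex NS set and report the differences."""
    parent, apex = parse_whois_ns(whois_text), parse_dig_ns(dig_text)
    return {
        "consistent": parent == apex,
        "zone_only": sorted(apex - parent),    # served, but resolvers following the delegation never see them
        "parent_only": sorted(parent - apex),  # delegated, but the zone no longer lists them
        "needs_glue": sorted(n for n in apex if in_bailiwick(n, zone)),
    }

if __name__ == "__main__":
    for key, value in delegation_check("opensuse.org", WHOIS_OUTPUT, DIG_OUTPUT).items():
        print(f"{key}: {value}")
```

For a live check, feed it the output of `whois <zone>` and `dig @<authoritative server> <zone> NS` instead of the embedded samples.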

#16 Updated by cboltz 5 months ago

Thanks! Yes, that answers my questions - I only wonder who this "someone" could be ;-)

#17 Updated by lrupp 5 months ago

  • % Done changed from 60 to 80

JFYI: Now we have ns4.opensuse.org up and running as well.

https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/DNS has a graphical overview.

#18 Updated by lrupp 5 months ago

ns3.opensuse.org is ready, but a firewall in front currently prevents the internet from accessing it.

Ticket is open....

I also started a discussion to replace the registrar's DNS entries with openSUSE ones. Meeting about this will hopefully happen this month.

#19 Updated by lrupp 4 months ago

As it looks like MF-IT again needs ages to react, I decided not to wait and instead work on the DNS at QSC. After some conversation, I can happily say that we got an IPv6 subnet for all servers at QSC!

So I decided to do some renaming (for consistency) and renamed qsc-ns4.infra.opensuse.org to qsc-ns3.infra.opensuse.org and finally we have now:

  • ns3.opensuse.org => ns4.opensuse.org (the Provo machine)
  • ns4.opensuse.org => ns3.opensuse.org (the machine at QSC)

    ~> host ns3.opensuse.org
    ns3.opensuse.org has address 62.146.92.204
    ns3.opensuse.org has IPv6 address 2a01:138:a004::204

While this means that we will probably not have a DNS server in the USA, we now have at least 3 DNS servers in Europe - all dual-stacked with IPv4 and IPv6 addresses.

#20 Updated by lrupp 4 months ago

  • % Done changed from 80 to 90

OK: ns4.opensuse.org is also online and answering queries.

Next switch (this time including glue records) for opensuse.org, opensuse.de and opensuse.fr domains is scheduled for today in the European afternoon...

(we are very, very close... :-)

#21 Updated by lrupp 4 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

Closing here: Registrar entries have been moved, ns{1,2,3}.opensuse.org are masters for opensuse.org, opensuse.de and opensuse.fr.
DNS Management is done in the openSUSE Heroes FreeIPA instance. Technical details are described in the admin-wiki here in Redmine.
