X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fdsablog%2F2014%2FThe_Debian_DNS_universe.mdwn;h=85513aa86a3027b5e3135be4e32436b3a7fd2a1e;hb=1c478d33af37a52517332c34a328065dd39a5760;hp=c35f6594caec77811706dd72d632195605191fe7;hpb=6e779daeedd472b38ce9f1fa9878486c507bff18;p=mirror%2Fdsa-wiki.git diff --git a/input/dsablog/2014/The_Debian_DNS_universe.mdwn b/input/dsablog/2014/The_Debian_DNS_universe.mdwn index c35f659..85513aa 100644 --- a/input/dsablog/2014/The_Debian_DNS_universe.mdwn +++ b/input/dsablog/2014/The_Debian_DNS_universe.mdwn @@ -3,18 +3,18 @@ # Abstract I recently moved our primary nameserver from `orff.debian.org`, which is -an aging blade in Greeze, to a VM on one of our ganeti clusters. In the -process I rediscovered a lot about our DNS infrastructure. In this post -I will describe the many sources of information and how it all comes +an aging blade in Greece, to a VM on one of our ganeti clusters. In the +process, I rediscovered a lot about our DNS infrastructure. In this post, +I will describe the many sources of information and how they all come together. # Introduction The [Domain Name System][DNS] is the hierarchical database and query protocol that is in use on the Internet today to map hostnames to IP -addresses, the reverse thereof, lookup relevant servers for certain -services such as mail, and a gazillion other things. Management and -authority in the DNS is split into different zones, subtrees of the +addresses, to map the reverse thereof, to lookup relevant servers for +certain services such as mail, and a gazillion other things. Management +and authority in the DNS is split into different zones, subtrees of the global tree of domain names. Debian currently has a bit over a score of zones. The two most 
@@ -42,7 +42,7 @@ The data we put into DNS comes from a wide range of different systems: mail in LDAP (`mXRecord` LDAP attribute, DNS `MX` record type). * LDAP also has some specs on computers, which we put into each host's `HINFO` record, mainly because we can and we are old-school. - * Last not least, LDAP also has each host's public ssh key, which we + * Last but not least, LDAP also has each host's public ssh key, which we extract into [SSHFP][rfc4255] records for DNS. * LDAP also has per-user information. Users of debian infrastructure can attach limited DNS elements as `dnsZoneEntry` attributes to their @@ -55,8 +55,8 @@ The data we put into DNS comes from a wide range of different systems: # Debian's auto-dns and geo setup -We try to provide the best service we can. As such, our goal is that -for instance user access to [`www`][www] or [`bugs`][bugs] should always +We try to provide the best service we can. As such, our goal is that, +for instance, user access to [`www`][www] or [`bugs`][bugs] should always work. These services are, thus, provided by more than one machine on the Internet. @@ -94,7 +94,7 @@ The auto-dns system produces two kinds of output: # Tying it all together -![The Debian DNS Rube Goldberg Machine.](../debian-dns.png) +![The Debian DNS Rube Goldberg Machine.](/Pics/blog/2014/debian-dns.png) Figure 1: The Debian DNS Rube Goldberg Machine. @@ -124,13 +124,14 @@ only will it warn us if an expiring key is still in the DSset, it can also prevent it from getting expired by issuing timly updates of the keys metadata. -# Relevant Git repositories: +# Relevant Git repositories * [domains] * [auto-dns] * [mini-nag] * [dns-helpers] * [puppet] +* [nagioschecks] [^ldap]: `ldapsearch -h db.debian.org -x -ZZ -b dc=debian,dc=org -LLL 'host=master'` 
@@ -152,5 +153,6 @@ keys metadata. [mini-nag]: http://anonscm.debian.org/gitweb/?p=mirror/dsa-mini-nag.git;a=tree [dns-helpers]: http://anonscm.debian.org/gitweb/?p=mirror/dns-helpers.git;a=tree [static]: http://anonscm.debian.org/gitweb/?p=mirror/dsa-auto-dns.git;a=blob;f=services/static.debian.org.service;hb=HEAD +[nagioschecks]: http://anonscm.debian.org/gitweb/?p=mirror/dsa-nagios.git;a=tree;f=dsa-nagios-checks/checks;hb=HEAD -- Peter Palfrader
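Review bot: in the hunk at `@@ -3,18 +3,18 @@`, the rewritten Introduction sentence reads "to lookup relevant servers for certain services"; as a verb this should be "to look up relevant servers for certain services" ("lookup" is the noun form). The other changes in that hunk (Greece, the added commas, "how they all come together") read fine.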
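Review bot: in the hunk at `@@ -94,7 +94,7 @@`, the image reference changes from the relative `../debian-dns.png` to the absolute `/Pics/blog/2014/debian-dns.png`, but the diff does not move or add the image file; confirm the picture actually exists at that wiki path (and that the absolute form resolves correctly under the wiki's base URL), otherwise Figure 1 renders as a broken image.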
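Review bot: in the hunk at `@@ -124,13 +124,14 @@`, the unchanged context lines at the top still carry two typos that this wording/typo pass could take along: "timly updates" should be "timely updates" and "the keys metadata" should be "the key's metadata". Dropping the trailing colon from the "Relevant Git repositories" heading and adding the `[nagioschecks]` list entry are fine, and the entry is backed by the link definition added in the following hunk.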