X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fhowto%2Fdns.mdwn;h=41a8de673e1d71b00252354b8f9117520fea722e;hb=f55f6d8abaa34259c955131f7c1464babe58b6b4;hp=ca8cfe6ad9d71e44838d5d57937620858416dc05;hpb=b9b288023886bb645860c430d1852dd2516c4881;p=mirror%2Fdsa-wiki.git diff --git a/input/howto/dns.mdwn b/input/howto/dns.mdwn index ca8cfe6..41a8de6 100644 --- a/input/howto/dns.mdwn +++ b/input/howto/dns.mdwn @@ -1,39 +1,25 @@ -# debian.org DNS +# how to update DNS resource records -For most zones the hidden primary is draghi, with ravel, senfl, klecker -and orff being the public facing secondaries. +## updating standard resource records -Domain information lives in a git on draghi, and pushing to it will cause -the zone to be compiled and reloaded automatically. Repository lives at -ssh://dns.debian.org/git/domains.git - public read only mirror available -using http. +For most zones, the hidden primary DNS server is denis, with RcodeZero, Netnod +and easyDNS providing public-facing secondary servers. -Some subdomains (and when I say subdomains, I really only mean www) are -served by the geodns setup on geo1, 2, and 3. They have a seperate repo -ssh://dns.debian.org/git/dsa-geodomains.git and an entirely seperate workflow. +Zone files are managed via a [git repository][1]. Pushing commits into the git +repository will invoke a post-commit hook that causes the recompilation and +reload of the zone files. -At least it's consistent. +Some subdomains (specifically www.debian.org and security.debian.org) are +served by the autodns/geodns setup on geo{1,2,3}. Their zone files are managed +by a separate [git repository][2]. -# DNSSEC +## updating DNSSEC records -Adding DNSSEC KSK and ZSK for zones is done by running -/srv/dns.debian.org/bin/maintkeydb with the following options: +When nagios complains about impending DS expiry, find the new key in +/srv/dns.debian.org/var/keys/$zone/dsset and add it at the registrar's (gandi). +Leave the old one in place for a day or so, after checking that dnsviz.net is +happy with the new key. For the debian.org and 29.172.in-addr.arpa zones, also +update the trust anchors in puppet. -./bin/maintkeydb create both NSEC3RSASHA1 default your.ip6.arpa - -Use RSASHA1 instead of NSEC3RSASHA1 for IPv4 address space. - -After that a "; wzf: dnssec = 1" needs to be added to the zone file. - -## DLV - -In order to publish our trust anchors in the ISC DLV, add -"; dlv-submit = yes" to the zonefile, then run the dlv-submit-many script -in /org/dns.debian.org/dlv-sync. - -In order to authenticate our control of that zone to ISC you'll have to -manually add a DLV cookie to the respective zone. After adding it you either -need to wait a day or so for ISC to re-check by themselves (re-run the script -for status information) or trigger a re-check on their website. - -Once they have verified the cookie it can be removed from the zone again. +[1]: ssh://git@ubergit.debian.org/dsa/domains +[2]: ssh://git@ubergit.debian.org/dsa/auto-dns