X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fhowto%2Fdns.mdwn;h=ca8cfe6ad9d71e44838d5d57937620858416dc05;hb=4560c210de7352f480b37ab77d1467de229b75b3;hp=f2e071fbc5edef00c96d0b33f1fcc3d48e39e95a;hpb=e9cff5dd40e11ca66db1270e678dcd2aaef67e45;p=mirror%2Fdsa-wiki.git diff --git a/input/howto/dns.mdwn b/input/howto/dns.mdwn index f2e071f..ca8cfe6 100644 --- a/input/howto/dns.mdwn +++ b/input/howto/dns.mdwn 
@@ -1,15 +1,39 @@ # debian.org DNS -For most zones the hidden primary is samosa, with rietz, raff and klecker -being the public facing secondaries. +For most zones the hidden primary is draghi, with ravel, senfl, klecker +and orff being the public facing secondaries. -Domain information lives in a git on samosa, and pushing to it will cause +Domain information lives in a git on draghi, and pushing to it will cause the zone to be compiled and reloaded automatically. Repository lives at -ssh://db.debian.org/git/domains.git - public read only mirror available +ssh://dns.debian.org/git/domains.git - public read only mirror available using http. Some subdomains (and when I say subdomains, I really only mean www) are served by the geodns setup on geo1, 2, and 3. They have a seperate repo -ssh://db.debian.org/git/geodomains.git and an entirely seperate workflow. +ssh://dns.debian.org/git/dsa-geodomains.git and an entirely seperate workflow. At least it's consistent. + +# DNSSEC + +Adding DNSSEC KSK and ZSK for zones is done by running +/srv/dns.debian.org/bin/maintkeydb with the following options: + +./bin/maintkeydb create both NSEC3RSASHA1 default your.ip6.arpa + +Use RSASHA1 instead of NSEC3RSASHA1 for IPv4 address space. + +After that a "; wzf: dnssec = 1" needs to be added to the zone file. + +## DLV + +In order to publish our trust anchors in the ISC DLV, add +"; dlv-submit = yes" to the zonefile, then run the dlv-submit-many script +in /org/dns.debian.org/dlv-sync. + +In order to authenticate our control of that zone to ISC you'll have to +manually add a DLV cookie to the respective zone. After adding it you either +need to wait a day or so for ISC to re-check by themselves (re-run the script +for status information) or trigger a re-check on their website. + +Once they have verified the cookie it can be removed from the zone again.
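Review bot: the DNSSEC section introduced in this hunk is inconsistent about where the tooling lives and does not say why the key algorithm differs by zone type. The text names `/srv/dns.debian.org/bin/maintkeydb`, the example command is the relative `./bin/maintkeydb create both NSEC3RSASHA1 default your.ip6.arpa`, and the DLV section then points at `/org/dns.debian.org/dlv-sync`; please state the working directory the commands are run from and use one path prefix throughout. "Use RSASHA1 instead of NSEC3RSASHA1 for IPv4 address space." gives no reason, so a reader cannot tell whether this is a policy choice or a limitation of the reverse zone; a one-line explanation would keep the next editor from "fixing" it. The DLV paragraph should also say where in the zone file the cookie goes and what the re-run of dlv-submit-many reports when verification has succeeded, since "re-run the script for status information" is the only signal given before the cookie may be removed. Minor: the touched line "+ssh://dns.debian.org/git/dsa-geodomains.git and an entirely seperate workflow." keeps the "seperate" misspelling (also present on the preceding unchanged line); worth correcting to "separate" while the line is being edited.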