From bf6ea14e54acbda6bc45df5d1a7039533c6ce475 Mon Sep 17 00:00:00 2001 From: Luca Filipozzi Date: Wed, 5 Mar 2014 10:31:07 +0000 Subject: [PATCH] start of changes --- input/howto/dns.mdwn | 46 +++++++++++----------------------- input/howto/new-machine.creole | 2 +- input/index.mdwn | 8 +++--- 3 files changed, 19 insertions(+), 37 deletions(-) diff --git a/input/howto/dns.mdwn b/input/howto/dns.mdwn index ca8cfe6..aa14a29 100644 --- a/input/howto/dns.mdwn +++ b/input/howto/dns.mdwn 
@@ -1,39 +1,21 @@ -# debian.org DNS +# how to update DNS resource records -For most zones the hidden primary is draghi, with ravel, senfl, klecker -and orff being the public facing secondaries. +## updating standard resource records -Domain information lives in a git on draghi, and pushing to it will cause -the zone to be compiled and reloaded automatically. Repository lives at -ssh://dns.debian.org/git/domains.git - public read only mirror available -using http. +For most zones, the hidden primary DNS server is denis, with ravel, senfl, +klecker and orff being the public-facing secondary DNS servers. -Some subdomains (and when I say subdomains, I really only mean www) are -served by the geodns setup on geo1, 2, and 3. They have a seperate repo -ssh://dns.debian.org/git/dsa-geodomains.git and an entirely seperate workflow. +Zone files are managed via a [git repository][1]. Pushing commits into the git +repository will invoke a post-commit hook that causes the recompilation and +reload of the zone files. -At least it's consistent. +Some subdomains (specifically www.debian.org and security.debian.org) are +served by the autodns/geodns setup on geo{1,2,3}. Their zone files are managed +by a separate [git repository][2]. -# DNSSEC +## updating DNSSEC records -Adding DNSSEC KSK and ZSK for zones is done by running -/srv/dns.debian.org/bin/maintkeydb with the following options: +TODO -./bin/maintkeydb create both NSEC3RSASHA1 default your.ip6.arpa - -Use RSASHA1 instead of NSEC3RSASHA1 for IPv4 address space. - -After that a "; wzf: dnssec = 1" needs to be added to the zone file. - -## DLV - -In order to publish our trust anchors in the ISC DLV, add -"; dlv-submit = yes" to the zonefile, then run the dlv-submit-many script -in /org/dns.debian.org/dlv-sync. - -In order to authenticate our control of that zone to ISC you'll have to -manually add a DLV cookie to the respective zone. 
After adding it you either -need to wait a day or so for ISC to re-check by themselves (re-run the script -for status information) or trigger a re-check on their website. - -Once they have verified the cookie it can be removed from the zone again. +[1]: ssh://git@ubergit.debian.org/dsa/domains +[2]: ssh://git@ubergit.debian.org/dsa/auto-dns diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole index cd5bbe8..542d1c7 100644 --- a/input/howto/new-machine.creole +++ b/input/howto/new-machine.creole @@ -1,4 +1,4 @@ -== setup/integrate a new machine == += how to add a new machine = Note: this has recently been changed to rely more on [[puppet|howto/puppet-setup]]. If stuff breaks fix it. diff --git a/input/index.mdwn b/input/index.mdwn index a478d97..9aa9b96 100644 --- a/input/index.mdwn +++ b/input/index.mdwn @@ -1,8 +1,8 @@ # Debian System Administrators -The Debian System Debian Administrator team (DSA) is responsible for +The Debian System Debian Administration (DSA) team is responsible for Debian's infrastructure. This wiki is focussed on system administration -documention, primarily in the form of HOWTOs, for the team. +documention, primarily in the form of HOWTOs, for users and administrators. To contact us, mail debian-admin@lists.debian.org. @@ -35,8 +35,8 @@ ticket. ## documentation for team members -* [[howto/dns]] -* [[howto/new-machine]]: how to add a machine +* [how to update dns resource records](howto/dns) +* [how to add a new machine](howto/new-machine) * [[howto/decomission]]: how to decomission a machine * [[howto/puppet-setup]] * [[howto/upgrade-to-lenny]] -- 2.20.1
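Review bot: In input/howto/dns.mdwn, the new "## updating DNSSEC records" section consists only of "TODO", while the lines removed in the same hunk documented KSK/ZSK creation with /srv/dns.debian.org/bin/maintkeydb, the "; wzf: dnssec = 1" zone-file marker and the DLV submission steps. Suggest keeping the existing procedure under the new heading until its replacement is written, or saying in the commit message that those steps are obsolete, so nobody has to recover key-management instructions from git history. In the same hunk, "Pushing commits into the git repository will invoke a post-commit hook" names the wrong hook: git's post-commit hook runs locally after git commit, not on push, so a push-triggered rebuild would be a server-side hook such as post-receive; name that hook or simply write "a hook". The sentence about the public read-only mirror over http is also dropped; if the mirror still exists, keep a pointer to it for readers without ssh access.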
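Review bot: In the first input/index.mdwn hunk, the rewritten opening sentence still reads "The Debian System Debian Administration (DSA) team"; the second "Debian" should go. The added line "+documention, primarily in the form of HOWTOs, for users and administrators." also carries over the misspelling "documention" from the line it replaces; since the line is being touched anyway, fix it to "documentation". The audience is widened to "users and administrators" here, while the heading visible in the next hunk's context is still "## documentation for team members", so check that the two agree.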
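Review bot: In the second input/index.mdwn hunk, the two changed list entries switch to Markdown links, "[how to update dns resource records](howto/dns)" and "[how to add a new machine](howto/new-machine)", while the neighbouring entries keep the wikilink form ("[[howto/decomission]]: how to decomission a machine", "[[howto/puppet-setup]]"). Mixing the two styles in one list is inconsistent, and the relative Markdown targets bypass whatever resolution the wiki does for "[[...]]" links. Suggest a labelled wikilink instead, in the form already used in new-machine.creole ("[[puppet|howto/puppet-setup]]"), for example "[[how to add a new machine|howto/new-machine]]". The link text also writes "dns" in lower case where the page title it points to uses "DNS".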