From 9ef4be570cabae53cc239c11437c37b3914db721 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?= Date: Wed, 18 Aug 2021 14:48:06 +0200 Subject: [PATCH] Review dns SOP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michal Konečný --- modules/sysadmin_guide/nav.adoc | 2 +- modules/sysadmin_guide/pages/dns.adoc | 104 ++++++++++---------------- 2 files changed, 40 insertions(+), 66 deletions(-) diff --git a/modules/sysadmin_guide/nav.adoc b/modules/sysadmin_guide/nav.adoc index 4b9ca28..2f2628d 100644 --- a/modules/sysadmin_guide/nav.adoc +++ b/modules/sysadmin_guide/nav.adoc @@ -21,7 +21,7 @@ ** xref:datanommer.adoc[datanommer - SOP] ** xref:debuginfod.adoc[Fedora Debuginfod Service - SOP] ** xref:departing-admin.adoc[Departing admin - SOP] -** xref:dns.adoc[dns - SOP in review ] +** xref:dns.adoc[DNS repository for fedoraproject - SOP] ** xref:docs.fedoraproject.org.adoc[docs.fedoraproject.org - SOP in review ] ** xref:fas-notes.adoc[fas-notes - SOP in review ] ** xref:fas-openid.adoc[fas-openid - SOP in review ] diff --git a/modules/sysadmin_guide/pages/dns.adoc b/modules/sysadmin_guide/pages/dns.adoc index ba2c2fe..b685f48 100644 --- a/modules/sysadmin_guide/pages/dns.adoc +++ b/modules/sysadmin_guide/pages/dns.adoc @@ -24,34 +24,17 @@ ns02.iad2.fedoraproject.org:: == Contents -[arabic] -. Contact Information -. Troubleshooting, Resolution and Maintenance - -____ -[arabic] -. DNS update -. Adding a new zone -____ - -[arabic, start=3] -. GeoDNS - -____ -[arabic] -. Non geodns fedoraproject.org IPs -. Adding and removing countries -. IP Country Mapping -____ - -[arabic, start=4] -. resolv.conf - -____ -[arabic] -. Phoenix -. Non-Phoenix -____ +* <<_contact_information>> +* <<_troubleshooting_resolution_and_maintenance>> +** <<_check_out_the_dns_repository>> +** <<_adding_a_new_host>> +** <<_editing_the_domains>> +** <<_dns_update>> +** <<_adding_a_new_zone>> +* <<_geodns>> +** <<_adding_and_removing_countries>> +** <<_ip_country_mapping>> +* <<_resolv_conf>> == Contact Information @@ -66,9 +49,9 @@ Servers::: Purpose::: Provides DNS to our users -Troubleshooting, Resolution and Maintenance +== Troubleshooting, Resolution and Maintenance -== Check out the DNS repository +=== Check out the DNS repository You can get the dns repository from `/srv/git/dns` on `batcave01`: @@ -76,12 +59,12 @@ You can get the dns repository from `/srv/git/dns` on `batcave01`: $ git clone /srv/git/dns .... -== Adding a new Host +=== Adding a new Host Adding a new host requires to add it to DNS and to ansible, see new-hosts.rst for the details. -== Editing the domain(s) +=== Editing the domain(s) We have three domains which needs to be able to change on demand for proxy rotation/removal: @@ -99,25 +82,21 @@ If you need to edit a domain that is NOT In the above list: update the serial), save it. If you need to edit one of the domains in the above list: (replace -fedoraproject.org with the domain from above) +fedoraproject.org with the domain from above): * if you need to add/change a host in fedoraproject.org that is not '@' or 'wildcard' then: ** edit fedoraproject.org.template ** make your changes -** {blank} -+ -do not edit the serial or anything surrounded by \{\{ }} unless you:: - REALLY know what you are doing. -* {blank} -+ -if you need to only add/remove a proxy during an outage or due to:: - networking issue then run: -- `./zone-template fedoraproject.org.cfg disable ip [ip] [ip]`:: +** do not edit the serial or anything surrounded by \{\{ }} unless you +REALLY know what you are doing. +* if you need to only add/remove a proxy during an outage or due to networking +issue then run: +** `./zone-template fedoraproject.org.cfg disable ip [ip] [ip]`:: to disable the ip of the proxy you want removed. -- `./zone-template fedoraproject.org.cfg enable ip [ip] [ip]`:: +** `./zone-template fedoraproject.org.cfg enable ip [ip] [ip]`:: reverses the disable -- `./zone-template fedoraproject.org.cfg reset`:: +** `./zone-template fedoraproject.org.cfg reset`:: will reset to all ips enabled. * if you want to add an all new proxy as '@' or 'wildcard' for fedoraproject.org: @@ -129,9 +108,9 @@ fedoraproject.org: When complete run: -____ +.... git add . git commit -a -m 'description of your change here' -____ +.... It is important to commit this before running the do-domains script as it makes it easier to track the changes. @@ -178,7 +157,7 @@ $ sudo rbac-playbook update_dns.yml this will pull from the git tree, update all of the zones and reload the name server. -== DNS update +=== DNS update DNS config files are ansible managed on batcave01. @@ -199,7 +178,7 @@ dig: dig @ns01.fedoraproject.org fedoraproject.org .... -== Adding a new zone +=== Adding a new zone First name the zone and generate new set of keys for it. Run this on ns01. Note it could take SEVERAL minutes to run: @@ -224,14 +203,13 @@ Then copy the created .key and .private files to the private git repo .... /usr/sbin/dnssec-keygen -a RSASHA1 -b 1024 -n ZONE $domain.org /usr/sbin/dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK $domain.org -.... -*** {blank} -+ -put the files this generates into /srv/privatekeys/dnssec on batcave01:: - **** edit the do-domains file in this dir and your domain to the + +- put the files this generates into /srv/privatekeys/dnssec on batcave01 + - edit the do-domains file in this dir and your domain to the signed_domains entry at the top - **** edit the zone you just created and add the contents of the .key + - edit the zone you just created and add the contents of the .key files to the bottom of the zone +.... If this is a subdomain of fedoraproject.org: @@ -276,7 +254,6 @@ near the EU, or NA would get directed to any random set. (South Africa for example doesn't get directed to any particular server). [IMPORTANT] -.Important ==== Don't forget to increase the serial number in the fedoraproject.org zone file. Even if you're making a change to one of the geodns IPs. There is @@ -284,7 +261,6 @@ only one serial number for all setups and that serial number is in the fedoraproject.org zone. ==== [NOTE] -.Note ==== Non geodns fedoraproject.org IPs If you're adding as server that is just in one location, and isn't going to get geodns balanced. Just add that @@ -316,7 +292,6 @@ at `/var/named/chroot/etc/GeoIP.acl` is generated by the `GeoIP.sh` script (that script is in ansible). [WARNING] -.Warning ==== This is known to be a less efficient means of doing geodns than the patched version from kernel.org. We're using this version at the moment @@ -332,21 +307,20 @@ of search based relative names. Below is a list of what a resolv.conf should look like. [IMPORTANT] -.Important ==== Any machine that is not on our vpn or has not yet joined the vpn should -_link:[NOT] have the vpn.fedoraproject.org search until after it has +*NOT* have the vpn.fedoraproject.org search until after it has been added to the vpn (if it ever does) ==== -Phoenix:: +iad2:: .... -search phx2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org +search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org .... -Phoenix in the QA network::: +iad2 in the QA network::: .... -search qa.fedoraproject.org vpn.fedoraproject.org phx2.fedoraproject.org fedoraproject.org +search qa.fedoraproject.org vpn.fedoraproject.org iad2.fedoraproject.org fedoraproject.org .... -Non-Phoenix:: +Non-iad2:: .... search vpn.fedoraproject.org fedoraproject.org .... @@ -354,5 +328,5 @@ search vpn.fedoraproject.org fedoraproject.org The idea here is that we can, when need be, setup local domains to contact instead of having to go over the VPN directly but still have sane configs. For example if we tell the proxy server to hit "app1" and -that box is in PHX, it will go directly to app1, if its not, it will go +that box is in _iad2_, it will go directly to app1, if its not, it will go over the vpn to app1.