Review dns SOP

Signed-off-by: Michal Konečný <mkonecny@redhat.com>

modules/sysadmin_guide/nav.adoc

@@ -21,7 +21,7 @@
 ** xref:datanommer.adoc[datanommer - SOP]
 ** xref:debuginfod.adoc[Fedora Debuginfod Service - SOP]
 ** xref:departing-admin.adoc[Departing admin - SOP]
-** xref:dns.adoc[dns - SOP in review ]
+** xref:dns.adoc[DNS repository for fedoraproject - SOP]
 ** xref:docs.fedoraproject.org.adoc[docs.fedoraproject.org - SOP in review ]
 ** xref:fas-notes.adoc[fas-notes - SOP in review ]
 ** xref:fas-openid.adoc[fas-openid - SOP in review ]

modules/sysadmin_guide/pages/dns.adoc

@@ -24,34 +24,17 @@ ns02.iad2.fedoraproject.org::
 
 == Contents
 
-[arabic]
+* <<_contact_information>>
-. Contact Information
+* <<_troubleshooting_resolution_and_maintenance>>
-. Troubleshooting, Resolution and Maintenance
+** <<_check_out_the_dns_repository>>
-
+** <<_adding_a_new_host>>
-____
+** <<_editing_the_domains>>
-[arabic]
+** <<_dns_update>>
-. DNS update
+** <<_adding_a_new_zone>>
-. Adding a new zone
+* <<_geodns>>
-____
+** <<_adding_and_removing_countries>>
-
+** <<_ip_country_mapping>>
-[arabic, start=3]
+* <<_resolv_conf>>
-. GeoDNS
-
-____
-[arabic]
-. Non geodns fedoraproject.org IPs
-. Adding and removing countries
-. IP Country Mapping
-____
-
-[arabic, start=4]
-. resolv.conf
-
-____
-[arabic]
-. Phoenix
-. Non-Phoenix
-____
 
 == Contact Information
 
@@ -66,9 +49,9 @@ Servers:::
 Purpose:::
   Provides DNS to our users
 
-Troubleshooting, Resolution and Maintenance
+== Troubleshooting, Resolution and Maintenance
 
-== Check out the DNS repository
+=== Check out the DNS repository
 
 You can get the dns repository from `/srv/git/dns` on `batcave01`:
 
@@ -76,12 +59,12 @@ You can get the dns repository from `/srv/git/dns` on `batcave01`:
 $ git clone /srv/git/dns
 ....
 
-== Adding a new Host
+=== Adding a new Host
 
 Adding a new host requires to add it to DNS and to ansible, see
 new-hosts.rst for the details.
 
-== Editing the domain(s)
+=== Editing the domain(s)
 
 We have three domains which needs to be able to change on demand for
 proxy rotation/removal:
@@ -99,25 +82,21 @@ If you need to edit a domain that is NOT In the above list:
 update the serial), save it.
 
 If you need to edit one of the domains in the above list: (replace
-fedoraproject.org with the domain from above)
+fedoraproject.org with the domain from above):
 
 * if you need to add/change a host in fedoraproject.org that is not '@'
 or 'wildcard' then:
 ** edit fedoraproject.org.template
 ** make your changes
-** {blank}
+** do not edit the serial or anything surrounded by \{\{ }} unless you
-+
+REALLY know what you are doing.
-do not edit the serial or anything surrounded by \{\{ }} unless you::
+* if you need to only add/remove a proxy during an outage or due to networking
-  REALLY know what you are doing.
+issue then run:
-* {blank}
+** `./zone-template fedoraproject.org.cfg disable ip [ip] [ip]`::
-+
-if you need to only add/remove a proxy during an outage or due to::
-  networking issue then run:
-- `./zone-template fedoraproject.org.cfg disable ip [ip] [ip]`::
   to disable the ip of the proxy you want removed.
-- `./zone-template fedoraproject.org.cfg enable ip [ip] [ip]`::
+** `./zone-template fedoraproject.org.cfg enable ip [ip] [ip]`::
   reverses the disable
-- `./zone-template fedoraproject.org.cfg reset`::
+** `./zone-template fedoraproject.org.cfg reset`::
   will reset to all ips enabled.
 * if you want to add an all new proxy as '@' or 'wildcard' for
 fedoraproject.org:
@@ -129,9 +108,9 @@ fedoraproject.org:
 
 When complete run:
 
-____
+....
 git add . git commit -a -m 'description of your change here'
-____
+....
 
 It is important to commit this before running the do-domains script as
 it makes it easier to track the changes.
@@ -178,7 +157,7 @@ $ sudo rbac-playbook update_dns.yml
 this will pull from the git tree, update all of the zones and reload the
 name server.
 
-== DNS update
+=== DNS update
 
 DNS config files are ansible managed on batcave01.
 
@@ -199,7 +178,7 @@ dig:
 dig @ns01.fedoraproject.org fedoraproject.org
 ....
 
-== Adding a new zone
+=== Adding a new zone
 
 First name the zone and generate new set of keys for it. Run this on
 ns01. Note it could take SEVERAL minutes to run:
@@ -224,14 +203,13 @@ Then copy the created .key and .private files to the private git repo
 ....
 /usr/sbin/dnssec-keygen -a RSASHA1 -b 1024 -n ZONE $domain.org
 /usr/sbin/dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK $domain.org
-....
+
-*** {blank}
+- put the files this generates into /srv/privatekeys/dnssec on batcave01
-+
+  - edit the do-domains file in this dir and your domain to the
-put the files this generates into /srv/privatekeys/dnssec on batcave01::
-  **** edit the do-domains file in this dir and your domain to the
   signed_domains entry at the top
-  **** edit the zone you just created and add the contents of the .key
+  - edit the zone you just created and add the contents of the .key
   files to the bottom of the zone
+....
 
 If this is a subdomain of fedoraproject.org:
 
@@ -276,7 +254,6 @@ near the EU, or NA would get directed to any random set. (South Africa
 for example doesn't get directed to any particular server).
 
 [IMPORTANT]
-.Important
 ====
 Don't forget to increase the serial number in the fedoraproject.org zone
 file. Even if you're making a change to one of the geodns IPs. There is
@@ -284,7 +261,6 @@ only one serial number for all setups and that serial number is in the
 fedoraproject.org zone.
 ====
 [NOTE]
-.Note
 ====
 Non geodns fedoraproject.org IPs If you're adding as server that is just
 in one location, and isn't going to get geodns balanced. Just add that
@@ -316,7 +292,6 @@ at `/var/named/chroot/etc/GeoIP.acl` is generated by the `GeoIP.sh`
 script (that script is in ansible).
 
 [WARNING]
-.Warning
 ====
 This is known to be a less efficient means of doing geodns than the
 patched version from kernel.org. We're using this version at the moment
@@ -332,21 +307,20 @@ of search based relative names. Below is a list of what a resolv.conf
 should look like.
 
 [IMPORTANT]
-.Important
 ====
 Any machine that is not on our vpn or has not yet joined the vpn should
-_link:[NOT] have the vpn.fedoraproject.org search until after it has
+*NOT* have the vpn.fedoraproject.org search until after it has
 been added to the vpn (if it ever does)
 ====
-Phoenix::
+iad2::
 ....
-search phx2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org
+search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org
 ....
-Phoenix in the QA network:::
+iad2 in the QA network:::
 ....
-search qa.fedoraproject.org vpn.fedoraproject.org phx2.fedoraproject.org fedoraproject.org
+search qa.fedoraproject.org vpn.fedoraproject.org iad2.fedoraproject.org fedoraproject.org
 ....
-Non-Phoenix::
+Non-iad2::
 ....
 search vpn.fedoraproject.org fedoraproject.org
 ....
@@ -354,5 +328,5 @@ search vpn.fedoraproject.org fedoraproject.org
 The idea here is that we can, when need be, setup local domains to
 contact instead of having to go over the VPN directly but still have
 sane configs. For example if we tell the proxy server to hit "app1" and
-that box is in PHX, it will go directly to app1, if its not, it will go
+that box is in _iad2_, it will go directly to app1, if its not, it will go
 over the vpn to app1.