system-config/doc/source/dns.rst

:title: DNS

.. _dns:

DNS
###

The project runs authoritative DNS servers for any constituent
projects that wish to use them.

Bind is run on a hidden master (`adns02.opendev.org`) which handles
automatic DNSSEC zone signing.  Any changes to the zone files are
deployed here.

Secondary public authoritative servers run NSD and take zone transfers
from the hidden primary.  These are published in the NS records for
the managed zones.

At a Glance
===========

:Hosts:
  * adns02.opendev.org
  * ns03.opendev.org
  * ns04.opendev.org
:Ansible:
  * :git_file:`inventory/service/group_vars/adns.yaml`
  * :git_file:`inventory/service/group_vars/adns-primary.yaml`
  * :git_file:`inventory/service/group_vars/adns-secondary.yaml`
:Projects:
  * https://www.nlnetlabs.nl/projects/nsd/
  * https://www.isc.org/downloads/bind/doc/

Adding a Zone
=============

To add a new zone, identify an existing git repository or create a new
one to hold the contents of the zone, then update
:git_file:`inventory/service/group_vars/dns.yaml`.

Run::

  dnssec-keygen -a RSASHA256 -b 2048 -3 example.net
  dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.net

And add the resulting files to the `dnssec_keys` key in the
`group/adns.yaml` private hostvars file on puppetmaster.

If you need to generate DS records for the registrar, identify which
of the just-created key files is the key-signing key by examining the
contents of the files and reading the comments therein, then run::

  dnssec-dsfromkey -2 $KEYFILE
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090 2017-12-12 13:20:36 -08:00			`:title: DNS`

			`.. _dns:`

			`DNS`
			`###`

			`The project runs authoritative DNS servers for any constituent`
Refactor adns variables Firstly, my understanding of "adns" is that it's short for authoritative-dns; i.e. things related to our main non-recursive DNS servers for the zones we manage. The "a" is useful to distinguish this from any sort of other dns services we might run for CI, etc. The way we do this is with a "hidden" server that applies updates from config management, which then notifies secondary public servers which do a zone transfer from the primary. They're all "authoritative" in the sense they're not for general recursive queries. As mentioned in Ibd8063e92ad7ff9ee683dcc7dfcc115a0b19dcaa, we currently have 3 groups adns : the hidden primary bind server ns : the secondary public authoratitive servers dns : both of the above This proposes a refactor into the following 3 groups adns-primary : hidden primary bind server adns-secondary : the secondary public authoritative servers adns : both of the above This is meant to be a no-op; I just feel like this makes it a bit clearer as to the "lay of the land" with these servers. It will need some considering of the hiera variables on bridge if we merge. Change-Id: I9ffef52f27bd23ceeec07fe0f45f9fee08b5559a 2023-03-09 15:01:45 +11:00			`projects that wish to use them.`

Remove old DNS servers Remove adns1/ns1/ns2 which are no longer in use. Switch the primary master to adns02; the secondaries ns03/ns04 will now update from there. Change-Id: I700a514dd2b72b2632e8d0668251f52907008d44 Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/880709 2023-04-18 17:02:54 +10:00			Bind is run on a hidden master (`adns02.opendev.org`) which handles
Refactor adns variables Firstly, my understanding of "adns" is that it's short for authoritative-dns; i.e. things related to our main non-recursive DNS servers for the zones we manage. The "a" is useful to distinguish this from any sort of other dns services we might run for CI, etc. The way we do this is with a "hidden" server that applies updates from config management, which then notifies secondary public servers which do a zone transfer from the primary. They're all "authoritative" in the sense they're not for general recursive queries. As mentioned in Ibd8063e92ad7ff9ee683dcc7dfcc115a0b19dcaa, we currently have 3 groups adns : the hidden primary bind server ns : the secondary public authoratitive servers dns : both of the above This proposes a refactor into the following 3 groups adns-primary : hidden primary bind server adns-secondary : the secondary public authoritative servers adns : both of the above This is meant to be a no-op; I just feel like this makes it a bit clearer as to the "lay of the land" with these servers. It will need some considering of the hiera variables on bridge if we merge. Change-Id: I9ffef52f27bd23ceeec07fe0f45f9fee08b5559a 2023-03-09 15:01:45 +11:00			`automatic DNSSEC zone signing. Any changes to the zone files are`
			`deployed here.`

			`Secondary public authoritative servers run NSD and take zone transfers`
			`from the hidden primary. These are published in the NS records for`
			`the managed zones.`
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090 2017-12-12 13:20:36 -08:00
			`At a Glance`
			`===========`

			`:Hosts:`
Remove old DNS servers Remove adns1/ns1/ns2 which are no longer in use. Switch the primary master to adns02; the secondaries ns03/ns04 will now update from there. Change-Id: I700a514dd2b72b2632e8d0668251f52907008d44 Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/880709 2023-04-18 17:02:54 +10:00			`* adns02.opendev.org`
			`* ns03.opendev.org`
			`* ns04.opendev.org`
Update DNS documentation This reflects the new ansible-only opendev dns servers. Change-Id: I26bda9f6618f8af49a7dfb61981af8640582b7cf 2019-01-28 09:55:48 -08:00			`:Ansible:`
Refactor adns variables Firstly, my understanding of "adns" is that it's short for authoritative-dns; i.e. things related to our main non-recursive DNS servers for the zones we manage. The "a" is useful to distinguish this from any sort of other dns services we might run for CI, etc. The way we do this is with a "hidden" server that applies updates from config management, which then notifies secondary public servers which do a zone transfer from the primary. They're all "authoritative" in the sense they're not for general recursive queries. As mentioned in Ibd8063e92ad7ff9ee683dcc7dfcc115a0b19dcaa, we currently have 3 groups adns : the hidden primary bind server ns : the secondary public authoratitive servers dns : both of the above This proposes a refactor into the following 3 groups adns-primary : hidden primary bind server adns-secondary : the secondary public authoritative servers adns : both of the above This is meant to be a no-op; I just feel like this makes it a bit clearer as to the "lay of the land" with these servers. It will need some considering of the hiera variables on bridge if we merge. Change-Id: I9ffef52f27bd23ceeec07fe0f45f9fee08b5559a 2023-03-09 15:01:45 +11:00			* :git_file:`inventory/service/group_vars/adns.yaml`
			* :git_file:`inventory/service/group_vars/adns-primary.yaml`
			* :git_file:`inventory/service/group_vars/adns-secondary.yaml`
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090 2017-12-12 13:20:36 -08:00			`:Projects:`
			`* https://www.nlnetlabs.nl/projects/nsd/`
Update DNS documentation This reflects the new ansible-only opendev dns servers. Change-Id: I26bda9f6618f8af49a7dfb61981af8640582b7cf 2019-01-28 09:55:48 -08:00			`* https://www.isc.org/downloads/bind/doc/`
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090 2017-12-12 13:20:36 -08:00
			`Adding a Zone`
			`=============`

Update DNS documentation This reflects the new ansible-only opendev dns servers. Change-Id: I26bda9f6618f8af49a7dfb61981af8640582b7cf 2019-01-28 09:55:48 -08:00			`To add a new zone, identify an existing git repository or create a new`
			`one to hold the contents of the zone, then update`
Split inventory into multiple dirs and move hostvars Make inventory/service for service-specific things, including the groups.yaml group definitions, and inventory/base for hostvars related to the base system, including the list of hosts. Move the exisitng host_vars into inventory/service, since most of them are likely service-specific. Move group_vars/all.yaml into base/group_vars as almost all of it is related to base things, with the execption of the gerrit public key. A followup patch will move host-specific values into equivilent files in inventory/base. This should let us override hostvars in gate jobs. It should also allow us to do better file matchers - and to be able to organize our playbooks move if we want to. Depends-On: https://review.opendev.org/731583 Change-Id: Iddf57b5be47c2e9de16b83a1bc83bee25db995cf 2020-05-26 15:46:41 -05:00			:git_file:`inventory/service/group_vars/dns.yaml`.
Add dns servers Change-Id: I32b0d846cbbaad5755d3d1c47d303b7cdf34f749 Depends-On: Ic92726dc341af5802ad803d239bd547ef5068043 Story: 2001382 Task: 6090 2017-12-12 13:20:36 -08:00
Add an authoritative hidden master This runs bind as a hidden master nameserver so we can do all the keysigning there, and then use nsd (or bind) as public authoritative slaves. Change-Id: Ifb2ad109103051fa13c4af1c7be1ca0ae98bb1a1 2017-12-15 16:20:56 -08:00			`Run::`

			`dnssec-keygen -a RSASHA256 -b 2048 -3 example.net`
			`dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.net`

			And add the resulting files to the `dnssec_keys` key in the
Update DNS documentation This reflects the new ansible-only opendev dns servers. Change-Id: I26bda9f6618f8af49a7dfb61981af8640582b7cf 2019-01-28 09:55:48 -08:00			`group/adns.yaml` private hostvars file on puppetmaster.
Add an authoritative hidden master This runs bind as a hidden master nameserver so we can do all the keysigning there, and then use nsd (or bind) as public authoritative slaves. Change-Id: Ifb2ad109103051fa13c4af1c7be1ca0ae98bb1a1 2017-12-15 16:20:56 -08:00
docs: add info on generating DS records Change-Id: Ie826e2c7b099d4dec5b778b1267f7b5c5a0a6bba 2018-11-21 09:51:20 -08:00			`If you need to generate DS records for the registrar, identify which`
Update DNS documentation This reflects the new ansible-only opendev dns servers. Change-Id: I26bda9f6618f8af49a7dfb61981af8640582b7cf 2019-01-28 09:55:48 -08:00			`of the just-created key files is the key-signing key by examining the`
			`contents of the files and reading the comments therein, then run::`
docs: add info on generating DS records Change-Id: Ie826e2c7b099d4dec5b778b1267f7b5c5a0a6bba 2018-11-21 09:51:20 -08:00
			`dnssec-dsfromkey -2 $KEYFILE`