system-config/doc/source/dns.rst
Ian Wienand 436f956140
Remove old DNS servers
Remove adns1/ns1/ns2 which are no longer in use.  Switch the primary
master to adns02; the secondaries ns03/ns04 will now update from
there.

Change-Id: I700a514dd2b72b2632e8d0668251f52907008d44
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/880709
2023-04-28 12:03:30 +10:00

1.5 KiB


DNS

The project runs authoritative DNS servers for any constituent projects that wish to use them.

Bind is run on a hidden master (adns02.opendev.org) which handles automatic DNSSEC zone signing. Any changes to the zone files are deployed here.

Secondary public authoritative servers run NSD and take zone transfers from the hidden primary. These are published in the NS records for the managed zones.

At a Glance

Hosts
  • adns02.opendev.org
  • ns03.opendev.org
  • ns04.opendev.org
Ansible
Projects

Adding a Zone

To add a new zone, identify an existing git repository or create a new one to hold the contents of the zone, then update :git_file:`inventory/service/group_vars/dns.yaml`.

Run:

dnssec-keygen -a RSASHA256 -b 2048 -3 example.net        # zone-signing key (ZSK)
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.net    # key-signing key (KSK)

Then add the resulting key files to the dnssec_keys key in the group/adns.yaml private hostvars file on puppetmaster.

If you need to generate DS records for the registrar, identify which of the just-created key files is the key-signing key by examining the contents of the files and reading the comments therein, then run:

dnssec-dsfromkey -2 $KEYFILE
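The last three steps above (generate the two keys, pick out the key-signing key by reading the key files, derive the DS record for the registrar) as an added Python example; this is not part of the system-config documentation or of OpenDev's tooling. It reads constructed stand-ins for the `.key` files `dnssec-keygen` writes, identifies the KSK by the SEP flag (257 rather than 256) instead of by the comment header, and computes the SHA-256 DS record that `dnssec-dsfromkey -2` prints (RFC 4034 key tag, RFC 4509 digest). The filenames and the "AQAB" public keys are placeholders, not real key material.

```python
import base64
import hashlib
import struct
# Constructed stand-ins for the two .key files dnssec-keygen writes (placeholder
# "AQAB" public keys, not real RSA material). Flags 257 (SEP bit) marks the KSK,
# 256 the ZSK; the five-digit keyid in the filename is the key tag.
KEY_FILES = {
    "Kexample.net.+008+01544.key": (
        "; This is a zone-signing key, keyid 1544, for example.net.\n"
        "example.net. IN DNSKEY 256 3 8 AQAB\n"),
    "Kexample.net.+008+01545.key": (
        "; This is a key-signing key, keyid 1545, for example.net.\n"
        "example.net. IN DNSKEY 257 3 8 AQAB\n"),
}

def parse_key_file(text):
    """Return (owner, flags, protocol, algorithm, pubkey bytes) from a .key file."""
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # skip the comment header dnssec-keygen writes above the RR
        owner, _cls, rtype, flags, proto, alg, *b64 = line.split()
        if rtype == "DNSKEY":
            return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64))
    raise ValueError("no DNSKEY record found")

def find_ksk(files):
    """Names of the key-signing key files: those whose DNSKEY flags have the SEP bit set."""
    return [name for name, text in files.items() if parse_key_file(text)[1] & 0x0001]

def dnskey_rdata(flags, proto, alg, pubkey):
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Owner name in canonical (lower-cased) DNS wire format."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def ds_record(text):
    """What `dnssec-dsfromkey -2` prints: a SHA-256 DS (RFC 4509) over name + DNSKEY RDATA."""
    owner, flags, proto, alg, pubkey = parse_key_file(text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"
```

Running `ds_record` over each name returned by `find_ksk(KEY_FILES)` gives the DS line to hand to the registrar; the ZSK file is skipped because its flags are 256.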