opendev/system-config
Code Issues Proposed changes
5e43926b5e
system-config/doc/source/dns.rst
Monty Taylor 83ced7f6e6 Split inventory into multiple dirs and move hostvars 
Make inventory/service for service-specific things, including the
groups.yaml group definitions, and inventory/base for hostvars
related to the base system, including the list of hosts.

Move the exisitng host_vars into inventory/service, since most of
them are likely service-specific. Move group_vars/all.yaml into
base/group_vars as almost all of it is related to base things,
with the execption of the gerrit public key.

A followup patch will move host-specific values into equivilent
files in inventory/base.

This should let us override hostvars in gate jobs. It should also
allow us to do better file matchers - and to be able to organize
our playbooks move if we want to.

Depends-On: https://review.opendev.org/731583
Change-Id: Iddf57b5be47c2e9de16b83a1bc83bee25db995cf
2020-06-04 07:44:36 -05:00

45 lines
1.1 KiB
ReStructuredText
Raw Blame History

:title: DNS
.. _dns:
DNS
###
The project runs authoritative DNS servers for any constituent
projects that wish to use them. The servers run Bind on a hidden
master which handles automatic DNSSEC zone signing while the public
authoritative servers run NSD.
At a Glance
===========
:Hosts:
* ns1.opendev.org
* ns2.opendev.org
:Ansible:
* :git_file:`inventory/service/group_vars/dns.yaml`
:Projects:
* https://www.nlnetlabs.nl/projects/nsd/
* https://www.isc.org/downloads/bind/doc/
Adding a Zone
=============
To add a new zone, identify an existing git repository or create a new
one to hold the contents of the zone, then update
:git_file:`inventory/service/group_vars/dns.yaml`.
Run::
dnssec-keygen -a RSASHA256 -b 2048 -3 example.net
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.net
And add the resulting files to the `dnssec_keys` key in the
`group/adns.yaml` private hostvars file on puppetmaster.
If you need to generate DS records for the registrar, identify which
of the just-created key files is the key-signing key by examining the
contents of the files and reading the comments therein, then run::
dnssec-dsfromkey -2 $KEYFILE
View Git Blame Copy Permalink