Operations grimoire/DNS: Difference between revisions
From Nasqueron Agora
Latest revision as of 09:28, 23 May 2023
DNS is currently not hosted directly on Nasqueron:
- for nasqueron.org, IPv6 blocks and most domains, DNS is hosted by Hurricane Electric -> reach Dereckson for modifications
- for eglide.org, it's managed by Gandi -> reach Sandlayth for modifications
DNS change workflow
- If needed, open a task, or add the DNS change you need to an existing task
- Reach the DNS contact and ask them to comment back on the task when done
Tips
Web domains use CNAME records; see CNAME for web domains (NetBox) for the full list.
Proposals to host DNS at Nasqueron
Network:
- 172.27.27.2/28 is reserved for a primary DNS server -> we'd also need an IPv4
- The secondary can be hosted in another datacenter, or at an external provider with zone replication (HE?)
How we want to work:
- Git repository with the direct configuration files or YAML template to generate it
- Web visualisation of the current zone
- DNSSEC
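The "YAML template to generate it" item above, and the Tips note that web domains are CNAMEs, both call for a generator that refuses to emit a zone that a DNS server would reject. The following is an added example, not Nasqueron tooling: it renders a BIND-style zone file from a record description and validates the two CNAME rules that bite most often (no CNAME at the apex, no other record type at a CNAME owner name). The zone data, the example.org names and addresses, and the function names are all constructed for illustration; in a real repository the dictionary would come from yaml.safe_load() on the committed template.

```python
"""Render a BIND-style zone file from a YAML-like record description.

Added example for the DNS hosting proposal; not Nasqueron's own code.
The zone below is constructed for illustration (example.org, RFC 5737/3849
addresses); in practice it would be loaded with yaml.safe_load().
"""
from datetime import date

# Constructed sample zone: placeholder names and documentation addresses only.
SAMPLE_ZONE = {
    "origin": "example.org.",
    "ttl": 3600,
    "soa": {"mname": "ns1.example.org.", "rname": "hostmaster.example.org.",
            "refresh": 7200, "retry": 900, "expire": 1209600, "minimum": 300},
    "ns": ["ns1.example.org.", "ns2.example.org."],
    "records": [
        {"name": "@", "type": "A", "value": "192.0.2.10"},
        {"name": "@", "type": "AAAA", "value": "2001:db8::10"},
        {"name": "ns1", "type": "A", "value": "192.0.2.53"},
        {"name": "ns2", "type": "A", "value": "198.51.100.53"},
        # Web domains are CNAMEs pointing at the actual web host.
        {"name": "www", "type": "CNAME", "value": "web.example.org."},
        {"name": "web", "type": "A", "value": "192.0.2.80"},
    ],
}


def serial_for(day: date, counter: int = 1) -> int:
    """YYYYMMDDnn serial: date-based, so a new commit on the same day bumps nn."""
    if not 0 <= counter <= 99:
        raise ValueError("counter must be between 0 and 99")
    return int(day.strftime("%Y%m%d")) * 100 + counter


def validate(zone: dict) -> list[str]:
    """Return a list of problems; an empty list means the zone can be rendered."""
    problems: list[str] = []
    types_by_name: dict[str, set[str]] = {}
    for rec in zone["records"]:
        types_by_name.setdefault(rec["name"], set()).add(rec["type"])
    for name, types in types_by_name.items():
        if "CNAME" not in types:
            continue
        if name == "@":
            # The apex always carries SOA and NS, so a CNAME there is illegal.
            problems.append("CNAME at zone apex is not allowed")
        elif len(types) > 1:
            # RFC 1034 section 3.6.2: a CNAME owner may have no other record types.
            others = sorted(types - {"CNAME"})
            problems.append(f"{name}: CNAME coexists with {others}")
    for rec in zone["records"]:
        if rec["type"] in ("CNAME", "NS") and not rec["value"].endswith("."):
            # A relative target would silently get $ORIGIN appended.
            problems.append(f"{rec['name']}: {rec['type']} target must end with a dot")
    return problems


def render(zone: dict, serial: int) -> str:
    """Render the zone file text; raise ValueError if validate() finds problems."""
    problems = validate(zone)
    if problems:
        raise ValueError("; ".join(problems))
    soa = zone["soa"]
    lines = [
        f"$ORIGIN {zone['origin']}",
        f"$TTL {zone['ttl']}",
        f"@ IN SOA {soa['mname']} {soa['rname']} ( {serial} {soa['refresh']} "
        f"{soa['retry']} {soa['expire']} {soa['minimum']} )",
    ]
    lines += [f"@ IN NS {ns}" for ns in zone["ns"]]
    lines += [f"{r['name']} IN {r['type']} {r['value']}" for r in zone["records"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(SAMPLE_ZONE, serial_for(date.today())))
```

Running validate() as a pre-commit or CI step on the Git repository catches the CNAME conflicts before the primary ever loads the zone, and the date-based serial keeps secondaries (including an external provider doing zone transfers) picking up every change.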
Product comments:
- Products we liked in the past:
  - djbdns isn't maintained anymore (nor is its fork dnbns)
  - Unbound, but it's not an authoritative server
- The decision is to be made among:
  - BIND - the de facto standard
  - CoreDNS - a newcomer for Kubernetes - is it suitable for non-Docker workloads too? If not, we could use CoreDNS for the Kubernetes subdomains and another product for the other records.
  - Knot DNS - actively maintained by CZ.NIC, the .CZ domain registry; security-oriented (DNSSEC), with registries as its first stakeholders, but with features like DynDNS support it's a full authoritative server
  - PowerDNS - used by various ISPs
Useful links
- CNAME for web domains (NetBox): https://netbox.nasqueron.org/ipam/services/?filter=web-domains-cname