Operations grimoire/DNS: Difference between revisions

From Nasqueron Agora
No edit summary
(Documentation to troubleshoot Knot DNS)
 
Latest revision as of 16:58, 18 September 2025

DNS is currently not hosted directly on Nasqueron:

  • for nasqueron.org, IPv6 blocks and most domains, DNS is hosted by Hurricane Electric -> reach Dereckson for modifications
  • for eglide.org, it's managed by Gandi -> reach Sandlayth for modifications

Knot DNS is currently being installed on our servers by Dorian, to act as the primary server. The content of the zones will be stored in the operations repository.

DNS change workflow

  1. If needed, open a task, or add to an existing task that you need the DNS change
  2. Reach the DNS contact and ask them to comment back on the task when done

Tips

Web domains use a CNAME; see CNAME for web domains (NetBox) for the full list.

Proposals to host DNS at Nasqueron

Network:

  • 172.27.27.2/28 is reserved for a primary DNS server -> we'd also need an IPv4 address
  • A secondary can be hosted in another datacenter, or at an external provider with zone replication (HE?)

How we want to work:

  • Git repository with the configuration files themselves, or a YAML template to generate them
  • Web visualisation of the current zone
  • DNSSEC

Products comments:

  • We liked in the past:
    • djbdns isn't maintained anymore (nor is the fork dnbns)
    • Unbound, but it's not an authoritative server
  • The decision is to be analyzed amongst
    • BIND - de facto standard
    • CoreDNS - a newcomer for Kubernetes - is it suitable for non-Docker workloads too? If not, we could use CoreDNS for the Kubernetes subdomains, and another product for the other records.
    • Knot DNS - maintained actively by CZ.NIC, the .CZ domain registry, oriented security (DNSSEC), registries are first stakeholders, but with features like DynDNS support, it's a full authoritative server
    • PowerDNS - used by various ISPs

Troubleshoot

Knot DNS

kzonecheck: error: failed to run semantic checks

Did you invoke kzonecheck directly on a Jinja template? It cannot validate an unrendered template.

Instead, run rOPS: _tests/roles/python/dns/test_dns_zones.py through (cd _tests && make test-roles-dns): it resolves every (pillar configuration, zone file) pair we have in the repository and then calls kzonecheck on the rendered zone.

If you ran it directly in /usr/local/etc/knot against a deployed .zone file, the file has a syntax error. Check that no Jinja markup such as {{ identity }} is left in it; if there is, the file was probably copied by hand instead of being deployed through Salt.

kzonecheck: 1 missing SOA at the zone apex

The top domain of the zone is the "apex". The SOA record must exist and be owned by the apex; writing the owner as '@', which expands to the current origin, is the robust way to do it. An absolute name such as nasqueron.org. only counts as the apex when it matches exactly the origin kzonecheck is using (the one given with -o, or by default derived from the file name), and a name without a trailing dot is relative to the origin and lands below the apex:

-nasqueron.org. 172800 IN SOA {{ identity }}. ops-dns.nasqueron.org. (
+@ 172800 IN SOA {{ identity }}. ops-dns.nasqueron.org. (
     2025090200 ;serial
     10800      ;refresh
     1800       ;retry
     604800     ;expire
     86400 )    ;minimum

kzonecheck: 1 missing NS at the zone apex

The top domain of the zone is the "apex". The NS records must exist with the apex as owner, again written as '@' (the same owner rules as for the SOA apply). The NS set at the apex should also match what the parent zone delegates to:

+@ 86400 IN NS {{ identity }}.
+@ 86400 IN NS ns1.he.net.
+@ 86400 IN NS ns2.he.net.
+@ 86400 IN NS ns3.he.net.
+@ 86400 IN NS ns4.he.net.
+@ 86400 IN NS ns5.he.net.
+
-nasqueron.org. 86400 IN NS {{ identity }}.
-nasqueron.org. 86400 IN NS ns1.he.net.
-nasqueron.org. 86400 IN NS ns2.he.net.
-nasqueron.org. 86400 IN NS ns3.he.net.
-nasqueron.org. 86400 IN NS ns4.he.net.
-nasqueron.org. 86400 IN NS ns5.he.net.
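The three entries above share one pre-flight question a practitioner wants answered before reaching for kzonecheck: is any Jinja markup left in the file, and do SOA and NS records actually sit at the apex once the origin is known? The script below is an added example, not code from the operations repository or from Knot DNS. It substitutes a placeholder primary name (primary.example.invalid) for the real {{ identity }} pillar value, its sample zones are constructed here, modelled on the records shown above, and its zone parser is deliberately minimal (owner and record type only, comments cut at the first ';'); kzonecheck remains the authority, and when you do call it on a rendered template whose file name is not the zone name, pass the origin explicitly with -o.

```python
"""Pre-flight checks for a Knot zone before calling kzonecheck.

Added example, not code from the operations repository or Knot DNS: it mirrors
the three failures documented above. The parser is deliberately minimal (owner
and record type only, comments cut at the first ';'); kzonecheck stays the authority.
"""
import re

JINJA_MARKER = re.compile(r"{{.*?}}|{%.*?%}")
# Enough types to locate the type field; rdata is never interpreted.
RECORD_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "SRV", "CAA", "PTR", "DS"}

def render(template, context):
    """Stand-in for the Salt/Jinja step: substitute {{ name }} only; unknown
    names stay in place, so find_jinja_residue() still flags them."""
    return re.sub(r"{{\s*(\w+)\s*}}",
                  lambda m: str(context.get(m.group(1), m.group(0))), template)

def find_jinja_residue(zone_text):
    """1-based numbers of lines still carrying Jinja markup."""
    return [n for n, line in enumerate(zone_text.splitlines(), 1)
            if JINJA_MARKER.search(line)]

def _fqdn(name):
    return name.rstrip(".").lower() + "."

def apex_records(zone_text, origin):
    """Count SOA and NS records owned by the apex.

    '@' means the current origin. An absolute owner (trailing dot) is the apex
    only when it equals the origin exactly; a relative owner such as
    'nasqueron.org' (no trailing dot) is origin-relative, hence not the apex.
    """
    current_origin = _fqdn(origin)
    counts = {"SOA": 0, "NS": 0}
    depth = 0          # > 0 while inside a ( ... ) multi-line rdata such as the SOA
    last_owner = None  # a line starting with whitespace inherits the previous owner
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth > 0:
            depth += line.count("(") - line.count(")")
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            current_origin = _fqdn(tokens[1])
            continue
        if tokens[0].startswith("$"):   # $TTL, $INCLUDE
            continue
        if line[0].isspace():
            owner = last_owner
        else:
            owner = tokens.pop(0)
            last_owner = owner
        rtype = next((t.upper() for t in tokens if t.upper() in RECORD_TYPES), None)
        depth += line.count("(") - line.count(")")
        if rtype in counts and owner is not None and (
                owner == "@" or (owner.endswith(".") and _fqdn(owner) == current_origin)):
            counts[rtype] += 1
    return counts

def check_zone(zone_text, origin):
    """Problems in the order to fix them; an empty list means the checks pass."""
    residue = find_jinja_residue(zone_text)
    if residue:
        return ["Jinja markup left on line(s) %s: render through Salt first"
                % ", ".join(map(str, residue))]
    counts = apex_records(zone_text, origin)
    return [msg for key, msg in (("SOA", "missing SOA at the zone apex"),
                                 ("NS", "missing NS at the zone apex")) if counts[key] == 0]

# Constructed sample modelled on the records above; the identity substituted
# below is a placeholder, not the real pillar value.
TEMPLATE = """\
$TTL 86400
@ 172800 IN SOA {{ identity }}. ops-dns.nasqueron.org. (
    2025090200 ;serial
    10800      ;refresh
    1800       ;retry
    604800     ;expire
    86400 )    ;minimum
@ 86400 IN NS {{ identity }}.
@ 86400 IN NS ns1.he.net.
www 3600 IN CNAME nasqueron.org.
"""
# Same zone with the SOA owner written relative (no trailing dot): it then
# names nasqueron.org.nasqueron.org., so the apex has no SOA.
BROKEN = TEMPLATE.replace("@ 172800 IN SOA", "nasqueron.org 172800 IN SOA")
CONTEXT = {"identity": "primary.example.invalid"}  # placeholder value

if __name__ == "__main__":
    for label, text in (("template", TEMPLATE), ("rendered", render(TEMPLATE, CONTEXT)),
                        ("broken", render(BROKEN, CONTEXT))):
        print(label + ":", check_zone(text, "nasqueron.org") or "ok")
```

Running it reports the template as unrendered, passes the rendered zone, and fails the relative-owner variant with the same wording as the second entry above. Because '@' follows whatever origin is in force, the same rendered zone passes under any origin, whereas a zone written with absolute owners only passes under the origin it was written for, which is why the -o option matters when the file name does not carry the zone name.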

Useful links

  • CNAME for web domains (NetBox): https://netbox.nasqueron.org/ipam/services/?filter=web-domains-cname