Operations grimoire/DNS

From Nasqueron Agora
Revision as of 09:28, 23 May 2023 by Dereckson (talk | contribs) (→‎DNS change workflow)

📕📁📜 Old technical information :: content warning

⌛ This Nasqueron Operations Grimoire page hasn't been updated for a long time.

☣ As our infrastructure evolves quickly, there is a good chance this information is outdated or now inaccurate. Be careful and consider updating it.

➡️ To check whether the information is still up to date, look at the history of the relevant role in our Operations repository.

DNS is currently not hosted directly on Nasqueron:

  • for nasqueron.org, IPv6 blocks and most domains, DNS is hosted by Hurricane Electric -> reach Dereckson for modifications
  • for eglide.org, it's managed by Gandi -> reach Sandlayth for modifications

DNS change workflow

  1. If needed, open a task, or note in an existing task that you need the DNS change (which records, which zone, and why)
  2. Reach the DNS contact for that zone (see above) and ask them to comment back on the task when the change is done

Tips

Web domains use CNAME records pointing at the web front-end; see CNAME for web domains (NetBox) for the full list.

Proposals to host DNS at Nasqueron

Network:

  • 172.27.27.2/28 is reserved for a primary DNS server -> as this is an RFC 1918 address, we'd also need a public IPv4 for it
  • The secondary can be hosted in another datacenter, or at an external provider that replicates the zone from our primary by zone transfer (HE?)

How we want to work:

  • Git repository holding either the zone files directly, or a YAML description from which the zone files are generated
  • Web visualisation of the current zone
  • DNSSEC
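As an added example of the "Git repository + YAML description -> generated zone" workflow above, and of the CNAME rule that matters for the web domains mentioned in Tips, here is a small generator. It is not Nasqueron's tooling: the zone description (example.org, 192.0.2.x / 198.51.100.x / 2001:db8:: addresses) is constructed for illustration, and the records are kept as a Python dict so the script runs offline; in the real repository they would be loaded from YAML with PyYAML. The generator refuses to emit a zone that violates the CNAME rules, since that is the kind of mistake a review on a pull request would otherwise only catch when the server refuses to load the zone.

```python
"""Generate a BIND-style zone file from a declarative record set.

Added example, not Nasqueron's own tooling: it sketches the
"Git repository + template -> generated zone" workflow. The record
set below is constructed for illustration (documentation addresses,
RFC 5737 / RFC 3849); in practice it would be loaded from a YAML
file committed to the repository.
"""
import datetime

# Constructed sample zone (not real Nasqueron data).
ZONE = {
    "origin": "example.org.",
    "ttl": 3600,
    "soa": {"mname": "ns1.example.org.", "rname": "hostmaster.example.org.",
            "refresh": 7200, "retry": 900, "expire": 1209600, "minimum": 3600},
    "records": [
        {"name": "@",    "type": "NS",    "value": "ns1.example.org."},
        {"name": "@",    "type": "NS",    "value": "ns2.example.org."},
        {"name": "@",    "type": "A",     "value": "192.0.2.10"},
        {"name": "@",    "type": "AAAA",  "value": "2001:db8::10"},
        {"name": "ns1",  "type": "A",     "value": "192.0.2.53"},
        {"name": "ns2",  "type": "A",     "value": "198.51.100.53"},
        {"name": "web",  "type": "A",     "value": "192.0.2.80"},
        # Web domains point at the front-end through CNAMEs.
        {"name": "www",  "type": "CNAME", "value": "web"},
        {"name": "blog", "type": "CNAME", "value": "web.example.org."},
    ],
}


def serial_for(date, revision=1):
    """YYYYMMDDnn serial: sorts by date, leaves room for 99 edits a day."""
    return date.strftime("%Y%m%d") + f"{revision:02d}"


def validate(zone):
    """Enforce the CNAME rules that bite when web domains use CNAMEs.

    A CNAME owner name may carry no other data (RFC 1034 section 3.6.2,
    RFC 2181 section 10.1), so a CNAME cannot share a name with A/AAAA/MX
    records and cannot sit at the apex, which always has SOA and NS.
    Returns a list of human-readable problems; empty means the zone is fine.
    """
    problems = []
    types_by_name = {}
    for rec in zone["records"]:
        types_by_name.setdefault(rec["name"], []).append(rec["type"])
    for name, types in types_by_name.items():
        if "CNAME" not in types:
            continue
        if name == "@":
            problems.append("CNAME at zone apex")
        others = [t for t in types if t != "CNAME"]
        if others:
            problems.append(f"{name}: CNAME alongside {','.join(others)}")
        if types.count("CNAME") > 1:
            problems.append(f"{name}: more than one CNAME")
    return problems


def render(zone, serial):
    """Return the zone as text in RFC 1035 master-file syntax."""
    soa = zone["soa"]
    lines = [
        f"$ORIGIN {zone['origin']}",
        f"$TTL {zone['ttl']}",
        f"@ IN SOA {soa['mname']} {soa['rname']} ( {serial} {soa['refresh']}"
        f" {soa['retry']} {soa['expire']} {soa['minimum']} )",
    ]
    for rec in zone["records"]:
        lines.append(f"{rec['name']} IN {rec['type']} {rec['value']}")
    return "\n".join(lines) + "\n"


def build(zone, date=None, revision=1):
    """Validate, then render; refuse to emit a zone the server would reject."""
    problems = validate(zone)
    if problems:
        raise ValueError("; ".join(problems))
    serial = serial_for(date or datetime.date.today(), revision)
    return render(zone, serial)


if __name__ == "__main__":
    print(build(ZONE, datetime.date(2023, 5, 23)))
```

The generated file is what the server (BIND, Knot, PowerDNS in bind backend mode) loads; DNSSEC signing is better left to the server's own automatic signing so that private keys never enter the Git repository. Running the generator in CI on every pull request gives the web view of the current zone for free, since the rendered file is the artifact to publish.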

Products comments:

  • We liked in the past:
    • djbdns, but it isn't maintained anymore (neither is the dbndns fork)
    • Unbound, but it's a recursive resolver, not an authoritative server
  • The decision is to be analyzed amongst
    • BIND - de facto standard
    • CoreDNS - a newcomer from the Kubernetes world - is it suitable for non-Docker workloads too? It can serve plain zone files, but if it turns out not to fit, we could use CoreDNS for the Kubernetes subdomains and another product for the other records.
    • Knot DNS - actively maintained by CZ.NIC, the .CZ domain registry; security-oriented (DNSSEC), with registries as its first stakeholders, but with features like dynamic update (DynDNS) support it's a full authoritative server
    • PowerDNS - used by various ISPs

Useful links