Operations grimoire/DNS

From Nasqueron Agora

DNS is provided on both Nasqueron and Hurricane Electric infrastructures.

Nasqueron primary DNS server

Knot serves our DNS records from dns-001, which acts as the primary server ns1.nasqueron.org.

Zones are then automatically transferred to the Hurricane Electric servers, which act as secondaries.

Scope

  • ICANN domains

Edit a zone

To update records for our DNS:

  1. Edit the relevant zone file in rOPS: roles/dns/knot/files/zones/
  2. Deploy from Complector with salt dns-001 state.apply roles/dns/knot/config
  3. Lint the zone on dns-001 with kzonecheck /var/db/knot/nasqueron.org.zone
  4. Reload Knot server with service knot reload
  5. Check the new record with nslookup or dig against ns1.nasqueron.org
  6. Check again a little later against ns2.he.net, once the secondaries have picked up the zone

Hurricane Electric as primary DNS servers

Some DNS zones aren't currently hosted directly on Nasqueron.

In such a case, open a task on DevCentral or reach out to Dorian or Dereckson for modifications.

Scope

  • IPv6 blocks (nasqueron account)
  • Most extra domains (dereckson account)

Special cases

Eglide

The eglide.org domain is managed by Gandi; reach Sandlayth for modifications.

Tips

Web domains use CNAME records; see CNAME for web domains (NetBox) for the full list.

Troubleshoot

Knot DNS

kzonecheck: error: failed to run semantic checks

Did you invoke kzonecheck directly on a Jinja template? If so, it cannot validate the unrendered template.

You can run rOPS: _tests/roles/python/dns/test_dns_zones.py through (cd _tests && make test-roles-dns); it resolves every (pillar configuration, zone file) pair we have in the repository, renders the zones and then calls kzonecheck on them.

If you ran it directly in /usr/local/etc/knot against a .zone file, that file has a syntax error. Check that it contains no Jinja such as {{ identity }}; if it does, the template was probably copied by hand instead of being deployed through Salt.

kzonecheck: 1 missing SOA at the zone apex

The top domain of the zone is the "apex"; the SOA record needs to exist there and to use the '@' syntax:

-nasqueron.org. 172800 IN SOA {{ identity }}. ops-dns.nasqueron.org. (
+@ 172800 IN SOA {{ identity }}. ops-dns.nasqueron.org. (
     2025090200 ;serial
     10800      ;refresh
     1800       ;retry
     604800     ;expire
     86400 )    ;minimum
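Review bot: `{{ identity }}.` appends a literal dot after the rendered value, so the pillar's identity must be given without a trailing dot (ns1.nasqueron.org, not ns1.nasqueron.org.) or the MNAME renders with a doubled dot and the zone fails to parse; the same holds for the NS lines below. Worth a comment in the template, since test_dns_zones.py is what would catch it before deployment.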

kzonecheck: 1 missing NS at the zone apex

The top domain of the zone is the "apex"; the NS records need to exist there and to use the '@' syntax:

+@ 86400 IN NS {{ identity }}.
+@ 86400 IN NS ns1.he.net.
+@ 86400 IN NS ns2.he.net.
+@ 86400 IN NS ns3.he.net.
+@ 86400 IN NS ns4.he.net.
+@ 86400 IN NS ns5.he.net.
+
-nasqueron.org. 86400 IN NS {{ identity }}.
-nasqueron.org. 86400 IN NS ns1.he.net.
-nasqueron.org. 86400 IN NS ns2.he.net.
-nasqueron.org. 86400 IN NS ns3.he.net.
-nasqueron.org. 86400 IN NS ns4.he.net.
-nasqueron.org. 86400 IN NS ns5.he.net.
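Review bot: '@' expands to the zone origin, so these NS records land at nasqueron.org. only when kzonecheck is checking the file under that origin; the removed lines named the owner in full, so if the "missing NS at the zone apex" message persists after this change, look at the origin in use (the zone file is named nasqueron.org.zone in the editing steps above) rather than at the record syntax. The lone `+` also adds an empty line, which Knot accepts but which looks accidental.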

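As an added example, not code from rOPS or from test_dns_zones.py, the following Python lint reproduces the checks behind the three kzonecheck messages above: it renders a constructed zone template from a pillar-like mapping with a simplified Jinja substitution, flags leftover {{ }} placeholders, and verifies that SOA and NS records exist at the apex, accepting '@' or the fully qualified origin as owner. The sample template, the identity value and the origin are constructed assumptions, not the repository's real data.

```python
import re
from typing import Dict, List

# Constructed sample in the style of a roles/dns/knot/files/zones/ template, not the
# repository's real file: apex SOA and NS use '@', the primary comes from the pillar.
SAMPLE_TEMPLATE = """\
$TTL 86400
@ 172800 IN SOA {{ identity }}. ops-dns.nasqueron.org. (
    2025090200 ;serial
    10800      ;refresh
    1800       ;retry
    604800     ;expire
    86400 )    ;minimum
@ 86400 IN NS {{ identity }}.
@ 86400 IN NS ns1.he.net.
www 300 IN CNAME web.nasqueron.org.
"""
JINJA_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(template: str, pillar: Dict[str, str]) -> str:
    """Stand-in for Salt's Jinja rendering: substitute {{ var }} from a pillar-like
    mapping, leaving unknown variables in place so lint_zone() reports them."""
    return JINJA_VAR.sub(lambda m: pillar.get(m.group(1), m.group(0)), template)

def lint_zone(zone_text: str, origin: str) -> List[str]:
    """Report the failure modes described on this page: leftover Jinja (template copied
    instead of deployed through Salt) and a missing SOA or NS at the zone apex."""
    findings: List[str] = []
    if JINJA_VAR.search(zone_text):
        findings.append("unrendered Jinja placeholder: copied instead of deployed through Salt?")
    apex_types = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ';' comments
        if not line or line.startswith("$"):        # skip blanks and $TTL/$ORIGIN directives
            continue
        fields = line.split()
        if fields[0] not in ("@", origin):          # keep apex records only; this also skips
            continue                                # the indented SOA continuation lines
        # TTL and class are optional, so the type is the first field that is neither
        rtype = next((f for f in fields[1:] if not f.isdigit() and f != "IN"), None)
        if rtype:
            apex_types.add(rtype)
    for required in ("SOA", "NS"):
        if required not in apex_types:
            findings.append(f"missing {required} at the zone apex")
    return findings

def check_template(template: str, pillar: Dict[str, str], origin: str) -> List[str]:
    """One (pillar, zone template) pair, as test_dns_zones.py iterates them before kzonecheck."""
    return lint_zone(render(template, pillar), origin)
```

check_template(SAMPLE_TEMPLATE, {"identity": "ns1.nasqueron.org"}, "nasqueron.org.") returns an empty list for the sample; call it with an empty pillar and the unrendered-Jinja finding appears, which is exactly the copied-instead-of-deployed case described above.
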
Useful links