opendev/system-config
Code Issues Proposed changes
system-config/doc/source/dns.rst
Ian Wienand b0d27692de
Refactor adns variables 
Firstly, my understanding of "adns" is that it's short for
authoritative-dns; i.e. things related to our main non-recursive DNS
servers for the zones we manage.  The "a" is useful to distinguish
this from any sort of other dns services we might run for CI, etc.

The way we do this is with a "hidden" server that applies updates from
config management, which then notifies secondary public servers which
do a zone transfer from the primary.  They're all "authoritative" in
the sense they're not for general recursive queries.

As mentioned in Ibd8063e92ad7ff9ee683dcc7dfcc115a0b19dcaa, we
currently have 3 groups

 adns : the hidden primary bind server
 ns : the secondary public authoratitive servers
 dns : both of the above

This proposes a refactor into the following 3 groups

 adns-primary : hidden primary bind server
 adns-secondary : the secondary public authoritative servers
 adns : both of the above

This is meant to be a no-op; I just feel like this makes it a bit
clearer as to the "lay of the land" with these servers.  It will need
some considering of the hiera variables on bridge if we merge.

Change-Id: I9ffef52f27bd23ceeec07fe0f45f9fee08b5559a
2023-03-10 09:36:01 +11:00

1.5 KiB
Raw Blame History

title

DNS

DNS

The project runs authoritative DNS servers for any constituent projects that wish to use them.

Bind is run on a hidden master (adns01.opendev.org) which handles automatic DNSSEC zone signing. Any changes to the zone files are deployed here.

Secondary public authoritative servers run NSD and take zone transfers from the hidden primary. These are published in the NS records for the managed zones.

At a Glance

Hosts
  • adns01.opendev.org
  • ns1.opendev.org
  • ns2.opendev.org
Ansible
Projects

Adding a Zone

To add a new zone, identify an existing git repository or create a new one to hold the contents of the zone, then update :git_file:`inventory/service/group_vars/dns.yaml`.

Run:

dnssec-keygen -a RSASHA256 -b 2048 -3 example.net
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.net

And add the resulting files to the dnssec_keys key in the group/adns.yaml private hostvars file on puppetmaster.

If you need to generate DS records for the registrar, identify which of the just-created key files is the key-signing key by examining the contents of the files and reading the comments therein, then run:

dnssec-dsfromkey -2 $KEYFILE