Bug #16232

Run a nameserver for the {amnesia,tails}.boum.org sub-zones

Added by intrigeri 5 months ago. Updated 3 days ago.

Status: In Progress
Priority: Elevated
Assignee:
Category: Infrastructure
Target version:
Start date: 12/18/2018
Due date:
% Done: 30%
Spent time:
QA Check: Dev Needed
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:

Description

… so our mirror admins can keep controlling it once boum.org's NS has migrated to its new home.

Then:


Related issues

Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) Confirmed 06/30/2017
Blocked by Tails - Feature #15513: Switch to the puppetlabs/mysql module Resolved 04/09/2018

Associated revisions

Revision 26f74088 (diff)
Added by intrigeri 5 months ago

Document the new DNS service (refs: #16232)

History

#1 Updated by intrigeri 5 months ago

  • Blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#2 Updated by intrigeri 5 months ago

  • Subject changed from Run a nameserver for the amnesia.boum.org sub-zone to Run a nameserver for the {amnesia,tails}.boum.org sub-zones

While we're at it, it'll be super cheap to also manage the tails.b.o sub-zone ourselves, so we can make changes there without asking A/I. Let me know if there's a problem with that.

#3 Updated by intrigeri 5 months ago

  • Description updated (diff)

#4 Updated by groente 5 months ago

Primary is up and running; we still need a secondary.

#5 Updated by intrigeri 5 months ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 30
  • merge the 2 mirrors.git somehow

Done.

  • adapt mirror team scripts if needed
  • update mirror team doc

Done locally, will push once we are actually authoritative for amnesia.b.o.

#6 Updated by groente 5 months ago

  • Blocked by Feature #15513: Switch to the puppetlabs/mysql module added

#7 Updated by intrigeri 5 months ago

  • Description updated (diff)

#8 Updated by intrigeri 5 months ago

  • Description updated (diff)

NS switched, updated doc pushed.

#9 Updated by intrigeri 5 months ago

  • Description updated (diff)

#10 Updated by intrigeri 5 months ago

  • Description updated (diff)

#11 Updated by intrigeri 5 months ago

  • Assignee changed from intrigeri to groente
  • QA Check set to Ready for QA

Monitoring added, see commits from today that reference this ticket's ID.

#12 Updated by groente 5 months ago

  • Priority changed from High to Elevated
  • QA Check changed from Ready for QA to Dev Needed

Waiting for blockers before deploying a secondary.

#13 Updated by intrigeri 4 months ago

Is there a way we can get a secondary without blocking on #15513? See the DDoS thread on our sysadmin team list for details.

#14 Updated by groente 4 months ago

intrigeri wrote:

Is there a way we can get a secondary without blocking on #15513? See the DDoS thread on our sysadmin team list for details.

Not really; replication has to be done through the MySQL backend.

#15 Updated by intrigeri 4 months ago

The upcoming DNS flag day came to my attention. According to https://dnsflagday.net/ our domain will still work after the flag day but a few EDNS compliance issues are raised: https://ednscomp.isc.org/ednscomp/3819fdd0ca. I don't know enough about this topic to tell how bad the impact is and how to fix it.

#16 Updated by anonym 4 months ago

  • Target version changed from Tails_3.12 to Tails_3.13

#17 Updated by intrigeri 4 months ago

  • Description updated (diff)

#15513 is deployed, so with this blocker out of the way, you may now:

  • review my changes (doc & monitoring) mentioned above
  • drop our temporary hacks, i.e. hard-reset the powerdns module to some upstream version (after checking that the re-enabled mysql-related code will indeed do what we want :)
  • set up the secondary (where?)

#18 Updated by geb 3 months ago

Hi,

intrigeri wrote:

The upcoming DNS flag day came to my attention. According to https://dnsflagday.net/ our domain will still work after the flag day but a few EDNS compliance issues are raised: https://ednscomp.isc.org/ednscomp/3819fdd0ca. I don't know enough about this topic to tell how bad the impact is and how to fix it.

I also had a look, and pinged a friend about that. His response leads me to think that it's a bug in the test tool itself, and that there is no problem in the Tails nameserver:

Strange. Unlike what the above URL says, there is no SOA:

% dig +nocookie +norec +noad +edns=1 +noednsneg soa tails.boum.org @198.252.153.59

<<>> DiG 9.11.5-P1-1-Debian <<>> +nocookie +norec +noad +edns=1 +noednsneg soa tails.boum.org @198.252.153.59
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 47257
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;tails.boum.org. IN SOA

;; Query time: 134 msec
;; SERVER: 198.252.153.59#53(198.252.153.59)
;; WHEN: Mon Feb 04 09:02:09 UTC 2019
;; MSG SIZE rcvd: 43

The "problem" also exists for other powerdns installs, for instance powerdns.net https://ednscomp.isc.org/ednscomp/56b28c9733. I'll try to report the issue asap.
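The compliance question raised in #15 and the dig output quoted in #18 both come down to how an authoritative server should answer an EDNS version it does not implement. The script below is an added example for this ticket, not code from Tails' infrastructure or from the ISC test tool: it builds such a probe, parses the 43-byte reply dig reported (reconstructed here from the printed header, flags and OPT fields; the bytes are constructed, not a capture), and checks it against the rule in RFC 6891 section 6.1.3 (unsupported version: answer BADVERS, carry an OPT advertising the highest supported version, include no RRs). The ECHOING_REPLY counter-example, the message ids and the udp size in the probe are likewise constructed.

```python
import struct

TYPE_SOA = 6
TYPE_OPT = 41
BADVERS = 16  # extended RCODE 16 (RFC 6891); dig prints it as "status: BADVERS"


def encode_name(name):
    """Wire-encode a dotted domain name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(qname, qtype, edns_version, udp_size=4096, do=True, msg_id=0x1234):
    """Non-recursive probe like 'dig +norec +edns=N': one question plus an OPT
    pseudo-RR whose TTL field carries ext-rcode=0, the EDNS version and the DO bit."""
    header = struct.pack(">HHHHHH", msg_id, 0, 1, 0, 0, 1)  # flags 0: no RD, no AD
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)  # class IN
    opt_ttl = (edns_version << 16) | (0x8000 if do else 0)
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, opt_ttl, 0)  # root name, no rdata
    return header + question + opt


def decode_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left
            if end is None:
                end = off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_rr(data, off):
    name, off = decode_name(data, off)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": data[off:off + rdlen]}, off + rdlen


def parse_response(data):
    """Parse header, question and the three RR sections; fold the OPT extended
    RCODE into the header RCODE the way dig does when it prints the status."""
    msg_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, _qclass = struct.unpack(">HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        sections[sec] = []
        for _ in range(count):
            rr, off = parse_rr(data, off)
            sections[sec].append(rr)
    rcode, edns = flags & 0x0F, None
    opt = next((rr for rr in sections["additional"] if rr["type"] == TYPE_OPT), None)
    if opt is not None:
        rcode |= ((opt["ttl"] >> 24) & 0xFF) << 4  # upper 8 bits of the 12-bit RCODE
        edns = {"version": (opt["ttl"] >> 16) & 0xFF,
                "do": bool(opt["ttl"] & 0x8000), "udp_size": opt["class"]}
    return {"id": msg_id, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": rcode, "questions": questions, "edns": edns, **sections}


def check_badvers_reply(resp, probe_version):
    """RFC 6891 section 6.1.3: a server that does not implement the requested EDNS
    version answers BADVERS, with an OPT advertising the highest version it does
    support, and no RRs in answer/authority. Returns (compliant, reason)."""
    if resp["edns"] is None:
        return False, "no OPT in reply: EDNS ignored or stripped on the path"
    if resp["rcode"] != BADVERS:
        return False, "expected BADVERS (16), got RCODE %d" % resp["rcode"]
    if resp["edns"]["version"] >= probe_version:
        return False, "OPT claims version %d is supported" % resp["edns"]["version"]
    if resp["answer"] or resp["authority"]:
        return False, "BADVERS reply carries answer/authority RRs"
    return True, "BADVERS with EDNS version %d and no SOA or other RRs" % resp["edns"]["version"]


# Constructed from the dig output quoted above: id 47257, flags qr aa, status BADVERS,
# QUERY 1 / ANSWER 0 / AUTHORITY 0 / ADDITIONAL 1, OPT version 0, DO set, udp 1680.
REPLY_FROM_DIG = (
    struct.pack(">HHHHHH", 47257, 0x8400, 1, 0, 0, 1)
    + encode_name("tails.boum.org") + struct.pack(">HH", TYPE_SOA, 1)
    + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 1680, (1 << 24) | 0x8000, 0)
)

# Constructed counter-example: a server that blindly echoes version 1 back with NOERROR.
ECHOING_REPLY = REPLY_FROM_DIG[:32] + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 1680, (1 << 16) | 0x8000, 0)

if __name__ == "__main__":
    reply = parse_response(REPLY_FROM_DIG)
    print(len(REPLY_FROM_DIG), "bytes, RCODE", reply["rcode"], check_badvers_reply(reply, 1))
```

Run stand-alone it parses the reconstructed reply and reports it as compliant; to check a live server, send the bytes from build_edns_query over UDP to port 53 and hand the reply to parse_response. The check encodes only what the RFC requires; whether the ednscomp report was right about the SOA is not settled on this page.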

#19 Updated by geb 3 months ago

geb wrote:

intrigeri wrote:

The upcoming DNS flag day came to my attention. According to https://dnsflagday.net/ our domain will still work after the flag day but a few EDNS compliance issues are raised: https://ednscomp.isc.org/ednscomp/3819fdd0ca. I don't know enough about this topic to tell how bad the impact is and how to fix it.

I also had a look, and pinged a friend about that. His response leads me to think that it's a bug in the test tool itself, and that there is no problem in the Tails nameserver
[...]
The "problem" also exists for other powerdns installs, for instance powerdns.net https://ednscomp.isc.org/ednscomp/56b28c9733. I'll try to report the issue asap.

Done: https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/issues/34

#20 Updated by geb 3 months ago

geb wrote:

geb wrote:

intrigeri wrote:

The upcoming DNS flag day came to my attention. According to https://dnsflagday.net/ our domain will still work after the flag day but a few EDNS compliance issues are raised: https://ednscomp.isc.org/ednscomp/3819fdd0ca. I don't know enough about this topic to tell how bad the impact is and how to fix it.

I also had a look, and pinged a friend about that. His response leads me to think that it's a bug in the test tool itself, and that there is no problem in the Tails nameserver
[...]
The "problem" also exists for other powerdns installs, for instance powerdns.net https://ednscomp.isc.org/ednscomp/56b28c9733. I'll try to report the issue asap.

Done: https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/issues/34

Apparently,

#21 Updated by groente 3 months ago

  • Assignee changed from groente to intrigeri
  • QA Check changed from Dev Needed to Info Needed

We haven't really decided where to deploy the secondary yet. ecours seems to me the most sensible place; what do you think?

#22 Updated by intrigeri 3 months ago

  • Assignee changed from intrigeri to groente
  • QA Check changed from Info Needed to Dev Needed

We haven't really decided where to deploy the secondary yet. ecours seems to me the most sensible place; what do you think?

In terms of network & geographical diversity, sure, among the systems we're already running it's the most sensible option.

Regarding security, I don't remember if we've made any special choice in ecours' setup that would make it unsuitable for hosting our DNS; putting aside "running a PHP webapp" exposed to the Internet, I think it's OK. One should check that we didn't give icinga2/icingaweb2 full control over MariaDB there.

Finally, regarding resources:

  • I assume DNS won't take much CPU, even with a MySQL backend.
  • We already run MariaDB.
  • There's a little bit of RAM left, not much when Puppet is running though. Might be a bit tight.
  • There's tons of free space in the PV.
  • We need to check what the upstream firewalling setup is. E.g. we're not allowed to make outgoing DNS queries. Perhaps we need to get an exception to accept incoming DNS queries.

#23 Updated by CyrilBrulebois 2 months ago

  • Target version changed from Tails_3.13 to Tails_3.14

#24 Updated by CyrilBrulebois 3 days ago

  • Target version changed from Tails_3.14 to Tails_3.15
