[sf-lug] SF-LUG DNS ("routine" maintenance - zero outage - pre-registrar transfer)
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Sun Jan 25 23:15:56 PST 2015
For those that might be interested ("follow the bouncing ball"?), here's
a rather detailed, relatively (an)notated description of the work /
technical details, going through the relevant DNS checks and changes, in
preparation for planned registrar transfers of the SF-LUG domains
(sf-lug.org & sf-lug.com). This is mostly to ensure smooth transition
of registrar transfer, and no hiccups from DNS not being as desired, or
as may be required (or at least quite "good enough") to make it through
that process smoothly.
// my comments on lines starting with //
// PS2='> '
// tabs converted to spaces, so, within the [] where there's nothing but
// whitespace, that's generally actually one space and one tab within
// most of the relevant DNS data, including "upstream" - notably
// authority and "glue" records:
$ date -Iseconds; (dig -t ANY sf-lug.org. +trace; dig -t ANY \
> sf-lug.com. +trace) | fgrep -i sf-lug | sed -e 's/[ ]*;.*$//;/^$/d'
2015-01-23T18:10:54-0800
sf-lug.org. 86400 IN NS ns41.worldnic.com.
sf-lug.org. 86400 IN NS ns42.worldnic.com.
sf-lug.org. 7200 IN NS ns42.worldnic.com.
sf-lug.org. 7200 IN NS ns41.worldnic.com.
sf-lug.org. 7200 IN A 208.96.15.252
sf-lug.org. 7200 IN SOA NS41.WORLDNIC.COM. namehost.WORLDNIC.COM. 113020522 10800 3600 604800 3600
sf-lug.com. 172800 IN NS ns1.sf-lug.com.
sf-lug.com. 172800 IN NS ns2.sf-lug.com.
sf-lug.com. 86400 IN SOA ns1.sf-lug.com. jim.well.com. 2015012200 3600 3600 1209600 10800
sf-lug.com. 86400 IN NS ns1.sf-lug.com.
sf-lug.com. 86400 IN NS ns.primate.net.
sf-lug.com. 86400 IN NS ns.tx.primate.net.
sf-lug.com. 86400 IN NS ns2.sf-lug.com.
sf-lug.com. 86400 IN A 208.96.15.252
sf-lug.com. 86400 IN MX 5 mail.sf-lug.com.
sf-lug.com. 86400 IN TXT "v=spf1 a mx -all"
// let's attack the longest TTLs we have to change first
$ echo '172800/60/60/24' | bc -l
2.00000000000000000000
// that's two days - so ... need to wait until at least 48 hours *after*
// we change that data before starting domain transfer process.
// https://www.networksolutions.com/
// Log In https://www.networksolutions.com/manage-it/index.jsp
// User ID: [redacted]
// Password: [redacted]
// [Login]
// [My Domain Names]
// To the right of sf-lug.com click [Manage]
// [Change Where Domain Points]
// Select Domain Name Server (DNS) and click [Continue]
// [Add More Name Servers]
// Name Server 1: NS1.SF-LUG.COM
// Name Server 2: NS.PRIMATE.NET
// Name Server 3: NS.TX.PRIMATE.NET
// [Continue]
// [Apply Changes]
// They indicate:
// Pointing Complete
// Note: It may take 24-48 hours for changes to update throughout the
// Internet.
$ date -Iseconds; (dig -t ANY sf-lug.com. +trace) | fgrep -i sf-lug |
> sed -e 's/[ ]*;.*$//;/^$/d'
2015-01-23T18:39:20-0800
sf-lug.com. 172800 IN NS ns1.sf-lug.com.
sf-lug.com. 172800 IN NS ns2.sf-lug.com.
sf-lug.com. 86400 IN SOA ns1.sf-lug.com. jim.well.com. 2015012200 3600 3600 1209600 10800
sf-lug.com. 86400 IN NS ns.primate.net.
sf-lug.com. 86400 IN NS ns2.sf-lug.com.
sf-lug.com. 86400 IN NS ns1.sf-lug.com.
sf-lug.com. 86400 IN NS ns.tx.primate.net.
sf-lug.com. 86400 IN A 208.96.15.252
sf-lug.com. 86400 IN MX 5 mail.sf-lug.com.
sf-lug.com. 86400 IN TXT "v=spf1 a mx -all"
// They lie - they've not pushed it to DNS yet, so we have to wait
// however long it takes them to do that, *plus* the 48 hour TTL.
// Also, they did *not* ask for the "glue" record for ns1.sf-lug.com.
// which is needed - we'll have to see if they still use the existing
// glue record they have for that (which would be fine, as it's
// unchanged), or if we need to get them to (re)add the glue record for
// that. However, the two other NS servers for that domain don't
// depend upon such "glue" record, so we're okay for those (and at
// minimum 2 out of 3 will be working ... which is still better than
// sf-lug.com. was for months with one of its two NS servers down).
// Let's proceed to sf-lug.org
// [My Products & Services]
// [My Domain Names]
// Here, since sf-lug.org has DNS hosted by
// networksolutions.com/web.com/worldnic.com, we'll look at that DNS
// data, to see if there's anything we care about that I'm not already
// well aware of (they won't let us pull the zone, so have to look in
// their GUI to see all of the DNS setting they have hosted - at least
// if even that will show us).
// Select sf-lug.org (checkbox to left)
// [Edit DNS]
// [Manage Advanced DNS Records]
// We then see they show us:
// IP Address (A Records)
// Host TTL Numeric IP
// www 7200 208.96.15.252
// @ (None) 7200 208.96.15.252
// * (All Others) 7200 208.96.15.252
// Mail Servers (MX Records) help
// sf-lug.org
// Host Aliases (CNAME Records) Help
// Alias a domain name for another domain.
// No CNAME Records.
// Edit CNAME Records
// Text (TXT Records) Help
// SPF (Sender Policy Framework) records can be entered as TXT record.
// No TXT Records.
// Edit TXT Records
// Service (SRV Records) Help
// No SRV Records.
// I was unaware of the wildcard record, they have for us:
$ dig @ns41.worldnic.com. -t A '*.sf-lug.org.' +noall +answer | sed \
> -e 's/[ ]*;.*$//;/^$/d'
*.sf-lug.org. 7200 IN A 208.96.15.252
// We don't have that:
$ dig @208.96.15.252 -t A '*.sf-lug.org.' | fgrep NX
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55939
$ dig @ns41.worldnic.com. -t MX 'sf-lug.org.' +noall +answer | sed -e \
> 's/[ ]*;.*$//;/^$/d'
$ dig @ns41.worldnic.com. -t MX 'sf-lug.org.'
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns41.worldnic.com. -t MX sf-lug.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29727
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;sf-lug.org. IN MX
;; AUTHORITY SECTION:
sf-lug.org. 3600 IN SOA NS41.WORLDNIC.COM. namehost.WORLDNIC.COM. 113020522 10800 3600 604800 3600
;; Query time: 93 msec
;; SERVER: 207.204.40.121#53(207.204.40.121)
;; WHEN: Fri Jan 23 19:03:04 2015
;; MSG SIZE rcvd: 90
// ... what the heck, their GUI says they have MX record, but it is
// *not* in DNS ... so, we're okay on that one, as we've likewise not
// put in an MX record:
$ dig @208.96.15.252 -t MX 'sf-lug.org.'
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @208.96.15.252 -t MX sf-lug.org.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50351
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;sf-lug.org. IN MX
;; AUTHORITY SECTION:
sf-lug.org. 3600 IN SOA ns1.sf-lug.org. jim.well.com. 113020524 10800 3600 604800 3600
;; Query time: 16 msec
;; SERVER: 208.96.15.252#53(208.96.15.252)
;; WHEN: Fri Jan 23 19:04:35 2015
;; MSG SIZE rcvd: 80
// So ... we just need to add the wildcard ...
// Also, we have:
$ dig @208.96.15.252 -t A 'mail.sf-lug.org.' +noall +answer | sed -e \
> 's/[ ]*;.*$//;/^$/d'
mail.sf-lug.org. 7200 IN A 208.96.15.252
// ... we'll also remove that as it's redundant with their wildcard
// record
# hostname && pwd -P
sflug
/etc/bind/master
# rlog -r1.4 sf-lug.org
RCS file: RCS/sf-lug.org,v
Working file: sf-lug.org
head: 1.4
branch:
locks: strict
access list:
symbolic names:
keyword substitution: kv
total revisions: 4; selected revisions: 1
description:
sf-lug.org
----------------------------
revision 1.4
date: 2015/01/24 03:10:22; author: root; state: Exp; lines: +2 -2
added wildcard to match DNS we're taking over,
removed mail - redundant with above
=============================================================================
# rcsdiff -r1.3 -r1.4 sf-lug.org
===================================================================
RCS file: RCS/sf-lug.org,v
retrieving revision 1.3
retrieving revision 1.4
diff -r1.3 -r1.4
5c5
< 113020524; SERIAL
---
> 113020525; SERIAL
20c20
< mail IN A 208.96.15.252
---
> * IN A 208.96.15.252
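Review bot: in the 20c20 hunk, replacing the explicit `mail` A record with `* IN A 208.96.15.252` makes every otherwise undefined name under sf-lug.org resolve to that host, not just mail; that matches the worldnic data being taken over, but it would be worth a comment in the zone file stating the wildcard is intentional, and a check that nothing listening on 208.96.15.252 (virtual hosts, mail acceptance) behaves differently when reached via an arbitrary hostname. Also note that a wildcard does not cover names that already exist in the zone with other record types, so any such name still needs its own A record if it is meant to resolve.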
#
$ dig @208.96.15.252 -t A '*.sf-lug.org.' +noall +answer | sed -e \
> 's/[ ]*;.*$//;/^$/d'
*.sf-lug.org. 7200 IN A 208.96.15.252
$ dig @208.96.15.252 -t SOA 'sf-lug.org.' +short
ns1.sf-lug.org. jim.well.com. 113020525 10800 3600 604800 3600
// Now we're ready to change upstream DNS, continuing with Network
// Solutions / Web.com ...
// [My Products & Services]
// [My Domain Names]
// To the right of sf-lug.org click [Manage]
// [Change Where Domain Points]
// Select Domain Name Server (DNS) and click [Continue]
// [Add More Name Servers]
// Name Server 1: NS1.SF-LUG.ORG
// Name Server 2: NS.PRIMATE.NET
// Name Server 3: NS.TX.PRIMATE.NET
// [Continue]
// [Apply Changes]
// They indicate:
// Pointing Complete
// Note: It may take 24-48 hours for changes to update throughout the
// Internet.
$ date -Iseconds; (dig -t ANY sf-lug.org. +trace) | fgrep -i sf-lug |
> sed -e 's/[ ]*;.*$//;/^$/d'
2015-01-23T19:23:41-0800
sf-lug.org. 86400 IN NS ns41.worldnic.com.
sf-lug.org. 86400 IN NS ns42.worldnic.com.
sf-lug.org. 7200 IN A 208.96.15.252
sf-lug.org. 7200 IN NS ns41.worldnic.com.
sf-lug.org. 7200 IN SOA ns41.worldnic.com. namehost.worldnic.com. 113020522 10800 3600 604800 3600
sf-lug.org. 7200 IN NS ns42.worldnic.com.
// They lie - they've not pushed it to DNS yet, so we have to wait
// however long it takes them to do that, *plus* the 24 hour TTL.
// Also, they did *not* ask for the "glue" record for ns1.sf-lug.org.
// which is needed - they'll need that (maybe they'll pick that up from
// one of our other nameservers?) - or we might have to explicitly tell
// them to add that. However, the two other NS servers for that domain
// don't depend upon such "glue" record, so we're okay for those (and at
// minimum 2 out of 3 will be working ... which is still better than
// sf-lug.com. was for months with one of its two NS servers down).
//
// So, at present, we need to wait for them to push out the DNS changes,
// if they omit needed "glue" records we'll have to tell them to add
// those, once all that's done, we'll also have to wait the TTL time,
// then after that, we're free to start registrar transfer process.
// And, waiting a bit later, we have ...
$ date -Iseconds; (dig -t ANY sf-lug.org. +trace; dig -t ANY \
> sf-lug.com. +trace) | fgrep -i sf-lug | sed -e 's/[ ]*;.*$//;/^$/d'
2015-01-23T19:43:02-0800
sf-lug.org. 86400 IN NS ns1.sf-lug.org.
sf-lug.org. 86400 IN NS ns.tx.primate.net.
sf-lug.org. 86400 IN NS ns.primate.net.
sf-lug.org. 7200 IN SOA ns1.sf-lug.org. jim.well.com. 113020525 10800 3600 604800 3600
sf-lug.org. 7200 IN A 208.96.15.252
sf-lug.org. 7200 IN NS ns.tx.primate.net.
sf-lug.org. 7200 IN NS ns1.sf-lug.org.
sf-lug.org. 7200 IN NS ns.primate.net.
sf-lug.com. 172800 IN NS ns1.sf-lug.com.
sf-lug.com. 172800 IN NS ns.primate.net.
sf-lug.com. 172800 IN NS ns.tx.primate.net.
sf-lug.com. 86400 IN SOA ns1.sf-lug.com. jim.well.com. 2015012200 3600 3600 1209600 10800
sf-lug.com. 86400 IN NS ns2.sf-lug.com.
sf-lug.com. 86400 IN NS ns.primate.net.
sf-lug.com. 86400 IN NS ns.tx.primate.net.
sf-lug.com. 86400 IN NS ns1.sf-lug.com.
sf-lug.com. 86400 IN A 208.96.15.252
sf-lug.com. 86400 IN MX 5 mail.sf-lug.com.
sf-lug.com. 86400 IN TXT "v=spf1 a mx -all"
// That's looking relatively good. Are the needed "glue" records in
// place? If so, we're probably done on that, if not we need to tell
// NetworkSolutions/Web.com the "glue" records.
$ dig @$(dig -t NS com. +short | head -n 1) -t A ns1.sf-lug.com. \
> +noall +norecurse +additional | fgrep -i sf-lug | sed -e \
> 's/[ ]*;.*$//;/^$/d'
ns1.sf-lug.com. 172800 IN A 208.96.15.252
$ dig @$(dig -t NS org. +short | head -n 1) -t A ns1.sf-lug.org. \
> +noall +norecurse +additional | fgrep -i sf-lug | sed -e \
> 's/[ ]*;.*$//;/^$/d'
ns1.sf-lug.org. 86400 IN A 208.96.15.252
// Glue looks good - will recheck after TTL to ensure it still looks
// good - looks like in this case we didn't need to explicitly tell the
// registrar (I'm guessing they pulled it from the other NS servers or
// used the existing data where they already had it).
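As an added illustration (not the post's own code), the checks done above with dig (parent vs. child NS set consistency, glue for in-bailiwick NS names, and the longest NS TTL as the time to wait) as a small offline Python checker; the sample data is constructed from the snapshots shown above, and the function and variable names are this example's own.

```python
"""Delegation check in the spirit of the post: compare the NS set the parent
(TLD) servers hand out with the NS set the zone's own servers answer, list
in-bailiwick NS names whose glue is missing, and compute the wait (longest NS
TTL) before starting a registrar transfer. Added example, not the post's code.
Input is the one-RR-per-line text the post's dig|fgrep|sed pipeline prints."""
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")


def parse_rrs(text):
    """Parse 'owner TTL IN TYPE rdata' lines; SOA continuation lines are skipped."""
    rrs = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5 or p[2] != "IN" or not p[1].isdigit():
            continue
        rrs.append(RR(p[0].lower(), int(p[1]), p[3].upper(), " ".join(p[4:]).lower()))
    return rrs


def delegation_report(zone, parent, child, glue):
    """parent: NS RRs from the TLD referral; child: RRs served by the zone's own
    servers; glue: additional-section A/AAAA RRs a TLD server returned."""
    zone = zone.lower().rstrip(".") + "."
    p_ns = {r.rdata for r in parse_rrs(parent) if r.name == zone and r.rtype == "NS"}
    c_ns = {r.rdata for r in parse_rrs(child) if r.name == zone and r.rtype == "NS"}
    glued = {r.name for r in parse_rrs(glue) if r.rtype in ("A", "AAAA")}
    # Only NS names inside the zone itself need glue at the parent.
    in_bailiwick = {ns for ns in p_ns if ns.endswith("." + zone)}
    ns_ttls = [r.ttl for r in parse_rrs(parent) + parse_rrs(child)
               if r.name == zone and r.rtype == "NS"]
    return {
        "consistent": p_ns == c_ns,
        "parent_only": sorted(p_ns - c_ns),
        "child_only": sorted(c_ns - p_ns),
        "missing_glue": sorted(in_bailiwick - glued),
        # Longest NS TTL anywhere is how long stale delegation data can live.
        "wait_hours": max(ns_ttls, default=0) / 3600,
    }


# Constructed from the post's 2015-01-23T18:39:20 snapshot (parent not yet
# pushed), the pushed parent set, and the zone after ns2 was commented out.
PARENT_OLD = """sf-lug.com. 172800 IN NS ns1.sf-lug.com.
sf-lug.com. 172800 IN NS ns2.sf-lug.com."""
PARENT_NEW = """sf-lug.com. 172800 IN NS ns.primate.net.
sf-lug.com. 172800 IN NS ns.tx.primate.net.
sf-lug.com. 172800 IN NS ns1.sf-lug.com."""
CHILD_WITH_NS2 = """sf-lug.com. 86400 IN NS ns.primate.net.
sf-lug.com. 86400 IN NS ns2.sf-lug.com.
sf-lug.com. 86400 IN NS ns1.sf-lug.com.
sf-lug.com. 86400 IN NS ns.tx.primate.net.
sf-lug.com. 86400 IN A 208.96.15.252"""
CHILD_FINAL = CHILD_WITH_NS2.replace("sf-lug.com. 86400 IN NS ns2.sf-lug.com.\n", "")
GLUE = "ns1.sf-lug.com. 172800 IN A 208.96.15.252"

if __name__ == "__main__":
    for label, p, c in (("not pushed", PARENT_OLD, CHILD_WITH_NS2),
                        ("pushed", PARENT_NEW, CHILD_WITH_NS2),
                        ("ns2 removed", PARENT_NEW, CHILD_FINAL)):
        print(label, delegation_report("sf-lug.com", p, c, GLUE))
```

The "not pushed" case reports the two primate.net servers as child-only, the "pushed" case reports ns2 as child-only (the inconsistency the post removes), and the final case is consistent with a 48 hour wait.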
// Also, not trying to have too many balls up in the air through these
// changes. Did earlier add new slaves downstream from 208.96.15.252, and
// removed the one that was still down at the time (though left it in
// also-notify). Can readd it back in later - but much simpler to do that
// after registrar transfer is completed, and certainly don't want to do it
// while that stuff is in progress.
// So, we check back in on DNS again > 2015-01-25T19:43:02-0800, and see
// where we're at then, and confirm if all still looks good to proceed to
// registrar transfer process. We'll also want to check registrant domain
// expiration date/time information - certainly don't want to be doing any
// of the transfer too close to any upcoming domain expirations.
// So, ... we check again, more than 48 hours later (past the longest
// applicable TTL), and we have:
$ date -Iseconds; (dig -t ANY sf-lug.org. +trace; dig -t ANY \
> sf-lug.com. +trace) | fgrep -i sf-lug | sed -e 's/[ ]*;.*$//;/^$/d'
2015-01-25T22:01:41-0800
sf-lug.org. 86400 IN NS ns.tx.primate.net.
sf-lug.org. 86400 IN NS ns.primate.net.
sf-lug.org. 86400 IN NS ns1.sf-lug.org.
sf-lug.org. 7200 IN NS ns.primate.net.
sf-lug.org. 7200 IN NS ns1.sf-lug.org.
sf-lug.org. 7200 IN NS ns.tx.primate.net.
sf-lug.org. 7200 IN A 208.96.15.252
sf-lug.org. 7200 IN SOA ns1.sf-lug.org. jim.well.com. 113020525 10800 3600 604800 3600
sf-lug.com. 172800 IN NS ns.primate.net.
sf-lug.com. 172800 IN NS ns.tx.primate.net.
sf-lug.com. 172800 IN NS ns1.sf-lug.com.
sf-lug.com. 86400 IN NS ns2.sf-lug.com.
sf-lug.com. 86400 IN NS ns.primate.net.
sf-lug.com. 86400 IN NS ns1.sf-lug.com.
sf-lug.com. 86400 IN NS ns.tx.primate.net.
sf-lug.com. 86400 IN A 208.96.15.252
sf-lug.com. 86400 IN MX 5 mail.sf-lug.com.
sf-lug.com. 86400 IN TXT "v=spf1 a mx -all"
sf-lug.com. 86400 IN SOA ns1.sf-lug.com. jim.well.com. 2015012200 3600 3600 1209600 10800
// Basically looks good, the one bit that should change - at least for
// now - is pull out ns2.sf-lug.com. - so it's consistent with upstream
// (we can readd it again later, after registrar transfer - but in the
// meantime probably better and cleaner to have both consistent).
// Also, I'm not presently particularly concerned about removing that
// record and then proceeding, despite the TTL, as ns2.sf-lug.com. is
// still/again functional slave, and it's also on the "also-notify" list
// from the master, so it will still get updated. But before tweaking
// that, let's recheck "glue" records.
$ dig @$(dig -t NS com. +short | head -n 1) -t A ns1.sf-lug.com. \
> +noall +norecurse +additional | fgrep -i sf-lug | sed -e \
> 's/[ ]*;.*$//;/^$/d'
ns1.sf-lug.com. 172800 IN A 208.96.15.252
$ dig @$(dig -t NS org. +short | head -n 1) -t A ns1.sf-lug.org. \
> +noall +norecurse +additional | fgrep -i sf-lug | sed -e \
> 's/[ ]*;.*$//;/^$/d'
ns1.sf-lug.org. 86400 IN A 208.96.15.252
// "glue" records still look fine, let's tweak ("temporarily" remove)
// ns2.sf-lug.com. until we're all well done and past the registrar
// transfer stuff.
# hostname && pwd -P && rlog -r1.7 sf-lug.com && rcsdiff -r1.6 \
> sf-lug.com
sflug
/etc/bind/master
RCS file: RCS/sf-lug.com,v
Working file: sf-lug.com
head: 1.7
branch:
locks: strict
access list:
symbolic names:
keyword substitution: kv
total revisions: 7; selected revisions: 1
description:
sf-lug.com
----------------------------
revision 1.7
date: 2015/01/26 06:21:23; author: root; state: Exp; lines: +3 -3
"temporarily" removed (commented out) ns2 for now,
to be consistent with upstream/authority, prior to registrar transfer
=============================================================================
===================================================================
RCS file: RCS/sf-lug.com,v
retrieving revision 1.6
diff -r1.6 sf-lug.com
5c5
< 2015012200 ; SERIAL
---
> 2015012500 ; SERIAL
15c15
< IN NS ns2 ; linuxmafia.com. Rick Moen
rick at linuxmafia.com rick at deirdre.net 1-650-283-7902
---
> ; IN NS ns2 ; linuxmafia.com. Rick Moen
> rick at linuxmafia.com rick at deirdre.net 1-650-283-7902
28c28
< ns2 IN A 198.144.195.186 ; linuxmafia.com. Rick Moen
rick at linuxmafia.com rick at deirdre.net 1-650-283-7902
---
> ;ns2 IN A 198.144.195.186 ; linuxmafia.com. Rick Moen
> rick at linuxmafia.com rick at deirdre.net 1-650-283-7902
#
// and rechecking our also-notify includes 198.144.195.186:
$ hostname && pwd -P && grep 'inc.*local' named.conf
sflug
/etc/bind
include "/etc/bind/named.conf.local";
$ sed -ne '11,22p' named.conf.local
zone "sf-lug.com" IN {
type master;
allow-transfer {
any; # nothing here worth hiding / ease slave setups
# 198.144.195.186; # ns2.sf-lug.com. / linuxmafia.com.
# 127/8; # localdomain (as a diagnostic/test aid)
};
also-notify {
198.144.194.12; # ns.primate.net.
2001:470:1f04:51a::2; # ns.primate.net.
72.249.38.88; # ns.tx.primate.net.
198.144.195.186; # linuxmafia.com.
$
// I typically omitted showing the nameserver reloads after the
// configuration file changes, e.g.:
// # (cd / && umask 022 && service bind9 reload)
// Take them as implied. :-)
// And checking:
$ dig @208.96.15.252 -t SOA sf-lug.com. +short
ns1.sf-lug.com. jim.well.com. 2015012500 3600 3600 1209600 10800
$ dig @208.96.15.252 -t ANY ns2.sf-lug.com. | fgrep NX
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19260
$ dig @208.96.15.252 -t NS sf-lug.com. | fgrep -i ns2
$
// And we can even check our also notify not-presently delegated "lame"
// server has picked up the updates (notably for anything that still
// hits it for DNS before TTL has expired, and before we get done all
// the registrar transfer stuff and add it back in):
$ dig @198.144.195.186 -t SOA sf-lug.com. +short
ns1.sf-lug.com. jim.well.com. 2015012500 3600 3600 1209600 10800
// So ... DNS now looks quite sufficiently set for us to proceed to
// registrar transfer steps ... except we should check registrar domain
// expiration dates/times first ...
$ 2>&1 whois -H sf-lug.org | fgrep -i expir
Registry Expiry Date: 2015-07-02T21:17:47Z
$ 2>&1 whois -H sf-lug.com | fgrep -i expir | fgrep 20
Expiration Date: 02-jul-2015
Registrar Registration Expiration Date: 2015-07-02T04:00:00Z
$
// That's sufficiently far in future, so we should be fine for starting
// the process for registrar transfer (presuming also registrant contact
// details and email and such are correct and current)
>>>>>>> On 01/06/2015 01:58 AM, Michael Paoli wrote:
>>>>>>>> For sf-lug.com
>>>>>>>> You'll want to update those to:
>>>>>>>> Name Server 1: NS1.SF-LUG.COM
>>>>>>>> Name Server 2: NS.PRIMATE.NET
>>>>>>>> Name Server 3: NS.TX.PRIMATE.NET
>>>>>>>> Looks like Network Solutions may not automatically ask you for the
>>>>>>>> "glue" records. For NS.PRIMATE.NET and NS.TX.PRIMATE.NET they
>>>>>>>> aren't needed, and for NS1.SF-LUG.COM, it already has the
>>>>>>>> "glue" record
>>>>>>>> in place, so you probably don't need to tell it that
>>>>>>>> information again.
>>>>>>>> For sf-lug.org, things are rather similar, but you need to start by
>>>>>>>> changing its entries to no longer point at
>>>>>>>> "Network Solutions Name Servers", you'll need to put in:
>>>>>>>> Name Server 1: NS1.SF-LUG.ORG
>>>>>>>> Name Server 2: NS.PRIMATE.NET
>>>>>>>> Name Server 3: NS.TX.PRIMATE.NET
>>>>>>>>>>>>>>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>>>>>>>>>>>>>>> Subject: SF-LUG - DNS
>>>>>>>>>>>>>>> Date: Sat, 15 Mar 2014 10:00:47 -0700
>>>>>>>>>>>>>>> $ dig -t NS sf-lug.org. +short
>>>>>>>>>>>>>>> ns42.worldnic.com.
>>>>>>>>>>>>>>> ns41.worldnic.com.
>>>>>>>>>>>>>>> $
>>>>>>>>>>>>>>> For sf-lug.org., looks like you have those at some
>>>>>>>>>>>>>>> registrar or hosting
>>>>>>>>>>>>>>> provider. You'll need to use whatever their procedures
>>>>>>>>>>>>>>> are to update
>>>>>>>>>>>>>>> those.