[sf-lug] SFLUG.org

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Apr 10 23:10:58 PDT 2019


I've still not yet heard a consensus or approximation thereof ... yet,
that [www.]sflug.org should be the canonical (or not ... or when).
In any case, now with some config changes in place on
web server, and awaiting delegation of DNS ... once delegated,
http[s]://[www.]sflug.org/
will at least have somewhere to go:

$ curl -s -I --resolve sflug.org:80:198.144.194.238 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
HTTP/1.1 301 Moved Permanently
Location: http://www.sf-lug.org/
$ curl -s -I --resolve sflug.org:80:2001:470:1f05:19e::3 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
HTTP/1.1 301 Moved Permanently
Location: http://www.sf-lug.org/
$ curl -k -s -I --resolve sflug.org:443:198.144.194.238 https://sflug.org/ | egrep -i '^(HTTP/|Location: )'
HTTP/1.1 301 Moved Permanently
Location: https://www.sf-lug.org/
$ curl -k -s -I --resolve sflug.org:443:2001:470:1f05:19e::3 https://sflug.org/ | egrep -i '^(HTTP/|Location: )'
HTTP/1.1 301 Moved Permanently
Location: https://www.sf-lug.org/
$ dig @ns1.sf-lug.org. +norecurse +short sflug.org. NS
ns1.svlug.org.
ns.primate.net.
ns1.linuxmafia.com.
ns1.sf-lug.org.
$ dig @ns1.sf-lug.org. +norecurse +noall +answer +nottl sflug.org. A sflug.org. AAAA www.sflug.org. A www.sflug.org. AAAA
sflug.org.              IN      A       198.144.194.238
sflug.org.              IN      AAAA    2001:470:1f05:19e::3
www.sflug.org.          IN      A       198.144.194.238
www.sflug.org.          IN      AAAA    2001:470:1f05:19e::3
$ dig +norecurse +noall +comments +answer +nottl sflug.org. A sflug.org. AAAA www.sflug.org. A www.sflug.org. AAAA | sed -ne '/^;.*NX/p;/^;.*FAIL/p;/^;.*ANSWER:/p;/^;/d;/^$/d;p' | sort -u
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
$

There are also some other domains in DNS, e.g.:
[www.][ipv[46].]sflug.org
AXFR is open to all for sflug.org. from ns1.sf-lug.org.

Still don't have proper certs there ... that would be after someone
provides key(s) (securely) and cert(s), etc. ... or after DNS is delegated.

> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> Subject: SFLUG.org Re: [sf-lug] Domain administration (broken WHOIS)
> Date: Sun, 07 Apr 2019 21:02:19 -0700

>> From: Al <awsflug at sunnyside.com>
>> Subject: Re: [sf-lug] Domain administration (broken WHOIS)
>> Date: Sat, 6 Apr 2019 15:43:43 -0700
>
>> sflug.org - Rick mentioned that it was available so I grabbed it.
>> I've learned not to wait on those things - it often doesn't end well.
>> Now I'll just sit back and listen to the conversation and wait and
>> see if anyone actually wants to use it.  I don't need to own it.  I can
>> also "point" it somewhere.  Doesn't seem yet that there's a definite
>
> SFLUG.org ... "Of course" ...
> $ dig +noall +answer +nottl sf-lug.org. A www.sf-lug.org. A sf-lug.org. AAAA www.sf-lug.org. AAAA sf-lug.com. A www.sf-lug.com. A sf-lug.com. AAAA www.sf-lug.com. AAAA | sort -k 3b -k 1,1
> sf-lug.com.             IN      A       198.144.194.238
> sf-lug.org.             IN      A       198.144.194.238
> www.sf-lug.com.         IN      A       198.144.194.238
> www.sf-lug.org.         IN      A       198.144.194.238
> sf-lug.com.             IN      AAAA    2001:470:1f05:19e::3
> sf-lug.org.             IN      AAAA    2001:470:1f05:19e::3
> www.sf-lug.com.         IN      AAAA    2001:470:1f05:19e::3
> www.sf-lug.org.         IN      AAAA    2001:470:1f05:19e::3
> $
>
> It's not merely as simple as "just point DNS at ..."
> $ curl -s -I --resolve sflug.org:80:198.144.194.238 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
> HTTP/1.1 302 Found
> Location: http://www.balug.org/
> $ curl -6 -s -I --resolve sflug.org:80:2001:470:1f05:19e::3 http://sflug.org/ | egrep -i '^(HTTP/|Location: )'
> HTTP/1.1 302 Found
> Location: http://www.balug.org/
> $
>
> $ dig +noall +answer +nottl balug.org. A www.balug.org. A
> balug.org.              IN      A       198.144.194.238
> www.balug.org.          IN      A       198.144.194.238
> $
> Note that many domains go to that same IPv4 IP - even multiple go to the
> same IPv6 IP.
>
> "Of course" sometimes folks forget that with email too.  8-O
>
> Not to mention certs.
> $ curl -I --resolve sflug.org:443:198.144.194.238 https://sflug.org/
> curl: (51) SSL: no alternative certificate subject name matches target host name 'sflug.org'
> $ curl -I --resolve sflug.org:443:2001:470:1f05:19e::3 https://sflug.org/
> curl: (51) SSL: no alternative certificate subject name matches target host name 'sflug.org'
> $
>
> $ nmap -Pn -r -sT -p 443 --script=ssl-cert www.sf-lug.org | egrep '^\| (Subject Alternative Name|Not valid after):'
> | Subject Alternative Name: DNS:*.ipv4.sf-lug.org, DNS:*.ipv6.sf-lug.org, DNS:*.sf-lug.com, DNS:*.sf-lug.org, DNS:sf-lug.com, DNS:sf-lug.org
> | Not valid after:  2019-05-22T10:05:40
> $
>
> I generally do letsencrypt.org issued certs.  For wildcard certs on
> that, effectively need control of DNS (need to put specific records in
> at challenge time).
>
> "Of course" y'all could always set up your own site with redirection and
> certs 'n all.  ;-)
>
> Jim Stockford - and a handful of others (myself, Grant Bowman,
> Kim Davalos, Todd Hawley) have access to edit the www.sf-lug.org site.
> So, "of course", there are, at least potentially, question(s) of who's
> got access/control of domain(s), avoiding single points of failure (at
> least as feasible), who's got access to edit site, how is it backed
> up, etc.  Some folks (myself, Jim Stockford, Grant Bowman) also all have
> access to edit the sf-lug.org (& sf-lug.com) master DNS data (and
> Jim and myself have access to update registrant
> DNS (authority/delegation, glue, DNSSEC, ...) with the registrar).
>
> Anyway, ... maybe I'll wait a bit 'till the dust settles.  :-)
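
Why curl reports error 51 for sflug.org while the same server and cert work for www.sf-lug.org, as an added example that is not part of the original message: a POSIX sh check of a hostname against the SAN list shown in the nmap output above. The function names `san_covers` and `covering_san` are hypothetical, and the wildcard rule assumed is the usual one, where a `*.` entry stands for exactly one leftmost label.

```shell
#!/bin/sh
# Added example. SAN entries copied from the nmap ssl-cert output quoted above.
CERT_SANS='*.ipv4.sf-lug.org
*.ipv6.sf-lug.org
*.sf-lug.com
*.sf-lug.org
sf-lug.com
sf-lug.org'

# san_covers HOST SAN: status 0 if this one SAN entry covers HOST.
san_covers() {
    # DNS names compare case-insensitively; drop a trailing root dot.
    _h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); _h=${_h%.}
    _s=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $_s in
        '*.'*)
            _suffix=${_s#?}            # "*.sf-lug.org" -> ".sf-lug.org"
            _label=${_h%"$_suffix"}    # what the "*" would have to stand for
            # HOST must end in the suffix and leave a non-empty label ...
            [ "$_label" != "$_h" ] && [ -n "$_label" ] || return 1
            # ... and that label must be a single label (no dots).
            case $_label in *.*) return 1 ;; esac
            return 0 ;;
        *)  [ "$_h" = "$_s" ] ;;       # non-wildcard entry: exact match only
    esac
}

# covering_san HOST: print the first SAN that covers HOST.
# Status 1 when none does, which is the case curl reports as error 51.
covering_san() {
    while IFS= read -r _san; do
        if san_covers "$1" "$_san"; then
            printf '%s\n' "$_san"
            return 0
        fi
    done <<EOF
$CERT_SANS
EOF
    return 1
}

# Names from the thread: the two new ones are not covered by the existing cert.
for name in www.sf-lug.org sf-lug.com sflug.org www.sflug.org; do
    printf '%-16s %s\n' "$name" "$(covering_san "$name" || echo 'NOT COVERED')"
done
```

Running `covering_san` over every name a server is about to answer for shows, before DNS is delegated, which names still need a cert.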



