[sf-lug] DNSSEC for SFLUG.{org,com,net}

Michael Paoli Michael.Paoli at cal.berkeley.edu
Thu May 16 21:11:54 PDT 2019


Al Whaley,

We're ready to add DNSSEC for the sflug.{org,com,net} domains, at your
earliest convenience.  Or if you want to set up so myself and/or some
select other(s) have access, we can put that in there.

Note also the procedure/interface varies among registrars.  Also, some
don't take all/both types of DS records, but will take at least one
of the two.  Some also automagically get that information for the
domain, based upon the NS server(s), and mostly just have one confirm
it.

Once in, should be fully effective for the domain in 1 or 2 days,
depending upon the relevant TTLs for the domain.

Can add these records for the respective domains:
$ (for d in sflug.org sflug.com sflug.net; do dig @127.0.0.1 "$d". DNSKEY | dnssec-dsfromkey -f - "$d"; done)
sflug.org. IN DS 55585 8 1 98A75CFA42FD409525BB4ED7341C80FA9808B342
sflug.org. IN DS 55585 8 2 D50AA68F2A9A19651E46070FA0A5C504F6B396FD28A1CFD97F95D6202A703D80
sflug.com. IN DS 53530 8 1 5751BD013715760110ECEC4E7443CD32596C097D
sflug.com. IN DS 53530 8 2 355263CAA896A885617AE9D6744852DEE77759878271136E3BD894A1765CA821
sflug.net. IN DS 21535 8 1 91CB453D67DDBEE00F9E327C202EA2EB18C7FFF5
sflug.net. IN DS 21535 8 2 C6BF88090E6E43369180CBC3B1BABEDC27D3822E708F00F23F83D6595265692C
$

If you're not familiar, for DNSSEC, those are essentially
delegation records from parent - effectively analog of delegating
NS authority records.

Also quite handy for quick visual fairly detailed overview of
situation and basic troubleshooting:
http://dnsviz.net/

Anyway, please let me/us know when it's in place ... or I/we
have access to put it in place.

Thanks.

> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> Subject: SF-LUG.INFO: Re: [sf-lug] And then there were 5: SFLUG.NET,  
> SFLUG.COM, SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re:  
> SFLUG.[...] Re: SFLUG.org
> Date: Thu, 18 Apr 2019 05:59:21 -0700

> Once upon a time, at least for a while, we even had
> SF-LUG.INFO 8-O
>
> $ sed -ne '/^From /,/^$/{/^[Dd][Aa][Tt][Ee]:/H;/^[Ss][Uu][Bb][Jj][Ee][Cc][Tt]: .*[Ss][Ff]-[Ll][Uu][Gg].[Ii][Nn][Ff][Oo]/H;/^$/{x;/[Ss][Ff]-[Ll][Uu][Gg].[Ii][Nn][Ff][Oo]/p;s/.*//;x;};}' sf-lug.mbox
>
> Date: Sat, 02 Jan 2016 20:22:38 -0800
> Subject: [sf-lug] How sf-lug.info ended up on the Network Solutions /
>
> Date: Sat, 2 Jan 2016 22:16:26 -0800
> Subject: Re: [sf-lug] How sf-lug.info ended up on the Network Solutions /
>
> Date: Wed, 28 Sep 2016 23:39:21 -0700
> Subject: [sf-lug] Bye-bye sf-lug.info.,
>
> Date: Thu, 29 Sep 2016 08:35:05 -0700
> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>
> Date: Fri, 30 Sep 2016 12:12:16 -0700
> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>
> Date: Tue, 11 Oct 2016 22:55:46 -0700
> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
> $
>
> So ... we had SF-LUG.INFO over range of about:
> 2015-09-28T20:01:47Z--2016-09-28T20:01:47Z
>
> http://linuxmafia.com/pipermail/sf-lug/2016q1/011612.html
> http://linuxmafia.com/pipermail/sf-lug/2016q3/012267.html
> http://linuxmafia.com/pipermail/sf-lug/2016q3/012268.html
> http://linuxmafia.com/pipermail/sf-lug/2016q3/012269.html
> http://linuxmafia.com/pipermail/sf-lug/2016q4/012289.html
>
>> From: jim <jim at well.com>
>> Subject: Re: [sf-lug] And then there were 5: SFLUG.NET, SFLUG.COM,  
>> SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re: SFLUG.[...]  
>> Re: SFLUG.org
>> Date: Sat, 13 Apr 2019 18:41:37 -0400
>
>>
>> My understanding is that the .NET domain
>> is for entities that are providing network
>> services to the internet; if so, then .NET
>> is inappropriate for a LUG.
>>
>>
>> On 4/13/19 6:32 PM, Michael Paoli wrote:
>>> Okay. :-)
>>> That sounds like a "no" to SF-LUG.NET.
>>> I'd generally think 5 is (more than) adequate.
>>> We have, in I believe reverse chronological:
>>> SFLUG.NET
>>> SFLUG.COM
>>> SFLUG.ORG
>>> SF-LUG.COM
>>> SF-LUG.ORG
>>>
>>>> From: jim <jim at well.com>
>>>> Subject: Re: [sf-lug] And then there were 5: SFLUG.NET,  
>>>> SFLUG.COM, SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re:  
>>>> SFLUG.[...] Re: SFLUG.org
>>>> Date: Sat, 13 Apr 2019 18:16:17 -0400
>>>
>>>>
>>>> "we" used to own SF-LUG.NET but later
>>>> (several years ago) tho't better of it.
>>>>
>>>>
>>>> On 4/13/19 3:31 AM, Michael Paoli wrote:
>>>>> Uhm, are we done adding domains for a while now, or ... are we gonna
>>>>> pick up yet more?  SF-LUG.NET also seems available, but I don't know
>>>>> that Jim specifically suggested that ... nor up to how many domains
>>>>> he's willing to be reimbursing folks for.
>>>>> http://linuxmafia.com/pipermail/sf-lug/2019q2/013999.html
>>>>> Sounds like we've already (slightly) more than covered the domains
>>>>> Jim was specifically referencing.
>>>>>
>>>>> Anyway, master now available for not only sflug.org.
>>>>> but also now sflug.com. and sflug.net.:
>>>>> ns1.sf-lug.org.:
>>>>> 198.144.194.238
>>>>> 2001:470:1f04:19e::2
>>>>> Not sure where the slaves may be in the process.
>>>>> Rick - if you want to coordinate with Al, you do also have access to
>>>>> edit those zone masters:
>>>>> balug-sf-lug-v2.balug.org
>>>>> User rick may run the following commands on balug-sf-lug-v2:
>>>>>     (root) sudoedit /etc/bind/master/sflug.org
>>>>>     (root) /usr/sbin/rndc reload sflug.org
>>>>>     (root) /usr/sbin/rndc notify sflug.org
>>>>>     (root) sudoedit /etc/bind/master/sflug.com
>>>>>     (root) /usr/sbin/rndc reload sflug.com
>>>>>     (root) /usr/sbin/rndc notify sflug.com
>>>>>     (root) sudoedit /etc/bind/master/sflug.net
>>>>>     (root) /usr/sbin/rndc reload sflug.net
>>>>>     (root) /usr/sbin/rndc notify sflug.net
>>>>> E.g. if Al wants to provide additional slave(s) - and maybe we don't
>>>>> want to "pester" Aaron to add slave(s) for yet 2 more domains.
>>>>> I was also thinking we might want to (also) use puck.nether.net.
>>>>> for slave services on some of these domains.
>>>>>
>>>>> Note also: Webserver knows about sflug.org, but thus far knows nothing
>>>>> about sflug.com nor sflug.net.
>>>>> Also DNSSEC ... the zones are set up for that ... for the newer ones,
>>>>> notably sflug.com and sflug.net - we'll want to wait a bit before
>>>>> putting in the (DS) delegation data for that - notably TTLs - want any
>>>>> negative caching, etc. to first expire, lest we bust DNSSEC by putting
>>>>> it in "too fast".
>>>>> Anyway, it's set up with BIND9's in-line signing - so serials served by
>>>>> DNS may be slightly ahead of what's in master zone files,
>>>>> and one should use seconds since the epoch - that's how I have bind
>>>>> configured to sign 'em.  The masters also generally have handy bit 'o
>>>>> comment around that: date +%s
>>>>> With GNU date, that'll get 'ya seconds since the epoch.
>>>>>
>>>>>> From: Al <awsflug at sunnyside.com>
>>>>>> Subject: Re: [sf-lug] SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>>>>>> Date: Fri, 12 Apr 2019 08:00:22 -0700
>>>>>
>>>>>> FYI I've set sflug.{org,net,com} into a group.
>>>>>>
>>>>>> On 4/12/2019 07:47, Michael Paoli wrote:
>>>>>>> Rick - thanks on the offers.
>>>>>>>
>>>>>>> Added to the "queue" ... but my queue overfloweth, and it will never
>>>>>>> /all/ get done.  I'll likely pick it up sometime after SFLUG.ORG
>>>>>>> has actually been delegated and/or after when I've gotten some
>>>>>>> higher priority BerkeleyLUG.com tasks moved further along.
>>>>>>>
>>>>>>> In the meantime, I don't see any particular need to rush on  
>>>>>>> SFLUG.COM ...
>>>>>>> it's not like something used significantly - or even at all - by
>>>>>>> SF-LUG suddenly broke and needs fixin', or there's been some great
>>>>>>> need to SFLUG.COM operational for SF-LUG.  Anyway, shall get around
>>>>>>> to it, ... just may take a bit (later this month?  next month?).
>>>>>>>
>>>>>>>> From: "Rick Moen" <rick at linuxmafia.com>
>>>>>>>> Subject: Re: [sf-lug] SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>>>>>>>> Date: Thu, 11 Apr 2019 23:23:50 -0700
>>>>>>>
>>>>>>>> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>>>>>>>>
>>>>>>>>> And ... I'm guesstimating Al has snapped up SFLUG.COM.
>>>>>>>> [...]
>>>>>>>>> Yep:
>>>>>>>>> Registrant Name: Al Whaley
>>>>>>>>
>>>>>>>> Well, same secondary DNS offer is on the plate:  Let me know when/if
>>>>>>>> ns1.linuxmafia.com and ns1.svlug.org can AXFR it, and I'll set that up
>>>>>>>> in a flash.  Assuming you want.
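
Added example (not part of the original post or of BIND): how a DS record of digest type 1 or 2 is derived from a DNSKEY per RFC 4034, and a check that the DS lines entered at the registrar match the zone's key before they go live. The function names and SAMPLE_RDATA are assumptions made for illustration; the key material is constructed, not a real key.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical (lowercase) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """Return (key_tag, algorithm, digest_type, HEXDIGEST) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def parse_ds(line):
    """Parse 'name. IN DS tag alg type digest' as printed by dnssec-dsfromkey."""
    owner, _cls, _typ, tag, alg, dtype, *digest = line.split()
    return owner, (int(tag), int(alg), int(dtype), "".join(digest).upper())

def check_parent_ds(owner, rdata, parent_lines):
    """Map each parent DS line to True if it matches the child's DNSKEY."""
    want = owner.lower().rstrip(".")
    result = {}
    for line in parent_lines:
        ds_owner, ds = parse_ds(line)
        result[line] = (ds_owner.lower().rstrip(".") == want and ds[2] in DIGESTS
                        and ds == make_ds(owner, rdata, ds[2]))
    return result

# Constructed sample key material (not a real key, not taken from the post).
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, base64.b64encode(bytes(range(64))).decode())
```

A DS line at the parent that maps to False here would make validating resolvers treat the zone as bogus once it is published, so it is worth running the comparison on the registrar's copy before saving it.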



