[sf-lug] DNSSEC for SFLUG.{org,com,net}

Al Whaley awsflug at sunnyside.com
Fri May 17 08:38:01 PDT 2019


Michael,
Godaddy allows directly entering the DS glue records with the usual 4 
elements as shown by your dnssec-dsfromkey output.
You should be able to see them now.  There are a few bugs.
.org works; errors on .com and .net.
Getting complaints about IPv6 glue address mismatch for primate on 
sflug.net and rcode REFUSED on AAAA records (i.e. server not responding 
to sflug.net) (primate doesn't know the domain).
On sflug.com the glue record is OK, but "ns.primate.net returns REFUSED 
for sflug.com/SOA" - primate doesn't know the domain.
see http://dnsviz.net/d/sflug.net/dnssec and 
https://dnssec-analyzer.verisignlabs.com/sflug.{com,net} for details.

Al


On 5/16/2019 21:11, Michael Paoli wrote:
> Al Whaley,
>
> We're ready to add DNSSEC for the sflug.{org,com,net} domains, at your
> earliest convenience.  Or if you want to set up so myself and/or some
> select other(s) have access, we can put that in there.
>
> Note also the procedure/interface varies among registrars.  Also, some
> don't take all/both types of DS records, but will take at least one
> of the two.  Some also automagically get that information for the
> domain, based upon the NS server(s), and mostly just have one confirm
> it.
>
> Once in, should be fully effective for the domain in 1 or 2 days,
> depending upon the relevant TTLs for the domain.
>
> Can add these records for the respective domains:
> $ (for d in sflug.org sflug.com sflug.net; do dig @127.0.0.1 "$d". 
> DNSKEY | dnssec-dsfromkey -f - "$d"; done)
> sflug.org. IN DS 55585 8 1 98A75CFA42FD409525BB4ED7341C80FA9808B342
> sflug.org. IN DS 55585 8 2 
> D50AA68F2A9A19651E46070FA0A5C504F6B396FD28A1CFD97F95D6202A703D80
> sflug.com. IN DS 53530 8 1 5751BD013715760110ECEC4E7443CD32596C097D
> sflug.com. IN DS 53530 8 2 
> 355263CAA896A885617AE9D6744852DEE77759878271136E3BD894A1765CA821
> sflug.net. IN DS 21535 8 1 91CB453D67DDBEE00F9E327C202EA2EB18C7FFF5
> sflug.net. IN DS 21535 8 2 
> C6BF88090E6E43369180CBC3B1BABEDC27D3822E708F00F23F83D6595265692C
> $
>
> If you're not familiar, for DNSSEC, those are essentially
> delegation records from parent - effectively analog of delegating
> NS authority records.
>
> Also quite handy for quick visual fairly detailed overview of
> situation and basic troubleshooting:
> http://dnsviz.net/
>
> Anyway, please let me/us know when it's in place ... or I/we
> have access to put it in place.
>
> Thanks.
>
>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>> Subject: SF-LUG.INFO: Re: [sf-lug] And then there were 5: SFLUG.NET, 
>> SFLUG.COM, SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re: 
>> SFLUG.[...] Re: SFLUG.org
>> Date: Thu, 18 Apr 2019 05:59:21 -0700
>
>> Once upon a time, at least for a while, we even had
>> SF-LUG.INFO 8-O
>>
>> $ sed -ne '/^From 
>> /,/^$/{/^[Dd][Aa][Tt][Ee]:/H;/^[Ss][Uu][Bb][Jj][Ee][Cc][Tt]: 
>> .*[Ss][Ff]-[Ll][Uu][Gg].[Ii][Nn][Ff][Oo]/H;/^$/{x;/[Ss][Ff]-[Ll][Uu][Gg].[Ii][Nn][Ff][Oo]/p;s/.*//;x;};}' 
>> sf-lug.mbox
>>
>> Date: Sat, 02 Jan 2016 20:22:38 -0800
>> Subject: [sf-lug] How sf-lug.info ended up on the Network Solutions /
>>
>> Date: Sat, 2 Jan 2016 22:16:26 -0800
>> Subject: Re: [sf-lug] How sf-lug.info ended up on the Network 
>> Solutions /
>>
>> Date: Wed, 28 Sep 2016 23:39:21 -0700
>> Subject: [sf-lug] Bye-bye sf-lug.info.,
>>
>> Date: Thu, 29 Sep 2016 08:35:05 -0700
>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>>
>> Date: Fri, 30 Sep 2016 12:12:16 -0700
>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>>
>> Date: Tue, 11 Oct 2016 22:55:46 -0700
>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>> $
>>
>> So ... we had SF-LUG.INFO over range of about:
>> 2015-09-28T20:01:47Z--2016-09-28T20:01:47Z
>>
>> http://linuxmafia.com/pipermail/sf-lug/2016q1/011612.html
>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012267.html
>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012268.html
>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012269.html
>> http://linuxmafia.com/pipermail/sf-lug/2016q4/012289.html
>>
>>> From: jim <jim at well.com>
>>> Subject: Re: [sf-lug] And then there were 5: SFLUG.NET, SFLUG.COM, 
>>> SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re: SFLUG.[...] 
>>> Re: SFLUG.org
>>> Date: Sat, 13 Apr 2019 18:41:37 -0400
>>
>>>
>>> My understanding is that the .NET domain
>>> is for entities that are providing network
>>> services to the internet; if so, then .NET
>>> is inappropriate for a LUG.
>>>
>>>
>>> On 4/13/19 6:32 PM, Michael Paoli wrote:
>>>> Okay. :-)
>>>> That sounds like a "no" to SF-LUG.NET.
>>>> I'd generally think 5 is (more than) adequate.
>>>> We have, in I believe reverse chronological:
>>>> SFLUG.NET
>>>> SFLUG.COM
>>>> SFLUG.ORG
>>>> SF-LUG.COM
>>>> SF-LUG.ORG
>>>>
>>>>> From: jim <jim at well.com>
>>>>> Subject: Re: [sf-lug] And then there were 5: SFLUG.NET, SFLUG.COM, 
>>>>> SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re: SFLUG.[...] 
>>>>> Re: SFLUG.org
>>>>> Date: Sat, 13 Apr 2019 18:16:17 -0400
>>>>
>>>>>
>>>>> "we" used to own SF-LUG.NET but later
>>>>> (several years ago) tho't better of it.
>>>>>
>>>>>
>>>>> On 4/13/19 3:31 AM, Michael Paoli wrote:
>>>>>> Uhm, are we done adding domains for a while now, or ... are we 
>>>>>> gonna pick up
>>>>>> yet more?  SF-LUG.NET also seems available, but I don't know that 
>>>>>> Jim
>>>>>> specifically suggested that ... nor up to how many domains he's 
>>>>>> willing
>>>>>> to be reimbursing folks for.
>>>>>> http://linuxmafia.com/pipermail/sf-lug/2019q2/013999.html
>>>>>> Sounds like we've already (slightly) more than covered the 
>>>>>> domains Jim was
>>>>>> specifically referencing.
>>>>>>
>>>>>> Anyway, master now available for not only sflug.org.
>>>>>> but also now sflug.com. and sflug.net.:
>>>>>> ns1.sf-lug.org.:
>>>>>> 198.144.194.238
>>>>>> 2001:470:1f04:19e::2
>>>>>> Not sure where the slaves may be in the process.
>>>>>> Rick - if you want to coordinate with Al, you do also have access to
>>>>>> edit those zone masters:
>>>>>> balug-sf-lug-v2.balug.org
>>>>>> User rick may run the following commands on balug-sf-lug-v2:
>>>>>>     (root) sudoedit /etc/bind/master/sflug.org
>>>>>>     (root) /usr/sbin/rndc reload sflug.org
>>>>>>     (root) /usr/sbin/rndc notify sflug.org
>>>>>>     (root) sudoedit /etc/bind/master/sflug.com
>>>>>>     (root) /usr/sbin/rndc reload sflug.com
>>>>>>     (root) /usr/sbin/rndc notify sflug.com
>>>>>>     (root) sudoedit /etc/bind/master/sflug.net
>>>>>>     (root) /usr/sbin/rndc reload sflug.net
>>>>>>     (root) /usr/sbin/rndc notify sflug.net
>>>>>> E.g. if Al wants to provide additional slave(s) - and maybe we don't
>>>>>> want to "pester" Aaron to add slave(s) for yet 2 more domains.
>>>>>> I was also thinking we might want to (also) use puck.nether.net.
>>>>>> for slave services on some of these domains.
>>>>>>
>>>>>> Note also: Webserver knows about sflug.org, but thus far knows 
>>>>>> nothing
>>>>>> about sflug.com nor sflug.net.
>>>>>> Also DNSSEC ... the zones are set up for that ... for the newer 
>>>>>> ones,
>>>>>> notably sflug.com and sflug.net - we'll want to wait a bit before
>>>>>> putting in the (DS) delegation data for that - notably TTLs - 
>>>>>> want any
>>>>>> negative caching, etc. to first expire, lest we bust DNSSEC by 
>>>>>> putting
>>>>>> it in "too fast".
>>>>>> Anyway, it's set up with BIND9's in-line signing - so serials 
>>>>>> served by
>>>>>> DNS may be slightly ahead of what's in master zone files,
>>>>>> and one should use seconds since the epoch - that's how I have bind
>>>>>> configured to sign 'em.  The masters also generally have handy 
>>>>>> bit 'o
>>>>>> comment around that: date +%s
>>>>>> With GNU date, that'll get 'ya seconds since the epoch.
>>>>>>
>>>>>>> From: Al <awsflug at sunnyside.com>
>>>>>>> Subject: Re: [sf-lug] SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>>>>>>> Date: Fri, 12 Apr 2019 08:00:22 -0700
>>>>>>
>>>>>>> FYI I've set sflug.{org,net,com} into a group.
>>>>>>>
>>>>>>> On 4/12/2019 07:47, Michael Paoli wrote:
>>>>>>>> Rick - thanks on the offers.
>>>>>>>>
>>>>>>>> Added to the "queue" ... but my queue overfloweth, and it will 
>>>>>>>> never
>>>>>>>> /all/ get done.  I'll likely pick it up sometime after SFLUG.ORG
>>>>>>>> has actually been delegated and/or after when I've gotten some
>>>>>>>> higher priority BerkeleyLUG.com tasks moved further along.
>>>>>>>>
>>>>>>>> In the meantime, I don't see any particular need to rush on 
>>>>>>>> SFLUG.COM ...
>>>>>>>> it's not like something used significantly - or even at all - by
>>>>>>>> SF-LUG suddenly broke and needs fixin', or there's been some great
>>>>>>>> need to SFLUG.COM operational for SF-LUG.  Anyway, shall get 
>>>>>>>> around
>>>>>>>> to it, ... just may take a bit (later this month? next month?).
>>>>>>>>
>>>>>>>>> From: "Rick Moen" <rick at linuxmafia.com>
>>>>>>>>> Subject: Re: [sf-lug] SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>>>>>>>>> Date: Thu, 11 Apr 2019 23:23:50 -0700
>>>>>>>>
>>>>>>>>> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>>>>>>>>>
>>>>>>>>>> And ... I'm guestimating Al has snapped up SFLUG.COM.
>>>>>>>>> [...]
>>>>>>>>>> Yep:
>>>>>>>>>> Registrant Name: Al Whaley
>>>>>>>>>
>>>>>>>>> Well, same secondary DNS offer is on the plate: Let me know 
>>>>>>>>> when/if
>>>>>>>>> ns1.linuxmafia.com and ns1.svlug.org can AXFR it, and I'll set 
>>>>>>>>> that up
>>>>>>>>> in a flash.  Assuming you want.
>
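The four DS values Al entered at the registrar (key tag, algorithm, digest type, digest) are derived from the zone's DNSKEY exactly as dnssec-dsfromkey derives them in the quoted output above. The following is an added example, not code from this thread or from BIND: it rebuilds that derivation per RFC 4034/4509 and adds a check that a DS line (e.g. one pasted into a registrar form) really matches the DNSKEY, which is the thing to verify before a DS goes live. The key AQIDBA== is a constructed toy value, not any real SFLUG key; real keys are the base64 blob from `dig DNSKEY`.

```python
import base64
import hashlib

# Digest type -> hash function: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name: length-prefixed labels, zero terminated."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK), 1-byte protocol (3), 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> list:
    """Both DS RRs (digest types 1 and 2) in presentation form; digest = H(owner_wire || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    tag = key_tag(rdata)
    return [
        f"{owner} IN DS {tag} {algorithm} {dtype} {h(name_to_wire(owner) + rdata).hexdigest().upper()}"
        for dtype, h in sorted(DIGEST_ALGS.items())
    ]

def ds_fields(ds_line: str):
    """The four values a registrar form asks for: key tag, algorithm, digest type, digest."""
    parts = ds_line.split()
    i = parts.index("DS")
    # Join the trailing tokens so a digest that was wrapped onto a second line still parses.
    return int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3]), "".join(parts[i + 4:]).upper()

def ds_matches_key(ds_line: str, owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> bool:
    """Check a DS line (e.g. what was typed into the registrar) against the zone's DNSKEY."""
    return ds_fields(ds_line) in [ds_fields(r) for r in ds_records(owner, flags, protocol, algorithm, key_b64)]

if __name__ == "__main__":
    # Constructed toy key (base64 of bytes 01 02 03 04), not a real SFLUG DNSKEY.
    for rr in ds_records("sflug.org.", 257, 3, 8, "AQIDBA=="):
        print(rr)
```

A mismatch between the DS in the parent and the DNSKEY the child serves is one of the failures dnsviz flags, so checking the four fields against the live DNSKEY before and after entering them is worth the minute it takes.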