[sf-lug] DNSSEC for SFLUG.{org,com,net}
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Sat May 18 10:56:39 PDT 2019
Al Whaley,
Thanks, looks like you (I presume) got it in there and it's
operational* now:
$ delv sflug.org SOA
; fully validated
sflug.org. 85700 IN SOA ns1.sflug.org.
jim.well.com. 1557834269 10800 3600 1209600 86400
sflug.org. 85700 IN RRSIG SOA 8 2 86400
20190613114720 20190514104720 36426 sflug.org.
Xn4qLyqaM6AJkGQDsRi5ydq+AE7I0Xvlv/zPCzrFd8DyTZzTnH2nC65m
LFOuuU8dg8OM1nIMocrrXJeaNtYhUlKHoW0i/m82gdwW28JzyBa3jrVo
BXVpexl2Mnuay18snX5m5tTuqIkeUBORRMx+wzGyR7cY+8rDKR4Rxor+ UD4=
$ delv sflug.com SOA
; fully validated
sflug.com. 85704 IN SOA ns1.sflug.com.
jim.well.com. 1557834269 10800 3600 1209600 86400
sflug.com. 85704 IN RRSIG SOA 8 2 86400
20190613114720 20190514104720 20055 sflug.com.
MABcUqmMhFnUt+rM+XBsXTOeSc8MbnMA3L3pPjInubY0lvyNRZCxVtY/
pdDDqN+taaJmMQTA5EQQLAcV0TZvv2zwwjh9KeAWVPVL8Q1pSNg7y/Dv
cEkWi3CVICMyDWVEl3f3LqUqNZWj/7wMYaPKQRv/KEhfzowberf+7ye7 qF8=
$ delv sflug.net SOA
; fully validated
sflug.net. 86400 IN SOA ns1.sflug.net.
jim.well.com. 1557834269 10800 3600 1209600 86400
sflug.net. 86400 IN RRSIG SOA 8 2 86400
20190613114720 20190514104720 9573 sflug.net.
cgWlEUAZG0nO/ljeBj7buNxWE7Uuqr6MqRa6QDYMWcmSQgj95h+55tWL
p5aPAOKdiJD0B+o5teGcOwnDzIaJX2CPQ5i1VusK9SkGqnJTqHddEO1s
GynQbINnCf/DqyfcLVdKhRhFrc2CiLjmPM+9edoo8Fs3aQa1BEC353qR oGg=
$
*or will fully be, Internet-wide, notwithstanding TTLs up to 2 days.
> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> Subject: DNSSEC for SFLUG.{org,com,net}
> Date: Thu, 16 May 2019 21:11:54 -0700
> Al Whaley,
>
> We're ready to add DNSSEC for the sflug.{org,com,net} domains, at your
> earliest convenience. Or if you want to set up so myself and/or some
> select other(s) have access, we can put that in there.
>
> Note also the procedure/interface varies among registrars. Also, some
> don't take all/both types of DS records, but will take at least one
> of the two. Some also automagically get that information for the
> domain, based upon the NS server(s), and mostly just have one confirm
> it.
>
> Once in, should be fully effective for the domain in 1 or 2 days,
> depending upon the relevant TTLs for the domain.
>
> Can add these records for the respective domains:
> $ (for d in sflug.org sflug.com sflug.net; do dig @127.0.0.1 "$d".
> DNSKEY | dnssec-dsfromkey -f - "$d"; done)
> sflug.org. IN DS 55585 8 1 98A75CFA42FD409525BB4ED7341C80FA9808B342
> sflug.org. IN DS 55585 8 2
> D50AA68F2A9A19651E46070FA0A5C504F6B396FD28A1CFD97F95D6202A703D80
> sflug.com. IN DS 53530 8 1 5751BD013715760110ECEC4E7443CD32596C097D
> sflug.com. IN DS 53530 8 2
> 355263CAA896A885617AE9D6744852DEE77759878271136E3BD894A1765CA821
> sflug.net. IN DS 21535 8 1 91CB453D67DDBEE00F9E327C202EA2EB18C7FFF5
> sflug.net. IN DS 21535 8 2
> C6BF88090E6E43369180CBC3B1BABEDC27D3822E708F00F23F83D6595265692C
> $
>
> If you're not familiar, for DNSSEC, those are essentially
> delegation records from parent - effectively analog of delegating
> NS authority records.
>
> Also quite handy for quick visual fairly detailed overview of
> situation and basic troubleshooting:
> http://dnsviz.net/
>
> Anyway, please let me/us know when it's in place ... or I/we
> have access to put it in place.
>
> Thanks.
>
>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>> Subject: SF-LUG.INFO: Re: [sf-lug] And then there were 5:
>> SFLUG.NET, SFLUG.COM, SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re:
>> SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>> Date: Thu, 18 Apr 2019 05:59:21 -0700
>
>> Once upon a time, at least for a while, we even had
>> SF-LUG.INFO 8-O
>>
>> $ sed -ne '/^From
>> /,/^$/{/^[Dd][Aa][Tt][Ee]:/H;/^[Ss][Uu][Bb][Jj][Ee][Cc][Tt]:
>> .*[Ss][Ff]-[Ll][Uu][Gg].[Ii][Nn][Ff][Oo]/H;/^$/{x;/[Ss][Ff]-[Ll][Uu][Gg].[Ii][Nn][Ff][Oo]/p;s/.*//;x;};}'
>> sf-lug.mbox
>>
>> Date: Sat, 02 Jan 2016 20:22:38 -0800
>> Subject: [sf-lug] How sf-lug.info ended up on the Network Solutions /
>>
>> Date: Sat, 2 Jan 2016 22:16:26 -0800
>> Subject: Re: [sf-lug] How sf-lug.info ended up on the Network Solutions /
>>
>> Date: Wed, 28 Sep 2016 23:39:21 -0700
>> Subject: [sf-lug] Bye-bye sf-lug.info.,
>>
>> Date: Thu, 29 Sep 2016 08:35:05 -0700
>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>>
>> Date: Fri, 30 Sep 2016 12:12:16 -0700
>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>>
>> Date: Tue, 11 Oct 2016 22:55:46 -0700
>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>> $
>>
>> So ... we had SF-LUG.INFO over range of about:
>> 2015-09-28T20:01:47Z--2016-09-28T20:01:47Z
>>
>> http://linuxmafia.com/pipermail/sf-lug/2016q1/011612.html
>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012267.html
>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012268.html
>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012269.html
>> http://linuxmafia.com/pipermail/sf-lug/2016q4/012289.html
>>
>>> From: jim <jim at well.com>
>>> Subject: Re: [sf-lug] And then there were 5: SFLUG.NET, SFLUG.COM,
>>> SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re: SFLUG.[...]
>>> Re: SFLUG.org
>>> Date: Sat, 13 Apr 2019 18:41:37 -0400
>>
>>>
>>> My understanding is that the .NET domain
>>> is for entities that are providing network
>>> services to the internet; if so, then .NET
>>> is inappropriate for a LUG.
>>>
>>>
>>> On 4/13/19 6:32 PM, Michael Paoli wrote:
>>>> Okay. :-)
>>>> That sounds like a "no" to SF-LUG.NET.
>>>> I'd generally think 5 is (more than) adequate.
>>>> We have, in I believe reverse chronological:
>>>> SFLUG.NET
>>>> SFLUG.COM
>>>> SFLUG.ORG
>>>> SF-LUG.COM
>>>> SF-LUG.ORG
>>>>
>>>>> From: jim <jim at well.com>
>>>>> Subject: Re: [sf-lug] And then there were 5: SFLUG.NET,
>>>>> SFLUG.COM, SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re:
>>>>> SFLUG.[...] Re: SFLUG.org
>>>>> Date: Sat, 13 Apr 2019 18:16:17 -0400
>>>>
>>>>>
>>>>> "we" used to own SF-LUG.NET but later
>>>>> (several years ago) tho't better of it.
>>>>>
>>>>>
>>>>> On 4/13/19 3:31 AM, Michael Paoli wrote:
>>>>>> Uhm, are we done adding domains for a while now, or ... are we
>>>>>> gonna pick up
>>>>>> yet more? SF-LUG.NET also seems available, but I don't know that Jim
>>>>>> specifically suggested that ... nor up to how many domains he's willing
>>>>>> to be reimbursing folks for.
>>>>>> http://linuxmafia.com/pipermail/sf-lug/2019q2/013999.html
>>>>>> Sounds like we've already (slightly) more than covered the
>>>>>> domains Jim was
>>>>>> specifically referencing.
>>>>>>
>>>>>> Anyway, master now available for not only sflug.org.
>>>>>> but also now sflug.com. and sflug.net.:
>>>>>> ns1.sf-lug.org.:
>>>>>> 198.144.194.238
>>>>>> 2001:470:1f04:19e::2
>>>>>> Not sure where the slaves may be in the process.
>>>>>> Rick - if you want to coordinate with Al, you do also have access to
>>>>>> edit those zone masters:
>>>>>> balug-sf-lug-v2.balug.org
>>>>>> User rick may run the following commands on balug-sf-lug-v2:
>>>>>> (root) sudoedit /etc/bind/master/sflug.org
>>>>>> (root) /usr/sbin/rndc reload sflug.org
>>>>>> (root) /usr/sbin/rndc notify sflug.org
>>>>>> (root) sudoedit /etc/bind/master/sflug.com
>>>>>> (root) /usr/sbin/rndc reload sflug.com
>>>>>> (root) /usr/sbin/rndc notify sflug.com
>>>>>> (root) sudoedit /etc/bind/master/sflug.net
>>>>>> (root) /usr/sbin/rndc reload sflug.net
>>>>>> (root) /usr/sbin/rndc notify sflug.net
>>>>>> E.g. if Al wants to provide additional slave(s) - and maybe we don't
>>>>>> want to "pester" Aaron to add slave(s) for yet 2 more domains.
>>>>>> I was also thinking we might want to (also) use puck.nether.net.
>>>>>> for slave services on some of these domains.
>>>>>>
>>>>>> Note also: Webserver knows about sflug.org, but thus far knows nothing
>>>>>> about sflug.com nor sflug.net.
>>>>>> Also DNSSEC ... the zones are set up for that ... for the newer ones,
>>>>>> notably sflug.com and sflug.net - we'll want to wait a bit before
>>>>>> putting in the (DS) delegation data for that - notably TTLs - want any
>>>>>> negative caching, etc. to first expire, lest we bust DNSSEC by putting
>>>>>> it in "too fast".
>>>>>> Anyway, it's set up with BIND9's in-line signing - so serials served by
>>>>>> DNS may be slightly ahead of what's in master zone files,
>>>>>> and one should use seconds since the epoch - that's how I have bind
>>>>>> configured to sign 'em. The masters also generally have handy bit 'o
>>>>>> comment around that: date +%s
>>>>>> With GNU date, that'll get 'ya seconds since the epoch.
>>>>>>
>>>>>>> From: Al <awsflug at sunnyside.com>
>>>>>>> Subject: Re: [sf-lug] SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>>>>>>> Date: Fri, 12 Apr 2019 08:00:22 -0700
>>>>>>
>>>>>>> FYI I've set sflug.{org,net,com} into a group.
>>>>>>>
>>>>>>> On 4/12/2019 07:47, Michael Paoli wrote:
>>>>>>>> Rick - thanks on the offers.
>>>>>>>>
>>>>>>>> Added to the "queue" ... but my queue overfloweth, and it will never
>>>>>>>> /all/ get done. I'll likely pick it up sometime after SFLUG.ORG
>>>>>>>> has actually been delegated and/or after when I've gotten some
>>>>>>>> higher priority BerkeleyLUG.com tasks moved further along.
>>>>>>>>
>>>>>>>> In the meantime, I don't see any particular need to rush on
>>>>>>>> SFLUG.COM ...
>>>>>>>> it's not like something used significantly - or even at all - by
>>>>>>>> SF-LUG suddenly broke and needs fixin', or there's been some great
>>>>>>>> need to SFLUG.COM operational for SF-LUG. Anyway, shall get around
>>>>>>>> to it, ... just may take a bit (later this month? next month?).
>>>>>>>>
>>>>>>>>> From: "Rick Moen" <rick at linuxmafia.com>
>>>>>>>>> Subject: Re: [sf-lug] SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>>>>>>>>> Date: Thu, 11 Apr 2019 23:23:50 -0700
>>>>>>>>
>>>>>>>>> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>>>>>>>>>
>>>>>>>>>> And ... I'm guestimating Al has snapped up SFLUG.COM.
>>>>>>>>> [...]
>>>>>>>>>> Yep:
>>>>>>>>>> Registrant Name: Al Whaley
>>>>>>>>>
>>>>>>>>> Well, same secondary DNS offer is on the plate: Let me know when/if
>>>>>>>>> ns1.linuxmafia.com and ns1.svlug.org can AXFR it, and I'll
>>>>>>>>> set that up
>>>>>>>>> in a flash. Assuming you want.
More information about the sf-lug
mailing list