[sf-lug] DNSSEC for SFLUG.{org,com,net}

Al Whaley awsflug at sunnyside.com
Sat May 18 13:23:36 PDT 2019


Michael,
Well, I got my part done, but there is a problem at ns.primate.net.
It doesn't know sflug.com or sflug.net; it only knows sflug.org.
There is also a problem with a mismatched IPv6 address record, which only shows
with sflug.net IIRC - curious, since those domains are not even available
at primate.
I didn't investigate that, just reported the problems in my earlier email.

Al

On 5/18/2019 10:56, Michael Paoli wrote:
> Al Whaley,
>
> Thanks, looks like you (I presume) got it in there and it's
> operational* now:
> $ delv sflug.org SOA
> ; fully validated
> sflug.org.              85700   IN      SOA     ns1.sflug.org. jim.well.com. 1557834269 10800 3600 1209600 86400
> sflug.org.              85700   IN      RRSIG   SOA 8 2 86400 20190613114720 20190514104720 36426 sflug.org.
> Xn4qLyqaM6AJkGQDsRi5ydq+AE7I0Xvlv/zPCzrFd8DyTZzTnH2nC65m
> LFOuuU8dg8OM1nIMocrrXJeaNtYhUlKHoW0i/m82gdwW28JzyBa3jrVo
> BXVpexl2Mnuay18snX5m5tTuqIkeUBORRMx+wzGyR7cY+8rDKR4Rxor+ UD4=
> $ delv sflug.com SOA
> ; fully validated
> sflug.com.              85704   IN      SOA     ns1.sflug.com. jim.well.com. 1557834269 10800 3600 1209600 86400
> sflug.com.              85704   IN      RRSIG   SOA 8 2 86400 20190613114720 20190514104720 20055 sflug.com.
> MABcUqmMhFnUt+rM+XBsXTOeSc8MbnMA3L3pPjInubY0lvyNRZCxVtY/
> pdDDqN+taaJmMQTA5EQQLAcV0TZvv2zwwjh9KeAWVPVL8Q1pSNg7y/Dv
> cEkWi3CVICMyDWVEl3f3LqUqNZWj/7wMYaPKQRv/KEhfzowberf+7ye7 qF8=
> $ delv sflug.net SOA
> ; fully validated
> sflug.net.              86400   IN      SOA     ns1.sflug.net. jim.well.com. 1557834269 10800 3600 1209600 86400
> sflug.net.              86400   IN      RRSIG   SOA 8 2 86400 20190613114720 20190514104720 9573 sflug.net.
> cgWlEUAZG0nO/ljeBj7buNxWE7Uuqr6MqRa6QDYMWcmSQgj95h+55tWL
> p5aPAOKdiJD0B+o5teGcOwnDzIaJX2CPQ5i1VusK9SkGqnJTqHddEO1s
> GynQbINnCf/DqyfcLVdKhRhFrc2CiLjmPM+9edoo8Fs3aQa1BEC353qR oGg=
> $
>
> *or will fully be, Internet-wide, notwithstanding TTLs up to 2 days.
>
>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>> Subject: DNSSEC for SFLUG.{org,com,net}
>> Date: Thu, 16 May 2019 21:11:54 -0700
>
>> Al Whaley,
>>
>> We're ready to add DNSSEC for the sflug.{org,com,net} domains, at your
>> earliest convenience.  Or if you want to set up so myself and/or some
>> select other(s) have access, we can put that in there.
>>
>> Note also the procedure/interface varies among registrars. Also, some
>> don't take all/both types of DS records, but will take at least one
>> of the two.  Some also automagically get that information for the
>> domain, based upon the NS server(s), and mostly just have one confirm
>> it.
>>
>> Once in, should be fully effective for the domain in 1 or 2 days,
>> depending upon the relevant TTLs for the domain.
>>
>> Can add these records for the respective domains:
>> $ (for d in sflug.org sflug.com sflug.net; do dig @127.0.0.1 "$d". DNSKEY | dnssec-dsfromkey -f - "$d"; done)
>> sflug.org. IN DS 55585 8 1 98A75CFA42FD409525BB4ED7341C80FA9808B342
>> sflug.org. IN DS 55585 8 2 D50AA68F2A9A19651E46070FA0A5C504F6B396FD28A1CFD97F95D6202A703D80
>> sflug.com. IN DS 53530 8 1 5751BD013715760110ECEC4E7443CD32596C097D
>> sflug.com. IN DS 53530 8 2 355263CAA896A885617AE9D6744852DEE77759878271136E3BD894A1765CA821
>> sflug.net. IN DS 21535 8 1 91CB453D67DDBEE00F9E327C202EA2EB18C7FFF5
>> sflug.net. IN DS 21535 8 2 C6BF88090E6E43369180CBC3B1BABEDC27D3822E708F00F23F83D6595265692C
>> $
>>
>> If you're not familiar, for DNSSEC, those are essentially
>> delegation records from the parent - effectively the analog of delegating
>> NS authority records.
>>
>> Also quite handy for quick visual fairly detailed overview of
>> situation and basic troubleshooting:
>> http://dnsviz.net/
>>
>> Anyway, please let me/us know when it's in place ... or I/we
>> have access to put it in place.
>>
>> Thanks.
>>
>>> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
>>> Subject: SF-LUG.INFO: Re: [sf-lug] And then there were 5: SFLUG.NET, 
>>> SFLUG.COM, SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re: 
>>> SFLUG.[...] Re: SFLUG.org
>>> Date: Thu, 18 Apr 2019 05:59:21 -0700
>>
>>> Once upon a time, at least for a while, we even had
>>> SF-LUG.INFO 8-O
>>>
>>> $ sed -ne '/^From /,/^$/{/^[Dd][Aa][Tt][Ee]:/H;/^[Ss][Uu][Bb][Jj][Ee][Cc][Tt]: .*[Ss][Ff]-[Ll][Uu][Gg].[Ii][Nn][Ff][Oo]/H;/^$/{x;/[Ss][Ff]-[Ll][Uu][Gg].[Ii][Nn][Ff][Oo]/p;s/.*//;x;};}' sf-lug.mbox
>>>
>>> Date: Sat, 02 Jan 2016 20:22:38 -0800
>>> Subject: [sf-lug] How sf-lug.info ended up on the Network Solutions /
>>>
>>> Date: Sat, 2 Jan 2016 22:16:26 -0800
>>> Subject: Re: [sf-lug] How sf-lug.info ended up on the Network 
>>> Solutions /
>>>
>>> Date: Wed, 28 Sep 2016 23:39:21 -0700
>>> Subject: [sf-lug] Bye-bye sf-lug.info.,
>>>
>>> Date: Thu, 29 Sep 2016 08:35:05 -0700
>>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>>>
>>> Date: Fri, 30 Sep 2016 12:12:16 -0700
>>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>>>
>>> Date: Tue, 11 Oct 2016 22:55:46 -0700
>>> Subject: Re: [sf-lug] Bye-bye sf-lug.info.,
>>> $
>>>
>>> So ... we had SF-LUG.INFO over range of about:
>>> 2015-09-28T20:01:47Z--2016-09-28T20:01:47Z
>>>
>>> http://linuxmafia.com/pipermail/sf-lug/2016q1/011612.html
>>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012267.html
>>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012268.html
>>> http://linuxmafia.com/pipermail/sf-lug/2016q3/012269.html
>>> http://linuxmafia.com/pipermail/sf-lug/2016q4/012289.html
>>>
>>>> From: jim <jim at well.com>
>>>> Subject: Re: [sf-lug] And then there were 5: SFLUG.NET, SFLUG.COM, 
>>>> SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re: SFLUG.[...] 
>>>> Re: SFLUG.org
>>>> Date: Sat, 13 Apr 2019 18:41:37 -0400
>>>
>>>>
>>>> My understanding is that the .NET domain
>>>> is for entities that are providing network
>>>> services to the internet; if so, then .NET
>>>> is inappropriate for a LUG.
>>>>
>>>>
>>>> On 4/13/19 6:32 PM, Michael Paoli wrote:
>>>>> Okay. :-)
>>>>> That sounds like a "no" to SF-LUG.NET.
>>>>> I'd generally think 5 is (more than) adequate.
>>>>> We have, in I believe reverse chronological:
>>>>> SFLUG.NET
>>>>> SFLUG.COM
>>>>> SFLUG.ORG
>>>>> SF-LUG.COM
>>>>> SF-LUG.ORG
>>>>>
>>>>>> From: jim <jim at well.com>
>>>>>> Subject: Re: [sf-lug] And then there were 5: SFLUG.NET, 
>>>>>> SFLUG.COM, SFLUG, ORG, SF-LUG.COM, SF-LUG.ORG: Re: SFLUG.COM Re: 
>>>>>> SFLUG.[...] Re: SFLUG.org
>>>>>> Date: Sat, 13 Apr 2019 18:16:17 -0400
>>>>>
>>>>>>
>>>>>> "we" used to own SF-LUG.NET but later
>>>>>> (several years ago) tho't better of it.
>>>>>>
>>>>>>
>>>>>> On 4/13/19 3:31 AM, Michael Paoli wrote:
>>>>>>> Uhm, are we done adding domains for a while now, or ... are we gonna pick up
>>>>>>> yet more?  SF-LUG.NET also seems available, but I don't know that Jim
>>>>>>> specifically suggested that ... nor up to how many domains he's willing
>>>>>>> to be reimbursing folks for.
>>>>>>> http://linuxmafia.com/pipermail/sf-lug/2019q2/013999.html
>>>>>>> Sounds like we've already (slightly) more than covered the domains Jim was
>>>>>>> specifically referencing.
>>>>>>>
>>>>>>> Anyway, master now available for not only sflug.org.
>>>>>>> but also now sflug.com. and sflug.net.:
>>>>>>> ns1.sf-lug.org.:
>>>>>>> 198.144.194.238
>>>>>>> 2001:470:1f04:19e::2
>>>>>>> Not sure where the slaves may be in the process.
>>>>>>> Rick - if you want to coordinate with Al, you do also have access to
>>>>>>> edit those zone masters:
>>>>>>> balug-sf-lug-v2.balug.org
>>>>>>> User rick may run the following commands on balug-sf-lug-v2:
>>>>>>>     (root) sudoedit /etc/bind/master/sflug.org
>>>>>>>     (root) /usr/sbin/rndc reload sflug.org
>>>>>>>     (root) /usr/sbin/rndc notify sflug.org
>>>>>>>     (root) sudoedit /etc/bind/master/sflug.com
>>>>>>>     (root) /usr/sbin/rndc reload sflug.com
>>>>>>>     (root) /usr/sbin/rndc notify sflug.com
>>>>>>>     (root) sudoedit /etc/bind/master/sflug.net
>>>>>>>     (root) /usr/sbin/rndc reload sflug.net
>>>>>>>     (root) /usr/sbin/rndc notify sflug.net
>>>>>>> E.g. if Al wants to provide additional slave(s) - and maybe we don't
>>>>>>> want to "pester" Aaron to add slave(s) for yet 2 more domains.
>>>>>>> I was also thinking we might want to (also) use puck.nether.net.
>>>>>>> for slave services on some of these domains.
>>>>>>>
>>>>>>> Note also: Webserver knows about sflug.org, but thus far knows nothing
>>>>>>> about sflug.com nor sflug.net.
>>>>>>> Also DNSSEC ... the zones are set up for that ... for the newer ones,
>>>>>>> notably sflug.com and sflug.net - we'll want to wait a bit before
>>>>>>> putting in the (DS) delegation data for that - notably TTLs - want any
>>>>>>> negative caching, etc. to first expire, lest we bust DNSSEC by putting
>>>>>>> it in "too fast".
>>>>>>> Anyway, it's set up with BIND9's in-line signing - so serials served by
>>>>>>> DNS may be slightly ahead of what's in master zone files,
>>>>>>> and one should use seconds since the epoch - that's how I have bind
>>>>>>> configured to sign 'em.  The masters also generally have handy bit 'o
>>>>>>> comment around that: date +%s
>>>>>>> With GNU date, that'll get 'ya seconds since the epoch.
>>>>>>>
>>>>>>>> From: Al <awsflug at sunnyside.com>
>>>>>>>> Subject: Re: [sf-lug] SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>>>>>>>> Date: Fri, 12 Apr 2019 08:00:22 -0700
>>>>>>>
>>>>>>>> FYI I've set sflug.{org,net,com} into a group.
>>>>>>>>
>>>>>>>> On 4/12/2019 07:47, Michael Paoli wrote:
>>>>>>>>> Rick - thanks on the offers.
>>>>>>>>>
>>>>>>>>> Added to the "queue" ... but my queue overfloweth, and it will never
>>>>>>>>> /all/ get done.  I'll likely pick it up sometime after SFLUG.ORG
>>>>>>>>> has actually been delegated and/or after when I've gotten some
>>>>>>>>> higher priority BerkeleyLUG.com tasks moved further along.
>>>>>>>>>
>>>>>>>>> In the meantime, I don't see any particular need to rush on SFLUG.COM ...
>>>>>>>>> it's not like something used significantly - or even at all - by
>>>>>>>>> SF-LUG suddenly broke and needs fixin', or there's been some great
>>>>>>>>> need to get SFLUG.COM operational for SF-LUG.  Anyway, shall get around
>>>>>>>>> to it, ... just may take a bit (later this month? next month?).
>>>>>>>>>
>>>>>>>>>> From: "Rick Moen" <rick at linuxmafia.com>
>>>>>>>>>> Subject: Re: [sf-lug] SFLUG.COM Re: SFLUG.[...] Re: SFLUG.org
>>>>>>>>>> Date: Thu, 11 Apr 2019 23:23:50 -0700
>>>>>>>>>
>>>>>>>>>> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>>>>>>>>>>
>>>>>>>>>>> And ... I'm guestimating Al has snapped up SFLUG.COM.
>>>>>>>>>> [...]
>>>>>>>>>>> Yep:
>>>>>>>>>>> Registrant Name: Al Whaley
>>>>>>>>>>
>>>>>>>>>> Well, same secondary DNS offer is on the plate: Let me know when/if
>>>>>>>>>> ns1.linuxmafia.com and ns1.svlug.org can AXFR it, and I'll set that up
>>>>>>>>>> in a flash.  Assuming you want.
>
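An added example, not code from this thread nor from BIND's dnssec-dsfromkey, showing how the DS lines quoted above are derived from a DNSKEY and how to check a DS record against the key the child zone actually serves before handing it to a registrar. It uses the DNSKEY format dig prints and a constructed key set whose "public key" is a four-byte placeholder rather than a usable RSA key, so the tag and digests it produces are illustrative only. The point worth seeing in code: the DS digest is computed over the canonical owner name plus the DNSKEY RDATA, so the same key material under sflug.com and sflug.net yields different DS records, and a DS that does not match any served KSK breaks validation for the whole zone once resolvers see it.

```python
"""Derive DS records from a DNSKEY and check them against what a parent publishes.

Added example for this thread, not code from the list or from BIND; the DNSKEY
set used at the bottom is constructed (its "public key" is four bytes, not a
usable RSA key), so the numbers it prints are for illustration only.
"""
import base64
import hashlib

# DS digest type -> hash (RFC 4034 section 5.1.3, RFC 4509): the "8 1" lines in
# the thread are SHA-1 digests, the "8 2" lines SHA-256 digests.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case,
    length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' as dig prints it;
    the base64 key may arrive split into whitespace-separated chunks."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(dnskey_line, digest_types=(1, 2)):
    """DS RRs (presentation format) for one DNSKEY, in the layout dnssec-dsfromkey
    prints. The digest covers owner name + RDATA, so the same key under a
    different owner name yields a different DS."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    tag = key_tag(rdata)
    name = owner.rstrip(".") + "."
    return [
        f"{name} IN DS {tag} {alg} {dt} "
        f"{DS_DIGESTS[dt](owner_wire(owner) + rdata).hexdigest().upper()}"
        for dt in digest_types
    ]


def ds_matches(ds_line, dnskey_line):
    """True if a DS record (as published by the parent/registrar) matches a
    DNSKEY (as served by the child zone): same algorithm, key tag and digest."""
    tag, alg, dt, digest = ds_line.split()[-4:]
    owner, flags, proto, key_alg, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, key_alg, key)
    if int(alg) != key_alg or int(tag) != key_tag(rdata) or int(dt) not in DS_DIGESTS:
        return False
    expected = DS_DIGESTS[int(dt)](owner_wire(owner) + rdata).hexdigest()
    return expected.lower() == digest.lower()


def unmatched_ds(ds_lines, dnskey_lines):
    """DS records with no matching DNSKEY in the served key set. Anything returned
    here means the delegation fails validation once resolvers pick up that DS."""
    return [ds for ds in ds_lines if not any(ds_matches(ds, k) for k in dnskey_lines)]


if __name__ == "__main__":
    # Constructed DNSKEY set: a KSK (flags 257, SEP bit set) and a ZSK (flags 256).
    keys = [
        "example. 3600 IN DNSKEY 257 3 8 AQIDBA==",
        "example. 3600 IN DNSKEY 256 3 8 BQYHCA==",
    ]
    # Derive DS only for keys with the SEP bit set, i.e. the KSK (a choice made
    # here; it mirrors the usual practice of pointing the parent at the KSK).
    ksks = [k for k in keys if parse_dnskey(k)[1] & 1]
    for ds in (d for k in ksks for d in ds_records(k)):
        print(ds)
    # Pre-publication check: every DS we are about to hand the registrar must
    # match a key the zone serves; an empty list is the answer we want.
    print("unmatched:", unmatched_ds(ds_records(ksks[0]), keys))
```

In practice the DNSKEY lines would come from `dig @<master> <zone>. DNSKEY` against the signing master, and the DS lines from `dig <zone>. DS` against the parent once the registrar has published them; running `unmatched_ds` on those two lists is the offline equivalent of the "fully validated" line delv prints, and it is also the quickest way to spot a DS that was pasted under the wrong domain.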
