[sf-lug] sf-lug.net & sf-lug.com ready for DNS delegation & slaves, etc. (was: Re: Got domains? (sf-lug.{net, com} ...?))

Michael Paoli Michael.Paoli at cal.berkeley.edu
Thu Sep 12 21:20:30 PDT 2019


Al & Rick,

DNS master for sf-lug.net & sf-lug.com is ready for slaves.
Master IPs: 198.144.194.238 2001:470:1f05:19e::3
(each domain/zone has one master, two IPs each - one IPv4, one IPv6)
I've presumed for slaves - let me & Al know if this should be
adjusted at all:
Al:
sf-lug.net.             IN      NS      ns0.sunnyside.com.
sf-lug.net.             IN      NS      ns1.sunnyside.com.
sf-lug.com.             IN      NS      ns0.sunnyside.com.
sf-lug.com.             IN      NS      ns1.sunnyside.com.
Rick:
sf-lug.net.             IN      NS      ns1.linuxmafia.com.
sf-lug.net.             IN      NS      ns1.svlug.org.
sf-lug.com.             IN      NS      ns1.linuxmafia.com.
sf-lug.com.             IN      NS      ns1.svlug.org.
Any IP can snag the zones - so I don't need to be notified of
client/slave IPs doing so or changes in those IP addresses.
There will be some TTL adjustments to come
(most notably 3600 --> 172800), and possible other adjustments.

Al,
delegating sf-lug.net & sf-lug.com + DNSSEC, etc.:
"glue":
ns0.sf-lug.net.         IN      A       198.144.194.238
ns0.sf-lug.net.         IN      AAAA    2001:470:1f05:19e::3
ns0.sf-lug.com.         IN      A       198.144.194.238
ns0.sf-lug.com.         IN      AAAA    2001:470:1f05:19e::3
NS (presumed, unless I/we hear otherwise):
sf-lug.net.             IN      NS      ns0.sf-lug.net.
sf-lug.net.             IN      NS      ns0.sunnyside.com.
sf-lug.net.             IN      NS      ns1.sunnyside.com.
sf-lug.net.             IN      NS      ns1.linuxmafia.com.
sf-lug.net.             IN      NS      ns1.svlug.org.
sf-lug.com.             IN      NS      ns0.sf-lug.com.
sf-lug.com.             IN      NS      ns0.sunnyside.com.
sf-lug.com.             IN      NS      ns1.sunnyside.com.
sf-lug.com.             IN      NS      ns1.linuxmafia.com.
sf-lug.com.             IN      NS      ns1.svlug.org.
DNSSEC:
sf-lug.net. IN DS 32389 8 1 D214E3209D6F9216D027A98DA262487BAE996686
sf-lug.net. IN DS 32389 8 2 214959109C03B656C589C053EE8E20F4EE185A79B490D9AEB51CB30334D4CAFC
sf-lug.com. IN DS 33646 8 1 B7EA594BF6F0C4A2E44E737FEC45E31B8928C6BA
sf-lug.com. IN DS 33646 8 2 D3504F37A787E36E8A41922DF5C4E8EDD9C5C9A46343B1064EB7C70DA1E41297
SOA RNAME:
$ (for d in sf-lug.net sf-lug.com; do dig @127.0.0.1 +noall +answer +nottl +norecurse +multiline "$d". SOA | head -n 1 | awk '{print $5;}'; done) | sort -u
Michael\.Paoli.cal.berkeley.edu.
$
Let me know if you want some other email contact (e.g. yours) there,
rather than mine.

These are folks (in addition to myself) having access to be able
to alter the DNS zone master data (Al - let me know if you want to get
set up for this too):
# hostname; (for user in grantbow jstockford rick; do echo "$user"$(sed -ne "s/^$user"':[^:]*:[^:]*:[^:]*:\([^:,]*\)[:,].*$/:\1/p' /etc/passwd); sudo -l -U "$user" | sed -ne '/^User [^ ][^ ]* may run/,$p'; done) | grep -v '/su -'
balug-sf-lug-v2.balug.org
grantbow:Grant Bowman
User grantbow may run the following commands on balug-sf-lug-v2:
     (root) sudoedit /etc/bind/master/sf-lug.org, /usr/sbin/rndc reload sf-lug.org, /usr/sbin/rndc notify sf-lug.org, sudoedit /etc/bind/master/sflug.com, /usr/sbin/rndc reload sflug.com, /usr/sbin/rndc notify sflug.com, sudoedit /etc/bind/master/sflug.net, /usr/sbin/rndc reload sflug.net, /usr/sbin/rndc notify sflug.net, sudoedit /etc/bind/master/sflug.org, /usr/sbin/rndc reload sflug.org, /usr/sbin/rndc notify sflug.org, sudoedit /etc/bind/master/sf-lug.net, /usr/sbin/rndc reload sf-lug.net, /usr/sbin/rndc notify sf-lug.net, sudoedit /etc/bind/master/sf-lug.com, /usr/sbin/rndc reload sf-lug.com, /usr/sbin/rndc notify sf-lug.com
jstockford:Jim Stockford
User jstockford may run the following commands on balug-sf-lug-v2:
     (root) sudoedit /etc/bind/master/sf-lug.org, /usr/sbin/rndc reload sf-lug.org, /usr/sbin/rndc notify sf-lug.org, sudoedit /etc/bind/master/sflug.com, /usr/sbin/rndc reload sflug.com, /usr/sbin/rndc notify sflug.com, sudoedit /etc/bind/master/sflug.net, /usr/sbin/rndc reload sflug.net, /usr/sbin/rndc notify sflug.net, sudoedit /etc/bind/master/sflug.org, /usr/sbin/rndc reload sflug.org, /usr/sbin/rndc notify sflug.org, sudoedit /etc/bind/master/sf-lug.net, /usr/sbin/rndc reload sf-lug.net, /usr/sbin/rndc notify sf-lug.net, sudoedit /etc/bind/master/sf-lug.com, /usr/sbin/rndc reload sf-lug.com, /usr/sbin/rndc notify sf-lug.com
rick:Rick Moen
User rick may run the following commands on balug-sf-lug-v2:
     (root) sudoedit /etc/bind/master/sf-lug.org, /usr/sbin/rndc reload sf-lug.org, /usr/sbin/rndc notify sf-lug.org, sudoedit /etc/bind/master/sflug.com, /usr/sbin/rndc reload sflug.com, /usr/sbin/rndc notify sflug.com, sudoedit /etc/bind/master/sflug.net, /usr/sbin/rndc reload sflug.net, /usr/sbin/rndc notify sflug.net, sudoedit /etc/bind/master/sflug.org, /usr/sbin/rndc reload sflug.org, /usr/sbin/rndc notify sflug.org, sudoedit /etc/bind/master/sf-lug.net, /usr/sbin/rndc reload sf-lug.net, /usr/sbin/rndc notify sf-lug.net, sudoedit /etc/bind/master/sf-lug.com, /usr/sbin/rndc reload sf-lug.com, /usr/sbin/rndc notify sf-lug.com
#

The http[s] redirects for [www.]sf-lug.{net,com}
should be operational once DNS in place,
notwithstanding TLS(/"SSL") cert not yet covering
those names on https - I expect to have proper matching certs in place
for those by not later than
2019-11-06T09:03:58Z

Thanks all.

> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> To: "Al Whaley" <awsflug at sunnyside.com>
> Cc: SF-LUG <sf-lug at linuxmafia.com>
> Subject: Re: Got domains? (sf-lug.{net,com} ...?)
> Date: Wed, 11 Sep 2019 09:45:57 -0700

> Al,
>
> Thanks.  I'll take you up on option 1/one for those two domains then.
>
> I'm guestimating having my bits of it done sometime between now and
> end of next week (no shortage of other stuff goin' on too - including
> even other [L]UG stuff).  I'll update on relevant bits (notably
> when I'm ready for you to take any relevant next steps).
>
> Thanks.
>
>> From: "Al Whaley" <awsflug at sunnyside.com>
>> Subject: Re: Got domains? (sf-lug.{net,com} ...?) ... DNS slaves ...
>> Date: Tue, 10 Sep 2019 10:54:09 -0700
>
>> Mike,
>> I like option 1.  I'm happy to second.  I have set up the sf*lug.*  
>> domains to all draw characteristics from the same profile, so I can  
>> change the DNS servers  in the profile instead of the domains and  
>> right now they all switch to that profile immediately.
>> So for all the domains I have registered the name server list at .com is:
>> ns.primate.net
>> ns1.linuxmafia.com
>> NS1.SVLUG.ORG
>> NS1.SF-LUG.ORG
>>
>> I agree about multiple access to the registration data.  It might  
>> take making a different Godaddy account, since Godaddy has removed  
>> their functionality to allow other (free or not) accounts to have  
>> access to certain domains.  Godaddy doesn't allow multiple contacts  
>> in the registration data that I know of, but perhaps some other  
>> registrar is more appropriate.
>>
>> I have an auto-renewal script that's pretty good for letsencrypt -  
>> install and forget.  You're welcome to it.  Works for the whole set  
>> for https:, email, etc.
>>
>> I also like stability.
>> Al
>>
>> On 9/9/2019 21:49, Michael Paoli wrote:
>>> Al,
>>>
>>> How 'bout your (perhaps along with some other(s)) choice:
>>>
>>> For the domains (notably presently the non-canonical)
>>> sf-lug.NET and sf-lug.COM
>>>
>>> Can go one of two (general) routes/ways ... your choice (matters not
>>> much to me):
>>>
>>> First of all, there's a (presumed) general objective, that the
>>> non-canonicals suitably HTTP 301 redirect to the canonical,
>>> e.g.:
>>> http[s]://[www.]non-canonical/whatever... --> 301 -->
>>> http[s]://www.sf-lug.org/whatever...
>>> With protocol (http or https) (and port) remaining same,
>>> and pathname portion (whatever...) remaining same - likewise including
>>> any query portion, anchor, etc., and with proper recognized CA signed
>>> cert(s) installed for https://[www.]non-canonical/whatever...
>>> That (presumably) being the case,
>>> two general options on how to proceed on each such domain (and each
>>> domain can be decided independently):
>>>
>>> Option one:
>>> delegate me as DNS master (including "glue"):
>>> NON-CANONICAL.       IN   NS     ns0.NON-CANONICAL.
>>> ns0.NON-CANONICAL.   IN   A      198.144.194.238
>>> ns0.NON-CANONICAL.   IN   AAAA   2001:470:1f05:19e::3
>>> and then I'll:
>>> o set up DNS master
>>> o provide DNSSEC data to activate DNSSEC (typically installed via
>>> registrar interface(s) to install into delegating authority DNS)
>>> o arrange for DNS slaves (you're certainly welcome to volunteer for
>>> that!)
>>> o set up sudo access so appropriate SF-LUG folks can also update DNS
>>> master zone file data (feel free to volunteer if you want to be
>>> added to the folks that have such access)
>>> o set up the relevant http[s] redirects from non-canonical to canonical
>>> o set up and maintain the relevant TLS(/"SSL") cert(s) for https on the
>>> above (note that I may not add those until I get around to my <90
>>> day update/replacement cycle - for (my) efficiency, I tend to
>>> renew/replace all my certs right around the same time)
>>> o periodically backup the relevant data (folks can also volunteer to
>>> be yet another set of backup(s) for various SF-LUG data, if they
>>> so wish).
>>>
>>> Option two:
>>> You and/or other(s) can effectively provide that functionality (would
>>> mostly look the same to users - unless they particularly
>>> "peek under the hood" (look at various technical details) the
>>> differences would/should be effectively transparent to most users:
>>> o set up DNS, including master(s) and if/as applicable, slave(s)
>>> (I and/or others can also volunteer to provide slave services)
>>> o optionally implement DNSSEC
>>> o optionally set up access so additional appropriate SF-LUG folks can
>>> update/alter/maintain the relevant DNS (including master zone data).
>>> o set up the relevant http[s] redirects from non-canonical to canonical
>>> o set up and maintain the relevant TLS(/"SSL") cert(s) for https on the
>>> above
>>> o periodically backup the relevant data (if relevant access is made
>>> available, additional folk(s) may volunteer to also backup this data)
>>>
>>> And, as I'm sure Rick would be inclined to point out, would be good
>>> on the registrar's whois data for the registrant, to have multiple
>>> independent persons' names and email addresses in there, "just in case"
>>> (avoid single points of failure); and I'd be inclined to also say, may
>>> depend upon the registrar and what tools/capabilities they make
>>> available, but many have capabilities to add additional person(s) with
>>> access, and may have various granularity controls on that access, e.g.
>>> just be able to change DNS related data, or "everything" except
>>> accessing or using stored credit/debit billing data, or "everything" -
>>> particulars/capabilities vary by registrar.
>>>
>>> I'll also add (probably/hopefully mostly goes without saying - but to
>>> cover the bases), best not to be willy-nilly flippin' stuff back 'n
>>> forth, e.g. (especially majorly) switching between such options, adding
>>> domains, then dropping them, etc.  All such changes burn resources,
>>> and excessively/unnecessarily doing so, or even more so - folks also
>>> tend to get annoyed when their volunteered resources (e.g. time) are
>>> callously disregarded and effectively or much wasted because they're
>>> "free" - folks can always choose to do *other* things with their
>>> valuable limited resources.
>>>
>>> And thanks for all your work on this!  :-)
>>>
>>>> From: "Al Whaley" <awsflug at sunnyside.com>
>>>> Subject: Re: Got domains? (sf-lug.{net,com} ...?) ... DNS slaves ...
>>>> Date: Sun, 8 Sep 2019 20:27:30 -0700
>>>
>>>> It's not my impression that anyone in the actual sf-lug meeting  
>>>> group cares all that much, so I suppose we could set these
>>>> other domains up or we could for now just ignore them.
>>>> I'm certainly willing to slave DNS for them or other domains.
>>>>
>>>> On 9/8/2019 17:47, Michael Paoli wrote:
>>>>> Well, ... suppose I could set up DNS master & http[s] redirects ...
>>>>> "again" in the case of sf-lug.com ... and
>>>>> "new" in the case of sf-lug.net
>>>>> Wanna offer DNS slaves for such?
>>>>>
>>>>> ... or someone(s) else could do all that and set up suitable
>>>>> redirects, ... sf-lug.org thus far still being the canonical 'n
>>>>> all that.
>>>>>
>>>>> Let me know how you'd like to proceed.
>>>>>
>>>>> Also, while I'm thinking about DNS slaves, ... looking/hoping for
>>>>> some that are more responsive to NOTIFY events than puck.nether.net.
>>>>> Great that puck.nether.net is free and quite available, and basically
>>>>> self-serve to set up, but becomes rather annoying when I'm doing
>>>>> DNS verifications for SSL certs, and I'm trying to get all the relevant
>>>>> records into authoritative DNS in sufficiently timely manner. Also a
>>>>> pain when the back-ends of it are effectively "hidden", and I may see
>>>>> most current S/N from its public IPs one moment, and somewhat older
>>>>> zone serial #s and data later from same IP(s) ... so makes it harder
>>>>> to know when it's fully "given up" the older data (short of any
>>>>> guarantees on DNS TTLs themselves ... but I've got rather long
>>>>> time on the negative caching, so I don't want a "miss" when things first
>>>>> check for those (unique random) DNS entries).
>>>>>
>>>>>> From: "Al Whaley" <awsflug at sunnyside.com>
>>>>>> Subject: Re: Got domains? (sf-lug.{net,com} ...?)
>>>>>> Date: Sun, 8 Sep 2019 08:17:16 -0700
>>>>>
>>>>>> Michael,
>>>>>> Guilty.
>>>>>> Probably unnecessary, but what the heck.
>>>>>> Let me know if you have any DNSSEC entries.
>>>>>> Al
>>>>>>
>>>>>> On 9/7/2019 21:39, Michael Paoli wrote:
>>>>>>> Hmmm, got domains?
>>>>>>>
>>>>>>> I notice (and somebody else had noticed) ...
>>>>>>> $ whois sf-lug.net | fgrep Date:
>>>>>>> Updated Date: 2019-09-03T23:38:29Z
>>>>>>> Creation Date: 2019-09-03T23:38:28Z
>>>>>>> Registry Expiry Date: 2020-09-03T23:38:28Z
>>>>>>> Updated Date: 2019-09-03T23:38:29Z
>>>>>>> Creation Date: 2019-09-03T23:38:28Z
>>>>>>> Registrar Registration Expiration Date: 2020-09-03T23:38:28Z
>>>>>>> $
>>>>>>>
>>>>>>> $ whois sf-lug.com | fgrep Date:
>>>>>>> Updated Date: 2019-09-07T21:52:41Z
>>>>>>> Creation Date: 2019-09-07T18:09:17Z
>>>>>>> Registry Expiry Date: 2020-09-07T18:09:17Z
>>>>>>> Updated Date: 2019-09-07T21:52:40Z
>>>>>>> Creation Date: 2019-09-07T18:09:17Z
>>>>>>> Registrar Registration Expiration Date: 2020-09-07T18:09:17Z
>>>>>>> $
>>>>>>>
>>>>>>> references/excerpts:
>>>>>>> whois(1)
>>>>>>> https://www.balug.org/wiki/doku.php?id=sf-lug:resources_etc
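The DS hand-off to the registrar in the message above is the step where a typo or a stale key tag silently breaks resolution for every validating resolver, so the check worth doing before typing the records into the registrar form is to derive the DS from the KSK yourself and compare. The following is an added example for this thread, not code from the sf-lug DNS setup: it computes the RFC 4034 key tag and DS digests from a DNSKEY RDATA, and parses and sanity-checks DS lines (digest length must match the digest type; every DS for one owner must name the same key tag and algorithm). The DNSKEY in it is a constructed dummy, not sf-lug's real key; the DS lines are the ones posted above. Assumed mapping, per the IANA DS digest registry: type 1 is SHA-1 (20 bytes), type 2 is SHA-256 (32 bytes).

```python
"""DS record derivation and sanity checks (RFC 4034 section 5 and Appendix B).

Added example for the sf-lug thread, not code from the sf-lug DNS setup.
  1. derive key tag and DS digests from a DNSKEY RDATA, so the DS you hand
     the registrar can be compared against the KSK actually in the zone;
  2. parse DS lines as posted and check digest length vs. digest type, and
     that all DS lines for one owner name the same key tag and algorithm.
DUMMY_KSK is a constructed dummy key (not sf-lug's). SF_LUG_DS are the DS
lines posted in the thread. Assumed: digest type 1 = SHA-1 (20 bytes),
digest type 2 = SHA-256 (32 bytes).
"""
import hashlib
import struct

DIGEST = {1: (hashlib.sha1, 20), 2: (hashlib.sha256, 32)}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case labels, no compression."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: sum of big-endian 16-bit words, carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), upper-case hex."""
    func, _ = DIGEST[digest_type]
    return func(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_records(owner, rdata, digest_types=(2,)):
    """Presentation-format DS lines for a DNSKEY (SHA-256 only by default)."""
    tag, alg = key_tag(rdata), rdata[3]
    return [f"{owner} IN DS {tag} {alg} {dt} {ds_digest(owner, rdata, dt)}"
            for dt in digest_types]


def parse_ds(line):
    """Parse 'owner IN DS keytag alg dtype digest'; reject bad digest lengths."""
    owner, cls, rtype, tag, alg, dtype, digest = line.split()
    if (cls, rtype) != ("IN", "DS"):
        raise ValueError(f"not a DS record: {line!r}")
    dtype = int(dtype)
    if dtype not in DIGEST:
        raise ValueError(f"unknown digest type {dtype}: {line!r}")
    if len(bytes.fromhex(digest)) != DIGEST[dtype][1]:
        raise ValueError(f"digest length wrong for type {dtype}: {line!r}")
    return {"owner": owner, "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": dtype, "digest": digest.upper()}


def check_ds_set(lines):
    """All DS lines for one delegation must agree on owner, key tag and algorithm."""
    recs = [parse_ds(l) for l in lines]
    keys = {(r["owner"], r["key_tag"], r["algorithm"]) for r in recs}
    if len(keys) != 1:
        raise ValueError(f"DS set mixes owners or keys: {sorted(keys)}")
    owner, tag, alg = keys.pop()
    return {"owner": owner, "key_tag": tag, "algorithm": alg,
            "digest_types": sorted(r["digest_type"] for r in recs)}


# DS lines as posted in the thread (digests that were wrapped are re-joined).
SF_LUG_DS = [
    "sf-lug.net. IN DS 32389 8 1 D214E3209D6F9216D027A98DA262487BAE996686",
    "sf-lug.net. IN DS 32389 8 2 214959109C03B656C589C053EE8E20F4EE185A79B490D9AEB51CB30334D4CAFC",
    "sf-lug.com. IN DS 33646 8 1 B7EA594BF6F0C4A2E44E737FEC45E31B8928C6BA",
    "sf-lug.com. IN DS 33646 8 2 D3504F37A787E36E8A41922DF5C4E8EDD9C5C9A46343B1064EB7C70DA1E41297",
]

# Constructed dummy KSK: flags 257 (zone key + SEP), protocol 3, alg 8 (RSASHA256).
DUMMY_KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))

if __name__ == "__main__":
    for owner in ("sf-lug.net.", "sf-lug.com."):
        print(check_ds_set([l for l in SF_LUG_DS if l.startswith(owner + " ")]))
    for line in ds_records("sf-lug.net.", DUMMY_KSK, digest_types=(1, 2)):
        print(line)
```

To use it against a real zone, feed the KSK's DNSKEY RDATA (flags, protocol, algorithm and the base64-decoded key from `dig +dnssec DNSKEY`) to `ds_records` and diff the output against what the registrar shows. `ds_records` emits only the SHA-256 digest by default: RFC 8624 deprecates SHA-1 (digest type 1) DS records for new delegations, so a type 2 record on its own is sufficient at the parent.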
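The `sudo -l -U` listing above is the least-privilege boundary for zone editing: each editor gets exactly `sudoedit` of one file under /etc/bind/master plus `rndc reload` and `rndc notify` for that zone, and nothing that would let them edit named.conf, other zones, or run a shell as root. The following is an added example, not from the thread or the sf-lug host: it parses `sudo -l -U` output in the format shown above and reports any entry that falls outside that three-command-per-zone shape (unscoped sudoedit, bare `rndc`, wildcards), which is the re-check to run after any hand edit of sudoers. The SAMPLE text is constructed in that output format and contains one deliberately over-broad line for user rick.

```python
"""Audit `sudo -l -U user` output against a least-privilege allowlist.

Added example, not code from the sf-lug thread or host. The thread scopes
each zone editor to three operations per zone: `sudoedit
/etc/bind/master/<zone>`, `/usr/sbin/rndc reload <zone>` and
`/usr/sbin/rndc notify <zone>`. This parses the "(run-as) cmd, cmd, ..."
lines sudo prints and reports anything outside that shape. SAMPLE is a
constructed listing in that format, with one over-broad line added.
"""
import re

ZONE = r"[A-Za-z0-9.-]+"
ALLOWED = [
    re.compile(rf"^sudoedit /etc/bind/master/({ZONE})$"),
    re.compile(rf"^/usr/sbin/rndc reload ({ZONE})$"),
    re.compile(rf"^/usr/sbin/rndc notify ({ZONE})$"),
]

# Constructed sample; the last line is the kind of entry the audit must catch.
SAMPLE = """\
User grantbow may run the following commands on balug-sf-lug-v2:
    (root) sudoedit /etc/bind/master/sf-lug.net, /usr/sbin/rndc reload sf-lug.net, /usr/sbin/rndc notify sf-lug.net
User rick may run the following commands on balug-sf-lug-v2:
    (root) sudoedit /etc/bind/master/sf-lug.com, /usr/sbin/rndc reload sf-lug.com, /usr/sbin/rndc notify sf-lug.com
    (root) NOPASSWD: /usr/sbin/rndc, sudoedit /etc/bind/*
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands")
ENTRY_RE = re.compile(r"^\s+\(([^)]+)\)\s+(.*\S)\s*$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")   # strip NOPASSWD:, SETENV:, ... prefixes


def parse_sudo_l(text):
    """Return {user: [(runas, command), ...]} from concatenated sudo -l output."""
    perms, user = {}, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            perms.setdefault(user, [])
            continue
        m = ENTRY_RE.match(line)
        if m and user is not None:
            runas, cmds = m.groups()
            for cmd in cmds.split(", "):
                perms[user].append((runas, TAG_RE.sub("", cmd.strip())))
    return perms


def audit(perms):
    """Entries that match none of ALLOWED, as (user, runas, command) tuples."""
    return [(user, runas, cmd)
            for user, entries in perms.items()
            for runas, cmd in entries
            if not any(p.match(cmd) for p in ALLOWED)]


def zones_per_user(perms):
    """Zones each user can fully manage: edit, reload and notify all granted."""
    out = {}
    for user, entries in perms.items():
        hits = {}
        for _, cmd in entries:
            for idx, p in enumerate(ALLOWED):
                m = p.match(cmd)
                if m:
                    hits.setdefault(m.group(1), set()).add(idx)
        out[user] = sorted(z for z, ops in hits.items() if ops == {0, 1, 2})
    return out


if __name__ == "__main__":
    perms = parse_sudo_l(SAMPLE)
    print(zones_per_user(perms))
    for finding in audit(perms):
        print("OVER-BROAD:", finding)
```

On the real host, pipe the same `for user ...; do sudo -l -U "$user"; done` loop shown above into `parse_sudo_l` instead of SAMPLE. Anything `audit` reports is either a sudoers mistake or an intentional grant that deserves its own line in the access list, so the allowlist should be extended deliberately rather than the finding ignored.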
