DNS

The project runs authoritative DNS servers for any constituent projects that wish to use them.

Bind is run on a hidden master (adns02.opendev.org) which handles automatic DNSSEC zone signing. Any changes to the zone files are deployed here.

Secondary public authoritative servers run NSD and take zone transfers from the hidden primary. These are published in the NS records for the managed zones.

At a Glance

Hosts:

• adns02.opendev.org

• ns03.opendev.org

• ns04.opendev.org

Ansible:

• system-config: inventory/service/group_vars/adns.yaml

• system-config: inventory/service/group_vars/adns-primary.yaml

• system-config: inventory/service/group_vars/adns-secondary.yaml

Projects:

• https://www.nlnetlabs.nl/projects/nsd/

• https://www.isc.org/downloads/bind/doc/

Adding a Zone

To add a new zone, identify an existing git repository or create a new one to hold the contents of the zone, then update system-config: inventory/service/group_vars/dns.yaml.

Run:

dnssec-keygen -a RSASHA256 -b 2048 -3 example.net
dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.net

And add the resulting files to the dnssec_keys key in the group/adns.yaml private hostvars file on puppetmaster.

If you need to generate DS records for the registrar, identify which of the just-created key files is the key-signing key by examining the contents of the files and reading the comments therein, then run:

dnssec-dsfromkey -2 $KEYFILE