Opened 2 years ago
Closed 15 months ago
#74 closed Reminder (Don't Care)
Set up DNS Servers and provide secondary services for tdi.
Reported by: D Delmar Davis
Owned by: D Delmar Davis
Priority: Important
Milestone: Make Shit Happen / Own Your Shit.
Component: Development
Keywords: (none)
Cc: Joe Dumoulin, Glen E. Ropella
Description
In exchange for providing us with a network-diverse pair of servers for secondary DNS (and?) I am setting up dns on said servers.
Ha! Well, I shut down SSH password auth. So it shouldn't have been that dangerous. Anyway, I've cloned tweedle dum to dee in Frankfurt (172.104.132.86). I figured that's a good spread, from CA to DE, if it even matters.
My intention is to host tempusdictum.com on a GitLab page (https://tempus-dictum.gitlab.io/site/). I assume that would look something like:
*.tempusdictum.com A 35.185.44.232
_gitlab-pages-verification-code.example.com TXT gitlab-pages-verification-code=<some code>
Then I'll need an MX record to continue to route mail through my current server. I have another domain name "tempESTdictum.com" that I bought just because some yahoo misspelled it one time.
tempusdictum.com MX 5 tempestdictum.com
Eventually, I'll move all the domains over to use these 2 name servers. But right now tempusdictum.com is the only one I care about. When you're ready to go live, I'll set up the GitLab page to get the <some code> above. I assume you want to tweak the dum and dee a bit first.
Take your time. I'm in no hurry. If you want to set up your own stuff first, that's fine. I'll be revisiting all this in about 3 weeks when "cahlab.com" expires.
Attachments (3)
Change History (52)
comment:1 Changed 2 years ago by
comment:2 Changed 2 years ago by
Set up a stub https://bitbucket.org/suspectdevicesadmin/dnsserversetup/src/master/ I will have questions.
comment:3 Changed 2 years ago by
So the easiest way to transition off of your existing dns is going to be to declare your new servers as authoritative and then have them secondary what is currently on hostdaddy. Is this in the works?
comment:4 Changed 2 years ago by
I thought I only had to have 2 nameservers, a master and a slave. Then I could assign those as the ONLY nameservers at hostpapa.
comment:5 Changed 2 years ago by
That works. In that case you need your nameservers to be ready with the appropriate data before you assign those. (I will try to see if hoespahpar will let me scrape the data by setting up a "slave" in a bit). In the meantime I will bump up having this ready.
My first aforementioned question was trying to figure out what problem you were trying to solve.
This morning I started a proposed zone file in the git repo based on what dig/nslookup says about your current servers.
FWIW you can have as many nameservers as you like and they can all be "masters" (or "slaves") from bind's standpoint as long as they are deemed authoritative (note that authoritative does not mean accurate). I would add at least one of our nameservers to your registrar (preferably dns.suspectdevices.com. 120 IN A 198.202.31.142) if we are maintaining yours.
PS. I apologize in advance for not using the current bind terminology for the crap embedded in our language. I will continue to use the offensive language until our culture or bind is fucking fixed (the change is documented but not coded. The configuration files still use the type: master|slave/masters keywords and have not adapted). PSPS I need to figure out why trac is not notifying me when you comment here.
comment:6 Changed 2 years ago by
OK. The current DNS is set to point to 72.249.182.31. I may change my mind and avoid using the GitLab page, per your advice against GitLab. So, a scrape of hostpapa would be fine, I guess. I use the wildcard so that mail.tempusdictum.com and smtp.tempusdictum.com etc all go to the base domain.
I'll add dns.suspectdevices.com at the same time I add dum and dee.
It didn't even cross my mind that master/slave is offensive. Thanks for cluing me in. I'll try to avoid it in the future.
comment:7 Changed 2 years ago by
Gitlab is fine as long as you're not hosting it or trying to get it to integrate into other environments.
comment:8 Changed 2 years ago by
So we are going to have to scratch build the zones. Was worth a try.
Jun 25 20:00:01 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 45.79.179.230#53: failed while receiving responses: NOTAU
Jun 25 20:00:01 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 45.79.179.230#53: Transfer status: NOTAUTH
...
Jun 25 20:00:02 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 66.228.51.37#53: failed while receiving responses: NOTAUT
Jun 25 20:00:02 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 66.228.51.37#53: Transfer status: NOTAUTH
Oh well..
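The NOTAUTH lines in comment 8 are exactly what a secondary should be watching for, and the failure word tells you where to look. Below is an added example (not code from the ticket or from the dnsserversetup repo) that parses BIND 9 "Transfer status" syslog lines, keeps the last result per zone and source, and separates NOTAUTH (the queried server does not consider itself authoritative for the zone, so the primary address or that server's zone configuration is wrong) from REFUSED (an allow-transfer ACL or TSIG problem on the primary). The log text is constructed around the lines quoted above; the success entries, the tempestdictum.com REFUSED entry, and the timestamps are assumptions.

```python
"""Summarize BIND 9 zone-transfer outcomes from named syslog lines.

Added example, not code from the ticket or the dnsserversetup repo. SAMPLE_LOG is
constructed around the NOTAUTH failures quoted in comment 8; the success lines, the
tempestdictum.com REFUSED line, timestamps and pid are assumptions.
"""
import re

SAMPLE_LOG = """\
Jun 25 20:00:01 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 45.79.179.230#53: failed while receiving responses: NOTAUTH
Jun 25 20:00:01 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 45.79.179.230#53: Transfer status: NOTAUTH
Jun 25 20:00:02 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 66.228.51.37#53: failed while receiving responses: NOTAUTH
Jun 25 20:00:02 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 66.228.51.37#53: Transfer status: NOTAUTH
Jun 26 09:15:10 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 172.104.132.86#53: Transfer status: success
Jun 26 09:15:10 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 172.104.132.86#53: Transfer completed: 1 messages, 12 records, 350 bytes, 0.001 secs (350000 bytes/sec)
Jun 26 09:15:11 kernigan named[1567]: transfer of 'tempestdictum.com/IN' from 172.104.132.86#53: Transfer status: REFUSED
"""

# named writes one "Transfer status: <word>" line per transfer attempt; the word is
# either "success" or the DNS RCODE / internal result that ended the attempt.
STATUS_RE = re.compile(
    r"transfer of '(?P<zone>[^/']+)/(?P<cls>[A-Z]+)' from (?P<src>[^#\s]+)#\d+: "
    r"Transfer status: (?P<status>\S+)"
)

# Triage hints keyed on the status word. NOTAUTH and REFUSED are standard RCODEs.
HINTS = {
    "NOTAUTH": "source does not claim authority for the zone: wrong primary address, "
               "or the zone is not configured on that server",
    "REFUSED": "source rejected the AXFR: check allow-transfer / TSIG on the primary",
}


def parse_transfers(text):
    """Yield (zone, source_ip, status) for every Transfer status line, in log order."""
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            yield m["zone"], m["src"], m["status"]


def last_status(text):
    """Most recent transfer status per (zone, source); later lines overwrite earlier."""
    latest = {}
    for zone, src, status in parse_transfers(text):
        latest[(zone, src)] = status
    return latest


def failed_transfers(text):
    """(zone, source, status, hint) for each (zone, source) whose last attempt failed."""
    out = []
    for (zone, src), status in sorted(last_status(text).items()):
        if status != "success":
            out.append((zone, src, status, HINTS.get(status, "see the named log for detail")))
    return out


def zones_without_good_source(text):
    """Zones for which no configured source has a successful last transfer: the
    secondary is serving stale data (or nothing) for these and the SOA expiry clock is running."""
    latest = last_status(text)
    ok = {zone for (zone, _), st in latest.items() if st == "success"}
    return sorted({zone for (zone, _) in latest} - ok)


if __name__ == "__main__":
    for zone, src, status, hint in failed_transfers(SAMPLE_LOG):
        print(f"{zone} from {src}: {status} ({hint})")
    print("zones with no working source:", zones_without_good_source(SAMPLE_LOG))
```

Run it against `journalctl -u named` or `/var/log/syslog` output; a zone listed by zones_without_good_source is the one to fix first, since it will drop out of service once the SOA expire timer runs down.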
comment:9 Changed 2 years ago by
Status: assigned → accepted
Built a zone file to reflect what is currently out there.
https://bitbucket.org/suspectdevicesadmin/dnsserversetup/src/master/zones/tdi.hosts
Also added it to the very much in progress doc.
https://bitbucket.org/suspectdevicesadmin/dnsserversetup/src/master/
May restructure the repo to separate out the primary and secondary configurations. Not sure if git should drive or if the work should be done on the primary server and then pushed to the repo. Also migrated dns.suspectdevices.com to kernigan (our debian buster container) so there will be 3 of a kind.
comment:10 Changed 2 years ago by
Glen,
It would be helpful if the two servers 172.104.132.86, 45.33.61.113 had fqdns. Can you define those for tempusdictum.com?
dee.tempusdictum.com as well as dum, dns?, and ns?, all resolve to the same place (tempus-dictum.gitlab.io).
D
Changed 2 years ago by
Attachment: hostpapa-nameservers-tab.png added
snap of the hostpapa nameserver settings tab
comment:11 Changed 2 years ago by
I don't understand the question. Above is a snap of the hostpapa nameserver setting tab. My intention was to set the 1st nameserver to dee and the second one to dum. Then, I presumed everyone would get the ip addresses from dee or dum.
I thought that meant dee and dum would tell everyone what xyz.tempusdictum.com points to. That means, if we wanted dee.tempusdictum.com and dum.tempusdictum.com, you'd write that in the BIND config.
comment:12 Changed 2 years ago by
In the next tab over (dns zone editor) you should define them so they will exist and be easy to reference while we work on them.
Also if you could give us a look at that tab I could set the initial zones to match.
comment:13 Changed 2 years ago by
Right. But that's what started this whole thing. That DNS Zone Editor does not work. And in order to add those 2 entries, I have to open a ticket with hostpapa. Every ticket takes 3-4 days because the 1st response is "Edit the entry with the DNS Zone Editor". Then I respond with "I did. It doesn't work." Then they respond with "Give me the entries you want and we'll do it." Then I do that. Then they respond with "We've made the entry. It'll take a while to propagate out." Then I show them a "$dig @ns1.hostpapa.com" showing the entry hasn't been made in their nameserver. Then ... and only then ... an actual person from the data center responds showing me that the change is actually made. Then it takes a day to percolate out to the rest of the net.
That's why I want my own nameservers. I could transfer the domain again to a competent service. But I've got 240 something days before it expires on this one.
If you want, I'll start that process again. I presume the entries I request will be:
ns1.tempusdictum.com A 172.104.132.86
ns2.tempusdictum.com A 45.33.61.113
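Comment 5 makes the point that the new servers must already hold correct data before the registrar is pointed at them, and comment 13 lists the glue records the registrar will need. The check a practitioner would run before that cut-over is below: an added example, not code from the ticket or from the dnsserversetup repo. It parses a BIND-style zone file offline and reports the things that commonly make a registrar reject custom nameservers or break mail: fewer than two apex NS records, an in-zone nameserver without an A/AAAA glue record, an MX target that is a CNAME or has no address, and a CNAME sharing an owner name with other records. The zone text is constructed from the records discussed in this ticket; the SOA serial and timers, the hostmaster address and the TTL are assumptions, not the real tdi.hosts.

```python
"""Offline readiness check for a BIND-style zone file before delegating to it.

Added example, not code from the ticket or the dnsserversetup repo. SAMPLE_ZONE is
constructed from the records discussed on the ticket; the SOA values, $TTL and
hostmaster address are assumptions.
"""
import ipaddress
from collections import defaultdict

SAMPLE_ZONE = """\
$ORIGIN tempusdictum.com.
$TTL 3600
@    IN SOA ns1.tempusdictum.com. hostmaster.tempusdictum.com. 2021062501 3600 900 1209600 300
@    IN NS  ns1.tempusdictum.com.
@    IN NS  ns2.tempusdictum.com.
@    IN NS  dns.suspectdevices.com.
ns1  IN A   172.104.132.86
ns2  IN A   45.33.61.113
@    IN A   35.185.44.232
*    IN A   35.185.44.232
@    IN MX  5 tempestdictum.com.
_gitlab-pages-verification-code IN TXT "gitlab-pages-verification-code=<some code>"
"""

TYPES = {"SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME"}


def fqdn(name, origin):
    """Qualify a zone-file name: '@' is the apex, a trailing dot is absolute, else relative."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def parse_zone(text):
    """Return (origin, {owner: {type: [rdata tokens, ...]}}). Handles $ORIGIN, $TTL,
    ';' comments, optional TTL and class fields, and a leading-blank owner meaning
    'same owner as the previous record'. Multi-line parenthesised rdata is not handled."""
    origin, prev_owner = None, None
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            continue
        owner = prev_owner if line[0].isspace() else fqdn(tokens.pop(0), origin)
        prev_owner = owner
        if tokens and tokens[0].isdigit():        # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in TYPES:
            raise ValueError(f"unsupported record type {rtype} at {owner}")
        records[owner][rtype].append(tokens)
    return origin, records


def check_zone(text):
    """Return a list of 'ERROR: ...' / 'INFO: ...' findings for the zone text."""
    origin, rrs = parse_zone(text)
    out = []
    apex = rrs.get(origin, {})
    if len(apex.get("SOA", [])) != 1:
        out.append("ERROR: apex needs exactly one SOA record")
    ns_hosts = [fqdn(r[0], origin) for r in apex.get("NS", [])]
    if len(ns_hosts) < 2:
        out.append("ERROR: fewer than two NS records at the apex")
    for host in ns_hosts:
        if not in_zone(host, origin):
            out.append(f"INFO: nameserver {host} is outside {origin}; it must resolve on its own")
        elif not (rrs.get(host, {}).get("A") or rrs.get(host, {}).get("AAAA")):
            out.append(f"ERROR: in-zone nameserver {host} has no A/AAAA record (registrar glue)")
    for _pref, target in apex.get("MX", []):
        target = fqdn(target, origin)
        if "CNAME" in rrs.get(target, {}):
            out.append(f"ERROR: MX target {target} is a CNAME (RFC 2181 section 10.3)")
        elif not in_zone(target, origin):
            out.append(f"INFO: MX target {target} is outside {origin}; confirm it resolves")
        elif not rrs.get(target, {}).get("A"):
            out.append(f"ERROR: MX target {target} has no A record")
    for owner, types in rrs.items():
        if "CNAME" in types and len(types) > 1:
            out.append(f"ERROR: {owner} has a CNAME alongside other records")
        for rd in types.get("A", []):
            try:
                ipaddress.IPv4Address(rd[0])
            except ValueError:
                out.append(f"ERROR: {owner} A record has a bad address {rd[0]}")
    wildcard = f"*.{origin}"
    if wildcard in rrs:  # a wildcard never matches a name that exists explicitly
        shadow = sorted(o for o in rrs if o not in (origin, wildcard))
        out.append(f"INFO: {wildcard} does not cover names that exist explicitly: {', '.join(shadow)}")
    return out


if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE):
        print(finding)
```

Pair this with `named-checkzone tempusdictum.com zones/tdi.hosts` on the primary before reloading: named-checkzone catches syntax, this script catches the delegation and mail mistakes that are syntactically valid. Note the wildcard finding: because ns1 and ns2 exist explicitly, the `*` record does not apply to them or to anything beneath them.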
comment:14 Changed 2 years ago by
Wow.
That sounds like a lot of businesses I have worked with over the years and the reason I originally went with dotster (since for the first decade I could go to vantucky with a baseball bat). I won't ask you to see what happens if you choose the custom name servers to see if it won't let you keep theirs and add the new ones since that sounds like just another opportunity for them to fuck up.
So... we will carry on.
In the meantime I already defined dee&dum.suspectdevices.com and cnamed them to deens and dumns (fine alternatives to M/S P/S terminology IMHO :) as well as dns[3-4].suspectdevices.com. You can use those names to define the authoritative servers if you like.
I will add those to the soa record of the zone file on bitbucket and configure dee to serve it. (and for dum, and kernigan to secondary)
Changed 2 years ago by
Attachment: unexpected-error-from-status-name-server-820.png added
error 820 from the ip addresses
comment:16 Changed 2 years ago by
I think I'll just move the domain. I wanted to wait until closer to expiration to avoid losing that little bit of money. But hostpapa is too painful.
comment:17 Changed 2 years ago by
Ok well dee is set up to serve what is in the master zone file. And the secondaries are set up to pull from dee.
https://bitbucket.org/suspectdevicesadmin/dnsserversetup/src/master/zones/tdi.hosts
You should change the name servers to point to them before disengaging from hostpapa.
How long do you plan on keeping these servers? (Looking at making the secondaries from suspectdevices authoritative)
comment:18 Changed 2 years ago by
Hostpapa responded to a ticket saying they can set up the name servers for me, as usual. I'll see where that conversation goes. I told them to use dee.tempusdictum.com as the ns1, dum as ns2, and dns.suspectdevices.com as ns3.
I also found out that linode offers DNS:
https://www.linode.com/products/dns-manager/
But it's not clear how much that'll cost, probably less than running 2 small VMs. So, if things get set up, I'll keep dee and dum running for a while. I'm also considering dumping both RimuHosting (where tempusdictum.com currently points) and DirectSpace (where cahlab.com and agent-based-modeling.com point) and moving to linode. So, maybe dee and dum will take on hosting roles.
comment:19 Changed 2 years ago by
Ok afaik dee is set up the way the dns is currently (except for the wildcards. I can add the wildcards though I have never used them myself.) So if you make it and the secondaries authoritative we should be ok. The current model is to pull from the private repo since bitbucket will require us to set up an account to push any changes. It's not a huge task to add an httpd server to handle a post-commit hook however I prefer to keep my hands on until everything settles.
Also if you decide that a while is longer than a year or two we should consider adding your servers to our ansible pets which get updated whenever either ubuntu (or now debian) notifies us that updates are available. I know that we are supposed to treat our systems like cattle but I am one to prefer pets where you care about them and you pay attention to them.
comment:21 Changed 2 years ago by
OK. I tried to edit the tdi.hosts to look like what GitLab expects (cf https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/).
comment:23 Changed 2 years ago by
Also added tempestdictum.com to named.conf.local (references the same zone file), as well as configuring the secondaries.
And updated the documentation. Gotta go sort packages in the heat now.
comment:24 Changed 2 years ago by
OK. I finally managed to get a working DNS entry, but not on hostpapa. It's on name-services.com. So, now when I go to tempusdictum.com the GitLab pages show up. I can't set the name servers to dee and dum. So, I intend to transfer all my domains off hostpapa. I remember you recommended dotster a long time ago. I used them. But they seemed expensive. So I stopped using them. Is dotster your only recommendation? If so, how much does it cost per year, per domain?
comment:26 Changed 2 years ago by
But I have been paying 15 a year per domain and haven't really had many complaints.
comment:28 Changed 2 years ago by
"Need"? No. But I still want my own name servers. I just *can't* assign them with Hostpapa. Now I need to transfer the domain to a registrar that allows me to use my own name servers. I think I'll go with dynadot for these. But hostpapa didn't send me the transfer code when I requested it. So, I imagine there'll be yet another round of support tickets to get that done. Pfft.
comment:29 Changed 23 months ago by
So, as expected, another round on a ticket with hostpapa showed that they (or I?) never set the contact information for the domains after canvashost.com was acquired by hostpapa.com. My original provider was hostpond.com, which was located in Sellwood just south of Portland proper. Anyway, now ICANN will put a 60 day lock on the domains, after which I can move them willy nilly. So I won't need dee and dum for another 2 months. But my plan is to move some services (email and/or web hosting) to a Linode hosted machine at some point. Maybe dee or dum can do that double duty someday.
comment:30 Changed 23 months ago by
Well, They are ready when you are. I will hold off making them authoritative for my domains until they are actually in production.
In the meantime I will apply any patches that my debian canary (kernigan) lets me know about.
Cheers.
comment:31 Changed 23 months ago by
Excellent. Thanks so much. I owe you at least some beer. We have an all lager brewery walking distance from the house here in Oly ... which explains that spare tire around my waist.
comment:32 Changed 22 months ago by
Updated all 3 servers.
Notice this update included a kernel upgrade. This did not cause any problems with Kernigan, however,
I did not reboot dee and dum as I do not have console access nor an established maintenance window.
apticron report [Sun, 25 Jul 2021 13:47:05 -0700]
========================================================================
apticron has detected that some packages need upgrading on:
kernigan
[ 198.202.31.142 ]
The following packages are currently pending an upgrade:
krb5-locales 1.17-3+deb10u2
libgssapi-krb5-2 1.17-3+deb10u2
libk5crypto3 1.17-3+deb10u2
libkrb5-3 1.17-3+deb10u2
libkrb5support0 1.17-3+deb10u2
========================================================================
Package Details:
apt-listchanges: Reading changelogs...
apt-listchanges: Changelogs
--- Changes for krb5 (krb5-locales libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0) ---
krb5 (1.17-3+deb10u2) buster-security; urgency=high
- Import upstream patch for CVE-2021-36222, Closes: #991365
-- Benjamin Kaduk <kaduk@…> Thu, 22 Jul 2021 18:11:15 -0700
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on kernigan
--
comment:33 Changed 22 months ago by
If you sign up as a user on linode, I should be able to give you console access.
comment:34 Changed 22 months ago by
At which point I would own the box and we might have to discuss much more beer :)
I keep track of when an update touches the kernel or initrd so there are no surprises when reboots do occur.
My personal feeling is its your box, you boot it. But, I am flexible here. I will look at linode when I get off the clock.
comment:35 Changed 22 months ago by
They want a credit card for the free account. I guess we will coordinate reboots so if things go south you can go to the virtual server room.
:)
comment:36 Changed 22 months ago by
That's fine with me. You can do a $ sudo reboot, which is what I did. But if you send me the email address you'd want to use, I think I can invite you to my linode account without you entering your own card number. I'm fine either way. Thanks.
comment:38 Changed 22 months ago by
Sorry. "don" was taken. I had to use "dondd". Stupid usernames. Don't run up my bill! 8D
comment:39 Changed 22 months ago by
I am in a give us your cc info loop with them so I can't use that email address.
I can't even open a ticket.
MOTHER FUCKERS!
You tell them your sysadmin is not impressed.
Also ddavis or delmar is preferred nowadays don is for family.
comment:40 Changed 22 months ago by
[sigh] OK. I added you as ddelmardavis@…. If that doesn't work, we'll fall back on within VM reboots or only me with access to the console.
comment:42 Changed 22 months ago by
I just talked to their customer service. All new accounts require credit card info. Will have to notify you when its time to reboot.
comment:44 Changed 19 months ago by
Glen,
Last update included a new kernel. You will wanna reboot dee and dum sometime. Didn't have any problems on kernigan.
D
Calculating upgrade... Done
The following NEW packages will be installed:
  linux-image-4.19.0-18-amd64
The following packages will be upgraded:
  base-files bind9 bind9-doc bind9-host bind9utils debconf debconf-i18n distro-info-data dnsutils krb5-locales libbind9-161 libdns-export1104 libdns1104 libgssapi-krb5-2 libirs161 libisc-export1100 libisc1100 libisccc161 libisccfg163 libk5crypto3 libkrb5-3 libkrb5support0 liblwres161 linux-image-amd64 python3-debconf tzdata
26 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 56.4 MB of archives.
After this operation, 270 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
comment:46 Changed 19 months ago by
Owner: D Delmar Davis deleted
Status: accepted → assigned
Type: Task → Reminder
need a limbo state....
comment:47 Changed 19 months ago by
Owner: set to D Delmar Davis
Status: assigned → accepted
comment:48 Changed 17 months ago by
Update. I transferred tempusdictum.com to Google domains (because I got tired of looking for a more ethical registrar and they seem overall technically competent). But then when I tried to use dee and dum as name servers, they rejected them. I can't figure out why. I'm weary of trying to do this. Maybe I should give up on the idea of having my own custom dns servers?
comment:49 Changed 15 months ago by
Resolution: → Don't Care
Status: accepted → closed
I am assuming you killed the servers since they were unavailable the last round of updates.
You lost me at Google domains. I am going to close this out.
For Bitbucket: https://bitbucket.org/gepr/ using gepr@…