Opened 3 months ago

Last modified 7 weeks ago

#74 accepted Task

Set up DNS Servers and provide secondary services for tdi.

Reported by: D Delmar Davis Owned by: D Delmar Davis
Priority: Important Milestone: Make Shit Happen / Own Your Shit.
Component: Development Keywords:
Cc: Joe Dumoulin, Glen. E. Ropella

Description

In exchange for providing us with a network diverse pair of servers for secondary DNS (and?) I am setting up dns on said servers.

Ha! Well, I shut down SSH password auth. So it shouldn't have been that dangerous. Anyway, I've cloned tweedle dum to dee in Frankfurt (172.104.132.86). I figured that's a good spread, from CA to DE, if it even matters.

My intention is to host tempusdictum.com on a GitLab page (https://tempus-dictum.gitlab.io/site/). I assume that would look something like:

*.tempusdictum.com 	A 	35.185.44.232
_gitlab-pages-verification-code.example.com 	TXT 	gitlab-pages-verification-code=<some code>

Then I'll need an MX record to continue to route mail through my current server. I have another domain name "tempESTdictum.com" that I bought just because some yahoo misspelled it one time.

tempusdictum.com MX 5 tempestdictum.com

Eventually, I'll move all the domains over to use these 2 name servers. But right now tempusdictum.com is the only one I care about. When you're ready to go live, I'll set up the GitLab page to get the <some code> above. I assume you want to tweak the dum and dee a bit first.

Take your time. I'm in no hurry. If you want to set up your own stuff first, that's fine. I'll be revisiting all this in about 3 weeks when "cahlab.com" expires.


Attachments (3)

hostpapa-nameservers-tab.png (26.1 KB) - added by Glen. E. Ropella 3 months ago.
snap of the hostpapa nameserver settings tab
unexpected-error-from-status-name-server-820.png (37.0 KB) - added by Glen. E. Ropella 3 months ago.
error 820 from the ip addresses
dotster.png (223.0 KB) - added by D Delmar Davis 3 months ago.
domain name pricing.


Change History (46)

comment:1 Changed 3 months ago by Glen. E. Ropella

For Bitbucket: https://bitbucket.org/gepr/ using gepr@…

comment:2 Changed 3 months ago by D Delmar Davis

comment:3 Changed 3 months ago by D Delmar Davis

So the easiest way to transition off of your existing dns is going to be to declare your new servers as authoritative and then have them secondary what is currently on hostdaddy. Is this in the works?

comment:4 Changed 3 months ago by Glen. E. Ropella

I thought I only had to have 2 nameservers, a master and a slave. Then I could assign those as the ONLY nameservers at hostpapa.

comment:5 Changed 3 months ago by D Delmar Davis

That works. In that case you need your nameservers to be ready with the appropriate data before you assign those. (I will try to see if hoespahpar will let me scrape the data by setting up a "slave" in a bit). In the meantime I will bump up having this ready.

My first aforementioned question was trying to figure out what problem you were trying to solve.

This morning I started a proposed zone file in the git repo based on what dig/nslookup says about your current servers.

FWIW you can have as many nameservers as you like and they can all be "masters" (or "slaves") from bind's standpoint as long as they are deemed authoritative (note that authoritative does not mean accurate). I would add at least one of our nameservers to your registrar (preferably dns.suspectdevices.com. 120 IN A 198.202.31.142) if we are maintaining yours.

PS. I apologize in advance for not using the current bind terminology for the crap embedded in our language. I will continue to use the offensive language until our culture or bind is fucking fixed (the change is documented but not coded. The configuration files still use the type: master|slave/masters keywords and have not adapted). PSPS I need to figure out why trac is not notifying me when you comment here.

comment:6 Changed 3 months ago by Glen. E. Ropella

OK. The current DNS is set to point to 72.249.182.31. I may change my mind and avoid using the GitLab page, per your advice against GitLab. So, a scrape of hostpapa would be fine, I guess. I use the wildcard so that mail.tempusdictum.com and smtp.tempusdictum.com etc all go to the base domain.

I'll add dns.suspectdevices.com at the same time I add dum and dee.

It didn't even cross my mind that master/slave is offensive. Thanks for cluing me in. I'll try to avoid it in the future.

comment:7 Changed 3 months ago by D Delmar Davis

Gitlab is fine as long as you're not hosting it or trying to get it to integrate into other environments.

comment:8 Changed 3 months ago by D Delmar Davis

So we are going to have to scratch build the zones. Was worth a try.

Jun 25 20:00:01 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 45.79.179.230#53: failed while receiving responses: NOTAU
Jun 25 20:00:01 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 45.79.179.230#53: Transfer status: NOTAUTH
...
Jun 25 20:00:02 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 66.228.51.37#53: failed while receiving responses: NOTAUT
Jun 25 20:00:02 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 66.228.51.37#53: Transfer status: NOTAUTH

Oh well..
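As an added example (not from the ticket or the dnsserversetup repo), here is a small Python parser for named's transfer log lines like the ones quoted above. It keeps the last "Transfer status" per (zone, primary) pair and annotates failures, which is the check a secondary operator wants before concluding, as here, that the zone has to be built by hand. The sample log is constructed from this comment's lines plus one made-up success line; the hints are general BIND behaviour, not anything the ticket states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the named lines quoted in this comment (with the
# truncated rcode completed), plus one made-up success line so the parser
# has both outcomes to sort.
SAMPLE_LOG = """\
Jun 25 20:00:01 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 45.79.179.230#53: failed while receiving responses: NOTAUTH
Jun 25 20:00:01 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 45.79.179.230#53: Transfer status: NOTAUTH
Jun 25 20:00:02 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 66.228.51.37#53: failed while receiving responses: NOTAUTH
Jun 25 20:00:02 kernigan named[1567]: transfer of 'tempusdictum.com/IN' from 66.228.51.37#53: Transfer status: NOTAUTH
Jun 25 20:05:00 kernigan named[1567]: transfer of 'suspectdevices.com/IN' from 198.202.31.142#53: Transfer status: success
"""

# Only the final "Transfer status:" line of an attempt is conclusive; the
# "failed while receiving responses" line is an intermediate message.
STATUS_RE = re.compile(
    r"transfer of '(?P<zone>[^/']+)/(?P<cls>\w+)' from "
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): Transfer status: (?P<status>\S+)"
)

# What the common statuses mean for the operator of the secondary.
HINTS = {
    "success": "zone transferred; nothing to do",
    "NOTAUTH": "primary answered that it is not authoritative for this zone; "
               "it cannot be used as a transfer source",
    "REFUSED": "primary is authoritative but its allow-transfer does not "
               "include this secondary",
}

def transfer_status(log_text: str) -> Dict[Tuple[str, str], str]:
    """Map (zone, primary_ip) -> last Transfer status seen in the log."""
    result: Dict[Tuple[str, str], str] = {}
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            result[(m["zone"], m["ip"])] = m["status"]
    return result

def failed_transfers(log_text: str) -> List[Tuple[str, str, str, str]]:
    """(zone, primary_ip, status, hint) for every pair whose last attempt failed."""
    return [
        (zone, ip, status, HINTS.get(status, "see named's log for detail"))
        for (zone, ip), status in transfer_status(log_text).items()
        if status != "success"
    ]

if __name__ == "__main__":
    for zone, ip, status, hint in failed_transfers(SAMPLE_LOG):
        print(f"{zone} from {ip}: {status} -> {hint}")
```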

comment:9 Changed 3 months ago by D Delmar Davis

Status: assigned → accepted

Built a zone file to reflect what is currently out there.

https://bitbucket.org/suspectdevicesadmin/dnsserversetup/src/master/zones/tdi.hosts

Also added it to the very much in progress doc.

https://bitbucket.org/suspectdevicesadmin/dnsserversetup/src/master/

May restructure the repo to separate out the primary and secondary configurations. Not sure if git should drive or if the work should be done on the primary server and then pushed to the repo. Also migrated dns.suspectdevices.com to kernigan (our debian buster container) so there will be 3 of a kind.

comment:10 Changed 3 months ago by D Delmar Davis

Glen,

It would be helpful if the two servers 172.104.132.86, 45.33.61.113 had fqdns. Can you define those for tempusdictum.com?

dee.tempusdictum.com as well as dum, dns?, and ns?, all resolve to the same place (tempus-dictum.gitlab.io).

D

Changed 3 months ago by Glen. E. Ropella

snap of the hostpapa nameserver settings tab

comment:11 Changed 3 months ago by Glen. E. Ropella

I don't understand the question. Above is a snap of the hostpapa nameserver setting tab. My intention was to set the 1st nameserver to dee and the second one to dum. Then, I presumed everyone would get the ip addresses from dee or dum.

I thought that meant dee and dum would tell everyone what xyz.tempusdictum.com points to. That means, if we wanted dee.tempusdictum.com and dum.tempusdictum.com, you'd write that in the BIND config.

comment:12 Changed 3 months ago by D Delmar Davis

In the next tab over (dns zone editor) you should define them so they will exist and be easy to reference while we work on them.
Also if you could give us a look at that tab I could set the initial zones to match.

comment:13 Changed 3 months ago by Glen. E. Ropella

Right. But that's what started this whole thing. That DNS Zone Editor does not work. And in order to add those 2 entries, I have to open a ticket with hostpapa. Every ticket takes 3-4 days because the 1st response is "Edit the entry with the DNS Zone Editor". Then I respond with "I did. It doesn't work." Then they respond with "Give me the entries you want and we'll do it." Then I do that. Then they respond with "We've made the entry. It'll take awhile to propagate out." Then I show them a "$dig @ns1.hostpapa.com" showing the entry hasn't been made in their nameserver. Then ... and only then ... an actual person from the data center responds showing me that the change is actually made. Then it takes a day to percolate out to the rest of the net.

That's why I want my own nameservers. I could transfer the domain again to a competent service. But I've got 240 something days before it expires on this one.

If you want, I'll start that process again. I presume the entries I request will be:

ns1.tempusdictum.com A 172.104.132.86
ns2.tempusdictum.com A 45.33.61.113

comment:14 Changed 3 months ago by D Delmar Davis

Wow.

That sounds like a lot of businesses I have worked with over the years and the reason I originally went with dotster (since for the first decade I could go to vantucky with a baseball bat). I won't ask you to see what happens if you choose the custom name servers to see if it won't let you keep theirs and add the new ones since that sounds like just another opportunity for them to fuck up.

So... we will carry on.

In the meantime I already defined dee&dum.suspectdevices.com and cnamed them to deens and dumns (fine alternatives to M/S P/S terminology IMHO :), as well as dns[3-4].suspectdevices.com. You can use those names to define the authoritative servers if you like.

I will add those to the soa record of the zone file on bitbucket and configure dee to serve it. (and for dum, and kernigan to secondary)

Last edited 3 months ago by D Delmar Davis

comment:15 Changed 3 months ago by Glen. E. Ropella

When I try to assign them as IP addresses, I get an error 820.

Changed 3 months ago by Glen. E. Ropella

error 820 from the ip addresses

comment:16 Changed 3 months ago by Glen. E. Ropella

I think I'll just move the domain. I wanted to wait until closer to expiration to avoid losing that little bit of money. But hostpapa is too painful.

comment:17 Changed 3 months ago by D Delmar Davis

Ok well dee is set up to serve what is in the master zone file. And the secondaries are set up to pull from dee.

https://bitbucket.org/suspectdevicesadmin/dnsserversetup/src/master/zones/tdi.hosts

You should change the name servers to point to them before disengaging from hostpapa.
How long do you plan on keeping these servers? (Looking at making the secondaries from suspectdevices authoritative)

comment:18 Changed 3 months ago by Glen. E. Ropella

Hostpapa responded to a ticket saying they can set up the name servers for me, as usual. I'll see where that conversation goes. I told them to use dee.tempusdictum.com as the ns1, dum as ns2, and dns.suspectdevices.com as ns3.

I also found out that linode offers DNS:
https://www.linode.com/products/dns-manager/
But it's not clear how much that'll cost, probably less than running 2 small VMs. So, if things get set up, I'll keep dee and dum running for awhile. I'm also considering dumping both RimuHosting (where tempusdictum.com currently points) and DirectSpace (where cahlab.com and agent-based-modeling.com point) and moving to linode. So, maybe dee and dum will take on hosting roles.

comment:19 Changed 3 months ago by D Delmar Davis

Ok AFAIK dee is set up the way the dns is currently (except for the wildcards. I can add the wildcards though I have never used them myself.) So if you make it and the secondaries authoritative we should be ok. The current model is to pull from the private repo since bitbucket will require us to set up an account to push any changes. It's not a huge task to add an httpd server to handle a post commit hook however I prefer to keep my hands on until everything settles.

Also if you decide that a while is longer than a year or two we should consider adding your servers to our ansible pets which get updated whenever either ubuntu (or now debian) notifies us that updates are available. I know that we are supposed to treat our systems like cattle but I am one to prefer pets where you care about them and you pay attention to them.

comment:20 Changed 3 months ago by D Delmar Davis

And I added ns3 to the zone file.

comment:21 Changed 3 months ago by Glen. E. Ropella

OK. I tried to edit the tdi.hosts to look like what GitLab expects (cf https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/).

comment:22 Changed 3 months ago by D Delmar Davis

Corrected the serial# pulled to dee and reloaded.
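Added illustration (not code from the repo or either participant) of why the serial fix above matters for the dee/dum/kernigan arrangement in comment 17: a secondary only refreshes when the primary's SOA serial is newer under RFC 1982 serial arithmetic, so a primary whose serial is "corrected" downward silently leaves the secondaries serving the old zone. The YYYYMMDDnn convention and the sample serial values are assumptions for the example.

```python
import datetime as dt

SERIAL_MODULUS = 2 ** 32   # SOA serials are unsigned 32-bit (RFC 1982)
SERIAL_HALF = 2 ** 31

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True when serial a is 'newer' than serial b.

    Unlike plain integer comparison this survives the 2^32 wrap, but two
    values more than 2^31 apart are unordered (both directions are False).
    """
    a, b = a % SERIAL_MODULUS, b % SERIAL_MODULUS
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)

def secondary_needs_refresh(primary_serial: int, secondary_serial: int) -> bool:
    """The decision a secondary makes after the SOA query of its refresh cycle."""
    return serial_gt(primary_serial, secondary_serial)

def serial_rollback_is_safe(new_serial: int, secondaries_have: int) -> bool:
    """A corrected serial is only picked up if it is still newer than what the
    secondaries already pulled; otherwise they keep the stale copy."""
    return serial_gt(new_serial, secondaries_have)

def bump_serial(current: int, today_yyyymmdd: str) -> int:
    """Next serial in the assumed YYYYMMDDnn convention.

    today_yyyymmdd is the date as 'YYYYMMDD' (in practice
    dt.date.today().strftime('%Y%m%d')). First edit on a new day gives the
    date followed by 00; further edits the same day, or a current value that
    is somehow already ahead of today's date, give current + 1.
    """
    candidate = int(today_yyyymmdd + "00")
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % SERIAL_MODULUS

if __name__ == "__main__":
    # Constructed values: the secondaries pulled serial 2021072503 earlier today.
    pulled = 2021072503
    today = dt.date(2021, 7, 25).strftime("%Y%m%d")
    print(bump_serial(pulled, today))                    # 2021072504
    print(serial_rollback_is_safe(2021072500, pulled))   # False: no refresh
```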

comment:23 Changed 3 months ago by D Delmar Davis

Also added tempestdictum.com to named.conf.local (references the same zone file), as well as configuring the secondaries.
And updated the documentation. Gotta go sort packages in the heat now.

Last edited 3 months ago by D Delmar Davis

comment:24 Changed 3 months ago by Glen. E. Ropella

OK. I finally managed to get a working DNS entry, but not on hostpapa. It's on name-services.com. So, now when I go to tempusdictum.com the GitLab pages show up. I can't set the name servers to dee and dum. So, I intend to transfer all my domains off hostpapa. I remember you recommended dotster a long time ago. I used them. But they seemed expensive. So I stopped using them. Is dotster your only recommendation? If so, how much does it cost per year, per domain?

Last edited 3 months ago by D Delmar Davis

Changed 3 months ago by D Delmar Davis

Attachment: dotster.png added

domain name pricing.

comment:25 Changed 3 months ago by D Delmar Davis

It's gotten extremely market driven of late.

comment:26 Changed 3 months ago by D Delmar Davis

But I have been paying 15 a year per domain and haven't really had many complaints.

comment:27 Changed 2 months ago by D Delmar Davis

And so you don't need these set up?

comment:28 Changed 2 months ago by Glen. E. Ropella

"Need"? No. But I still want my own name servers. I just *can't* assign them with Hostpapa. Now I need to transfer the domain to a registrar that allows me to use my own name servers. I think I'll go with dynadot for these. But hostpapa didn't send me the transfer code when I requested it. So, I imagine there'll be yet another round of support tickets to get that done. Pfft.

comment:29 Changed 2 months ago by Glen. E. Ropella

So, as expected, another round on a ticket with hostpapa showed that they (or I?) never set the contact information for the domains after canvashost.com was acquired by hostpapa.com. My original provider was hostpond.com, which was located in Sellwood just south of Portland proper. Anyway, now ICANN will put a 60 day lock on the domains, after which I can move them willy nilly. So I won't need dee and dum for another 2 months. But my plan is to move some services (email and/or web hosting) to a Linode hosted machine at some point. Maybe dee or dum can do that double duty someday.

comment:30 Changed 2 months ago by D Delmar Davis

Well, they are ready when you are. I will hold off making them authoritative for my domains until they are actually in production.
In the meantime I will apply any patches that my debian canary (kernigan) lets me know about.

Cheers.

comment:31 Changed 2 months ago by Glen. E. Ropella

Excellent. Thanks so much. I owe you at least some beer. We have an all lager brewery walking distance from the house here in Oly ... which explains that spare tire around my waist.

comment:32 Changed 8 weeks ago by D Delmar Davis

Updated all 3 servers.
Notice this update included a kernel upgrade. This did not cause any problems with Kernigan, however,
I did not reboot dee and dum as I do not have console access nor an established maintenance window.

apticron report [Sun, 25 Jul 2021 13:47:05 -0700]
========================================================================

apticron has detected that some packages need upgrading on:

kernigan
[ 198.202.31.142 ]

The following packages are currently pending an upgrade:

krb5-locales 1.17-3+deb10u2
libgssapi-krb5-2 1.17-3+deb10u2
libk5crypto3 1.17-3+deb10u2
libkrb5-3 1.17-3+deb10u2
libkrb5support0 1.17-3+deb10u2

========================================================================

Package Details:

apt-listchanges: Reading changelogs...
apt-listchanges: Changelogs


--- Changes for krb5 (krb5-locales libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0) ---
krb5 (1.17-3+deb10u2) buster-security; urgency=high

  • Import upstream patch for CVE-2021-36222, Closes: #991365

-- Benjamin Kaduk <kaduk@…> Thu, 22 Jul 2021 18:11:15 -0700

========================================================================

You can perform the upgrade by issuing the command:

apt-get dist-upgrade

as root on kernigan

--

comment:33 Changed 8 weeks ago by Glen. E. Ropella

If you sign up as a user on linode, I should be able to give you console access.

comment:34 Changed 8 weeks ago by D Delmar Davis

At which point I would own the box and we might have to discuss much more beer :)
I keep track of when an update touches the kernel or initrd so there are no surprises when reboots do occur.
My personal feeling is it's your box, you boot it. But, I am flexible here. I will look at linode when I get off the clock.

Last edited 8 weeks ago by D Delmar Davis

comment:35 Changed 8 weeks ago by D Delmar Davis

They want a credit card for the free account. I guess we will coordinate reboots so if things go south you can go to the virtual server room.
:)

comment:36 Changed 8 weeks ago by Glen. E. Ropella

That's fine with me. You can do a $ sudo reboot, which is what I did. But if you send me the email address you'd want to use, I think I can invite you to my linode account without you entering your own card number. I'm fine either way. Thanks.

comment:37 Changed 8 weeks ago by D Delmar Davis

Cool! go ahead and use don@…

comment:38 Changed 8 weeks ago by Glen. E. Ropella

Sorry. "don" was taken. I had to use "dondd". Stupid usernames. Don't run up my bill! 8D

comment:39 Changed 8 weeks ago by D Delmar Davis

I am in a give us your cc info loop with them so I can't use that email address.

I can't even open a ticket.

MOTHER FUCKERS!

You tell them your sysadmin is not impressed.

Also ddavis or delmar is preferred nowadays don is for family.

comment:40 Changed 8 weeks ago by Glen. E. Ropella

[sigh] OK. I added you as ddelmardavis@…. If that doesn't work, we'll fall back on within VM reboots or only me with access to the console.

comment:41 Changed 7 weeks ago by D Delmar Davis

Thanks. I will make sure I can connect later today.

comment:42 Changed 7 weeks ago by D Delmar Davis

I just talked to their customer service. All new accounts require credit card info. Will have to notify you when it's time to reboot.

comment:43 Changed 7 weeks ago by Glen. E. Ropella

That seems a little ... capitalist. Thanks.
