CAcert DNS zones
Latest commit: Kim Nilsson d09d38a794 Disable DKIM records (1 month ago)

Disabling DKIM as email/lists servers do not currently sign outgoing emails with DKIM. If they are ever updated with DKIM support in the future, please enable DKIM again. Perhaps it'll be necessary to create new DKIM records, and not just enable the old.
.gitignore Implement update-zones.py to update zones from git 2 years ago
6.1.6.0.8.b.7.0.1.0.0.2.ip6.arpa Add IPv6 PTR records 11 months ago
224-27.225.154.213.in-addr.arpa Fix reverse DNS for infra02 11 months ago
README.md Add README.md with usage documentation 2 years ago
cacert.com Add AAAA RR for cacert.com and cacert.net 2 years ago
cacert.net Add AAAA RR for cacert.com and cacert.net 2 years ago
cacert.org Disable DKIM records 1 month ago
update-zones.py Add support for secondary nameservers 2 years ago

README.md

CAcert DNS zones

CAcert runs its own public DNS nameservers on ns1 and ns2 in its BIT datacenter rack in Ede.

We use PowerDNS installed on Debian systems.

This repository contains a Python script update-zones.py that is used for updating DNS information from this Git repository.

The canonical URL for this repository is https://code.cacert.org/critical/dns-zones.git.

Prerequisites

The server certificate for https://code.cacert.org/ needs to be trusted. Therefore the CAcert root CA certificate needs to be put into /usr/local/share/ca-certificates (with a .crt file extension, otherwise update-ca-certificates ignores it) and has to be registered as trusted by running

update-ca-certificates

The update-zones.py script needs git, pdnsutil and python3. We only use the Python 3 standard library and no external dependencies. The script uses /usr/lib/sendmail to send change mails. Mail sending has been tested with ssmtp and exim4.

To make sure that all these prerequisites are met, you may run

apt install python3 ca-certificates pdns-server git mail-transport-agent

Cloning the repository

The git configuration on ns1 and ns2 has been adapted to allow remembering the credentials used to clone the repository. A separate user pdnssync has been set up for cloning the repository.

This repository is meant to be cloned on the CAcert DNS servers ns1 and ns2.

cd ~
git config --global credential.helper store
git config --global pull.ff only
git clone https://code.cacert.org/critical/dns-zones.git

Credentials will only be asked for on the initial clone. The credential helper records them in ~/.git-credentials; that file holds them in plain text, so it must stay readable only by the pdnssync user.

Updating zones

The user running the update needs read access to the configuration in /etc/powerdns (either member of the pdns group or root).

$ cd ~/dns-zones
$ git pull
$ ./update-zones.py

The update-zones.py script tracks the local status in a branch (default 'provisioned') that is updated when

  • a) zone changes have been applied, or
  • b) the running PowerDNS is configured as a secondary nameserver for the zones (nothing is loaded locally in that case)

The update-zones.py script should be run on both nameservers.
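To make the update step above concrete, here is an added example that is not the project's update-zones.py: a dry-run planner that applies the same two rules. It assumes (these are assumptions, not facts from the repository) that each zone file sits at the repository root and is named after its zone, that the nameserver's role is read from a PowerDNS key=value configuration file, that zones are loaded with `pdnsutil load-zone ZONE FILE`, and that the 'provisioned' branch marks what has already been applied. The sample inputs at the bottom are constructed.

```python
"""
Added example (not the project's update-zones.py): a dry-run planner for
the zone update step described in the README.  Assumptions: zone files live
at the repository root and are named after their zone; the server role comes
from a PowerDNS key=value config; zones are loaded with `pdnsutil load-zone`.
"""
import subprocess
from pathlib import Path

# Repository files that are not zone files (names taken from the file listing).
NON_ZONE_FILES = {".gitignore", "README.md", "update-zones.py"}

# The README says the status branch defaults to 'provisioned'.
PROVISIONED_BRANCH = "provisioned"


def parse_pdns_config(text):
    """Parse PowerDNS key=value configuration text into a dict.

    '#' comments and blank lines are skipped. Repeated keys keep the last value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def is_secondary(settings):
    """True when PowerDNS is configured as a secondary (pre-4.5 key name: slave)."""
    for key in ("secondary", "slave"):
        if settings.get(key, "no").lower() in ("yes", "1", "true", "on"):
            return True
    return False


def zones_to_update(changed_paths):
    """Reduce changed repository paths to the sorted set of zone names to reload."""
    zones = set()
    for path in changed_paths:
        name = path.strip()
        # Skip non-zone files, hidden files and anything inside a subdirectory.
        if not name or name in NON_ZONE_FILES or "/" in name or name.startswith("."):
            continue
        zones.add(name)
    return sorted(zones)


def changed_paths_from_git(repo, base=PROVISIONED_BRANCH, head="HEAD"):
    """Ask git which files differ between the provisioned branch and HEAD."""
    out = subprocess.run(
        ["git", "-C", str(repo), "diff", "--name-only", f"{base}..{head}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.splitlines()


def plan_update(changed_paths, pdns_settings, repo="."):
    """Return the pdnsutil commands that would run; an empty plan on a secondary.

    Rule (b) of the README: on a secondary nothing is loaded locally, the
    provisioned branch would simply be advanced.  Rule (a): otherwise every
    changed zone file is (re)loaded.
    """
    if is_secondary(pdns_settings):
        return []
    repo = Path(repo)
    return [
        ["pdnsutil", "load-zone", zone, str(repo / zone)]
        for zone in zones_to_update(changed_paths)
    ]


if __name__ == "__main__":
    # Constructed stand-in for the output of `git diff --name-only provisioned..HEAD`.
    sample_changes = ["cacert.org", "README.md", "224-27.225.154.213.in-addr.arpa"]
    # Constructed pdns.conf fragment for a primary nameserver.
    sample_conf = "# constructed pdns.conf\nlaunch=bind\nprimary=yes\nsecondary=no\n"
    for cmd in plan_update(sample_changes, parse_pdns_config(sample_conf)):
        print(" ".join(cmd))
```

Because the planner only returns the commands instead of executing them, it can be run as the pdnssync user without write access to PowerDNS to review what an update would touch before running the real script as a member of the pdns group.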