CAcert DNS zones
2022-10-23 13:33:43 +02:00
Repository contents (file, last commit message, commit date):

  .gitignore                                 Implement update-zones.py to update zones from git   2022-10-23 08:02:52 +00:00
  6.1.6.0.8.b.7.0.1.0.0.2.ip6.arpa           manual import from ns1.cacert.org                    2022-10-23 10:41:58 +02:00
  224-27.225.154.213.in-addr.arpa            manual import from ns1.cacert.org                    2022-10-23 10:41:58 +02:00
  cacert.com                                 Add AAAA RR for cacert.com and cacert.net            2022-10-23 11:57:46 +02:00
  cacert.net                                 Add AAAA RR for cacert.com and cacert.net            2022-10-23 11:57:46 +02:00
  cacert.org                                 manual import from ns1.cacert.org                    2022-10-23 10:41:58 +02:00
  import_zone                                Add import_zone script from NS2                      2022-09-15 17:11:31 +02:00
  README.md                                  Add README.md with usage documentation               2022-10-23 13:33:43 +02:00
  update-zones.py                            Use git branch -D for reference_branch               2022-10-23 08:02:52 +00:00

CAcert DNS zones

CAcert runs its own public DNS nameservers on ns1 and ns2 in its BIT datacenter rack in Ede.

We use PowerDNS installed on Debian systems.

This repository contains the zone files for the CAcert domains and a Python script, update-zones.py, that is used to load zone changes from this Git repository into the local PowerDNS.

The canonical URL for this repository is https://code.cacert.org/critical/dns-zones.git.

Prerequisites

Git clones the repository over HTTPS, so the server certificate for https://code.cacert.org/ needs to be trusted by the system. Therefore the CAcert root CA certificate (PEM format, with a .crt extension, otherwise it is ignored) needs to be put into /usr/local/share/ca-certificates and has to be registered as trusted by running

update-ca-certificates

The update-zones.py script needs git, pdnsutil and python3. We only use the Python 3 standard library and no external dependencies. The script uses /usr/lib/sendmail to send notification mails about applied changes. Mail sending has been tested with ssmtp and exim4.

To make sure that all these prerequisites are met, you may run

apt install python3 ca-certificates pdns-server git mail-transport-agent

Cloning the repository

This repository is meant to be cloned on the CAcert DNS servers ns1 and ns2. A separate user, pdnssync, has been set up on both servers for cloning and updating the repository, and its git configuration has been adapted so that the credentials for the clone are remembered.

cd ~
git config --global credential.helper store
git config --global pull.ff only
git clone https://code.cacert.org/critical/dns-zones.git

Credentials will only be asked for on the initial clone. The credential helper records them in ~/.git-credentials. Note that the store helper keeps the password in plain text, so that file must stay readable only by the pdnssync user (git creates it with mode 0600; do not loosen that).

Updating zones

The user running the update needs read access to the configuration in /etc/powerdns (either member of the pdns group or root).

$ cd ~/dns-zones
$ git pull
$ ./update-zones.py

update-zones.py tracks the locally provisioned state in a branch (default 'provisioned') that is moved forward to the current HEAD when either

  a) the zone changes since that branch have been applied to the running PowerDNS, or
  b) the running PowerDNS is only responsible as secondary nameserver for the zones, so there is nothing to load locally.

The update-zones.py script should be run on both nameservers.
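To make the "reference branch" idea above concrete, here is a small git-driven zone loader written for this page. It is an added illustration, not CAcert's update-zones.py, and it assumes things the README does not state: zone files sit at the repository root and are named after their zone, helper files are skipped by name, the reference branch is called 'provisioned', and changed files are pushed into PowerDNS with `pdnsutil load-zone` followed by `pdnsutil check-zone`. The branch is only advanced once every pdnsutil call has succeeded, so a failed load is retried on the next run rather than silently dropped.

```python
#!/usr/bin/env python3
"""Minimal git-driven PowerDNS zone loader (added example, not update-zones.py).

Assumptions (not from the README): zone files at the repository root named
after the zone; 'provisioned' as reference branch; pdnsutil load-zone /
check-zone to apply and verify a changed zone file.
"""
import os
import subprocess
import sys

REFERENCE_BRANCH = "provisioned"          # default branch name given in the README
NON_ZONE_FILES = {".gitignore", "README.md", "update-zones.py", "import_zone"}


def parse_name_status(diff_output):
    """Turn `git diff --name-status` output into (zones_to_load, zones_deleted).

    Added, modified, renamed or copied zone files are loaded; deleted ones are
    only reported, because removing a zone from the nameserver should be a
    deliberate step. Helper files and anything in a subdirectory are ignored.
    """
    to_load, deleted = set(), set()
    for line in diff_output.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        status, path = parts[0][:1], parts[-1]   # renames list old and new path; keep the new one
        if "/" in path or path in NON_ZONE_FILES:
            continue
        if status == "D":
            deleted.add(path)
        else:
            to_load.add(path)
    return sorted(to_load), sorted(deleted)


def plan_commands(repo, zones):
    """pdnsutil calls for the changed zones: load the file, then verify the zone."""
    cmds = []
    for zone in zones:
        cmds.append(["pdnsutil", "load-zone", zone, os.path.join(repo, zone)])
        cmds.append(["pdnsutil", "check-zone", zone])
    return cmds


def git(repo, *args):
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout


def reference_exists(repo):
    return subprocess.run(["git", "-C", repo, "rev-parse", "--verify", "--quiet",
                           REFERENCE_BRANCH], capture_output=True).returncode == 0


def run_update(repo):
    """Apply zone changes since the reference branch, then advance the branch."""
    if reference_exists(repo):
        diff = git(repo, "diff", "--name-status", f"{REFERENCE_BRANCH}..HEAD")
    else:
        # First run: treat every tracked file as newly added.
        tracked = git(repo, "ls-tree", "--name-only", "HEAD").splitlines()
        diff = "\n".join(f"A\t{path}" for path in tracked)
    to_load, deleted = parse_name_status(diff)
    for zone in deleted:
        print(f"zone {zone} was removed from git; delete it manually if intended",
              file=sys.stderr)
    for cmd in plan_commands(repo, to_load):
        subprocess.run(cmd, check=True)          # stops on the first failure
    # Only reached when all loads and checks succeeded.
    git(repo, "branch", "-f", REFERENCE_BRANCH, "HEAD")
    return to_load


if __name__ == "__main__":
    print(run_update(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it from the clone as the user that may read /etc/powerdns, after `git pull`. Using `git branch -f` to move the reference branch is equivalent to deleting and recreating it, which is what the "Use git branch -D for reference_branch" commit in the listing above does.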