Managing DNSSEC signed zone files

The following zone files are currently managed in the dns.git repository hosted on puppetmaster01-back at /git/dns.git.

  1. gnome.org
  2. guadec.org
  3. gnomehispano.org
  4. gnomehispano.es
  5. guadec.es
  6. gimp.org
  7. gimp.net
  8. gtk.org

Updating DNS Zone files

Updates to the zone files listed above must be processed as follows:

  1. Log in to nsd01.gnome.org. Make sure to read these instructions first.
  2. git clone /srv/dns
  3. Make your modifications in dns/master/gnome.org (or the corresponding file for another zone). There is no need to bump the zone's serial number (S/N): do-domains does that automatically.
  4. Fix your path: export PATH="$PATH:/usr/sbin"
  5. Run the do-domains script at the top level of the dns git module.
  6. Commit to git by following the on-screen instructions.
  7. ansible-playbook -i inventory/ral3_rhel8 --limit nsd playbooks/ral3_rhel8.yml

Adding new ZONE files

  1. Log in to nsd01.gnome.org.
  2. cd /srv/dnssec-keys
  3. Copy the zone file you want to create keys for into the current directory.
  4. Run /usr/sbin/dnssec-keygen -a RSASHA1 -b 1024 -n ZONE $zone_file_name ; /usr/sbin/dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK $zone_file_name
     The first call creates the zone-signing key (ZSK), the second the key-signing key (KSK); each writes a K$zone_file_name+<alg>+<keytag>.key (public) and .private (secret) file. Note that RSASHA1 (algorithm 5) is listed as NOT RECOMMENDED for signing in RFC 8624 and a 1024-bit RSA key is below current minimums; for a new zone prefer -a RSASHA256 -b 2048 (or ECDSAP256SHA256). The .private files are the signing secrets and belong in /srv/dnssec-keys, not in the repository.
  5. Edit the zone you just created and append the contents of the .key files to the bottom of the zone (i.e. cat K$zone_file_name*.key >> $zone_file_name).
  6. Add the new zone to the signed_zones list in the do-domains script.
  7. Commit everything to the DNS tree and push your changes.
  8. Append the domain to https://gitlab.gnome.org/Infrastructure/ansible/-/blob/master/roles/nsd/vars/master.yml and https://gitlab.gnome.org/Infrastructure/ansible/-/blob/master/roles/nsd/vars/slave.yml
  9. Push your changes to Ansible.
  10. ansible-playbook -i inventory/ral3_rhel8 --limit nsd playbooks/ral3_rhel8.yml

The new zone only validates once a DS record derived from its KSK has been published in the parent zone through the registrar; that step is not covered on this page.

Verify that the domain has DNSSEC enabled

  1. dig . DNSKEY | grep -Ev '^($|;)' > root.keys
  2. dig +sigchase +trusted-key=./root.keys gnome.org. A | cat -n

The grep drops dig's comment and blank lines so that root.keys contains only the root DNSKEY records, which +sigchase uses as trust anchors while it walks the chain root -> org. -> gnome.org. and reports each RRSIG it validates. A failure at the gnome.org. step usually means the DS in the org. zone does not match the zone's KSK, or the signatures have expired. Note that +sigchase exists only in older dig builds (it was removed in BIND 9.12); on newer systems use delv gnome.org. A, which validates against its built-in root trust anchor, or query a validating resolver with dig +dnssec gnome.org. A and check that the ad flag is set.
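The chain walk above only succeeds when the DS published in the parent zone matches the KSK in the zone. The following is an added example (not part of this SOP or GNOME's tooling) that takes DNSKEY records in the presentation format printed by dig, keeps the KSKs (flags 257) and derives the RFC 4034 key tag and SHA-256 DS record, so the result can be compared with what the parent publishes (dig gnome.org. DS). The dig output and the public key blobs in it are constructed samples, not real keys.

```python
"""Derive the DS record a parent zone must publish for a zone's KSK.

Added example for this SOP page, not GNOME's own tooling. Parses DNSKEY
records in the presentation format `dig <zone> DNSKEY` prints, keeps the
KSKs (flags 257) and computes the RFC 4034 key tag plus the DS digest of
type 2 (SHA-256), the form most registrars accept.
"""
import base64
import hashlib
import struct

# Constructed sample of `dig example.org DNSKEY` output. The public key
# blobs (4 bytes each) are made up so the arithmetic is easy to follow;
# real RSA/ECDSA keys are far longer but are handled the same way.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.11.36 <<>> example.org DNSKEY
;; ANSWER SECTION:
example.org.\t3600\tIN\tDNSKEY\t256 3 8 AAEAAQ==
example.org.\t3600\tIN\tDNSKEY\t257 3 8 AAIAAw==

;; Query time: 1 msec
"""


def parse_dnskeys(text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) tuples,
    skipping dig's comment and blank lines (what grep -Ev '^($|;)' does)."""
    keys = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        owner = fields[0]
        flags, proto, alg = (int(f) for f in fields[4:7])
        # dig may split long base64 keys into space-separated chunks.
        pubkey = base64.b64decode("".join(fields[7:]))
        keys.append((owner, flags, proto, alg, pubkey))
    return keys


def wire_name(owner):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, ending in a zero byte."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, proto, alg, pubkey):
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag: sum the RDATA as 16-bit big-endian
    words, fold the carry once, keep the low 16 bits (not valid for
    algorithm 1, RSAMD5, which uses a different rule)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    if len(rdata) % 2:
        rdata += b"\x00"
    ac = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, proto, alg, pubkey):
    """DS record with digest type 2: SHA-256(owner wire name || DNSKEY RDATA).
    The digest is uppercased to match how dig prints DS answers."""
    digest = hashlib.sha256(wire_name(owner) + dnskey_rdata(flags, proto, alg, pubkey))
    tag = key_tag(flags, proto, alg, pubkey)
    return "%s IN DS %d %d 2 %s" % (owner, tag, alg, digest.hexdigest().upper())


def expected_ds_records(dig_output):
    """DS records for every KSK in the output (SEP bit, flags & 1, set: 257)."""
    return [ds_record(*k) for k in parse_dnskeys(dig_output) if k[1] & 0x0001]


if __name__ == "__main__":
    for rec in expected_ds_records(SAMPLE_DIG_OUTPUT):
        print(rec)
```

Feed it the real output of dig gnome.org. DNSKEY and compare the printed line with dig gnome.org. DS from the parent; a differing key tag or digest means the registrar still holds the DS of an old KSK.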

Adding and verifying SSHFP entries

  1. Run the following command on the target machine: ssh-keygen -r $(hostname --fqdn) -f /etc/ssh/ssh_host_rsa_key.pub
     This prints one SSHFP record per fingerprint type (1 = SHA-1, 2 = SHA-256) for the RSA host key; repeat it with the other host key files (ssh_host_ed25519_key.pub, ssh_host_ecdsa_key.pub) so that clients negotiating those key types can match as well.
  2. Copy the output under the SSHFP area of the target DNS zone file. ssh-keygen prints the name exactly as given, without a trailing dot; add the dot (host.gnome.org.) or shorten the name to its label relative to the zone origin, otherwise the record lands under host.gnome.org.gnome.org.
  3. Follow the steps outlined in the Updating DNS Zone files how-to above to process the update.
  4. Verify the SSHFP entry either with dig SSHFP $target_subdomain.gnome.org or with ssh -oVerifyHostKeyDNS=yes -v $target_subdomain.gnome.org. ssh only accepts the DNS fingerprint without prompting when the resolver returns the answer DNSSEC-validated (ad flag set); otherwise the -v output reports the match but the usual host key confirmation still appears.
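To see what step 1 and step 4 actually compare, here is an added example (not part of this SOP or of OpenSSH) that reproduces the SSHFP RDATA ssh-keygen -r derives from a public key file, namely the algorithm number from the key type, the fingerprint type, and the hex digest of the raw key blob, and checks records fetched from DNS against a local key. The host key used is a constructed ed25519 blob with a made-up 32-byte point; the hostname host.gnome.org. appears only as the record owner.

```python
"""Compute and check SSHFP records for an OpenSSH host public key.

Added example for this SOP page, not part of GNOME's tooling or OpenSSH.
It reproduces what `ssh-keygen -r <name> -f <key>.pub` emits (RFC 4255,
RFC 6594): `<name> IN SSHFP <algorithm> <fptype> <hex digest of the raw
key blob>`, and verifies SSHFP RDATA from DNS against a local key.
"""
import base64
import hashlib
import struct

# Algorithm numbers for the OpenSSH key type strings (RFC 4255, 6594, 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256.
SSHFP_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """SSH wire string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


# Constructed sample in the layout of /etc/ssh/ssh_host_ed25519_key.pub:
# an ed25519 blob whose 32-byte point is just 0x00..0x1f, not a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@constructed.example"
)


def sshfp_rdata(pubkey_line):
    """(algorithm, fptype, hexdigest) for one key line, one triple per
    fingerprint type, in the order ssh-keygen -r prints them."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)          # the digest covers the raw blob
    alg = SSHFP_ALGORITHMS[keytype]
    return [(alg, fptype, h(blob).hexdigest()) for fptype, h in sorted(SSHFP_DIGESTS.items())]


def sshfp_records(owner, pubkey_line):
    """Zone-file lines as ssh-keygen -r prints them. The owner is used
    verbatim, so pass a trailing dot for an absolute name."""
    return ["%s IN SSHFP %d %d %s" % (owner, a, t, d) for a, t, d in sshfp_rdata(pubkey_line)]


def key_matches_dns(pubkey_line, dns_rdatas):
    """True if any SSHFP RDATA string from DNS (the '<alg> <fptype> <hex>'
    part of a dig SSHFP answer, which dig prints in uppercase) matches the
    local key. Algorithm and fingerprint type must match as well as the digest."""
    expected = set(sshfp_rdata(pubkey_line))
    for rdata in dns_rdatas:
        alg, fptype, digest = rdata.split()[:3]
        if (int(alg), int(fptype), digest.lower()) in expected:
            return True
    return False


if __name__ == "__main__":
    for line in sshfp_records("host.gnome.org.", SAMPLE_KEY_LINE):
        print(line)
```

Point sshfp_rdata at the real contents of /etc/ssh/ssh_host_*_key.pub and pass the RDATA fields from dig SSHFP to key_matches_dns; a False result for every record is the same mismatch ssh reports in its -v output.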

Infrastructure/SOP/DNSSECZoneUpdates (last edited 2022-02-22 13:40:00 by AndreaVeri)