DNS: Difference between revisions
m (clarification) |
(Add instructions for the new IPAM system) |
||
(10 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
== IST DNS == |
== IST DNS == |
||
The University of Waterloo's DNS is managed through [ |
The University of Waterloo's DNS is managed through it's [https://ipam.private.uwaterloo.ca IP Address Management system]. IST has published some information on the [https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/43401052394/IP+Address+Management IST Knowledge Base]. |
||
People who have access to |
People who have access to Infoblox: |
||
* mspang |
|||
* ztseguin |
|||
⚫ | |||
* API account located in the standard syscom place |
|||
=== Managing Records === |
|||
[http://www.isc.org/software/bind BIND9] is running on [[Machine_List#caffeine|caffeine]] (master) and [[Machine_List#taurine|taurine]] (slave). We do not currently have ns1.csclub.uwaterloo.ca or similar hostnames, so refer to them by either these names or their IP addresses (129.97.134.17 and 129.97.134.34, respectively). |
|||
There are two primary types of records that are maintained: Hosts and Aliases. |
|||
''Note: Use the v4 and v6 toggles in the top left to switch between IPv4 and IPv6 networks.'' |
|||
At present, we do not host any subzones of uwaterloo.ca (IST's nameservers continue to be used for csclub.uwaterloo.ca etc.). If we wanted to do this, we would have to ask IST. |
|||
==== Add a new host ==== |
|||
As with Apache vhosts, zone changes must be made by [[Systems Committee|syscom]]. The following instructions assume that caffeine will be the primary (master) DNS server. If this is not the case, adjust the configuration directives as appropriate. |
|||
# Go to https://ipam.private.uwaterloo.ca |
|||
To create a new zone, an entry should be added in <tt>/etc/bind/named.conf.local</tt> on caffeine: |
|||
# Click on IPAM -> Networks |
|||
# Locate the appropriate network for the server |
|||
# Click on the IP address that you want to register |
|||
# Set the appropriate information |
|||
## Set the "MAC" address of the machine (''note: CSC networks don't use the IST DHCP system, so this is effectively ignored'') |
|||
## Under "IPAM to DNS replication" |
|||
### Domain: Click the grey button next to the text box and change "Inherit" to "Set". Then select the "csclub.uwaterloo.ca" domain (or other as appropriate) |
|||
### Shortname: The machine's name (e.g., caffeine) |
|||
## At the bottom |
|||
### Add "systems-committee@csclub.uwaterloo.ca" as a Technical Contact |
|||
### Select the appropriate Pol8 Classification (usually Public) |
|||
# Click "Next" |
|||
# Click "Next" |
|||
# Add any aliases for the host (these will be created as CNAME records) |
|||
# Click "OK" |
|||
Repeat the instructions for the IPv6 entry, however you may need to click the "+" to add the IP address on the network. |
|||
// Calum's site (ctdalek) |
|||
zone "ctdalek.net" { |
|||
type master; |
|||
file "/etc/bind/zones/ctdalek.net"; |
|||
}; |
|||
==== Add/remove an alias to an existing host ==== |
|||
A brief comment including the username of the member to whom the zone belongs would be appreciated. Additional configuration directives could be added, but sensible defaults are used. If the settings for zone transfers are changed, taurine must be among the allowed hosts so that it can mirror caffeine correctly. Create a corresponding entry in taurine's <tt>named.conf.local</tt> file. |
|||
* Go to https://ipam.private.uwaterloo.ca |
|||
// Calum's site (ctdalek) |
|||
* Click on IPAM -> Networks |
|||
zone "ctdalek.net" { |
|||
* Locate the appropriate network for the server |
|||
type slave; |
|||
* Click on the IP address associated with the '''destination''' server (e.g., caffeine) |
|||
file "/etc/bind/zones/ctdalek.net"; |
|||
* If you get sent to a blank list.. click the "Address" object in the breadcrumb |
|||
masters { 129.97.134.17; }; |
|||
* Click "Edit" under the ALIASES section on the screen |
|||
}; |
|||
* Click "Next" twice |
|||
* Add or remove the alias to the list |
|||
* Click "OK" |
|||
⚫ | |||
CSC hosts some authoritative dns services on ext-dns1.csclub.uwaterloo.ca (129.97.134.4/2620:101:f000:4901:c5c::4) and ext-dns2.csclub.uwaterloo.ca (129.97.18.20/2620:101:f000:7300:c5c::20). |
|||
Make sure that caffeine's IP is specified as the master. Finally, create the actual zone on caffeine (e.g. <tt>/etc/bind/zones/ctdalek.net</tt>). For example: |
|||
Current authoritative domains: |
|||
$TTL 1h |
|||
@ IN SOA caffeine.csclub.uwaterloo.ca. ctdalek.csclub.uwaterloo.ca. ( |
|||
1 ; Serial |
|||
24h ; Refresh |
|||
30m ; Retry |
|||
30d ; Expire |
|||
1h ; Minimum |
|||
) |
|||
@ IN NS caffeine.csclub.uwaterloo.ca. |
|||
@ IN NS taurine.csclub.uwaterloo.ca. |
|||
@ IN A 129.97.134.17 |
|||
@ IN MX 10 aspmx.l.google.com. |
|||
mail IN CNAME ghs.google.com. |
|||
* csclub.cloud |
|||
A few things to note here. caffeine should be specified as the primary nameserver in the SOA record, and the member's csclub email address (with @ replaced by .) should be used as the contact. The serial can be any unsigned 32-bit integer, but it must increase when the zone is updated. The two most common conventions are to simply count upwards, or to use the current date (in yyyymmdd format). We can have a long refresh time because caffeine will notify taurine when the zone has changed (long before the refresh timeout). Finally, the nameservers should include caffeine and taurine at a minimum. |
|||
* uwaterloo.club |
|||
* csclub.uwaterloo.ca: A script (/opt/bindify/update-dns on dns1) runs every 10 minutes to populate this zone from the IPAM records. |
|||
Those DNS servers are also recursive for machines located on the University network. |
|||
To have BIND9 reload all configuration, run <tt>sudo rndc reload</tt> on caffeine (and on taurine, if you've modified configuration there). '''You should do this after adding a new zone on any nameserver (including slaves).''' |
|||
=== Updating records === |
|||
If you've modified a zone, run <tt>sudo rndc reload ctdalek.net</tt> (or whatever the zone is). This does not shutdown the DNS server, so this helps minimize service interruptions. Finally, reloading the zone on caffeine causes it to automatically notify taurine to initiate a zone transfer. As a result, modifying a zone on caffeine does not require any action to be taken on taurine. |
|||
If you manually update a record in the dns1 container (somewhere in /etc/bind), make sure you also update the serial number for the SOA record for the corresponding zone. Then, run <code>rndc reload</code>. |
|||
== Miscellaneous == |
== Miscellaneous == |
Latest revision as of 18:00, 16 March 2024
IST DNS
The University of Waterloo's DNS is managed through it's IP Address Management system. IST has published some information on the IST Knowledge Base.
People who have access to Infoblox:
- ztseguin
- API account located in the standard syscom place
Managing Records
There are two primary types of records that are maintained: Hosts and Aliases.
Note: Use the v4 and v6 toggles in the top left to switch between IPv4 and IPv6 networks.
Add a new host
- Go to https://ipam.private.uwaterloo.ca
- Click on IPAM -> Networks
- Locate the appropriate network for the server
- Click on the IP address that you want to register
- Set the appropriate information
- Set the "MAC" address of the machine (note: CSC networks don't use the IST DHCP system, so this is effectively ignored)
- Under "IPAM to DNS replication"
- Domain: Click the grey button next to the text box and change "Inherit" to "Set". Then select the "csclub.uwaterloo.ca" domain (or other as appropriate)
- Shortname: The machine's name (e.g., caffeine)
- At the bottom
- Add "systems-committee@csclub.uwaterloo.ca" as a Technical Contact
- Select the appropriate Pol8 Classification (usually Public)
- Click "Next"
- Click "Next"
- Add any aliases for the host (these will be created as CNAME records)
- Click "OK"
Repeat the instructions for the IPv6 entry, however you may need to click the "+" to add the IP address on the network.
Add/remove an alias to an existing host
- Go to https://ipam.private.uwaterloo.ca
- Click on IPAM -> Networks
- Locate the appropriate network for the server
- Click on the IP address associated with the destination server (e.g., caffeine)
- If you get sent to a blank list.. click the "Address" object in the breadcrumb
- Click "Edit" under the ALIASES section on the screen
- Click "Next" twice
- Add or remove the alias to the list
- Click "OK"
CSC DNS
CSC hosts some authoritative dns services on ext-dns1.csclub.uwaterloo.ca (129.97.134.4/2620:101:f000:4901:c5c::4) and ext-dns2.csclub.uwaterloo.ca (129.97.18.20/2620:101:f000:7300:c5c::20).
Current authoritative domains:
- csclub.cloud
- uwaterloo.club
- csclub.uwaterloo.ca: A script (/opt/bindify/update-dns on dns1) runs every 10 minutes to populate this zone from the IPAM records.
Those DNS servers are also recursive for machines located on the University network.
Updating records
If you manually update a record in the dns1 container (somewhere in /etc/bind), make sure you also update the serial number for the SOA record for the corresponding zone. Then, run rndc reload
.
Miscellaneous
LOC Records
If we really cared, we might add a LOC record for csclub.uwaterloo.ca.
SSHFP
We could look into SSHFP records. Apparently OpenSSH supports these. (Discussion moved to Talk:DNS.)