LoCoTeamsDNSAdmin
|
Size: 4009
Comment: Created page.
|
Size: 5297
Comment: UDP is going away in favour of TCP
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| This document is intended to be a guide for LoCo DNS administrators and LoCo contacts who have access to their domains DNS key. | <<Include(LoCoMenuHeader)>> |
| Line 3: | Line 3: |
| The documentation here only applies to LoCo sites which have their domain names registered on the Noris network. | This document is intended to be a guide for LoCo DNS administrators and LoCo contacts who have access to their domain's DNS key. This system uses [[https://secure.wikimedia.org/wikipedia/en/wiki/TSIG|TSIG]] for DNS changes. |
| Line 5: | Line 5: |
| If you: | |
| Line 7: | Line 6: |
| * are a LoCo contact and would like to have the DNS of your domain or subdomain updated, | The documentation here only applies to LoCo sites which have their domain names registered on Canonical's nameservers. If you are a LoCo contact and... * would like to have the DNS of your domain or subdomain updated, |
| Line 13: | Line 16: |
| In order to make changes to a DNS entry, you must have the [[http://www.ubuntu-eu.org/?page_id=5|nsset]] script and the Perl bindings for DNS installed (package: libnet-dns-perl). | In order to make changes to a DNS entry, you must have the [[attachment:nsset]] script and the Perl bindings for DNS installed (package: `libnet-dns-perl`). == Announcements == === 2022-06-14 === By the end of this week, `loco-dns.ubuntu.com` will be migrated to a server that will no longer accept updates via UDP. In order to keep using `nsset` for updates, please download the updated version as currently attached to this page. Link to attachment: [[attachment:nsset]]; link to diff: [[https://pastebin.ubuntu.com/p/w5nmRNn5y6/|nsset.patch]] (may not apply cleanly to your local copy). If you use another tool to perform DNS updates, please consult its documentation for information on switching to TCP. |
| Line 17: | Line 30: |
| * Check that the domain is hosted on the Noris network: | * Check that the domain is hosted on Canonical's nameservers: |
| Line 20: | Line 34: |
| whois ubuntu-se.org | grep Server | $ whois ubuntu-se.org | grep Server |
| Line 26: | Line 40: |
| Name Server:DNS1.NORIS.NET Name Server:DNS2.NORIS.NET Name Server:DNS3.NORIS.NET |
Name Server:NS1.CANONICAL.COM Name Server:NS2.CANONICAL.COM Name Server:NS3.CANONICAL.COM |
| Line 31: | Line 46: |
| ...if not, then the domain isn't on the Noris network and these steps don't apply to your domain. | ...if not, then the domain isn't on Canonical's nameservers and these steps don't apply to your domain. |
| Line 36: | Line 51: |
| dig @dns1.noris.net www.site.org | $ dig @ns1.canonical.com www.site.org |
| Line 39: | Line 56: |
| For example, with www.ubuntu-se.org: | For example, with `www.ubuntu-se.org`: |
| Line 42: | Line 59: |
| dig @dns1.noris.net www.ubuntu-se.org | $ dig @ns1.canonical.com www.ubuntu-se.org |
| Line 45: | Line 64: |
| And look for the answer section (where ADD.RIS.INH.ERE is the IPv4 address of the domain): | And look for the answer section (where `ADD.RIS.INH.ERE` is the IPv4 address of the domain): |
| Line 63: | Line 82: |
| * Use nsset to do the required change; the basic syntax of this command is: | * Use [[attachment:nsset]] to do the required change; the basic syntax of this command is: |
| Line 66: | Line 85: |
| ./nsset -k secret -K main-domain-name -z main-domain-name [operation] [domain-to-change] | $ ./nsset -s loco-dns.ubuntu.com -k secret -K main-domain-name -z main-domain-name [operation] [domain-to-change] |
| Line 71: | Line 92: |
| * '''-s''' is followed by the update-host for the domain. (loco-dns.ubuntu.com) | |
| Line 72: | Line 94: |
| * '''-K''' is the domain that the key belongs to. * '''-z''' is the [[http://en.wikipedia.org/wiki/DNS_zone|DNS zone]] the domain belongs to (usually the same as the domain). |
* '''-K''' is the domain that the key belongs to. The trailing dot may be necessary but doesn't hurt. * '''-z''' is the [[http://en.wikipedia.org/wiki/DNS_zone|DNS zone]] the domain belongs to (usually the same as the domain, can be left out). * '''-D''' is needed on newer Ubuntu systems, because of an obscure bug in the Perl DNS libraries. You'll get a bunch of debug info which you may ignore. |
| Line 83: | Line 106: |
| ./nsset -k blahfoobarblahbarfooblah -K ubuntu-se.org -z ubuntu-se.org -u www.ubuntu-se.org | $ ./nsset -s loco-dns.ubuntu.com -k blahfoobarblahbarfooblah -K ubuntu-se.org. -z ubuntu-se.org -u www.ubuntu-se.org |
| Line 86: | Line 111: |
| By running this command, we are updating the DNS entry for www.ubuntu-se.org. | By running this command, we are updating the DNS entry for `www.ubuntu-se.org`. |
| Line 88: | Line 113: |
| * Specify which IP to point the domain at; say we want to point www.ubuntu-se.org at 74.125.45.100 - this is done by typing: | * Specify which IP to point the domain at; say we want to point `www.ubuntu-se.org` at `74.125.45.100` - this is done by typing: |
| Line 94: | Line 119: |
| More records (such as MX ones) can be added by pressing enter and adding them on new lines. | Additional records (such as `MX` ones) can be added by pressing enter and adding them on new lines. |
| Line 103: | Line 128: |
| dig @dns1.noris.net www.ubuntu-se.org | $ dig @ns1.canonical.com www.ubuntu-se.org |
| Line 106: | Line 132: |
| And look for the changes you made in the Answer section. However, do note that the change can take up to 48 hours to spread through all the DNS servers on the Internet. | And look for the changes you made in the Answer section. Do note that the change can take up to 48 hours to spread through all the DNS servers on the Internet. If you run multiple changes in a short time, the servers at {{{canonical.com}}} may also reply with old data for a while. |
| Line 108: | Line 134: |
| And that's all there is too it! | And that's all there is to it! |
| Line 112: | Line 138: |
| If you need any more help, please send an email to rt@ubuntu.com explaining what your doing and the details of what your problem are. | If you need any more help, please send an email to rt@ubuntu.com explaining what you are trying to do and the details of the problem you are having. ---- CategoryLoCoTeams |
|
NEXT LOCO MEETING:This document is intended to be a guide for LoCo DNS administrators and LoCo contacts who have access to their domain's DNS key. This system uses TSIG for DNS changes.
The documentation here only applies to LoCo sites which have their domain names registered on Canonical's nameservers.
If you are a LoCo contact and...
- would like to have the DNS of your domain or subdomain updated,
- don't have the key for your domain and wish to have it,
- would like to have both of the above done,
...please email a GnuPG-signed message to rt@ubuntu.com with the request. In the case of an update please specify which IP address the new domain should have.
In order to make changes to a DNS entry, you must have the nsset script and the Perl bindings for DNS installed (package: libnet-dns-perl).
Announcements
2022-06-14
By the end of this week, loco-dns.ubuntu.com will be migrated to a server that will no longer accept updates via UDP.
In order to keep using nsset for updates, please download the updated version as currently attached to this page. Link to attachment: nsset; link to diff: nsset.patch (may not apply cleanly to your local copy).
If you use another tool to perform DNS updates, please consult its documentation for information on switching to TCP.
Steps to take
- Check that the domain is hosted on Canonical's nameservers:
$ whois ubuntu-se.org | grep Server
- This should display something like:
Name Server:NS1.CANONICAL.COM Name Server:NS2.CANONICAL.COM Name Server:NS3.CANONICAL.COM
- ..if not, then the domain isn't on Canonical's nameservers and these steps don't apply to your domain.
- Write down which IP the domain is currently pointing at - this is just in case something wrong happens and we want to revert back as soon as possible. This can be done with:
$ dig @ns1.canonical.com www.site.org
For example, with www.ubuntu-se.org:
$ dig @ns1.canonical.com www.ubuntu-se.org
And look for the answer section (where ADD.RIS.INH.ERE is the IPv4 address of the domain):
;; ANSWER SECTION: www.ubuntu-se.org. 3600 IN A ADD.RIS.INH.ERE
- Open up the file which contains the key for your domain, it should be something like this:
key ubuntu-se.org. {
algorithm hmac-md5;
secret "blahfoobarblahbarfooblah";
};Where the text after secret is the secret key for the domain name.
Use nsset to do the required change; the basic syntax of this command is:
$ ./nsset -s loco-dns.ubuntu.com -k secret -K main-domain-name -z main-domain-name [operation] [domain-to-change]
- Where:
-s is followed by the update-host for the domain. (loco-dns.ubuntu.com)
-k is followed by the secret key of the domain.
-K is the domain that the key belongs to. The trailing dot may be necessary but doesn't hurt.
-z is the DNS zone the domain belongs to (usually the same as the domain, can be left out).
-D is needed on newer Ubuntu systems, because of an obscure bug in the Perl DNS libraries. You'll get a bunch of debug info which you may ignore.
[operation] may be one of:
-a - add a new DNS entry for a subdomain.
-u - update a DNS entry for a subdomain.
-d - delete a DNS entry for a subdomain.
And finally [domain-to-change] is the subdomain to apply the change to.
For example:
$ ./nsset -s loco-dns.ubuntu.com -k blahfoobarblahbarfooblah -K ubuntu-se.org. -z ubuntu-se.org -u www.ubuntu-se.org
By running this command, we are updating the DNS entry for www.ubuntu-se.org.
Specify which IP to point the domain at; say we want to point www.ubuntu-se.org at 74.125.45.100 - this is done by typing:
A 74.125.45.100
Additional records (such as MX ones) can be added by pressing enter and adding them on new lines.
When you're finish with the changes you've made, press Ctrl-D. If all the changes were correct NOERROR will be displayed by the script, if not, an error will be be shown.
If you have made a mistake with a number and wish to stop the change, just press Ctrl-C and rerun the script.
- Check that the change was applied to the DNS server. This can be done by running this command once more:
$ dig @ns1.canonical.com www.ubuntu-se.org
And look for the changes you made in the Answer section. Do note that the change can take up to 48 hours to spread through all the DNS servers on the Internet. If you run multiple changes in a short time, the servers at canonical.com may also reply with old data for a while.
And that's all there is to it!
I need help with something
If you need any more help, please send an email to rt@ubuntu.com explaining what you are trying to do and the details of the problem you are having.
LoCoTeamsDNSAdmin (last edited 2024-02-25 14:45:51 by popey)