Connection test authoritative NS issues #1176

Open
1 of 11 tasks
bwbroersma opened this issue Nov 14, 2023 · 2 comments · May be fixed by #1182
@bwbroersma (Collaborator) commented Nov 14, 2023

Connection test DNS issues, see DNSViz and/or Zonemaster for test-ns-signed.internet.nl.

  • remove old DS record (id=25189) - update: removed 2024-01-19, see DNSViz
  • mismatched PTR result (cannot solve this, unless the NS would change from ns.test-ns-signed.internet.nl to internet.nl., which could be done?)
  • revert the 'Simplify NS setup for test-ns-signed', or actually use the main domain as NS? (internet.nl, since this also fixes the PTR). I prefer the latter; see the previous and next points:
    $ dig +noall +nottlid +authority @ns1.sidnlabs.nl NS test-ns-signed.internet.nl
    test-ns-signed.internet.nl. IN	NS	proloprod.internet.nl.
    $ dig +noall +nottlid +answer @proloprod.internet.nl NS test-ns-signed.internet.nl
    test-ns-signed.internet.nl. IN	NS	ns.test-ns-signed.internet.nl.
  • currently ns.test-ns-signed.internet.nl has no MX, SPF, etc.; actually testing it in the web test is what gave reason to open these issues:
  • upgrade from 1024 RSA to at least 2048 RSA (8), or 512 bits ECDSA P-256 (13)? (needs another DS update)
    Change algorithm to -a ECDSAP256SHA256 or add -b 2048:
    ldns-keygen -k -a RSASHA256 test-ns-signed.$CONN_TEST_DOMAIN > ns_keytag.$CONN_TEST_DOMAIN
    ldns-keygen -k -a RSASHA256 test-ns6-signed.$CONN_TEST_DOMAIN > ns6_keytag.$CONN_TEST_DOMAIN
    • add option to supply private keys via env for easier deployment (less deploy-DNS roundtrips)
  • Disable recursor in config of test-ns-signed
  • Fix SOA MNAME
  • Remove incorrect comment? Since the zone file is not used twice:
    ; Zone used for both ipv4+ipv6 and ipv6 only delegation

    Maybe create test-ns6.zone.template based on test-ns.zone.template with awk? (but it's a bit cryptic, maybe explicitly repeat the ns-label, so a much simpler sed -r '/^ns\t+A\t/d' test-ns.zone.template > test-ns6.zone.template would suffice)
    $ awk '$1=="ns"{ns=1;next}ns==1{print"ns"$0;ns=0;next}{print}' test-ns.zone.template > test-ns6.zone.template
@bwbroersma bwbroersma added infrastructure-docker discuss Requires further team discussion and decisions labels Nov 14, 2023
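As an added example (not code from the Internet.nl repository or from the issue author), the script below turns the checklist above into offline checks: the parent/child NS-set comparison the two dig commands illustrate, the SOA MNAME sanity check, the IPv6-only template derivation that the sed/awk one-liners perform (it handles the owner-name-inheritance case the awk variant targets), and an RSA modulus-size check on a DNSKEY public key so a 1024-bit key is flagged against the 2048-bit target. All inputs are constructed: the NS sets mirror the quoted dig answers, the SOA MNAME values, the zone template and the RSA key blobs are hypothetical and not the project's real data.

```python
"""Offline checks for the test-ns-signed delegation points raised above.

Added example, not Internet.nl code. All inputs are constructed; a real
run would feed it the output of dig / ldns-read-zone instead.
"""
import base64
import re

# Constructed from the two dig answers quoted in the issue: the parent
# (ns1.sidnlabs.nl) delegates to proloprod.internet.nl., while the child
# zone itself lists ns.test-ns-signed.internet.nl.
PARENT_NS = {"proloprod.internet.nl."}
CHILD_NS = {"ns.test-ns-signed.internet.nl."}
# Hypothetical SOA MNAME values; the issue only says the MNAME is wrong.
SOA_MNAME_BAD = "localhost."
SOA_MNAME_GOOD = "ns.test-ns-signed.internet.nl."

# Constructed template in the style of test-ns.zone.template. The AAAA line
# relies on owner-name inheritance (blank first field), which is the case
# the awk one-liner in the issue handles by prefixing "ns".
ZONE_TEMPLATE = (
    "; Zone used for both ipv4+ipv6 and ipv6 only delegation\n"
    "$TTL\t300\n"
    "@\tSOA\tns hostmaster 1 3600 900 1209600 300\n"
    "@\tNS\tns\n"
    "ns\tA\t192.0.2.1\n"
    "\tAAAA\t2001:db8::1\n"
)

# DNSSEC algorithm numbers from the IANA registry.
RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 = 8, 10, 13, 14, 15
MIN_RSA_BITS = 2048


def delegation_mismatch(parent_ns, child_ns):
    """Return (only in parent, only in child); both empty means consistent."""
    return parent_ns - child_ns, child_ns - parent_ns


def soa_mname_ok(mname, child_ns):
    """The SOA MNAME should name one of the zone's own nameservers."""
    return mname in child_ns


def ipv6_only_template(template):
    """Derive the IPv6-only template: drop the 'ns A' line and, when the
    following line inherited the owner name, make 'ns' explicit."""
    out, fix_owner = [], False
    for line in template.splitlines():
        if re.match(r"^ns\t+A\t", line):
            fix_owner = True  # same as: sed -r '/^ns\t+A\t/d'
            continue
        if fix_owner and line.startswith("\t"):
            line = "ns" + line  # what the awk variant's print "ns" $0 does
        fix_owner = False
        out.append(line)
    return "\n".join(out) + "\n"


def rsa_modulus_bits(pubkey_b64):
    """Modulus size of an RSA DNSKEY public key (RFC 3110 wire format:
    exponent length (1 or 3 bytes), exponent, modulus)."""
    raw = base64.b64decode(pubkey_b64)
    if raw[0] != 0:
        exp_len, off = raw[0], 1
    else:
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    modulus = raw[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def dnskey_strength_ok(algorithm, pubkey_b64):
    """True if the key meets the issue's target: RSA >= 2048 bits, or an
    ECDSA/EdDSA algorithm (13, 14, 15). Older algorithms (e.g. 5, 7) fail."""
    if algorithm in (RSASHA256, RSASHA512):
        return rsa_modulus_bits(pubkey_b64) >= MIN_RSA_BITS
    return algorithm in (ECDSAP256SHA256, ECDSAP384SHA384, ED25519)


def fake_rsa_key(bits):
    """Constructed RSA public key blob (e=65537, all-ones modulus). Not a
    real key; it only has the right shape for the parser."""
    return base64.b64encode(b"\x03\x01\x00\x01" + b"\xff" * (bits // 8)).decode()


def report():
    """Run the checks on the constructed data; returns a list of findings."""
    findings = []
    only_parent, only_child = delegation_mismatch(PARENT_NS, CHILD_NS)
    if only_parent or only_child:
        findings.append(f"NS mismatch: parent {sorted(only_parent)} vs child {sorted(only_child)}")
    if not soa_mname_ok(SOA_MNAME_BAD, CHILD_NS):
        findings.append(f"SOA MNAME {SOA_MNAME_BAD} is not one of the zone's NS")
    if not dnskey_strength_ok(RSASHA256, fake_rsa_key(1024)):
        findings.append("KSK: RSA 1024 is below the 2048-bit minimum")
    return findings


if __name__ == "__main__":
    for finding in report():
        print(finding)
    print(ipv6_only_template(ZONE_TEMPLATE), end="")
```

To use it against the real zone, replace the constructed sets with the NS RRsets from the parent and child servers (the two dig commands above), the MNAME from the SOA, and the base64 public key field of the DNSKEY record; the algorithm check intentionally treats anything other than RSA >= 2048 or ECDSA/EdDSA as not meeting the target.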
bwbroersma added a commit to bwbroersma/Internet.nl that referenced this issue Nov 14, 2023
Partly fixes internetstandards#1176

Signed-off-by: Benjamin W. Broersma <bw@broersma.com>
mxsasha pushed a commit to bwbroersma/Internet.nl that referenced this issue Nov 15, 2023
Partly fixes internetstandards#1176

Signed-off-by: Benjamin W. Broersma <bw@broersma.com>
@baknu (Contributor) commented Nov 28, 2023

Hi @gthess, do you have any remarks/suggestions regarding the above? Thanks.

@gthess (Collaborator) commented Dec 5, 2023

For the old DS, algo update and SOA fix I agree. For the rest, and given that this is a test domain, I don't see a reason to care. For the disable recursor issue I have commented in the PR.

@bwbroersma bwbroersma removed the discuss Requires further team discussion and decisions label Mar 19, 2024