Re: DNS delegation
Fri, 15 Mar 2019 13:49:57 +0100
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Julien Lepiller <address@hidden> writes:
> On 2019-03-13 16:00, Ludovic Courtès wrote:
>> Hi Julien,
>> Julien Lepiller <address@hidden> writes:
>>> we've already discussed that multiple times, we'd like to have a DNS
>>> delegation for guix.gnu.org, so that we can manage the zone ourselves
>>> without having to rely too much on fsf sysadmins.
>>> Here is a patch (untested) that aims at doing that. I've configured
>>> bayfront and berlin to be DNS authoritative servers. bayfront is the
>>> master (it is the one that needs to be updated when a change happens
>>> in the zone), and berlin is set as slave (it will automatically follow
>>> changes in bayfront). I've enabled dnssec on bayfront, since it's the
>>> one that's going to sign the zone, and transfer signatures to its
>> Cool, thanks for working on it!
>>> Currently the zone (in modules/sysadmin/dns.scm) is incomplete. What
>>> needs to be there?
>> I guess we’d need to have roughly the same entries as we currently have
>> on guix.info, so what you wrote is a good start and we can always
>>> From 331a85e469579c02a3fc338a6fb0bade3916c666 Mon Sep 17 00:00:00 2001
>>> From: Julien Lepiller <address@hidden>
>>> Date: Mon, 4 Mar 2019 22:00:22 +0100
>>> Subject: [PATCH] hydra: Add dns services for guix.gnu.org.
>>> * hydra/bayfront.scm (services): Add knot-service.
>>> * hydra/berlin.scm (services): Add knot-service.
>>> * hydra/modules/sysadmin/dns.scm: New file.
>> So it looks like this does the work on the Guix side.
>> We now need to get the gnu.org admins to delegate to both bayfront and
>> berlin, is that correct? Anything else we need to do?
> I didn't think too much about it, but we need to host the website
> (guix.gnu.org) somewhere and configure a vhost/server block accordingly,
Yes, but that’s once DNS is appropriately set up. I was asking about
what needs to be done to complete the DNS setup.
> unless gnu.org/software/guix stays the official website?
I think gnu.org/s/guix would redirect to guix.gnu.org, which would be
bayfront+berlin. The issue that remains to be addressed in this context
is how to get Certbot to properly renew the certificate given that
guix.gnu.org points to two different machines. IIRC you and others had
found a solution, but I don’t remember what it was and it needs to be
actually implemented. :-)