DSA/ Debian System Administrators' Blog
Martin Zobel-Helas Howto mess up the Debian Project homepage

I recently blogged about the GeoDNS setup we plan for security.debian.org. Even though all DSA team members agree that the GeoDNS setup for security.debian.org should come alive as soon as possible, we still fear to break an important service like security.d.o.

Yesterday I decided without further ado to float a trial balloon and converted DNS entries for the Debian Project homepage to our GeoDNS setup. While doing so, we found out that some part of our automatic deployment scripts still need to be adjusted to serve more than one subdomain of the project.

That setup is live for about eighteen hours now, and the project homepage now resolves it IPs via GeoDNS. For now, we are using senfl.d.o for Northern America, www.de.debian.org and www.debian.at for Europe and klecker.d.o for the rest of the world. From what I can see from GeoDNS logs, it seems to work fine, and the load stays reasonably low, so after a short test period we might add additional services like security.debian.org to GeoDNS.

Posted 2009-07-02
Martin Zobel-Helas Setting up GeoDNS for security.debian.org

DSA is currently playing around with a patched version of bind9 (based on a patch we received from kernel.org people) to implement GeoDNS for security.debian.org. You might have noticed that we currently have a round robin list of up to seven hosts in the security.debian.org rotation. Depending on time and luck your apt currently might pick a host which is located half around the globe for you, resulting in sometimes really slow download rates.

Idea

The current idea is to only present a list of security mirrors to you which are located on the continent you live on. We are aware that this won't work for all continents at the moment. For this reason we are also currently moving machines around the globe.

How to test

The easiest way for you to test is using bind9's dig command.

When trying from Germany one should get:

zobel@lunar:~% dig -ttxt +short security.geo.debian.org
"Europe view"

When trying from US one should get:

zobel@gluck:~% dig -ttxt +short security.geo.debian.org
"North America view"

Technique

The patch we used for bind9 uses libgeoip and MaxMind's GeoLite Country database. This patch was necessary to get bind to play nicely.

As we don't want to break security.debian.org at this stage of our testing, we decided to add a new subdomain security.geo.debian.org with which we are currently playing.

Having an ACL for EU defining all the countries belonging to the European Subcontinent, a config sniplet for security.debian.org's zone looks like this:

// Europe
acl EU {
        country_AD;
        country_AL;
        country_AT;
        country_AX;
        country_BA;
        country_BE;
        country_BG;
        country_BY;
        country_CH;
        country_CZ;
        country_DE;
        country_DK;
        country_EE;
        country_ES;
        country_FI;
        country_FO;
    ...
}

view "EU" {
        match-clients {
                EU;
        };
        zone "security.geo.debian.org" {
                type master;
                file "/etc/bind/zones/security.debian.org.EU.zone";
                notify no;
        };
};

To be sure we don't miss any contries, we added an additional view default, to catch what we didn't catch with the country codes:

view "other" {
        match-clients { any; };
        zone "security.geo.debian.org" {
                type master;
                file "/etc/bind/db.security.debian.org";
                notify no;
        };
};
Posted 2009-06-21