how to update DNS resource records

updating standard resource records

For most zones, the hidden primary DNS server is denis, with RcodeZero, Netnod and easyDNS providing public-facing secondary servers.

Zone files are managed via a git repository. Pushing commits into the git repository will invoke a post-commit hook that causes the recompilation and reload of the zone files.

Some subdomains (specifically www.debian.org; previously security.debian.org) are served by the autodns/geodns setup on geo{1,2,3}. Their zone files are managed by a separate git repository.

Note that denis runs both bind (which generates and serves our zones) and unbound (the local resolver). unbound listens on localhost, while bind answers queries addressed to denis.debian.org, whether they come from the host itself (dig @denis.debian.org) or from the secondaries.

updating DNSSEC records

When nagios complains about impending DS expiry, take the DS record for the new key from /srv/dns.debian.org/var/keys/$zone/dsset and get it published in the parent zone: for forward zones, add it at the registrar (gandi); for reverse zones, ask the parent zone operator to add it. The exception is the UBC IPv4 reverse zone, 16.87.209.in-addr.arpa, which is delegated to DSA at ARIN, so we can add the DS record there ourselves. Add the new DS alongside the old one rather than replacing it; once the parent publishes it, check that dnsviz.net is happy with the new key, then leave the old DS in place for a day or so before removing it. For the debian.org and 29.172.in-addr.arpa zones, also update the trust anchors in puppet.
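The check a practitioner wants before and after touching the registrar is whether the DS records generated next to the zone's keys match what the parent actually publishes. The script below is an added example, not part of the DSA tooling; it assumes the dsset file uses the dnssec-dsfromkey / dnssec-signzone layout ("zone. IN DS keytag alg dtype digest") and that the parent-side input is dig +noall +answer DS output, and the DS data it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the DSA tooling: compare the DS records generated
# next to a zone's keys with the DS RRset the parent actually publishes, so a
# rollover can be verified before and after touching the registrar.
#
# Assumptions (not stated on the page): the dsset file uses the
# dnssec-dsfromkey / dnssec-signzone layout "zone. IN DS keytag alg dtype digest",
# and the parent side is `dig +noall +answer DS zone` output, which adds a TTL.

# ds_compare CHILD_DSSET PARENT_DS
# Prints one line per DS record:
#   OK ...                 present on both sides
#   MISSING_AT_PARENT ...  generated locally, not (yet) published by the parent
#   ONLY_AT_PARENT ...     published by the parent but no longer generated here;
#                          normally the previous key, to be removed only after
#                          the new one has been seen validating for a day or so
# Exit status is 1 if any record is MISSING_AT_PARENT, 0 otherwise.
ds_compare() {
    awk '
    # Reduce a DS record to "keytag alg dtype DIGEST", ignoring the owner name,
    # an optional TTL, case, and any whitespace dig may put inside the digest.
    function norm(    i, j, d) {
        for (i = 1; i <= NF; i++) if ($i == "DS") break
        if (i + 4 > NF) return ""
        d = ""
        for (j = i + 4; j <= NF; j++) d = d $j
        return $(i + 1) " " $(i + 2) " " $(i + 3) " " toupper(d)
    }
    /^[ \t]*;/ || NF == 0 { next }        # skip comments and blank lines
    FNR == NR { k = norm(); if (k != "") child[k] = 1; next }   # first file (must be non-empty)
    { k = norm(); if (k != "") parent[k] = 1 }                  # second file
    END {
        rc = 0
        for (k in child) {
            if (k in parent) print "OK " k
            else { print "MISSING_AT_PARENT " k; rc = 1 }
        }
        for (k in parent) if (!(k in child)) print "ONLY_AT_PARENT " k
        exit rc
    }' "$1" "$2"
}

# Constructed sample: KSK 23456 has just been generated and is not yet at the
# registrar; the parent still carries the DS of the retired key 34567.
CHILD_DSSET='debian.org.   IN DS 12345 8 2 8E5F1D3B2A4C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3E4F50
debian.org.   IN DS 23456 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
PARENT_DS='debian.org.  86400  IN  DS  12345 8 2 8e5f1d3b2a4c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f50
debian.org.  86400  IN  DS  34567 8 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210'

# Runs ds_compare on the constructed sample; real use is
#   ds_compare /srv/dns.debian.org/var/keys/$zone/dsset parent-ds.txt
demo_ds_compare() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$CHILD_DSSET" > "$tmp/dsset"
    printf '%s\n' "$PARENT_DS" > "$tmp/parent"
    ds_compare "$tmp/dsset" "$tmp/parent"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_ds_compare || echo "=> a generated DS is not yet published by the parent"
```

Run it once before adding the DS at the registrar (expect MISSING_AT_PARENT for the new key), again once the parent publishes it (expect OK for both keys), and a final time after removing the old DS a day or so later (no ONLY_AT_PARENT lines left). It complements the dnsviz.net check rather than replacing it: dnsviz also verifies that the DNSKEY and signatures behind the DS actually validate.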

fixing expired signatures

If dnsviz.net reports that some signatures have expired, stop bind on denis, remove all of the generated files from /srv/dns.debian.org/var/generated/$zone (leaving just the zone file itself and the serial), and force a zone update so that the serial is bumped. This makes bind re-sign the zone from scratch, and the higher serial is what makes the secondaries transfer the freshly signed zone. Finally, start bind again and re-check the signatures, on the secondaries as well as on denis.
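To confirm the problem before the re-sign, and to confirm afterwards that denis and each secondary are serving fresh signatures, the RRSIG expiry can be checked directly from dig output instead of waiting for the next dnsviz.net run. The script below is an added example, not part of the DSA tooling; the dig answer it runs on is constructed, and the "now" timestamp is passed in so the result is reproducible.

```shell
#!/bin/sh
# Added example, not part of the DSA tooling: check the RRSIGs a server hands
# out for expiry, locally and immediately, rather than waiting for dnsviz.net.
#
# Input is `dig +dnssec +noall +answer` output (one record per line, so not
# +multiline). RRSIG presentation format (RFC 4034) is
#   owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
# with expiration/inception as YYYYMMDDHHMMSS in UTC, so they compare numerically.

# check_rrsigs NOW < dig-output
# NOW is the current UTC time in the same YYYYMMDDHHMMSS form.
# Prints one line per RRSIG: EXPIRED, NOT_YET_VALID or OK, then owner, covered
# type, keytag and expiry. Exit status is 1 if any signature is not currently
# valid, 0 otherwise. Records other than RRSIG are ignored.
check_rrsigs() {
    awk -v now="$1" '
    BEGIN { rc = 0 }
    $4 == "RRSIG" {
        expiry = $9 + 0; incept = $10 + 0
        if (expiry <= now + 0)     { st = "EXPIRED";       rc = 1 }
        else if (incept > now + 0) { st = "NOT_YET_VALID"; rc = 1 }
        else                         st = "OK"
        printf "%s %s %s keytag=%s expires=%s\n", st, $1, $5, $11, $9
    }
    END { exit rc }'
}

# Constructed sample answer: the SOA signature made with key 12345 ran out on
# 2024-02-15; key 54321 has a current SOA signature and an NS signature whose
# inception is still in the future (clock skew on the signer shows up the same way).
SAMPLE_ANSWER='debian.org. 3600 IN SOA denis.debian.org. hostmaster.debian.org. 2024020101 1800 600 1814400 600
debian.org. 3600 IN RRSIG SOA 8 2 3600 20240215000000 20240115000000 12345 debian.org. AbCdEf==
debian.org. 3600 IN RRSIG SOA 8 2 3600 20240301000000 20240201000000 54321 debian.org. GhIjKl==
debian.org. 3600 IN RRSIG NS 8 2 3600 20240325000000 20240225000000 54321 debian.org. MnOpQr=='

# Demo at a fixed "now" (2024-02-20 12:00 UTC); against a live server use
#   dig +dnssec +noall +answer @denis.debian.org debian.org SOA | check_rrsigs "$(date -u +%Y%m%d%H%M%S)"
printf '%s\n' "$SAMPLE_ANSWER" | check_rrsigs 20240220120000 || echo "=> re-sign needed"
```

After the re-sign, run the same command with @ pointing at each secondary in turn: a secondary that still returns EXPIRED has not transferred the new zone, which usually means the serial did not actually go up.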

untrusted anchors on newly bootstrapped systems

If a host was puppetized less than 30 days before the debian.org trust anchor was replaced, it will not yet have had time to bootstrap trust in the new anchor: unbound tracks anchors with RFC 5011 automated updates, and a newly seen key only becomes trusted after its 30-day add hold-down. Checking /var/lib/unbound/debian.org.key on the host will reveal that the new anchor is still in the "ADDPEND" state.

To resolve this, stop unbound, replace /var/lib/unbound/debian.org.key with the copy of the anchor from Puppet, and start unbound again.
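Checking the anchor file by eye works for one host; across a fleet it is easier to have a script read the state of each anchor and fail when anything is not VALID. The script below is an added example, not part of the DSA tooling; the anchor file it runs on is constructed and follows the per-DNSKEY comment layout unbound writes (";{id = KEYTAG (ksk), ...}" and ";;state=N [ NAME ]"), which should be checked against a real /var/lib/unbound/debian.org.key rather than taken from here.

```shell
#!/bin/sh
# Added example, not part of the DSA tooling: report the RFC 5011 state of every
# anchor in an unbound auto-trust-anchor file, so a host whose new debian.org
# anchor is still in the 30-day add hold-down can be found before it matters.
#
# The sample below is constructed; it follows the per-DNSKEY comment layout
# unbound writes to such files, ";{id = KEYTAG (ksk), ...}" and
# ";;state=N [ NAME ]", but check that against /var/lib/unbound/debian.org.key
# on a real host rather than trusting this file.

ANCHOR_FILE_SAMPLE='; autotrust trust anchor file
;;id: debian.org. 1
;;last_queried: 1705000000 ;;Thu Jan 11 20:26:40 2024
;;last_success: 1705000000 ;;Thu Jan 11 20:26:40 2024
;;next_probe_time: 1705003600 ;;Thu Jan 11 21:26:40 2024
;;query_failed: 0
;;query_interval: 3600
;;retry_time: 3600
debian.org. 3600 IN DNSKEY 257 3 8 AwEAAexampleOLDkey== ;{id = 12345 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1700000000 ;;Tue Nov 14 22:13:20 2023
debian.org. 3600 IN DNSKEY 257 3 8 AwEAAexampleNEWkey== ;{id = 23456 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=5 ;;lastchange=1704000000 ;;Sun Dec 31 06:40:00 2023'

# anchor_states FILE
# Prints "keytag STATE" for every DNSKEY line in FILE. Exit status is 0 only if
# every anchor is VALID; anything else (e.g. ADDPEND) gives 1.
anchor_states() {
    awk '
    BEGIN { rc = 0 }
    $4 == "DNSKEY" {
        id = "?"; state = "?"
        if (match($0, /id = [0-9]+/)) id = substr($0, RSTART + 5, RLENGTH - 5)
        if (match($0, /;;state=[0-9]+ \[[^]]*\]/)) {
            state = substr($0, RSTART, RLENGTH)
            sub(/^.*\[ */, "", state)     # drop ";;state=N [" and padding
            sub(/ *\]$/, "", state)       # drop padding and "]"
        }
        print id, state
        if (state != "VALID") rc = 1
    }
    END { exit rc }' "$1"
}

# Runs anchor_states on the sample; real use is
#   anchor_states /var/lib/unbound/debian.org.key
demo_anchor_states() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$ANCHOR_FILE_SAMPLE" > "$tmp"
    anchor_states "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_anchor_states || echo "=> anchor not VALID: stop unbound, install the key file from Puppet, start unbound"
```

A non-zero exit on a host is the cue for the manual fix above; re-run it after unbound is back up and the line for the new keytag should read VALID.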