[tech] UCC DNS - quovadis.ucc.asn.au, LE certificates for UCC proxmox hosts, and zonemake.py updates

Mark Tearle mtearle at ucc.asn.au
Fri Mar 26 19:25:09 AWST 2021


Hi folks

I've been meaning to send an update continuing on from below

* octoDNS patches have been merged, just waiting on a release to happen from the upstream
* Looked at how to do the CI and I think I now know how to do it
* Implemented a solution for LE certs with DNS challenges for firewalled hosts - see below about quovadis
* Implemented user database caching in zonemake.py and is running on mooneye

Next steps:

* Build development VMs for rebuilding UCC internal DNS server infrastructure (mooneye) - both authoritative and resolver
* Implement CI for UCC DNS

On quovadis,

* Provides an API to update _acme-challenge DNS entries (delegated via a CNAME in the ucc.machines / zonemake.py setup)
* Uses desec.io to host a zone that can be updated via an API for the challenges
* Has an example certbot helper script

https://quovadis.ucc.asn.au/quovadis/

Code is in the UCC gitlab - https://gitlab.ucc.asn.au/UCC/quovadis/

[MSH] this should help out with the certs that you wanted for evil.ucc.asn.au

The above is probably a bit of a crappy explanation of what it does, and how it works, poke me in person for a better one.


Cheers,
Mark

--

Mark Tearle <mtearle at ucc.asn.au>

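The quovadis arrangement above (static CNAME from each host's _acme-challenge label into a separate API-updatable zone, plus a certbot helper) is small enough to show end to end. The following is an added example and is not code from quovadis or the UCC gitlab; the delegated zone name `acme.example.net.`, the host names, the in-memory zone table standing in for live DNS, the per-host credential scope, and the RRset body shape (modelled on deSEC's subname/type/ttl/records fields) are all assumptions. The security-relevant part is `authorize_update`: the update API only writes the TXT record if the caller's credential is for the host being validated and that host's challenge label actually CNAMEs into its own slot in the delegated zone, so one host's credential cannot plant a token for another host.

```python
import json
import os
import re

# Hypothetical delegated zone at an API-updatable provider; stands in for the
# desec.io-hosted zone the message describes. The name is an assumption.
DELEGATED_ZONE = "acme.example.net."

# Constructed stand-in for live DNS: owner name -> (rrtype, rdata).
# Each firewalled host gets a static CNAME from its _acme-challenge label into
# the delegated zone, so the only records that ever change live in that zone.
ZONE_DATA = {
    "_acme-challenge.box1.internal.example.org.":
        ("CNAME", "box1.internal.example.org.acme.example.net."),
    "_acme-challenge.box2.internal.example.org.":
        ("CNAME", "box2.internal.example.org.acme.example.net."),
    # Not delegated: the API must refuse to write a token for this host.
    "_acme-challenge.box3.internal.example.org.": ("TXT", '"stale"'),
    # Misconfigured loop: resolution must terminate and fail cleanly.
    "_acme-challenge.loop.internal.example.org.":
        ("CNAME", "_acme-challenge.loop.internal.example.org."),
}

# certbot's CERTBOT_VALIDATION for DNS-01 is the base64url SHA-256 of the key
# authorization: exactly 43 URL-safe characters, no padding.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
MAX_CNAME_DEPTH = 8


def fqdn(name):
    """Normalise to a lower-case, dot-terminated owner name."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def challenge_name(domain):
    return "_acme-challenge." + fqdn(domain)


def resolve_cname_target(name, zone=ZONE_DATA):
    """Follow CNAMEs from `name`; return the final owner name, or None on a loop."""
    name = fqdn(name)
    for _ in range(MAX_CNAME_DEPTH):
        rr = zone.get(name)
        if rr is None or rr[0] != "CNAME":
            return name
        name = fqdn(rr[1])
    return None


def subname_for(target):
    """Label relative to the delegated zone, as an RRset API expects it."""
    return fqdn(target)[: -len("." + DELEGATED_ZONE)]


def authorize_update(domain, token, scope):
    """Check the update API makes before touching any record.

    `scope` is the host the caller's API credential was issued for (assumed
    per-host credentials). Returns (ok, reason, target_owner_name).
    """
    if not TOKEN_RE.match(token):
        return False, "validation value is not a 43-char base64url string", None
    if fqdn(domain) != fqdn(scope):
        return False, "credential is scoped to a different host", None
    target = resolve_cname_target(challenge_name(domain))
    if target is None:
        return False, "CNAME chain too long or looping", None
    expected = fqdn(domain) + DELEGATED_ZONE  # this host's own slot
    if target != expected:
        return False, "challenge label does not CNAME to " + expected, None
    return True, "ok", target


def build_rrset(target, token, ttl=3600):
    """Upsert body for the delegated zone (deSEC-style fields; an assumption)."""
    return {
        "subname": subname_for(target),
        "type": "TXT",
        "ttl": ttl,
        "records": ['"' + token + '"'],
    }


def hook_request(environ=None, scope=""):
    """What a certbot --manual-auth-hook would send to the update API.

    certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook process.
    """
    environ = os.environ if environ is None else environ
    domain = environ.get("CERTBOT_DOMAIN", "")
    token = environ.get("CERTBOT_VALIDATION", "")
    ok, reason, target = authorize_update(domain, token, scope)
    if not ok:
        raise PermissionError(f"{domain}: {reason}")
    return build_rrset(target, token)


if __name__ == "__main__":
    # Constructed hook environment, as certbot would supply it.
    demo_token = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP_"
    for host in ("box1.internal.example.org", "box3.internal.example.org"):
        env = {"CERTBOT_DOMAIN": host, "CERTBOT_VALIDATION": demo_token}
        try:
            print(host, "->", json.dumps(hook_request(env, scope=host)))
        except PermissionError as e:
            print("refused:", e)
```

A matching `--manual-cleanup-hook` receives the same variables and should delete the TXT RRset for the same subname so tokens do not accumulate in the delegated zone; the auth hook should also wait out the delegated zone's TTL (or query its authoritative servers) before returning, otherwise the CA may look up the record before it is visible.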

On Thu, 14 Jan 2021, at 9:38 PM, Mark Tearle wrote:
> Hi folks
> 
> This evening's update:
>  * ucc.asn.au is now synced from ucc.machines and zonemake.py to Cloudflare
>  * Will need to chat with [MPT] about a couple of things that might need cleaning up
> Next steps are:
>  * Ensure octoDNS patches get merged upstream and use upstream version installed under /usr/local/octodns (for LOC and Null SRV records)
>  * Migrate this into some form of CI arrangement based off git
>  * Work out and implement solution for LE certs with DNS challenges
>  * Rebuild UCC internal DNS server infrastructure (mooneye) - both authoritative and resolver
> Changes should start becoming easier from now on in :) Let me know if I've broken anything ...
> 
> Cheers,
> Mark
> --
> 
> Mark Tearle <mtearle at ucc.asn.au>
> 
> 
> On Sat, 5 Dec 2020, at 11:54 PM, Mark Tearle wrote:
>> Hi folks
>> 
>> This evening's update:
>>  * Audit ucc.gu.uwa.edu.au and ucc.asn.au for the necessary changes needed in ucc.machines for syncing to Cloudflare
>>  * making OctoDNS work under Python 3.9 ( https://github.com/github/octodns/pull/632 ) - Pull request has been merged
>>  * fix zonemake.py to naturally sort the keys in the octoDNS YAML output
>>  * discovered problem with NULL SRV records ( https://github.com/github/octodns/issues/640 )
>>  * temporarily commented out open.ucc.gu.uwa.edu.au and v.ucc.gu.uwa.edu.au subdomains (will discuss with [MPT] )
>>  * Made backups before syncing
>>  * Add config under /usr/local/octodns (in the script and config directory) for ucc.gu.uwa.edu.au and ucc.asn.au
>>  * Sync'd ucc.gu.uwa.edu.au up to Cloudflare
>>  * Reviewed changes with audit script afterwards
>> Next steps are:
>>  * Repeat above similarly for ucc.asn.au once NULL SRV bug is tracked down
>>  * Ensure octoDNS patches get merged upstream and use upstream version installed under /usr/local/octodns
>>  * Migrate this into some form of CI arrangement based off git
>>  * Work out solution for LE certs with DNS challenges
>>  * Rebuild UCC internal DNS server infrastructure (mooneye) - both authoritative and resolver
>> 
>> Cheers
>> Mark
>> --
>> Mark Tearle <mtearle at tearle.com>
>> 
>> 
>> 
>> On Tue, 1 Dec 2020, at 9:39 PM, Mark Tearle wrote:
>>> Hi folks
>>> 
>>> I've been working on providing the ability to sync from our local DNS config with appropriate changes up to Cloudflare.
>>> 
>>> To date this has involved the following:
>>>  * hacking zonemake.py to output a YAML file for each zone, adding tags, and config to reflect proxying scenarios
>>>  * writing a quick audit script to work out what changes would be needed to ucc.machines in advance of the sync
>>>  * hacking zonemake.py to output a YAML file in the form OctoDNS requires
>>>  * making OctoDNS work under Python 3.9 ( https://github.com/github/octodns/pull/632 )
>>>  * making OctoDNS support LOC records ( https://github.com/github/octodns/pull/635 )
>>>  * writing a quick script on mooneye - /usr/local/octodns/update-ucc-cloudflare.sh - to run the necessary octoDNS commands to do the sync
>>> Currently only ucc.guild.uwa.edu.au is being synced. /usr/local/octodns/update-ucc-cloudflare.sh currently points at my local development installation of octoDNS
>>> 
>>> Next steps are:
>>>  * Audit ucc.gu.uwa.edu.au and ucc.asn.au for the necessary changes needed in ucc.machines for syncing to Cloudflare
>>>  * Make liberal backups before syncing
>>>  * Add config under /usr/local/octodns (in the script and config directory) for ucc.gu.uwa.edu.au and ucc.asn.au
>>>  * Sync these up to Cloudflare
>>>  * Review changes with audit script afterwards
>>>  * Ensure octoDNS patches get merged upstream and use upstream version installed under /usr/local/octodns
>>>  * Migrate this into some form of CI arrangement based off git
>>>  * Work out solution for LE certs with DNS challenges
>>>  * Rebuild UCC internal DNS server infrastructure (mooneye) - both authoritative and resolver
>>> 
>>> Happy to explain in more detail over a video chat, or IRC, or over pizza when I'm in Perth
>>> 
>>> Cheers,
>>> Mark
>>> --
>>> Mark Tearle <mtearle at ucc.asn.au>
>>> 
>>> _______________________________________________
>>> List Archives: http://lists.ucc.asn.au/pipermail/tech
>>> 
>>> Unsubscribe here: https://lists.ucc.gu.uwa.edu.au/mailman/options/tech/mtearle%40ucc.gu.uwa.edu.au
>>> 
>> 
> 