guix.gnu.org sub-domain

guix.gnu.org sub-domain

[Ludovic Courtès]

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Regarding the GNU sub-domain, as I replied to Meiyo, I’m in favor of it,
>> all we need is someone to champion setting it up.
>
> I could help with this.  Whom should I contact?

We discussed this over the last few days in Paris and Julien (roptat on
IRC) volunteered to come up with a Knot service setup for bayfront.scm.
When that’s ready, we can contact the FSF sysadmins so they delegate to
bayfront.

I’m sure Julien wouldn’t mind getting some help or insight, so please do
get in touch!

Ludo’.

Re: guix.gnu.org sub-domain

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 271 bytes --]

Hi Ludo,

Ludovic Courtès <ludo@gnu.org> writes:

> I’m sure Julien wouldn’t mind getting some help or insight, so please do
> get in touch!

OK, I'll speak privately with Julien about the DNS setup to avoid adding
noise to this email thread.

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: guix.gnu.org sub-domain

[Amin Bandali]

On 2018-12-15  3:20 PM, Chris Marusich wrote:
> Hi Ludo,
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> I’m sure Julien wouldn’t mind getting some help or insight, so please do
>> get in touch!
>
> OK, I'll speak privately with Julien about the DNS setup to avoid adding
> noise to this email thread.
>
> -- 
> Chris
>

Hi Chris, Julien,

Any update on this?  I too had asked Ludo about DNS for guix.gnu.org a
couple of weeks ago, and he’d pointed me to the bayfront.scm [1] config
file, but I was swamped with work and only recently have found a bit of
free time on my hands.  While looking for information about Knot, I also
stumbled upon Julien’s configuration [2].  I was wondering if y’all were
able to spend any time on this, and if so, if you ended up committing
your progress anywhere?

Best,
amin

Footnotes:
[1]  https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/bayfront.scm

[2]  https://lepiller.eu/ma-configuration.html

guix.gnu.org sub-domain

[Ricardo Wurmus]

Hi Julien,

I just went through the list of things that we wanted to accomplish
before releasing 1.0.  One of them is the use of a guix.gnu.org
sub-domain.

Could you please let us know what the current status is regarding the
Knot DNS server configuration?

Cheers,

--
Ricardo

Re: guix.gnu.org sub-domain

[Ludovic Courtès]

Hello Julien,

Ricardo Wurmus <rekado@elephly.net> skribis:

> I just went through the list of things that we wanted to accomplish
> before releasing 1.0.  One of them is the use of a guix.gnu.org
> sub-domain.
>
> Could you please let us know what the current status is regarding the
> Knot DNS server configuration?

A friendly ping.  :-)

Thanks,
Ludo’.

Re: guix.gnu.org sub-domain

[Julien Lepiller]

Le 8 avril 2019 10:59:36 GMT+02:00, "Ludovic Courtès" <ludo@gnu.org> a écrit :
>Hello Julien,
>
>Ricardo Wurmus <rekado@elephly.net> skribis:
>
>> I just went through the list of things that we wanted to accomplish
>> before releasing 1.0.  One of them is the use of a guix.gnu.org
>> sub-domain.
>>
>> Could you please let us know what the current status is regarding the
>> Knot DNS server configuration?
>
>A friendly ping.  :-)
>
>Thanks,
>Ludo’.

I'm still unsure about how to update the certificates with the dns challenge. I found a script that could help us with updating the zone served by knot when it's configured as a master.

We could use that to update the required txt record, but we also need to make sure the change is propagated to the other server, because we don't know which server will be asked to answer the challenge.

With a further delegation of the record for the dns challenge we can have two masters, but I'm still stuck at finding a way to communicate the challenge between the two servers.

Ideas?

Re: guix.gnu.org sub-domain

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 1190 bytes --]

Hi Julien,

Thank you for working on this!

Julien Lepiller <julien@lepiller.eu> writes:

> I'm still unsure about how to update the certificates with the dns
> challenge. I found a script that could help us with updating the zone
> served by knot when it's configured as a master.
>
> We could use that to update the required txt record, but we also need
> to make sure the change is propagated to the other server, because we
> don't know which server will be asked to answer the challenge.
>
> With a further delegation of the record for the dns challenge we can
> have two masters, but I'm still stuck at finding a way to communicate
> the challenge between the two servers.
>
> Ideas?

Can we update the DNS dynamically [1]?  Can you share the script?

I still don't know as much about Knot as I should, but I'm surprised
that a change to the primary server's database would not be propagated
to the secondary server's database automatically.  Can you elaborate on
what goes wrong, or maybe explain (even at a high level) how I can try
reproducing the problem with cert renewal locally?

Footnotes: 
[1]  https://tools.ietf.org/html/rfc2136

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: guix.gnu.org sub-domain

[Julien Lepiller]

Le 9 avril 2019 03:48:02 GMT+02:00, Chris Marusich <cmmarusich@gmail.com> a écrit :
>Hi Julien,
>
>Thank you for working on this!
>
>Julien Lepiller <julien@lepiller.eu> writes:
>
>> I'm still unsure about how to update the certificates with the dns
>> challenge. I found a script that could help us with updating the zone
>> served by knot when it's configured as a master.
>>
>> We could use that to update the required txt record, but we also need
>> to make sure the change is propagated to the other server, because we
>> don't know which server will be asked to answer the challenge.
>>
>> With a further delegation of the record for the dns challenge we can
>> have two masters, but I'm still stuck at finding a way to communicate
>> the challenge between the two servers.
>>
>> Ideas?
>
>Can we update the DNS dynamically [1]?  Can you share the script?
>
>I still don't know as much about Knot as I should, but I'm surprised
>that a change to the primary server's database would not be propagated
>to the secondary server's database automatically.  Can you elaborate on
>what goes wrong, or maybe explain (even at a high level) how I can try
>reproducing the problem with cert renewal locally?
>
>Footnotes: 
>[1]  https://tools.ietf.org/html/rfc2136

What I found consists in using knotc to update the zone served by knot with knotc, but it only update it locally (and to slaves). So we have no issue with that method when we want to automate certs from the primary, but I don't know how to propagate the change back to the master when we ask for certs on the secondary.

I'll have a look at the rfc.