From: Ludovic Courtès
Subject: Re: DNS delegation
Date: Fri, 15 Mar 2019 13:49:57 +0100
To: Julien Lepiller
Cc: guix-devel@gnu.org, guix-sysadmin@gnu.org

Hi Julien,

Julien Lepiller wrote:

> On 2019-03-13 16:00, Ludovic Courtès wrote:
>> Hi Julien,
>>
>> Julien Lepiller wrote:
>>
>>> we've already discussed that multiple times, we'd like to have a DNS
>>> delegation for guix.gnu.org, so that we can manage the zone ourselves
>>> without having to rely too much on fsf sysadmins.
>>>
>>> Here is a patch (untested) that aims at doing that. I've configured
>>> bayfront and berlin to be DNS authoritative servers. bayfront is the
>>> master (it is the one that needs to be updated when a change
>>> happens in
>>> the zone), and berlin is set as slave (it will automatically follow
>>> changes in bayfront). I've enabled dnssec on bayfront, since it's the
>>> one that's going to sign the zone, and transfer signatures to its
>>> slave.
>>
>> Cool, thanks for working on it!
>>
>>> Currently the zone (in modules/sysadmin/dns.scm) is incomplete. What
>>> needs to be there?
>>
>> I guess we’d need to have roughly the same entries as we currently have
>> on guix.info, so what you wrote is a good start and we can always
>> adjust
>> later.
>>
>>> From 331a85e469579c02a3fc338a6fb0bade3916c666 Mon Sep 17 00:00:00 2001
>>> From: Julien Lepiller
>>> Date: Mon, 4 Mar 2019 22:00:22 +0100
>>> Subject: [PATCH] hydra: Add dns services for guix.gnu.org.
>>>
>>> * hydra/bayfront.scm (services): Add knot-service.
>>> * hydra/berlin.scm (services): Add knot-service.
>>> * hydra/modules/sysadmin/dns.scm: New file.
>>
>> So it looks like this does the work on the Guix side.
>>
>> We now need to get the gnu.org admins to delegate to both bayfront and
>> berlin, is that correct? Anything else we need to do?
>
> I didn't think too much about it, but we need to host the website
> (guix.gnu.org) somewhere and configure a vhost/server block accordingly,

Yes, but that’s once DNS is appropriately set up. I was asking about
what needs to be done to complete the DNS setup.

> unless gnu.org/software/guix stays the official website?

I think gnu.org/s/guix would redirect to guix.gnu.org, which would be
bayfront+berlin.

The issue that remains to be addressed in this context is how to get
Certbot to properly renew the certificate given that guix.gnu.org points
to two different machines. IIRC you and others had found a solution,
but I don’t remember what it was and it needs to be actually
implemented. :-)

Thoughts?

Ludo’.
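
The primary/secondary arrangement discussed in this thread can be checked once a delegation exists. The following is an added example, not part of the thread or of the patch: it compares what the parent zone delegates with what each server answers, and flags a secondary whose SOA serial lags the signing primary. The server names, serials and observations are constructed placeholders; in practice they would come from NS and SOA queries sent to each server.

```python
# Added example. All names and values below are constructed placeholders.

def serial_lt(a, b):
    """RFC 1982 serial arithmetic: True if 32-bit SOA serial a is older than b."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((b - a) & 0xFFFFFFFF) < 0x80000000

def check_delegation(parent_ns, primary, observed):
    """Return a list of findings for a delegated zone.

    parent_ns: NS names the parent zone publishes for the child zone.
    primary:   name of the server where the zone is edited and signed.
    observed:  per-server dict with 'aa' (authoritative-answer flag),
               'ns' (NS set that server returns) and 'serial' (SOA serial).
    """
    findings = []
    parent = {n.lower() for n in parent_ns}
    for name in sorted(parent - set(observed)):
        findings.append(f"{name}: delegated by parent but gave no answer")
    if primary not in observed:
        return findings + [f"{primary}: primary gave no answer, serials unchecked"]
    ref = observed[primary]["serial"]
    for name, obs in sorted(observed.items()):
        if not obs["aa"]:
            # The parent points here but the server does not serve the zone.
            findings.append(f"{name}: lame delegation (answer not authoritative)")
            continue
        child = {n.lower() for n in obs["ns"]}
        if child != parent:
            findings.append(f"{name}: NS set differs from parent: {sorted(child ^ parent)}")
        if serial_lt(obs["serial"], ref):
            # A stale secondary keeps serving old records and old signatures.
            findings.append(f"{name}: serial {obs['serial']} behind primary {ref}")
        elif serial_lt(ref, obs["serial"]):
            findings.append(f"{name}: serial {obs['serial']} ahead of primary {ref}")
    return findings

PRIMARY = "ns-bayfront.example."          # placeholder for the primary
PARENT_NS = [PRIMARY, "ns-berlin.example."]  # placeholder delegation
OBSERVED = {                               # constructed observations
    PRIMARY: {"aa": True, "ns": PARENT_NS, "serial": 2019031502},
    "ns-berlin.example.": {"aa": True, "ns": PARENT_NS, "serial": 2019031501},
}

if __name__ == "__main__":
    for finding in check_delegation(PARENT_NS, PRIMARY, OBSERVED):
        print(finding)
```
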