
Deploy Wikidough: Experimental DNS-over-HTTPS (DoH) public resolver
Open, Medium, Public

Description

This task tracks the deployment of Wikidough, a caching, recursive DNS-over-HTTPS resolver service.

It is currently an experiment and its use is discouraged until things are stable. If you still plan on using it, your help with the testing is appreciated, but please note that things may break and features may be deprecated at any time as we work towards finalizing this project.

Documentation for this project will be updated on the Wikitech page.


Event Timeline

There are a very large number of changes, so older changes are hidden.

Change 618349 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] aptrepo: add a component for pdns-recursor

https://gerrit.wikimedia.org/r/618349

Change 618349 merged by Ssingh:
[operations/puppet@production] aptrepo: add a component for pdns-recursor

https://gerrit.wikimedia.org/r/618349

Mentioned in SAL (#wikimedia-operations) [2020-08-04T18:55:17Z] <sukhe> upload pdns-recursor_4.3.3-1~deb10u1 to apt.wm.o (buster) - T252132

Change 618591 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] wikidough: enable QNAME minimisation for the dnsrecursor module

https://gerrit.wikimedia.org/r/618591

Change 618591 merged by Ssingh:
[operations/puppet@production] wikidough: enable QNAME minimisation for the dnsrecursor module

https://gerrit.wikimedia.org/r/618591

Change 620730 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] wikidough: increase TCP connection limits for dnsrecursor

https://gerrit.wikimedia.org/r/620730

Change 620730 merged by Ssingh:
[operations/puppet@production] wikidough: increase TCP connection limits for dnsrecursor

https://gerrit.wikimedia.org/r/620730

Change 623630 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] wikidough: add an option to set the landing page

https://gerrit.wikimedia.org/r/623630

Change 623630 merged by Ssingh:
[operations/puppet@production] wikidough: add an option to set the landing page

https://gerrit.wikimedia.org/r/623630

Mentioned in SAL (#wikimedia-operations) [2020-09-23T16:37:23Z] <sukhe> upload dnsdist_1.4.0-1~deb10u2 to apt.wm.o (buster) - T252132

Change 629434 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] hieradata: update preferred cipher suite order for Wikidough

https://gerrit.wikimedia.org/r/629434

Change 629434 merged by Ssingh:
[operations/puppet@production] hieradata: update preferred cipher suite order for Wikidough

https://gerrit.wikimedia.org/r/629434

Change 632735 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] wikidough: enable OCSP stapling in dnsdist

https://gerrit.wikimedia.org/r/632735

Change 632735 merged by Ssingh:
[operations/puppet@production] wikidough: enable OCSP stapling in dnsdist

https://gerrit.wikimedia.org/r/632735

Change 649674 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] dnsdist: respond to qtype=ANY queries with NOTIMP

https://gerrit.wikimedia.org/r/649674

Change 649674 merged by Ssingh:
[operations/puppet@production] dnsdist: respond to qtype=ANY queries with NOTIMP

https://gerrit.wikimedia.org/r/649674

Change 650532 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] dnsdist: update configuration variables in dnsdist.conf

https://gerrit.wikimedia.org/r/650532

Change 650532 merged by Ssingh:
[operations/puppet@production] dnsdist: update configuration variables in dnsdist.conf

https://gerrit.wikimedia.org/r/650532

Change 654275 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] dnsdist: allow custom headers in the HTTP response and enable HSTS

https://gerrit.wikimedia.org/r/654275

Change 654275 merged by Ssingh:
[operations/puppet@production] dnsdist: allow custom headers in the HTTP response and enable HSTS

https://gerrit.wikimedia.org/r/654275

Mentioned in SAL (#wikimedia-operations) [2021-01-13T16:39:51Z] <sukhe> upload pdns-recursor_4.4.2-2wm1 to apt.wm.o (buster) - T252132

Mentioned in SAL (#wikimedia-operations) [2021-02-01T17:10:07Z] <sukhe> upload dnsdist_1.5.1-3wm1 to apt.wm.o (buster) - T252132

Change 660868 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] wikidough: update description for role

https://gerrit.wikimedia.org/r/660868

Change 660868 merged by Ssingh:
[operations/puppet@production] wikidough: update description for role

https://gerrit.wikimedia.org/r/660868

Change 685030 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] wikidough: add nrpe::monitor_service

https://gerrit.wikimedia.org/r/685030

Change 685571 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] aptrepo: add a component for knot-dnsutils

https://gerrit.wikimedia.org/r/685571

Change 685800 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:wikidough: Add tcp connect checks for DoH and DTLS

https://gerrit.wikimedia.org/r/685800

Change 685030 abandoned by Ssingh:

[operations/puppet@production] wikidough: add nrpe::monitor_service

Reason:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/685800/

https://gerrit.wikimedia.org/r/685030

Change 685823 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] nagios_common: add check_tcp_ssl

https://gerrit.wikimedia.org/r/685823

Change 685823 merged by Ssingh:

[operations/puppet@production] nagios_common: add check_tcp_ssl

https://gerrit.wikimedia.org/r/685823

Change 686534 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] O:nagios_common: drop -c/-w they are not what i thought

https://gerrit.wikimedia.org/r/686534

Change 686534 merged by Jbond:

[operations/puppet@production] O:nagios_common: drop -c/-w they are not what i thought

https://gerrit.wikimedia.org/r/686534

Change 685800 merged by Ssingh:

[operations/puppet@production] P:wikidough: Add TCP connect check for DoH and DoT

https://gerrit.wikimedia.org/r/685800

Change 686622 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] nagios_common: add check_https_url_custom_ip

https://gerrit.wikimedia.org/r/686622

Change 686625 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] wikidough: use check_https_url_custom_ip for DoH check

https://gerrit.wikimedia.org/r/686625

Change 686622 merged by Ssingh:

[operations/puppet@production] nagios_common: add check_https_url_custom_ip

https://gerrit.wikimedia.org/r/686622

Change 686625 merged by Ssingh:

[operations/puppet@production] wikidough: use check_https_url_custom_ip for DoH check

https://gerrit.wikimedia.org/r/686625

Change 688336 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] wikidough: lookup domain and IP from hiera

https://gerrit.wikimedia.org/r/688336

Change 688336 merged by Ssingh:

[operations/puppet@production] wikidough: lookup domain and IP from hiera

https://gerrit.wikimedia.org/r/688336

Change 692625 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/dns@master] Add zone for wikimedia-dns.org (Wikidough)

https://gerrit.wikimedia.org/r/692625

With the current automation and logic in the generation script, adding just the IP would create this file, which is far from ideal:

diff --git a/org-global b/org-global
new file mode 100644
index 0000000..84245bb
--- /dev/null
+++ b/org-global
@@ -0,0 +1 @@
+wikimedia-dns                            1H IN A 185.71.138.138
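
Review bot: the owner name on the added line, `wikimedia-dns`, is relative (no trailing dot), so what this record means depends on the $ORIGIN in effect wherever `org-global` gets included. It only produces wikimedia-dns.org when the origin is `org.`; included from a wikimedia-dns.org zone file it would expand to wikimedia-dns.wikimedia-dns.org. Consider emitting one snippet per zone with the record at the apex (`@ 1H IN A 185.71.138.138`) so the file can be included from that zone without relying on a TLD-level origin.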

It's far from ideal because it could be included in a single place and ofc as soon as we would have another first level domain (example.org) its IPs would end up in the same file, making it not INCLUD-able in the places we'd need.

I also need to check why it's not creating the reverse zone but that's another problem.

In light of this, to unblock @ssingh I'd suggest to go the manual way for now and dig a bit more on how we can map this into our workflow.

@BBlack @ayounsi @cmooney: do you have any thoughts?

I've updated https://netbox.wikimedia.org/ipam/ip-addresses/8539/ to set the DNS as manual for now so that it doesn't get auto-generated.

Change 692625 merged by Ssingh:

[operations/dns@master] Add zone for wikimedia-dns.org (Wikidough)

https://gerrit.wikimedia.org/r/692625

Change 685571 abandoned by Ssingh:

[operations/puppet@production] aptrepo: add a component for knot-dnsutils

Reason:

this change is no longer required

https://gerrit.wikimedia.org/r/685571

Change 693210 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] acme_chief: add certificates for wikimedia-dns.org

https://gerrit.wikimedia.org/r/693210

Change 693210 merged by Ssingh:

[operations/puppet@production] acme_chief: add certificates for wikimedia-dns.org

https://gerrit.wikimedia.org/r/693210

Change 697942 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] acme_chief: authorize doh300* hosts for Wikidough

https://gerrit.wikimedia.org/r/697942

Change 697942 merged by Ssingh:

[operations/puppet@production] acme_chief: authorize doh300* hosts for Wikidough

https://gerrit.wikimedia.org/r/697942

Change 698162 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/homer/public@master] Add doh5001 to BGP anycast in eqsin

https://gerrit.wikimedia.org/r/698162

Change 698162 merged by jenkins-bot:

[operations/homer/public@master] Add doh5001 to BGP anycast in eqsin

https://gerrit.wikimedia.org/r/698162

Change 698206 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/puppet@production] Add 185.71.138.0/24 to network::external

https://gerrit.wikimedia.org/r/698206

Change 698206 merged by Ayounsi:

[operations/puppet@production] Add 185.71.138.0/24 to network::external and diffscan

https://gerrit.wikimedia.org/r/698206

Mentioned in SAL (#wikimedia-operations) [2021-06-09T06:25:59Z] <XioNoX> Add 185.71.138.0/24 to network::external and diffscan - T252132

Change 698971 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/homer/public@master] Add doh4001 to BGP anycast in eqsin

https://gerrit.wikimedia.org/r/698971

Change 698971 merged by jenkins-bot:

[operations/homer/public@master] Add doh4001 to BGP anycast in ulsfo

https://gerrit.wikimedia.org/r/698971

Change 699217 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/homer/public@master] Add doh1001 and doh1002 to BGP anycast in eqiad

https://gerrit.wikimedia.org/r/699217

Change 699217 merged by jenkins-bot:

[operations/homer/public@master] Add doh1001 and doh1002 to BGP anycast in eqiad

https://gerrit.wikimedia.org/r/699217

Change 710358 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/homer/public@master] Add doh5002 to BGP anycast in eqsin

https://gerrit.wikimedia.org/r/710358

Change 710358 merged by jenkins-bot:

[operations/homer/public@master] Add doh5002 to BGP anycast in eqsin

https://gerrit.wikimedia.org/r/710358

Change 712400 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/homer/public@master] Add doh4002 to BGP anycast in ulsfo

https://gerrit.wikimedia.org/r/712400

Change 712400 merged by jenkins-bot:

[operations/homer/public@master] Add doh4002 to BGP anycast in ulsfo

https://gerrit.wikimedia.org/r/712400

Mentioned in SAL (#wikimedia-operations) [2021-08-13T18:43:23Z] <bblack> reprepro: uploaded gdnsd-3.8.0-1~wmf1 to buster-wikimedia - T252132

Change 712990 had a related patch set uploaded (by BBlack; author: BBlack):

[integration/config@master] operations-dnslint: create version 0.0.12

https://gerrit.wikimedia.org/r/712990

Change 712991 had a related patch set uploaded (by BBlack; author: BBlack):

[integration/config@master] operations-dnslist: bump to 0.0.12

https://gerrit.wikimedia.org/r/712991

Change 712990 merged by jenkins-bot:

[integration/config@master] operations-dnslint: create version 0.0.12

https://gerrit.wikimedia.org/r/712990

Change 712991 merged by jenkins-bot:

[integration/config@master] operations-dnslint: bump to 0.0.12

https://gerrit.wikimedia.org/r/712991

Change 725036 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] wikidough: switch to LE's alternative chain

https://gerrit.wikimedia.org/r/725036

Change 725036 merged by Ssingh:

[operations/puppet@production] wikidough: switch to LE's alternative chain

https://gerrit.wikimedia.org/r/725036