
codfw1dev: finish auth DNS server transition
Closed, Invalid, Public

Description

As part of T307357: Move cloud vps ns-recursor IPs to host/row-independent addressing we introduced new IP addresses for both the resolver and the auth DNS servers.

See https://gerrit.wikimedia.org/r/c/operations/dns/+/928620

However, the transition is not completed:

Until then, we may see some clients who think ns0/ns1 are still auth servers:

user@laptop:~$ dig @ns0.wikimedia.org NS codfw1dev.wikimedia.cloud
[..]
codfw1dev.wikimedia.cloud. 86400 IN	NS	ns.openstack.codfw1dev.wikimediacloud.org.

However:

user@laptop:~$ dig @ns.openstack.codfw1dev.wikimediacloud.org SOA codfw1dev.wikimedia.cloud +short
ns0.openstack.codfw1dev.wikimediacloud.org. root.wmflabs.org. 1686644138 3598 600 86400 3600
user@laptop:~$ dig @ns.openstack.codfw1dev.wikimediacloud.org NS codfw1dev.wikimedia.cloud +short
ns0.openstack.codfw1dev.wikimediacloud.org.
ns1.openstack.codfw1dev.wikimediacloud.org.
ns1.openstack.eqiad1.wikimediacloud.org.
ns0.openstack.eqiad1.wikimediacloud.org.
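
An added example, not part of the original task: a small check that compares the NS set the parent side hands out with the NS set and SOA MNAME the zone itself publishes, which is the mismatch shown in the description above. The function names are hypothetical; the sample inputs are the dig outputs quoted in the description.

```python
# Added example: detect delegation drift from captured dig output (runs offline).
ZONE = "codfw1dev.wikimedia.cloud"

# Answers quoted in the task description: parent-side view, then the zone's own view.
PARENT_VIEW = """[..]
codfw1dev.wikimedia.cloud. 86400 IN NS ns.openstack.codfw1dev.wikimediacloud.org.
"""
CHILD_NS = """ns0.openstack.codfw1dev.wikimediacloud.org.
ns1.openstack.codfw1dev.wikimediacloud.org.
ns1.openstack.eqiad1.wikimediacloud.org.
ns0.openstack.eqiad1.wikimediacloud.org.
"""
CHILD_SOA = ("ns0.openstack.codfw1dev.wikimediacloud.org. root.wmflabs.org. "
             "1686644138 3598 600 86400 3600")

def _norm(name):
    """Lower-case and drop the trailing dot so names compare equal."""
    return name.strip().rstrip(".").lower()

def parse_ns(dig_output, zone):
    """Return the NS targets for `zone` from full or `+short` dig output."""
    zone, targets = _norm(zone), set()
    for line in dig_output.splitlines():
        fields = line.split()
        if not fields or line.startswith((";", "[")):
            continue  # blank line, dig comment, or an elision marker like "[..]"
        if len(fields) == 1:
            targets.add(_norm(fields[0]))  # +short: one target per line
        elif (len(fields) >= 5 and fields[3].upper() == "NS"
              and _norm(fields[0]) == zone):
            targets.add(_norm(fields[4]))  # full RR: owner TTL class type rdata
    return targets

def parse_soa_mname(dig_short_soa):
    """Return the primary server (MNAME), the first field of `SOA +short`."""
    return _norm(dig_short_soa.split()[0])

def delegation_report(parent_ns, child_ns, mname):
    """Summarise where the delegation and the zone's own data disagree."""
    return {
        "only_in_parent": sorted(parent_ns - child_ns),
        "only_in_child": sorted(child_ns - parent_ns),
        "mname_in_child_ns": mname in child_ns,
        "consistent": parent_ns == child_ns,
    }

if __name__ == "__main__":
    report = delegation_report(parse_ns(PARENT_VIEW, ZONE),
                               parse_ns(CHILD_NS, ZONE),
                               parse_soa_mname(CHILD_SOA))
    for key, value in report.items():
        print(f"{key}: {value}")
```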

Event Timeline

Just found this:

aborrero@cloudservices2005-dev:~ $ sudo grep -iR ns0 /etc/powerdns/
/etc/powerdns/pdns.conf:default-soa-content=ns0.openstack.eqiad1.wikimediacloud.org
aborrero@cloudservices2005-dev:~ $ sudo grep -iR ns0 /etc/designate/
/etc/designate/pools.yaml:  - hostname: ns0.openstack.codfw1dev.wikimediacloud.org.

This may be coded in puppet after all!

Change 929697 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] pdns_server: make default-soa-content configurable

https://gerrit.wikimedia.org/r/929697

Change 929697 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] pdns_server: make default-soa-content configurable

https://gerrit.wikimedia.org/r/929697

Change 929739 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] openstack: codfw1dev: designate: fix pdns query-local-adress

https://gerrit.wikimedia.org/r/929739

Change 929740 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] openstack: codfw1dev: designate: listen-on only the new address

https://gerrit.wikimedia.org/r/929740

Change 929739 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] openstack: codfw1dev: designate: fix pdns query-local-adress

https://gerrit.wikimedia.org/r/929739

aborrero moved this task from Doing to Next on the User-aborrero board.

The original plan was reworked mid-flight and we went back to having ns0/ns1 addresses for the hosts. This is because each DNS server is both Auth and Recursor, and each recursor instance needs a publicly reachable IPv4 address in order to, well, recurse.

So we re-introduced the per-host address.

Change 929740 abandoned by Majavah:

[operations/puppet@production] openstack: codfw1dev: designate: listen-on only the new address

Reason:

don't think this is still needed

https://gerrit.wikimedia.org/r/929740