
eqiad1: fix PTR delegations for 185.15.56.0/24
Open, MediumPublic

Description

The DNS delegations for 185.15.56.0/24 https://netbox.wikimedia.org/ipam/prefixes/1/prefixes/ were previously fully delegated to designate @ eqiad1.

With the work at T341220: eqiad1: allocate public IPv4 CIDR for BGP-based virtual IP addresses we discovered we need to delegate to openstack only the few CIDRs that are truly relevant.

In particular:

  • 185.15.56.0/24 -- to be served by nsX.wikimedia.org
  • 185.15.56.0/25 -- to be served by designate @ eqiad1

Event Timeline

aborrero updated the task description.

@aborrero slightly related: here we need to decide how to handle some names that netbox is currently generating, but which aren't working as the manual DNS templates don't include these files.

Specifically these files exist for PTRs within 56.15.185.in-addr.arpa, but are not included in the parent:

224-27.56.15.185.in-addr.arpa
240-29.56.15.185.in-addr.arpa

The names inside these files have a mixture of network equipment managed by SRE and hosts managed by WMCS/SRE, for example:

root@dns2005:/etc/gdnsd/zones/netbox# cat 224-27.56.15.185.in-addr.arpa
237 1H IN PTR virt.cloudgw.eqiad1.wikimediacloud.org.
248 1H IN PTR irb-1104.cloudsw1-c8-eqiad.eqiad1.wikimediacloud.org.

Additionally the forward entries for these names don't work. Netbox again is generating them; these two files exist:

wikimediacloud.org-codfw
wikimediacloud.org-eqiad

root@dns2005:/etc/gdnsd/zones/netbox# head -4 wikimediacloud.org-eqiad
virt.cloudgw.eqiad1                      1H IN A 185.15.56.237
cloudgw1001.eqiad1                       1H IN A 185.15.56.245
cloudgw1002.eqiad1                       1H IN A 185.15.56.246
irb-1104.cloudsw1-c8-eqiad.eqiad1        1H IN A 185.15.56.248

But again there is no "include" for these two files in the wikimediacloud.org zone itself.

I'm wondering might it be best to add these includes? And then for as many names as possible move to managing them through Netbox, to minimise the number of manual things we have?

aborrero changed the task status from Open to In Progress. Jul 7 2023, 10:29 AM
aborrero triaged this task as Medium priority.
aborrero moved this task from Backlog to Doing on the User-aborrero board.

To clarify this a little:

185.15.56.0/24 -- to be served by nsX.wikimedia.org
185.15.56.0/25 -- to be served by designate @ eqiad1
185.15.56.160/28 -- to be served by nsX.wikimedia.org
185.15.56.224/27 -- to be served by nsX.wikimedia.org

nsX.wikimedia.org will be auth for the entire /24. We can sub-delegate the first /25 to the designate as described in RFC2317, creating a new zone there (0-25.56.15.185.in-addr.arpa) which we CNAME individual entries from 56.15.185.in-addr.arpa to on the WMF side.

Hence crossing out the last two, they're not part of the /25 we forward to designate, so automatically handled by nsX.wikimedia.org (not that you're wrong to list them).

To make this work we need to:

  1. Create the 56.15.185.in-addr.arpa zone template file in the authdns repo
  2. Make designate auth for new zone 0-25.56.15.185.in-addr.arpa
    1. The contents of this zone should be the same as the existing 56.15.185.in-addr.arpa zone it's auth for
    2. For a smooth migration we need designate to serve 56.15.185.in-addr.arpa and 0-25.56.15.185.in-addr.arpa simultaneously
    3. When it is we can test with dig, and if all looks good change the NS records / delegation with RIPE to re-point 56.15.185.in-addr.arpa to nsX.wikimedia.org
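The RFC 2317 split described above, worked through as an added example (this is not code from the operations/dns repo or from designate): given the /24 that nsX.wikimedia.org is auth for and the /25 handed to designate, it produces the parent-side NS and CNAME records in the relative form the zone files on this task use, and shows which owner name and CNAME target a PTR lookup for a given address follows. The designate nameserver names passed in are assumed for illustration.

```python
import ipaddress


def reverse_zone_v4_24(network):
    """Zone name for a /24 in in-addr.arpa, e.g. 185.15.56.0/24 -> 56.15.185.in-addr.arpa."""
    o1, o2, o3, _ = str(network.network_address).split(".")
    return f"{o3}.{o2}.{o1}.in-addr.arpa."


def rfc2317_parent_records(parent_cidr, delegated_cidr, nameservers, ttl="1H"):
    """Records the parent /24 zone needs to hand a sub-/24 block to other nameservers.

    Returns (child_zone_name, records). Names are relative to the parent zone origin,
    so "66 1H IN CNAME 66.0-25" expands to 66.56.15.185.in-addr.arpa -> 66.0-25.56.15.185.in-addr.arpa.
    """
    parent = ipaddress.ip_network(parent_cidr)
    child = ipaddress.ip_network(delegated_cidr)
    if parent.prefixlen != 24 or child.prefixlen <= 24 or not child.subnet_of(parent):
        raise ValueError(f"{delegated_cidr} is not a block smaller than a /24 inside {parent_cidr}")
    first = int(child.network_address) & 0xFF          # first host octet of the block
    label = f"{first}-{child.prefixlen}"                # RFC 2317 style label, e.g. "0-25"
    child_zone = f"{label}.{reverse_zone_v4_24(parent)}"
    records = [f"{label} {ttl} IN NS {ns}" for ns in nameservers]
    for host in range(first, first + child.num_addresses):
        records.append(f"{host} {ttl} IN CNAME {host}.{label}")
    return child_zone, records


def ptr_lookup_chain(address, parent_cidr, delegated_cidr):
    """Owner name a resolver queries for `address`, plus the CNAME target the parent
    zone returns for it; the target is None when the address is outside the delegated
    block, in which case the parent zone answers the PTR itself."""
    ip = ipaddress.ip_address(address)
    parent = ipaddress.ip_network(parent_cidr)
    child = ipaddress.ip_network(delegated_cidr)
    owner = ip.reverse_pointer + "."
    if ip not in child:
        return owner, None
    first = int(child.network_address) & 0xFF
    return owner, f"{int(ip) & 0xFF}.{first}-{child.prefixlen}.{reverse_zone_v4_24(parent)}"
```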

Change 936246 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/dns@master] templates: add 56.15.185.in-addr.arpa

https://gerrit.wikimedia.org/r/936246

Change 936247 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/dns@master] wikimediacloud.org: include netbox-generated records

https://gerrit.wikimedia.org/r/936247

Change 936247 abandoned by Arturo Borrero Gonzalez:

[operations/dns@master] wikimediacloud.org: include netbox-generated records

Reason:

folded with the parent change https://gerrit.wikimedia.org/r/c/operations/dns/+/936246

https://gerrit.wikimedia.org/r/936247

Change 936257 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/dns@master] templates/56.15.185.in-addr.arpa: delegate 185.15.56.0/25 to designate @ eqiad1

https://gerrit.wikimedia.org/r/936257

Change 936246 merged by Arturo Borrero Gonzalez:

[operations/dns@master] wikimediacloud.org: add netbox includes

https://gerrit.wikimedia.org/r/936246

Change 936257 merged by Arturo Borrero Gonzalez:

[operations/dns@master] templates/56.15.185.in-addr.arpa: delegate 185.15.56.0/25 to designate @ eqiad1

https://gerrit.wikimedia.org/r/936257

TODO here:

aborrero changed the task status from In Progress to Stalled. Sep 13 2023, 12:56 PM

I think @taavi can take care of this change.

taavi changed the task status from Stalled to Open. Feb 7 2024, 11:52 AM

Change 998401 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] openstack: overhaul the floating IP updater

https://gerrit.wikimedia.org/r/998401

Change 998404 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/dns@master] templates/56.15.185.in-addr.arpa: add missing includes

https://gerrit.wikimedia.org/r/998404

Change 998404 merged by Majavah:

[operations/dns@master] templates/56.15.185.in-addr.arpa: add missing includes

https://gerrit.wikimedia.org/r/998404

Change 998401 merged by Majavah:

[operations/puppet@production] openstack: overhaul the floating IP updater

https://gerrit.wikimedia.org/r/998401

With the patch I just deployed the new-style DNS records are live. It seems to work great:

taavi@runko:~ $ dig -x 185.15.56.66 @ns0.wikimedia.org

; <<>> DiG 9.19.19-1-Debian <<>> -x 185.15.56.66 @ns0.wikimedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19317
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 69cc3b8178500ea0e4e7560b8fb7ca73 (good)
;; QUESTION SECTION:
;66.56.15.185.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
66.56.15.185.in-addr.arpa. 3600	IN	CNAME	66.0-25.56.15.185.in-addr.arpa.

;; Query time: 148 msec
;; SERVER: 208.80.154.238#53(ns0.wikimedia.org) (UDP)
;; WHEN: Wed Feb 14 16:26:57 EET 2024
;; MSG SIZE  rcvd: 96

taavi@runko:~ $ dig PTR 66.0-25.56.15.185.in-addr.arpa. @ns0.wikimedia.org

; <<>> DiG 9.19.19-1-Debian <<>> PTR 66.0-25.56.15.185.in-addr.arpa. @ns0.wikimedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46454
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a838c1a1542af5d48c2d412fd98066e1 (good)
;; QUESTION SECTION:
;66.0-25.56.15.185.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
0-25.56.15.185.in-addr.arpa. 3600 IN	NS	ns0.openstack.eqiad1.wikimediacloud.org.
0-25.56.15.185.in-addr.arpa. 3600 IN	NS	ns1.openstack.eqiad1.wikimediacloud.org.

;; Query time: 148 msec
;; SERVER: 208.80.154.238#53(ns0.wikimedia.org) (UDP)
;; WHEN: Wed Feb 14 16:27:05 EET 2024
;; MSG SIZE  rcvd: 150

taavi@runko:~ $ dig PTR 66.0-25.56.15.185.in-addr.arpa. @ns1.openstack.eqiad1.wikimediacloud.org.

; <<>> DiG 9.19.19-1-Debian <<>> PTR 66.0-25.56.15.185.in-addr.arpa. @ns1.openstack.eqiad1.wikimediacloud.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65099
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;66.0-25.56.15.185.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
66.0-25.56.15.185.in-addr.arpa.	120 IN	PTR	instance-tools-sgebastion-10.tools.wmcloud.org.
66.0-25.56.15.185.in-addr.arpa.	120 IN	PTR	login.tools.wmflabs.org.
66.0-25.56.15.185.in-addr.arpa.	120 IN	PTR	login-buster.toolforge.org.
66.0-25.56.15.185.in-addr.arpa.	120 IN	PTR	instance-tools-sgebastion-10.tools.wmflabs.org.
66.0-25.56.15.185.in-addr.arpa.	120 IN	PTR	bastion.toolforge.org.

;; Query time: 148 msec
;; SERVER: 185.15.56.163#53(ns1.openstack.eqiad1.wikimediacloud.org.) (UDP)
;; WHEN: Wed Feb 14 16:27:10 EET 2024
;; MSG SIZE  rcvd: 255

What's left is updating the reverse DNS delegations for the /24 to point to ns0/1/2.wikimedia.org. @ayounsi @cmooney could either of you take care of that?

RIPE DB update completed, I'll update again when I've confirmed it's changed on the RIPE auth DNS servers.

Change is live with RIPE, all PTR records resolving as they should (netbox generated and those from openstack) for me here at home.

Thanks for fixing this @taavi!

cathal@officepc:~$ dig +nsid NS 56.15.185.in-addr.arpa @pri.authdns.ripe.net. 

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> +nsid NS 56.15.185.in-addr.arpa @pri.authdns.ripe.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53735
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; NSID: 6e 73 32 2e 67 62 2d 6c 6f 6e 2e 61 75 74 68 64 6e 73 2e 72 69 70 65 2e 6e 65 74 ("ns2.gb-lon.authdns.ripe.net")
;; QUESTION SECTION:
;56.15.185.in-addr.arpa.		IN	NS

;; AUTHORITY SECTION:
56.15.185.in-addr.arpa.	86400	IN	NS	ns0.wikimedia.org.
56.15.185.in-addr.arpa.	86400	IN	NS	ns1.wikimedia.org.
56.15.185.in-addr.arpa.	86400	IN	NS	ns2.wikimedia.org.

;; Query time: 16 msec
;; SERVER: 2001:67c:e0::5#53(pri.authdns.ripe.net.) (UDP)
;; WHEN: Thu Feb 15 16:18:31 GMT 2024
;; MSG SIZE  rcvd: 149

What's left is removing the old 56.15.185.in-addr.arpa. zone from Designate (while being careful not to remove 0-25.56.15.185.in-addr.arpa.). @Andrew @aborrero can either of you take care of that?

It's not clear to me that I can delete 56.15.185.in-addr.arpa. while 0-25.56.15.185.in-addr.arpa. exists:

root@cloudcontrol1007:~# openstack zone show --all-projects e07defe3-6d08-4f37-bd7d-1bdc1c45d7e8
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| action         | NONE                                 |
| attributes     |                                      |
| created_at     | 2018-09-01T23:13:23.000000           |
| description    | holds ptr entries for floating IPs   |
| email          | root@wmflabs.org                     |
| id             | e07defe3-6d08-4f37-bd7d-1bdc1c45d7e8 |
| masters        |                                      |
| name           | 56.15.185.in-addr.arpa.              |
| pool_id        | 794ccc2c-d751-44fe-b57f-8894c9f5c842 |
| project_id     | wmflabsdotorg                        |
| serial         | 1709057079                           |
| shared         | False                                |
| status         | ACTIVE                               |
| transferred_at | 2024-02-27T18:07:05.000000           |
| ttl            | 3600                                 |
| type           | PRIMARY                              |
| updated_at     | 2024-02-27T18:10:19.000000           |
| version        | 6015                                 |
+----------------+--------------------------------------+

root@cloudcontrol1007:~# openstack zone delete --all-projects e07defe3-6d08-4f37-bd7d-1bdc1c45d7e8
Please delete any subzones before deleting this zone