2020-01-29 - Progress - Tony Finch
Some notes looking back on what happened last year...
Stats
1028 commits to IP Register
121 commits to Superglue
48 commits to git.uis.cam.ac.uk
26 commits to BIND
4287 IP Register / MZS support messages (about 6% more than last year)
2786 cronspam messages (less than half of last year, mainly due to changes in the MWS)
Projects
Server reshuffle (Jan, Nov, Dec)
January was continuing upgrades/renames from the end of 2018.
November was initial work on splitting authoritative servers from zone transfer servers. (This is still work in progress.)
December was abolishing the old authdns.csx names. (nearly done!)
Wholesale delegation cleanup (Jan, Sep, Oct, Nov, Dec)
This was in support of:
the authdns.csx -> auth.dns server renaming
the withdrawal of sns-pb.isc.org and moving our off-site secondary service to Mythic Beasts
upgrading DNSSEC from RSASHA1 to ECDSA256
ensuring all our domains have consistent ownership and contact information - there was an error rate of more than 10% due to mistakes and omissions in manual maintenance
The development work involved:
porting the web site automation code from CasperJS to WebDriver
new integration code for Mythic Beasts
extending the scope to cover domain ownership and contact information as well as DNS delegations
improvements to the way we manage encrypted secrets
Zonemaster DNS rule checking for all zones
Overall this took a lot longer than I would have liked. This automation code has been a barely-working mess since 2015, but at last now it is close to the point of being releasable production code.
We now have fast, automated consistency checking and enforcement across our domains. The anomaly rate has been pushed down from somewhere over 10% to near zero.
Future of IP Register
Porting web front end from Jackdaw to www.dns.cam.ac.uk (Apr, May, Jun, Jul, Aug)
Building on 2018's work on the web site infrastructure.
Ported Jackdaw's Oracle + mod_perl platform and web application framework - simplifying and moving to the DNS web server.
Reskinned the IP Register web forms to Project Light.
This project is more than half done, but it had to go on the back burner after more urgent work turned up, which is somewhat irritating.
git.uis -> GitLab
February: added a light-weight self-service migration tool, with documentation.
September: determined timetable for migration and shut-down.
IETF
Less busy this year.
ANAME draft dropped due to technical difficulties; the consensus was to pursue different solutions to the general problem.
Received thanks in RFC 8482 (minimal ANY responses), RFC 8499 (DNS Terminology), RFC 8689 (SMTP Require TLS).
Open Source
Superglue scripts for managing domain registrations and delegations
This is the code supporting the delegation cleanup project.
It is not quite up to a releasable standard - there are missing safety checks, missing documentation, missing build/install scripts.
-
Support for YAML metadata alongside encrypted secrets. This was for Superglue's login credentials, but it also led to improvements in IP Register's secret handling in several places.
-
Improved handling of CDS and CDNSKEY records.
Twenty-six patches committed to BIND9.
Several improvements to rndc
Cryptography improvements: deprecated SHA-1, upgraded default RSA key size.
Better support for CDS and CDNSKEY records.
Numerous others.
What's next?
Short term:
Split authoritative servers from zone transfer servers
Sort out RPZ + RBL subscriptions
Deploy replacement hardware for recursive DNS servers
Finish Superglue; publish ReGPG and Superglue on CPAN; proper Debian package builds
Longer term:
Operating system refresh
Finish new IP Register web front end
Start porting IP Register database from Oracle to PostgreSQL