[okfn-dev] DNS setup

William Waites ww at eris.okfn.org
Sun Dec 5 14:05:15 UTC 2010 

So I'm sitting here working on http://ckan.org/ticket/844 and
waiting... Why am I waiting? Because everydns, where okfn domains are
hosted doesn't update the nameservers in the normal way but instead
batches updates and we have to wait a while for the changes to appear
there (this is before any caching of responses by the actual DNS
infrastructure is taken into account which shouldn't matter at all
with new records).

To wit, after about 20 minutes::

    ww at river[~]$ host -t mx ckan.net. ns1.everydns.net.
    Using domain server:
    Name: ns1.everydns.net.
    Address: 208.76.61.100#53
    Aliases: 

    ckan.net has no MX record

My infrastructure setup (for domains such as styx.org, groovy.net,
etc). is slightly different, but significantly more robust. I have a
"hidden master" that has the authoritative records and runs bind (and
could as wel run whatever other dns software). If you look at the
public nameservers, you'll see::

    ww at river[~]$ host -t ns styx.org
    styx.org name server ns1.first-ns.de.
    styx.org name server robotns2.second-ns.de.
    styx.org name server robotns3.second-ns.com.

these nameservers are actually Hetzner, and this is a free service
that they offer if you have a dedicated server hosted with them (which
I used to do, and OKF currently still does). They are configured as
secondaries which just pull the records from the hidden master, and
the hidden master notifies them of changes (e.g. serial number
updates).

This has several advantages:

    * new records are visible almost instantly
    * records of other types (PTR, NAPTR, not to mention more
      complicated but important things like DNSSec) just work
    * only uses standards-compliant infrastructure
    * flexibility to actually use the DNS in novel ways (an idea off
      the top of my head

          name.packages.ckan.net IN TXT "http://zh.ckan.net/package/name"

      not saying this is a good idea, but at least it would be
      possible. 

And one disadvantage from what I can see:

    * No web interface

The disadvantage could be mitigated by installing some sort of web
front end, several of which exist, or even writing our own (not that
hard).

My question then is this, do we want to migrate the DNS infrastructure
to a setup more like this?

As I finish writing this note, I see that the DNS has finally updated
about half an hour as I made the change on the everydns.com website...

Cheers,
-w

P.S. There is also the question of everydns' ethics given the recent
Wikileaks debacle -- it is very unlikely that a similar situation
would affect us but it still is troubling
-- 
William Waites
http://eris.okfn.org/ww/foaf#i
9C7E F636 52F6 1004 E40A  E565 98E3 BBF3 8320 7664

More information about the okfn-labs mailing list