On Fri, 28 Feb 2020 00:04:07 +0100 Gerald Pfeifer <gp@suse.com> wrote:
> A friendly colleague pointed me towards this:
>
> gp@anthias> host opensuse.org 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> Host opensuse.org not found: 2(SERVFAIL)
>
> suse.de, suse.com or opensuse.id resolve just fine.

Yes, there was an issue and yes: it did not affect everyone but only parts of the internet (which always makes debugging more interesting).

...and I'm very sorry for the trouble caused!

What happened in the end? We switched the DNS servers for opensuse.de, not thinking of the following loop:

* opensuse.org has ns1.opensuse.de as primary DNS server
* opensuse.de has ns1.opensuse.org as primary DNS server

...now guess what happens: to find out the IP of the DNS server for opensuse.de, the resolvers would need to find out the IP of the DNS server for opensuse.org ...

I have to admit that I am one of the guys who rolled out the change and did not notice the obvious problem above. Without a correct glue record at the registrar's side, there is not really a way for the resolvers to get the right answers.

As we (the openSUSE community) currently have no access to the registrar, we have to wait for SUSE-IT here, whom I would already like to thank personally for their responsiveness and reaction outside their normal working hours! They were so nice to roll back the change in the evening, once the problem got noticed, but - as usual with DNS - all the caching results in some delays before a change gets visible everywhere.

The new plan is to add glue records for the opensuse.org DNS servers and have everything else (opensuse.de and opensuse.fr) just point to these DNS servers (ns1.opensuse.org, ns2.opensuse.org, ns3.opensuse.org). We wanted to avoid those glue records in the beginning, as it currently looks (but is not 100% fixed yet) like we need to renumber everything in a few weeks, as SUSE (and therefore openSUSE) might get new IP ranges as a follow-up of the SUSE carve out. ...and changes at the registrar need time.

Note: all 3 domains and the DNS servers are meanwhile managed by the openSUSE Heroes, which gives us a huge and very welcome independence! With the planned glue record entries next week, we (the openSUSE heroes) should be safe to go for anything we want.

Just as examples:

* for the first time in decades, openSUSE has fully IPv6-capable main DNS servers. Even in different locations/networks.
* for the first time, openSUSE is running DNS servers which are part of the openSUSE distribution (eat your own dogfood)
* DNSSEC and DNS over HTTPS are now possible
* additional SRV or TXT records (like SPF or DMARC for mail) are now "just a mouse click away"
* DNS changes like for the switch of news.opensuse.org just take seconds instead of months
* ...

Lars
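
The delegation loop described in the message above, as an added example that is not part of the original e-mail: a Python check that takes each zone's NS names plus the glue held at the parent and reports zones no resolver could reach from a cold cache. Zone and server names come from the message; the function names, the one-NS-per-zone model of the broken state, and the rule that NS names outside the modeled zones resolve elsewhere are assumptions.

```python
"""Find zones whose nameservers can only be located through each other (no glue)."""

def enclosing_zone(hostname, zones):
    """Return the longest modeled zone containing hostname, or None."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def reachable_zones(delegations, glue):
    """Fixed point: a zone is reachable once one NS address can be learned."""
    reachable = set()
    changed = True
    while changed:
        changed = False
        for zone, ns_names in delegations.items():
            if zone in reachable:
                continue
            for ns in ns_names:
                parent = enclosing_zone(ns, delegations)
                # Glue gives the address directly; otherwise the NS name must
                # live in a zone that is already reachable. Names outside the
                # modeled zones are assumed to resolve independently.
                if ns in glue or parent is None or parent in reachable:
                    reachable.add(zone)
                    changed = True
                    break
    return reachable

def stuck_zones(delegations, glue):
    """Zones a cold-cache resolver cannot reach, sorted by name."""
    return sorted(set(delegations) - reachable_zones(delegations, glue))

# Constructed from the message: the state after the opensuse.de switch.
BROKEN = {"opensuse.org": ["ns1.opensuse.de"],
          "opensuse.de": ["ns1.opensuse.org"]}

# Constructed from the message: the planned layout with glue for opensuse.org.
NS_SET = ["ns1.opensuse.org", "ns2.opensuse.org", "ns3.opensuse.org"]
PLANNED = {"opensuse.org": NS_SET, "opensuse.de": NS_SET, "opensuse.fr": NS_SET}
PLANNED_GLUE = set(NS_SET)

if __name__ == "__main__":
    print("broken :", stuck_zones(BROKEN, set()))
    print("planned:", stuck_zones(PLANNED, PLANNED_GLUE))
```

Running the same check on the planned layout with an empty glue set reports all three zones as stuck, which is why the glue records at the registrar are the part of the plan that cannot be skipped.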