On Fri, 28 Feb 2020 00:04:07 +0100 Gerald Pfeifer <gp(a)suse.com> wrote:
A friendly colleague pointed me towards this:
gp@anthias> host opensuse.org
Using domain server:
not found: 2(SERVFAIL)
or opensuse.id resolve just fine.
Yes, there was an issue and yes: it did not affect everyone but only
parts of the internet (which always makes debugging more
interesting). ...and I'm very sorry for the trouble caused!
What happened in the end?
We switched the DNS servers for opensuse.de. Not thinking of the
has ns1.opensuse.de as primary DNS server
* opensuse.de has ns1.opensuse.org as primary DNS server
...now guess what happens: to find out the IP of the DNS server for
opensuse.de, the resolvers would need to find out the IP of the DNS
server for opensuse.org
I have to admit that I am part of the guys who rolled out the change
and did not notice the obvious problem above. Without a correct glue
record at the registrar's side, there is not really a way for the
resolvers to get the right answers.
As we (the openSUSE community) have currently no access to the
registrar, we have to wait for SUSE-IT here, whom I would already like to
thank personally for their responsiveness and reaction outside their
normal working hours! They were so nice to roll back the change in the
evening, once the problem got noticed, but - as usual with DNS - all the
caching results in some delays before a change gets visible everywhere.
The new plan is to add glue records for the opensuse.org
and have everything else (opensuse.de and opensuse.fr) just point to
these DNS servers (ns1.opensuse.org
). We wanted to avoid those glue records in the
beginning, as it currently looks (but is not 100% fixed yet) like we
need to renumber everything in a few weeks, as SUSE (and therefore
openSUSE) might get new IP ranges as a follow-up of the SUSE carve
out. ...and changes at the Registrar need time.
Note: all 3 domains and the DNS servers are meanwhile managed by the
openSUSE Heroes, which gives us a huge and very welcome independence!
With the planned glue record entries next week, we (the openSUSE
heroes) should be safe to go for anything we want.
Just as examples:
* for the first time in decades, openSUSE has full IPv6 capable main DNS
servers. Even in different locations/networks.
* for the first time, openSUSE is running DNS servers, which are part of
the openSUSE distribution (eat your own dogfood)
* DNSSEC and DNS over HTTPS are now possible
* additional SRV or TXT records (like SPF or DMARC for mail) are now
"just a mouse click away"
* DNS changes like for the switch of news.opensuse.org
seconds instead of months
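The mutual nameserver dependency described in the message above can be checked for before a delegation change goes live. The following is an added example, not part of the original e-mail or any openSUSE tooling; the zone names, the glue set and the function names are constructed for illustration.

```python
# Added example: find zones that cannot be resolved because their
# nameserver names depend on each other and no glue breaks the loop.
# All zone names and glue sets used here are constructed sample data.

def owning_zone(host, zones):
    """Longest-suffix match: the zone in `zones` that contains `host`."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None  # host lives outside the delegations we were given

def unresolvable_zones(delegations, glue):
    """delegations: zone -> NS host names; glue: NS hosts with glue at the parent.

    A zone is reachable if at least one NS has glue, lives outside the
    given zones (assumed resolvable), or lives in a zone already reachable.
    Iterate to a fixpoint; whatever is left is stuck in a dependency loop.
    """
    reachable = set()
    changed = True
    while changed:
        changed = False
        for zone, servers in delegations.items():
            if zone in reachable:
                continue
            for ns in servers:
                owner = owning_zone(ns, delegations)
                if ns in glue or owner is None or owner in reachable:
                    reachable.add(zone)
                    changed = True
                    break
    return sorted(set(delegations) - reachable)

# Constructed: two zones naming each other's server, a third hanging off one.
BROKEN = {
    "alpha.example": ["ns1.beta.example"],
    "beta.example": ["ns1.alpha.example"],
    "gamma.example": ["ns1.alpha.example"],
}
# Constructed: every zone points at one server name that has glue at the parent.
FIXED = {zone: ["ns1.alpha.example"] for zone in BROKEN}

if __name__ == "__main__":
    print("mutual, no glue:", unresolvable_zones(BROKEN, glue=set()))
    print("single NS, glue:", unresolvable_zones(FIXED, glue={"ns1.alpha.example"}))
```

Run against the planned zone data before asking the registrar for a change, a non-empty result means a glue record is still missing somewhere in the chain.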