
Re: [MirageOS-devel] self-hosting the dns (Re: invalid certificates on mirage-related domains)


  • To: mirageos-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Hannes Mehnert <hannes@xxxxxxxxxxx>
  • Date: Tue, 14 Aug 2018 22:09:33 +0200
  • Delivery-date: Tue, 14 Aug 2018 20:10:14 +0000
  • List-id: Developer list for MirageOS <mirageos-devel.lists.xenproject.org>
  • Openpgp: id=11B5464249B5BD858FFF6328BC896588DF7C28EE

Hi Anil,

On 14/08/2018 16:19, Anil Madhavapeddy wrote:
> Thanks for the heads-up!  I delayed a little with the quick fix this time in
> order to deploy the new udns stack which supports Letsencrypt renewal.  As a
> warning, this means switching our root name servers out, so there may be
> some downtime for DNS over the next few hours/days.  In return, we will
> have a fully self-hosted DNS/HTTPS mirage.io domain using itself!
> 
> The steps are:
> 
> - Switching root name server for mirage.io to udns. I have deployed a new
>   host on packet.net running mirage-ns1.signpost.io (using the other domain
>   to avoid needing a glue record for now).  It uses the "primary-git" example
>   from udns, and is pointing at https://github.com/mirage/ns.mirage.io and
>   uses Irmin to retrieve the zone file via Git.

\o/

> - Once this has propagated, I need to setup the tsig keys on that nameserver
>   in order to do automated LE updates.  Hannes, do you have any tips/guides
>   on how to do this or an example in the repo?

To generate TSIG keys, I use:

  dnssec-keygen -a HMAC-SHA256 -n entity -b 256 barf.10.0.42.2._transfer.mirage

For LE integration, you can use either bin/oacmel (from
https://github.com/hannesm/ocaml-letsencrypt/tree/nsupdate) or the
unikernel in the `mirage` repository, which acts as a secondary, awaits
notify/zone transfer with signing requests, and then communicates with
LE to provision the CSR to put the cert back into DNS -- see
https://github.com/mirleft/tls-demo-server/commit/565fdbe972e0c92c49294cf2120bbfbc9021bba4
for how to use this (or alternatively udns/mirage/examples/certificate).
I'm in the process of writing documentation about this (but got
distracted by other things).  Please don't hesitate to ask further
questions.


hannes
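As an added illustration (not code from this thread, udns or ocaml-letsencrypt): the key that dnssec-keygen emits above is just a random HMAC secret, and a nameserver authenticates each nsupdate by recomputing the RFC 8945 TSIG MAC over the request plus the TSIG variables. This Python sketch builds a constructed minimal UPDATE request for a made-up zone, signs it under the key name from the command above, and shows the server-side checks (constant-time MAC compare, then the fudge window); the zone name, message layout and fudge value are assumptions for the example.

```python
import base64, hashlib, hmac, secrets, struct, time

# Key name from the dnssec-keygen invocation above; algorithm name per RFC 8945.
KEY_NAME = "barf.10.0.42.2._transfer.mirage."
ALGORITHM = "hmac-sha256."
FUDGE = 300  # seconds of clock skew tolerated (assumed; BIND's default)

def generate_tsig_secret(bits: int = 256) -> str:
    """Random base64 secret, the shape dnssec-keygen -b 256 emits for HMAC-SHA256."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()

def wire_name(name: str) -> bytes:
    """Canonical wire form of a DNS name: lowercase, uncompressed, root-terminated."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0)        # CLASS ANY, TTL 0
            + wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret_b64: str, message: bytes, time_signed: int, fudge: int = FUDGE) -> bytes:
    """MAC over the unsigned request message followed by the TSIG variables."""
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message + tsig_variables(time_signed, fudge), hashlib.sha256).digest()

def verify_tsig(secret_b64, message, time_signed, mac, now, fudge=FUDGE) -> bool:
    """Server-side check: constant-time MAC compare first, then the time window."""
    expected = tsig_mac(secret_b64, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return False                      # BADSIG: wrong key or altered message
    return abs(now - time_signed) <= fudge  # otherwise BADTIME

def update_request(zone: str, msg_id: int = 0x1234) -> bytes:
    """Constructed minimal DNS UPDATE (opcode 5) carrying only the zone section."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 0, 0)  # ZOCOUNT=1, ARCOUNT=0
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)   # QTYPE SOA, QCLASS IN

if __name__ == "__main__":
    secret = generate_tsig_secret()
    msg = update_request("example.test.")   # constructed zone, not mirage.io
    t = int(time.time())
    mac = tsig_mac(secret, msg, t)
    print(verify_tsig(secret, msg, t, mac, now=t))            # True
    print(verify_tsig(secret, msg + b"\x00", t, mac, now=t))  # False: message altered
```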
