Studenten Net Twente making the net wiki work
You are here: start » commissies » hornet
Show pageOld revisions
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
commissies:hornet:start [2023/10/12 12:14] – created haaijercommissies:hornet:start [2026/02/07 11:31] (current) – [Mail routing] haaijer
Line 13: Line 13:
     ns6.snt.utwente.nl''     ns6.snt.utwente.nl''
   * LISA will point the domain, and the website should be usable through hornet. It is a good idea to verify that everything went correctly and the requester knows how to continue. M&C mentions the need for LISA to talk to us about DNSSEC, but that does not seem to be necessary anymore.   * LISA will point the domain, and the website should be usable through hornet. It is a good idea to verify that everything went correctly and the requester knows how to continue. M&C mentions the need for LISA to talk to us about DNSSEC, but that does not seem to be necessary anymore.
 +
 +===== DNS zones =====
 +We run quite an interesting DNS setup. [[commissies:syscom:diensten:dns|DNS]]. The most important part here is that cpanel-prod runs a hidden DNS master. And ns4,5,6 are separate machines that replicate from there using AFXR. This is not the quickest, or the most reliable. But it usually works.
 +
 +===== DNSSEC =====
 +The UT, and SNT, really want DNSSEC enabled for all domains registered at the UT. Creating a new site in hornet automatically runs a script `/opt/hornet-scripts/cpanel/snt-configure-zone.py`, which creates a DNSSEC combined signing key.
 +
 +==== IMPORTANT: Secondary domains ====
 +Adding new domains in cpanel is possible, but the script does not automatically trigger.
 +
 +DO NOT MAKE YOUR OWN DNSSEC KEYS. THIS WILL NOT SYNC CORRECTLY. This is due to issues with nsec3_narrow combined with AFXR.
 +
 +Instead, run 
 +<code>/opt/hornet-scripts/cpanel/snt-configure-zone.py <<< '{"data": {"user": "cpanelusernam", "domain": "associationdomainname.nl"}}'
 +</code>
 +with the current domain and username to setup the DNSSEC records in a way that they automatically sync to the other nameservers.
 +
 +This script will automatically email the DNSSEC records to dnsmaster @ snt, which forwards to some syscommers and board. You can forward this mail nicely to servicedesk, where it usually ends up at Frederik. 
 +
 +===== Mail routing =====
 +
 +  host association.nl [2001:67c:2564:a120:1::79]
 +  SMTP error from remote mail server after RCPT TO:snt@association.nl:
 +  550-The mail server could not deliver mail to snt@association.nl. The account
 +  550-or domain may not exist, they may be blacklisted, or missing the proper dns
 +  550 entries.
 +
 +
 +This sometimes happens after upgrades? 
 +
 +In any case, this happens because /etc/localdomains and /etc/remotedomains are wrong. 
 +
 +cPanel has a tab "email routing" that is used to determine if cpanel is the email host for a given domain. Most domains have this set to automatic. 
 +
 +It has happened multiple times before that cpanel thinks that it is not the host for many domains (presumably DNS does not sync fast enough, or caused by the hidden master DNS setup that SNT has). 
 +
 +In this case. There is a script you can run to re-detect this: https://help.bigscoots.com/en/articles/1783776-whm-how-to-rebuild-etc-localdomains-and-etc-remotedomains-on-cpanel
 +
 +Make backups beforehand!
 +
 +THIS MUST BE CHECKED AFTER EVERY BIG cPanel UPGRADE!
commissies/hornet/start.1697112882.txt.gz · Last modified: 2023/10/12 12:14 by haaijer
Show pageOld revisions
[unknown link type]Back to top