Differences

This shows you the differences between two versions of the page.

--- commissies:hornet:start [2023/10/12 12:14]
haaijer created
+++ commissies:hornet:start [2025/06/24 11:20] (current)
haaijer [IMPORTANT: Secondary domains]
@@ Line 13: / Line 13: @@
     ns6.snt.utwente.nl''
   * LISA will point the domain, and the website should be usable through hornet. It is a good idea to verify that everything went correctly and the requester knows how to continue. M&C mentions the need for LISA to talk to us about DNSSEC, but that does not seem to be necessary anymore.
+===== DNS zones =====
+We run quite an interesting DNS setup. [[commissies:syscom:diensten:dns|DNS]]. The most important part here is that cpanel-prod runs a hidden DNS master. And ns4,5,6 are separate machines that replicate from there using AFXR. This is not the quickest, or the most reliable. But it usually works.
+===== DNSSEC =====
+The UT, and SNT, really want DNSSEC enabled for all domains registered at the UT. Creating a new site in hornet automatically runs a script `/opt/hornet-scripts/cpanel/snt-configure-zone.py`, which creates a DNSSEC combined signing key.
+==== IMPORTANT: Secondary domains ====
+Adding new domains in cpanel is possible, but the script does not automatically trigger.
+DO NOT MAKE YOUR OWN DNSSEC KEYS. THIS WILL NOT SYNC CORRECTLY. This is due to issues with nsec3_narrow combined with AFXR.
+Instead, run
+<code>/opt/hornet-scripts/cpanel/snt-configure-zone.py <<< '{"data": {"user": "cpanelusernam", "domain": "associationdomainname.nl"}}'
+</code>
+with the current domain and username to setup the DNSSEC records in a way that they automatically sync to the other nameservers.
+This script will automatically email the DNSSEC records to dnsmaster @ snt, which forwards to some syscommers and board. You can forward this mail nicely to servicedesk, where it usually ends up at Frederik.