#catalogzones — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #catalogzones, aggregated by home.social.
-
Numerous technical and security improvements on the infrastructure that supports https://mstdn.dk
- DNS simplified extensively by migrating public facing secondary nameservers to #NSD using #CatalogZones from PowerDNS + DNSDist.
- #DNSSEC reenabled
- #ExternalDNS and #CertManager configuration vastly simplified.
- #Ingress controller migrated from #Nginx to #Traefik
Bottom line: https://sikkerpånettet.dk/ now gives the site a 100% #security score. There are still improvements to be made (weirdly enough) - specifically I'm looking into supporting DANE for #TLS certificate signatures in #DNS.
Now that's off the TODO-list :-)
-
I run my own #nameservers or #DNS if you will, and have done so for over 25 years. Initially based on #BIND (aka named) but I later moved to #PowerDNS, There are numerous frontends of varying quality available for PowerDNS. I have opinions on those, but this isn't about them.
For the secondary name servers (in the old and less enlightened days known as slaves) I've always run the same software as the primary. First BIND, then PowerDNS. Recently though, I've been testing out what appears to be a much simpler alternative: #NSD by #Amsterdam based NLnet Labs.
Using #CatalogZones - a new concept to me - I'm able to run secondaries with TSIG notifies and zone transfers as well as fully supported primary signed DNSSEC with a configuration of only 40 lines. No updates needed when adding or removing zones.
For this to work well though, some configuration is required for each zone on the primary. With a little trigger and function magic, this can be automized by the database.
Wheee!