INFRA-2507

ASF-ify the spamassassin.org DNS hosting

    Details

    • Type: Task
    • Status: Waiting for Infra
    • Priority: Minor
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: DNS
    • Labels: None

      Description

      As discussed in the thread "Moving spamassassin.org DNS zone to ASF DNS servers - the redux" on infra@ on Jan 22-25, 2010, the SpamAssassin PMC would like to get the spamassassin.org domain's DNS zone hosted on the same infrastructure as the other ASF domains.

      Also, as discussed, we need a way to automatically reload the zone file since our automated rule update infrastructure depends on being able to update DNS records to publish the rule updates.

      Ideally we'd split the zone up into spamassassin.org and updates.spamassassin.org as automatic updates only happen to updates.spamassassin.org. We could get by without, but it'd be icing on the cake.

      We'd also like to consider allowing zone transfers to sonic.net's name servers. I think keeping them as slave name servers wouldn't be a bad idea. Their IPs are 209.204.159.20, 64.142.88.72 and 69.9.186.104.

      We'll also need to figure out how exactly we want the automatic reloads of the updates.spamassassin.org zone to happen. There's dozens of ways to do it (frequent cron job (every 15 minutes?), svn commit hook, etc)... whatever fits in with the current security policy works for me.

      Thanks,

      Daryl

        Activity

        Daryl C. W. O'Shea created issue -
        #asfinfra IRC Bot made changes -
        Field Original Value New Value
        Assignee Philip M. Gollucci [ pgollucci ]
        #asfinfra IRC Bot made changes -
        Assignee Philip M. Gollucci [ pgollucci ] Joe Schaefer [ joes ]
        Tony Stevenson added a comment -
        Daryl,

        I guess we should actually get this done now. :)

        Do you/the PMC still want to do this? I guess we can look at a few options of reloading the updates.spamassassin.org zone.

        A cron job might be simple enough, or running named on the spam zone, as a hidden master.
        How often do you think you might update the zone? I ask as one of the current public NS hosts can be temperamental.

        It would be a lot simpler for us if we don't use the sonic NS service; we now use no-ip.com, who provide a far better NS service than we had when this ticket was opened.
        Tony Stevenson added a comment -
        Daryl, ping...
        Tony Stevenson added a comment -
        emailed the PMC directly asking for comments/help
        Kevin A. McGrail added a comment -
        Q: Do you/the PMC still want to do this? I guess we can look at a few options of reloading the updates.spamassassin.org zone

        A: Yes, we want to do this as part of the continued migration of resources used by the project to ASFINFRA.

        Q: A cron job might be simple enough, or running named on the spam zone, as a hidden master.

        A: Running named on the spam zone would be brilliant as a hidden master. It solves all the issues in one fell swoop.

        Q: How often do you think you might update the zone? I ask as one of the current public NS hosts can be temperamental.

        A: The zone updates with rule releases and those are getting more automated. Daily at a minimum.

        Q: It would be a lot simpler for us if we don't use the sonic NS service, we now use no-ip.com who provide a far better NS service than we had when this ticket was opened.

        A: The hidden master should let us just list their NS and allow transfers in bind so this can be a debate for a later date. I think the project is many times bitten, twice shy with DNS. In fact, it's why I originally started helping them oh so many years ago!
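
        For reference, a sketch of the hidden-master arrangement discussed in this thread, written as a BIND `named.conf` fragment. This is an added example, not configuration from the ticket or from either team's servers: the secondary addresses are the sonic.net IPs quoted in the description, and the ACL name and zone file path are assumptions.

```conf
// Added example: hidden master for spamassassin.org (not the project's real config).
// Secondary IPs are the sonic.net addresses quoted in the ticket description;
// the ACL name and the zone file path are assumptions.

acl "sa-secondaries" {
    209.204.159.20;
    64.142.88.72;
    69.9.186.104;
};

options {
    // Default-deny: no zone can be transferred unless its zone block allows it.
    allow-transfer { none; };
    // The hidden master only feeds secondaries, so it never needs to recurse.
    recursion no;
};

zone "spamassassin.org" {
    type master;
    file "zones/spamassassin.org";      // assumed path

    // Send NOTIFY only to the listed secondaries, not to every NS in the zone.
    notify explicit;
    also-notify { 209.204.159.20; 64.142.88.72; 69.9.186.104; };

    // AXFR/IXFR restricted to the secondaries.
    allow-transfer { "sa-secondaries"; };

    // Records change by editing the zone file and reloading, not by dynamic update.
    allow-update { none; };
};
```

        The zone's NS records list only the public secondaries, so the master never appears in the delegation. The SOA serial has to increase on every automated update, otherwise the secondaries ignore the NOTIFY and keep serving the old records.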
        Tony Stevenson added a comment -
        Kevin,

        Thanks for getting back to us. So my plan is this:

        Move the main spamassassin.org zone into line with the other ASF zones and have infra manage it.
        Set up an instance of named on your PMC's zone and have that be a hidden master for updates.spamassassin.org

        This means the PMC can manage the updates zone how it sees fit, but allows us to manage the main zone in line with others.

        Any objections?

        If not, can I please get a copy of the current main zone file, and I can get that under way. We can get it all set up and then just notify the registrar once it is all up and running.
        Tony Stevenson added a comment -
        Guys,

        I have set up our named instance with a zone, and config. It is not yet notifying our slaves. I want to set up named on your zone, unless you guys are happy to do so. As such I'd need shell and root access.

        Once I have this, I can ask the current providers to pick up the two zones, from our hidden master and then your zone from your hidden master (your zone).

        Then we can sync the zone contents, and change the NS hosts with the spamassassin.org registrar.

        Daryl C. W. O'Shea added a comment -
        Hi Tony,

        Thanks for working on this. Sorry I did not respond earlier, I've been away.

        Progress is pretty much as I desired so far.

        Some notes:

        1. named is already running (for years) as our hidden master on spamassassin.zones.apache.org... so we just need to allow transfers to your named instance.

        2. In addition to the "updates" subdomain, we also need control over the subdomains "dnsbltest" and "sa-test". These two subdomains are part of SpamAssassin's test suite. Without them, a network enabled "make test" will not succeed.

        3. If you don't have a current copy of our root zone, the version in svn should be up-to-date: http://svn.apache.org/repos/asf/spamassassin/dns/spamassassin.org

        So...

        Let us know where we need to allow zone transfers to and we'll set it up. We'll need to do some work on our zone files though, as currently there's only one zone file with a mix of inline subdomains and $INCLUDE'ed subdomains. It'd actually be easier for us to maintain control of the spamassassin.org root zone.

        Daryl
        Tony Stevenson added a comment -
        Daryl,

        Well, if you guys want to manage the entire domain, I don't have an issue with that. Makes my life simpler :-)
        So all we need to do then is notify our list of NS slaves, and have them pull from you.

        Are you already running as a hidden master for the entire zone? If so, I don't see any changes are necessary if you're happy.

        Comments?
        Daryl C. W. O'Shea added a comment -
        How often do your list of NS slaves change? Do you think they would prefer slaving from your NS rather than our hidden master NS? I don't mind doing the work to split up the zone files if you think it would be better to continue down the road you were going.
        Tony Stevenson added a comment -
        Daryl,

        We haven't changed our NS hosts since introducing no-ip.com, and dropping the hyperreal hosts.
        If you want us (Infra) to slave the zone from you and then allow our slave hosts to pull it in I'm sure we can do that. I'd just want to check that if we were being a slave we could notify other slaves too.

        Alternatively we can just have our slaves pull in directly from your hidden master.

        Either way can I get set up with an account (and sudo) please so I can start testing?

        Cheers,
        Tony
        Kevin A. McGrail added a comment -
        Tony,

        Daryl is on travel until the 26th so please ping me if you need anything!

        I looked at the system and I show you already have access to the hidden master on spamassassin.zones.apache.org.

        pctony:x:2677:1:Tony @ Infra (for backups):/export/home/pctony:/bin/sh

        You are also already in sudoers in /etc/opt/sfw

        If you have any problems, just let me know. We are nervous when it comes to DNS because of the automated ripple for sa-update.

        Regards,
        KAM
        Tony Stevenson added a comment -
        Wow,

        So I apologise for this job slipping and slipping. However I still cannot login, I clearly don't know my SSH password, could someone please reset this and then let me know it (not via jira) pctony@a.o would be sufficient.
        Once I check named.conf I will notify our slaves, and we will take it from there.
        Kevin A. McGrail added a comment -
        Password just sent.
        Tony Stevenson added a comment -
        Thanks Kevin,

        I am in. Can I just clarify one last point, please? Do you want us to slave spamassassin.org, and updates.spamassassin.org? Or just one of these?

        I'm about to re-configure named to allow slaving from our list of NS's - Once this is working we can drop hyperreal, and sonic.
        Tony Stevenson added a comment -
        Ignore that, it seems you only have the one zone, and that updates. is incorporated into the main/parent zone.
        Tony Stevenson added a comment -
        I am still waiting for our contact at no-ip to respond, I will ping him again today.
        Tony Stevenson added a comment -
        Still waiting... Sorry.
        Kevin A. McGrail added a comment -
        Tony, it appears that sometime over the weekend, the change was made and reverted back https://issues.apache.org/jira/browse/INFRA-4531

        Most likely they made the switch but weren't pulling from the hidden master?
        Tony Stevenson made changes -
        Workflow jira [ 12499629 ] INFRA Workflow [ 12711856 ]
        Tony Stevenson added a comment -
        Transitioning to waiting for Infra
        Tony Stevenson made changes -
        Status Open [ 1 ] Waiting for Infra [ 10011 ]
        Gavin made changes -
        Assignee Joe Schaefer [ joes ]

          People

          • Assignee: Unassigned
          • Reporter: Daryl C. W. O'Shea
          • Votes: 0
          • Watchers: 2
