updating dns in the future: new /git/dns repo and tools

After the ever-such-fun of dealing with rotating out our proxies and
with puppet and with broken dns zones and dnssec and all the other pain
we settled on a solution and I implemented it today.

We'll be putting it into place and testing it more Wednesday morning
(later Wednesday morning).

Here's the basis of things:

http://infrastructure.fedoraproject.org/infra/dns/README

I've added zone-checking and signed-zone-checking at just about every
place I can. I have a pre-commit hook available so you can check your
changes before you commit.

I have a pre-receive hook in the server repo to stop you from
committing broken files if you didn't test your own.

All the zone files are checked when ./do-domains is run.

In short, I hope you will have to work REALLY hard to break a zone file
with this system.

Finally, this changes how dns has been handled in the past. It means
named's configuration of the daemon (named.conf, etc.) is
stored in puppet - but named's DATA (zone files) are stored in
this /git/dns.

We've done this b/c we change the configuration quite a bit less than
we do the data and we need a separate mechanism to build/modify/check
the data than we could easily get in the existing puppet module.

Finally, doing this should let us sign the zones for dnssec in a single
location rather than how we have been doing them.

We'll be testing this all out tomorrow and I'll update with the
results, once we're done.

-sv
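
A sketch of the server-side check described in the message above, added here as an example; it is not the hook from the Fedora /git/dns repo. It assumes zone files sit in a top-level `zones/` directory, each named after its zone, and that the checker is BIND's `named-checkzone`; it covers unsigned zones only.

```shell
#!/bin/sh
# Example pre-receive hook: refuse a push if any zone file in it fails a check.
# Assumptions (not from the original post): zone files live in "zones/",
# one file per zone, named after the zone (zones/example.org), and the
# checker is invoked as: named-checkzone ZONE FILE.

ZONE_CHECKER=${ZONE_CHECKER:-named-checkzone}
ZONE_DIR=${ZONE_DIR:-zones}

# Run the checker over every regular file in directory $1.
# Returns 0 if all zones pass, 1 if at least one fails.
check_zone_dir() {
    failed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        zone=${f##*/}
        if ! out=$("$ZONE_CHECKER" "$zone" "$f" 2>&1); then
            printf 'zone check failed: %s\n%s\n' "$zone" "$out" >&2
            failed=1
        fi
    done
    return "$failed"
}

# git feeds a pre-receive hook one "old new ref" line per updated ref on stdin.
main() {
    status=0
    while read -r old new ref; do
        # An all-zero new id means the ref is being deleted: nothing to check.
        case $new in *[!0]*) ;; *) continue ;; esac
        tmp=$(mktemp -d) || return 1
        # Check the pushed tree itself, not whatever is checked out on the server.
        if git archive "$new" "$ZONE_DIR" | tar -x -C "$tmp"; then
            check_zone_dir "$tmp/$ZONE_DIR" || status=1
        else
            # Fail closed: a push we cannot export is a push we cannot vouch for.
            echo "cannot export $ZONE_DIR from $new ($ref)" >&2
            status=1
        fi
        rm -rf "$tmp"
    done
    return "$status"
}

# Only act as a hook when installed under that name.
case ${0##*/} in pre-receive) main; exit $? ;; esac
```

A non-zero exit from a pre-receive hook makes git reject the whole push, which is what stops a broken zone file from reaching the server repo when the committer skipped the local check.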

