[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNS Dynamic Update: Re: pi.berkeleylug.com.? :-) (cert, ...)

To: "tom r lopes" <tomrlopes@gmail.com>
Subject: DNS Dynamic Update: Re: pi.berkeleylug.com.? :-) (cert, ...)
From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
Date: Mon, 10 Feb 2020 01:05:01 -0800
Arc-authentication-results: i=2; gmr-mx.google.com; spf=neutral (google.com: 198.144.192.42 is neither permitted nor denied by best guess record for domain of michael.paoli@cal.berkeley.edu) smtp.mailfrom=Michael.Paoli@cal.berkeley.edu
Arc-authentication-results: i=1; gmr-mx.google.com; spf=neutral (google.com: 198.144.192.42 is neither permitted nor denied by best guess record for domain of michael.paoli@cal.berkeley.edu) smtp.mailfrom=Michael.Paoli@cal.berkeley.edu
Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:user-agent :content-disposition:mime-version:in-reply-to:references:subject:cc :to:from:date:message-id:sender:dkim-signature; bh=QsFDP9+QJ3LCCGQwpQHhQZofBjpzUIqrCAsAVoiXRIc=; b=TY/QDYaq39Wke/ayBGX2NYHYoZWjPxYYexp6o9xatw/YAO399wDTNMBorooNo61Y2M gup/OCXlDfWjFJlRCAWGK/y81iTCRRGNNeXA/OEd52slKTCCvJeEXOD4WQORv/Wd4p4m uQTa5ABF+FFqpMUHN0+o2EfyhyIIHuhsPRuLderspU8mYil1bDyyZ8BC0mzo5nFnRIFD x+5PfZ0+wsi1kQklaSigDPYmfz0A9Ce6JQOMRf/RFIYZC1aYcFL2dDcuDUowyPwmLXce hShQwfIQfqGes60g+2ryoStnFm50Hq7kVBKfZHuP/abtD3Q/zmnxturUh0RRheUlJpY3 2MXg==
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:content-transfer-encoding:content-disposition :mime-version:in-reply-to:references:subject:cc:to:from:date :message-id; bh=S61W58L5TTvG/+oV59bwrvQCYd1Bd3vJB8h72HDaVDk=; b=fPFZabOjRfTJsTZVhFZFnaBpBY8zvsvxhkVplsrwNI1/O+frCYnbKF/hctDNrVwEWh q/QkXzvrqzxtt8BBN8fctxePwnaUZWYHxf+VIfRSvhiKxrAy3VENJq+FUeUMNgo5zR+a 1cuP78ZaGzPGMS99P53O8Rxt8b5ztAg//TbAvx7tgr/jdIx2tnimNrl8BFh0wKau+cw5 muwPWvm4Xmk2FX8oKEV5Yj8kMp7IGZDRO8fzAYuk8a0jh0NEYO2FRwL+pGoI8LsoNEhN O2fiTn6EqICo+1tdHbfYhjaPfZGixS5vz1W3nueLEjfyVhwC9w8yNa/9d9/yaC3ai/l7 Ue2A==
Arc-seal: i=2; a=rsa-sha256; t=1581325503; cv=pass; d=google.com; s=arc-20160816; b=m80fxX5vU4FrgP1mZ5a78FWm2HoG0I0F7PfzueYoUEmCZiM9+5Vzj2M1a0GBtpo3EY oaRxiczEOwCsPzQPW5wybOa2ZOtcfRXCOyT08VOhu7V+b96Ht0w80wTwNGTlLBlPUfG0 4N16Ok0nCz4OdW6+Ny5nvXZjO8Pg4sT6PL5ZSpAlS1UWRWn+eeh3fkT/33TLqHg4A+32 amulEnYaAQmAQ+1m/gagGMae7X/JcUkoUCHPCRqQvAg7An6sENgsYEeoNWIzkt8GtiAZ Zk1+Rs6eE0ml7TWv3n9mNjfU8iUlvBA9hze82UD4va3mJ6XEF2B9VOn88bm1GpQk/Bpg irSQ==
Arc-seal: i=1; a=rsa-sha256; t=1581325503; cv=none; d=google.com; s=arc-20160816; b=XbxMZ3gXkFdft4V8nltmliLzTWu8tsX3dZ6NBAHLpSMzyFmAdXUaSKHukPCFqGDWyw DUyEaBLDpPhQCqgzVfjY5Nq2te63HTud67LUyB41W8KTh/pPgKIPaSd3cnMljgMR3xYw yaa9GWRBxCyZ7negPd8fnDhhl1Uc7DR6YfjedqYNDa6b561odAhl5p4tvi/G16rwqWGc 2QOJJE8R0+kKySU8AgCVQs3A01k8h0LKEV+hn17enOBKUIk9pFS6RrBDgWNYunFN5VXG 5K4JbNxTIuLqfNtq6Jqk91zIAmtrRaebqQJgC7hwTMio+Vv50TKwmeopECnfF1c7dIKz wHIQ==
Cc: BerkeleyLUG <berkeleylug@googlegroups.com>
Delivered-to: historian@entropia.netisland.net
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20161025; h=sender:message-id:date:from:to:cc:subject:references:in-reply-to :mime-version:content-disposition:user-agent:x-original-sender :x-original-authentication-results:reply-to:precedence:mailing-list :list-id:list-post:list-help:list-archive:list-subscribe :list-unsubscribe; bh=QsFDP9+QJ3LCCGQwpQHhQZofBjpzUIqrCAsAVoiXRIc=; b=jaaUhBaTl7j3FB5RwyuRQo3dhuSdjVZyO73H3ZKX+Bvl19qFPzFOOC/KjLFDZx5oic 2adQdV/c/NvRIzW8Ag72PYIyDvyF/LBQ7Xj2OrBElab/Ve4aI5kGXKQz5MsWZsp1FHys zYhADs+lH04A1wipT29ax7dGgAL9nptCyVEJRovnhQuCe6KFx3tPbfVOVq/JCJf9c5qk 4VFUZYp5qeRbReekFg0B/ieM89xh8MLg4dZKkTwPDnSrNmwI+qce+odwJ7gxnZ85Ixfj 2bVZdeoVN0nyIvvaNf+/86oM8/uCPczuA8xqW3+eNim7sT9ZSUHDujNzYNvwoPlR0j6T 9coA==
In-reply-to: <20200201093022.14454a33im2rf46c@webmail.rawbw.com>
List-archive: <https://groups.google.com/group/berkeleylu>
List-help: <https://groups.google.com/support/>, <mailto:berkeleylug+help@googlegroups.com>
List-id: <berkeleylug.googlegroups.com>
List-post: <https://groups.google.com/group/berkeleylug/post>, <mailto:berkeleylug@googlegroups.com>
List-subscribe: <https://groups.google.com/group/berkeleylug/subscribe>, <mailto:berkeleylug+subscribe@googlegroups.com>
List-unsubscribe: <mailto:googlegroups-manage+61884646931+unsubscribe@googlegroups.com>, <https://groups.google.com/group/berkeleylug/subscribe>
Mailing-list: list berkeleylug@googlegroups.com; contact berkeleylug+owners@googlegroups.com
References: <20200201093022.14454a33im2rf46c@webmail.rawbw.com>
Reply-to: berkeleylug@googlegroups.com
Sender: berkeleylug@googlegroups.com
User-agent: Internet Messaging Program (IMP) H3 (4.2.1-RC1)

A little bit closer.

So, thing I'd been thinking about and started (test)
implementation of at BerkeleLUG yesterday (Sunday) ...
with the (proposed) Raspberry Pi, not having static IPv4
address, having a means to updated it ([*.]pi.berkeleylug.com)
in DNS.  Ah, thinks I, ... Dynamic Update.  That and some
suitable sudoers(5) entries, and that should then cover it,
allowing client to update its DNS.

Delegating subdomain (pi.berkeleylug.com) would be more work than
it would be worth (would need to arrange slaves, etc.), so idea
is [*.]pi.berkeleylug.com would be in same zone.
sudoers(5) and/or configuration of Dynamic Updated would be
used to suitably restrict authorized client to only update
[*.]pi.berkeleylug.com DNS data.

But ... for initial testing, easier to start with a
delegated subdomain (easier to test that Dynamics won't
change data where they're not supposed to) ... once all is
well tested and configured and such, can apply that to the
berkeleylug.com zone - with suitable restrictions to
[*.]pi.berkeleylug.com DNS data.

So, for test zone ... tmp202002.berkeleylug.com.
And why such a zone?  Well, won't later conflict with
[*.]pi.berkeleylug.com - even if some remnant data hangs out
for a while (in caches or whatever).  Also, I wanted to
do DNSSEC with it to (as is already the case with
berkeleylug.com) ... got that covered and validated,
and with DNSSEC, best practice with (ZSK) key rotation is
(about) monthly ... already have that covered.  But along with
that, don't want older or possibly conflicting keys hanging
out too long.  Hence, for testing now, separate delegated
sub-domain, that doesn't conflict, and is quite clearly
intended to be temporary.

Oh, and since it's just for proof-of-concept / testing, and
nothin' all that important at the moment ... who needs slaves?
(yeah, I know, RFCs 'n all that, but for a who cares throwaway
anyway ...).
So, DNSSEC ... done: Try this also for a nice view thereof:
https://dnsviz.net/d/tmp202002.berkeleylug.com/dnssec/
And of course:
$ delv tmp202002.berkeleylug.com. SOA +multiline
; fully validated

tmp202002.berkeleylug.com. 291 IN SOA ns0.tmp202002.berkeleylug.com.Michael\.Paoli.cal.berkeley.edu. (

                                1581288117 ; serial
                                3600       ; refresh (1 hour)
                                1200       ; retry (20 minutes)
                                604800     ; expire (1 week)
                                180        ; minimum (3 minutes)
                                )
tmp202002.berkeleylug.com. 291 IN RRSIG SOA 8 3 300 (

20200311085137 20200210075137 6543tmp202002.berkeleylug.com.

                                Ub0l4cQnPmt47MvguwCW1YHztF6CpWGksWl6MYHiYDgs
                                y3kiyOMAvGd2hmOwQMbU2NndI9DTpfn9iYycxKFZcjP3
                                VTPUD/7iKa7yXXvVq+G81q2YfJx7Aqxe0yczCAG+8G0j
                                0Ui3oYdxb2ZxmqT7b8cVRdDAZ9DwUHkRjgWCvjs= )
$

And ... Dynamic Update, yep, have that implemented too:

$ dig +noall +answer www.tmp202002.berkeleylug.com. Awww.tmp202002.berkeleylug.com. AAAA

www.tmp202002.berkeleylug.com. 300 IN   A       96.86.170.229
www.tmp202002.berkeleylug.com. 300 IN   AAAA    2001:470:1f05:19e::4

# echo -e 'update del www.tmp202002.berkeleylug.com.update add www.tmp202002.berkeleylug.com. 300 A10.9.8.7update add www.tmp202002.berkeleylug.com. 300 AAAA2001:470:1f05:19e:babe:face:deaf:beefupdate addwww.tmp202002.berkeleylug.com. 300 AAAA2001:470:1f05:19e:beef:face:deaf:babeupdate addwww.tmp202002.berkeleylug.com. 300 AAAA2001:470:1f05:19e:feed:babe:dead:beef

send' | nsupdate -l
#

$ dig +noall +answer www.tmp202002.berkeleylug.com. Awww.tmp202002.berkeleylug.

com. AAAA
www.tmp202002.berkeleylug.com. 300 IN   A       10.9.8.7

www.tmp202002.berkeleylug.com. 300 IN AAAA2001:470:1f05:19e:beef:face:deaf:babewww.tmp202002.berkeleylug.com. 300 IN AAAA2001:470:1f05:19e:feed:babe:dead:beefwww.tmp202002.berkeleylug.com. 300 IN AAAA2001:470:1f05:19e:babe:face:deaf:beef

From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
Subject: pi.berkeleylug.com.?  :-) (cert, ...)
Date: Sat, 01 Feb 2020 09:30:22 -0800

Tom,

Per our earlier communications:

Let me know when you check if you can have open TCP ports
80 & 443 with your ISP on IPv4 (and also, if applicable/available,
IPv6).

We could then:
set up page, likely:
https://berkeleylug.com/pi/
On the BerkeleyLUG web site.
And could then also include link(s) from there to:
http[s]://[www.]pi.berkeleylug.com/
I could also work on setting up dynamic DNS on
berkeleylug.com
and account and suitable access, so you'd be able to change DNS
for [*.]pi.berkeleylug.com.

Oh, and do also have TLS(/"SSL") cert ready for you - if you wish
to use it, and when we have secure means to transfer key (e.g. via
aforementioned above account and ssh/scp/sftp):
            Not Before: Feb  1 15:32:20 2020 GMT
            Not After : May  1 15:32:20 2020 GMT
        Subject: CN = *.pi.berkeleylug.com
*.pi.berkeleylug.com,pi.berkeleylug.com
I use letsencrypt.org, and generally get new certs a bit
more frequently than every 90 days (since they expire after 90 days).
Anyway, got such cert covering the above
(Subject Alternative Name (SAN) & wildcard)
so that would suffice to cover not only
pi.berkeleylug.com, but also any subdomain directly thereunder, e.g.:
www.pi.berkeleylug.com
And you could decide what you'd want the canonical to be
(with or without leading www., and https, or http).
Anyway, not much extra work for me to obtain such cert when I
do all my others (for efficiency, I grab 'em all right around the
same time, so all the expirations are fairly closely aligned, and
then I effectively process 'em all as a (sequential) "batch",
bit more frequent than once every 90 days ... then generally no
other such certs to muck with in the time between).

see also:
http://linuxmafia.com/pipermail/conspire/2020-January/date.html


--
You received this message because you are subscribed to the Google Groups "BerkeleyLUG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to berkeleylug+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/berkeleylug/20200210010501.14629se5xfr8w05c%40webmail.rawbw.com.

Follow-Ups:
- DNS Dynamic Update: Re: pi.berkeleylug.com.? :-) (cert, ...)
  - From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>

References:
- pi.berkeleylug.com.? :-) (cert, ...)
  - From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>

Prev by Date: And some of us here bit early, have space, power, Wi-Fi, Internet*, ...: Re: BerkeleyLUG meetup this Sunday 2020-02-09 at Cafe Blue Door
Next by Date: DNS Dynamic Update: Re: pi.berkeleylug.com.? :-) (cert, ...)
Previous by thread: pi.berkeleylug.com.? :-) (cert, ...)
Next by thread: DNS Dynamic Update: Re: pi.berkeleylug.com.? :-) (cert, ...)
Index(es):
- Date
- Thread