This reverts commit b8a327b128.
PowerDNS's bind backend doesn't appear to handle wildcards consistently
as secondaries, so I'm reverting this change and instead using a pair of
FreeBSD+bind servers (ns-he + ns-digitalocean) to provide the DNS.
fixes:
```
Jul 21 01:07:03 Caught an exception instantiating a backend: launch= suffixes are not supported on the bindbackend
```
```
Jul 21 01:08:47 Fatal error: Trying to set unknown parameter 'bind-first-config'
```
```
Jul 21 01:08:57 Fatal error: Trying to set unknown parameter 'pipe-second-command'
```
We now introduce a second Dockerfile, `Dockerfile-nginx`, to be used for
the web assets for sslip.io.
It does not run TLS; we assume that the load balancer will take care of
that.
We also gussied up the PowerDNS Dockerfile with minor changes.
- nodePort service is merely a proof-of-concept; this won't be the final
form the service takes. The port needs to be 53, not 32767.
- the deployment doesn't include the nginx webserver, merely the DNS
server. Also, I had trouble connecting both UDP & TCP to port 53,
so I chose UDP.
We are now secondaries for diarizer.com because it needs to share the
same webserver as *.cf.nono.io, and needs SSL certs, and needs to be
able to participate in the DNS challenge.
- Include BIND secondaries for nono.io/nono.com
(use this & you'll be unwitting secondaries for my domains)
- Fedora-based. Because IBM/Red Hat hires a lot of the Linux kernel developers.
I turn off ns-vultr typically the last week of the month because it
exceeds its 3TB bandwidth because it's one of the few NTP servers in
Singapore. Because it's not consistently up, it should not be a
nameserver, removing.
fixes <https://ci.nono.io/teams/main/pipelines/sslip.io/jobs/check-dns/builds/1874>
```
nameserver ns-vultr.nono.io.'s SOA record match (FAILED - 2)
nameserver ns-vultr.nono.io. resolves 199.147.119.111.sslip.io to 199.147.119.111 (FAILED - 3)
nameserver ns-vultr.nono.io. resolves 28-165-216-73.sslip.io to 28.165.216.73 (FAILED - 4)
nameserver ns-vultr.nono.io. resolves 5fjtv1hr.82-45-16-87.sslip.io to 82.45.16.87 (FAILED - 5)
nameserver ns-vultr.nono.io. resolves 207-60-213-72.9cs26rza to 207.60.213.72 (FAILED - 6)
nameserver ns-vultr.nono.io. resolves api.--.sslip.io' to eq ::)} (FAILED - 7)
nameserver ns-vultr.nono.io. resolves localhost.--1.sslip.io' to eq ::1)} (FAILED - 8)
nameserver ns-vultr.nono.io. resolves 2001-4860-4860--8888.sslip.io' to eq 2001:4860:4860::8888)} (FAILED - 9)
nameserver ns-vultr.nono.io. resolves 2601-646-100-69f0--24.sslip.io' to eq 2601:646:100:69f0::24)} (FAILED - 10)
```
The PowerDNS pipe backend will return NO RECORDS for domains which are
excluded (`XIP_EXCLUDED_DOMAINS`).
This fixes an error where the pipe backend returns authoritative records
for the domains which I want the bind backend to answer; surprisingly,
this behavior breaks wildcard records:
fixes:
```
TYPE=any RECORD=c.pas.nono.io; dig +short $TYPE $RECORD @ns-aws.nono.io; echo; dig +short $TYPE $RECORD @ns-he.nono.io
ns-aws.nono.io.
ns-azure.nono.io.
ns-gce.nono.io.
ns-vultr.nono.io.
"protonmail-verification=ce0ca3f5010aa7a2cf8bcc693778338ffde73e26"
10 mail.protonmail.ch.
briancunnie.gmail.com. ns-he.nono.io. 2018092000 300 300 300 300
haproxy.pas.nono.io.
```
- I had to remove `ns-he.nono.io`; I'm moving back to BIND on that one.
- `resolve_ns_subdomain` is deprecated; I don't need to resolve
the IP addresses of the NS records, for they're in a different domain.
- Added `localhost` resolution; it was one of the common queries.
- Pull the pipeline configuration from Concourse, but re-add the
comments at the top & the entire `resources` section which has YAML
anchors and is much more brief as a result.
Previously _deploy-pws-diego-cellblock-02_ waited for
_deploy-pws-pivotal-internal-apps_ to complete before starting, but that
particular job has taken as long as 1:47 (HH:MM) (cf-deployment v2.5.0).
_deploy-pws-diego-cellblock-02_'s other dependency,
_deploy-pws-diego-cellblock-01_, completed in a much more reasonable
timeframe (1:08), and is also a more similar deployment (in other words,
if the deployment to cellblock 01 has succeeded, then we should proceed
with cellblock 02 & not bother to wait for Internal Apps).
This is a dummy pipeline to demonstrate visually the changes to
accelerate the deployment to PWS (Pivotal Web Services). We hope to
reduce deployment time from 17 hours to 11 hours while restricting
Diego cell vacating to one az (availability zone) at a time.
Yes, according to the RFC it shouldn't begin with a hyphen. And, since
we're on the topic, underscores were supposed to be off the table, too,
but Microsoft used them anyway, and you know what? We're gonna use the
"forbidden hyphen". And we're gonna instruct `dig` to not be so
persnickety.
fixes:
```
dig +short AAAA api.--.sslip.io
dig: idn2_lookup_ul failed: string start/ends with forbidden hyphen
```
I had to make it work for old-style (e.g. macOS dig) which is version
"DiG 9.8.3-P1" as well as for the new version ("DiG
9.11.3-RedHat-9.11.3-6.fc28") which has this new
[library](https://www.gnu.org/software/libidn/libidn2/reference/libidn2-idn2.html)
which does the following:
> Perform IDNA2008 lookup string conversion on domain name src, as described in section 5 of RFC 5891
Nothing like a good example to drive the point home.
I need to update the AWS and Hetzner content to reflect these changes,
and include the new URL in the Hetzner LetsEncrypt list.
I wasted an hour trying to figure out how I converted `index.md` to
`index.html` (`pandoc`? `hugo`?), only to discover that it was never the
true source, I had merely converted then cut-and-pasted to the
hand-curated `index.html`.
Also modified simple so that _unit_ would pass and _integration_ would
fail. If swapped, then _unit_ would fail and _integration_ would never
run.
fixes:
```
error: invalid configuration:
unknown/extra keys:
- jobs[0].plan[0].config.image
- jobs[0].plan[0].config.tags
```
When queried with a mixed-case domain, e.g. "SsLiP.Io", the A and AAAA
records are properly returned. Previously they weren't. This is a
problem when Let's Encrypt queries with a mixed-case domain, which it
does for reasons which are not clear:
<https://github.com/letsencrypt/boulder/issues/1243>
fixes:
```
Failed authorization procedure. sslip.io (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for sslip.io
```
- cert is from LetsEncrypt
- Hetzner already "owns" the IPv6 version
- For simplicity, it should also own IPv4
This marks a milestone for sslip.io; its original purpose was to use
a wildcard certificate, and now we're hosting the domain using a
LetsEncrypt certificate. My, how the world has changed.
- Like xip.io, except
- allow dashes as well as dots
- allow IPv6
- allow branding
- allow wildcard TLS
We deprecate the old message, which was about using SSL.
Instead, we use a filler "x{0}", i.e. "'x' appearing exactly
zero times" to separate the parentheses.
fixes:
```
Task 21945 | 00:31:48 | Error: Unable to render instance groups for deployment. Errors are:
- Unable to render jobs for instance group 'concourse'. Errors are:
- Unable to render templates for job 'pdns'. Errors are:
Variable name '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?' must only contain alphanumeric, underscores, dashes, or forward slash characters
```
- api.system.2a01-4f8-c17-b8f--2.sslip.io ➡ 2a01:4f8:c17:b8f::2
- `dashed` domains only (e.g. only "fe80-2a01-4f8-c17--de0e" not
"fe80.2a01.4f8.c17..de0e"; DNS doesn't allow two dots next to each
other).
- mirrored from https://github.com/cunnie/bin/blob/master/pdns_pipe.sh
which has colocated tests.
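The commits above describe several behaviours of the pipe backend: excluded domains get no records (so the bind backend answers and wildcards keep working), mixed-case queries such as "SsLiP.Io" must still resolve, IPv4 may be embedded with dots or dashes, and IPv6 is embedded as a single dashed label. The script below is an added example written for this page, not the project's `pdns_pipe.sh`, showing one way to implement those rules as a PowerDNS pipe-backend (ABI version 1) handler. The domain lists, the apex addresses (`APEX_A`, `APEX_AAAA`, documentation ranges), the `--serve` flag and the function names are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not the project's pdns_pipe.sh: a minimal PowerDNS pipe-backend
# (ABI version 1) handler for sslip.io-style names. Domain lists and the apex
# addresses below are hypothetical values chosen for this example.
set -euo pipefail
shopt -s nocasematch   # "SsLiP.Io" must resolve like "sslip.io" (Let's Encrypt queries mixed case)

DOMAINS="sslip.io nono.io"                     # zones this backend answers for (assumed)
XIP_EXCLUDED_DOMAINS="pas.nono.io cf.nono.io"  # left to the bind backend: answer with NO records (assumed)
APEX_A="203.0.113.10"                          # example-only web server address (TEST-NET-3)
APEX_AAAA="2001:db8::10"                       # example-only, RFC 3849 documentation prefix
TTL=300

# IPv4 embedded in the name as dotted or dashed octets, e.g. "api.192-168-1-1" or "10.0.0.1".
# (If this regex were pasted into a BOSH manifest, any "((" / "))" it forms must be split
# with x{0}, otherwise BOSH reads it as a ((variable)).)
OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
IPV4_IN_NAME="(^|[.-])(${OCTET}[.-]){3}${OCTET}($|[.-])"
# IPv6 as one dashed label, e.g. "2001-4860-4860--8888" or "--1": ":" is illegal in a label
# and ".." is illegal in a name, so dashes are the only option.
IPV6_LABEL='(^|\.)([0-9a-f]{0,4}(-[0-9a-f]{0,4}){2,7})($|\.)'

# is_excluded NAME: true if NAME is, or is under, an excluded domain (case-insensitive via nocasematch)
is_excluded() {
  local name=$1 d
  for d in $XIP_EXCLUDED_DOMAINS; do
    [[ $name == "$d" || $name == *."$d" ]] && return 0
  done
  return 1
}

# strip_domain NAME: print the labels left of one of our DOMAINS ("" at the apex); fail if not ours.
# ${name%...} is case-sensitive, so the suffix is cut by length after a nocasematch comparison.
strip_domain() {
  local name=$1 d
  for d in $DOMAINS; do
    [[ $name == "$d" ]] && { echo ""; return 0; }
    [[ $name == *."$d" ]] && { echo "${name:0:${#name}-${#d}-1}"; return 0; }
  done
  return 1
}

# sslip_a NAME: print the A record content for NAME, or nothing
sslip_a() {
  local name=${1%.} host m
  is_excluded "$name" && return 0
  host=$(strip_domain "$name") || return 0
  [[ -z $host ]] && { echo "$APEX_A"; return 0; }
  [[ $host == localhost ]] && { echo 127.0.0.1; return 0; }
  if [[ $host =~ $IPV4_IN_NAME ]]; then
    m=${BASH_REMATCH[0]}; m=${m#[.-]}; m=${m%[.-]}   # drop the separators around the match
    echo "${m//-/.}"
  fi
}

# sslip_aaaa NAME: print the AAAA record content for NAME, or nothing
sslip_aaaa() {
  local name=${1%.} host label dashes
  is_excluded "$name" && return 0
  host=$(strip_domain "$name") || return 0
  [[ -z $host ]] && { echo "$APEX_AAAA"; return 0; }
  [[ $host =~ $IPV6_LABEL ]] || return 0
  label=${BASH_REMATCH[2]}
  dashes=${label//[^-]/}
  [[ $label == *---* || $label == *--*--* ]] && return 0   # more than one "::" is not an address
  # a dashed IPv6 label has exactly one "--" (the :: gap) or all seven separators;
  # a dashed IPv4 such as "192-168-1-1" has neither and yields no AAAA
  if [[ $label == *--* || ${#dashes} -eq 7 ]]; then echo "${label//-/:}"; fi
}

# pipe_backend: speak pipe-backend ABI 1 on stdin/stdout. Excluded names get a bare END,
# i.e. no records, so PowerDNS leaves them to the bind backend instead of answering.
pipe_backend() {
  local line kind qname qclass qtype id remote a
  IFS= read -r line || line=
  [[ $line == HELO$'\t'1 ]] || { echo FAIL; return 1; }
  printf 'OK\tsslip.io example backend\n'
  while IFS=$'\t' read -r kind qname qclass qtype id remote; do
    if [[ $kind == Q ]]; then
      if [[ $qtype == A || $qtype == ANY ]]; then
        for a in $(sslip_a "$qname"); do
          printf 'DATA\t%s\t%s\tA\t%s\t%s\t%s\n' "$qname" "$qclass" "$TTL" "$id" "$a"
        done
      fi
      if [[ $qtype == AAAA || $qtype == ANY ]]; then
        for a in $(sslip_aaaa "$qname"); do
          printf 'DATA\t%s\t%s\tAAAA\t%s\t%s\t%s\n' "$qname" "$qclass" "$TTL" "$id" "$a"
        done
      fi
    fi
    echo END
  done
}

# Serve only when asked (assumed flag), e.g. in pdns.conf: pipe-command=/path/to/this.sh --serve
if [[ ${1:-} == --serve ]]; then pipe_backend; fi
```

Feeding `HELO<tab>1` followed by `Q` lines on stdin exercises the whole path; a query for a name under an excluded domain produces only `END`, which is the "NO RECORDS" answer the commit above relies on, while a mixed-case apex query still yields the apex A/AAAA because `nocasematch` governs the `[[ == ]]` comparisons (the suffix is cut by length precisely because `${name%...}` would not be case-insensitive).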
- DNS is flaky, and sometimes tests fail for spurious reasons
(e.g. <https://ci.nono.io/teams/main/pipelines/sslip.io/jobs/check-dns/builds/1621>)
fixes:
```
dig: couldn't get address for 'ns-he.nono.io.': not found
nameserver ns-he.nono.io.'s NS records match whois's ["ns-azure.nono.io.", "ns-aws.nono.io.", "ns-he.nono.io.", "ns-gce.nono.io."], `dig +short ns sslip.io @ns-he.nono.io.` (FAILED - 1)
```
- causes BOSH interpolation to become confused
- separate parentheses using null-string "x{0}"
fixes:
```
Task 19122 | 15:47:01 | Error: Unable to render instance groups for deployment. Errors are:
- Unable to render jobs for instance group 'concourse'. Errors are:
- Unable to render templates for job 'pdns'. Errors are:
Variable name '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?' must only contain alphanumeric, underscores, dashes, or forward slash characters
```
- improperly templated with tabs:
```yaml
pipe: "#!/usr/bin/env bash\n#\n# Originally written by Sam Stephenson for xip.io\nset
-e\nshopt -s nocasematch\n\n# Configuration\n#\n# Increment this timestamp
```
- properly templated without:
```yaml
pipe: |
#!/usr/bin/env bash
#
# Originally written by Sam Stephenson for xip.io
```
fixes:
```
Task 19122 | 15:47:01 | Error: Unable to render instance groups for deployment. Errors are:
- Unable to render jobs for instance group 'concourse'. Errors are:
- Unable to render templates for job 'pdns'. Errors are:
Variable name '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?' must only contain alphanumeric, underscores, dashes, or forward slash characters
```
- previously Name Server line began with "NS"
- now they begin with "Name Server"
- fixed typo
fixes:
```
1) sslip.io should have at least 2 nameservers
Failure/Error: expect(whois_nameservers.size).to be > 1
expected: > 1
got: 0
# ./sslip.io/spec/check-dns_spec.rb:37:in `block (2 levels) in <top (required)>'
```