A while back, the https://www.freebsddiary.org/topics.php#opteron – the colo facility was purchased and the new owners are not interested in donating services to open source projects. That host also acted as a DNS host for all my domain. I pressed a small VPS into service. It handled the query services fine, but updates were sluggish. It …
To be fair, the name servers weren’t offline, just the two zone files I amended. The effect: none of my services at home were available to anything at home. The other day, I was working on some procedures for adding a jail to a host and then a jail within that jail. I wanted to …
How I took my name servers offline by adding a new hostname Read More »
Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt. Context This section should be on news.freshports.org and you can skip it to get to the real stuff. Today I’m working on a mostly automated FreshPorts node deployment. A …
Today I faced the first consequences of my TXT & Let’s Encrypt strict policy Read More »
In the interests of maintaining Michael W Lucas in the lifestyle to which he has become accustomed, I am creating this blog post. Although Mr Lucas was the first to post, he is not solely to blame for my burdensome workload. Jan-Piet Mens and Evan Hunt also have much to answer for. Their misdeeds include …
Creating a very specific TXT only nsupdate connection for Let’s Encrypt Read More »
The dev.freshports.org website is hosted on server in my basement. For you, that IP addresses resolves to a publicly available IP address. For me, that IP address resolves to an RFC 1918 address: $ host dev.freshports.org dev.freshports.org has address 10.55.0.24 Sometimes this is referred to as split dns, also known as split-horizon DNS, split-view DNS, …
I encountered, and later solved, a DNS issue on a FreeBSD jail. The jail is my web proxy, of sorts. I have one public IP address, which is dynamic (not relevant, but mentioned only in passing) so all incoming web traffic goes to a single internal RFC-1918 IP address. From there, nginx does reverse proxies …
I use pf as my packet filter. Everything blocked gets logged to /var/log/pflog.conf Late last week, I noticed my rules were allowing everything in on one interface. I changed that. Overnight I see that my Let’s Encrypt certificate renewals failed. Nagios also tells me that the DNS servers are not in sync. I suspect firewall …
Back in the good old days, I managed my DNS zones files by checking them into the repo, and then running svn up on the name servers. When I started using Let’s Encrypt, I stopped doing that because of the use of nsupdate. This post outlines how I added two new zones to my nameservers: …
I use bind (Berkeley Internet Name Domain) as my DNS server. I am currently running bind 9.11.5P1 on FreeBSD 11.2-RELEASE-p8 in a jail, with iocage as my jail manager. The OS, jail, and jail manager should play no part in how this works. I have been collecting statistics from bind for some time. I have …
You have an old DNS server: tallboy.example.org You have a new DNS server: ns1.example.org You have a domain, example.com, for which you want to swap the old DNS server with the new DNS using nsupdate. NOTE: the domain is example.com The NS servers are in example.org (different domains). These are the commands you issue: update …