Hi Anil,

On 14/08/2018 16:19, Anil Madhavapeddy wrote:
> Thanks for the heads-up!  I delayed a little with the quick fix this time in order
> to deploy the new udns stack which supports Letsencrypt renewal.  As a
> warning, this means switching our root name servers out, so there may be
> some downtime for DNS over the next few hours/days.  In return, we will
> have a fully self-hosted DNS/HTTPS mirage.io domain using itself!
> 
> The steps are:
> 
> - Switching root name server for mirage.io to udns. I have deployed a new
>   host on packet.net running mirage-ns1.signpost.io (using the other domain
>   to avoid needing a glue record for now).  It uses the "primary-git" example
>   from udns, and is pointing at https://github.com/mirage/ns.mirage.io and
>   uses Irmin to retrieve the zone file via Git.

\o/

> - Once this has propagated, I need to set up the TSIG keys on that nameserver
>   in order to do automated LE updates.  Hannes, do you have any tips/guides
>   on how to do this or an example in the repo?

To generate TSIG keys, I use:

  dnssec-keygen -a HMAC-SHA256 -n entity -b 256 barf.10.0.42.2._transfer.mirage

For LE integration, you can use either bin/oacmel (from
https://github.com/hannesm/ocaml-letsencrypt/tree/nsupdate) or the
unikernel in the `mirage` repository, which acts as a secondary, awaits
notify/zone transfer with signing requests, and then communicates with
LE to provision the CSR to put the cert back into DNS -- see
https://github.com/mirleft/tls-demo-server/commit/565fdbe972e0c92c49294cf2120bbfbc9021bba4
for how to use this (or alternatively udns/mirage/examples/certificate).
I'm in the process of writing documentation about this (but got
distracted by other things).  Please don't hesitate to ask further
questions.


hannes
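The TSIG mechanism the thread relies on (an HMAC-SHA256 key shared between the primary and the update client, generated with dnssec-keygen as above) computes a MAC over the DNS message plus the TSIG record variables, and the receiving server rejects messages whose MAC does not verify or whose timestamp falls outside the fudge window. The following is an added, self-contained illustration of that check; it is not code from the thread or from udns. The key name is the one quoted in the mail; the base64 secret, the fudge value and the UPDATE message are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Key name from the thread; the secret is a constructed 32-byte value in the
# base64 shape `dnssec-keygen -a HMAC-SHA256 -b 256` emits. Not a real key.
KEY_NAME = "barf.10.0.42.2._transfer.mirage"
KEY_SECRET_B64 = "EdP4xZ4w3R0m6Qy2sR1u8Jt0b1Qz5k7H9LqVw3Xc2Ns="
ALGORITHM = "hmac-sha256"
FUDGE = 300  # seconds of allowed clock skew (assumed; nsupdate's default)

def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercased, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tsig_variables(time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG RDATA fields covered by the MAC (RFC 2845/8945): name, class ANY,
    TTL 0, algorithm, 48-bit time signed, fudge, error, other data."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(message: bytes, time_signed: int, fudge: int = FUDGE, request_mac: bytes = b"") -> bytes:
    """HMAC-SHA256 over [2-byte-length-prefixed request MAC, responses only]
    + the DNS message (without the TSIG RR) + the TSIG variables."""
    key = base64.b64decode(KEY_SECRET_B64)
    data = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    data += message + tsig_variables(time_signed, fudge)
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_tsig(message: bytes, mac: bytes, time_signed: int,
                fudge: int = FUDGE, now: Optional[int] = None) -> bool:
    """Server-side check: reject BADTIME outside the fudge window, then compare
    the recomputed MAC in constant time (BADSIG on mismatch)."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    return hmac.compare_digest(tsig_mac(message, time_signed, fudge), mac)

# Constructed dynamic UPDATE request: header with opcode UPDATE (5 << 11),
# one zone-section entry (mirage.io, type SOA, class IN), no TSIG RR yet.
UPDATE_MSG = (struct.pack("!HHHHHH", 0x1234, 0x2800, 1, 0, 0, 0)
              + wire_name("mirage.io") + struct.pack("!HH", 6, 1))

if __name__ == "__main__":
    ts = int(time.time())
    mac = tsig_mac(UPDATE_MSG, ts)
    print("signed:", verify_tsig(UPDATE_MSG, mac, ts))          # True
    print("tampered:", verify_tsig(UPDATE_MSG + b"\x00", mac, ts))  # False
```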

_______________________________________________
MirageOS-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/mirageos-devel