dns: add PTR support for 2a02:ec80:a000::
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• aborrero
	Nov 25 2024, 2:02 PM

Description

This ticket is to track the work to add PTR support for the 2a02:ec80:a000:: subnet.

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Delegate WMCS Eqiad ranges to OpenStack auth dns	operations/dns	master	+6 -0

Customize query in gerrit

Related Changes in GitLab:

	Title	Reference	Author	Source Branch	Dest Branch
	eqiad1: cloudinfra: introduce PTR zones for 2a02:ec80:a000::	repos/cloud/cloud-vps/tofu-infra!205	aborrero	arturo-228-eqiad1-cloudinfra-i	main

Customize query in GitLab

Related Objects
Search...

Status	Assigned	Task
Open	None	T53494 Use Beta cluster as a true canary for code deployments (epic)
Declined	None	T87220 Minimize infrastructure differences between Beta Cluster and production
Open	None	T211677 Support IPv6 in beta
Open	None	T404466 Support IPv6-only VMs
Open	None	T392688 Enable IPv6 on Cloud VPS infrastructure services
Resolved	taavi	T379175 Enable IPv6 for the Cloud VPS web proxy
Open	None	T270694 CloudVPS: introduce tenant networks
Resolved	• aborrero	T364725 Migrate Cloud VPS instances to VXLAN based networks
Open	None	T392509 Enable IPv6 for Toolforge services
Resolved	taavi	T392506 Enable IPv6 for tools.wmflabs.org / *.toolserver.org legacy redirector service
Resolved	taavi	T211575 Enable IPv6 on toolforge.org
Open	None	T220306 Add IPv6 monitoring
Resolved	• aborrero	T37947 Enable IPv6 on CloudVPS
Resolved	• aborrero	T380174 CloudVPS: IPv6 in eqiad1
Resolved	cmooney	T380746 dns: add PTR support for 2a02:ec80:a000::

Event Timeline

• aborrero created this task.Nov 25 2024, 2:02 PM

joanna_borun triaged this task as Medium priority.Jan 22 2025, 3:21 PM

taavi moved this task from Unsorted to DNS (Designate + pdns-recursor) on the Cloud-VPS board.Jan 22 2025, 4:15 PM

Change #1113527 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/dns@master] Delegate WMCS Eqiad ranges to OpenStack auth dns

https://gerrit.wikimedia.org/r/1113527

gerritbot added a project: Patch-For-Review.Jan 22 2025, 7:16 PM

I think most of the work here is already done. 2a02:ec80:a000::/48 comes out of parent block 2a02:ec80::/32, which is delegated to the Wikimedia NS servers:

cmooney@wikilap:~$ dig +noall +answer NS 0.8.c.e.2.0.a.2.ip6.arpa. @pri.authdns.ripe.net.
0.8.c.e.2.0.a.2.ip6.arpa. 86316	IN	NS	ns0.wikimedia.org.
0.8.c.e.2.0.a.2.ip6.arpa. 86316	IN	NS	ns2.wikimedia.org.
0.8.c.e.2.0.a.2.ip6.arpa. 86316	IN	NS	ns1.wikimedia.org.

Most records for hosts in the /48 are directly set up on our authdns and reverses are working, for example:

cmooney@wikilap:~$ dig +short -x 2a02:ec80:a000:fe01::2
xe-0-0-0-1102.cloudsw1-c8-eqiad.wikimedia.org.

The two ranges that we have allocated for OpenStack networks do need to be delegated from the Wikimedia prod servers to OpenStack authdns. The above patch should do so. Before we merge it, however, we need to make sure the OpenStack DNS is correctly configured for the zones, returning SOA records. Currently it's not:

2a02:ec80:a000::/56:

cmooney@cumin1002:~$ dig SOA 0.0.0.0.0.a.0.8.c.e.2.0.a.2.ip6.arpa. @ns0.openstack.eqiad1.wikimediacloud.org. 

; <<>> DiG 9.16.50-Debian <<>> SOA 0.0.0.0.0.a.0.8.c.e.2.0.a.2.ip6.arpa. @ns0.openstack.eqiad1.wikimediacloud.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49520
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;0.0.0.0.0.a.0.8.c.e.2.0.a.2.ip6.arpa. IN SOA

;; Query time: 4 msec
;; SERVER: 185.15.56.162#53(185.15.56.162)
;; WHEN: Wed Jan 22 19:06:09 UTC 2025
;; MSG SIZE  rcvd: 65

2a02:ec80:a000:100::/56:

cmooney@cumin1002:~$ dig SOA 1.0.0.0.0.a.0.8.c.e.2.0.a.2.ip6.arpa. @ns0.openstack.eqiad1.wikimediacloud.org. 

; <<>> DiG 9.16.50-Debian <<>> SOA 1.0.0.0.0.a.0.8.c.e.2.0.a.2.ip6.arpa. @ns0.openstack.eqiad1.wikimediacloud.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1376
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.0.0.0.0.a.0.8.c.e.2.0.a.2.ip6.arpa. IN SOA

;; Query time: 4 msec
;; SERVER: 185.15.56.162#53(185.15.56.162)
;; WHEN: Wed Jan 22 19:08:50 UTC 2025
;; MSG SIZE  rcvd: 65

aborrero opened https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/205

eqiad1: cloudinfra: introduce PTR zones for 2a02:ec80:a000::

• aborrero moved this task from Backlog to Doing on the User-aborrero board.Apr 21 2025, 11:46 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/cloud-vps/tofu-infra/-/merge_requests/205

eqiad1: cloudinfra: introduce PTR zones for 2a02:ec80:a000::

The openstack DNS is now returning an SOA for the reverse zone of 2a02:ec80:a000:1::/64

cmooney@cumin1002:~$ dig +noall +answer SOA 1.0.0.0.0.0.0.a.0.8.c.e.2.0.a.2.ip6.arpa. @ns0.openstack.eqiad1.wikimediacloud.org.
1.0.0.0.0.0.0.a.0.8.c.e.2.0.a.2.ip6.arpa. 3600 IN SOA ns1.openstack.eqiad1.wikimediacloud.org. root.wmcloud.org. 1745403537 3511 600 86400 3600

If someone can +1 the below patch I'll merge which should add the delegation on the WMF auth dns side:

https://gerrit.wikimedia.org/r/c/operations/dns/+/1113527

Change #1113527 merged by Cathal Mooney:

[operations/dns@master] Delegate WMCS Eqiad ranges to OpenStack auth dns

https://gerrit.wikimedia.org/r/1113527

Maintenance_bot removed a project: Patch-For-Review.Apr 23 2025, 12:31 PM

taavi closed this task as Resolved.Apr 23 2025, 4:18 PM

taavi assigned this task to cmooney.

Stang unsubscribed.Apr 27 2025, 4:33 AM