[tor-bugs] #31718 [Internal Services/Tor Sysadmin Team]: Update DNS records for .ooni.torproject.org domains
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 17 15:18:01 UTC 2019
#31718: Update DNS records for .ooni.torproject.org domains
-------------------------------------------------+-------------------------
Reporter: hellais | Owner: anarcat
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):
seems to me that just adding the CNAME will not be enough, as there are
many other things to clean up. the main procedure should be:
1. remove `ooni.torproject.org` from `tor-puppet/modules/roles/misc/static-components.yaml`
2. ??? make it go away from auto-services somehow?
3. add the CNAME
Other things to clean up include:
{{{
letsencrypt-domains/domains:46:ooni.torproject.org
tor-nagios/config/nagios-master.cfg:1330: name: mirror static sync - ooni
tor-nagios/config/nagios-master.cfg:1331: check: "dsa_check_staticsync!ooni.torproject.org"
tor-puppet/modules/sudo/files/sudoers:63:%ooni STATICMASTER=(ooni) ALL
tor-puppet/modules/sudo/files/sudoers:95:%ooni STATICMASTER=(mirroradm) NOPASSWD: /usr/local/bin/static-master-update-component ooni.torproject.org, /usr/local/bin/static-update-component ooni.torproject.org
tor-puppet/modules/roles/manifests/static_mirror_web.pp:74: ssl::service { 'ooni.torproject.org': ensure => 'ifstatic', notify => Exec['service apache2 reload'], key => true, }
tor-puppet/modules/roles/manifests/static_mirror_onion.pp:37: 'ooni.torproject.org',
tor-puppet/onions/onionbalance-services.yaml:17: [...]
}}}
I'm particularly concerned about Let's Encrypt - wouldn't adding the CNAME
break the X509 cert, as we would now point to another server?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31718#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online