Update dns docs after migrating master into space

THe DNS master has been moved into the space for all IT-Syndikat
zones, which are, as of now, also DNSSEC signed.

Signed-off-by: Wachtl Enterprises LLC <tyrolyean@escpe.net>

cloud/hannibass.md

@@ -24,6 +24,12 @@ The firewall is configured to allow all outbound traffic, and deny all inbound
 traffic. If you want to allow inbound IPv6 for your service, use the subnet it
 is in as a general direction, and specify closer inside the firewall on sozial.
 
+## DNS
+
+Hannibass is the recursor for all queries originating from the space, as well as
+one of our authoritative NSes. See the
+[DNS master docs](../space/srv-acraze/dns.md) for further details.
+
 # History
 
 This vps replaces the previous BGP routed subnet entirely. The original idea of

cloud/srv.md

@@ -22,15 +22,9 @@ this tunnel. The tunnel interface has a record at `srv.srv.it-syndikat.org`.
 
 ## DNS
 
-The server also serves the function of NS0.IT-SYNDIKAT.ORG. The server is 
-running a [Knot](https://www.knot-dns.cz/) authoritative DNS server, with config
-in `/etc/knot/` and zone files in `/var/lib/knot`.
-
-To add a dns record, add it to the zone file in `/var/lib/knot` 
-(don't forget to increment the serial, otherwise it **will** fail to transfer to
-the slave servers, current convention is date followed by a daily counter).
-
-Afterwards restart the systemd knot unit.
+Hannibass is the recursor for all queries originating from the space, as well as
+one of our authoritative NSes. See the
+[DNS master docs](../space/srv-acraze/dns.md) for further details.
 
 ## mail server
 
@@ -52,7 +46,7 @@ snid proxy setup we previously had.
 
 If you would like to add a service which connects inbound via http/s, please
 add it to the haproxy config at `/etc/haproxy/haproxy.cfg`. Check wether the
-configuration is valid using the 
+configuration is valid using the
 `sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg` command.
 
 ## NGINX
@@ -74,4 +68,3 @@ handle the "spaceping".
 
 This service produces a hard dependency on php and php-fpm. Please don't remove
 those.
-

space/srv-acraze/dns.md

@@ -1,8 +1,8 @@
-% IT-Syndikat local dns master
+% IT-Syndikat DNS Master
 
 # About
 
-Luude is the local DNS server. It handles both recursion and is a authoritative
+velcros is the local DNS server. It handles both recursion and is a authoritative
 domain server. Access to recursion is restricted using ACLs.
 
 # Maintainers
@@ -15,25 +15,48 @@ Current Maintainers:
 
 ## Software
 
-Software running is the bind9 domain name server bundled with the Rocky Linux
-distribution.
+The box itself is an ArchLinux installation due to bind receiving a lot of new
+features regarding DoT and DoH lately, which have not been backported to any
+majour distributions as of right now. It acts as recursor for all traffic from
+space subnets as layed out in the [IP-Address Plan](../router.md), and as
+master and dnssec signer for all IT-Syndikat zones.
 
 ## Zones
 
-This server is master for the zones `srv.it-syndikat.org`, 
-`asozial.it-syndikat.org` and `cuco`. The former two zones are globally 
-resolvable whilest latter is not. Zones follow a mostly RFC conform 
-serial variant which is a simple incremental counter. This may be changed 
-later to a date based format.
+The server is master for all zones the IT-Syndikat has, and transfers them to
+our secondary and tertiary NS, namely `hannibass` and `srv`. `it-syndikat.org`,
+`it-syndik.at` and `openbdsm.org` are all served from here. Serials for root
+zones are currently in the RFC-recommended date based format, Third level
+domains however, such as `asozial.it-syndikat.org` and `srv.it-syndikat.org` are
+increment based, because they can exceed 99 updates a day, meaning they would
+wander of into the future, making the date confusing instead of helpfull.
+
+The `.cuco` TLD for the cunst subnet is also served on here.
 
 ### Configuration
 
 Configuration file is `/etc/named.conf`. The master zone files are located in
-`/var/lib/named/`. If you want to edit a zone file, first freeze them with
+`/var/named/zones/`. If you want to edit a zone file, first freeze them with
 `rndc freeze <domain>`, then edit the file, and unfreeze with `rndc thaw`.
+Root zones may be static, meaning there is no need to freeze them. In that case,
+you can get bind to reload the zone file using the `rndc reload <domain>`
+command.
 
 ### Zone transfers
 
-Zone transfers happen over IPv6, and authentication is IP-Address based. The
-space local zone has DNSSEC zone signing enabled. DNSSEC key delegation has not 
-been configured fot the it-syndikat.org domain.
+Zones are transferred to the slaves over wireguard tunnels, which, as they are
+all dnssec-signed, makes encrypted and further signed domain transfers less of
+an issue. Therefore slave binds only look at the source IP wether an inbound
+notify is valid.
+
+### DNSSEC
+
+DNSSEC is a mechanism inside the DNS to cryptographically verify responses
+served. It does not encrypt DNS traffic, nor does it anonymize it. DNSSECs only
+purpose is for the recursor to be able to trust the response it gathers. All our
+zones are signed and the KSKs are delegated to us from the TLD NSes.
+
+Bind automatically manages DNSSEC keys and key rollovers using it's builtin
+`dnssec-policy`. Our current ed25519 based policy consists of a KSK which never
+expires and delegates the authority to the ZSK, which handles zone signing and
+is replaced every 60 days.