Recently, Gmail has started to rate-limit deliveries from our
mailing list server, with this message:

    SMTP error from remote mail server after end of data: This mail
    has been rate limited because it is unauthenticated. Gmail
    requires all senders to authenticate with either SPF or DKIM.

According to https://support.google.com/mail/answer/81126 also:

    Starting February 2024, Gmail will require the following for
    senders who send 5,000 or more messages a day to Gmail accounts:
    Authenticate outgoing email, avoid sending unwanted or
    unsolicited email, and make it easy for recipients to
    unsubscribe.

In order not to place undue additional load on our MTA's deferral
queue, adding a neutral SPF rule is nicer than unsubscribing and
blocking all Gmail users. A simple "a" rule should suffice, since we
don't relay through any smarthost currently. Set the TTL to 5
minutes for now, in case we need to make rapid adjustments to this
policy in the near future.
Change-Id: I388de615035156bc277ff1e1b11ac2bc0346cb27
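
What a receiving server computes for the policy this commit describes, as an added example that is not part of the commit or the repository: a minimal evaluator for the bare `a` and `all` mechanisms of RFC 7208. The domain `lists.example.org`, the addresses and the record text `v=spf1 a ?all` are constructed assumptions; the commit does not show the actual record.

```python
import ipaddress

# Constructed DNS data (documentation address ranges) standing in for real lookups.
DNS = {
    ("lists.example.org", "A"): ["203.0.113.25"],
    ("lists.example.org", "AAAA"): ["2001:db8::25"],
    ("lists.example.org", "TXT"): ["v=spf1 a ?all"],  # assumed record text
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=DNS):
    """Evaluate an SPF record that uses only bare 'a' and 'all' terms."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in dns.get((domain, "TXT"), [])
               if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"       # no SPF record published for the domain
    if len(records) > 1:
        return "permerror"  # RFC 7208: more than one SPF record is an error
    for term in records[0].split()[1:]:
        # A missing qualifier means "+" (pass).
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech != "a":
            raise ValueError(f"term {term!r} is outside this example's subset")
        # 'a' matches when the connecting IP is one of the domain's own addresses.
        rtype = "A" if ip.version == 4 else "AAAA"
        addrs = dns.get((domain, rtype), [])
        if any(ip == ipaddress.ip_address(a) for a in addrs):
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches


if __name__ == "__main__":
    for addr in ("203.0.113.25", "2001:db8::25", "198.51.100.7"):
        print(addr, check_spf("lists.example.org", addr))
```

Mail sent directly from the host's own address evaluates to `pass`, while the same mail handed to a relay at another address only reaches `neutral`, which is why the "a" rule depends on not using a smarthost.
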
These have been replaced with the Jammy refresh servers. This should
be done after the registry is updated to point to the new servers.
Change-Id: I3d10f8d0fb43ffa91efaa91107d3bbde93d642fa
Add the Jammy refresh nameservers to the NS records. This should be
done before updating the registry records.
Change-Id: Ia720cbe3cbca9fe7100bebbf9a3aff489c295b9d
We did this for opendev.org's zonefile a while back and I mistakenly
assumed it had been done for other zones. Let's keep them in sync as a
longer TTL is kinder to servers and clients.
Change-Id: Idbcfa1cfc7f8567832788c62f1d82051bf5dc595
This is cleanup for the previous change. We should only land it once we
are happy with the new server serving things.
Change-Id: I794c96f8590a844764311049899cf4b4be49f845
For records that can be CNAMEs we convert from A/AAAA records to CNAME
records to static.opendev.org. This will cut down on future updates
needed as we can simply update that CNAME in the future. For the @
records CNAMEs are not allowed forcing us to update the A/AAAA records
to point to the new IP addresses. I've also lowered the TTLs on the
A/AAAA records in case we need to revert.
I did not lower the TTLs on the CNAME records because we can simply
change the CNAME which has a small TTL for those records instead.
Depends-On: https://review.opendev.org/c/opendev/zone-opendev.org/+/879780
Change-Id: I82772e4bc8c742cc32febb11e3f2ac77ea8fffff
Now that we're comfortable we don't need to make any further urgent
changes, clean up the temporary TTL override.
Change-Id: Ib83e06f0f4fede35f2338ba11142ae55a90c4cc7
With the import work complete, repoint DNS to the new server so that
deliveries will resume normally.
Change-Id: Iad42f7b5a0a898b24ee5e21b3d42a1613f50855d
This is a cheap hack to get incoming messages for lists.zuul-ci.org
to sit in senders' deferral queues while we're working on moving its
mailing lists to the new server. The firewall rules for
review02.opendev.org are set up to reject connections on 25/tcp,
which causes connecting MTAs to wait and try again after some period
of time. Once we update the records to match the new server instead,
any queued deliveries should arrive normally.
Change-Id: Ida33de7cbfc2c17ea0ef3e4ba736ad86640f11ad
Maintenance is coming up in a few hours, during which lists will
have its DNS records changed at least a couple of times, so lower
the TTL on those in advance in order to facilitate faster global
updates.
Change-Id: I3befc7c09e76dd46af80aa6bb4b996d877eb6e3f
We shut down files02.openstack.org which was the old host. Point this
at static.opendev.org that has replaced it.
Change-Id: I6accdaa25965bec5e04410cc617108ef744f051b
Story: #2006598
This is currently a CNAME for git.openstack.org, which is a CNAME to
static.opendev.org anyway, which then runs the redirect rules to
opendev gitea. Cut out a layer and just point it at
static.opendev.org directly.
Change-Id: I71b18c3e5f56378daf050cb98d0e91fbd3435f2e
We should use only tabs in the zonefile for consistency (it shouldn't
break anything, but that's the custom).
Change-Id: I6a3f407c90350079323d8f830f68404c7c8a2dbf
This job uses the new validate-zone-db job in the dependent change to
run named-checkconfig over the zone.db files.
Depends-On: https://review.opendev.org/661138
Change-Id: I0853a59d1b7ec46d821d3034841a2eee3c1562ea
To work around lack of whois contact these days, we're stuck using
either HTTP or DNS based domain validation for X.509 certificate
renewals. This record is temporary and will be removed as soon as
the renewed certificate is received.
Change-Id: I174409fc9df0339086ccc56162ccc99310cea6b8
In an effort to thwart egregious typosquatting, host a zuulci.org
domain which will serve as an alias for the canonical zuul-ci.org.
Change-Id: Ic26f4728024839b0b2e978368cca96e463c98c18
Zuul no longer requires the project-name for in-repo configuration.
Omitting it makes forking or renaming projects easier.
Change-Id: I08749ff82a1494585a55d084935bad435d45ae91
Add records pointing to files02.openstack.org for zuul-ci.org and
www.zuul-ci.org.
We could make the www records a CNAME, but we can't do so for the
zone itself, because CNAME can't be used with other record types
and the zone must also carry SOA and NS records.
Change-Id: Ia7d2257876e636042b12f9f87c82772fbdb3abc3
The serial number for the zuul-ci.org zone was manually increased to
1515959169 for the purposes of manually testing zone reloading and
automated signing. This change merely catches the Git repository up
with the current state of that file in production.
Change-Id: Ibda4fd19245ebc3cfca92bb22eaf7be9c01e69ab
Mail hosts may not be the target of CNAMEs. We could use an MX,
but we still need A records for the web site, so just use those.
Change-Id: Icf95451f3c9abec17cdbe6bab3a0bda6b422fa2c
The .org registry doesn't seem happy to have ns1.openstack.org as
NS servers for this domain. Since we're planning to create a
"neutrally branded" domain for our infrastructure hosting, rather
than track down that problem, let's just self-host zuul-ci.org for
now, and we'll move nameservers to the new domain when ready.
These NS records have been added to the registry as glue records.
Change-Id: Ia838de9faa9281be1ab2f4309b70cbe2befca4b9