berkeleylug:digital_resources [2019-03-29T07:31:30+0000] michael_paoli updated DNS for redirector (should be fully effective within an hour) |
berkeleylug:digital_resources [2019-03-29T14:13:04+0000] michael_paoli various updated information (mostly) on DNS & certs |
Line 8: | Line 8: | ||
DNS: | DNS: | ||
- | $ TZ=GMT0 date -Iseconds && (for d in berkeleylug.com. berkeleylug.org.; do NS=$(dig +short "$d" NS | sort -R | head -n 1); n=$(dig +short "$NS" A "$NS" AAAA | sort -R | head -n 1); for s in '' '*.' calendar. docs. mail. sites. temp. www.; do for t in A AAAA CNAME SOA NS MX TXT SPF ANY; do dig @"$n" +norecurse +noall +answer "$s$d" "$t"; done; done; done) | grep '^[^ ]*[Bb][Ee][Rr][Kk][Ee][Ll][Ee][Yy][Ll][Uu][Gg]\.' | sort -u | + | $ TZ=GMT0 date -Iseconds && (dig @ns0.berkeleylug.org. +noall +norecurse +answer berkeleylug.org. AXFR; for d in berkeleylug.com. ; do NS=$(dig +short "$d" NS | sort -R | head -n 1); n=$(dig +short "$NS" A "$NS" AAAA | sort -R | head -n 1); for s in '' '*.' calendar. docs. mail. sites. temp. www.; do for t in A AAAA CAA CNAME SOA NS MX TXT SPF ANY; do dig @"$n" +norecurse +noall +answer "$s$d" "$t"; done; done; done) | grep '^[^ ]*[Bb][Ee][Rr][Kk][Ee][Ll][Ee][Yy][Ll][Uu][Gg]\.' | sort -u |
- | 2019-03-29T07:27:36+00:00 | + | 2019-03-29T13:42:45+00:00 |
*.berkeleylug.com. 14400 IN CNAME berkeleylug.com. | *.berkeleylug.com. 14400 IN CNAME berkeleylug.com. | ||
berkeleylug.com. 14400 IN MX 10 aspmx.l.google.com. | berkeleylug.com. 14400 IN MX 10 aspmx.l.google.com. | ||
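Review bot: the new AXFR against ns0.berkeleylug.org. fails silently if that server does not permit a transfer to the querying client: dig's "; Transfer failed." line starts with a semicolon and never matches the `grep '^[^ ]*[Bb][Ee]...'` filter, so the .org records would just be absent from the listing with no indication why. Either check dig's exit status or keep the per-type query loop for berkeleylug.org. as a fallback; the per-type loop was only dropped for .org, and the .com side still depends on the hardcoded `'' '*.' calendar. docs. mail. sites. temp. www.` label list, so any .com label not in that list stays invisible to this check. Adding CAA to the type list is the right companion to the CAA records now published for the .org zone.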
Line 23: | Line 23: | ||
berkeleylug.com. 300 IN A 192.0.78.24 | berkeleylug.com. 300 IN A 192.0.78.24 | ||
berkeleylug.com. 300 IN A 192.0.78.25 | berkeleylug.com. 300 IN A 192.0.78.25 | ||
- | berkeleylug.org. 21600 IN NS ns-cloud-b1.googledomains.com. | + | berkeleylug.org. 172800 IN NS ns0.berkeleylug.org. |
- | berkeleylug.org. 21600 IN NS ns-cloud-b2.googledomains.com. | + | berkeleylug.org. 172800 IN NS puck.nether.net. |
- | berkeleylug.org. 21600 IN NS ns-cloud-b3.googledomains.com. | + | berkeleylug.org. 172800 IN SOA ns0.berkeleylug.org. Michael\.Paoli.cal.berkeley.edu.berkeleylug.org. 1553849364 10800 3600 1209600 86400 |
- | berkeleylug.org. 21600 IN NS ns-cloud-b4.googledomains.com. | + | |
- | berkeleylug.org. 21600 IN SOA ns-cloud-b1.googledomains.com. dns-admin.google.com. 15 21600 3600 1209600 300 | + | |
berkeleylug.org. 3600 IN A 198.144.194.238 | berkeleylug.org. 3600 IN A 198.144.194.238 | ||
berkeleylug.org. 3600 IN AAAA 2001:470:1f05:19e::4 | berkeleylug.org. 3600 IN AAAA 2001:470:1f05:19e::4 | ||
+ | berkeleylug.org. 86400 IN CAA 0 iodef "mailto:Michael.Paoli@cal.berkeley.edu" | ||
+ | berkeleylug.org. 86400 IN CAA 128 issue "letsencrypt.org" | ||
+ | berkeleylug.org. 86400 IN CAA 128 issuewild "letsencrypt.org" | ||
+ | berkeleylug.org. 86400 IN SPF "v=spf1 -all" | ||
+ | berkeleylug.org. 86400 IN TXT "v=spf1 -all" | ||
calendar.berkeleylug.com. 3600 IN CNAME ghs.googlehosted.com. | calendar.berkeleylug.com. 3600 IN CNAME ghs.googlehosted.com. | ||
docs.berkeleylug.com. 3600 IN CNAME ghs.googlehosted.com. | docs.berkeleylug.com. 3600 IN CNAME ghs.googlehosted.com. | ||
mail.berkeleylug.com. 3600 IN CNAME ghs.googlehosted.com. | mail.berkeleylug.com. 3600 IN CNAME ghs.googlehosted.com. | ||
+ | ns0.berkeleylug.org. 172800 IN A 198.144.194.238 | ||
+ | ns0.berkeleylug.org. 172800 IN AAAA 2001:470:1f05:19e::4 | ||
sites.berkeleylug.com. 3600 IN CNAME ghs.googlehosted.com. | sites.berkeleylug.com. 3600 IN CNAME ghs.googlehosted.com. | ||
temp.berkeleylug.com. 300 IN A 198.144.194.238 | temp.berkeleylug.com. 300 IN A 198.144.194.238 | ||
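Review bot: the SOA RNAME `Michael\.Paoli.cal.berkeley.edu.berkeleylug.org.` decodes to Michael.Paoli@cal.berkeley.edu.berkeleylug.org, which looks like a missing trailing dot on the RNAME in the zone file (the origin got appended); the CAA iodef record on the same host, `mailto:Michael.Paoli@cal.berkeley.edu`, shows the intended mailbox. Two smaller points: the CAA records appear only for berkeleylug.org., so if issuance for berkeleylug.com. is meant to be restricted to letsencrypt.org as well, that zone needs its own CAA records (the listing command now queries CAA for .com, which makes their absence easy to spot); and ns0.berkeleylug.org. carries the same A/AAAA as berkeleylug.org. itself, so the authoritative nameserver and the web host are one machine, with puck.nether.net. as the only off-host secondary.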
Line 41: | Line 46: | ||
$ | $ | ||
- | .org not primary: | + | .org not primary, redirector in place: |
- | $ curl -s -I http://berkeleylug.org/ | sed -ne '/^HTTP/p;/^[Ll]ocation:/p' | + | $ (for protocol_port in 'http 80' 'https 443'; do set -- $protocol_port; protocol="$1"; port="$2"; for host in www.berkeleylug.org berkeleylug.org; do for path in '' / /// /foo/bar/baz; do t="$protocol://$host$path"; echo "$t"; curl -s -I "$t" | grep -e '^HTTP/' -e '^[Ll]ocation: '; done; done done) |
- | HTTP/1.1 301 Moved Permanently | + | |
- | Location: http://berkeleylug.com/ | + | |
- | $ curl -s -I http://www.berkeleylug.org/ | sed -ne '/^HTTP/p;/^[Ll]ocation:/p' | + | |
- | HTTP/1.1 301 Moved Permanently | + | |
- | Location: http://berkeleylug.com/ | + | |
- | $ curl -s -I https://berkeleylug.org/ | sed -ne '/^HTTP/p;/^[Ll]ocation:/p' | + | |
- | HTTP/2 301 | + | |
- | location: http://berkeleylug.com/ | + | |
- | $ curl -s -I https://www.berkeleylug.org/ | sed -ne '/^HTTP/p;/^[Ll]ocation:/p' | + | |
- | HTTP/2 301 | + | |
- | location: http://berkeleylug.com/ | + | |
- | $ | + | |
- | @berkeleylug.org does not accept email (no MX, A/AAAA times out on TCP port 25 even from known good email sender IP) | + | |
- | + | ||
- | ------------------------------------------------------------------------ | + | |
- | [www.]berkeleylug.org - set up redirector - but still need to repoint DNS: | + | |
- | $ (for protocol_port in 'http 80' 'https 443'; do set -- $protocol_port; protocol="$1"; port="$2"; for host in www.berkeleylug.org berkeleylug.org; do for path in '' / /// /foo/bar/baz; do t="$protocol://$host$path"; echo "$t"; curl -s -I --resolve "$host":"$port":198.144.194.238 "$t" | grep -e '^HTTP/' -e '^Location: '; done; done done) | + | |
http://www.berkeleylug.org | http://www.berkeleylug.org | ||
HTTP/1.1 301 Moved Permanently | HTTP/1.1 301 Moved Permanently | ||
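Review bot: `port="$2"` in the new redirector loop is now dead: the `--resolve "$host":"$port":198.144.194.238` pin was removed once DNS was repointed, so nothing reads `$port` any more; either drop the `'http 80' 'https 443'` pairs down to plain protocol names or keep the pinned variant around for testing a replacement host before cutover. Changing the header match from `'^Location: '` to `'^[Ll]ocation: '` is correct, since HTTP/2 responses (the removed `HTTP/2 301` / `location:` lines) lowercase header names.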
Line 109: | Line 97: | ||
Location: https://berkeleylug.com/foo/bar/baz | Location: https://berkeleylug.com/foo/bar/baz | ||
$ | $ | ||
- | ------------------------------------------------------------------------ | + | @berkeleylug.org neither accepts nor sends email (no MX, A/AAAA on TCP port 25 rejects connection or rejects SMTP attempts to domain, SPF - none sends, hard fail all: |
+ | berkeleylug.org. IN SPF "v=spf1 -all" | ||
+ | berkeleylug.org. IN TXT "v=spf1 -all" | ||
+ | ) | ||
canonical/primary is: https://berkeleylug.com/ | canonical/primary is: https://berkeleylug.com/ | ||
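Review bot: the no-mail statement relies on port 25 rejecting connections; with no MX published, senders fall back to the A/AAAA of berkeleylug.org. for delivery attempts, and a null MX (`MX 0 .`, RFC 7505) would state the no-mail policy explicitly at the DNS layer instead of leaving it to the listener. On the two records quoted here, the SPF RR type (type 99) was deprecated by RFC 7208 and receivers consult the TXT copy, so the `IN SPF` line can be dropped; keeping the two in sync is otherwise just one more thing to maintain.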
Line 126: | Line 117: | ||
TLS(/"SSL") - Web - handful of (separate) Web certs only*: | TLS(/"SSL") - Web - handful of (separate) Web certs only*: | ||
- | $ nmap -Pn -r -sT -p 443 --script=ssl-cert berkeleylug.com calendar.berkeleylug.com docs.berkeleylug.com mail.berkeleylug.com sites.berkeleylug.com www.berkeleylug.com berkeleylug.org www.berkeleylug.org | perl -e 'while(<>){print if /Not valid after: /o; if(/^\| Subject Alternative Name: /){chomp; s/DNS:(?:(?i)(?![^, ]*berkeleylug\.))[^, ]+(?:, |$)//go; s/, ?$//o; print "$_\n";};};' | + | $ nmap -Pn -r -sT -p 443 --script=ssl-cert berkeleylug.com calendar.berkeleylug.com docs.berkeleylug.com mail.berkeleylug.com sites.berkeleylug.com www.berkeleylug.com perl -e 'while(<>){print if /Not valid after: /o; if(/^\| Subject Alternative Name: /){chomp; s/DNS:(?:(?i)(?![^, ]*berkeleylug\.))[^, ]+(?:, |$)//go; s/, ?$//o; print "$_\n";};};' |
| Subject Alternative Name: DNS:berkeleylug.com | | Subject Alternative Name: DNS:berkeleylug.com | ||
| Not valid after: 2019-04-28T02:29:40 | | Not valid after: 2019-04-28T02:29:40 | ||
| Subject Alternative Name: DNS:www.berkeleylug.com | | Subject Alternative Name: DNS:www.berkeleylug.com | ||
| Not valid after: 2019-06-01T14:37:18 | | Not valid after: 2019-06-01T14:37:18 | ||
- | | Subject Alternative Name: DNS:berkeleylug.org | ||
- | | Not valid after: 2019-06-03T05:26:39 | ||
- | | Subject Alternative Name: DNS:www.berkeleylug.org | ||
- | | Not valid after: 2019-06-03T05:22:56 | ||
$ | $ | ||
*ignoring domains that WordPress.com lumps in there that aren't at all BerkeleyLUG | *ignoring domains that WordPress.com lumps in there that aren't at all BerkeleyLUG | ||
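Review bot: the `|` between the nmap command and `perl -e '...'` was lost along with the two .org hostnames, so on the new right-hand line `perl`, `-e` and the script text become nmap arguments rather than a filter (nmap has its own `-e <iface>` option, so this would not just add an unresolvable target); restore `www.berkeleylug.com | perl -e '...'`. Removing berkeleylug.org and www.berkeleylug.org from this WordPress.com-oriented check is consistent with those names now being served from 198.144.194.238 with the separate cert shown further down.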
Line 140: | Line 127: | ||
######################################################################## | ######################################################################## | ||
various bits to test on temp.berkeleylug.com - to presumably later be | various bits to test on temp.berkeleylug.com - to presumably later be | ||
- | berkeleylug.com | + | berkeleylug.com, cert also for [www.]berkeleylug.org |
Created key and obtained (non-Google) CA signed cert also covering: | Created key and obtained (non-Google) CA signed cert also covering: | ||
*.berkeleylug.com,berkeleylug.com,*.berkeleylug.org,berkeleylug.org expires: 2019-06-07T02:07:58Z | *.berkeleylug.com,berkeleylug.com,*.berkeleylug.org,berkeleylug.org expires: 2019-06-07T02:07:58Z | ||
- | $ dig +noall +answer +nottl temp.berkeleylug.com. A temp.berkeleylug.com. AAAA | ||
- | temp.berkeleylug.com. IN A 198.144.194.238 | ||
- | temp.berkeleylug.com. IN AAAA 2001:470:1f05:19e::4 | ||
- | $ </dev/null openssl s_client -servername temp.berkeleylug.com -starttls smtp -connect 198.144.194.238:25 2>>/dev/null | sed -ne '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' | openssl x509 -text -noout | sed -ne '/Not After : /p;/Subject Alternative Name:/{N;p;q;}' | ||
- | Not After : May 22 11:41:24 2019 GMT | ||
- | X509v3 Subject Alternative Name: | ||
- | DNS:*.balug.org, DNS:*.lists.balug.org, DNS:balug.org | ||
- | $ | ||
... install the newer cert for SMTP (will likely end up needed for at | ... install the newer cert for SMTP (will likely end up needed for at | ||
least postmaster@berkeleylug.com, for WordPress site to, e.g. send | least postmaster@berkeleylug.com, for WordPress site to, e.g. send | ||
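Review bot: removing the `openssl s_client ... -starttls smtp -connect 198.144.194.238:25` check leaves "... install the newer cert for SMTP" without the evidence that motivated it (the removed output showed the SMTP listener presenting a cert with only balug.org names, Not After May 22 2019); if the SMTP cert has since been replaced, say so next to the note, otherwise keep the check output so the pending item remains verifiable. The added "cert also for [www.]berkeleylug.org" line matches the SAN list `*.berkeleylug.org,berkeleylug.org` on the following line.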
Line 171: | Line 150: | ||
DNS:*.balug.org, DNS:*.berkeleylug.com, DNS:*.berkeleylug.org, DNS:*.lists.balug.org, DNS:balug.org, DNS:berkeleylug.com, DNS:berkeleylug.org | DNS:*.balug.org, DNS:*.berkeleylug.com, DNS:*.berkeleylug.org, DNS:*.lists.balug.org, DNS:balug.org, DNS:berkeleylug.com, DNS:berkeleylug.org | ||
$ | $ | ||
+ | Also installed on https://[www.]berkeleylug.org/: | ||
+ | $ (TZ=GMT0 export TZ; hosts='www.berkeleylug.org berkeleylug.org'; { nmap -Pn -r -sT -p 443 --script=ssl-cert $hosts; nmap -6 -Pn -r -sT -p 443 --script=ssl-cert $hosts; } | grep -e '^Nmap scan report for ' -e '^PORT ' -e '^[0-9]*/tcp open' -e '^| Subject Alternative Name: ' -e '^| Not valid after: ') | ||
+ | Nmap scan report for www.berkeleylug.org (198.144.194.238) | ||
+ | PORT STATE SERVICE | ||
+ | 443/tcp open https | ||
+ | | Subject Alternative Name: DNS:*.balug.org, DNS:*.berkeleylug.com, DNS:*.berkeleylug.org, DNS:*.lists.balug.org, DNS:balug.org, DNS:berkeleylug.com, DNS:berkeleylug.org | ||
+ | | Not valid after: 2019-06-07T02:07:58 | ||
+ | Nmap scan report for berkeleylug.org (198.144.194.238) | ||
+ | PORT STATE SERVICE | ||
+ | 443/tcp open https | ||
+ | | Subject Alternative Name: DNS:*.balug.org, DNS:*.berkeleylug.com, DNS:*.berkeleylug.org, DNS:*.lists.balug.org, DNS:balug.org, DNS:berkeleylug.com, DNS:berkeleylug.org | ||
+ | | Not valid after: 2019-06-07T02:07:58 | ||
+ | Nmap scan report for www.berkeleylug.org (2001:470:1f05:19e::4) | ||
+ | PORT STATE SERVICE | ||
+ | 443/tcp open https | ||
+ | | Subject Alternative Name: DNS:*.balug.org, DNS:*.berkeleylug.com, DNS:*.berkeleylug.org, DNS:*.lists.balug.org, DNS:balug.org, DNS:berkeleylug.com, DNS:berkeleylug.org | ||
+ | | Not valid after: 2019-06-07T02:07:58 | ||
+ | Nmap scan report for berkeleylug.org (2001:470:1f05:19e::4) | ||
+ | PORT STATE SERVICE | ||
+ | 443/tcp open https | ||
+ | | Subject Alternative Name: DNS:*.balug.org, DNS:*.berkeleylug.com, DNS:*.berkeleylug.org, DNS:*.lists.balug.org, DNS:balug.org, DNS:berkeleylug.com, DNS:berkeleylug.org | ||
+ | | Not valid after: 2019-06-07T02:07:58 | ||
+ | $ | ||
######################################################################## | ######################################################################## | ||
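Review bot: the grep in the new nmap check matches `'^[0-9]*/tcp open'` only, so a closed or filtered 443 on either address family would show just the "Nmap scan report for" header with no port line and no cert lines, which is easy to misread as success; matching `'^[0-9]*/tcp '` instead keeps closed/filtered states visible. Running the scan twice, once with `-6`, is the right way to confirm the same cert is served on 198.144.194.238 and 2001:470:1f05:19e::4, and exporting `TZ=GMT0` keeps the "Not valid after: 2019-06-07T02:07:58" values comparable with the UTC expiry noted above. Four identical report blocks could be reduced to a `sort -u` over the cert lines if the per-address detail is not needed.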