Diffstat (limited to '_drafts/migrating-dns-servers.md')
-rw-r--r-- _drafts/migrating-dns-servers.md | 87
1 files changed, 67 insertions, 20 deletions
diff --git a/_drafts/migrating-dns-servers.md b/_drafts/migrating-dns-servers.md
index 20916c0..26b69e4 100644
--- a/_drafts/migrating-dns-servers.md
+++ b/_drafts/migrating-dns-servers.md
@@ -6,6 +6,8 @@ lang: en
categories: tech
---
+### Preface
+
[As I posted on Mastodon](https://furry.engineer/@uvok/113780013806190576),
* the DNS registrar (where you register the domain at),
@@ -16,32 +18,75 @@ categories: tech
can be three different entities / providers, even though for most beginner
projects these are the same.
-I migrated my domain over to [INWX](https://www.inwx.de/en). Quite some while
-ago, actually (iirc I bought it at a different registrar even further back).
-However, their web interface for editing records is a bit clunky. And while they
-do provide an API, it's a bit awkward (XML based, and yes, there are ready-made
-packages for various programming languages). [1]
+I either bought or migrated my domain over to [INWX](https://www.inwx.de/en)
+quite some while ago. However, their web interface for editing records is a bit
+clunky. And while they do provide an API, it's a bit awkward (XML based, and
+yes, there are ready-made packages for various programming languages). [1]
With [DN42](https://blog.uvokchee.de/dn42.html), I already used
[PowerDNS](https://doc.powerdns.com/authoritative/) a lot. I actually just use
-edit-zone and edit the zone [2] in an editor, that's my preferred way.
+edit-zone and edit the zone[2] in an editor, that's my preferred way. Definitely
+preferred to some web interface. It would be nice to do this to my main domains
+as well. Also, this is another nice "have a technical task to procrastinate
+other stuff" thing ;3. Well, I like playing with tech. This is by no means
+essential.
+
+### Glossary
+
+Quick and dirty glossary, for the purpose of reading this article. It's not
+100% accurate and complete, but should be enough to understand the article.
+
+* **Domain Name**: Basically "the name of the website in the address bar" (e.g.
+ "blog.uvokchee.de").
+* **DNS**: The "Domain Name System". Very simplified, translates domain names
+ to IP addresses (which computers use to connect to each other).
+* **TLD**: Top-Level Domain. It's "the last part of the domain name" (e.g.
+ ".de").
+* **Registry**: These run the TLDs.
+* **Registrar**: These sell you domain names from the registries. As an "end
+ user", you can't talk to a registry yourself.
+* **DNSSEC**: DNS is a plain-text, insecure protocol, from way back when the
+ internet consistent of a handful of trustworthy people. DNSSEC tries to
+ prevent malicious parties from sending wrong information in response to DNS
+ requests by signing the responses with a cryptographic key, of which the
+ public part is stored in the registry.
+* **NSEC(3)**: Basically signs "negative replies", i.e. "this domain does not
+ exist". If not present, malicious parties could send back replies to sites
+ they don't want to be reachable as "doesn't exist" all the time.
+* **TTL**: Time To Live. The time (in seconds) a reply to a DNS request may be
+ cached by a server. For example, a TTL of 3600 seconds means that a DNS
+ server can cache a record for 1 hour before checking with the authoritative
+ server again.
+* **Authoritative Server:** The DNS server that holds the official and most
+ up-to-date records for a specific domain.
+* **Bogus reply**: A reply with invalid signature, either because it has been
+ tampered with, or because of misconfiguration.
+* **Zone**: A zone file contains all the DNS records for a specific domain.
+* **AXFR**: A request type for a Domain zone transfer.
+* **Domain Zone Transfer**: The process of copying the contents of a zone from
+ one DNS server to another.
+
+### Migration and DNSSEC
So, why not migrate my domain over to my PowerDNS setup? Well, I want some
availability, and I don't trust myself enough not to fuck things up. When my
server is shut down, DNS requests should still be answered. But hey, that's
-where secondaries come in! So, I manage the zone, and let another provider
-mirror its contents.
+where secondaries come in! So, I manage the zone on my server, as primary, and
+let another provider mirror its contents. These will actually serve the zone.
-Now, only… there's the "problem" of DNSSEC. In conjunction with the DNS
-propagation time and TTLs. If I simply set the nameservers (in the de. zone) to
+Now, only… there's the "problem" of DNSSEC, in conjunction with the DNS
+propagation time and TTLs. If I simply set the nameservers (in the de zone) to
a newly created zone by PowerDNS, the DNSSEC keys will be either not present,
or different. I can't set *additional* keys at INWX easily, I can only switch
to manual keys (by switching off DNSSEC first). Which would lead to a downtime
of up to one day, because people requesting records from my domain (such as
-myself) would receive "bogus replies" (invalid signature).
+myself) would receive bogus replies in that time.
+
+### Steps for migration
-But, I think I found a solution for that. This is my plan, for the registrar
-INWX.
+But, I think I found a solution for that. This is my plan, which for the
+registrar INWX and my uvokchee.de domain. The process might be different for
+other TLDs and other registrars.
1. Download the zone data from the INWX web interface
1. Create the zone in PowerDNS and set various settings
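Review bot: the DNSSEC glossary entry should name the DS record, since the "Migration and DNSSEC" section depends on it: the registry does not store the public key itself but a DS record (a hash of the key-signing key) in the parent zone, and a mismatch between that DS record and the DNSKEY served by the new primary is precisely what produces the bogus replies described below. Two typos in the added lines: "the internet consistent of a handful" should be "consisted of", and "This is my plan, which for the registrar INWX" has a stray "which". The NSEC(3) entry could also mention that NSEC3 is the hashed variant whose parameters live in the NSEC3PARAM record, because that record is referenced without explanation in the later migration steps.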
@@ -65,7 +110,7 @@ INWX.
add the zone as secondary myself, because the web interface requires the
nameservers in the parent zone (?) already to be set to HE, but I wanted a
zero-downtime migration.
-1. Wait for the DNS provider to AXFR. [3]
+1. Wait for the DNS provider to AXFR.
1. (optional) check with [dnsviz](https://dnsviz.net/) whether you get any
errors. You should set the nameserver on the "Analyze" tab, and then set the
"Additional trusted keys:" to what `dig example.com DNSKEY` tells you. At
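Review bot: the dnsviz step takes "Additional trusted keys" from `dig example.com DNSKEY`, but without an `@<nameserver>` argument dig asks the local recursive resolver, which during the migration window may still hand back cached DNSKEY records from the old provider; suggest querying one of the new secondaries directly (e.g. `dig @<one of the nsx.he.net servers> example.com DNSKEY`) so the keys pasted into dnsviz are the ones the new servers actually serve. Dropping the "[3]" reference here is consistent with the footnote removal in the last hunk.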
@@ -76,7 +121,8 @@ INWX.
1. Try to set the new nameservers (nsx.he.net) in the registry (e.h. DENIC) via
the INWX web interface ("external nameservers").
1. Receive an "UPDATE FAILED". Read the error message. Realize you fucked up.
- You need to set the new nameservers within your own zone first.
+ You need to set the new nameservers within your own zone first. This seems
+ to be a requirement for DENIC at any case.
1. Add the NS entries to the HE nameservers within your zone in the INWX web
interface. [4]
1. Download and import the zone file again. Wait for the AXFR.
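Review bot: "at any case" on the added line should read "in any case", and the sentence reads more clearly as "DENIC seems to require this in any case". The unchanged context line above has "e.h. DENIC" for "e.g. DENIC". The order of these steps is the practical lesson of the "UPDATE FAILED" message: the registry checks that the NS set inside the zone already contains the nameservers being delegated to, so the child NS records must be published (and transferred to the secondaries via the re-import and AXFR) before the delegation change is requested; stating that explicitly would save readers the same failed attempt.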
@@ -107,9 +153,10 @@ INWX.
1. Wait at least 24 hours (TTLs, DNS propagation time).
1. `pdnsutil unset-presigned $zone`. I guess at this point you must or should
* stop PowerDNS, [5]
- * edit the zone (e.g. clearing out the RRSIGs you imported, I guess if
- you don't, there'll be trouble. Oh, and the NSEC3PARAM), while also
- increasing the serial. (Otherwise the AXFR might not take place),
+ * edit the zone (clearing out the RRSIGs you imported. If I understood
+ the PowerDNS docs correctly, there'll be trouble [6] if you don't. Oh,
+ don't forget the NSEC3PARAM record), while also increasing the serial
+ (otherwise the AXFR might not take place),
* start PowerDNS,
* notify the secondaries
1. At this point, you should be done.
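Review bot: the edit sub-step leaves the serial bump as a manual edit and hedges with "I guess" on a step that, if skipped, causes duplicate RRSIGs per footnote [6]; `pdnsutil increase-serial $zone` bumps the SOA serial without touching the rest of the zone, and after stripping the imported RRSIGs and NSEC3PARAM record it is worth running `pdnsutil rectify-zone $zone` and `pdnsutil check-zone $zone` (and `pdnsutil show-zone $zone` to confirm which keys PowerDNS will now sign with) before starting the daemon and notifying the secondaries, so the first transfer after `unset-presigned` already carries consistently signed data. Consider stating the order firmly once verified rather than as "you must or should".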
@@ -121,8 +168,8 @@ headache for me.
[2] For the purposes of this blog article, I think you can freely substitute
zone with domain in your head, I probably won't use the words correctly 100% of
the time either. \
-[3] DNS zone transfer. \
[4] I think that shouldn't to any damage. DNS recursion should always ask the
parent zone? \
[5] Avoiding a spurious notify or AXFR directly after editing? No idea if
-needed.
+needed. \
+[6] such as duplicate RRSIG replies.
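Review bot: the new footnote [6] starts lowercase ("such as duplicate RRSIG replies") unlike the other footnotes, and the unchanged context line for [4] has "shouldn't to any damage" for "shouldn't do any damage". On the question left open in [4]: resolvers follow the delegation (NS records in the parent zone), but validators such as dnsviz report a parent/child NS set mismatch as a warning, so the intermediate state where the zone lists the HE nameservers while the registry still points at INWX is harmless for resolution yet will show up in the dnsviz check suggested earlier; noting that would answer the footnote's own question.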