
dns's Introduction

TTS DNS configuration


This repository holds the source code for configuring DNS for domains managed by GSA TTS, including 18F and the Presidential Innovation Fellows. See also:

Making changes

Assuming you're TTS staff, make the change in a branch on this repository itself rather than on a fork, because the deployment credentials are not shared with forks. (The main branch is protected so that only certain staff can write to it and history can't be overwritten.) For major changes, lower the TTL on the affected records ahead of time, at least one old-TTL interval before the change so that no resolver still holds the long-lived answer, and keep it low during the change window; that makes it easy to verify the change went through as expected and to roll back quickly if it didn't. Raise the TTL again once the change has settled.

  1. Is the domain pointing to the right nameservers? In other words, is there a file for the domain under terraform/ already?
    • Yes: Continue to next step.
    • No:
      1. Add a file for the domain (or subdomain, if the second-level domain isn't being added), to create the public hosted zone.
        • analytics.usa.gov is a good example to copy from.
        • You'll be using Terraform's aws_route53_zone.
        • If it's an existing domain, you'll want to make sure all existing records are copied over, so that they don't break when the cutover happens. You can ask the existing DNS managers for a list of records or a zone file for the domain and all subdomains.
      2. After the pull request is merged, to get the name servers for your domain check the output for your build in CircleCI. If you need further assistance, check with #admins-dns.
      3. Change the nameservers for the domain to point to AWS.
  2. Add the relevant additional record sets. In Terraform, these are known as aws_route53_records.

If you are pointing to a CloudFront distribution, use a Route 53 alias record (an A/AAAA record with an alias block) rather than a CNAME. A CNAME cannot coexist with any other record at the same name, and the apex of a zone always carries SOA and NS records, so a CNAME at a top-level domain (or at the top level of a delegated subdomain) is not valid DNS and Route 53 will reject it; an alias at the apex is fine. See the various examples in the repo, such as this one.
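As an added example, not code from the 18F/dns repository, here is a small pre-merge check in Python that encodes the rules above for the flat Terraform layout used in these files: it parses aws_route53_zone and aws_route53_record blocks, rejects a CNAME at a zone apex, flags a CNAME to a CloudFront hostname where an alias belongs, and requires ttl on non-alias records while rejecting it on alias records (the provider otherwise reports these only at apply time, as the linting issue further down this page shows). It also flags TTLs outside a standard set, which is the audit the TTL issue below asks for. The STANDARD_TTLS policy and the example.gov sample file are assumptions for illustration; Z2FDTNDATAQYW2 is the real CloudFront hosted-zone ID used with alias records.

```python
"""Pre-merge lint for Route 53 records in flat Terraform files (added example)."""
import re

# The subset of HCL these files use: one resource per block closed by a `}`
# at column 0, `key = value` attributes, and an optional nested `alias {}`.
RESOURCE_RE = re.compile(
    r'resource\s+"(?P<kind>aws_route53_(?:zone|record))"\s+"(?P<label>[^"]+)"\s*\{'
    r'(?P<body>.*?)\n\}',
    re.DOTALL,
)
ATTR_RE = re.compile(r'^[ \t]*(?P<key>\w+)[ \t]*=[ \t]*"?(?P<val>[^"\n]*?)"?[ \t]*$', re.MULTILINE)
ALIAS_RE = re.compile(r'\balias\s*\{(?:[^{}]|\$\{[^}]*\})*\}', re.DOTALL)
ZONE_REF_RE = re.compile(r'aws_route53_zone\.(?P<label>\w+)\.zone_id')

# Assumed TTL policy (not the repository's): short while a change is in
# flight, long once it has settled.
STANDARD_TTLS = {300, 3600, 86400}


def parse(tf_text):
    """Return ({zone_label: apex_name}, [record attribute dicts])."""
    zones, records = {}, []
    for m in RESOURCE_RE.finditer(tf_text):
        body = m["body"]
        alias = ALIAS_RE.search(body) is not None
        body = ALIAS_RE.sub("", body)  # keep alias attrs from shadowing the record's own
        attrs = {a["key"]: a["val"].strip() for a in ATTR_RE.finditer(body)}
        if m["kind"] == "aws_route53_zone":
            zones[m["label"]] = attrs.get("name", "").rstrip(".").lower()
        else:
            attrs.update(_label=m["label"], _alias=alias, _body=body)
            records.append(attrs)
    return zones, records


def lint(tf_text):
    """Return human-readable findings; an empty list means the file is clean."""
    zones, records = parse(tf_text)
    findings = []
    for r in records:
        label = r["_label"]
        rtype = r.get("type", "").upper()
        name = r.get("name", "").rstrip(".").lower()
        ref = ZONE_REF_RE.search(r.get("zone_id", ""))
        apex = zones.get(ref["label"]) if ref else None
        ttl = r.get("ttl")
        if rtype == "CNAME" and name == apex:
            findings.append(f"{label}: CNAME at the zone apex {apex} is not valid DNS; "
                            "use an A/AAAA alias record instead")
        elif rtype == "CNAME" and "cloudfront.net" in r["_body"]:
            findings.append(f"{label}: CNAME to a CloudFront distribution; prefer a Route 53 alias")
        if r["_alias"]:
            if ttl is not None:
                findings.append(f"{label}: alias records must not set ttl")
        elif ttl is None:
            findings.append(f'{label}: "ttl": required field is not set')
        elif not ttl.isdigit() or int(ttl) not in STANDARD_TTLS:
            findings.append(f"{label}: non-standard ttl {ttl} (expected one of {sorted(STANDARD_TTLS)})")
    return findings


# Constructed sample file: one correct alias record and three mistakes.
SAMPLE_TF = '''
resource "aws_route53_zone" "example_gov_zone" {
  name = "example.gov"
}

resource "aws_route53_record" "example_gov_a" {
  zone_id = "${aws_route53_zone.example_gov_zone.zone_id}"
  name    = "example.gov."
  type    = "A"
  alias {
    name                   = "d111111abcdef8.cloudfront.net."
    zone_id                = "Z2FDTNDATAQYW2"
    evaluate_target_health = false
  }
}

resource "aws_route53_record" "bad_apex_cname" {
  zone_id = "${aws_route53_zone.example_gov_zone.zone_id}"
  name    = "example.gov."
  type    = "CNAME"
  ttl     = 300
  records = ["d111111abcdef8.cloudfront.net."]
}

resource "aws_route53_record" "www_example_gov_cname" {
  zone_id = "${aws_route53_zone.example_gov_zone.zone_id}"
  name    = "www.example.gov."
  type    = "CNAME"
  records = ["d111111abcdef8.cloudfront.net."]
}

resource "aws_route53_record" "mail_example_gov_mx" {
  zone_id = "${aws_route53_zone.example_gov_zone.zone_id}"
  name    = "example.gov."
  type    = "MX"
  ttl     = 299
  records = ["10 mail.example.gov."]
}
'''

if __name__ == "__main__":
    for finding in lint(SAMPLE_TF):
        print(finding)
```

Run it over `terraform/*.tf` in the PR stage and fail the build on any finding; a clean file produces no output.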

On merge, changes are deployed to an AWS account hosting the Route53 records automatically by a CircleCI job.

Please note: only production systems with an ATO that are categorized as Low impact should have their DNS configuration here.

Redirects

We are moving from pages-redirects to fully configuring them in this repository. See the 18f_gov__join_18f_gov_redirect example.

Leave the trailing slash off the destination domain.

CloudFront does not allow the same alternate domain name to be attached to more than one distribution, so if the redirecting domain is assigned to any CloudFront distribution in any AWS account, it must be unassociated there before the module above can be deployed successfully.

Stubbing files

We keep a Terraform file for every TTS domain, even if it's just a comment referencing DNS managed elsewhere.

Public domain

This project is in the worldwide public domain. As stated in the license:

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

dns's People

Contributors

afeld, alain-hoang, amirbey, apburnes, datn, davemcorwin, dlapiduz, echappen, eddietejeda, erik-burgess, hursey013, jeremyzilar, jezhumble, jjediny, jkrzy, jmcarp, jontours, konklone, kyle-jennings, lindsayyoung, linuxbozo, mogul, pauldoomgov, pburkholder, rahearn, rocheller123, rogeruiz, ryanwoldatwork, stvnrlly, wslack


dns's Issues

As a domain owner, I would like to be notified about PRs for my domain

As a domain owner, I would like to be notified about PRs for my domain's terraform file.

This is more of a "nice to have" than a risk but here is what I would be looking for:

  • Is there a new product or service launching that we should know about (unlikely, but possible)
  • Are old legacy records being modified?
  • Is there a need for a 301 redirect in this change ?
  • Are the changes being rolled out in the right order?
  • Are the DNS configurations clearly documented in the file?
  • Who is the owner behind this product/service?

Standardize on TTL values

I noticed that we have a wide array of values used for TTL. I'm guessing that the majority of them can be increased to a larger value.

It's fairly common practice to only use short TTLs while testing out DNS changes and for failover setups. In other cases it is recommended that people use TTL values of 24 hours/86400s.

https://support.google.com/a/answer/48090#TTL

Once the records are configured correctly, we recommend setting a TTL value of 86400, which tells servers across the Internet to check every 24 hours for updates to the record.

https://support.rackspace.com/how-to/about-ttl-best-practices/

Generally, we recommend a TTL of 24 hours (86,400 seconds). However, if you are planning to make DNS changes, you should lower the TTL to 5 minutes (300 seconds) at least 24 hours in advance of making the changes. After the changes are made, increase the TTL back to 24 hours.

  • determine suggested short/long term TTL values
  • update all records accordingly

Example configuration no longer exists

The documentation is linking to the 18f.us.tf record as a good starter configuration. However, that one no longer exists. What would be a good alternative?

Create toaster.18f.gov

We've rebranded Fugacious to Toaster and would prefer to host at toaster.18f.gov

Please use the same configuration as fugacious.18f.gov, which appears to be two CNAME entries:

;; QUESTION SECTION:
;fugacious.18f.gov.		IN	A

;; ANSWER SECTION:
fugacious.18f.gov.	299	IN	CNAME	dualstack.production-star-18f-gov-elb-1963420885.us-gov-west-1.elb.amazonaws.com.
dualstack.production-star-18f-gov-elb-1963420885.us-gov-west-1.elb.amazonaws.com. 60 IN	A 52.222.35.187
dualstack.production-star-18f-gov-elb-1963420885.us-gov-west-1.elb.amazonaws.com. 60 IN	A 96.127.47.199

Question: can cloud.gov handle the redirects from fugacious -> toaster? If it's a pain, I can configure at the app level.

DRY the IPv6 configuration?

Background information

DRY definition

See discussion in #522.

Implementation steps

  • Collect feedback (votes?) from others that interact with this repository

Acceptance criteria

  • We have implemented IPv6 in this repository in a way that has consensus

Move in 18f.gov

DNS for 18f.gov is still managed in the old 18F AWS account—we should get it in here so everything is managed in one place.

Change atf-eregs.18f.gov to a redirect

The TTS Digital Council has confirmed that atf-eregs.18f.gov should no longer be live since the final client website long ago launched. We've confirmed with the stakeholders that atf-eregs.18f.gov should be deprecated but it still gets decent traffic b/c of SEO, so we want to set up a redirect to the client website.

Sorry but this is a bit beyond my comfort level. Anyone game to help?

determine how domain approvals should work for TTS-managed domains

Background information

The InSite page about domain names asks for GSA staff to put in DNS requests through Service Now, which includes a step for approval from the Office of Strategic Communications (OSC). TTS manages our own DNS for most of our domains, and therefore is able to make changes without that OSC review.

Digital Council Trello card

Acceptance criteria

  • TTS and OSC agree on documentation for when and how domain requests should be reviewed by OSC

The assignee can add some checkboxes as a "sketch" of the steps to complete, which may evolve.

Automate the checking of unused DNS records

We should clean out records from this repository that aren't actually in use. Some ideas of things to check for:

  • Public Route 53 zones where the domain isn't actually pointing to those nameservers
  • A, AAAA, and CNAME records where that hostname doesn't respond

We should add a script to the repository to check for these things.
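An added example, not the repository's script, of the audit this post describes, written so the DNS lookups are injected and the classification can be tested offline: a hosted zone counts as unused when the public NS set for its name is not the Route 53 zone's name servers, a CNAME counts as dangling when its target no longer exists (NXDOMAIN), and an A/AAAA record is stale when the public answer differs from the repository's value. The FAKE_DNS table, the sample zones and records, and the signature of resolve are all constructed for this example.

```python
"""Audit Route 53 zones and records against what public DNS actually serves."""


def _names(values):
    """Normalise DNS names or addresses for set comparison."""
    return {v.rstrip(".").lower() for v in values}


def audit(zones, records, resolve):
    """Return findings for zones and records that no longer match public DNS.

    zones:   [{"name": str, "name_servers": [str]}]   one entry per Route 53 zone
    records: [{"name": str, "type": str, "records": [str]}]
    resolve: callable(name, rrtype) -> list of RDATA strings, or None for
             NXDOMAIN. Injected (an assumption of this example) so the
             logic runs offline; wrap a real resolver for production use.
    """
    findings = []
    for zone in zones:
        live = resolve(zone["name"], "NS")
        if not live or _names(live) != _names(zone["name_servers"]):
            findings.append(
                f"zone {zone['name']}: public NS {sorted(_names(live or []))} is not the "
                "Route 53 zone's NS set; the hosted zone is unused or mis-delegated"
            )
    for rec in records:
        name, rtype = rec["name"], rec["type"].upper()
        if rtype == "CNAME":
            target = rec["records"][0]
            if resolve(target, "A") is None and resolve(target, "AAAA") is None:
                findings.append(
                    f"{name}: dangling CNAME -> {target} (NXDOMAIN); remove it, since a "
                    "claimable target name is a subdomain-takeover risk"
                )
        elif rtype in ("A", "AAAA"):
            live = resolve(name, rtype)
            if live is None or _names(live) != _names(rec["records"]):
                findings.append(
                    f"{name}: public {rtype} answer {live} differs from repo value {rec['records']}"
                )
    return findings


# Constructed snapshot of public DNS answers, standing in for real lookups.
# d111111abcdef8.cloudfront.net is absent on purpose: that distribution is gone.
FAKE_DNS = {
    ("example.gov", "NS"): ["ns-1.awsdns-00.org.", "ns-2.awsdns-00.com."],
    ("old.example.gov", "NS"): ["ns1.other-provider.example."],
    ("api.example.gov", "A"): ["203.0.113.10"],
    ("pages.example.net", "A"): ["203.0.113.20"],
}


def fake_resolve(name, rrtype):
    return FAKE_DNS.get((name.rstrip(".").lower(), rrtype))


# Constructed repository state: one live zone, one zone nobody delegates to,
# one healthy A, one healthy CNAME and one CNAME to a deleted distribution.
SAMPLE_ZONES = [
    {"name": "example.gov", "name_servers": ["ns-1.awsdns-00.org", "ns-2.awsdns-00.com"]},
    {"name": "old.example.gov", "name_servers": ["ns-3.awsdns-00.net", "ns-4.awsdns-00.co.uk"]},
]
SAMPLE_RECORDS = [
    {"name": "api.example.gov.", "type": "A", "records": ["203.0.113.10"]},
    {"name": "docs.example.gov.", "type": "CNAME", "records": ["pages.example.net."]},
    {"name": "app.example.gov.", "type": "CNAME", "records": ["d111111abcdef8.cloudfront.net."]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONES, SAMPLE_RECORDS, fake_resolve):
        print(finding)
```

With dnspython, `resolve` would call `dns.resolver.resolve(name, rrtype)` and map `dns.resolver.NXDOMAIN` to None. The inverse of the first check is the one to watch most closely: a domain whose NS still point at AWS name servers for a hosted zone that has since been deleted can be re-created by someone else.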

DNS Invalid Record for Hubspot

We are getting errors in Hubspot saying that this record is invalid:

resource "aws_route53_record" "hubspot2_digitalgov_gov_a" {
  zone_id = "${aws_route53_zone.digitalgov_gov_zone.zone_id}"
  name    = "hs2._domainkey.digitalgov.gov."
  type    = "CNAME"
  ttl     = "300"
  records = [
    "digitalgov-gov.hs01b.dkim.hubspotemail.net."
  ]
}

The values that Hubspot is providing for that record are:

NAME
hs2._domainkey.digitalgov.gov

Value
digitalgov-gov.hs01b.dkim.hubspotemail.net.

Improve linting for DNS Concourse job

Yoz's addition to the vote.gov DNS failed with the following error:

* aws_route53_record.vote_gov_www_vote_gov_a: provider.aws: aws_route53_record: www.vote.gov: "ttl": required field is not set

That should get checked in the PR stage.

How do I add a new domain on Federalist for a site where TTS owns the DNS?

I think the text to merge looks like one of the two options below. Questions:

  1. Is it correct to say we always want the CNAME option?
  2. If so, is the bolded text the only piece that would be changed?
  3. If not, where does the "zone ID" come from when doing an A record?
  4. Should Federalist have the power to merge its own PRs into this?

resource "aws_route53_record" "18f_gov_sample-website-B_18f_gov_cname" {
  zone_id = "${aws_route53_zone.18f_gov_zone.zone_id}"
  name    = "sample-website-A.18f.gov."
  type    = "CNAME"
  ttl     = 300
  records = ["d1z8tmjf5ismhl.cloudfront.net."]
}

resource "aws_route53_record" "18f_gov_climate-data-user-study_18f_gov_a" {
  zone_id = "${aws_route53_zone.18f_gov_zone.zone_id}"
  name    = "sample-website-B.18f.gov."
  type    = "A"
  alias {
    name                   = "dgkam57c0xckv.cloudfront.net."
    zone_id                = "Z2FDTNDATAQYW2"
    evaluate_target_health = false
  }
}

upgrade to Terraform 0.12+

The major issue for all the 18f.us/18f.gov resources:

In Terraform 0.12, resource names must start with a letter.

Implementation Steps

  • Schedule time for migration with @amirbey

Acceptance Criteria

  • Terraform 14 plan / apply runs with no warnings or errors presented

automatically check for HSTS

Background information

We want all of our domains to be preloaded with HTTP Strict Transport Security (HSTS). We can add automated tests to ensure it's in place.

Acceptance criteria

  • An error is thrown (on a recurring basis) if a domain in this repository doesn't have the HSTS headers or isn't on the preload list

The assignee can add some checkboxes as a "sketch" of the steps to complete, which may evolve.
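An added example, not the repository's check, of the part of this test that can be evaluated from the response itself. Submission to the HSTS preload list requires a Strict-Transport-Security header with max-age of at least 31536000 seconds (one year) and both the includeSubDomains and preload directives, on top of a valid certificate and an HTTP-to-HTTPS redirect on the same host. The functions below parse the header and report what is missing; the SAMPLE_RESPONSES table is constructed, and fetching the real headers and querying the preload list are left to the caller.

```python
"""Check Strict-Transport-Security headers against the HSTS preload requirements."""

ONE_YEAR = 31536000  # minimum max-age accepted for preload submission


def parse_hsts(header):
    """Return (max_age, set of lowercase flag directives) for an STS header value."""
    max_age, flags = None, set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        key, _, value = directive.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None, flags
        else:
            flags.add(key)
    return max_age, flags


def preload_problems(header):
    """List what keeps this header from meeting the preload requirements (empty = OK)."""
    if header is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    max_age, flags = parse_hsts(header)
    problems = []
    if max_age is None:
        problems.append("max-age missing or unparseable")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age={max_age} is below the one-year minimum ({ONE_YEAR})")
    if "includesubdomains" not in flags:
        problems.append("includeSubDomains directive missing")
    if "preload" not in flags:
        problems.append("preload directive missing")
    return problems


def audit_hsts(responses):
    """Map each domain to its problems; responses is {domain: STS header value or None}."""
    return {domain: preload_problems(header) for domain, header in responses.items()}


# Constructed sample of header values as captured from each domain's HTTPS response.
SAMPLE_RESPONSES = {
    "good.example.gov": "max-age=31536000; includeSubDomains; preload",
    "short.example.gov": "max-age=300; includeSubDomains",
    "none.example.gov": None,
}

if __name__ == "__main__":
    for domain, problems in audit_hsts(SAMPLE_RESPONSES).items():
        print(domain, "OK" if not problems else "; ".join(problems))
```

On a recurring job, feed `audit_hsts` the header from an HTTPS GET against each domain in the repository and fail when any domain has a non-empty problem list; a separate lookup against hstspreload.org then confirms the domain is actually on the list.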

Move Usability.gov domain to TTS

We are preparing to move Usability.gov from HHS to the GSA.

Usability.gov will have a new home in 2020

This long-standing UX resource will be part of the family of guidance offered by Digital.gov as part of Digital.gov’s mission to transform how government learns, builds, delivers, and measures digital services in the 21st century. Read more


The following is a list of the things we are working on to make this transition possible. We are looping in the TTS Infra team on this for visibility and additional guidance on making this a smooth transition.

(feel free to edit/add as you see fit)

Approvals

  • Get the domain transfer letter signed by Dave Shive
  • Coordinate with HHS on submitting the letters to DotGov.gov to get the transfer moving (in progress)

Prepare Domain Transfer

Here is how I think the transfer will likely go

  • Get the Federalist site reviewed by the Federalist Team (in-progress)
  • Prepare the DNS records in a draft PR in the TTS DNS repo (see #422)
  • Ensure Sara Cope can manage the DotGov registry for this domain

Make the Domain Transfer

  • Coordinate with the Federalist team and TTS Infra team on a day to launch
  • Alert the HHS IT team of the day we plan on making the switch
  • Ask the Federalist team for Cloudfront URLs (needs to be done within 12hrs of the launch)
  • Insert them into the draft PR we created for this domain (see #422)
  • Get the PR reviewed
  • Make the switch in DotGov
  • Merge the PR
  • Turn things on and off a few times till it works. 😆
  • [... unknown...]

Create DNS for stage.fec.gov

@afeld we have a question about creating a new stage.fec.gov DNS within this repo.

We want to enable cloudfront caching on our staging environment, in order to do this we need to set up a stage.fec.gov cdn-route. First off, would we need to submit a terraform PR to get name servers in order for our service provider to delegate a domain?

Would the below code work in a new /terraform/stage.fec.gov.tf? This code would essentially output name servers for us to point to? See below:

# Setting up a staging domain in order to set up a new cdn-route
# to configuring caching headers in cloudfront

resource "aws_route53_zone" "stage_gov_us_zone" {
  name = "stage.fec.gov"
  tags {
    Project = "dns"
  }
}

output "stage_gov_us_ns" {
  value="${aws_route53_zone.stage_gov_us_zone.name_servers}"
}

Once we get the name servers and have it delegated, we should be able to take it from there to set cloudfront caching on our side via the cdn-route instructions in this section of the cloud.gov docs: https://cloud.gov/docs/services/cdn-route/#how-to-create-an-instance-of-this-service

cc @vrajmohan

resume use of docker image hashicorp/terraform:light ?

hashicorp/terraform was recently released as version 0.12, which appears to have new validation rules and is blocking updates to 18f/dns. For now, the docker image has been pinned to 0.11.4:
#331

A longterm solution is needed to resume use of hashicorp/terraform:light

DMARC External Destination Verification for new top level domains not owned by TTS

We're leveraging TTS DNS for a partner engagement which includes a new top level domain. Initial configuration was rolled out in #362.

This included GSA DMARC reporting destinations common to the other domains configured in this repo:

However, a corresponding change was never made at gsa.gov to verify and accept DMARC reports from the new domain in question. ref: https://tools.ietf.org/html/rfc7489#section-3.2

  1. Should the GSA reporting destinations be included in this DMARC record?
  2. If yes, and GSA should receive these DMARC reports. What steps are necessary to setup external destination verification w/ gsa.gov ?
    • e.g. findtreatment.gov._report._dmarc.gsa.gov.
    • Related to #363
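An added example, not the repository's configuration, of the verification this post asks about. RFC 7489 section 7.1 requires that, for each rua or ruf mailbox whose domain is not the policy domain (or a subdomain of it), the receiving domain publish a TXT record named <policy-domain>._report._dmarc.<receiving-domain> containing at least v=DMARC1; otherwise the receiver discards reports for that destination. The functions below list the destinations in a DMARC record that need such a record, build the names, and check them through an injected TXT lookup. The sample policy, the mailbox addresses and the FAKE_TXT table are constructed; findtreatment.gov and gsa.gov are taken from the post, and treating the given domain as the organizational domain is a simplification.

```python
"""List and verify the external DMARC report destinations in a domain's record."""


def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def external_destinations(domain, dmarc_txt):
    """Yield (tag, dest_domain) for rua/ruf mailboxes outside `domain`.

    Assumes `domain` is the organizational domain, so mailboxes at it or
    at one of its subdomains need no verification (RFC 7489 section 7.1).
    """
    org = domain.rstrip(".").lower()
    tags = parse_dmarc(dmarc_txt)
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri.lower().startswith("mailto:"):
                continue
            addr = uri[len("mailto:"):].split("!", 1)[0]  # drop the optional size limit
            dest = addr.rsplit("@", 1)[-1].rstrip(".").lower()
            if dest != org and not dest.endswith("." + org):
                yield tag, dest


def verification_name(domain, dest):
    """Name of the TXT record the receiving domain must publish for `domain`."""
    return f"{domain.rstrip('.').lower()}._report._dmarc.{dest}"


def check_external_destinations(domain, dmarc_txt, resolve_txt):
    """Return {verification_name: bool}; resolve_txt(name) -> list of TXT strings or None."""
    results = {}
    for _tag, dest in external_destinations(domain, dmarc_txt):
        name = verification_name(domain, dest)
        txts = resolve_txt(name) or []
        results[name] = any(t.strip().lower().startswith("v=dmarc1") for t in txts)
    return results


# Constructed sample: one in-domain mailbox and two external report receivers.
SAMPLE_DOMAIN = "findtreatment.gov"
SAMPLE_DMARC = (
    "v=DMARC1; p=reject; "
    "rua=mailto:dmarc@findtreatment.gov,mailto:dmarc-reports@gsa.gov!10m,"
    "mailto:rua@dmarc-vendor.example; "
    "ruf=mailto:forensic@gsa.gov"
)

# Constructed DNS snapshot: gsa.gov has published its verification record,
# the vendor domain has not.
FAKE_TXT = {
    "findtreatment.gov._report._dmarc.gsa.gov": ["v=DMARC1"],
}


def fake_resolve_txt(name):
    return FAKE_TXT.get(name.rstrip(".").lower())


if __name__ == "__main__":
    for name, ok in check_external_destinations(SAMPLE_DOMAIN, SAMPLE_DMARC, fake_resolve_txt).items():
        print(name, "verified" if ok else "MISSING")
```

Run this before merging a DMARC record for a domain that is not gsa.gov: every name it reports as missing is a destination whose reports will be silently dropped until the receiving side publishes the record, so the new domain's Terraform and the gsa.gov change need to land together.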

Document establishing a new top level DNS domain

User Story

As a new TTS member I want a clear guide on the entire workflow for creating a new top-level *.gov domain.

Details

Documentation gaps exist for new users who need to establish an entirely new top-level *.gov domain. The documentation is unclear that the first step is to make a PR and merge it to obtain the name server output, which is then submitted in the dotgov.gov registration form.

Acceptance Criteria

Include secondary considerations/checks for a new domain

  • Coordinate with SecOps (Armando Quintananieves) on DMARC
  • Add domain to HSTS preloading list
