[00:05:02] Wikimedia-Apache-configuration, Operations, Patch-For-Review, User-Joe: Re-organize the apache configuration for MediaWiki in puppet - https://phabricator.wikimedia.org/T196968 (Krinkle)
[00:05:07] Wikimedia-Apache-configuration, Operations, Patch-For-Review, User-Joe: Re-organize the apache configuration for MediaWiki in puppet - https://phabricator.wikimedia.org/T196968 (Krinkle)
[00:06:03] Wikimedia-Apache-configuration, Operations, Patch-For-Review, User-Joe: Re-organize the apache configuration for MediaWiki in puppet - https://phabricator.wikimedia.org/T196968 (Krinkle)
[10:56:14] willikins:~ vgutierrez$ tshark -r dns.pcap -Y "dns.flags == 0x8005" -Tfields -e dns.qry.name | sort | uniq -c | sort -rn| head -10
[10:56:17] 1443 wikepedia.org
[10:56:28] it looks like we need to set up a zone for wikepedia.org :)
[11:07:42] it's funny, every request to that domain comes from AWS or google :/
[11:08:04] yeah, it looks like our own doing, it just never made the cut from the hundreds of typo/trademark/etc domains -> stuff we actually park in zonefiles
[11:08:21] morning bblack :)
[11:08:31] not that it changes things much to park it or not, either way the client gets no result
[11:08:58] but at least they get a faster no result and we're not left puzzling over high REFUSED stats and wondering about external lame delegations
[11:09:01] morning :)
[11:10:06] I've been migrating my setup over to a thinkpad the past couple of days, I'm nearly there now
[11:10:23] so you got rid of your old mbair?
[11:10:33] only thing left really is I don't think S3 suspend-to-ram works right at all. hibernate works fine though.
[11:11:12] yeah the mbair is still here for now, till I get comfortable enough with the new setup to ship it back :)
[11:11:43] modern hardware + minimalist i3 setup = huge battery life
[11:12:54] if I avoid doing obviously-power-hungry things like hangouts / youtube, it looks like for basically running my "gui" with wifi and basic browsing and IRC, I get ~12-13h battery time.
[11:14:43] pretty nice figures
[11:15:02] BTW, do we have a way to easy-generate parking domain zones?
[11:15:11] I'm seeing a templates/parking file in operations/dns
[11:17:20] just make a softlink to parking
[11:17:34] we have like 75 of those already heh
[11:17:57] it will at least turn the REFUSED into NXDOMAIN
[11:18:45] also Queens university is having some issue
[11:18:53] 284 queensu.ca.wiki
[11:19:09] well
[11:19:31] that's partly our fault
[11:19:55] we have legitimate delegations for a ton of *.wiki from the TLD for it
[11:20:11] they just have something misconfigured somewhere causing those lookups
[11:20:46] *.wiki is a known "interesting" case though, I'd not touch anything related to it in our config for now
[11:22:39] TL;DR - when the gTLD thing happened, someone registered .wiki, and "graciously" offered to give us all the language code subdomains and whatever other ones we wanted, which someone higher-up who is now long gone liked the idea of and took it. So we have delegation for everything like "en.wiki", etc...
[11:23:33] but they didn't give us the whole thing, and in my pessimistic view I think they were hoping that we'd legitimize .wiki by our use of it, which helps sell other commercial foo.wiki domainnames to others, and/or intentionally causes confusion about whether those others are associated with us.
[11:23:48] and I hate the random gTLD thing to begin with
[11:24:38] and at the time we were going through our HTTPS transition, so setting up the ~300 language codes under .wiki without a wildcard (since we don't own all of .wiki) would've been unmanageable for certificates (still would be an issue, maybe not at some future date with scalable LE set up)
[11:25:00] so we punted on it and never used them, but they still delegate them to us
[11:25:44] the lone exception is "w.wiki" which the foundation decided to use as our official URL shortener, and we put that in our DNS servers, our big certs, wrote an extension and put in some VCL rules to support it, etc...
[11:26:20] Traffic, Operations: Investigate NXDOMAIN DNS responses in our authdns servers - https://phabricator.wikimedia.org/T199525 (Vgutierrez)
[11:26:22] but afaik that effort has stalled for years somewhere on the Product side of the house and it still doesn't effectively work yet
[11:27:09] Traffic, Operations: Investigate NXDOMAIN DNS responses in our authdns servers - https://phabricator.wikimedia.org/T199525 (Vgutierrez) p:Triage>Normal
[12:15:25] netops, Operations, ops-codfw: Rename of wasat to mwmaint2001 (switch labels et al) - https://phabricator.wikimedia.org/T199530 (MoritzMuehlenhoff)
[12:15:28] netops, Operations, ops-codfw: Rename of wasat to mwmaint2001 (switch labels et al) - https://phabricator.wikimedia.org/T199530 (MoritzMuehlenhoff) p:Triage>Normal
[12:51:39] Traffic, Operations: Investigate NXDOMAIN DNS responses in our authdns servers - https://phabricator.wikimedia.org/T199525 (Vgutierrez) from a 5 minutes traffic capture the following domains belong to the top 10 that are actually owned by the WMF but not configured in our DNS servers: ``` 4820 wikepedia....
[13:40:50] Traffic, netops, Operations, ops-ulsfo: troubleshoot cr3/cr4 link - https://phabricator.wikimedia.org/T196030 (ayounsi) Open>stalled Latest news, Fiberstore optics are not qualified for the MX204, only Finisar are. Waiting on T199483 to move forward here.
[13:40:53] Traffic, netops, Operations, ops-ulsfo, Patch-For-Review: Rack/cable/configure ulsfo MX204 - https://phabricator.wikimedia.org/T189552 (ayounsi)
[14:21:06] netops, Analytics, Analytics-Kanban, Operations, Patch-For-Review: Review analytics-in4/6 rules on cr1/cr2 eqiad - https://phabricator.wikimedia.org/T198623 (elukey) So now on stat* and notebook* we have a /etc/gitconfig rule that forces all git users to use the http[s] proxy. The conf1006 fl...
[17:37:11] netops, Analytics, Analytics-Kanban, Operations, Patch-For-Review: Review analytics-in4/6 rules on cr1/cr2 eqiad - https://phabricator.wikimedia.org/T198623 (ayounsi) In addition to T198623#4415961 We have notebook1003 and notebook1004 sending `ICMPv6 Multicast Listener Report` every 2 minute...
[17:55:28] netops, Analytics, Analytics-Kanban, Operations, Patch-For-Review: Review analytics-in4/6 rules on cr1/cr2 eqiad - https://phabricator.wikimedia.org/T198623 (elukey) https://www.ietf.org/proceedings/50/I-D/nfsv4-rpc-ipv6-00.txt ``` IPv6 enabled RPC service must join a well known multicast...
[18:56:51] very cool doc about IPsec http://www.unixwiz.net/techtips/iguide-ipsec.html