Domain: transfer domain to the CNCF #3134

Closed
3 of 4 tasks
upodroid opened this issue Mar 3, 2022 · 26 comments

@upodroid
Member

upodroid commented Mar 3, 2022

As part of cncf/sandbox#218, we will need to hand over ownership of the knative domains to CNCF, but the DNS zones will be hosted on Google Cloud and changes will be driven via Infrastructure as Code.

Current NS records:

# This domain is not hosted on Google Cloud DNS
$ dig NS knative.dev +short
ns1.googledomains.com.
ns2.googledomains.com.
ns4.googledomains.com.
ns3.googledomains.com.
# Not sure which project owns this.
$ dig NS knative.team +short
ns-cloud-c1.googledomains.com.
ns-cloud-c3.googledomains.com.
ns-cloud-c4.googledomains.com.
ns-cloud-c2.googledomains.com.

We will need to create a new GCP project called knative-dns and host the DNS zones in that project. Once that is done, this issue will be updated with the NS records that can be shared with CNCF.

This is what we need to do:

/kind cncf-infra

@csantanapr changed the title from "Migrate DNS Zones for knative.dev and knative.team to community owned Google Cloud project." to "Domain: transfer domain to the CNCF" on Mar 10, 2022
@csantanapr
Member

Related to [INCUBATING PROJECT ONBOARDING] Knative cncf/sandbox#218

@upodroid
Member Author

Can you verify if these records are correct?

$ dig any knative.dev

; <<>> DiG 9.10.6 <<>> any knative.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5351
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;knative.dev.			IN	ANY

;; ANSWER SECTION:
knative.dev.		86400	IN	CAA	0 issue "letsencrypt.org"
knative.dev.		86400	IN	CAA	0 issue "pki.goog"
knative.dev.		300	IN	TXT	"v=spf1 ?all"
knative.dev.		300	IN	TXT	"google-site-verification=w5KR-YluNH94Htu_LcKidfaDfQhlyzRaCp4-_VI5yFY"
knative.dev.		3600	IN	SOA	ns1.googledomains.com. dns-admin.google.com. 2018022000 21600 3600 1209600 300
knative.dev.		21600	IN	NS	ns2.googledomains.com.
knative.dev.		21600	IN	NS	ns4.googledomains.com.
knative.dev.		21600	IN	NS	ns3.googledomains.com.
knative.dev.		21600	IN	NS	ns1.googledomains.com.
knative.dev.		3600	IN	A	75.2.60.5

;; Query time: 115 msec
;; SERVER: 10.150.0.1#53(10.150.0.1)
;; WHEN: Tue Mar 29 23:45:26 BST 2022
;; MSG SIZE  rcvd: 364

$ dig any knative.team

; <<>> DiG 9.10.6 <<>> any knative.team
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30860
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;knative.team.			IN	ANY

;; ANSWER SECTION:
knative.team.		3598	IN	MX	5 alt2.aspmx.l.google.com.
knative.team.		3598	IN	MX	5 alt1.aspmx.l.google.com.
knative.team.		3598	IN	MX	10 alt3.aspmx.l.google.com.
knative.team.		3598	IN	MX	10 alt4.aspmx.l.google.com.
knative.team.		3598	IN	MX	1 aspmx.l.google.com.
knative.team.		3598	IN	RRSIG	MX 8 2 3600 20220419182342 20220328182342 34548 knative.team. Lo7bNnaYpfM+1zabT44d401MvOZHzuUb2rSlPV+bGff6n8R/xshqd4kz M7Txe/IzDNkW0+R2W2/u5vVuv/D3BQ7GjCRjydP/pZPJz0IqN6r+k0G6 yyUwvBGyuzUmYLbaUJXtxMi5qz1nIH5W+R4wAjWil/Xl+UNGffc7Z4rv 8+Q=
knative.team.		21598	IN	SOA	ns-cloud-c1.googledomains.com. cloud-dns-hostmaster.google.com. 16 21600 3600 259200 300
knative.team.		21598	IN	RRSIG	SOA 8 2 21600 20220419182342 20220328182342 34548 knative.team. E/ahYTtb6iOIttLM8AzRshjaxyoil+4oNNZwjxdE1ZmqtFcEmN8fBSDQ 2w/HzKgh3QKHAc2TnSbAwkU6GSyieGZxeMT3nJfgV0yupp67UPJQc2iK qnUDeRsqmxThVwJXzd1sk462W/CmbpQS4eBxYjxLP5oPVsJXxfxNTT29 G9c=
knative.team.		21598	IN	NS	ns-cloud-c2.googledomains.com.
knative.team.		21598	IN	NS	ns-cloud-c4.googledomains.com.
knative.team.		21598	IN	NS	ns-cloud-c1.googledomains.com.
knative.team.		21598	IN	NS	ns-cloud-c3.googledomains.com.
knative.team.		21598	IN	RRSIG	NS 8 2 21600 20220419182342 20220328182342 34548 knative.team. G842OJjOtR1vHdyp5Ad1yqHzdceLBMi8h2AOM4keTrXQ1ojfkGnuGAzr sxn83ygh7cC3zzforGcFP5Xd4G6qQsgyPV/Gm3HYTmOvjstqszymvum4 /8HrZ5cAwDVSnf5+Zm3f37v5z0xpTnKKq+pGcECzhsuRQ2Zvi2p/gQWk v3Q=

;; Query time: 3 msec
;; SERVER: 10.150.0.1#53(10.150.0.1)
;; WHEN: Tue Mar 29 23:45:37 BST 2022
;; MSG SIZE  rcvd: 850

@chizhg
Member

chizhg commented Mar 31, 2022

These are all we have I think. I'm not familiar with Cloud DNS so not sure if anything else is needed.

; [www.]knative.dev leads to documentation in knative.netlify.com
www          CNAME    knative.netlify.com.

; A/AAAA records (Netlify LoadBalancer IP)
@            3600     IN A      75.2.60.5

; Subdomains mapping to GAE services in knative-tests GCP project
testgrid     3600     IN CNAME  ghs.googlehosted.com.
gubernator   3600     IN CNAME  ghs.googlehosted.com.
slack        3600     IN CNAME  ghs.googlehosted.com.
blog         3600     IN CNAME  ghs.googlehosted.com.
stats        3600     IN CNAME  ghs.googlehosted.com.

;;; Settings for elections.knative.dev
elections    3600     IN CNAME  elb.apps.ospo-osci.z3b1.p1.openshiftapps.com.

;;; Settings for prow.knative.dev
; prow must point to the prow cluster ingress in knative-tests GCP project
prow                 3600      IN A 35.201.93.215

@chizhg assigned upodroid and unassigned thisisnotapril on Mar 31, 2022
@csantanapr
Member

/assign chizhg

@chizhg
Member

chizhg commented Mar 31, 2022

@csantanapr Mahamed said he's going to work on this, and he's got enough information to start. Is there anything I need to do at this moment?

===================

Oh never mind, I just saw we can have multiple assignees.

@upodroid
Member Author

This is sorted now.

$ gcloud dns record-sets list --zone knative-team --project knative-dns
NAME               TYPE   TTL    DATA
knative.team.      MX     300    1 aspmx.l.google.com.,5 alt1.aspmx.l.google.com.,5 alt2.aspmx.l.google.com.,10 alt3.aspmx.l.google.com.,10 alt4.aspmx.l.google.com.
knative.team.      NS     21600  ns-cloud-e1.googledomains.com.,ns-cloud-e2.googledomains.com.,ns-cloud-e3.googledomains.com.,ns-cloud-e4.googledomains.com.
knative.team.      SOA    21600  ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
www.knative.team.  CNAME  300    knative.netlify.com.
$ gcloud dns record-sets list --zone knative-dev --project knative-dns
NAME                     TYPE   TTL    DATA
knative.dev.             A      300    75.2.60.5
knative.dev.             CAA    300    0 issue "letsencrypt.org",0 issue "pki.goog"
knative.dev.             NS     21600  ns-cloud-d1.googledomains.com.,ns-cloud-d2.googledomains.com.,ns-cloud-d3.googledomains.com.,ns-cloud-d4.googledomains.com.
knative.dev.             SOA    21600  ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
knative.dev.             TXT    300    "v=spf1 ?all","google-site-verification=w5KR-YluNH94Htu_LcKidfaDfQhlyzRaCp4-_VI5yFY"
blog.knative.dev.        CNAME  300    ghs.googlehosted.com.
elections.knative.dev.   CNAME  300    elb.apps.ospo-osci.z3b1.p1.openshiftapps.com.
gubernator.knative.dev.  CNAME  300    ghs.googlehosted.com.
prow.knative.dev.        A      300    35.201.93.215
slack.knative.dev.       CNAME  300    ghs.googlehosted.com.
stats.knative.dev.       CNAME  300    ghs.googlehosted.com.
testgrid.knative.dev.    CNAME  300    ghs.googlehosted.com.
www.knative.dev.         CNAME  300    knative.netlify.com.

@csantanapr @thisisnotapril Please provide the following NS records to CNCF

knative.team
ns-cloud-e1.googledomains.com.
ns-cloud-e2.googledomains.com.
ns-cloud-e3.googledomains.com.
ns-cloud-e4.googledomains.com.
knative.dev
ns-cloud-d1.googledomains.com.
ns-cloud-d2.googledomains.com.
ns-cloud-d3.googledomains.com.
ns-cloud-d4.googledomains.com.

@chizhg
Member

chizhg commented Apr 5, 2022

I have three more questions about this:

  1. I see knative.dev domain is registered through Google domains - https://domains.google.com/registrar/search/whois/knative.dev?searchTerm=knative.dev, and it's going to expire on 2022-05-23. Shall we also transfer the ownership AND extend it?

  2. When should we delete the dns zones managed internally at Google? It's unclear to me how it works when two dns zones are configured for the same domain.

  3. There is an AppEngine app at https://pantheon.corp.google.com/appengine/services?project=knative-tests we are using for redirecting the xxx.knative.dev to the corresponding URLs (the code for deploying it is in our internal codebase, but I can move it out). Would it make more sense to move this app to the knative-dns project as well?

@upodroid
Member Author

upodroid commented Apr 5, 2022

> 1. I see knative.dev domain is registered through Google domains - https://domains.google.com/registrar/search/whois/knative.dev?searchTerm=knative.dev, and it's going to expire on 2022-05-23. Shall we also transfer the ownership AND extend it?

When you transfer the domain to CNCF, they will be able to renew it. However, if the transfer is after that date, you'll need to renew it to avoid losing the domain.

> 2. When should we delete the dns zones managed internally at Google? It's unclear to me how it works when two dns zones are configured for the same domain.

After the new zones are in operation. We can verify that by checking the NS records returned for the domains after the transition. The active DNS zone is determined by the nameservers configured with the domain registry.

> 3. There is an AppEngine app at https://pantheon.corp.google.com/appengine/services?project=knative-tests we are using for redirecting the xxx.knative.dev to the corresponding URLs (the code for deploying it is in our internal codebase, but I can move it out). Would it make more sense to move this app to the knative-dns project as well?

Yes.

Typical DNS Migration Guide: https://cloud.google.com/dns/docs/migrating

In summary:

Cloud DNS supports the migration of an existing DNS domain from another DNS provider to Cloud DNS. This procedure describes how to complete the necessary steps: create a managed zone for your domain, export the DNS configuration from your existing provider, import your existing DNS configuration to Cloud DNS, update your registrar's name server records, and then verify the migration.

I can join the steering call this week to answer any questions.
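
The verification step mentioned above can be scripted before the registrar's name servers are switched. This is an added example, not code from the thread's participants: it compares the old zone's `dig` answers with the new zone's `gcloud dns record-sets list` rows for knative.team (both as quoted in this thread) and flags that the old zone is DNSSEC-signed (the RRSIG records and `ad` flag in the `dig any knative.team` output), in which case a stale DS record at the registry would make validating resolvers fail after the switch. The function names are hypothetical.

```shell
# Added example. Records are copied from the outputs quoted in this thread;
# the RRSIG signature is a placeholder and only one old NS line is kept.
OLD_TEAM=$(cat <<'EOF'
knative.team. 3598 IN MX 5 alt2.aspmx.l.google.com.
knative.team. 3598 IN MX 5 alt1.aspmx.l.google.com.
knative.team. 3598 IN MX 10 alt3.aspmx.l.google.com.
knative.team. 3598 IN MX 10 alt4.aspmx.l.google.com.
knative.team. 3598 IN MX 1 aspmx.l.google.com.
knative.team. 3598 IN RRSIG MX 8 2 3600 20220419182342 20220328182342 34548 knative.team. SIGNATURE-PLACEHOLDER
knative.team. 21598 IN SOA ns-cloud-c1.googledomains.com. cloud-dns-hostmaster.google.com. 16 21600 3600 259200 300
knative.team. 21598 IN NS ns-cloud-c1.googledomains.com.
EOF
)
NEW_TEAM=$(cat <<'EOF'
NAME               TYPE   TTL    DATA
knative.team.      MX     300    1 aspmx.l.google.com.,5 alt1.aspmx.l.google.com.,5 alt2.aspmx.l.google.com.,10 alt3.aspmx.l.google.com.,10 alt4.aspmx.l.google.com.
knative.team.      NS     21600  ns-cloud-e1.googledomains.com.,ns-cloud-e2.googledomains.com.,ns-cloud-e3.googledomains.com.,ns-cloud-e4.googledomains.com.
knative.team.      SOA    21600  ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
www.knative.team.  CNAME  300    knative.netlify.com.
EOF
)
# dig answer lines -> "name type rdata"; TTL dropped, ";" comment lines skipped.
normalize_dig() {
  awk '$3 == "IN" { r = $5; for (i = 6; i <= NF; i++) r = r " " $i; print $1, $4, r }'
}
# gcloud table rows -> one "name type rdata" line per comma-separated value
# (naive split: a TXT value that itself contains a comma needs real parsing).
normalize_gcloud() {
  awk '$1 != "NAME" { d = $4; for (i = 5; i <= NF; i++) d = d " " $i
       n = split(d, a, ","); for (j = 1; j <= n; j++) print $1, $2, a[j] }'
}
# Records the old zone serves that the new zone lacks. NS, SOA and RRSIG belong
# to each zone's own provider and keys, so they are expected to differ.
missing_in_new() {
  new=$(printf '%s\n' "$2" | normalize_gcloud)
  printf '%s\n' "$1" | normalize_dig |
    awk '$2 != "NS" && $2 != "SOA" && $2 != "RRSIG"' |
    while read -r rec; do
      printf '%s\n' "$new" | grep -Fxq -- "$rec" || printf '%s\n' "$rec"
    done
}
# Succeeds when the old zone's answers carry RRSIGs, i.e. the zone is signed.
old_is_signed() {
  printf '%s\n' "$1" | normalize_dig | awk '$2 == "RRSIG" { f = 1 } END { exit !f }'
}
missing=$(missing_in_new "$OLD_TEAM" "$NEW_TEAM")
if [ -z "$missing" ]; then echo "parity ok"; else printf 'missing:\n%s\n' "$missing"; fi
old_is_signed "$OLD_TEAM" && echo "old zone is DNSSEC-signed: check the DS record at the registry"
```

`dig any` returns only what the resolver chooses to answer, so a real check should query each record type against the old and new authoritative name servers directly.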

@csantanapr
Member

@thisisnotapril will find out the codes for the two domains, knative.dev and knative.team, to put into one form https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/create/63

Along with the NS records in one form

knative.team
ns-cloud-e1.googledomains.com.
ns-cloud-e2.googledomains.com.
ns-cloud-e3.googledomains.com.
ns-cloud-e4.googledomains.com.

and

knative.dev
ns-cloud-d1.googledomains.com.
ns-cloud-d2.googledomains.com.
ns-cloud-d3.googledomains.com.
ns-cloud-d4.googledomains.com.

@csantanapr
Member

/assign @thisisnotapril

@hh

hh commented Apr 21, 2022

/assign @hh

@hh

hh commented Apr 26, 2022

/assign @BobyMCbobs

@knative-prow

knative-prow bot commented Apr 26, 2022

@hh: GitHub didn't allow me to assign the following users: bobyMCBobs.

Note that only knative members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @BobyMCbobs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@hh

hh commented Apr 26, 2022

Created https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-23949

Those domains need to be unlocked and an xfer code generated for those domains.

I'll take a look to see if I have access.

@hh

hh commented Apr 27, 2022

LF IT now has the domain xfer codes.

@csantanapr
Member

Thanks @hh !

@csantanapr
Member

@hh feel free to close this issue once the transfer is done

@hh

hh commented Apr 28, 2022

Johnson Nguyen has added a comment on your request [IT-23949]:

Both domains have been transferred in successfully

/close

@knative-prow

knative-prow bot commented Apr 28, 2022

@hh: Closing this issue.

In response to this:

Johnson Nguyen has added a comment on your request [IT-23949]:

Both domains have been transferred in successfully

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mattmoor
Member

When I was at Google I also scooped kn.dev for Knative, if it's easy enough to transfer that, I'd suggest it as well.

@chizhg
Member

chizhg commented Apr 28, 2022

> When I was at Google I also scooped kn.dev for Knative, if it's easy enough to transfer that, I'd suggest it as well.

I see there is also kn-e2e.dev which I assume is also for Knative?

Are these domains now used anywhere? If not probably makes more sense to drop them. There was a non-trivial review process to transfer Google domains to third parties, though probably we won't have to go over the same process again to add the kn.dev domain.

@mattmoor
Member

We should check on the domains used for auto-TLS e2e testing. IDK which are for that, but this smells like one, and @ZhiminXiang would know (also the scripts likely reference them).

@chizhg
Member

chizhg commented Apr 28, 2022

Zhimin has left Google so unlikely he'll be checking the GitHub issues..

I see kn-e2e.dev is indeed referenced at https://github.com/knative/serving/blob/main/test/e2e-auto-tls-tests.sh#L27. I'll ask if they can also help move these two domains out.

@mattmoor
Member

(So did I 😉 )

@ZhiminXiang

ZhiminXiang commented Apr 29, 2022

hey I am still around :)

The kn-e2e.dev is used for the auto TLS E2E tests only. It is NOT a fake domain as we need to manipulate DNS records for its subdomains to make DNS01 challenge and HTTP01 changes fulfilled in our auto TLS E2E tests. So if we want to transfer the DNS servers of this domain to third parties, we need to make sure our test infra has the permission to manipulate the DNS records of the new DNS server.

Also, the caveat of kn-e2e.dev is that I have asked LetsEncrypt to raise the quota for this domain to meet the needs of our E2E tests (but unfortunately I forgot the exact quota number, probably thousands per week). So if we consider replacing it with another domain, we may also need to raise the LetsEncrypt quota for the new one.

@upodroid
Member Author

upodroid commented May 20, 2022

I tracked down the zone for that domain and it is in a project that manage. We want to use GCP Cloud DNS domains instead of Google Domain DNS.

$ dig kn-e2e.dev NS +short
ns-cloud-e1.googledomains.com.
ns-cloud-e3.googledomains.com.
ns-cloud-e4.googledomains.com.
ns-cloud-e2.googledomains.com.
$ gcloud dns managed-zones list --project knative-e2e-dns --format yaml
---
cloudLoggingConfig:
  kind: dns#managedZoneCloudLoggingConfig
creationTime: '2020-01-28T21:33:55.966Z'
description: Custom domain used only for Knative E2E tests.
dnsName: kn-e2e.dev.
dnssecConfig:
  defaultKeySpecs:
  - algorithm: rsasha256
    keyLength: 2048
    keyType: keySigning
    kind: dns#dnsKeySpec
  - algorithm: rsasha256
    keyLength: 1024
    keyType: zoneSigning
    kind: dns#dnsKeySpec
  kind: dns#managedZoneDnsSecConfig
  nonExistence: nsec3
  state: on
id: '1624510263478052234'
kind: dns#managedZone
name: knative-e2e
nameServers:
- ns-cloud-e1.googledomains.com.
- ns-cloud-e2.googledomains.com.
- ns-cloud-e3.googledomains.com.
- ns-cloud-e4.googledomains.com.
visibility: public

@hh I will log a separate issue to request the transfer for that domain and kn.dev
