Moving things around

-Add what you did in/for dn42, yet:

-

-| Who | #peerings | Bandwidth | DNS | Fileserver | Network service | Website |

-|:------- |:--------- |:--------- |:--- |:---------- |:--------------- |:--------- |

-| allo | 7 | 1 GBit/s | auth. only | no | no | yes |

-| stv0g | 8 | 1 GBit/s | no | no | no | [yes](https://dev.0l.dn42) |

-[[_TOC_]]

-

-## Why are you using monotone for the registry? Why not GIT?

-

-There is an important difference between the data model of monotone and GIT: In GIT branches *are* HEADs, while in monotone, branches are a list of HEADs. Or, to state it simpler and probably less correct: It is possible to sync merge conflicts in monotone. In GIT, conflicts are part of the index and/or working tree, and thus can't be pushed/pulled.

-

-The DN42 registry is stored on multiple monotone servers which sync with each other. This is not possible in GIT, because the GIT servers don't know how to handle merge conflicts. In monotone, the servers just sync the conflict.

-

-

-## What about IPv6 in DN42?

-

-There are some ASes in DN42 that route IPv6 traffic. It is not yet agreed upon what prefixes should be used. The following proposals are the more sane ones:

-

-* Use Unique Local Addresses (ULAs). This is the *fd00::/8* range. In theory, this would be the obvious winner of this debate. They were standardised for exactly this purpose (not publicly routed networks that still want to use unique prefixes). Sadly, this would require you to announce two prefixes in your LAN if you want to use stateless autoconfiguration and no NAT: The ULA and a globally routed prefix. It is not yet known if this really works. [RFC 3484](http://www.rfc-editor.org/rfc/rfc3484.txt) demands a behavior that would make this work at the moment (until globally routed addresses from 8000::/1 are used).

-[This](http://www.sixxs.net/tools/grh/ula) generator can be used to generate a ULA prefix from one of your MAC addresses.

-* Use your globally unique PA space. This fixes the LAN-issue, because you only need to announce a single prefix. However, this complicates prefix filtering for everybody, and can lead to strange routing patterns, where packets are routed partially on dn42 and partially through the Internet.

-

-(*TODO*)

-

-At the moment, it is safe to assume that everyone doing IPv6 routing accepts at least prefixes from fd00::/8 with prefix lengths between 48 and 64 bits (inclusive) if they are part of the registry.

-

-

-## Why are you using ASN in the 76100-76199 range?

-

-Yes, we know that this is not private ASN space (rather, it is part of the reserved block 65552-131071, see [IANA](http://www.iana.org/assignments/as-numbers/as-numbers.xhtml)).

-

-We used to assign ASN in the 64600-64855 range, where you would get ASN 64600+X if you had 172.22.X.0/24. Since we are now assigning /25 by default, and we have extended the address range to include 172.23.0.0/16, this is legacy.

-

-Another issue with the private ASN range 64512-65534: other projects are also using it (for instance, Freifunk, Anonet, etc), which can lead to conflicts.

-

-Fortunately, [RFC6996](http://tools.ietf.org/html/rfc6996) defines a new private ASN range: 4200000000-4294967294. Given the size of this range, there is little chance of running into a conflict.

-

-We now encourage dn42 users to use the newly-allocated ranges in **4242420000-4242429999**. See the [registry page](Services-Whois#AS-numbers) for details.

-

-

-## What BGP daemon should I use?

-

-This is really up to you: that's the magic of open protocols.

-

-As of 2014, most people seem to use either Quagga or Bird (with a growing preference for Bird). You may also encounter users of OpenBGPd. Even more occasionally, people use hardware BGP routers in dn42, for instance [Extreme Networks](howto/bgp-on-extreme-summit1i) hardware.

-

-You want to join dn42, but you don't know where to start. This guide gives general guidelines about dn42 and routing in general, but it assumes that you are knowledgeable with routing.

-

-# Requirements

-

-- you have at least one router running 24/7. Any Linux or BSD box can be turned into a router. If your home router runs OpenWRT, you might consider using it for dn42.

-- your router is able to establish network tunnels over the Internet (GRE, OpenVPN, IPSec, Tinc...). Beware, your network operator might filter this kind of traffic, e.g. in schools or universities.

-- you are generally knowledgable with networking and routing (i.e. you've heard about BGP, IGP, forwarding, and you're willing to configure a BGP router such as Quagga or Bird)

-

-# Formalities

-

-Don't worry, it's not as tedious as registering with a RIR ;)

-

-## Subscribe to the mailing list

-

-This is important, as it allows to stay up-to-date on best practices, new services, security issues...

-

-See [Home#Contact](Home#Contact) to subscribe.

-

-## Fill in the registry

-

-You must create several objects in the registry. The recommended method is to use the [web interface](https://io.nixnodes.net/?registry), but you may still work directly with the [monotone repository](Services-Whois#Monotone).

-

-This example assumes that your name is `<FOO>`, part of an organisation called `<FOO-ORG>` (for instance, your hackerspace). Obviously, these should be replaced by the appropriate values in all examples below.

-

-We will create several types of objects: **maintainer** objects, which have an associated password and allow you to authenticate so that you can edit your own objects; **person** objects, which describe people or organisations and provide contact information; and finally, all other objects, which are resources (AS number, IP subnet, DNS zone, etc).

-

-### Create a maintainer object

-

-Create a `mntner` object named `<FOO>-MNT`. It will be used to edit all the objects that are under your responsibility.

-

-- choose a password, and don't forget it. **Note:** even though the field is named `sha512-pw`, you must enter *your password* directly, *not* the sha512 of your password.

-- use `DUMMY-DN42` as `admin-c` and `tech-c`. We will update this later.

-- use `<FOO>-MNT` as `mnt-by`, otherwise, you won't be able to edit your maintainer object.

-

-### Create person objects

-

-Create a `person` object for **yourself** (not your organisation/hackerspace/whatever).

-

-- use something like `<FOO>-DN42` as `nic-hdl`, it should end with `-DN42`.

-- the `person` field is more freeform, you may use your nickname or even real name here.

-- provide an email.

-- you may provide additional ways of contacting you, using one or more `contact` field. For instance `xmpp:[email protected]`, `irc:luke42@hackint`, `twitter: TheGreatLuke`.

-- you may whish to add other fields, such as `pgp-id`, `pgp-fingerprint`, `remarks`, and so on.

-- don't forget to set `mnt-by` to `<FOO>-MNT`.

-

-You must now edit the maintainer object created earlier, to properly fill in the `admin-c` and `tech-c` fields (set them to `<FOO>-DN42`).

-

-If you intend to register resources for an organisation (e.g. your hackerspace), you must also create an `organisation` object for your organisation:

-

-- `organisation` is of the form `<ORG-FOO>`.

-- email should be a contact address for your organisation, or maybe a mailing list (but people should be able to send email without subscribing).

-- you may provide a website (`www` field).

-- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.

-

-### Guidelines for future objects

-

-From now on, you should use:

-

-- `admin-c: <FOO>-DN42` and `tech-c: <FOO>-DN42` for your own resources.

-- `admin-c: <ORG-FOO>` and `tech-c: <FOO>-DN42` for the resources of your organisation.

-- `mnt-by: <FOO>-MNT` for all objects, so that you can edit them later.

-

-This applies to AS numbers, network prefixes, routes, DNS records...

-

-### Register an AS number

-

-To register an AS number, simply create an `autnum` object.

-

-Your AS number can be chosen arbitrarily in the dn42 ASN space, look at the `as-block` objects. The historic ASN space is around 64600-64855 and 76100-76200. Starting from June 2014, **you must allocate your AS number in the new 4242420000-4242423999 range**.

-

-For a list of currently assigned AS numbers, see http://ix.ucis.nl/dn42/as.php. This list is automatically built from the registry.

-

-If you intend to use an ASN outside of the native dn42 ranges, please check that it doesn't clash with the [Freifunk AS-Numbers] (http://wiki.freifunk.net/AS-Nummern) or other networks (ChaosVPN, etc). For a list of ASN currently announced in dn42, see [this map](http://nixnodes.net/dn42/graph/) or [this list](http://109.24.208.244:8888/dn42/lastseen/).

-

-If unsure, ask on the mailing list or IRC.

-

-### Register a network prefix

-

-To register an IPv4 network prefix, simply create an `inetnum` object.

-

-You may choose your network prefix in one of the currently open netblocks. There is also a [graphical visualisation of the assigned ranges](http://109.24.208.244:8888/dn42-netblock-visu/registry.html).

-

-The current guideline is to allocate a /25 by default, keeping space for a /23. You may allocate more than a /25 if you need to, but no more than a /23. In particular, if you want reverse DNS for your prefix, you will need at least a /24. (check? maybe the scripts in the repo are clever enough)

-

-

-# Get some peers

-

-In dn42, there is no real distinction between peering and transit: in most cases, everybody serves as an upstream provider to all its peers. Note that if you have very slow connectivity to the Internet, you may want to avoid providing transit between your peers, which can be done by filtering or prepending your ASN.

-

-If you don't know anybody who can peer with you, you can use this tool: http://peerfinder.polyno.me

-

-It will let you find people to peer with. You can then contact them on IRC or by email. In case you're really at loss, you can also ask for peers on the mailing list.

-

-## Establishing tunnels

-

-Unless your dn42 peers are on the same network, you must establish tunnels. Choose anything you like: OpenVPN, GRE, GRE + IPSec, IPIP, Tinc, ...

-

-There is some documentation in this wiki, like [gre-plus-ipsec](howto/gre-plus-ipsec).

-

-## Running a routing daemon

-

-You need a routing daemon to speak BGP with your peers. People usually run Quagga or Bird, but you may use anything (OpenBGPD, XORP, somebody even used an old [hardware router](howto/bgp-on-extreme-summit1i) ). See the relevant [FAQ entry](Frequently-Asked-Questions#What-BGP-daemon-should-I-use?).

-

-You can find [configuration examples for Bird here](howto/bird).

-

-Some [documentation of the old wiki] (http://dn42.volcanis.me/initenv/wiki/HowToPeer.html) might still be handy, but remember that everything there is terribly outdated.

-

-## Configuration Examples

-

-* [EdgeOS Configuration](EdgeOS-Config-Example)

-* [EdgeOS GRE/IPsec Example](howto/EdgeOS-GRE-IPsec-Example)

-* [BGP on Extreme Networks Summit 1i](howto/bgp-on-extreme-summit1i)

-* [dn42 on OpenWRT](howto/dn42-on-OpenWRT)

-* [Bird](howto/bird)

-* [IPsec with public key authentication](/howto/IPsecWithPublicKeys)

-

-# Configure DNS

-

-See [Services DNS](Services-DNS).

-

-# Use and provide services

-

-See [internal](internal) for internal services.

-

-Don't hesitate to provide interesting services, but *please*, document them on the wiki! Otherwise, nobody will use them because nobody can guess they even exist.

-We provide some anycast services over IPv6.

-

-## Anycast address space

-

-**fd42:d42:d42::/48** is reserved for anycast services.

-

-Each anycast service runs on a dedicated /64 in this range. This way, nobody needs to update filters.

-

-Remember, if you announce an anycast /64, then you need to provide **all** services within this /64. It's probably simpler to only provide one service for each /64.

-

-## Anycast services

-

-| **Name** | **/64 prefix announced** | **Service address** | **Protocol/port** | **Comment** |

-|----------|-------------------------|---------------------|-------------------|---|

-| Recursive DNS resolver | `fd42:d42:d42:53::/64` | `fd42:d42:d42:53::1` | UDP/53 | `.` and `dn42.` [Providers](Providing-Anycast-DNS#Persons-providing-anycast-DNS-for-IPv6) |

-

-### Future services

-

-- streaming

-- other kind of DNS (authoritative-only, recursive for `dn42` only)

-# Ideas

-

-… or the service that would make dn42 truly interesting for people (for non-technical reasons).

-

-#### Criterias

-

- - it should be difficult to setup on the Internet (for technical or legal reasons)

- - it should interest people that are likely to know dn42 (hackerspaces, etc)

-

-Any idea, apart from pr0n? Multicasting video flux?

-

-Ideas for stuff that are technically difficult on the Internet:

-

- - multicast routing (well, it doesn't work in dn42 either)

- - something that depends on the network infrastructure or topology (e.g. a game where you have to announce things with BGP)

-

----

-

- - We could make the services zeroconf-browseable with the .dn42 TLD

-lglass is a Python software package designed for Internet Registries like the DN42. You can generate zone files for DNS and rDNS IPv4/v6, and handle the registry. It is available on GitHub as free software:

-

- $ git clone git://github.com/fritz0705/lglass.git

-

-## Running your own Whois daemon

-

-lglass provides an event-based whois daemon with internal caching, which was written in Python. It is very simple to run an instance:

-

- $ ./bin/lglass-whoisd -D $PATH_TO_DATA_DIR -H $HOST -P $PORT

-

-## Generate zone files

-

-lglass also provides a script to generate zone files from the registry. It's named zonegen.py and requires a registry dump from Monotone.

-

-To generate DNS zones:

-

- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42

-

-To generate IPv4 rDNS zones:

-

- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16

-

-To generate IPv6 rDNS zones:

-

- $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8

-

-## Reformat RPSL files

-

-You can also reformat RPSL files using lglass by using the lglass.rpsl module:

-

- $ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32

-

-lglass.rpsl also supports in-place operation:

-

- $ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32

-

-This opens the file, reads the content into memory, seeks to position 0, writes the formatted object and truncates the file.

-Simple web interface

-

-lglass also comes with a simple web interface written in Python3 using Bottle and Jinja2. It also provides a binary to run it using wsgiref:

-

- $ ./bin/lglass-web

-

-Furthermore you can use any WSGI server like Gunicorn by using lglass.web.application:app as WSGI callback. You can provide a path to the configuration file in the environment variable `LGLASS_WEB_CFG`.

-# DNS

-

-*(tl;dr)* We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.22.0.53`.

-

-**DNS is build from [[whois database|Services Whois]]. So please edit your DNS-records there.**

-

-## Using the DNS service

-

-Below are several ways to use the `dn42` DNS service, from easiest to more challenging. The recommended method is the second one.

-

-### Using the anycast resolver directly

-

-Please be aware that this method sends **all** your DNS queries (e.g. `google.com`) to a random DNS server inside dn42. The server could fake the result and point you towards the russian mafia. They probably won't, but think about what you are doing. At the end of the day, your ISP could be evil as well, so it always boils down to a question of trust.

-

-To do this, just use `172.22.0.53` as your resolver, for instance in `/etc/resolv.conf`.

-

-### Forwarding `.dn42` queries to the anycast resolver

-

-If you run your own resolver (`unbound`, `dnsmasq`, `bind`), you can configure it to forward dn42 queries to the anycast DNS resolver. See [[DNS forwarder configuration|Services DNS Configuration]].

-

-### Recursive resolver

-

-You may also want to configure your resolver to recursively resolve dn42 domains. For this, you need to find authoritative DNS servers for the `dn42` zone (and for the reverse zones). See [[Recursive DNS resolver]].

-

-### Building the dn42 zones from the registry

-

-Finally, you may want to host your own authoritative DNS server for the `dn42` zone and the reverse zones. The zone files are built from the monotone repository: scripts are provided in the repository itself.

-

-## Register a `.dn42` domain name

-

-The root zone for `dn42.` is built from the [[whois registry|Services Whois]]. If you want to register a domain name, you need to add it to the registry (of course, you also need one or two authoritative nameservers).

-

-## DNS services for other networks

-

-Other networks are interconnected with dn42 (ChaosVPN, Freifunk, etc). Some of them also provide DNS service, you can configure your resolver to use it. See [[External DNS]].

-

-## Providing DNS service

-

-See [[Providing Anycast DNS]].