RFC and ICANN Compliance

• CoCCA supports all the RFC’s required by the Internet Corporation for Assigned Name and Numbers - the peak body for co-ordination of the Internet naming and numbering system (ICANN). Compliant with standards in Specifications 6 and 10 of the ICANN base agreement.
  
• List of supported RFCs
• Support for DNSSEC bootstrap
• Support for DNSSEC signing using OpenDNSSEC or Packet Clearing House PCH
• Anycast DNS using PCH Anycast. Additional Anycast using AfriNIC or LAC TLD also recommened - depending on region and TLD manager preference.
• Support for WHMCS, and desec.
• European GDPR Compliant.

Infrastructure

• Infrastructure and Continuity Recomendations (pdf)

Changelog

• https://changelog.cocca.org.nz

Prerequisites - Updated November 4th, 2022

• Ubuntu Server LTS 22.04.1 (server install, basic - no GUI or other options), 12GB RAM, 150GB HDD
• PostgreSQL 15, JDK 1.8 ( 351+ ), latest OpenSSL 3.X, Resin 4.0.66
• Tips

---

PostgreSQL

Installation Instructions: https://www.postgresql.org/download/linux/ubuntu/

Create the file repository configuration:

Import the repository signing key:

Update the package lists:

File to edit when tuning PG:

Starting (or stopping) postgres: ( stop | start | restart )

Set password for user "postgres"

Edit pg_hba.conf to force password confirmation for postgres commands
Look for --- "Database administrative login by Unix domain socket", replace "peer" with "md5"

Restart PG for changes to take effect:

Create empty registry database:

Import CoCCA database from a backup:

Java

Install Java JDK 1.8 (Java licence required for production use, CoCCA is still testing Open JDK versions 1.8+)

Append the following command to open the environment variables file.

Run from command line.

Check Version

OpenSSL

Resin

The http server used with CoCCA https://caucho.com

Before installing resin, install OpenSSL and the JDK

Recomended : Create a host name for your instance with an A record to match the server IP

Post Install Configuration:
Download the CoCCA lab jks from CoCCA ( needed for EPP and https ).

Download the latest CoCCA ROOT.war file

Delete default resin.xml and download resin config file for CoCCA:

Edit resin config file:

• replace default IPs with your server IPs ( line 28 and 42 )
• replace default host registry.example.tld with your host name (line 75 and 83 ). Note: If you have not created an A record yet, you may put the server IP in place of the host name.
• insert postgreql password you created in postgesql section above ( line 92 )

Get postgreSQL jdbc driver

Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.

Go to your host name URL- https://registry.example.tld ( or https://ipaddress - will take ±15-20 seconds to load )

letsencrypt

Optional The CoCCA lab jks downloaded above will enable https connections but with a browser warning. If you want a free https certificate to match your host name, we suggest https://letsencrypt.org

Tool - https://snapcraft.io/docs/installing-snapd

Stop resin webserver to release port 80 and 443 temporarily.

Request a new certificate

Create p12 (one long srting/command)

Create Java keystore and import p12 (one long string/command):

Move newly created jks to the resin keys folder

Edit resin config file to enable new http certificate:

Add the path, jks file name and password for the custom jks created above (lines 45 & 46)

Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.

Other

Set server time to UTC for RFC compliance:

Ubunutu firewall basic configuration, handy commands:

• sudo ufw enable | disable
• sudo ufw status numbered ( see rules )
• sudo ufw delete X ( delete a rule by number )
• sudo ufw reload ( after rule changes )

Secure from brute force/dictionary ssh attacks and mal-formed http requests. It should be used for ssh as and http & https filtering.

Basic sshd refinements. ( consider using ssh keys )

sudo nano /etc/ssh/sshd_config