RFC and ICANN Compliance

  • CoCCA supports all the RFC’s required by the Internet Corporation for Assigned Name and Numbers - the peak body for co-ordination of the Internet naming and numbering system (ICANN). Compliant with standards in Specifications 6 and 10 of the ICANN base agreement.
  • List of supported RFCs
  • Support for DNSSEC bootstrap
  • Support for DNSSEC signing using OpenDNSSEC or Packet Clearing House PCH
  • Anycast DNS using PCH Anycast. Additional Anycast using AfriNIC or LAC TLD also recommened - depending on region and TLD manager preference.
  • Support for WHMCS, and desec.
  • European GDPR Compliant.

Infrastructure

Changelog

Prerequisites - Updated November 4th, 2022

  • Ubuntu Server LTS 22.04.1 (server install, basic - no GUI or other options), 12GB RAM, 150GB HDD
  • PostgreSQL 15, JDK 1.8 ( 351+ ), OpenSSL 1.1s, Resin 4.0.66

PostgreSQL

Installation Instructions: https://www.postgresql.org/download/linux/ubuntu/

Create the file repository configuration:

sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'

Import the repository signing key:

wget --no-check-certificate -q -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -

Update the package lists:

sudo apt-get update

sudo apt-get -y install postgresql-15
Tune postgresql: https://pgtune.leopard.in.ua/

File to edit when tuning PG:

sudo nano /etc/postgresql/15/main/postgresql.conf

Starting (or stopping) postgres: ( stop | start | restart )

sudo pg_ctlcluster 15 main start

Set password for user "postgres"

sudo -u postgres psql postgres
\password postgres ( enter desired password when prompted )
\q (to exit the posgreSQL command interface )

Edit pg_hba.conf to force password confirmation for postgres commands
Look for --- "Database administrative login by Unix domain socket", replace "peer" with "md5"

sudo nano /etc/postgresql/15/main/pg_hba.conf

Restart PG for changes to take effect:

sudo pg_ctlcluster 15 main restart

Create empty registry database:

sudo -u postgres psql postgres
CREATE database registry;
\q

Import CoCCA database backup:

psql -U postgres -d registry -f backup.sql

OpenSSL

Install Complier Tools

sudo apt update
sudo apt install build-essential checkinstall zlib1g-dev -y

Install Open SSL

cd /usr/local/src/
sudo wget --inet4-only https://www.openssl.org/source/openssl-1.1.1s.tar.gz --no-check-certificate
sudo tar -xf openssl-1.1.1s.tar.gz
cd openssl-1.1.1s
sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
sudo make
sudo make test
sudo make install
cd /etc/ld.so.conf.d/
sudo nano openssl-1.1.1s.conf

Insert the following line in openssl-1.1.1s.conf

/usr/local/ssl/lib
Save and Exit, run the following commands
sudo ldconfig -v
sudo mv /usr/bin/c_rehash /usr/bin/c_rehash.backup
sudo mv /usr/bin/openssl /usr/bin/openssl.backup

Set Envronment

sudo nano /etc/environment

Append the following:

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/ssl/bin"
Save, and Exit

Load environment

source /etc/environment
echo $PATH

Check and verify

openssl version -a

Java

Install Java JDK 1.8 (Java licence required for production use, CoCCA is still testing Open JDK versions 1.8+)

sudo mkdir /usr/lib/jvm
cd /usr/lib/jvm
Direct Oracle download - https://www.oracle.com/java/technologies/downloads/
sudo wget --inet4-only https://updates.coccaregistry.org/jdk-8u351-linux-x64.tar.gz --no-check-certificate
sudo tar -xvzf jdk-8u351-linux-x64.tar.gz

Append the following command to open the environment variables file.

sudo nano /etc/environment
JAVA_HOME="/usr/lib/jvm/jdk1.8.0_351"

Run from command line.

sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_351/bin/java" 0
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_351/bin/javac" 0
sudo update-alternatives --set java /usr/lib/jvm/jdk1.8.0_351/bin/java
sudo update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_351/bin/javac

Check Version

java -version

Resin

The http server used with CoCCA https://caucho.com

Before installing resin, install OpenSSL and the JDK

Recomended : Create a host name for your instance with an A record to match the server IP

cd /opt
sudo wget --inet4-only http://caucho.com/download/resin-4.0.66.tar.gz --no-check-certificate
tar -vzxf resin-4.0.66.tar.gz
cd resin-4.0.66
./configure --enable-64bit --prefix=/opt/resin/ --with-resin-root=/opt/resin --with-resin-log=/opt/resin/log --with-resin-conf=/opt/resin/conf
sudo make
sudo make install

Post Install Configuration:
Download the CoCCA lab jks from CoCCA ( needed for EPP and https ).

cd /opt/resin/conf/keys/
sudo wget --inet4-only https://updates.coccaregistry.org/star_coccaregistry_org.jks --no-check-certificate

Download the latest CoCCA ROOT.war file

cd /opt/resin/webapps/
sudo wget --inet4-only https://updates.coccaregistry.org/ROOT.war --no-check-certificate
! For dedicated WHOIS/ DR instance only !
cd /opt/resin/webapps/
wget --inet4-only https://updates.coccaregistry.org/whois-dr/ROOT.war --no-check-certificate

Delete default resin.xml and download resin config file for CoCCA:

cd /opt/resin/conf/
rm -fr resin.xml
sudo wget --inet4-only https://updates.coccaregistry.org/resin/resin.xml --no-check-certificate

Edit resin config file:

  • replace default IPs with your server IPs ( line 28 and 42 )
  • replace default host registry.example.tld with your host name (line 75 and 83 ). Note: If you have not created an A record yet, you may put the server IP in place of the host name.
  • insert postgreql password you created in postgesql section above ( line 92 )
sudo nano /opt/resin/conf/resin.xml

Get postgreSQL jdbc driver

cd /opt/resin/lib/
wget --inet4-only https://jdbc.postgresql.org/download/postgresql-42.5.0.jar --no-check-certificate

Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.

/etc/init.d/resin stop | start | restart

Go to your host name URL- https://registry.example.tld ( or https://ipaddress - will take ±15-20 seconds to load )

letsencrypt

Optional The CoCCA lab jks downloaded above will enable https connections but with a browser warning. If you want a free https certificate to match your host name, we suggest https://letsencrypt.org

Tool - https://snapcraft.io/docs/installing-snapd

sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot

Stop resin webserver to release port 80 and 443 temporarily.

/etc/init.d/resin stop

Request a new certificate

sudo certbot certonly --standalone

Create p12 (one long srting/command)

/usr/local/ssl/bin/openssl pkcs12 -export -name sslcertificate -in /etc/letsencrypt/live/registry.example.tld/fullchain.pem -inkey /etc/letsencrypt/live/registry.example.tld/privkey.pem -out registry.example.tld.p12

Create Java keystore and import p12 (one long string/command):

/usr/lib/jvm/jdk1.8.0_351/bin/keytool -importkeystore -destkeystore registry.example.tld.jks -srckeystore registry.example.tld.p12 -srcstoretype pkcs12 -alias sslcertificate

Move newly created jks to the resin keys folder

mv registry.example.tld.jks /opt/resin/conf/keys/registry.example.tld.jks

Edit resin config file to enable new http certificate:

sudo nano /opt/resin/conf/resin.xml

Add the path, jks file name and password for the custom jks created above (lines 45 & 46)

Start ( or restart ) resin and login to portal. If restart does not work, try stop then start.

/etc/init.d/resin stop | start | restart

Other

Set server time to UTC for RFC compliance:

sudo timedatectl set-timezone UTC
sudo timedatectl set-ntp on

Ubunutu firewall basic configuration, handy commands:

  • sudo ufw enable | disable
  • sudo ufw status numbered ( see rules )
  • sudo ufw delete X ( delete a rule by number )
  • sudo ufw reload ( after rule changes )
sudo ufw enable
sudo ufw allow from "trusted IP" to any port 22 ( if sshd is on non-standard port use that port )
sudo ufw allow from "trusted IP" to any port 53
sudo ufw allow from any to any port 80
sudo ufw allow from any to any port 443
sudo ufw allow from any to any port 43
sudo ufw allow from any to any port 700

Secure from brute force/dictionary ssh attacks and mal-formed http requests. It should be used for ssh as and http & https filtering.

sudo apt install fail2ban

Basic sshd refinements. ( consider using ssh keys )

sudo nano /etc/ssh/sshd_config

Protocol 2
Port XXX ( change port, config ufw to allow the selected port )
ListenAddress x.x.x.x ( if multiple IP, bind to one IP )
LogLevel VERBOSE
AllowUsers user_1 user_2 ( list logins that are allowed to ssh )
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
MaxStartups 2
sudo systemctl restart sshd

Replication

If you need to re-sync the replica due to network outage or other issue, on the REPLICA server just re-run the base backup as the replicator user

  • /etc/init.d/resin stop
  • stop postgres - sudo pg_ctlcluster 15 main stop
  • access as postgres user
    su - postgres
  • remove old DATA folder - where xx/main is the pg version folder
    rm -rf 15/main
  • start base backup
    pg_basebackup -h xxx.xxx.xxx.xxx -U replicator -p 5432 -D /var/lib/postgresql/15/main -Fp -Xs -P -R
    password {the replicator user password on the primary}
    • exit
    sudo pg_ctlcluster 15 main start
  • /etc/init.d/resin start

To change a replicator password: log in into the psql console on primary:
sudo -u postgres psql
postgres=# \password replicator
Enter new password:
postgres=# \q

Use \du to list all user accounts (or roles)
postgres=# \du
\q