How to manage DNS

Please ensure that you are familiar with the DNS naming policy before editing DNS records or submitting any requests.

Most DNS management is now carried out in Hydra, our web-based management tool for IP subnet and DNS zone management.

Expand All

DNS records for zones that you manage can be edited in Hydra. Record types that can be managed in Hydra include: A/AAAA, CNAME, MX, SRV and TXT. Creating an A/AAAA record will create the corresponding PTR record if you have permission to edit the associated subnet.

Note: authoritative DNS update schedule

DNS record updates made in Hydra are published to Oxford's authoritative nameservers periodically. In most cases this means that changes go live every 5 minutes.

 

To create a new record

  1. Visit the Hydra DNS records list (requires Oxford network or VPN)
  2. Select create under the search bar
  3. Enter the details for your new record
  4. Select Create

To edit, delete or clone an existing record

  1. Visit the Hydra DNS records list (requires Oxford network or VPN)
  2. Use the search bar to locate the record you want to change
  3. Select the record you want to change
  4. Select edit, delete or clone as appropriate

To bulk edit records

  1. Visit the Hydra DNS records list (requires Oxford network or VPN)
  2. Use the search bar to locate the records you want to change
  3. Select bulk edit to view the records in CSV format
  4. Amend the fields to change, prefix lines with hyphen ("-") to delete those records, or add lines leaving the record ID field empty to create new records
  5. Select submit to apply the changes. Note this is done as a single transaction: all changes have effect, or no changes take effect

DNS zones and subnets in Hydra are associated with IPAM groups in Groupstore. Users who are members of the relevant IPAM group can manage records in the associated DNS zones and subnets.

One IPAM group is automatically created for each unit in OakLDAP. This group is pre-populated with the unit's ITSS01. The group name will be app:ipam:units:code where code is the unit code from IT Services registration.

Note: Groupstore access is required

In order to manage group membership and privileges you will need access to the Groupstore UI

Note: Overnight synchronisation

Changes to group membership are copied to Hydra overnight, so will not take effect until the following morning. This does not apply to group admin privileges which are effective in Groupstore immediately

 

To change who can manage zones and subnets

  1. Visit the Hydra allocations page (may require VPN)
  2. Search for the zone or an IP address in the subnet you want to manage permissions for (zone example: admin.ox.ac.uk; subnet example: 129.67.1.1). Hydra will show you details of the group this zone or subnet is allocated to. If more than one group has permissions on the zone or subnet then Hydra will list them all, and you will need to click on the group you want to edit
  3. The Hydra group information page shows who can manage group membership, and who the current group members are
  4. Click on the link labelled "Groupstore" under the Users heading
  5. On the Members tab, click Add members, enter an SSO username or email address, and click Add to grant IPAM permissions
  6. On the Members tab, click Actions > Revoke membership next to any member to revoke IPAM permissions

To change who can manage membership of the group

  1. Follow steps 1 to 4 above to access the Groupstore page for editing the relevant IPAM group
  2. On the Privileges tab, add/remove permission to manage group membership by clicking the tick mark in the Admin column for the relevant user entry
  3. On the Privileges tab, click Add members, enter an SSO username or email address, for Assign these privileges tick Admin (and untick Member if this user should not have IPAM permissions), then click Add to grant membership management permissions for a new user

A complete and searchable list of Oxford-managed DNS zones is available in Hydra. You can also select individual zones to view details including ownership, and to obtain the zone listing in structured formats.

VIEW THE ZONE LIST IN HYDRA

  1. Read the Hydra IPAM API specification (requires Oxford network or VPN)
  2. Send a service principal request to unix-team@it.ox.ac.uk using the following template:
    Dear IT Services,
    
    I wish to gain API access to the Hydra API. To that end, may I please request:
    
    A new service principal be created by Unix Platform Services
    	hydra/[% FQDN_OF_THE_HOST_CONNECTING_TO_HYDRA %]@OX.AC.UK
    	rights to me ([% SSO %]/itss)
    
    Please create my /itss principal if I do not already have one. I can come to 13 Banbury Road
    to present my University Card as identification and configure an initial password at the following
    dates/times over the next 5 working days:
      - [% DATE %] - [% TIMES %]
    
    Thank you.
    
  3. Once your service principal has been created: lookup the domain(s) you want to view/manage via the API in the Hydra IPAM Allocations area, and contact one or more people in the GroupStore group managers list to request access.

    In many cases this will be a member of local ITSS for the unit that the domain is associated with, and it may be courteous and expedient to send your request the local IT contact address rather than an individual.

    Remember that you will need to wait up to 24h after the change has been made for it to take effect

  4. Setup ketytab and run test query:
    user@host:~$ kadmin -p abcd1234/itss
    Authenticating as principal abcd1234/itss with password.
    Password for abcd1234/itss@OX.AC.UK:
    kadmin:  ktadd hydra/[% FQDN_OF_THE_HOST_CONNECTING_TO_HYDRA %]@OX.AC.UK
    Entry for principal hydra/[% FQDN_OF_THE_HOST_CONNECTING_TO_HYDRA %]@OX.AC.UK with kvno 3, encryption type XXXX added to keytab WRFILE:/etc/krb5.keytab.
    ...
    kadmin:  quit
    user@host:~$ export KRB5CCNAME=/tmp/krb5cc_hi_hydra
    user@host:~$ kinit -k -t /etc/krb5.keytab hydra/[% FQDN_OF_THE_HOST_CONNECTING_TO_HYDRA %]@OX.AC.UK
    user@host:~$ curl -i --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://networks.it.ox.ac.uk/api/ipam
    [snip HTTP headers]
    {
    	"records" : "https://networks.it.ox.ac.uk/api/ipam/records",
    	"zones" : "https://networks.it.ox.ac.uk/api/ipam/zones",
    	"spec" : "https://networks.it.ox.ac.uk/api/ipam/spec",
    	"version" : "0.46"
    }

Additional guidance with a technical focus is available from the Hydra IPAM help page (Oxford network or VPN required).

Related links


Get support


If you cannot find the solution you need here then we have other ways to get IT support

Get IT support

 

Submit a suggestion, compliment or complaint