Zone delegation

Introduction

Create your own Top Level Domain (TLD) in our class root.

Notes

Commands preceded with “$” imply that you should execute the command as a general user - not as root.
Commands preceded with “#” imply that you should be working as root.
Commands with more specific command lines (e.g. “rtrX>” or “mysql>”) imply that you are executing commands on remote equipment, or within another program.

Overview

In this exercise, we will create a new TLD in our root. for example: MYTLD

You will create a master nameservice on your SOA machine.

We will not configure secondary service at this time.

Then you will ask the administrator for the the root to delegate your domain to you.

Note: the following should be done as the root superuser - use

$ sudo -s
#

Remember, when you see a line begining with “#”, it means the command is executed as root.

Requesting domain delegation

Choose a new domain, write it down somewhere

e.g., earth - whatever you feel like.

(Do NOT choose any of the PC names, e.g. soa.grpXX, as your subdomain)

This could for example be the name of your country code, country name, company name, etc… but REMEMBER that someone might pick the same name! First come, first serve.

Register your new domain with the instructor

Write the domain name on a piece of paper, or send an email, and deliver/send it to the instructor.

Create a directory to hold the zone

We’ll create some directories to hold our zones (replace ‘mytld’ with the name you picked!

# mkdir -p /etc/bind/zones/mytld

Create your zone file as `/etc/bind/zones/mytld/mytld`

It’s normal that we have mytld/mytld – we create a FILE mytld under the directory /etc/bind/zones/mytld

… where MYTLD is your chosen domain (e.g., earth) – you can pretty much “copy and paste” the section below – but remember to update the XX with your group number, MYTLD with your chosen domain.

Remember, you will need to become root to create this file, for example:

$ cd /etc/bind/zones/mytld
$ sudo editor mytld

Here are the zone contents:

$TTL 2m
@       IN      SOA     soa.grpX.dns. hostmaster.mytld. (
                        2018032701    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        2w            ; Expire
                        2m )          ; Negative

        IN      NS      soa.grpX.dns.   ; your 'SOA' server name

www     IN      A       10.X.1.1

Replace X with your group number (1-16) and mytld with your actual tld.

We have chosen purposely low values for TTL, refresh, and retry to make it easier to fix problems in the classroom. For a production domain you might use higher values.

Edit `/etc/bind/named.conf.options`

Remember, you will need to become root to edit this file, for example:

$ cd /etc/bind
$ sudo editor named.conf.options

Update the configuration so it looks like:

dnssec-validation auto;
listen-on-v6 { any; };
allow-query { any; };
recursion no;

Don’t forget the closing }; at the end of the file!

Save the file, and exit, then:

$ sudo editor named.conf.local

At the end of this file, add this:

zone "mytld" {
    type master;
    file "/etc/bind/zones/mytld/mytld";
};

… where /etc/bind/zones/mytld is where you stored your zone file (and mytld is replaced with the name of YOUR domain.) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pay attention to the ; and } ! … and cAsE matters in the filename.

Check that your config file and zone file are valid:

# named-checkconf
# named-checkzone MYTLD /etc/bind/zones/mytld/mytld

If there are any errors, correct them !

Tell bind to re-read its configuration files:

# rndc reconfig

Check the result with

# tail -100 /var/log/syslog

Verify with dig that MYTLD is now configured on your host:

# dig @10.X.1.1 MYTLD. NS

Where 10.X.1.1 is the address of your machine.

You can also check the nameserver status using rndc:

# rndc status

If there are any errors, correct them. Some configuration errors can cause the daemon to die completely, in which case you may have to start it again:

 # service bind9 restart

Check that your SOA server is answering authoritatively for your domain:

# dig +norec @10.X.1.1 MYTLD. SOA

Check that you get an aa flag (authoritative answer).

Note:

# dig @10.0.0.237 MYTLD. SOA

… may not return an ANSWER since the root possibly does not yet know about you!

If the zone is not yet delegated, wait until your instructor has done so.

Once you have delegation, try to resolve `www.MYTLD`:

On your own machine

# dig @10.X.1.1 www.MYTLD       (where MYTLD is your domain)

Asking the class resolver - will it work ?

# dig @10.0.0.252 www.MYTLD       (where MYTLD is your domain)

This may take a bit longer due to caching of any previous negative NXDOMAIN results.

Add a new resource record to your zone file. Remember to update the SOA serial number. Then run

# rndc reload

Check that your slaves have updated. Try resolving this new name.