DNS: dns4-exercise.txt

File dns4-exercise.txt, 13.7 KB (added by admin, 9 years ago)

DNS4 subdomain delegation

DNS Exercise 4: Delegating a subdomain
======================================

In this exercise, you will *delegate* a subdomain of your own domain.

In order to keep things simple, it will work like this: each machine will
delegate a subdomain to the next PC along (which will be the master) and the
next one after that (which will be the slave).

Example:

* Let's say you are `ws6.ws3.conference.sanog.org` and have domain
  `bhutan.ws3.conference.sanog.org` already set up

* You will pick a subdomain, let's say `ilove.bhutan.ws3.conference.sanog.org`

* You will delegate this subdomain to ws7 and ws8
  (ws7 is the master and ws8 is the slave. In practice, when you are
   delegating it doesn't really matter which is master, because all
   authoritative nameservers appear the same to the outside world)

* Because you are a conscientious domain owner, you won't add the delegation
  to ws7 and ws8 until they have correctly set up their authoritative
  nameservice for the domain, and you've tested it.

Now, because this pattern is repeated by everyone else in the class, it also
means that:

* You will receive delegation for a domain from ws5 (for which you will
  be the master)

* You will receive delegation for another domain from ws4 (for which you
  will be slave, with ws5 as the master)

So you will be doing three different jobs: you will have to set yourself up
as master for the domain delegated from ws5, as slave for the domain
delegated from ws4, and delegate a subdomain of yours to ws7 and ws8.

This means that a lot will be going on at once - so please follow the
worksheet carefully!

--------------------------------------------------------------------------

Exercise parameters
-------------------

To start, please fill in the blanks numbered (1) to (5). If it's not clear
to you what needs to be done, please ask.

>     (1)  My machine is:     ws______.ws3.conference.sanog.org
>
>     (2)  I control domain:  _______________.ws3.conference.sanog.org
>
>          (this is the domain you set up in the previous exercise, for which
>          your machine is the master)
>
>     (3)  I am going to delegate this subdomain:
>
>             _______________._______________.ws3.conference.sanog.org
>                                   (2)
>
>          and I am going to delegate it to:
>
>     (4)        ws______.ws3.conference.sanog.org        (= myws+1)   [master]
>
>     (5)        ws______.ws3.conference.sanog.org        (= myws+2)   [slave]
>
>          Wrap around to ws1 and/or ws2 if you run past the highest-numbered
>          PC in the class

Once you have done this, copy fields (1)-(5) from the worksheet for the
machine numbered ONE BELOW YOU into fields (6)-(10) here. If you are ws1,
then the machine "below" you is the highest-numbered machine in the class.

>     (6)  Their machine is:     ws______.ws3.conference.sanog.org    (= myws-1)
>
>     (7)  They control domain:  _______________.ws3.conference.sanog.org
>
>     (8)  They are going to delegate this subdomain:
>
>             _______________._______________.ws3.conference.sanog.org
>                                   (7)
>
>          and they are going to delegate it to:
>
>     (9)        ws______.ws3.conference.sanog.org        (= myws)     [master] **
>
>     (10)       ws______.ws3.conference.sanog.org        (= myws+1)   [slave]

Next, copy fields (1)-(5) from the machine TWO BELOW YOU into fields
(11)-(15):

>     (11) Their machine is:     ws______.ws3.conference.sanog.org    (= myws-2)
>
>     (12) They control domain:  _______________.ws3.conference.sanog.org
>
>     (13) They are going to delegate this subdomain:
>
>             _______________._______________.ws3.conference.sanog.org
>                                  (12)
>
>          and they are going to delegate it to:
>
>     (14)       ws______.ws3.conference.sanog.org        (= myws-1)   [master]
>
>     (15)       ws______.ws3.conference.sanog.org        (= myws)     [slave]  **

--------------------------------------------------------------------------

Step 1: Set up as master for domain (8)
---------------------------------------

You are going to be master for the domain given in (8). So the first step is
to create a zonefile for this domain:

    # vi /etc/namedb/master/__________.__________.ws3.conference.sanog.org
                                     (8)
    ... create file with the following contents:

>     $TTL 10m
>     @       IN      SOA     ws_____.ws3.conference.sanog.org. yourname.example.com. (
>                                (9)
>                                         2006050800
>                                         10m
>                                         10m
>                                         4w
>                                         10m )
>
>             IN      NS      ws_____.ws3.conference.sanog.org.
>                                (9)
>             IN      NS      ws_____.ws3.conference.sanog.org.
>                                (10)
>
>     www     IN      A       196.200.219.X    ; replace with your own IP

Replace "yourname.example.com." with your modified E-mail address as in the
previous exercise, and use the current YYYYMMDD00 as the serial number.

Now validate the zonefile you have created:

    # named-checkzone  __________.__________.ws3.conference.sanog.org  /etc/namedb/master/__________.__________.ws3.conference.sanog.org
                                (8)                                                            (8)

If this reports any errors, then fix them. Next, edit
`/etc/namedb/named.conf` to configure bind as master for that zone using
the zonefile you have created:

    # vi /etc/namedb/named.conf

    ... add this entry:

>     zone "__________.__________.ws3.conference.sanog.org" {
>                    (8)
>             type master;
>             file "master/__________.__________.ws3.conference.sanog.org";
>                                   (8)
>             allow-transfer { 196.200.219.Y; };
>     };

Replace 196.200.219.Y with the IP address of machine (10), which is going to
be slave for this zone. The `allow-transfer` statement restricts zone
transfers (AXFR) to that one address, so nobody else can copy your whole zone.

Then validate your modified configuration file:

    # named-checkconf

Again, if this reports any errors then fix them. Now get your nameserver to
reload its conf file and your new zone:

    # rndc reload
    # tail /var/log/messages

Once again, check for any errors and fix them. Finally, test that your
machine is giving out authoritative answers:

    # dig +norec @196.200.219.X  __________.__________.ws3.conference.sanog.org.  soa
                                      (8)

replacing 196.200.219.X with your own IP address. Check that you get a SOA
response with the expected serial number, and that the AA flag is present.
(`+norec` asks for a non-recursive answer, so anything you get back must come
from the server's own zone data rather than from its cache.)

Good - you are half way to getting delegation for this domain (it won't be
done until your slave is set up properly).

Step 2: Set up as slave for domain (13)
---------------------------------------

The PC below you has been set up as master for the domain you wrote in
(13), and its owner will expect you to be the slave.

So now edit `/etc/namedb/named.conf` to enable yourself as slave for this
domain:

    # vi /etc/namedb/named.conf

    ... add this entry:

>     zone "__________.__________.ws3.conference.sanog.org" {
>                    (13)
>             type slave;
>             file "slave/__________.__________.ws3.conference.sanog.org";
>                                  (13)
>             masters { 196.200.219.W; };
>     };

Replace 196.200.219.W with the IP address of the master, the machine listed in
space (14).

Now validate your modified configuration file:

    # named-checkconf

If this reports any errors then fix them. Now get your nameserver to reload
its conf file:

    # rndc reload
    # tail /var/log/messages

Once again, check for any errors and fix them.

If the machine below you has already been set up as master, then the
zone transfer should take place within a few seconds. You can check this has
happened by looking in `/var/log/messages` again, and checking whether the
slave zone file has been created:

    # ls /etc/namedb/slave

If not, then either the machine below you has not finished being set
up as master for the domain, or else its owner has not permitted
access from your IP address to allow you to copy the zone. You can check using
these commands:

    # dig +norec @196.200.219.W  __________.__________.ws3.conference.sanog.org.  soa
                     (14)             (13)

    # dig @196.200.219.W  __________.__________.ws3.conference.sanog.org.  axfr
              (14)             (13)

The first should show you the SOA record with the correct serial number; the
second should show you the entire contents of their zone file. If these are
OK, then the zone transfer should take place within a few minutes.

Step 3: Test before delegation of domain (3)
--------------------------------------------

You are now about to delegate the domain you chose in (3) to the machines
listed in (4) and (5); here you are acting in the role of a domain registry.

However, before you perform this delegation, you should check that they are
both set up correctly, especially that they are both authoritative for the
domain in question. Otherwise, you would be creating a lame delegation
(NS records pointing at servers that do not answer authoritatively for the
zone), which is not good.

Test the master using the following command:

    # dig +norec @ws_____.ws3.conference.sanog.org.  __________.__________.ws3.conference.sanog.org.  soa
                     (4)                            (3)

Check:

*   Is the response authoritative? (Flag AA)
*   Does the SOA record list the correct PC as the master?
*   Are the nameserver (NS) records in the Authority section correct? There
    should be two NS records, one giving the hostname of the master (4) and
    one the hostname of the slave (5)
*   Make a note of the zone serial number

And then test the slave:

    # dig +norec @ws_____.ws3.conference.sanog.org.  __________.__________.ws3.conference.sanog.org.  soa
                     (5)                            (3)

Check:

*   Is the response authoritative? (Flag AA)
*   Does the zone serial number match that given by the master?
*   Are the nameserver (NS) records in the Authority section correct?

If any of these checks fail, explain what the problem was to the owners of
those machines. Don't proceed until they have fixed the problems - and make
sure you have *re-tested* the servers to ensure the problems really have
been fixed.
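The checks above can be scripted. The following is an added example, not part of the original worksheet: it parses the text output of `dig +norec ... soa` from the master and the slave, and reports anything that would make the delegation lame. The two dig outputs embedded below are constructed samples for the ws7/ws8 hosts from the example earlier, not real captures.

```python
import re

# Constructed sample of "dig +norec @ws7 ilove.bhutan... soa" output (not a real capture).
MASTER_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
ilove.bhutan.ws3.conference.sanog.org. 600 IN SOA ws7.ws3.conference.sanog.org. yourname.example.com. 2006050800 600 600 2419200 600

;; AUTHORITY SECTION:
ilove.bhutan.ws3.conference.sanog.org. 600 IN NS ws7.ws3.conference.sanog.org.
ilove.bhutan.ws3.conference.sanog.org. 600 IN NS ws8.ws3.conference.sanog.org.
"""
# Constructed slave sample: identical except it still serves yesterday's serial.
SLAVE_OUT = MASTER_OUT.replace("2006050800", "2006050700")

def parse_dig(text):
    """Extract the AA flag, SOA MNAME and serial, and the NS set from dig output."""
    flags = re.search(r"^;; flags: ([^;]*);", text, re.M)
    # Only RR lines carry a TTL, so the question line (";name IN SOA") is skipped.
    soa = re.search(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)\s+\S+\s+(\d+)", text, re.M)
    return {
        "aa": bool(flags) and "aa" in flags.group(1).split(),
        "mname": soa.group(1) if soa else None,
        "serial": int(soa.group(2)) if soa else None,
        "ns": set(re.findall(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)", text, re.M)),
    }

def check_delegation(master_out, slave_out, master_host, slave_host):
    """Return the problems found; an empty list means the NS records may be added."""
    m, s = parse_dig(master_out), parse_dig(slave_out)
    expected = {master_host, slave_host}
    problems = []
    for role, r in (("master", m), ("slave", s)):
        if not r["aa"]:
            problems.append(f"{role} answer is not authoritative (no AA flag)")
        if r["ns"] != expected:
            problems.append(f"{role} NS set {sorted(r['ns'])} != {sorted(expected)}")
    if m["mname"] != master_host:
        problems.append(f"SOA MNAME {m['mname']} is not the master {master_host}")
    if m["serial"] is None or m["serial"] != s["serial"]:
        problems.append(f"serial mismatch: master {m['serial']}, slave {s['serial']}")
    return problems

if __name__ == "__main__":
    for p in check_delegation(MASTER_OUT, SLAVE_OUT,
                              "ws7.ws3.conference.sanog.org.",
                              "ws8.ws3.conference.sanog.org."):
        print("NOT READY:", p)
```

With real servers you would feed it the captured output of the two dig commands above instead of the constructed samples.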

Step 4: Delegate domain (3)
---------------------------

This is the point at which you delegate the subdomain (3); all queries for
this subdomain will be referred to the servers (4) and (5).

Edit the zonefile for your domain (2):

    # vi /etc/namedb/master/__________.ws3.conference.sanog.org
                               (2)
    ... add these RRs

>     __________  IN     NS     ws_____.ws3.conference.sanog.org.
>         (3)                      (4)
>                 IN     NS     ws_____.ws3.conference.sanog.org.
>                                  (5)

Note: in the space marked (3) you just put the *subdomain* you have chosen,
e.g.

>     ilove        IN     NS     ws7.ws3.conference.sanog.org.
>                 IN     NS     ws8.ws3.conference.sanog.org.

This is because the domain origin is added automatically (e.g. if the
zonefile is for `bhutan.ws3.conference.sanog.org` then `ilove` becomes
`ilove.bhutan.ws3.conference.sanog.org`). Note that the nameserver names on
the right-hand side end in a dot for the same reason: without it, the origin
would be appended to them too.

You must also _increment_ the serial number in the SOA record at the top of
the zone file; this must be done after every zone file change of course.

Save your changes, then validate your modified zone file:

    # named-checkzone  __________.ws3.conference.sanog.org  /etc/namedb/master/__________.ws3.conference.sanog.org
                           (2)                                                  (2)

If it's OK then reload:

    # rndc reload
    # tail /var/log/messages

That's it! Now all you need to do is to test the new subdomain by doing a
normal recursive lookup for a resource record within it, for example:

    # dig www.__________.__________.ws3.conference.sanog.org.
                       (3)

This test should work from anywhere on the Internet. The resolver is first
referred to your nameservers by the parent zone, and your nameservers then
return a referral to the nameservers (4) and (5), which hold the data for
this zone.
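The two edits in this step (adding the NS records and bumping the serial) are easy to get wrong by hand. As an added example, not part of the original worksheet, the following Python function applies both to a zone file in the layout used above; the zone text embedded in it is a constructed sample for ws6's `bhutan` zone, and the YYYYMMDDnn serial scheme is the one this exercise prescribes.

```python
import re
from datetime import date

# Constructed sample zone file for bhutan.ws3.conference.sanog.org (not a real zone).
ZONE = """\
$TTL 10m
@       IN      SOA     ws6.ws3.conference.sanog.org. yourname.example.com. (
                                        2006050800
                                        10m
                                        10m
                                        4w
                                        10m )

        IN      NS      ws6.ws3.conference.sanog.org.
        IN      NS      ws7.ws3.conference.sanog.org.

www     IN      A       196.200.219.6
"""

def next_serial(current, today=None):
    """YYYYMMDDnn scheme: today's date with nn=00, or current+1 if the serial is
    already dated today (or later), so the new value is always larger."""
    today = today or int(date.today().strftime("%Y%m%d"))
    base = today * 100
    return base if current < base else current + 1

def delegate(zone_text, label, nameservers, today=None):
    """Append NS records delegating <label> (relative to the origin) to the given
    fully qualified hosts and bump the SOA serial. Returns (new_text, new_serial)."""
    for ns in nameservers:
        if not ns.endswith("."):
            raise ValueError(f"{ns!r} is not fully qualified; the origin would be appended")
    # The serial is the first number after the "(" that opens the SOA parameters.
    m = re.search(r"\bSOA\b[^\n]*\(\s+(\d+)", zone_text)
    if not m:
        raise ValueError("no SOA serial found after '(' in the zone file")
    new_serial = next_serial(int(m.group(1)), today)
    out = zone_text[:m.start(1)] + str(new_serial) + zone_text[m.end(1):]
    records = "".join(f"{label if i == 0 else '':<12}IN     NS     {ns}\n"
                      for i, ns in enumerate(nameservers))
    return out.rstrip("\n") + "\n\n" + records, new_serial

if __name__ == "__main__":
    text, serial = delegate(ZONE, "ilove", ["ws7.ws3.conference.sanog.org.",
                                            "ws8.ws3.conference.sanog.org."])
    print(text, "\n; new serial:", serial)
```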

Step 5: Check you have received delegation for domain (8)
---------------------------------------------------------

Once you have got this far, you can check that you have received delegation
for the domain (8) which you are master for. That is, make sure your slave
is functioning correctly and has retrieved a copy of your zonefile; and talk
to the domain owner on machine (6) to request delegation. Work along with
them to ensure that any problems are ironed out. Once you have delegation,
test that your new domain works correctly.

Additional steps
----------------

If at any time you are being held up waiting for someone else to complete
their part, then help them out.

If you have completed everything successfully, then here are some additional
things you can do.

*   Add some more resource records to the zone file for domain (8), which
    you control. Remember to increment the serial number.

    Check that your slave has copied your modified zone file. Question:
    how can you check that the slave has updated: (a) given console access
    onto the slave machine itself, and (b) without any console access
    to that machine?

    Check that these new resource records work, by resolving them from
    some other machine (one which is neither master nor slave for the zone)

*   Find someone else who has also finished. Ask them to act as a third
    nameserver (second slave) for your domain, for increased resilience.
    Note that you'll have to change the NS records within the zone, and
    you'll have to change the delegation from above to be consistent.

*   Perform the 'dig +norec' test starting from the root servers, for
    `www._____._____.ws3.conference.sanog.org` within your subdomain
370*   Find someone else who has also finished. Ask them to act as a third
371    nameserver (second slave) for your domain, for increased resilience.
372    Note that you'll have to change the NS records within the zone, and
373    you'll have to change the delegation from above to be consistent.
374
375*   Perform the 'dig +norec' test starting from the root servers, for
376    `www._____._____.ws3.conference.sanog.org` within your subdomain
377