
File dns-delegation-exercise.txt, 6.1 KB (added by regnauld, 8 years ago)

DNS delegation lab 1

                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root, for example MYTLD.

You will create a master nameserver on your own machine, and someone else
will provide slave service. Then you will ask the administrator for the
domain above you (dns) to delegate your domain to you.

Note: the following should be done as the "root" superuser.

First, make sure that the hostname of your machine is configured correctly.
Check it with the 'hostname' command - e.g. on master.grpXX.ws.nsrc.org, if
you type:

    # hostname

you should see:

    master.grpXX.ws.nsrc.org

If not, then configure your server with its name: e.g. for
master.grp25.ws.nsrc.org, type:

    # hostname master.grp25.ws.nsrc.org

Remember to replace "grpXX" with the proper group number!

Edit the file /etc/rc.conf (using "vi" or "pico", e.g.: pico /etc/rc.conf),
and update the "hostname" setting:

    hostname="master.grpXX.ws.nsrc.org"

In the file /etc/hosts, you should see a line like (here for group 25):

    10.10.25.1   master.grp25 master.grp25.ws.nsrc.org

Exercise
--------

*   Choose a new domain, and write it down somewhere

    e.g.: "MYTLD" or "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `master.grpXX`, as your subdomain)

    This could for example be your country code or country name,
    but REMEMBER that someone might pick the same name! First come, first
    served.

*   Find someone who will agree to be slave for your domain. Please find
    someone on a different table than you (remember RFC2182: secondaries must
    be on remote networks, but here we work on a flat net). You can
    have more than one slave if you wish.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to update
    the XXX with your IP:

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 10m
@       IN      SOA     master.grpXXX.ws.nsrc.org. your.email.address. (
                        2011021601    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        10m )         ; Negative cache TTL

        IN      NS      master.grpXXX.ws.nsrc.org.   ; master
        IN      NS      master.grpYYY.ws.nsrc.org.   ; slave

www     IN      A       10.10.XXX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address, written
    with a '.' in place of the '@' (this is how the SOA RNAME field encodes
    a mailbox: user@example.com becomes user.example.com.).

    XXX and YYY are the group numbers in the IP of your machine and of your
    slave's machine, respectively (the third octet of 10.10.XXX.1).

    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    would use higher values.

89
*   Edit `/etc/namedb/named.conf` and do the following:

    - In the `options { ... }` block, if it is still there, REMOVE the
      following line:

          listen-on { 127.0.0.1; };

      ... and add another line:

          allow-query { any; };

      ... so that your nameserver will now answer queries from the network.

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

          zone "MYTLD" { type master; file "/etc/namedb/master/MYTLD"; };

      Pay attention to the ';' and '}' !

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *

*   If this is not already done, enable named in your server's configuration
    by editing the file /etc/rc.conf and adding:

        named_enable="YES"

    - Then start/restart named with

        # /etc/rc.d/named restart

    Check the result with

        # tail /var/log/messages

    Verify with dig that MYTLD is now configured on your host:

        # dig @localhost MYTLD. NS

    - If there are any errors, correct them. Some configuration errors can
      cause the daemon to die completely, in which case you may have to
      start it again:

        # /etc/rc.d/named restart

*   Assist your slaves to configure themselves as slave for your domain, and
    configure yourself as a slave if asked to do so by another table.

    The instructions for how to do this are on the slides, but here's a hint:

    zone "MYTLD" {
       type slave; masters { 10.10.XXX.1; }; file "/etc/namedb/slave/MYTLD";
    };

    ... where 10.10.XXX.1 is the address of the master nameserver for the
    zone being slaved (so when someone slaves your zone, XXX is your group
    number).

    Remember, you will also need to be a slave for someone else's zone!

    When you have changed your `named.conf` so that you are a slave for
    someone else, make sure there are no errors in `/var/log/messages` after
    you restart your nameserver.

*   Check that you and your slaves are giving authoritative answers for
    your domain:

        # dig +norec @10.10.XXX.1 MYTLD. SOA
        # dig +norec @10.10.YYY.1 MYTLD. SOA

    Check that you get an AA (authoritative answer) flag from both, and that
    the serial numbers match.

*   Now you are ready to request delegation: indicate to the instructor,
    on a piece of paper:

        Domain name:          ___________________

        Master nameserver:    master.grp___.ws.nsrc.org

        Slave nameserver:     master.grp___.ws.nsrc.org

*   You will not get delegation until the instructor has checked:

    - Your nameservers are all authoritative for your domain
    - They all have the same SOA serial number
    - The NS records within the zone match the list of servers you are
      requesting delegation for
    - The slave(s) are not on the same side of the room as you :)

    => This is called policy!
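The instructor's checklist above, automated with dig as an added example (this script is not part of the original exercise or of NSRC's material); it assumes `dig` is installed, and MYTLD and the 10.10.XXX.1 addresses are the exercise's placeholders:

```shell
#!/bin/sh
# Added example, not part of the original exercise: automate the instructor's
# pre-delegation checks with dig. MYTLD and 10.10.XXX.1 are the exercise's
# placeholders; usage: sh predeleg.sh MYTLD 10.10.XXX.1 10.10.YYY.1 [...]

# Exit 0 when the dig output on stdin carries the AA (authoritative) flag.
has_aa_flag() {
    grep -q '^;; flags:.* aa[ ;]'
}

# Print the SOA serial (field 7: name ttl IN SOA mname rname serial ...).
soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }'
}

# Print NS targets lower-cased and sorted, so two NS sets compare as strings.
ns_targets() {
    awk '$3 == "IN" && $4 == "NS" { print tolower($5) }' | sort
}

# Non-recursive query, as in the exercise (dig +norec @server zone RRTYPE).
query() {  # query <server> <zone> <rrtype>
    dig +norec +noall +comments +answer "@$1" "$2." "$3"
}

# Every server must answer authoritatively, share one serial and serve the
# same NS set as the master; the NS set is printed to compare with the request.
check_delegation() {  # check_delegation <zone> <master> [slave ...]
    zone=$1; shift
    master=$1; status=0; first_serial=""
    master_ns=$(query "$master" "$zone" NS | ns_targets)
    for srv in "$@"; do
        out=$(query "$srv" "$zone" SOA)
        if ! printf '%s\n' "$out" | has_aa_flag; then
            echo "FAIL: $srv is not authoritative for $zone"; status=1; continue
        fi
        serial=$(printf '%s\n' "$out" | soa_serial)
        [ -n "$first_serial" ] || first_serial=$serial
        [ "$serial" = "$first_serial" ] || { echo "FAIL: $srv serial $serial differs"; status=1; }
        ns=$(query "$srv" "$zone" NS | ns_targets)
        [ "$ns" = "$master_ns" ] || { echo "FAIL: $srv NS set differs from master"; status=1; }
        echo "OK:   $srv authoritative, serial $serial"
    done
    printf 'NS records served for %s:\n%s\n' "$zone" "$master_ns"
    return $status
}

if [ $# -ge 2 ]; then check_delegation "$@"; fi
```

Run it as `sh predeleg.sh MYTLD 10.10.XXX.1 10.10.YYY.1`; after the final step (adding a record and bumping the serial) the same run shows whether every slave has picked up the new serial.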
186
*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine
    - On someone else's machine (who is not slave for you):

        # dig @10.10.XXX.1 www.MYTLD       (where MYTLD is your domain)
193
*   Add a new resource record to your zone file. Remember to update the
    serial number. Check that your slaves have updated. Try resolving this
    new name.