Agenda: dns-delegation-exercise.txt

File dns-delegation-exercise.txt, 6.7 KB (added by admin, 7 years ago)
                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root, for example MYTLD.
(In this classroom the same thing is done one level down: the zone you create
will be a subdomain of ws.nsrc.org, and the delegation comes from the
administrator of the domain above you.)

You will create a master nameservice on your own machine, and someone else
will provide slave service. Then you will ask the administrator for the
domain above you (dns) to delegate your domain to you.

Note: the following should be done as the "root" superuser.

Firstly, check that your hostname is configured correctly on your machine,
using the 'hostname' command - e.g. on pc18.ws.nsrc.org, if you type:

 # hostname

You should see:

  pc18.ws.nsrc.org

If not, then configure your server with its name: e.g. for
pc18.ws.nsrc.org, type:

 # hostname pc18.ws.nsrc.org

Remember to replace "pc18" with your own PC name!

Edit the file /etc/hostname (using "vi" or "joe", e.g.: vi /etc/hostname),
and update the hostname:

        pc18.ws.nsrc.org

In the file /etc/hosts, you should add a line:

  10.10.X.18    pc18.ws.nsrc.org pc18


Exercise
--------

*   Choose a new domain, write it down somewhere

    i.e.: "MYNAME.ws.nsrc.org" or "KANGURU.ws.nsrc.org" - whatever you feel
    like.

    (Do *NOT* choose any of the PC names, e.g. `pc18.ws.nsrc.org`,
    as your subdomain)

    This could for example be the name of your country code, country name,
    company name, etc...  but REMEMBER that someone might pick the same name!
    First come, first served - and it must be a subdomain of ".ws.nsrc.org".

*   Find someone who will agree to be slave for your domain. Please find
    someone on a different table than you (Remember RFC2182: secondaries must
    be on remote networks, but here we work on a flat net). You can
    have more than one slave if you wish.

*   If required, install bind9:

    Ubuntu: apt-get install bind9

*   Create your zone file in `/etc/bind/db.MYNAME.ws.nsrc.org`
    (where MYNAME is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to update
    the XX with the last octet of your IP:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/bind/
  ***     $ sudo vi db.MYNAME.ws.nsrc.org
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 10m
@       IN      SOA     pcXX.ws.nsrc.org. sysadm.pcXX.ws.nsrc.org. (
                        2011112301    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        10m )         ; Negative

        IN      NS      pcXX.ws.nsrc.org.   ; master
        IN      NS      pcYY.ws.nsrc.org.   ; slave

www     IN      A       10.10.0.XX             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

        The second name in the SOA record is the contact mailbox, written as a
        domain name: the "@" of sysadm@pcXX.ws.nsrc.org becomes a dot, giving
        `sysadm.pcXX.ws.nsrc.org.`. You can replace it with your home E-mail
        address written the same way, if you want.

        XX and YY are the last octets of the IPs of your PC and your slave's.

    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    might use higher values.

*   Edit `/etc/bind/named.conf.options`

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/bind
  ***     $ sudo vi named.conf.options
  ***

    ... add another line in the options section, so it becomes:

        listen-on-v6 { any; };

        allow-query { any; };           // <- this is a new line!

    ... so that your nameserver will now answer queries from the network.

    Save & quit the editor.

*   Edit `/etc/bind/named.conf.local` and do the following:

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

      zone "MYNAME.ws.nsrc.org" {
        type master;
        file "/etc/bind/db.MYNAME.ws.nsrc.org";
      };

    Pay attention to the ';' and '}' !

*   Check that your config file and zone file are valid:

        $ named-checkconf
        $ named-checkzone MYNAME.ws.nsrc.org /etc/bind/db.MYNAME.ws.nsrc.org

    * If there are any errors, correct them! *

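As an added example (not part of the original handout), the steps above gathered into one POSIX shell script: it renders the zone file and both named.conf.local stanzas (master and slave) from the MYNAME, XX and YY placeholders, writes them to a staging directory, and runs named-checkzone on the zone when BIND is installed. The staging directory /tmp/dns-exercise and the RUN variable are assumptions of this example; the files are meant to be checked and then copied into /etc/bind by you. The SOA contact mailbox is written with a dot in place of the "@", as named expects.

```shell
#!/bin/sh
# Added example, not from the original exercise: render the files the
# exercise edits from three variables, then validate them with BIND's own
# checker when it is installed. OUT is an assumed staging directory so that
# nothing under /etc/bind is touched until you copy the files there.
MYNAME=${MYNAME:-myname}       # your chosen label under ws.nsrc.org
XX=${XX:-18}                   # last octet of the master (your PC)
YY=${YY:-19}                   # last octet of the slave
OUT=${OUT:-/tmp/dns-exercise}  # assumed staging directory

zone_name() { printf '%s.ws.nsrc.org\n' "$MYNAME"; }

# Zone file as in the exercise. The SOA RNAME is a mailbox written as a
# domain name, so the "@" of sysadm@pcXX... becomes a dot.
render_zone() {
    serial=${1:-2011112301}
    cat <<EOF
\$TTL 10m
@       IN      SOA     pc$XX.ws.nsrc.org. sysadm.pc$XX.ws.nsrc.org. (
                        $serial    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        10m )         ; Negative

        IN      NS      pc$XX.ws.nsrc.org.   ; master
        IN      NS      pc$YY.ws.nsrc.org.   ; slave

www     IN      A       10.10.0.$XX          ; your own IP
EOF
}

# Stanza for /etc/bind/named.conf.local on the master.
render_master_stanza() {
    cat <<EOF
zone "$(zone_name)" {
  type master;
  file "/etc/bind/db.$(zone_name)";
};
EOF
}

# Stanza the slave adds to its own named.conf.local.
render_slave_stanza() {
    cat <<EOF
zone "$(zone_name)" {
  type slave;
  masters { 10.10.0.$XX; };
  file "/var/cache/bind/db.$(zone_name)";
};
EOF
}

# Write the three files to OUT and run named-checkzone if BIND is installed.
# Returns 0 on success, 1 if the checker rejected the zone.
stage_and_check() {
    mkdir -p "$OUT"
    render_zone "$1" > "$OUT/db.$(zone_name)"
    render_master_stanza > "$OUT/master.conf.local"
    render_slave_stanza > "$OUT/slave.conf.local"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$(zone_name)" "$OUT/db.$(zone_name)" || return 1
    fi
    return 0
}

# Live use, e.g.: RUN=1 MYNAME=kanguru XX=18 YY=22 sh stage.sh
if [ -n "$RUN" ]; then
    stage_and_check "${SERIAL:-2011112301}" && ls -l "$OUT"
fi
```

After staging, named-checkconf still has to be run against the real /etc/bind/named.conf once the stanza is appended there; the script only checks the zone data it generated.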
*   Restart named (the BIND nameserver):

        $ sudo service bind9 restart

    Check the result with

        $ tail /var/log/messages

    Verify with dig that MYNAME.ws.nsrc.org. is now configured on your host:

        $ dig @localhost MYNAME.ws.nsrc.org. NS

    You can also check the nameserver status using rndc:

        $ sudo rndc status

    - If there are any errors, correct them. Some configuration errors can
      cause the daemon to die completely, in which case you may have to
      start it again:

        $ sudo service bind9 restart

*   Assist your slaves to configure themselves as slave for your domain, and
    configure yourself as a slave if asked to do so by another table.

    The instructions for how to do this are on the slides, but here's a hint
    on what to put in /etc/bind/named.conf.local

      zone "MYNAME.ws.nsrc.org" {
         type slave;
         masters { 10.10.0.XX; };
         file "/var/cache/bind/db.MYNAME.ws.nsrc.org";
      };

    ... where XX is the last octet of the IP of the MASTER PC for the zone.

    Remember, you will also need to be a slave for someone else's zone!

    When you have changed your `named.conf.local` so that you are a slave for
    someone else, make sure there are no errors in `/var/log/messages` after
    you restart your nameserver.

*   Check that you and your slaves are giving authoritative answers for
    your domain:

        # dig +norec @10.10.0.XX MYNAME.ws.nsrc.org. SOA
        # dig +norec @10.10.0.YY MYNAME.ws.nsrc.org. SOA

    Check that you get an AA (authoritative answer) from both, and that
    the serial numbers match.

*   Now you are ready to request delegation – indicate to the instructor,
    on a piece of paper:

        Domain name:          ___________________

        Master nameserver:    pcX.ws.nsrc.org

        Slave nameserver:     pcY.ws.nsrc.org

*   You will not get delegation until the instructor has checked:

    - Your nameservers are all authoritative for your domain
    - They all have the same SOA serial number
    - The NS records within the zone match the list of servers you are
      requesting delegation for
    - The slave(s) are not on the same side of the room as you :)

        => This is called policy!

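As an added example (not part of the original handout), the authoritative-answer check two steps above and the instructor's checklist here, written as one POSIX shell script. For every nameserver it runs `dig +norec` for the SOA and the NS records, then reports whether the answer carried the AA flag, whether the serial equals the first server's serial, and whether the NS set inside the zone equals the list of servers being submitted for delegation. The parsing helpers take dig's text output as an argument, so they are exercised on constructed sample output and need no network; the RUN, ZONE and NS variables of the live mode are assumptions of this example.

```shell
#!/bin/sh
# Added example, not taken from the original exercise: the delegation
# checklist as a script. The parsers work on dig's text output, so the
# sample output at the bottom (constructed, not captured) exercises them
# without a network.

# Print 1 if the dig output carries the AA flag, else 0.
has_aa() {
    if printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]+)* aa[; ]'; then
        echo 1
    else
        echo 0
    fi
}

# Print the serial of the first SOA record in the dig output
# (record lines read "<name> <ttl> IN SOA <mname> <rname> <serial> ...").
soa_serial() {
    printf '%s\n' "$1" | awk '!/^;/ && $4 == "SOA" { print $7; exit }'
}

# Print the NS target names in the dig output, sorted, space separated.
ns_set() {
    printf '%s\n' "$1" | awk '!/^;/ && $4 == "NS" { print $5 }' | sort -u | paste -sd ' ' -
}

# Judge one server. Prints "OK" or the names of the failed checks.
verdict() {
    aa=$1; serial=$2; ref_serial=$3; ns=$4; want=$5
    fail=""
    [ "$aa" = 1 ] || fail="$fail not-authoritative"
    [ "$serial" = "$ref_serial" ] || fail="$fail serial-mismatch"
    [ "$ns" = "$want" ] || fail="$fail ns-set-differs"
    if [ -n "$fail" ]; then printf '%s\n' "${fail# }"; else echo OK; fi
}

# check_delegation ZONE "ns1. ns2." IP... : run the checklist live with dig.
# The first server's serial is the reference the others must match.
check_delegation() {
    zone=$1; want=$(printf '%s\n' $2 | sort -u | paste -sd ' ' -); shift 2
    ref=""; rc=0
    for ip in "$@"; do
        soa=$(dig +norec "@$ip" "$zone." SOA)
        ns=$(dig +norec "@$ip" "$zone." NS)
        serial=$(soa_serial "$soa")
        [ -n "$ref" ] || ref=$serial
        result=$(verdict "$(has_aa "$soa")" "$serial" "$ref" "$(ns_set "$ns")" "$want")
        printf '%-16s serial=%-11s %s\n' "$ip" "${serial:-none}" "$result"
        [ "$result" = OK ] || rc=1
    done
    return $rc
}

# Constructed sample dig output from an authoritative server.
SAMPLE_AUTH='; <<>> DiG 9.16 <<>> +norec @10.10.0.18 myname.ws.nsrc.org. SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;myname.ws.nsrc.org.  IN SOA

;; ANSWER SECTION:
myname.ws.nsrc.org. 600 IN SOA pc18.ws.nsrc.org. sysadm.pc18.ws.nsrc.org. 2011112301 600 300 2419200 600

;; AUTHORITY SECTION:
myname.ws.nsrc.org. 600 IN NS pc19.ws.nsrc.org.
myname.ws.nsrc.org. 600 IN NS pc18.ws.nsrc.org.'

# Constructed sample from a server that only has the record cached.
SAMPLE_NOAUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
myname.ws.nsrc.org. 598 IN SOA pc18.ws.nsrc.org. sysadm.pc18.ws.nsrc.org. 2011112301 600 300 2419200 600'

# Live use, e.g.:
#   RUN=1 ZONE=myname.ws.nsrc.org NS="pc18.ws.nsrc.org. pc19.ws.nsrc.org." \
#       sh check.sh 10.10.0.18 10.10.0.19
if [ -n "$RUN" ]; then
    check_delegation "$ZONE" "$NS" "$@"
fi
```

The NS comparison reads the NS set from the zone's own answer, not from the parent, so it catches the common case where the zone lists a slave that was never asked to be one, or omits one that was.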
*   Once you have delegation, try to resolve www.MYNAME.ws.nsrc.org

    - On your own machine
    - On someone else's machine (who is not slave for you):

        # dig @10.10.0.XX www.MYNAME.ws.nsrc.org       (where MYNAME is your domain)

*   Add a new resource record to your zone file. Remember to update the
    serial number. Check that your slaves have updated. Try resolving this
    new name.