Agenda: dns-delegation-exercise-inst-is-slave.txt

File dns-delegation-exercise-inst-is-slave.txt, 6.5 KB (added by admin, 6 years ago)
                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root,
for example: MYTLD

You will create a master nameservice on your own machine, and you will get
secondary service from the instructor, provided by "auth1.grpYYY.ws.nsrc.org"
(YYY is the group of the instructor, which will be communicated in class).

Then you will ask the administrator of the domain above you (the root) to
delegate your domain to you - this is also the instructor.

Note: the following should be done as the "root" superuser - use sudo -s

Firstly, check that the hostname is configured correctly on your machine,
using the 'hostname' command - e.g. on auth1.grpXX.ws.nsrc.org, if you type:

 # hostname

You should see:

  auth1.grpXX.ws.nsrc.org

If NOT, then configure your server with its name: e.g. for

        auth1.grp25.ws.nsrc.org, type:

 # hostname auth1.grp25.ws.nsrc.org

Remember to replace "grpXX" with the proper group number!

The 'hostname' command only sets the name until the next reboot. To make it
permanent, edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf),
and update the "hostname":

  hostname="auth1.grpXX.ws.nsrc.org"

In the file /etc/hosts, you should see a line:

  10.10.X.1   auth1.grpXX auth1.grpXX.ws.nsrc.org

Exercise
--------

*   Choose a new domain, write it down somewhere

    e.g.: "MYTLD" or "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain)

    This could for example be your country code, country name,
    company name, etc...  but REMEMBER that someone might pick the same name!
    First come, first served.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to update
    the XXX with your IP:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 2m
@       IN      SOA     auth1.grpXXX.ws.nsrc.org. your.email.address. (
                        2012022301    ; Serial - replace 20120223 with today's date
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative

        IN      NS      auth1.grpXXX.ws.nsrc.org.   ; master
        IN      NS      auth1.grpYYY.ws.nsrc.org.   ; slave at instructor

www     IN      A       10.10.XXX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address, so that
    user@domain.name becomes user.domain.name

    XXX and YYY are the group numbers of your own group and of your slave
    (the instructor), respectively; the group number is also the third
    octet of the machine's IP address (10.10.XXX.1).

    We have purposely chosen low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    might use higher values.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If it is still there, REMOVE the following line from the options section:

         listen-on { 127.0.0.1; };

    ... and add another line in the options section:

        allow-query { any; };

    ... so that your nameserver will now listen on all interfaces and
    answer queries from the network

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
      };

    Pay attention to the ';' and '}' !

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *

*   Tell the instructor managing grpYYY that you need secondary service for
    your domain - tell them the domain and tell them what your group number is.

        For instance, if the domain is "COCONUT", and you are Group 5, you
        should write on a piece of paper

COCONUT. NS  auth1.grp5.ws.nsrc.org.
COCONUT. NS  auth1.grpYYY.ws.nsrc.org.   (YYY = the group of the instructor)

        And give this to the instructor managing grpYYY

*   If this is not already done, enable named in your server's configuration,
    by editing the file /etc/rc.conf and adding:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    - Then start/restart named with

        # service named restart

    Check the result with

        # tail /var/log/messages

        Verify with dig that MYTLD is now configured on your host:

                # dig @10.10.XX.1 MYTLD. NS

        Where "XX" is your group number (the third octet of your machine's
        address).

        You can also check the nameserver status using rndc:

                # rndc status

    - If there are any errors, correct them. Some configuration errors can
      cause the daemon to die completely, in which case you may have to
      start it again:

        # /etc/rc.d/named restart

*   Check that you and the instructor's slave at grpYYY are giving authoritative
    answers for your domain:

        # dig +norec @10.10.XXX.1 MYTLD. SOA
        # dig +norec @10.10.YYY.1 MYTLD. SOA

    Check that you get an AA (authoritative answer) from both - the "aa"
    flag in the ";; flags:" line of dig's output - and that the serial
    numbers match. If the slave's serial is lower than yours, it has not
    yet transferred your latest zone.
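The two things to look for in the dig output above (the "aa" flag from both
servers, and equal serials) can be checked by a script. The following is an
added example and not part of the original exercise: three small shell
functions that parse the output of "dig +norec ... SOA", run here on
constructed, abbreviated dig output (the addresses 10.10.25.1 and
10.10.99.1, the query ids and the serials are made up for the example).

```shell
#!/bin/sh
# Added example, not part of the original exercise: check dig's answer for
# the "aa" flag and pull out the SOA serial, so the master/slave comparison
# the exercise asks for can be done by a script instead of by eye.

# Constructed, abbreviated copy of what "dig +norec @10.10.25.1 MYTLD. SOA"
# prints for an authoritative answer. Address and id are made up; the
# serial is the one from the zone file template in the exercise.
MASTER_ANSWER='
; <<>> DiG 9.8 <<>> +norec @10.10.25.1 MYTLD. SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
MYTLD.   120  IN  SOA  auth1.grp25.ws.nsrc.org. your.email.address. 2012022301 600 300 2419200 120
'

# Constructed answer from a recursive server replying from its cache: no
# "aa" flag, a partly expired TTL, and the older serial it cached earlier.
STALE_ANSWER='
; <<>> DiG 9.8 <<>> +norec @10.10.99.1 MYTLD. SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
MYTLD.   95   IN  SOA  auth1.grp25.ws.nsrc.org. your.email.address. 2012022201 600 300 2419200 120
'

# is_authoritative ANSWER: succeeds only if the ";; flags:" line carries "aa".
is_authoritative() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* aa[ ;]'
}

# soa_serial ANSWER: prints the serial, i.e. the first number after the
# RNAME in the SOA record (field 7 of the record line).
soa_serial() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "SOA" { print $7; exit }'
}

# check_pair MASTER_ANSWER SLAVE_ANSWER: reports every problem the exercise
# tells you to look for and returns 0 only when both answers are
# authoritative and the serials agree.
check_pair() {
    rc=0
    is_authoritative "$1" || { echo "master: no AA flag"; rc=1; }
    is_authoritative "$2" || { echo "slave: no AA flag"; rc=1; }
    m=$(soa_serial "$1"); s=$(soa_serial "$2")
    if [ -z "$m" ] || [ "$m" != "$s" ]; then
        echo "serial mismatch: master=${m:-none} slave=${s:-none}"; rc=1
    fi
    return $rc
}

# Demo on the constructed samples. For a live check, pass the real output:
#   check_pair "$(dig +norec @10.10.XXX.1 MYTLD. SOA)" "$(dig +norec @10.10.YYY.1 MYTLD. SOA)"
if check_pair "$MASTER_ANSWER" "$STALE_ANSWER"; then
    echo "both servers authoritative and in sync"
else
    echo "not ready: fix the above before requesting delegation"
fi
```

The demo deliberately pairs the master with the cached answer, so it prints
both a missing-AA complaint and a serial mismatch; with two authoritative
answers carrying the same serial it reports success.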

*   Now you are ready to request delegation:

    a) if using the RZM:

    Go to https://rzm.dnssek.org/

    Choose signup.

    Username is your domain name ("COCONUT", for example).
    Password is up to you, but you must remember it.

    We will do a demo of the interface in class.

    b) if not using the RZM:

    Indicate to the instructor, on a piece of paper:

        Domain name:          ___________________

        Master nameserver:    auth1.grp___.ws.nsrc.org

        Slave nameserver:     auth1.grp___.ws.nsrc.org

*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine

    - On someone else's machine - will it work ?

        # dig @10.10.XXX.1 www.MYTLD       (where MYTLD is your domain)

*   Add a new resource record to your zone file. Remember to update the
    serial number. Check that your slaves have updated. Try resolving this
    new name.
217
218*   Add a new resource record to your zone file. Remember to update the
219    serial number. Check that your slaves have updated. Try resolving this
220    new name.