Agenda: dns-delegation-exercise.txt

File dns-delegation-exercise.txt, 7.2 KB (added by admin, 6 years ago)
                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root,
for example: MYTLD

You will create a master nameservice on your own machine, and someone else
will provide slave service. Then you will ask the administrator for the
domain above you (the root) to delegate your domain to you.

Note: the following should be done as the "root" superuser.

Firstly, make sure that the hostname of your machine is configured
correctly.  Check it with the 'hostname' command - e.g. on
auth1.grpXX.dns.nsrc.org, if you type:

 # hostname

You should see:

  auth1.grpXX.dns.nsrc.org

If not, then configure your server with its name: e.g. for
    auth1.grp25.dns.nsrc.org, type:

 # hostname auth1.grp25.dns.nsrc.org

Remember to replace "grpXX" with the proper group number!

Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf),
and update the "hostname":

  hostname="auth1.grpXX.dns.nsrc.org"

In the file /etc/hosts, you should see a line:

  10.20.X.1   auth1.grpXX auth1.grpXX.dns.nsrc.org


Exercise
--------

*   Choose a new domain, write it down somewhere

    i.e.: "MYTLD" or "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain)

    This could for example be the name of your country code, country name,
    company name, etc...  but REMEMBER that someone might pick the same name!
    First come, first served.

*   Find someone who will agree to be slave for your domain. Please find someone
    across the room from you (not at your table). (Remember RFC2182: secondaries
    must be on remote networks, but here we work on a flat network.) You can have
    more than one slave if you wish.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to update
    the XXX with your IP:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 2m
@       IN      SOA     auth1.grpXX.dns.nsrc.org. your.email.address. (
                        2012022301    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative

        IN      NS      auth1.grpXXX.dns.nsrc.org.   ; master
        IN      NS      auth1.grpYYY.dns.nsrc.org.   ; slave

www     IN      A       10.20.XXX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address, so that
    user@domain.name becomes user.domain.name. (the '@' becomes a dot;
    keep the trailing dot)

    XXX and YYY are the group numbers of your group and of your slave's
    group, respectively, as they appear in the IP address and hostname.

    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    might use higher values.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If it is still there, REMOVE the following line:

         listen-on { 127.0.0.1; };

    ... and add another line in the options section:

        allow-query { any; };

    ... so that your nameserver will now answer queries from the network.

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
      };

    Pay attention to the ';' and '}'!

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them! *
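
    As an added example (not part of the original exercise or the NSRC
    material), here is a small pre-flight lint, written in plain sh, grep and
    awk, for the zone file built from the template above. named-checkzone
    accepts a zone whose hostnames still contain a template placeholder such
    as grpXXX, and an NS target without its trailing dot (BIND quietly appends
    the zone origin to it); this lint catches those, plus an '@' typed into
    the SOA contact field by habit and a non-numeric serial, before you
    restart named. The group numbers 25 and 30 and the two sample zone files
    it writes to a temporary directory are constructed for the example; run
    lint_zone on /etc/namedb/master/MYTLD instead.

```shell
#!/bin/sh
# Added example, not part of the NSRC exercise: a pre-flight lint for the zone
# file built from the template above. It uses only grep, sed and awk.
# Usage: lint_zone /etc/namedb/master/MYTLD
#   prints one line per problem and returns 1; prints nothing and returns 0
#   when the zone file is clean.

lint_zone() {
    zone_file="$1"
    report=$(
        # Placeholders copied verbatim from the template.
        grep -nE 'XXX|YYY|grpXX\.|your\.email\.address' "$zone_file" |
            sed 's/^\([0-9]*\):/\1: template placeholder left in: /'
        # Per-record checks; comments are stripped before the fields are read.
        awk '
            /;[ \t]*Serial/ && $1 !~ /^[0-9]+$/ {
                print NR ": serial \"" $1 "\" is not a number"
            }
            { sub(/;.*/, "") }
            NF == 0 { next }
            {
                for (i = 1; i <= NF; i++) {
                    if ($i == "NS" && $(i+1) !~ /\.$/)
                        print NR ": NS target \"" $(i+1) "\" lacks a trailing dot"
                    if ($i == "A" && $(i+1) !~ /^[0-9.]+$/)
                        print NR ": A record address \"" $(i+1) "\" is not dotted-decimal"
                    if ($i == "SOA") {
                        if ($(i+1) !~ /\.$/)
                            print NR ": SOA primary \"" $(i+1) "\" lacks a trailing dot"
                        if ($(i+2) !~ /\.$/)
                            print NR ": SOA contact \"" $(i+2) "\" lacks a trailing dot"
                        if ($(i+2) ~ /@/)
                            print NR ": SOA contact \"" $(i+2) "\" must use a dot instead of @"
                    }
                }
            }' "$zone_file"
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed samples (group numbers 25 and 30 are made up for this example).
SAMPLE_DIR=$(mktemp -d)

# A half-finished zone: the '@' is still in the contact, the slave NS lost its
# trailing dot and the A record still carries the XXX placeholder.
cat > "$SAMPLE_DIR/MYTLD.half-done" <<'EOF'
$TTL 2m
@       IN      SOA     auth1.grp25.dns.nsrc.org. admin@grp25.dns.nsrc.org. (
                        2012022301    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative
        IN      NS      auth1.grp25.dns.nsrc.org.   ; master
        IN      NS      auth1.grp30.dns.nsrc.org    ; slave
www     IN      A       10.20.XXX.1
EOF

# The same zone with every field filled in.
cat > "$SAMPLE_DIR/MYTLD.done" <<'EOF'
$TTL 2m
@       IN      SOA     auth1.grp25.dns.nsrc.org. admin.grp25.dns.nsrc.org. (
                        2012022301    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative
        IN      NS      auth1.grp25.dns.nsrc.org.   ; master
        IN      NS      auth1.grp30.dns.nsrc.org.   ; slave
www     IN      A       10.20.25.1
EOF

echo "== half-done zone =="
lint_zone "$SAMPLE_DIR/MYTLD.half-done" || echo "-> fix these before running named-checkzone"
echo "== completed zone =="
lint_zone "$SAMPLE_DIR/MYTLD.done" && echo "-> clean"
```

    Run it before named-checkzone: the half-done sample produces four
    findings and a non-zero exit status, the completed one is silent.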

*   If this is not already done, enable named in your server's configuration,
    by editing the file /etc/rc.conf and adding:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    - Then start/restart named with

        # service named restart

    Check the result with

        # tail /var/log/messages

    Verify with dig that MYTLD is now configured on your host:

        # dig @10.20.XX.1 MYTLD. NS

    Where "XX" is your group number, so that 10.20.XX.1 is the address of
    your machine.

    You can also check the nameserver status using rndc:

        # rndc status

    - If there are any errors, correct them. Some configuration errors can
      cause the daemon to die completely, in which case you may have to
      start it again:

        # /etc/rc.d/named restart

*   Assist your slaves to configure themselves as slave for your domain, and
    configure yourself as a slave if asked to do so by another table.

    Here is most of what you need to add to the end of the named.conf file:

      zone "MYTLD" {
         type slave;
         masters { 10.20.XXX.1; };
         file "/etc/namedb/slave/MYTLD";
      };

    ... where XXX is the group where the master is located.

    If you have changed your `named.conf` so that you are a slave for
    someone else, make sure that there are no errors in `/var/log/messages` after
    you restart your nameserver.

    You will need a slave directory (`/etc/namedb/slave` in the configuration
    above) with proper permissions and ownership where bind can write the
    zone file received from the master.

*   Check that you and your slaves are giving authoritative answers for
    your domain:

        # dig +norec @10.20.XXX.1 MYTLD. SOA
        # dig +norec @10.20.YYY.1 MYTLD. SOA

    Check that you get an AA (authoritative answer) from both, and that
    the serial numbers match.

*   Now you are ready to request delegation:

    a) if using the RZM:

    Go to https://rzm.dnssek.org/

    Choose signup.

    Username is your domain name (for example "COCONUT").
    Password is up to you, but you must remember it.

    We will do a demo of the interface in class.

    b) if not using the RZM:

    Indicate to the instructor, on a piece of paper:

        Domain name:          ___________________

        Master nameserver:    auth1.grp___.dns.nsrc.org

        Slave nameserver:     auth1.grp___.dns.nsrc.org


*   You will not get delegation until the instructor has checked:

    - Your nameservers are all authoritative for your domain
    - They all have the same SOA serial number
    - The NS records within the zone match the list of servers you are
      requesting delegation for
    - The slave(s) are across the room from you :)

    => This is called policy!
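
    The first three items on that list can be checked from the dig output
    itself. As an added example (not part of the original exercise or the
    NSRC material), the sh script below applies them to captured output of
    the `dig +norec @10.20.XXX.1 MYTLD. SOA` commands from the earlier step
    (one capture per server, saved with e.g. `dig ... > master.dig`, in dig's
    default text format) plus the zone file: it checks the aa flag on each
    answer, compares the SOA serials, and compares the NS records in the
    zone against the servers you intend to write on the paper. The dig
    captures it writes, and the group numbers 25, 30 and 31, are constructed
    for the example.

```shell
#!/bin/sh
# Added example, not part of the NSRC exercise: the checks the instructor runs
# before granting delegation, applied to captured 'dig +norec @server MYTLD. SOA'
# output (one capture per nameserver, dig's default text format) and the zone
# file. Group numbers 25, 30 and 31 and the dig captures below are constructed.

# True when the captured answer carries the aa (authoritative answer) flag.
dig_is_authoritative() {
    grep -q '^;; flags:.* aa[ ;]' "$1"
}

# Prints the SOA serial from the answer section of a capture.
dig_soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }' "$1"
}

# Prints the sorted set of NS targets listed in a zone file.
zone_ns_set() {
    sed 's/;.*//' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "NS") print $(i+1) }' | sort -u
}

# delegation_ready ZONEFILE MASTER.dig SLAVE.dig requested-ns...  -> 0 when all checks pass
delegation_ready() {
    zone=$1; master=$2; slave=$3; shift 3
    ok=0
    for capture in "$master" "$slave"; do
        dig_is_authoritative "$capture" || { echo "  no aa flag in $capture"; ok=1; }
    done
    s_master=$(dig_soa_serial "$master")
    s_slave=$(dig_soa_serial "$slave")
    [ -n "$s_master" ] && [ "$s_master" = "$s_slave" ] ||
        { echo "  serial mismatch: master=$s_master slave=$s_slave"; ok=1; }
    requested=$(printf '%s\n' "$@" | sort -u)
    in_zone=$(zone_ns_set "$zone")
    [ "$requested" = "$in_zone" ] ||
        { echo "  NS records in zone ($(echo $in_zone)) differ from request ($(echo $requested))"; ok=1; }
    return $ok
}

# Writes a constructed dig capture: $1 = file, $2 = flags field, $3 = serial.
write_dig_capture() {
    cat > "$1" <<EOF
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40151
;; flags: $2; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;MYTLD.                 IN      SOA

;; ANSWER SECTION:
MYTLD.          120     IN      SOA     auth1.grp25.dns.nsrc.org. admin.grp25.dns.nsrc.org. $3 600 300 2419200 120

;; AUTHORITY SECTION:
MYTLD.          120     IN      NS      auth1.grp25.dns.nsrc.org.
MYTLD.          120     IN      NS      auth1.grp30.dns.nsrc.org.
EOF
}

D=$(mktemp -d)
write_dig_capture "$D/master.dig"   "qr aa"    2012022301
write_dig_capture "$D/slave.dig"    "qr aa"    2012022301
write_dig_capture "$D/stale.dig"    "qr aa"    2012022300   # slave that has not transferred yet
write_dig_capture "$D/recursor.dig" "qr rd ra" 2012022301   # answer from a cache, not authoritative
cat > "$D/MYTLD" <<'EOF'
$TTL 2m
@   IN  SOA auth1.grp25.dns.nsrc.org. admin.grp25.dns.nsrc.org. ( 2012022301 10m 5m 4w 2m )
    IN  NS  auth1.grp25.dns.nsrc.org.   ; master
    IN  NS  auth1.grp30.dns.nsrc.org.   ; slave
www IN  A   10.20.25.1
EOF

NS_MASTER=auth1.grp25.dns.nsrc.org.
NS_SLAVE=auth1.grp30.dns.nsrc.org.
echo "master and slave in sync:"
delegation_ready "$D/MYTLD" "$D/master.dig" "$D/slave.dig" $NS_MASTER $NS_SLAVE && echo "  ready to request delegation"
echo "slave still on the old serial:"
delegation_ready "$D/MYTLD" "$D/master.dig" "$D/stale.dig" $NS_MASTER $NS_SLAVE || echo "  not yet"
echo "requesting a server that is not in the zone:"
delegation_ready "$D/MYTLD" "$D/master.dig" "$D/slave.dig" $NS_MASTER auth1.grp31.dns.nsrc.org. || echo "  not yet"
```

    With real captures, a slave that answers without the aa flag or with an
    older serial has not loaded (or not yet transferred) the zone, and a
    request naming a server that is not an NS in the zone is exactly what
    the instructor will bounce.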
231
232*   Once you have delegation, try to resolve www.MYTLD:
233
234    - On your own machine
235    - On someone else's machine (who is not slave for you):
236
237  # dig @10.20.XXX.1 www.MYTLD       (where MYTLD is your domain)
238
239*   Add a new resource record to your zone file. Remember to update the
240    serial number. Check that your slaves have updated. Try resolving this
241    new name.