Agenda: dns-delegation-exercise2.txt

DNS Exercise - Part II
======================

In this exercise, you will *delegate* a subdomain of your own domain.

In order to keep things simple, it will work like this: each machine will
delegate a subdomain to the next host along (which will be the master) and the
next one after that (which will be the slave).

Example:

* Let's say you are host103.dns and have domain `utopia.dns` already set up

* You will pick a subdomain, let's say `elmo.utopia.dns`

* You will delegate this subdomain to host104.dns and host105.dns
  (host105.dns is the master and host106.dns is the slave. In practice,
  when you are delegating it doesn't really matter which is master,
  because all authoritative nameservers appear the same to the outside world)

* Because you are a conscientious domain owner, you won't add the delegation
  to host105.dns and host106.dns until they have correctly set up their
  authoritative nameservice for the domain, and you've tested it.

Now, because this pattern is repeated by everyone else in the class, it also
means that:

* You will receive delegation for a domain from host102.dns (for which you
  will be the master)

* You will receive delegation for another domain from host101.dns (for which
  you will be slave, with host102.dns as the master)

So you will be doing three different jobs!  You will have to:

    1. set yourself up as master for the domain delegated from host102.dns
    2. set yourself up as slave for the domain delegated from host101.dns
    3. and delegate a subdomain of yours to host104.dns and host105.dns

This means that a lot will be going on at once - so please follow the
worksheet carefully!

--------------------------------------------------------------------------

Exercise parameters
-------------------

To start, please write the following missing information down on a piece of
paper, numbered as (1) to (5). If it's not clear to you what needs to be done,
please ask.

     (1)  My machine is:     host______.dns
 
     (2)  I control domain:  _______________.dns
 
          (this is the domain you set up in the previous exercise, for which
          your machine is the master)
 
     (3)  I am going to delegate this subdomain:
 
             _______________._______________.dns
                                   (2)
 
          and I am going to delegate it to:
 
     (4)        host______.dns        (= myhost+1)   [master]
 
     (5)        host______.dns        (= myhost+2)   [slave]
 
          Wrap around to host101 and/or host101 if you run past the highest-
          numbered host in the class (whoever has the highest number)

Once you have done this, copy fields (1)-(5) from the worksheet for the
machine numbered ONE BELOW YOU into fields (6)-(10) (write them down on
paper). If you are host101, then the machine "below" you is the
highest-numbered host in use in the class.

     (6)  Their machine is:     host______.dns    (= myhost-1)
 
     (7)  They control domain:  _______________.dns
 
     (8)  They are going to delegate this subdomain:
 
             _______________._______________.dns
                                   (7)
 
          and they are going to delegate it to:
 
     (9)        host______.dns        (= myhost)     [master] **
 
     (10)       host______.dns        (= myhost+1)   [slave]

Next, copy fields (1)-(5) from the machine TWO BELOW YOU into fields
(11)-(15)  (on paper)

     (11) Their machine is:     host______.dns    (= myhost-2)
 
     (12) They control domain:  _______________.dns
 
     (13) They are going to delegate this subdomain:
 
             _______________._______________.dns
                                  (12)
 
          and they are going to delegate it to:
 
     (14)       host______.dns        (= myhost-1)   [master]
 
     (15)       host______.dns        (= myhost)     [slave]  **

--------------------------------------------------------------------------

Step 1: Set up as master for domain (8)
---------------------------------------

You are going to be master for the domain given in (8). So the first step is
to create a zonefile for this domain:

    # vi /etc/namedb/master/__________.__________.dns

    Or if you prefer PICO:

    # pico /etc/namedb/master/__________.__________.dns
                                     (8)

    ... and insert the following contents in the file (don't include the 
    sections with numbers like '(9)' - these are just notes.



     $TTL 10m
     @       IN      SOA     host_____.dns. yourname.example.com. (
                                (9)
                                         2010070101
                                         10m
                                         10m
                                         4w
                                         10m )
 
             IN      NS      host_____.dns.
                                (9)
             IN      NS      host_____.dns.
                                (10)
 
     www     IN      A       10.20.XXX.1    ; replace with your own IP




Replace "yourname.example.com." with your modified E-mail address as in the
previous exercise, and use the current YYYYMMDD00 as the serial number.

Now validate the zonefile you have created:

    # named-checkzone  __________.__________.dns  /etc/namedb/master/__________.__________.dns
                                (8)                                                      (8)

If this reports any errors, then fix them.

Next, edit `/etc/namedb/named.conf` to configure bind as master for that zone
using the zonefile you have created:

    (Remember, if you don't know "vi", use "pico")

    # vi /etc/namedb/named.conf

    ... add this entry:



     zone "__________.__________.dns" {
                    (8)
             type master;
             file "master/__________.__________.dns";
                                   (8)
             allow-transfer { 10.20.XXX.1; };
     };



Replace 10.20.XXX.1 with the IP address of machine (10), which is going to be
slave for this zone.

Then validate your modified configuration file:

    # named-checkconf

Again, if this reports any errors then fix them. Now get your nameserver to
reload its conf file and your new zone:

    # rndc reload
    # tail /var/log/messages

Once again, check for any errors and fix them. Finally, test that your
machine is giving out authoritative answers:


    # dig +norec @10.20.XXX.1  __________.__________.dns.  soa
                                      (8)


replacing 10.20.XXX.1 with your own IP address. Check that you get a SOA
response with the expected serial number, and the AA flag is present.

Good - you are half way to getting delegation for this domain (it won't be
done until your slave is set up properly)

Step 2: Set up as slave for domain (13)
---------------------------------------

The host below you has set themselves up as master for the domain you wrote in
(13), and will expect you to be the slave.

So now edit `/etc/namedb/named.conf` to enable yourself as slave for this
domain:

    # pico /etc/namedb/named.conf
    or
    # vi /etc/namedb/named.conf

    ... add this entry:



     zone "__________.__________.dns" {
                    (13)
             type slave;
             file "slave/__________.__________.dns";
                                  (13)
             masters { 10.20.XXX.1; };
     };



Replace 10.20.XXX.1 with the IP address of the master, the machine listed in
space (14).

Now validate your modified configuration file:

    # named-checkconf

If this reports any errors then fix them. Now get your nameserver to reload
its conf file:

    # rndc reload
    # tail /var/log/messages

Once again, check for any errors and fix them.

If the machine below you has already set themselves up as master, then the
zone transfer should take place within a few seconds. You can check this has
happened by looking in `/var/log/messages` again, and checking whether the
slave zone file has been created:

    # ls /etc/namedb/slave/

If not, then either the machine below you has not finished setting
themselves up as master for the domain, or else they have not permitted
access to your IP address to allow you to copy the zone. You can check using
these commands:

    # dig +norec @10.20.XXX.1  __________.__________.dns.  soa
                     (14)             (13)

    # dig @10.20.XXX.1  __________.__________.dns.  axfr
              (14)             (13)

The first should show you the SOA record with the correct serial number; the
second should show you the entire contents of their zone file. If these are
OK, then the zone transfer should take place within a few minutes.

Step 3: Test before delegation of domain (3)
--------------------------------------------

You are now about to delegate the domain you chose in (3) to the machines
listed in (4) and (5); here you are acting in the role of a domain registry.

However, before you perform this delegation, you should check that they are
both set up correctly, especially that they are both authoritative for the
domain in question. Otherwise, you would be creating a lame delegation,
which is not good.

Test the master using the following command:

    # dig +norec @host_____.dns.  __________.__________.dns.  soa
                     (4)                            (3)

Check:

*   Is the response authoritative? (Flag AA)
*   Does the SOA record list the correct host as the master?
*   Are the nameserver (NS) records in the Authority section correct? There
    should be two NS records, one giving the hostname of the master (4) and
    one the hostname of the slave (5)
*   Make a note of the zone serial number

And then test the slave:

    # dig +norec @host_____.dns.  __________.__________.dns.  soa
                     (5)                            (3)
Check:

*   Is the response authoritative? (Flag AA)
*   Does the zone serial number match that given by the master?
*   Are the nameserver (NS) records in the Authority section correct?

If any of these checks fail, explain what the problem was to the owners of
those machines. Don't proceed until they have fixed the problems - and make
sure you have *re-tested* the servers to ensure the problems really have
been fixed.


Step 4: Delegate domain (3)
---------------------------

This is the point at which you delegate the subdomain (3); all queries for
this subdomain will be referred to the servers (4) and (5).

Edit the zonefile for your domain (2):


    # pico /etc/namedb/master/__________.dns
    or
    # vi /etc/namedb/master/__________.dns
                               (2)

    ... add these RRs (records)

     __________  IN     NS     host_____.dns.
         (3)                      (4)
                 IN     NS     host_____.dns.
                                  (5)

Note: in the space marked (3) you just put the *subdomain* you have chosen, e.g.

     elmo        IN     NS     host104.dns.
                 IN     NS     host105.dns.

This is because the domain origin is added automatically (e.g. if the
zonefile is for `utopia.dns` then `elmo` becomes
`elmo.utopia.dns`)

You must also _increment_ the serial number in the SOA record at the top of
the zone file; this must be done after every zone file change of course.

Save your changes, then validate your modified zone file:

    # named-checkzone  __________.dns  /etc/namedb/master/__________.dns
                           (2)                                (2)
If it's OK then reload:

    # rndc reload
    # tail /var/log/messages

That's it! Now all you need to do is to test the new subdomain by doing a
normal recursive lookup for a resource record within it, for example:

    # dig www.__________.__________.dns.
                       (3)

This test should work from anywhere in the class. The query will be first
referred to your nameservers, and then you will give out a referral to the
nameservers (4) and (5) which hold the data for this zone.

Step 5: Check you have received delegation for domain (8)
---------------------------------------------------------

Once you have got this far, you can check that you have received delegation
for the domain (8) which you are master for. That is, make sure your slave
is functioning correctly and has retrieved a copy of your zonefile; and talk
to the domain owner on machine (6) to request delegation. Work along with
them to ensure that any problems are ironed out. Once you have delegation,
test that your new domain works correctly.

Additional steps
----------------

If at any time you are being held up waiting for someone else to complete
their part, then help them out.

If you have completed everything successfully, then here are some additional
things you can do.

*   Add some more resource records to the zone file for domain (8), which
    you control. Remember to increment the serial number.

    Check that your slave has copied your modified zone file. Question:
    how can you check that the slave has updated: (a) given console access
    onto the slave machine itself, and (b) without any console access
    to that machine?

    Check that these new resource records work, by resolving them from
    some other machine (one which is neither master nor slave for the zone)

*   Find someone else who has also finished. Ask them to act as a third
    nameserver (second slave) for your domain, for increased resilience.
    Note that you'll have to change the NS records within the zone, and
    you'll have to change the delegation from above to be consistent.

*   Perform the 'dig +norec' test starting from the root servers, for
    `www._____._____.dns` within your subdomain