Day 3 17th January 2004
Lab exercises 5 - RNDC

Objective:  Be able to use RNDC to securely send control messages to a name server,
	    either remotely or locally.


1.  Use RNDC for the lab primary name server. Under /var/named/primary generate
    the RNDC key using rndc-confgen and update named.conf to use it.

	% rndc-confgen


2. Cut the first part of the generated output to rndc.conf and the second part, which
   is commented out (hash marks), to named.conf. Make sure to remove the comment
   characters starting from the "key" statement before using it.

   You could also place the second part in a file and then use the "include" statement
   in your named.conf to specify that file.

	example:

	include "/var/named/primary/myrndc-key.txt";

3. Run the primary name server with the -g flag and try the following commands in
   a different terminal.

	rndc -s <server ip>  -c rndc.conf   reload/flush
	rndc -s <server ip>  -c rndc.conf   stop/stats/status/trace     



Lab exercises 6 - TSIG


Objective:

Be able to secure zone transfer between primary & secondary name server.
        
	Primary servers			Secondary servers
	PC1				PC2
	PC3				PC4
	PC5				PC6
	PC7				PC8
	PC9				PC10

From the table above, PC2 will act as slave (secondary) for the pc1.net zone, PC4 for
pc3.net, and so forth.



1. Primary and secondary name servers should first try a zone transfer without the key.



2. Each primary server generates a key using the "dnssec-keygen" command:

	% dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-ns2.pcX.net

where X is your PC number.


3. Send the key out-of-band to your secondary name server administrator so they
   can configure their secondary name server to use the key.


4. Update primary & secondary named.conf with this key. It is recommended to 
   put it in a separate file and use the "include" statement in named.conf 
   to specify this key.
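Added example of the named.conf fragments this step asks for (not part of the lab handout), assuming PC1 at 192.0.2.1 is primary for pc1.net and PC2 at 192.0.2.2 is its secondary; the addresses, the key file path on the secondary and the secret shown are placeholders.

```conf
// ---- Shared key file, identical on both servers ----
// e.g. /var/named/primary/ns1-ns2.pcX.net.key (path on the secondary is assumed)
// The secret is the "Key:" line of the Kns1-ns2.pcX.net.+157+<id>.private
// file written by dnssec-keygen; the value below is a placeholder.
key "ns1-ns2.pcX.net" {
    algorithm hmac-md5;
    secret "REPLACE_WITH_KEY_LINE_FROM_DNSSEC_KEYGEN==";
};

// ---- Primary (PC1, 192.0.2.1) named.conf fragment ----
include "/var/named/primary/ns1-ns2.pcX.net.key";

zone "pc1.net" {
    type master;
    file "pc1.net.zone";
    // Without this ACL the key is defined but never enforced: only
    // transfer requests signed with the shared key are answered.
    allow-transfer { key "ns1-ns2.pcX.net"; };
    also-notify { 192.0.2.2; };
};

// ---- Secondary (PC2, 192.0.2.2) named.conf fragment ----
include "/var/named/secondary/ns1-ns2.pcX.net.key";

// Sign every query and transfer request sent to the primary with the key;
// this is what lets the secondary's AXFR pass the ACL above.
server 192.0.2.1 {
    keys { "ns1-ns2.pcX.net"; };
};

zone "pc1.net" {
    type slave;
    file "pc1.net.zone";
    masters { 192.0.2.1; };
};
```

The key file holds the shared secret, so keep it readable only by the user named runs as; the dig test in the next step uses the same key name and secret.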

5. A zone transfer can also be requested with the dig command; try it with and
   without the key.


	example: without the key (expected to fail)

	dig @server domain  axfr


	example: with a key

	dig @server domain axfr -y ns1-ns2.pcX.net:lksdjfq38475-qejflavna==


6. If the clock difference between primary and secondary is more than 3 minutes,
   the zone transfer will fail even if you have the correct key.
