DNS Exercise 4: Delegating a subdomain
======================================

In this exercise, you will *delegate* a subdomain of your own domain.

In order to keep things simple, it will work like this: each machine will
delegate a subdomain to the next PC along (which will be the master) and the
next one after that (which will be the slave).

Example:

* Let's say you are `ws6.ws3.conference.sanog.org` and have domain
  `bhutan.ws3.conference.sanog.org` already set up

* You will pick a subdomain, let's say `ilove.bhutan.ws3.conference.sanog.org`

* You will delegate this subdomain to ws7 and ws8
  (ws7 is the master and ws8 is the slave. In practice, when you are
  delegating it doesn't really matter which is master, because all
  authoritative nameservers appear the same to the outside world)

* Because you are a conscientious domain owner, you won't add the delegation
  to ws7 and ws8 until they have correctly set up their authoritative
  nameservice for the domain, and you've tested it.

Now, because this pattern is repeated by everyone else in the class, it also
means that:

* You will receive delegation for a domain from ws5 (for which you will
  be the master)

* You will receive delegation for another domain from ws4 (for which you
  will be slave, with ws5 as the master)

So you will be doing three different jobs: you will have to set yourself up
as master for the domain delegated from ws5, as slave for the domain
delegated from ws4, and delegate a subdomain of yours to ws7 and ws8.

This means that a lot will be going on at once - so please follow the
worksheet carefully!

--------------------------------------------------------------------------

Exercise parameters
-------------------

To start, please fill in the blanks numbered (1) to (5). If it's not clear
to you what needs to be done, please ask.

> (1) My machine is: ws______.ws3.conference.sanog.org
>
> (2) I control domain: _______________.ws3.conference.sanog.org
>
> (this is the domain you set up in the previous exercise, for which
> your machine is the master)
>
> (3) I am going to delegate this subdomain:
>
>     _______________._______________.ws3.conference.sanog.org
>                     (2)
>
> and I am going to delegate it to:
>
> (4) ws______.ws3.conference.sanog.org (= myws+1) [master]
>
> (5) ws______.ws3.conference.sanog.org (= myws+2) [slave]
>
> Wrap around to ws1 and/or ws2 if you run past the highest-numbered
> PC in the class

Once you have done this, copy fields (1)-(5) from the worksheet for the
machine numbered ONE BELOW YOU into fields (6)-(10) here. If you are ws1,
then the machine "below" you is the highest-numbered machine in the class.

> (6) Their machine is: ws______.ws3.conference.sanog.org (= myws-1)
>
> (7) They control domain: _______________.ws3.conference.sanog.org
>
> (8) They are going to delegate this subdomain:
>
>     _______________._______________.ws3.conference.sanog.org
>                     (7)
>
> and they are going to delegate it to:
>
> (9) ws______.ws3.conference.sanog.org (= myws) [master] **
>
> (10) ws______.ws3.conference.sanog.org (= myws+1) [slave]

Next, copy fields (1)-(5) from the machine TWO BELOW YOU into fields
(11)-(15)

> (11) Their machine is: ws______.ws3.conference.sanog.org (= myws-2)
>
> (12) They control domain: _______________.ws3.conference.sanog.org
>
> (13) They are going to delegate this subdomain:
>
>     _______________._______________.ws3.conference.sanog.org
>                     (12)
>
> and they are going to delegate it to:
>
> (14) ws______.ws3.conference.sanog.org (= myws-1) [master]
>
> (15) ws______.ws3.conference.sanog.org (= myws) [slave] **

The entries marked ** are your own machine: (9) is the zone you will be
master for, (15) the zone you will be slave for.

--------------------------------------------------------------------------

Step 1: Set up as master for domain (8)
---------------------------------------

You are going to be master for the domain given in (8). So the first step is
to create a zonefile for this domain:

    # vi /etc/namedb/master/__________.__________.ws3.conference.sanog.org
                                        (8)

... create file with the following contents:

> $TTL 10m
> @ IN SOA ws_____.ws3.conference.sanog.org. yourname.example.com. (
>            (9)
>             2006050800    ; serial (YYYYMMDDnn)
>             10m           ; refresh
>             10m           ; retry
>             4w            ; expire
>             10m )         ; negative-caching TTL
>
>   IN NS ws_____.ws3.conference.sanog.org.
>           (9)
>   IN NS ws_____.ws3.conference.sanog.org.
>           (10)
>
> www IN A 196.200.219.X ; replace with your own IP

Replace "yourname.example.com." with your modified E-mail address as in the
previous exercise (the `@` replaced by a dot, with a trailing dot added), and
use the current YYYYMMDD00 as the serial number. Anything after a `;` is a
comment; the ones on the SOA timers only label what each value is.

Now validate the zonefile you have created:

    # named-checkzone __________.__________.ws3.conference.sanog.org \
                                 (8)
        /etc/namedb/master/__________.__________.ws3.conference.sanog.org
                                           (8)

If this reports any errors, then fix them. Next, edit
`/etc/namedb/named.conf` to configure BIND as master for that zone using
the zonefile you have created:

    # vi /etc/namedb/named.conf

... add this entry:

> zone "__________.__________.ws3.conference.sanog.org" {
>                  (8)
>     type master;
>     file "master/__________.__________.ws3.conference.sanog.org";
>                        (8)
>     allow-transfer { 196.200.219.Y; };
> };

Replace 196.200.219.Y with the IP address of machine (10), which is going to
be slave for this zone. The `allow-transfer` line is what lets that slave,
and only that slave, pull a full copy of the zone (AXFR); if transfers are
not restricted, anyone who can reach your server can download the whole
zone.

Then validate your modified configuration file:

    # named-checkconf

Again, if this reports any errors then fix them. Now get your nameserver to
reload its conf file and your new zone:

    # rndc reload
    # tail /var/log/messages

Once again, check for any errors and fix them. Finally, test that your
machine is giving out authoritative answers:

    # dig +norec @196.200.219.X __________.__________.ws3.conference.sanog.org. soa
                                              (8)

replacing 196.200.219.X with your own IP address. Check that you get a SOA
response with the expected serial number, and the AA flag is present.
(`+norec` clears the recursion-desired bit, so you see what the server
knows itself rather than what it could look up on your behalf.)

Good - you are half way to getting delegation for this domain (it won't be
done until your slave is set up properly)

Step 2: Set up as slave for domain (13)
---------------------------------------

The PC below you has set themselves up as master for the domain you wrote in
(13), and will expect you to be the slave.

So now edit `/etc/namedb/named.conf` to enable yourself as slave for this
domain:

    # vi /etc/namedb/named.conf

... add this entry:

> zone "__________.__________.ws3.conference.sanog.org" {
>                  (13)
>     type slave;
>     file "slave/__________.__________.ws3.conference.sanog.org";
>                       (13)
>     masters { 196.200.219.W; };
> };

Replace 196.200.219.W with the IP address of the master, the machine listed in
space (14).

Now validate your modified configuration file:

    # named-checkconf

If this reports any errors then fix them. Now get your nameserver to reload
its conf file:

    # rndc reload
    # tail /var/log/messages

Once again, check for any errors and fix them.

If the machine below you has already set themselves up as master, then the
zone transfer should take place within a few seconds. You can check this has
happened by looking in `/var/log/messages` again, and checking whether the
slave zone file has been created:

    # ls /etc/namedb/slave

(named writes that file itself, so the `slave` directory must be writable by
the user named runs as.)

If not, then either the machine below you has not finished setting
themselves up as master for the domain, or else they have not permitted
access to your IP address to allow you to copy the zone. You can check using
these commands, run from your own machine (the master's `allow-transfer`
should admit only your IP, so the second one will be refused from anywhere
else):

    # dig +norec @196.200.219.W __________.__________.ws3.conference.sanog.org. soa
                          (14)                (13)

    # dig @196.200.219.W __________.__________.ws3.conference.sanog.org. axfr
                   (14)                (13)

The first should show you the SOA record with the correct serial number; the
second should show you the entire contents of their zone file. If the
transfer is refused, the master's `allow-transfer` does not include your
address. If these are OK, then the zone transfer should take place within a
few minutes (the SOA refresh interval is 10 minutes; `rndc refresh` followed
by the zone name makes your server try again immediately).

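The zone file and the two `named.conf` entries from Steps 1 and 2 are built from a handful of worksheet values, so they can be generated rather than typed. The script below is an added example, not part of the worksheet or of BIND: it writes the Step 1 zone file and the master and slave entries from those values, keeps `allow-transfer` locked to the slave, and runs `named-checkzone`/`named-checkconf` only when they are installed. The hostnames come from the worksheet's ws7/ws8 example, and the addresses 196.200.219.7 and 196.200.219.8 are assumed placeholders.

```shell
#!/bin/sh
# Added example for Steps 1 and 2 (not part of the worksheet or of BIND):
# build the zone file and the master/slave named.conf entries from the
# worksheet values, and validate them with named-checkzone/named-checkconf
# when those are installed. The names and the 196.200.219.7/.8 addresses in
# the demo are placeholders from the worksheet's example, not real hosts.
set -eu

# soa_mbox ADDRESS: the SOA RNAME form of a mailbox: '@' becomes '.', dots in
# the local part are escaped, and a trailing dot is added.
soa_mbox() {
    local_part=${1%@*} domain=${1#*@}
    printf '%s.%s.\n' "$(printf '%s' "$local_part" | sed 's/\./\\./g')" "$domain"
}

# gen_zonefile ZONE MASTER SLAVE MAILBOX SERIAL WWW_IP: the Step 1 zone file.
# MASTER and SLAVE are hostnames without trailing dot; it is added here so the
# names cannot be read as relative to the zone origin.
gen_zonefile() {
    zone=$1 master=$2 slave=$3 mailbox=$4 serial=$5 www_ip=$6
    printf '; zone file for %s\n' "$zone"
    printf '$TTL 10m\n'
    printf '@       IN SOA  %s. %s (\n' "$master" "$(soa_mbox "$mailbox")"
    printf '                %s   ; serial (YYYYMMDDnn)\n' "$serial"
    printf '                10m          ; refresh\n'
    printf '                10m          ; retry\n'
    printf '                4w           ; expire\n'
    printf '                10m )        ; negative-caching TTL\n'
    printf '\n'
    printf '        IN NS   %s.\n' "$master"
    printf '        IN NS   %s.\n' "$slave"
    printf '\n'
    printf 'www     IN A    %s\n' "$www_ip"
}

# gen_master_stanza ZONE SLAVE_IP: the Step 1 named.conf entry. allow-transfer
# limits AXFR to the slave; left open, anyone could pull the whole zone.
gen_master_stanza() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "master/%s";\n\tallow-transfer { %s; };\n};\n' "$1" "$1" "$2"
}

# gen_slave_stanza ZONE MASTER_IP: the Step 2 named.conf entry.
gen_slave_stanza() {
    printf 'zone "%s" {\n\ttype slave;\n\tfile "slave/%s";\n\tmasters { %s; };\n};\n' "$1" "$1" "$2"
}

# check_zone ZONE FILE / check_conf FILE: the worksheet's validation steps,
# skipped (status 0) when the BIND tools are not installed on this machine.
check_zone() { ! command -v named-checkzone >/dev/null 2>&1 || named-checkzone "$1" "$2"; }
check_conf() { ! command -v named-checkconf >/dev/null 2>&1 || named-checkconf "$1"; }

# Demo with the worksheet's example: ws7 is master and ws8 slave for
# ilove.bhutan.ws3.conference.sanog.org. The master and slave entries belong
# on different machines, so they are written to separate files.
demo() {
    zone=ilove.bhutan.ws3.conference.sanog.org
    dir=$(mktemp -d)
    gen_zonefile "$zone" ws7.ws3.conference.sanog.org ws8.ws3.conference.sanog.org \
        yourname@example.com "$(date +%Y%m%d)00" 196.200.219.7 > "$dir/$zone"
    gen_master_stanza "$zone" 196.200.219.8 > "$dir/named.conf.ws7"
    gen_slave_stanza  "$zone" 196.200.219.7 > "$dir/named.conf.ws8"
    cat "$dir/$zone" "$dir/named.conf.ws7" "$dir/named.conf.ws8"
    check_zone "$zone" "$dir/$zone" && check_conf "$dir/named.conf.ws7" \
        && check_conf "$dir/named.conf.ws8" && echo "checks passed (or BIND tools not installed)"
    rm -rf "$dir"
}
demo
```

On the workshop machines, redirect `gen_zonefile` into `/etc/namedb/master/` and paste the matching stanza into `named.conf`; the demo writes to a temporary directory so it can be run anywhere. `soa_mbox` escapes dots in the local part (`john.doe@example.com` becomes `john\.doe.example.com.`), which is the one case where "replace the @ with a dot" is not enough.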
Step 3: Test before delegation of domain (3)
--------------------------------------------

You are now about to delegate the domain you chose in (3) to the machines
listed in (4) and (5); here you are acting in the role of a domain registry.

However, before you perform this delegation, you should check that they are
both set up correctly, especially that they are both authoritative for the
domain in question. Otherwise, you would be creating a lame delegation (a
delegation pointing at a server which does not answer authoritatively for
the zone), which is not good.

Test the master using the following command:

    # dig +norec @ws_____.ws3.conference.sanog.org. __________.__________.ws3.conference.sanog.org. soa
                    (4)                                        (3)

Check:

* Is the response authoritative? (Flag AA)
* Does the SOA record list the correct PC as the master?
* Are the nameserver (NS) records in the Authority section correct? There
  should be two NS records, one giving the hostname of the master (4) and
  one the hostname of the slave (5). These must be exactly the names you
  are about to put in your own zone in Step 4.
* Make a note of the zone serial number

And then test the slave:

    # dig +norec @ws_____.ws3.conference.sanog.org. __________.__________.ws3.conference.sanog.org. soa
                    (5)                                        (3)

Check:

* Is the response authoritative? (Flag AA)
* Does the zone serial number match that given by the master? (If not, the
  slave is still serving an old copy, or never transferred the zone.)
* Are the nameserver (NS) records in the Authority section correct?

If any of these checks fail, explain what the problem was to the owners of
those machines. Don't proceed until they have fixed the problems - and make
sure you have *re-tested* the servers to ensure the problems really have
been fixed.

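The checks in Step 3 are exactly the kind of thing that gets skipped when a class is in a hurry, so here they are as a script. This is an added example, not part of the worksheet: it parses the text output of `dig +norec ... soa`, reduces each answer to the three facts the checklist asks for (AA flag, serial, NS set), and refuses the delegation if the master and slave disagree or either is lame. Only `live_report` talks to the network; the sample answers at the bottom are constructed in dig's output format, not real captures, and the ws7/ws8 names are the worksheet's example.

```shell
#!/bin/sh
# Added example for Step 3 (not part of the worksheet): the checks you make by
# eye on the two `dig +norec ... soa` answers, as a script that refuses to
# give the go-ahead on a lame or out-of-step server. Only live_report touches
# the network; everything else works on dig's text output, so the constructed
# sample answers at the bottom exercise it offline.
set -eu

# analyze_soa_response: read one `dig +norec @SERVER ZONE soa` answer on stdin
# and reduce it to one line "aa=yes|no serial=N ns=a.,b." (NS names from the
# answer and authority sections, sorted and comma separated).
analyze_soa_response() {
    out=$(cat)
    aa=$(printf '%s\n' "$out" | awk '/^;; flags:/ { if ($0 ~ / aa[ ;]/) print "yes"; else print "no" }')
    serial=$(printf '%s\n' "$out" | awk '!/^;/ && $4 == "SOA" { print $7; exit }')
    ns=$(printf '%s\n' "$out" | awk '!/^;/ && $4 == "NS" { print $5 }' | sort -u | tr '\n' ',' | sed 's/,$//')
    printf 'aa=%s serial=%s ns=%s\n' "${aa:-no}" "${serial:-none}" "${ns:-none}"
}

# ns_set NAME...: the NS set you are about to put in the parent zone, in the
# same normalised form. Names must carry their trailing dot.
ns_set() {
    for n in "$@"; do printf '%s\n' "$n"; done | sort -u | tr '\n' ',' | sed 's/,$//'
}

# judge MASTER_REPORT SLAVE_REPORT EXPECTED_NS: print every failed check from
# the worksheet's list and return 1 if any failed. Delegate only on 0.
judge() {
    m=$1 s=$2 want=$3 rc=0
    case $m in *aa=yes*) ;; *) echo "master: answer not authoritative (no AA flag)"; rc=1 ;; esac
    case $s in *aa=yes*) ;; *) echo "slave: answer not authoritative (no AA flag)"; rc=1 ;; esac
    mser=${m#*serial=}; mser=${mser%% *}
    sser=${s#*serial=}; sser=${sser%% *}
    [ "$mser" = "$sser" ] || { echo "serial mismatch: master $mser, slave $sser (transfer not done?)"; rc=1; }
    mns=${m#*ns=}; sns=${s#*ns=}
    [ "$mns" = "$want" ] || { echo "master NS set '$mns' differs from planned delegation '$want'"; rc=1; }
    [ "$sns" = "$want" ] || { echo "slave NS set '$sns' differs from planned delegation '$want'"; rc=1; }
    return $rc
}

# live_report SERVER ZONE: the query from Step 3, reduced to a report line.
live_report() { dig +norec "@$1" "$2" soa | analyze_soa_response; }

# check_delegation MASTER_HOST SLAVE_HOST ZONE: run this before Step 4, with
# hostnames given without trailing dot; the exit status says whether the
# delegation would be lame.
check_delegation() {
    judge "$(live_report "$1" "$3")" "$(live_report "$2" "$3")" "$(ns_set "$1." "$2.")"
}

# Constructed sample answers (not real captures) in dig's output format, for
# the worksheet's example zone: the master, a slave still holding yesterday's
# copy, and a slave that never received the zone at all.
Z=ilove.bhutan.ws3.conference.sanog.org.
SAMPLE_MASTER=";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
$Z 600 IN SOA ws7.ws3.conference.sanog.org. yourname.example.com. 2006050800 600 600 2419200 600
;; AUTHORITY SECTION:
$Z 600 IN NS ws7.ws3.conference.sanog.org.
$Z 600 IN NS ws8.ws3.conference.sanog.org."
SAMPLE_SLAVE_STALE=";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
$Z 600 IN SOA ws7.ws3.conference.sanog.org. yourname.example.com. 2006050700 600 600 2419200 600
;; AUTHORITY SECTION:
$Z 600 IN NS ws7.ws3.conference.sanog.org.
$Z 600 IN NS ws8.ws3.conference.sanog.org."
SAMPLE_SLAVE_LAME=";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"

demo() {
    want=$(ns_set ws7.ws3.conference.sanog.org. ws8.ws3.conference.sanog.org.)
    master_rep=$(printf '%s\n' "$SAMPLE_MASTER" | analyze_soa_response)
    for sample in "$SAMPLE_SLAVE_LAME" "$SAMPLE_SLAVE_STALE" "$SAMPLE_MASTER"; do
        if judge "$master_rep" "$(printf '%s\n' "$sample" | analyze_soa_response)" "$want"; then
            echo "-> OK to delegate"
        else
            echo "-> do NOT delegate yet"
        fi
    done
}
demo
```

On the workshop network you would call `check_delegation ws7.ws3.conference.sanog.org ws8.ws3.conference.sanog.org ilove.bhutan.ws3.conference.sanog.org.` with your own (4), (5) and (3). The serial comparison is what catches the common case of a slave that answers authoritatively but from an old copy, which a bare AA check would pass.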
Step 4: Delegate domain (3)
---------------------------

This is the point at which you delegate the subdomain (3); all queries for
this subdomain will be referred to the servers (4) and (5).

Edit the zonefile for your domain (2):

    # vi /etc/namedb/master/__________.ws3.conference.sanog.org
                                  (2)

... add these RRs

> __________ IN NS ws_____.ws3.conference.sanog.org.
>     (3)              (4)
>            IN NS ws_____.ws3.conference.sanog.org.
>                      (5)

Note: in the space marked (3) you just put the *subdomain* you have chosen,
e.g.

> ilove IN NS ws7.ws3.conference.sanog.org.
>       IN NS ws8.ws3.conference.sanog.org.

This is because the domain origin is added automatically (e.g. if the
zonefile is for `bhutan.ws3.conference.sanog.org` then `ilove` becomes
`ilove.bhutan.ws3.conference.sanog.org`). The second line has no owner name
of its own, so it takes the owner of the previous record, `ilove`. For the
same reason the nameserver names must end in a dot: written without it,
`ws7.ws3.conference.sanog.org` would become
`ws7.ws3.conference.sanog.org.bhutan.ws3.conference.sanog.org`.

You must also _increment_ the serial number in the SOA record at the top of
the zone file; this must be done after every zone file change of course.
(If you created the zone today, YYYYMMDD00 is already used: go to
YYYYMMDD01.)

Save your changes, then validate your modified zone file:

    # named-checkzone __________.ws3.conference.sanog.org \
                            (2)
        /etc/namedb/master/__________.ws3.conference.sanog.org
                                  (2)

If it's OK then reload:

    # rndc reload
    # tail /var/log/messages

That's it! Now all you need to do is to test the new subdomain by doing a
normal recursive lookup for a resource record within it, for example:

    # dig www.__________.__________.ws3.conference.sanog.org.
                             (3)

This test should work from anywhere on the Internet. The resolver answering
the query will first be referred to your nameservers by the servers for
`ws3.conference.sanog.org`, and your server will then give out a referral
to the nameservers (4) and (5) which hold the data for this zone. You can
watch this chain of referrals with `dig +trace`.

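Step 4 is two edits to the parent zone file, and both have a classic failure mode: an NS name without the trailing dot silently becomes a name inside your own zone, and a serial that is not bumped means the slave never picks the change up. The script below is an added example, not part of the worksheet: it appends the delegation records for a label, refuses nameserver names that lack the trailing dot before touching the file, finds and rewrites the SOA serial in either the worksheet's multi-line layout or a one-line SOA, and follows the YYYYMMDDnn convention including the same-day case. The zone contents in `SAMPLE_ZONE` are a constructed sample in the worksheet's layout; the hostnames and 196.200.219.6 are the worksheet's example values.

```shell
#!/bin/sh
# Added example for Step 4 (not part of the worksheet): add the delegation NS
# records to the parent zone file and bump the SOA serial, catching the two
# mistakes this step invites before the file is changed. SAMPLE_ZONE below is
# a constructed sample in the worksheet's layout, not a real zone.
set -eu

# next_serial CURRENT [TODAY]: the worksheet's YYYYMMDDnn convention. Today
# with nn=00, unless that is not larger than the current serial (a second
# change on the same day), in which case current+1.
next_serial() {
    cur=$1 today=${2:-$(date +%Y%m%d)}
    if [ "${today}00" -gt "$cur" ]; then echo "${today}00"; else echo $((cur + 1)); fi
}

# Shared awk program: the serial is the first all-digit field after the SOA
# keyword, on the SOA line itself or on a following line (the worksheet's
# layout); fields from a ';' onwards are comments and ignored. With new=""
# it prints the serial; otherwise it prints the file with the serial replaced.
SERIAL_AWK='
!done && !insoa { for (i = 1; i <= NF; i++) if ($i == "SOA") { insoa = 1; start = i + 1; break } }
insoa && !done {
    for (i = start; i <= NF; i++) {
        if ($i ~ /^;/) break
        if ($i ~ /^[0-9]+$/) {
            if (new == "") { print $i; exit }
            if (match($0, "(^|[ \t])" $i "([ \t]|$)")) {
                mid = substr($0, RSTART, RLENGTH); sub($i, new, mid)
                $0 = substr($0, 1, RSTART - 1) mid substr($0, RSTART + RLENGTH)
            }
            done = 1; break
        }
    }
    start = 1
}
new != "" { print }
'
zone_serial()     { awk -v new= "$SERIAL_AWK" "$1"; }
set_zone_serial() { awk -v new="$2" "$SERIAL_AWK" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# delegate_subdomain ZONE ZONEFILE LABEL NS...: append "LABEL IN NS ..." for
# each nameserver (the label is repeated on every line rather than left blank,
# which means the same thing), bump the serial, and run named-checkzone if it
# is installed. Refuses names without a trailing dot: inside the zone file a
# bare ws7.ws3.conference.sanog.org would be read relative to the origin.
delegate_subdomain() {
    zone=$1 file=$2 label=$3; shift 3
    for ns in "$@"; do
        case $ns in
            *.) ;;
            *) echo "error: nameserver '$ns' needs a trailing dot" >&2; return 1 ;;
        esac
    done
    old=$(zone_serial "$file")
    [ -n "$old" ] || { echo "error: no SOA serial found in $file" >&2; return 1; }
    {
        printf '\n; delegation of %s.%s\n' "$label" "$zone"
        for ns in "$@"; do printf '%s   IN NS   %s\n' "$label" "$ns"; done
    } >> "$file"
    set_zone_serial "$file" "$(next_serial "$old")"
    if command -v named-checkzone >/dev/null 2>&1; then named-checkzone "$zone" "$file"; fi
}

# Constructed sample of the parent zone from the worksheet's example
# (bhutan.ws3.conference.sanog.org on ws6, slave on ws7), in the layout
# Step 1 asks for.
SAMPLE_ZONE='$TTL 10m
@       IN SOA  ws6.ws3.conference.sanog.org. yourname.example.com. (
                2006050800
                10m
                10m
                4w
                10m )

        IN NS   ws6.ws3.conference.sanog.org.
        IN NS   ws7.ws3.conference.sanog.org.

www     IN A    196.200.219.6'

demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_ZONE" > "$f"
    echo "serial before: $(zone_serial "$f")"
    delegate_subdomain bhutan.ws3.conference.sanog.org "$f" ilove \
        ws7.ws3.conference.sanog.org. ws8.ws3.conference.sanog.org.
    echo "serial after:  $(zone_serial "$f")"
    cat "$f"
    rm -f "$f"
}
demo
```

On the workshop machine the call is `delegate_subdomain <your domain (2)> /etc/namedb/master/<your domain (2)> <label (3)> <host (4)>. <host (5)>.`, followed by `rndc reload` as in the worksheet. `next_serial` takes an optional date argument only so that the same-day rule can be checked without waiting for tomorrow.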
Step 5: Check you have received delegation for domain (8)
---------------------------------------------------------

Once you have got this far, you can check that you have received delegation
for the domain (8) which you are master for. That is, make sure your slave
is functioning correctly and has retrieved a copy of your zonefile; and talk
to the domain owner on machine (6) to request delegation. Work along with
them to ensure that any problems are ironed out. Once you have delegation,
test that your new domain works correctly.

Additional steps
----------------

If at any time you are being held up waiting for someone else to complete
their part, then help them out.

If you have completed everything successfully, then here are some additional
things you can do.

* Add some more resource records to the zone file for domain (8), which
  you control. Remember to increment the serial number.

  Check that your slave has copied your modified zone file. Question:
  how can you check that the slave has updated: (a) given console access
  onto the slave machine itself, and (b) without any console access
  to that machine?

  Check that these new resource records work, by resolving them from
  some other machine (one which is neither master nor slave for the zone)

* Find someone else who has also finished. Ask them to act as a third
  nameserver (second slave) for your domain, for increased resilience.
  Note that you'll have to change the NS records within the zone (and
  increment the serial), add their IP address to `allow-transfer` on the
  master so they can fetch the zone, and change the delegation from above
  to be consistent.

* Perform the 'dig +norec' test starting from the root servers, for
  `www._____._____.ws3.conference.sanog.org` within your subdomain: ask a
  root server for the name, then ask the server it refers you to, and so on
  down until you get an authoritative answer. (`dig +trace` performs this
  sequence of queries for you.)