DNS Exercise 4: Delegating a subdomain
======================================

In this exercise, you will *delegate* a subdomain of your own domain.

In order to keep things simple, it will work like this: each machine will
delegate a subdomain to the next PC along (which will be the master) and the
next one after that (which will be the slave).

Example:

* Let's say you are `ws6.ws3.conference.sanog.org` and have domain
  `bhutan.ws3.conference.sanog.org` already set up

* You will pick a subdomain, let's say `ilove.bhutan.ws3.conference.sanog.org`

* You will delegate this subdomain to ws7 and ws8
  (ws7 is the master and ws8 is the slave. In practice, when you are
  delegating it doesn't really matter which is master, because all
  authoritative nameservers appear the same to the outside world)

* Because you are a conscientious domain owner, you won't add the delegation
  to ws7 and ws8 until they have correctly set up their authoritative
  nameservice for the domain, and you've tested it.

Now, because this pattern is repeated by everyone else in the class, it also
means that:

* You will receive delegation for a domain from ws5 (for which you will
  be the master)

* You will receive delegation for another domain from ws4 (for which you
  will be slave, with ws5 as the master)

So you will be doing three different jobs: you will have to set yourself up
as master for the domain delegated from ws5, as slave for the domain
delegated from ws4, and delegate a subdomain of yours to ws7 and ws8.

This means that a lot will be going on at once - so please follow the
worksheet carefully!

--------------------------------------------------------------------------

Exercise parameters
-------------------

To start, please fill in the blanks numbered (1) to (5). If it's not clear
to you what needs to be done, please ask.

>     (1) My machine is: ws______.ws3.conference.sanog.org
>
>     (2) I control domain: _______________.ws3.conference.sanog.org
>
>         (this is the domain you set up in the previous exercise, for which
>         your machine is the master)
>
>     (3) I am going to delegate this subdomain:
>
>         _______________._______________.ws3.conference.sanog.org
>                               (2)
>
>         and I am going to delegate it to:
>
>     (4) ws______.ws3.conference.sanog.org (= myws+1) [master]
>
>     (5) ws______.ws3.conference.sanog.org (= myws+2) [slave]
>
>     Wrap around to ws1 and/or ws2 if you run past the highest-numbered
>     PC in the class

Once you have done this, copy fields (1)-(5) from the worksheet for the
machine numbered ONE BELOW YOU into fields (6)-(10) here. If you are ws1,
then the machine "below" you is the highest-numbered machine in the class.

>     (6) Their machine is: ws______.ws3.conference.sanog.org (= myws-1)
>
>     (7) They control domain: _______________.ws3.conference.sanog.org
>
>     (8) They are going to delegate this subdomain:
>
>         _______________._______________.ws3.conference.sanog.org
>                               (7)
>
>         and they are going to delegate it to:
>
>     (9) ws______.ws3.conference.sanog.org (= myws) [master] **
>
>     (10) ws______.ws3.conference.sanog.org (= myws+1) [slave]

Next, copy fields (1)-(5) from the machine TWO BELOW YOU into fields
(11)-(15).

>     (11) Their machine is: ws______.ws3.conference.sanog.org (= myws-2)
>
>     (12) They control domain: _______________.ws3.conference.sanog.org
>
>     (13) They are going to delegate this subdomain:
>
>         _______________._______________.ws3.conference.sanog.org
>                               (12)
>
>         and they are going to delegate it to:
>
>     (14) ws______.ws3.conference.sanog.org (= myws-1) [master]
>
>     (15) ws______.ws3.conference.sanog.org (= myws) [slave] **

--------------------------------------------------------------------------

Step 1: Set up as master for domain (8)
---------------------------------------

You are going to be master for the domain given in (8). So the first step is
to create a zonefile for this domain:

    # vi /etc/namedb/master/__________.__________.ws3.conference.sanog.org
                                       (8)

... create the file with the following contents:

>     $TTL 10m
>     @       IN SOA  ws_____.ws3.conference.sanog.org. yourname.example.com. (
>                     (9)
>                     2006050800
>                     10m
>                     10m
>                     4w
>                     10m )
>
>             IN NS   ws_____.ws3.conference.sanog.org.
>                     (9)
>             IN NS   ws_____.ws3.conference.sanog.org.
>                     (10)
>
>     www     IN A    196.200.219.X   ; replace with your own IP

Replace "yourname.example.com." with your modified E-mail address as in the
previous exercise, and use the current YYYYMMDD00 as the serial number.

Now validate the zonefile you have created:

    # named-checkzone __________.__________.ws3.conference.sanog.org \
                      /etc/namedb/master/__________.__________.ws3.conference.sanog.org
                                 (8)                          (8)

If this reports any errors, then fix them. Next, edit
`/etc/namedb/named.conf` to configure bind as master for that zone using
the zonefile you have created:

    # vi /etc/namedb/named.conf

... add this entry:

>     zone "__________.__________.ws3.conference.sanog.org" {
>                     (8)
>         type master;
>         file "master/__________.__________.ws3.conference.sanog.org";
>                               (8)
>         allow-transfer { 196.200.219.Y; };
>     };

Replace 196.200.219.Y with the IP address of machine (10), which is going to
be slave for this zone. (`allow-transfer` controls who may pull a full copy
of the zone with AXFR, so list only your slave there.)

Then validate your modified configuration file:

    # named-checkconf

Again, if this reports any errors then fix them. Now get your nameserver to
reload its conf file and your new zone:

    # rndc reload
    # tail /var/log/messages

Once again, check for any errors and fix them. Finally, test that your
machine is giving out authoritative answers:

    # dig +norec @196.200.219.X __________.__________.ws3.conference.sanog.org. soa
                                          (8)

replacing 196.200.219.X with your own IP address. Check that you get a SOA
response with the expected serial number, and that the AA flag is present.

Good - you are halfway to getting delegation for this domain (it won't be
done until your slave is set up properly).

Step 2: Set up as slave for domain (13)
---------------------------------------

The PC below you has set itself up as master for the domain you wrote in
(13), and will expect you to be the slave.

So now edit `/etc/namedb/named.conf` to enable yourself as slave for this
domain:

    # vi /etc/namedb/named.conf

... add this entry:

>     zone "__________.__________.ws3.conference.sanog.org" {
>                     (13)
>         type slave;
>         file "slave/__________.__________.ws3.conference.sanog.org";
>                              (13)
>         masters { 196.200.219.W; };
>     };

Replace 196.200.219.W with the IP address of the master, the machine listed in
space (14).

Now validate your modified configuration file:

    # named-checkconf

If this reports any errors then fix them. Now get your nameserver to reload
its conf file:

    # rndc reload
    # tail /var/log/messages

Once again, check for any errors and fix them.

If the machine below you has already set itself up as master, then the
zone transfer should take place within a few seconds. You can check this has
happened by looking in `/var/log/messages` again, and checking whether the
slave zone file has been created:

    # ls /etc/namedb/slave

If not, then either the machine below you has not finished setting
itself up as master for the domain, or else it has not permitted
access to your IP address to allow you to copy the zone. You can check using
these commands:

    # dig +norec @196.200.219.W __________.__________.ws3.conference.sanog.org. soa
                          (14)                 (13)

    # dig @196.200.219.W __________.__________.ws3.conference.sanog.org. axfr
                   (14)                 (13)

The first should show you the SOA record with the correct serial number; the
second should show you the entire contents of their zone file. If these are
OK, then the zone transfer should take place within a few minutes.

Step 3: Test before delegation of domain (3)
--------------------------------------------

You are now about to delegate the domain you chose in (3) to the machines
listed in (4) and (5); here you are acting in the role of a domain registry.

However, before you perform this delegation, you should check that they are
both set up correctly, especially that they are both authoritative for the
domain in question. Otherwise, you would be creating a lame delegation:
resolvers would be referred to servers that do not answer authoritatively
for the zone, and lookups within it would fail.

Test the master using the following command:

    # dig +norec @ws_____.ws3.conference.sanog.org. __________.__________.ws3.conference.sanog.org. soa
                   (4)                                          (3)

Check:

* Is the response authoritative? (Flag AA)
* Does the SOA record list the correct PC as the master?
* Are the nameserver (NS) records in the Authority section correct? There
  should be two NS records, one giving the hostname of the master (4) and
  one the hostname of the slave (5)
* Make a note of the zone serial number

And then test the slave:

    # dig +norec @ws_____.ws3.conference.sanog.org. __________.__________.ws3.conference.sanog.org. soa
                   (5)                                          (3)

Check:

* Is the response authoritative? (Flag AA)
* Does the zone serial number match that given by the master?
* Are the nameserver (NS) records in the Authority section correct?

If any of these checks fail, explain what the problem was to the owners of
those machines. Don't proceed until they have fixed the problems - and make
sure you have *re-tested* the servers to ensure the problems really have
been fixed.

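The two checklists above, together with the serial/AA test at the end of Step 1, can be applied mechanically to what `dig` prints. The following is an added example and not part of the original worksheet: it parses the text of a `dig +norec @server zone soa` answer for the prospective master and slave and reports every reason not to delegate yet. The names `parse_dig`, `check_server`, `check_delegation` and `sample_reply` are mine, the zone and server names are the worksheet's ws6/ws7/ws8 running example, and the dig output it runs on is constructed (a correct answer, a slave that has not yet transferred the latest serial, and a REFUSED answer from a server that is not authoritative at all).

```python
import re

# Names from the worksheet's running example: ws6 delegating ilove.bhutan to ws7 (master) and ws8 (slave).
ZONE = "ilove.bhutan.ws3.conference.sanog.org."
MASTER = "ws7.ws3.conference.sanog.org."
SLAVE = "ws8.ws3.conference.sanog.org."


def parse_dig(text):
    """Pull the status, header flags and per-section records out of dig's text output."""
    reply = {"status": None, "flags": set(), "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            reply["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            # ";; flags: qr aa; QUERY: 1, ..." -> {"qr", "aa"}
            reply["flags"] = set(line[len(";; flags:"):].split(";", 1)[0].split())
        elif line.endswith("SECTION:"):
            section = line.strip(";: ").split()[0]  # "QUESTION", "ANSWER", "AUTHORITY", ...
            reply["sections"][section] = []
        elif line and not line.startswith(";") and section:
            parts = line.split()  # owner TTL class type rdata...
            reply["sections"][section].append({"name": parts[0], "type": parts[3], "rdata": parts[4:]})
    return reply


def check_server(dig_text, zone, server, expected_ns):
    """Apply the worksheet's per-server checks; return (problems, SOA rdata or None)."""
    reply = parse_dig(dig_text)
    problems = []
    if reply["status"] != "NOERROR":
        problems.append(f"{server}: status {reply['status']}, expected NOERROR")
    if "aa" not in reply["flags"]:
        problems.append(f"{server}: answer is not authoritative (no AA flag)")
    soa = [r for r in reply["sections"].get("ANSWER", []) if r["type"] == "SOA" and r["name"] == zone]
    if not soa:
        problems.append(f"{server}: no SOA record for {zone} in the answer")
    # The worksheet asks for the NS set in the Authority section specifically.
    ns = {r["rdata"][0] for r in reply["sections"].get("AUTHORITY", []) if r["type"] == "NS" and r["name"] == zone}
    if ns != set(expected_ns):
        problems.append(f"{server}: NS records {sorted(ns)} != expected {sorted(expected_ns)}")
    return problems, (soa[0]["rdata"] if soa else None)


def check_delegation(master_text, slave_text, zone, master, slave):
    """Return the list of reasons NOT to delegate yet; an empty list means go ahead."""
    expected_ns = {master, slave}
    problems, master_soa = check_server(master_text, zone, master, expected_ns)
    more, slave_soa = check_server(slave_text, zone, slave, expected_ns)
    problems += more
    # SOA rdata layout: mname rname serial refresh retry expire minimum
    if master_soa and master_soa[0] != master:
        problems.append(f"SOA MNAME is {master_soa[0]}, but {master} is meant to be the master")
    if master_soa and slave_soa and master_soa[2] != slave_soa[2]:
        problems.append(f"serial mismatch: master {master_soa[2]}, slave {slave_soa[2]}")
    return problems


def sample_reply(server, serial):
    """Constructed sample of what dig prints for a correct authoritative SOA answer."""
    return f"""\
; <<>> DiG 9.16.1 <<>> +norec @{server} {ZONE} soa
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;{ZONE}\t\tIN\tSOA

;; ANSWER SECTION:
{ZONE} 600 IN SOA {MASTER} yourname.example.com. {serial} 600 600 2419200 600

;; AUTHORITY SECTION:
{ZONE} 600 IN NS {MASTER}
{ZONE} 600 IN NS {SLAVE}
"""


# Constructed sample: a server that is not configured for the zone refuses the non-recursive query.
LAME_REPLY = f"""\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;{ZONE}\t\tIN\tSOA
"""

if __name__ == "__main__":
    for name, slave_text in [("ready", sample_reply(SLAVE, 2006050800)),
                             ("stale", sample_reply(SLAVE, 2006050700)),
                             ("lame", LAME_REPLY)]:
        print(name, check_delegation(sample_reply(MASTER, 2006050800), slave_text, ZONE, MASTER, SLAVE))
```

Run it as written to see the three outcomes; to use it against real servers, capture the two `dig` outputs from the worksheet commands into files and pass their contents to `check_delegation`. A non-empty list is the message to send to the owners of machines (4) and (5); delegate only when it comes back empty on a re-test.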
Step 4: Delegate domain (3)
---------------------------

This is the point at which you delegate the subdomain (3); all queries for
this subdomain will be referred to the servers (4) and (5).

Edit the zonefile for your domain (2):

    # vi /etc/namedb/master/__________.ws3.conference.sanog.org
                                (2)

... add these RRs:

>     __________  IN NS   ws_____.ws3.conference.sanog.org.
>         (3)               (4)
>                 IN NS   ws_____.ws3.conference.sanog.org.
>                           (5)

Note: in the space marked (3) you just put the *subdomain* you have chosen,
e.g.

>     ilove       IN NS   ws7.ws3.conference.sanog.org.
>                 IN NS   ws8.ws3.conference.sanog.org.

This is because the domain origin is added automatically (e.g. if the
zonefile is for `bhutan.ws3.conference.sanog.org` then `ilove` becomes
`ilove.bhutan.ws3.conference.sanog.org`).

You must also _increment_ the serial number in the SOA record at the top of
the zone file; this must be done after every zone file change, of course
(a slave decides whether to fetch the zone again by comparing serial
numbers, so an unchanged serial means an unchanged slave).

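The serial rule above (start from today's YYYYMMDD00, then strictly increase after every edit) is easy to get wrong by hand, and a serial that once went "into the future" by a typo can never be lowered again, because slaves compare serials with the wrap-around arithmetic of RFC 1982. The following is an added example, not part of the original worksheet: `next_serial` picks the next YYYYMMDDnn value that is guaranteed newer, `serial_is_newer` is the RFC 1982 comparison a slave applies, and `bump_zone_serial` rewrites the serial in a zone file laid out like the one in Step 1. The function names are mine, the zone text is a constructed sample using the worksheet's ws6/ws7/ws8 example with a made-up address, and the regular expression assumes the serial is the first number after the RNAME (a comment placed between them would defeat it).

```python
import datetime
import re

# Matches "IN SOA <mname> <rname> ( <serial>"; assumes the serial is the first number after rname.
SOA_SERIAL_RE = re.compile(r"IN\s+SOA\s+\S+\s+\S+\s*\(?\s*(\d+)")

SERIAL_MODULUS = 2 ** 32  # serials are 32-bit and compared with RFC 1982 serial arithmetic


def _as_date(today):
    """Accept a date, an ISO 'YYYY-MM-DD' string, or None (meaning today)."""
    if today is None:
        return datetime.date.today()
    if isinstance(today, str):
        return datetime.date.fromisoformat(today)
    return today


def next_serial(current, today=None):
    """Return the next YYYYMMDDnn-style serial that is strictly newer than `current`.

    Today's YYYYMMDD00 is used when it is larger than the current serial;
    otherwise (same day, or a serial that already lies in the future) the
    current value is bumped by one, so the serial keeps increasing.
    """
    todays_base = int(_as_date(today).strftime("%Y%m%d")) * 100
    if todays_base > current:
        return todays_base
    return (current + 1) % SERIAL_MODULUS


def serial_is_newer(new, old):
    """RFC 1982 comparison: `new` is newer than `old` if it is ahead by less than 2**31."""
    return 0 < (new - old) % SERIAL_MODULUS < 2 ** 31


def bump_zone_serial(zone_text, today=None):
    """Rewrite the SOA serial in zone_text; return (new_text, old_serial, new_serial)."""
    m = SOA_SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone file")
    old = int(m.group(1))
    new = next_serial(old, today)
    assert serial_is_newer(new, old)  # a slave would otherwise ignore the change
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], old, new


# Constructed sample: ws6's zone for bhutan.ws3.conference.sanog.org after adding the Step 4 delegation.
SAMPLE_ZONE = """\
$TTL 10m
@       IN SOA  ws6.ws3.conference.sanog.org. yourname.example.com. (
                2006050800
                10m
                10m
                4w
                10m )

        IN NS   ws6.ws3.conference.sanog.org.
        IN NS   ws7.ws3.conference.sanog.org.

www     IN A    196.200.219.6       ; made-up sample address

; delegation of the ilove subdomain to its master and slave
ilove   IN NS   ws7.ws3.conference.sanog.org.
        IN NS   ws8.ws3.conference.sanog.org.
"""

if __name__ == "__main__":
    text, old, new = bump_zone_serial(SAMPLE_ZONE, "2006-05-08")
    print(f"serial {old} -> {new}")
    print(text)
```

Pass the zone file's contents to `bump_zone_serial` before running `named-checkzone`; the `serial_is_newer` check is the same test you can use to answer the Additional Steps question about whether a slave will pick up your change, by comparing the serial the master returns with the one the slave returns.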
Save your changes, then validate your modified zone file:

    # named-checkzone __________.ws3.conference.sanog.org \
                      /etc/namedb/master/__________.ws3.conference.sanog.org
                      (2)                           (2)

If it's OK then reload:

    # rndc reload
    # tail /var/log/messages

That's it! Now all you need to do is to test the new subdomain by doing a
normal recursive lookup for a resource record within it, for example:

    # dig www.__________.__________.ws3.conference.sanog.org.
                    (3)

This test should work from anywhere on the Internet. The query will first be
referred to your nameservers, and then you will give out a referral to the
nameservers (4) and (5) which hold the data for this zone.

Step 5: Check you have received delegation for domain (8)
---------------------------------------------------------

Once you have got this far, you can check that you have received delegation
for the domain (8) which you are master for. That is, make sure your slave
is functioning correctly and has retrieved a copy of your zonefile, and talk
to the domain owner on machine (6) to request delegation. Work along with
them to ensure that any problems are ironed out. Once you have delegation,
test that your new domain works correctly.

Additional steps
----------------

If at any time you are being held up waiting for someone else to complete
their part, then help them out.

If you have completed everything successfully, then here are some additional
things you can do.

* Add some more resource records to the zone file for domain (8), which
  you control. Remember to increment the serial number.

  Check that your slave has copied your modified zone file. Question:
  how can you check that the slave has updated, (a) given console access
  to the slave machine itself, and (b) without any console access
  to that machine?

  Check that these new resource records work, by resolving them from
  some other machine (one which is neither master nor slave for the zone).

* Find someone else who has also finished. Ask them to act as a third
  nameserver (second slave) for your domain, for increased resilience.
  Note that you'll have to change the NS records within the zone, and
  you'll have to change the delegation from above to be consistent.

* Perform the 'dig +norec' test starting from the root servers, for
  `www._____._____.ws3.conference.sanog.org` within your subdomain.