DNS: dns4-exercise.txt

File dns4-exercise.txt, 13.7 KB (added by admin, 9 years ago)
DNS4 subdomain delegation

Line
1	DNS Exercise 4: Delegating a subdomain
2	======================================
3
4	In this exercise, you will delegate a subdomain of your own domain.
5
6	In order to keep things simple, it will work like this: each machine will
7	delegate a subdomain to the next PC along (which will be the master) and the
8	next one after that (which will be the slave).
9
10	Example:
11
12	* Let's say you are `ws6.ws3.conference.sanog.org` and have domain
13	`bhutan.ws3.conference.sanog.org` already set up
14
15	* You will pick a subdomain, let's say `ilove.bhutan.ws3.conference.sanog.org`
16
17	* You will delegate this subdomain to ws7 and ws8
18	(ws7 is the master and ws8 is the slave. In practice, when you are
19	delegating it doesn't really matter which is master, because all
20	authoritative nameservers appear the same to the outside world)
21
22	* Because you are a conscientious domain owner, you won't add the delegation
23	to ws7 and ws8 until they have correctly set up their authoritative
24	nameservice for the domain, and you've tested it.
25
26	Now, because this pattern is repeated by everyone else in the class, it also
27	means that:
28
29	* You will receive delegation for a domain from ws5 (for which you will
30	be the master)
31
32	* You will receive delegation for another domain from ws4 (for which you
33	will be slave, with ws5 as the master)
34
35	So you will be doing three different jobs: you will have to set yourself up
36	as master for the domain delegated from ws5, as slave for the domain
37	delegated from ws4, and delegate a subdomain of yours to ws7 and ws8.
38
39	This means that a lot will be going on at once - so please follow the
40	worksheet carefully!
41
42	--------------------------------------------------------------------------
43
44	Exercise parameters
45	-------------------
46
47	To start, please fill in the blanks numbered (1) to (5). If it's not clear
48	to you what needs to be done, please ask.
49
50	> (1) My machine is: ws______.ws3.conference.sanog.org
51	>
52	> (2) I control domain: _______________.ws3.conference.sanog.org
53	>
54	> (this is the domain you set up in the previous exercise, for which
55	> your machine is the master)
56	>
57	> (3) I am going to delegate this subdomain:
58	>
59	> _______________._______________.ws3.conference.sanog.org
60	> (2)
61	>
62	> and I am going to delegate it to:
63	>
64	> (4) ws______.ws3.conference.sanog.org (= myws+1) [master]
65	>
66	> (5) ws______.ws3.conference.sanog.org (= myws+2) [slave]
67	>
68	> Wrap around to ws1 and/or ws2 if you run past the highest-numbered
69	PC in the class
70
71	Once you have done this, copy fields (1)-(5) from the worksheet for the
72	machine numbered ONE BELOW YOU into fields (6)-(10) here. If you are ws1,
73	then the machine "below" you is the highest-numbered machine in the class.
74
75	> (6) Their machine is: ws______.ws3.conference.sanog.org (= myws-1)
76	>
77	> (7) They control domain: _______________.ws3.conference.sanog.org
78	>
79	> (8) They are going to delegate this subdomain:
80	>
81	> _______________._______________.ws3.conference.sanog.org
82	> (7)
83	>
84	> and they are going to delegate it to:
85	>
86	> (9) ws______.ws3.conference.sanog.org (= myws) [master] **
87	>
88	> (10) ws______.ws3.conference.sanog.org (= myws+1) [slave]
89
90	Next, copy fields (1)-(5) from the machine TWO BELOW YOU into fields
91	(11)-(15)
92
93	> (11) Their machine is: ws______.ws3.conference.sanog.org (= myws-2)
94	>
95	> (12) They control domain: _______________.ws3.conference.sanog.org
96	>
97	> (13) They are going to delegate this subdomain:
98	>
99	> _______________._______________.ws3.conference.sanog.org
100	> (12)
101	>
102	> and they are going to delegate it to:
103	>
104	> (14) ws______.ws3.conference.sanog.org (= myws-1) [master]
105	>
106	> (15) ws______.ws3.conference.sanog.org (= myws) [slave] **
107
108	--------------------------------------------------------------------------
109
110	Step 1: Set up as master for domain (8)
111	---------------------------------------
112
113	You are going to be master for the domain given in (8). So the first step is
114	to create a zonefile for this domain:
115
116	# vi /etc/namedb/master/__________.__________.ws3.conference.sanog.org
117	(8)
118	... create file with the following contents:
119
120	> $TTL 10m
121	> @ IN SOA ws_____.ws3.conference.sanog.org. yourname.example.com.
122	(
123	> (9)
124	> 2006050800
125	> 10m
126	> 10m
127	> 4w
128	> 10m )
129	>
130	> IN NS ws_____.ws3.conference.sanog.org.
131	> (9)
132	> IN NS ws_____.ws3.conference.sanog.org.
133	> (10)
134	>
135	> www IN A 196.200.219.X ; replace with your own IP
136
137	Replace "yourname.example.com." with your modified E-mail address as in the
138	previous exercise, and use the current YYYYMMDD00 as the serial number.
139
140	Now validate the zonefile you have created:
141
142	# named-checkzone __________.__________.ws3.conference.sanog.org
143	/etc/namedb/master/__________.__________.ws3.conference.sanog.org
144	(8)
145	(8)
146
147	If this reports any errors, then fix them. Next, edit
148	`/etc/namedb/named.conf` to configure bind as master for that zone using
149	the zonefile you have created:
150
151	# vi /etc/namedb/named.conf
152
153	... add this entry:
154
155	> zone "__________.__________.ws3.conference.sanog.org" {
156	> (8)
157	> type master;
158	> file "master/__________.__________.ws3.conference.sanog.org";
159	> (8)
160	> allow-transfer { 196.200.219.Y; };
161	> };
162
163	Replace 196.200.219.Y with the IP address of machine (10), which is going to
164	be
165	slave for this zone.
166
167	Then validate your modified configuration file:
168
169	# named-checkconf
170
171	Again, if this reports any errors then fix them. Now get your nameserver to
172	reload its conf file and your new zone:
173
174	# rndc reload
175	# tail /var/log/messages
176
177	Once again, check for any errors and fix them. Finally, test that your
178	machine is giving out authoritative answers:
179
180	# dig +norec @196.200.219.X __________.__________.ws3.conference.sanog.org. soa
181	(8)
182
183	replacing 196.200.219.X with your own IP address. Check that you get a SOA
184	response with the expected serial number, and the AA flag is present.
185
186	Good - you are half way to getting delegation for this domain (it won't be
187	done until your slave is set up properly)
188
189	Step 2: Set up as slave for domain (13)
190	---------------------------------------
191
192	The PC below you has set themselves up as master for the domain you wrote in
193	(13), and will expect you to be the slave.
194
195	So now edit `/etc/namedb/named.conf` to enable yourself as slave for this
196	domain:
197
198	# vi /etc/namedb/named.conf
199
200	... add this entry:
201
202	> zone "__________.__________.ws3.conference.sanog.org" {
203	> (13)
204	> type slave;
205	> file "slave/__________.__________.ws3.conference.sanog.org";
206	> (13)
207	> masters { 196.200.219.W; };
208	> };
209
210	Replace 196.200.219.W with the IP address of the master, the machine listed in
211	space (14).
212
213	Now validate your modified configuration file:
214
215	# named-checkconf
216
217	If this reports any errors then fix them. Now get your nameserver to reload
218	its conf file:
219
220	# rndc reload
221	# tail /var/log/messages
222
223	Once again, check for any errors and fix them.
224
225	If the machine below you has already set themselves up as master, then the
226	zone transfer should take place within a few seconds. You can check this has
227	happened by looking in `/var/log/messages` again, and checking whether the
228	slave zone file has been created:
229
230	# ls /etc/namedb/slave
231
232	If not, then either the machine below you has not finished setting
233	themselves up as master for the domain, or else they have not permitted
234	access to your IP address to allow you to copy the zone. You can check using
235	these commands:
236
237	# dig +norec @196.200.219.W __________.__________.ws3.conference.sanog.org. soa
238	(14) (13)
239
240	# dig @196.200.219.W __________.__________.ws3.conference.sanog.org. axfr
241	(14) (13)
242
243	The first should show you the SOA record with the correct serial number; the
244	second should show you the entire contents of their zone file. If these are
245	OK, then the zone transfer should take place within a few minutes.
246
247	Step 3: Test before delegation of domain (3)
248	--------------------------------------------
249
250	You are now about to delegate the domain you chose in (3) to the machines
251	listed in (4) and (5); here you are acting in the role of a domain registry.
252
253	However, before you perform this delegation, you should check that they are
254	both set up correctly, especially that they are both authoritative for the
255	domain in question. Otherwise, you would be creating a lame delegation,
256	which is not good.
257
258	Test the master using the following command:
259
260	# dig +norec @ws_____.ws3.conference.sanog.org. __________.__________.ws3.conference.sanog.org.
261	soa
262	(4) (3)
263
264	Check:
265
266	* Is the response authoritative? (Flag AA)
267	* Does the SOA record list the correct PC as the master?
268	* Are the nameserver (NS) records in the Authority section correct? There
269	should be two NS records, one giving the hostname of the master (4) and
270	one
271	the hostname of the slave (5)
272	* Make a note of the zone serial number
273
274	And then test the slave:
275
276	# dig +norec @ws_____.ws3.conference.sanog.org. __________.__________.ws3.conference.sanog.org.
277	soa
278	(5) (3)
279	Check:
280
281	* Is the response authoritative? (Flag AA)
282	* Does the zone serial number match that given by the master?
283	* Are the nameserver (NS) records in the Authority section correct?
284
285	If any of these checks fail, explain what the problem was to the owners of
286	those machines. Don't proceed until they have fixed the problems - and make
287	sure you have re-tested the servers to ensure the problems really have
288	been fixed.
289
290	Step 4: Delegate domain (3)
291	---------------------------
292
293	This is the point at which you delegate the subdomain (3); all queries for
294	this subdomain will be referred to the servers (4) and (5).
295
296	Edit the zonefile for your domain (2):
297
298	# vi /etc/namedb/master/__________.ws3.conference.sanog.org
299	(2)
300	... add these RRs
301
302	> __________ IN NS ws_____.ws3.conference.sanog.org.
303	> (3) (4)
304	> IN NS ws_____.ws3.conference.sanog.org.
305	> (5)
306
307	Note: in the space marked (3) you just put the subdomain you have chosen,
308	e.g.
309
310	> ilove IN NS ws7.ws3.conference.sanog.org.
311	> IN NS ws8.ws3.conference.sanog.org.
312
313	This is because the domain origin is added automatically (e.g. if the
314	zonefile is for `bhutan.ws3.conference.sanog.org` then `ilove` becomes
315	`ilove.bhutan.ws3.conference.sanog.org`)
316
317	You must also _increment_ the serial number in the SOA record at the top of
318	the zone file; this must be done after every zone file change of course.
319
320	Save your changes, then validate your modified zone file:
321
322	# named-checkzone __________.ws3.conference.sanog.org
323	/etc/namedb/master/__________.ws3.conference.sanog.org
324	(2) (2)
325	If it's OK then reload:
326
327	# rndc reload
328	# tail /var/log/messages
329
330	That's it! Now all you need to do is to test the new subdomain by doing a
331	normal recursive lookup for a resource record within it, for example:
332
333	# dig www.__________.__________.ws3.conference.sanog.org.
334	(3)
335
336	This test should work from anywhere on the Internet. The query will be first
337	referred to your nameservers, and then you will give out a referral to the
338	nameservers (4) and (5) which hold the data for this zone.
339
340	Step 5: Check you have received delegation for domain (8)
341	---------------------------------------------------------
342
343	Once you have got this far, you can check that you have received delegation
344	for the domain (8) which you are master for. That is, make sure your slave
345	is functioning correctly and has retrieved a copy of your zonefile; and talk
346	to the domain owner on machine (6) to request delegation. Work along with
347	them to ensure that any problems are ironed out. Once you have delegation,
348	test that your new domain works correctly.
349
350	Additional steps
351	----------------
352
353	If at any time you are being held up waiting for someone else to complete
354	their part, then help them out.
355
356	If you have completed everything successfully, then here are some additional
357	things you can do.
358
359	* Add some more resource records to the zone file for domain (8), which
360	you control. Remember to increment the serial number.
361
362	Check that your slave has copied your modified zone file. Question:
363	how can you check that the slave has updated: (a) given console access
364	onto the slave machine itself, and (b) without any console access
365	to that machine?
366
367	Check that these new resource records work, by resolving them from
368	some other machine (one which is neither master nor slave for the zone)
369
370	* Find someone else who has also finished. Ask them to act as a third
371	nameserver (second slave) for your domain, for increased resilience.
372	Note that you'll have to change the NS records within the zone, and
373	you'll have to change the delegation from above to be consistent.
374
375	* Perform the 'dig +norec' test starting from the root servers, for
376	`www._____._____.ws3.conference.sanog.org` within your subdomain
377