File dns-delegation-exercise.2.txt, 6.8 KB (added by admin, 7 years ago)

                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root,
for example: MYTLD

You will create a master nameservice on your own machine, and someone else
will provide slave service. Then you will ask the administrator of the
domain above you (here, the root zone) to delegate your domain to you.

Note: the following should be done as the "root" superuser.

Firstly, make sure that your hostname is configured correctly
on your machine.  Check it with the 'hostname' command - e.g. on
master.grpXX.ws.nsrc.org, if you type:

 # hostname

You should see:

  master.grpXX.ws.nsrc.org

If not, then configure your server with its name: e.g. for
master.grp25.ws.nsrc.org, type:

 # hostname master.grp25.ws.nsrc.org

Remember to replace "grpXX" with the proper group number!

The 'hostname' command only changes the running system. To make the name
persist across reboots, edit the file /etc/rc.conf (using "vi" or "ee",
i.e.: ee /etc/rc.conf), and update the "hostname" line:

  hostname="master.grpXX.ws.nsrc.org"

In the file /etc/hosts, you should see a line (X is your group number):

  10.10.X.1   master.grpXX master.grpXX.ws.nsrc.org


Exercise
--------

*   Choose a new domain, write it down somewhere

    i.e.: "MYTLD" or "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `master.grpXX`, as your domain)

    This could for example be your country code, country name,
    company name, etc...  but REMEMBER that someone might pick the same name!
    First come, first served.

*   Find someone who will agree to be slave for your domain. Please find
    someone on a different table than you (Remember RFC 2182: secondaries
    should be on different networks and at different sites, so that one
    failure cannot take out all of them; here we work on a flat net, so a
    different table is the best we can do). You can have more than one
    slave if you wish.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to update
    the XXX with your group number:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 10m
@       IN      SOA     master.grpXXX.ws.nsrc.org. your.email.address. (
                        2011021601    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        10m )         ; Negative

        IN      NS      master.grpXXX.ws.nsrc.org.   ; master
        IN      NS      master.grpYYY.ws.nsrc.org.   ; slave

www     IN      A       10.10.XXX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home e-mail address written
    as a domain name: the "@" becomes a "." and the name ends with a
    trailing dot (RFC 1035, section 3.3.13), so user@example.org is
    written `user.example.org.`. A literal "@" does not belong in this
    field.

    XXX and YYY are the group numbers of your machine and of your slave's
    machine respectively (the same number that appears as grpXX above, and
    as the third octet of the 10.10.XXX.1 address).

    We have purposely chosen low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    would use higher values. The serial is conventionally YYYYMMDDnn; it
    must go up on every change, because slaves only transfer the zone when
    they see a higher serial than the one they hold.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If it is still there, REMOVE the following line:

         listen-on { 127.0.0.1; };

    ... and add another line in the options section:

        allow-query { any; };

    ... so that your nameserver will now answer queries from the network.

      Note: BIND recurses by default, so this also lets anyone on the
      network use your server as a recursive resolver (an "open resolver").
      That is fine in the classroom; on a real server, limit recursion to
      your own networks with allow-recursion, or set "recursion no;" on a
      purely authoritative server.

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
      };

    Pay attention to the ';' and '}' !

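    The same options and zone stanza with the settings a practitioner would
    add before putting this server on a real network, as an added example:
    this is not the exercise's own named.conf, and 10.10.XXX.0/24 and
    10.10.YYY.1 are the exercise's placeholders for your own subnet and your
    slave, not real hosts. The classroom setting is shown commented out
    beside its replacement; add the lines to the existing options section
    rather than creating a second one.

```conf
options {
        // Classroom setting from the exercise: answer everyone and, since
        // BIND recurses by default, recurse for everyone too (open resolver).
        // allow-query { any; };

        // Hardened: still answer everyone (authoritative data is public),
        // but only recurse for localhost and your own subnet, so outsiders
        // cannot use this host for amplification or cache-poisoning.
        allow-query     { any; };
        allow-recursion { 127.0.0.1; 10.10.XXX.0/24; };

        // Default for every zone: nobody may transfer (AXFR) it.
        // The master zone below overrides this for its slave.
        allow-transfer  { none; };
};

zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
        // Only the slave may copy the whole zone. Without this, anyone on
        // the network can dump it with: dig @10.10.XXX.1 MYTLD. AXFR
        allow-transfer  { 10.10.YYY.1; };
};
```

    After changing this, run named-checkconf and restart named as in the
    steps below; a slave that is not listed in allow-transfer will log a
    transfer failure rather than loading the zone.
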
*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *

*   If this is not already done, enable named in your server's configuration,
    by editing the file /etc/rc.conf and adding:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    (named_chrootdir="" turns off the chroot that FreeBSD enables by
    default, so that the /etc/namedb paths in this exercise are simple to
    work with. On a production server, keep the chroot.)

    - Then start/restart named with

        # /etc/rc.d/named restart

    Check the result with

        # tail /var/log/messages

    Verify with dig that MYTLD is now configured on your host:

        # dig @localhost MYTLD. NS

    You can also check the nameserver status using rndc:

        # rndc status

    - If there are any errors, correct them. Some configuration errors can
      cause the daemon to die completely, in which case you may have to
      start it again:

        # /etc/rc.d/named restart

*   Assist your slaves to configure themselves as slave for your domain, and
    configure yourself as a slave if asked to do so by another table.

    The instructions for how to do this are not complicated, but here's a hint:

      zone "MYTLD" {
         type slave;
         masters { 10.10.XXX.1; };
         file "/etc/namedb/slave/MYTLD";
      };

    ... where XXX is the group number of the MASTER for the zone (the group
    that asked you to be their slave), not your own group, and MYTLD is
    their domain. The slave fetches the zone from that master by zone
    transfer (AXFR) and writes its copy to the file named above, so the
    directory /etc/namedb/slave must exist and be writable by the user
    named runs as.

    Remember, you will also need to be a slave for someone else's zone!

    When you have changed your `named.conf` so that you are a slave for
    someone else, make sure there are no errors in `/var/log/messages` after
    you restart your nameserver.

*   Check that you and your slaves are giving authoritative answers for
    your domain:

        # dig +norec @10.10.XXX.1 MYTLD. SOA
        # dig +norec @10.10.YYY.1 MYTLD. SOA

    Check that you get an AA (authoritative answer) from both - "aa" must
    appear in the "flags:" line of the dig output - and that the serial
    numbers in the two SOA records match. (+norec asks the server not to
    recurse, so a server that is not authoritative cannot hide that fact by
    looking the answer up elsewhere.)

*   Now you are ready to request delegation: indicate to the instructor,
    on a piece of paper:


        Domain name:          ___________________

        Master nameserver:    master.grp___.ws.nsrc.org

        Slave nameserver:     master.grp___.ws.nsrc.org


*   You will not get delegation until the instructor has checked:

    - Your nameservers are all authoritative for your domain
    - They all have the same SOA serial number
    - The NS records within the zone match the list of servers you are
      requesting delegation for
    - The slave(s) are not on the same side of the room as you :)

        => This is called policy!

*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine
    - On someone else's machine (who is not slave for you):

  # dig @10.10.XXX.1 www.MYTLD.       (where MYTLD is your domain and XXX is
                                       the group number of the machine you
                                       are testing from)

    The point is to ask a nameserver that is NOT authoritative for MYTLD,
    so that the answer can only arrive via the delegation from the root;
    asking your own master or one of your slaves directly proves nothing
    about the delegation. To see the path from the root down to your
    server, you can also run:

  # dig +trace www.MYTLD.

*   Add a new resource record to your zone file. Remember to update the
    serial number, then tell named to reload the zone:

  # rndc reload MYTLD

    Check that your slaves have updated: compare the SOA serial returned by
    "dig +norec @10.10.YYY.1 MYTLD. SOA" with your own. The master sends a
    NOTIFY to the zone's NS records on reload; otherwise the slave picks
    the change up at its next refresh (10 minutes here). Try resolving the
    new name.
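
    As an added example (not part of the exercise), a small POSIX sh script
    that performs the instructor's pre-delegation checks from the list
    above and the "did my slaves pick up the new serial?" check from the
    last step, against the real servers. It assumes dig is installed, that
    the servers are reachable, and that each NS hostname resolves to its
    10.10.X.1 address; the dig outputs embedded at the bottom are
    constructed samples for offline testing, not captured from the
    classroom.

```sh
#!/bin/sh
# Added example, not part of the NSRC exercise: automate the checks the
# instructor makes before delegating a zone (every listed nameserver answers
# authoritatively, the serials agree, the zone's NS RRset matches the request)
# and the serial comparison used to confirm that slaves have updated.
# Assumptions not taken from the exercise: 'dig' is installed, the servers
# are reachable, and each NS hostname resolves to its 10.10.X.1 address.

# parse_soa DIGTEXT
#   Reads the text of one 'dig +norec @server ZONE SOA' run and prints
#   "SERIAL FLAG": FLAG is "aa" if the authoritative-answer bit was set,
#   "noaa" otherwise; SERIAL is "-" if no SOA record came back.
parse_soa() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            f = $0; sub(/^;; flags:/, "", f); sub(/;.*/, "", f)
            aa = ((" " f " ") ~ / aa /) ? "aa" : "noaa"
        }
        $1 !~ /^;/ && $4 == "SOA" { serial = $7 }   # skip ";" comment lines
        END {
            printf "%s %s\n", (serial == "" ? "-" : serial),
                              (aa == "" ? "noaa" : aa)
        }'
}

# check_consistency LINES
#   LINES holds one "SERIAL FLAG" line per server (as printed by parse_soa).
#   Succeeds only if every server answered authoritatively with the same
#   serial, which is what the instructor requires before delegating.
check_consistency() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }                          # ignore blank lines
        { seen++ }
        $2 != "aa" || $1 == "-" { bad = 1 }       # not authoritative / no SOA
        ref == "" { ref = $1 }
        $1 != ref { bad = 1 }                     # serial differs from the first
        END { if (seen == 0 || bad) exit 1; exit 0 }'
}

# check_ns_set DIGTEXT NAME...
#   DIGTEXT is the output of 'dig +norec @server ZONE NS'. Succeeds only if
#   the NS names in the answer are exactly the NAMEs being requested for
#   delegation (a trailing dot is added to each NAME if missing).
check_ns_set() {
    out=$1; shift
    got=$(printf '%s\n' "$out" | awk '$1 !~ /^;/ && $4 == "NS" { print $5 }' | sort -u)
    want=$(for n in "$@"; do case $n in *.) echo "$n" ;; *) echo "$n." ;; esac; done | sort -u)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# check_delegation ZONE NSNAME...
#   Live run against the real servers named in the delegation request.
check_delegation() {
    zone=$1; shift
    soa_lines=""
    for ns in "$@"; do
        ip=$(dig +short "$ns" A | head -n 1)
        [ -n "$ip" ] || { echo "cannot resolve $ns"; return 1; }
        line=$(parse_soa "$(dig +norec "@$ip" "$zone." SOA)")
        echo "$ns ($ip): $line"
        soa_lines="$soa_lines$line
"
    done
    check_consistency "$soa_lines" \
        || { echo "FAIL: a server is not authoritative, or serials differ"; return 1; }
    # The NS RRset is read from the last server queried ($ip); the serials
    # already agree, so every server holds the same zone content.
    check_ns_set "$(dig +norec "@$ip" "$zone." NS)" "$@" \
        || { echo "FAIL: NS records in $zone do not match the requested servers"; return 1; }
    echo "OK: $zone is ready for delegation"
}

# Constructed sample dig output (not captured from a real server), trimmed
# to the lines the parsers look at, so the checks can be exercised offline.
SAMPLE_SOA_OK=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;MYTLD.                 IN      SOA
;; ANSWER SECTION:
MYTLD.  600  IN  SOA  master.grp25.ws.nsrc.org. hostmaster.MYTLD. 2011021601 600 300 2419200 600'
# A slave that has not yet transferred the new zone: serial one behind.
SAMPLE_SOA_STALE=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
MYTLD.  600  IN  SOA  master.grp25.ws.nsrc.org. hostmaster.MYTLD. 2011021600 600 300 2419200 600'
# A caching resolver answering from its cache: right serial, but no aa flag.
SAMPLE_SOA_NOAA=';; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
MYTLD.  412  IN  SOA  master.grp25.ws.nsrc.org. hostmaster.MYTLD. 2011021601 600 300 2419200 600'
SAMPLE_NS=';; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
MYTLD.  600  IN  NS  master.grp25.ws.nsrc.org.
MYTLD.  600  IN  NS  master.grp30.ws.nsrc.org.
master.grp25.ws.nsrc.org.  600  IN  A  10.10.25.1
master.grp30.ws.nsrc.org.  600  IN  A  10.10.30.1'

# Usage: sh check-delegation.sh MYTLD master.grp25.ws.nsrc.org master.grp30.ws.nsrc.org
if [ $# -ge 2 ]; then
    check_delegation "$@"
fi
```

    Run it with your zone and the NS names from the delegation request, from
    a machine that is neither master nor slave for the zone. A "noaa"
    result for a server means it is not serving the zone at all (check
    named.conf and /var/log/messages there); a serial mismatch after you
    have bumped the serial means the slave has not transferred yet.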