Agenda: dns-delegation-exercise-inst-is-slave.txt

File dns-delegation-exercise-inst-is-slave.txt, 8.1 KB (added by admin, 5 years ago)
                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root,
for example: MYTLD

You will create a master nameservice on your own machine, and you will get
secondary service from the instructor, provided by "auth1.grpYYY.dns.nsrc.org"
(YYY is the group of the instructor, which will be communicated in class).

Then you will ask the administrator for the domain above you (the root) to
delegate your domain to you - this is also the instructor.

Note: the following should be done as the "root" superuser - use sudo -s

Firstly, make sure that your hostname is configured correctly
on your machine.  Check it by using the 'hostname' command -
e.g. on auth1.grpXX.dns.nsrc.org, if you type:

 # hostname

You should see:

  auth1.grpXX.dns.nsrc.org

If not, then configure your server with its name: e.g. for
auth1.grp25.dns.nsrc.org, type:

 # hostname auth1.grp25.dns.nsrc.org

Remember to replace "grpXX" with the proper group number!

Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf),
and update the "hostname":

  hostname="auth1.grpXX.dns.nsrc.org"

In the file /etc/hosts, you should see a line:

  10.10.X.1   auth1.grpXX auth1.grpXX.dns.nsrc.org

Exercise
--------

*   Choose a new domain, write it down somewhere

    e.g.: "MYTLD" or "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain)

    This could for example be the name of your country code, country name,
    company name, etc...  but REMEMBER that someone might pick the same name!
    First come, first served.

*   If we are using the web interface for registration (RZM):

    Register your new domain using the classroom root zone manager at
    https://rzm.dnssek.org/

    Username is your MYTLD
    Password is up to you but you must remember it for later exercises.
    Click the "Signup" button.

    The next page is an example of a two-factor security system. Unless
    told by the instructor, leave the "verification code" field blank and
    simply click "Proceed".  You will be able to return to this page
    later to configure your security token (e.g. Google Authenticator)
    if desired.

    Click logout on the next page.  You will fill the information in later.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to update
    the XXX with your IP:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 2m
@       IN      SOA     auth1.grpXX.dns.nsrc.org. your.email.address. (
                        2012022301    ; Serial - replace 20120223 with the date
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative

        IN      NS      auth1.grpXXX.dns.nsrc.org.   ; master
        IN      NS      auth1.grpYYY.dns.nsrc.org.   ; slave at instructor

www     IN      A       10.10.XXX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address, so that
    user@domain.name becomes user.domain.name

    XXX and YYY are the group numbers of your machine and of your slave,
    respectively (they appear in both the hostname and the IP address).

    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    might use higher values.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If it is still there, REMOVE the following line:

         listen-on { 127.0.0.1; };

    ... and add another line in the options section:

        allow-query { any; };

    ... so that your nameserver will now answer queries from the network
    (this is fine for an authoritative-only server like this one; do not
    also open recursion to arbitrary clients, or you create an open resolver)

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
      };

    Pay attention to the ';' and '}' !

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *

*   If we are not using the web interface for registration of domain names:

    Tell the instructor managing grpYYY that you need secondary service for
    your domain - tell them the domain and tell them what your group number is.

    For instance, if the domain is "COCONUT", and you are Group 5, you
    should write on a piece of paper

COCONUT. NS  auth1.grp5.dns.nsrc.org.
COCONUT. NS  auth1.grpYYY.dns.nsrc.org.   (YYY = the group of the instructor)

    And give this to the instructor managing grpYYY

*   If this is not already done, enable named in your server's configuration,
    by editing the file /etc/rc.conf and adding:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    - Then start/restart named with

        # service named restart

    Check the result with

        # tail /var/log/messages

    Verify with dig that MYTLD is now configured on your host:

        # dig @10.10.XX.1 MYTLD. NS

    Where "XX" is the group number of your machine.

    You can also check the nameserver status using rndc:

        # rndc status

    - If there are any errors, correct them. Some configuration errors can
      cause the daemon to die completely, in which case you may have to
      start it again after correcting the problem:

        # service named restart

*   Check that you and the instructor slave at grpYYY are giving authoritative
    answers for your domain:

        # dig +norec @10.10.XXX.230 MYTLD. SOA
        # dig +norec @10.10.YYY.230 MYTLD. SOA

    Check that you get an AA (authoritative answer) from both, and that
    the serial numbers match.

203
204*   Now you are ready to request delegation:
205
206    a) if using the RZM:
207
208    Go to https://rzm.dnssek.org/
209
210    Login using the Username/Password you used at the begining
211    of the exercise. Click "Proceed"
212
213    Enter your nameserver, e.g., auth1.grpXX.ws.nsrc.org
214    and IP address for it, e.g., 10.10.X.1
215
216    Click "Update".  If all goes well, your entry should
217    show up with a document icon next to it indicating it checked
218    out and has been inserted into the root zone file.
219
220    You should also see and entry with an "eye" icon indicating
221    that another server, your slave server, was noticed.
222    If the slave entry looks correct,e.g., it is auth2.grpYY.ws.nsrc.org,
223    click on the "eye" to get a "check" mark and then click
224    "Update" to also send this to the root.
225
226    b) if not using the RZM:
227
228    Indicate to the instructor, on a piece of paper:
229
230
231        Domain name:          ___________________
232
233        Master nameserver:    auth1.grp___.dns.nsrc.org
234
235        Slave nameserver:     auth1.grp___.dns.nsrc.org
236
237*   You will not get delegation until the instructor has checked:
238
239    - Your nameservers are all authoritative for your domain
240    - They all have the same SOA serial number
241    - The NS records within the zone match the list of servers you are
242      requesting delegation for
243    - The slave(s) are across the room from you :)
244
245    => This is called policy!
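
    The "AA from both, serials match" check above and the first two items the
    instructor verifies can be scripted. The script below is an added example,
    not part of the original exercise: it parses saved `dig +norec` output for
    the AA flag and the SOA serial. The sample dig output, group number 5, the
    contact user.example.net, and the function and file names are all assumptions.

```shell
#!/bin/sh
# Added example, not part of the original exercise: a pre-delegation check
# that mirrors what the instructor verifies before delegating MYTLD. It parses
# "dig +norec ... MYTLD. SOA" output for the AA flag and the SOA serial.
# In class, feed it real captures (hypothetical file names):
#   dig +norec @10.10.XXX.230 MYTLD. SOA >master.txt
#   dig +norec @10.10.YYY.230 MYTLD. SOA >slave.txt
#   delegation_ready "$(cat master.txt)" "$(cat slave.txt)"

# Print the SOA serial (7th field of the SOA answer line) from dig output on stdin.
soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }'
}

# Exit 0 only if the ";; flags:" line carries "aa" (authoritative answer).
is_authoritative() {
    awk '/^;; flags:/ { for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "aa") ok = 1 } }
         END { exit ok ? 0 : 1 }'
}

# Apply the exercise's two checks to a master/slave pair of dig outputs:
# both must answer with AA and both serials must match. Returns 0 when ready.
delegation_ready() {
    printf '%s\n' "$1" | is_authoritative || { echo "master: no AA flag" >&2; return 1; }
    printf '%s\n' "$2" | is_authoritative || { echo "slave: no AA flag" >&2; return 1; }
    ms=$(printf '%s\n' "$1" | soa_serial)
    ss=$(printf '%s\n' "$2" | soa_serial)
    if [ -z "$ms" ] || [ "$ms" != "$ss" ]; then
        echo "serial mismatch: master=$ms slave=$ss" >&2; return 1
    fi
    echo "ready: both authoritative, serial $ms"
}

# Constructed stand-in for dig output so the script runs offline; only the
# lines the checks read are reproduced (group 5 and the contact are made up).
fake_dig() {
    printf ';; flags: %s; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0\n\n' "$1"
    printf ';; ANSWER SECTION:\n'
    printf 'MYTLD.\t120\tIN\tSOA\tauth1.grp5.dns.nsrc.org. user.example.net. %s 600 300 2419200 120\n' "$2"
}

delegation_ready "$(fake_dig 'qr aa' 2012022301)" "$(fake_dig 'qr aa' 2012022301)"        # ready
delegation_ready "$(fake_dig 'qr aa' 2012022302)" "$(fake_dig 'qr aa' 2012022301)" || :   # slave has stale serial
delegation_ready "$(fake_dig 'qr aa' 2012022301)" "$(fake_dig 'qr ra' 2012022301)" || :   # slave not authoritative
```

    The same comparison applies to the last step of the exercise: after you bump
    the serial, the master and slave outputs only agree again once the slave has
    transferred the new zone.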

*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine
    - On someone else's machine (who is not slave for you):

        # dig @10.10.XXX.230 www.MYTLD       (where MYTLD is your domain)

*   Add a new resource record to your zone file. Remember to update the
    serial number. Check that your slaves have updated. Try resolving this
    new name.