
File dns-delegation-exercise.txt, 8.4 KB (added by admin, 5 years ago)
                         DNS Exercise - Delegation
                         -------------------------

In this exercise, we will create a new TLD in our root,
for example: MYTLD

You will create a master nameserver on your own machine, and someone else
will provide slave service. Then you will ask the administrator of the
domain above you (the root) to delegate your domain to you.

Note: the following should be done as the "root" superuser - use sudo -s

Firstly, check that the hostname is configured correctly on your machine,
using the 'hostname' command - e.g. on auth1.grpXX.dns.nsrc.org, if you type:

 # hostname

You should see:

  auth1.grpXX.dns.nsrc.org

If not, then configure your server with its name: e.g. for
auth1.grp25.dns.nsrc.org, type:

 # hostname auth1.grp25.dns.nsrc.org

Remember to replace "grpXX" with the proper group number!

The hostname command only lasts until the next reboot, so also edit the
file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf) and update
the "hostname" line:

  hostname="auth1.grpXX.dns.nsrc.org"

In the file /etc/hosts, you should see a line:

  10.10.XX.1   auth1.grpXX auth1.grpXX.dns.nsrc.org

Exercise
--------

*   Choose a new domain, write it down somewhere

    i.e.: "MYTLD" or "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your domain)

    This could for example be your country code, country name,
    company name, etc...  but REMEMBER that someone might pick the same name!
    First come, first served.

*   If we are using the web interface for registration (RZM):

    Register your new domain using the classroom root zone manager at
    https://rzm.dnssek.org/

    Username is your MYTLD
    Password is up to you but you must remember it for later exercises.
    Click the "Signup" button.

    The next page is an example of two-factor authentication. Unless
    told otherwise by the instructor, leave the "verification code" field
    blank and simply click "Proceed".  You will be able to return to this
    page later to configure your security token (e.g. Google Authenticator)
    if desired.

    Click logout on the next page.  You will fill the information in later.

*   Find someone who will agree to be slave for your domain. Please find someone
    across the room from you (not at your table). (Remember RFC 2182: secondaries
    should be on separate networks so that one outage does not take down all of
    them; here we work on a flat network, so "across the room" stands in for
    that.) You can have more than one slave if you wish.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to replace
    XXX and YYY with the group numbers:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 2m
@       IN      SOA     auth1.grpXXX.dns.nsrc.org. your.email.address. (
                        2012022301    ; Serial - replace 20120223 with today's date
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative caching TTL

        IN      NS      auth1.grpXXX.dns.nsrc.org.   ; master
        IN      NS      auth1.grpYYY.dns.nsrc.org.   ; slave

www     IN      A       10.10.XXX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address, written
    the way the SOA RNAME field expects it: user@domain.name becomes
    user.domain.name. (keep the trailing dot).

    XXX is your own group number and YYY is your slave's; they appear both
    in the nameserver hostnames and in the 10.10.XXX.1 addresses.

    The serial must increase every time you change the zone, otherwise your
    slaves will not pick up the change; the YYYYMMDDnn form leaves two digits
    for several changes on the same day.

    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    might use higher values.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If it is still there, REMOVE the following line:

         listen-on { 127.0.0.1; };

    ... and add another line in the options section:

        allow-query { any; };

    ... so that your nameserver will now answer queries from the network.

      This server is authoritative-only: it should answer anyone for the
      zones it holds, but it must not recurse on their behalf. BIND
      recurses by default, so a server opened up like this without the
      "recursion" option set to no in the same options section becomes an
      open resolver.

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
      };

    Pay attention to the ';' and '}' !
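
    The two states of the options section worth catching after this edit
    are "still loopback-only" (nobody can reach you) and "opened up with
    recursion left at BIND's default" (open resolver). The script below is
    an added Python example, not part of the NSRC exercise; the three
    options blocks in it are constructed, and the function names
    (options_block, acl, yes_no, audit_named_conf) are this example's own.
    It reads named.conf the way a reviewer would and reports both states.

```python
import re

# Constructed named.conf fragments (not copied from a real server).
# STOCK: as FreeBSD ships it, listening on loopback only.
STOCK_CONF = """
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };
};
"""

# OPENED: the exercise's edit (listen-on removed, allow-query any added)
# with recursion left at BIND's default of yes.
OPENED_CONF = """
options {
    directory "/etc/namedb";
    allow-query { any; };   // answer the whole classroom
};
"""

# HARDENED: same, but the server only answers from the zones it holds.
HARDENED_CONF = """
options {
    directory "/etc/namedb";
    allow-query { any; };
    recursion no;
};

zone "MYTLD" {
    type master;
    file "/etc/namedb/master/MYTLD";
};
"""


def options_block(conf):
    """Return the text inside the top-level options { ... } block, with
    named.conf comments (//, #, /* */) removed; '' if there is none."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#)[^\n]*", "", conf)
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, start, i = 1, m.end(), m.end()
    while i < len(conf) and depth:              # walk to the matching brace
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[start:i - 1]


def acl(body, name):
    """Elements of an address-match list such as allow-query { any; };
    (simple form only, no 'port' clause); None if the option is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    if not m:
        return None
    return [x.strip() for x in m.group(1).split(";") if x.strip()]


def yes_no(body, name):
    """Value of a yes/no option, or None when it is not set."""
    m = re.search(r"\b%s\s+(yes|no)\s*;" % re.escape(name), body)
    return m.group(1) if m else None


def audit_named_conf(conf):
    """Findings for an authoritative-only server; [] means nothing to fix."""
    body = options_block(conf)
    findings = []
    if acl(body, "listen-on") == ["127.0.0.1"]:
        findings.append("listen-on is loopback only: nobody on the network can query")
    if acl(body, "allow-query") == ["any"] and yes_no(body, "recursion") != "no":
        findings.append("allow-query any without 'recursion no': open resolver")
    return findings


if __name__ == "__main__":
    for label, conf in [("stock", STOCK_CONF), ("opened", OPENED_CONF),
                        ("hardened", HARDENED_CONF)]:
        print(label, "->", audit_named_conf(conf) or "OK")
```

    Run it against your own /etc/namedb/named.conf after the edit; the
    HARDENED block is what the options section should look like for this
    exercise.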

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *

*   If this is not already done, enable named in your server's configuration,
    by editing the file /etc/rc.conf and adding:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    The empty named_chrootdir turns off the chroot jail that FreeBSD runs
    named in by default, so that the /etc/namedb paths above are used as-is.
    This is a classroom convenience; on a production server leave the chroot
    in place.

    - Then start/restart named with

        # service named restart

    Check the result with

        # tail /var/log/messages

    Verify with dig that MYTLD is now configured on your host:

        # dig @10.10.XX.1 MYTLD. NS

    Where "XX" is the group number of your machine.

    You can also check the nameserver status using rndc:

        # rndc status

    - If there are any errors, correct them. Some configuration errors can
      cause the daemon to die completely, in which case you may have to
      start it again after correcting the problem:

        # service named restart


*   Assist your slaves to configure themselves as slave for your domain, and
    configure yourself as a slave if asked to do so by another table.

    Here is most of what you need to add to the end of the named.conf file:

      zone "MYTLD" {
         type slave;
         masters { 10.10.XXX.1; };
         file "/etc/namedb/slave/MYTLD";
      };

    ... where XXX is the group where the master is located.

    If you have changed your `named.conf` so that you are a slave for
    someone else, make sure that there are no errors in `/var/log/messages` after
    you restart your nameserver.

    You will need a slave directory with proper permissions and ownership where
    bind can write the zone file received from the master: /etc/namedb/slave
    must be writable by the user named runs as (bind on FreeBSD). A transfer
    that succeeds on the wire but cannot be written to disk shows up in
    /var/log/messages as a permission error, and the slave keeps answering
    with the old serial (or none at all).

*   Check that you and your slaves are giving authoritative answers for
    your domain:

        # dig +norec @10.10.XXX.1 MYTLD. SOA
        # dig +norec @10.10.YYY.1 MYTLD. SOA

    Check that you get an AA (authoritative answer) from both, and that
    the serial numbers match. The +norec flag clears the RD bit in the query,
    so the server cannot satisfy it by recursing or from its cache; the "aa"
    flag in the reply then shows the server is serving the zone itself.


*   Now you are ready to request delegation:

    a) if using the RZM:

    Go to https://rzm.dnssek.org/

    Login using the Username/Password you used at the beginning
    of the exercise. Click "Proceed"

    Enter your nameserver, e.g., auth1.grpXX.dns.nsrc.org
    and IP address for it, e.g., 10.10.XX.1

    Click "Update".  If all goes well, your entry should
    show up with a document icon next to it indicating it checked
    out and has been inserted into the root zone file.

    You should also see an entry with an "eye" icon indicating
    that another server, your slave server, was noticed.
    If the slave entry looks correct, e.g., it is auth1.grpYY.dns.nsrc.org,
    click on the "eye" to get a "check" mark and then click
    "Update" to also send this to the root.

    b) if not using the RZM:

    Indicate to the instructor, on a piece of paper:


        Domain name:          ___________________

        Master nameserver:    auth1.grp___.dns.nsrc.org

        Slave nameserver:     auth1.grp___.dns.nsrc.org


*   You will not get delegation until the instructor has checked:

    - Your nameservers are all authoritative for your domain
    - They all have the same SOA serial number
    - The NS records within the zone match the list of servers you are
      requesting delegation for
    - The slave(s) are across the room from you :)

    => This is called policy!
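
    The first three checks above, as an added Python script that is not
    part of the NSRC exercise: it parses a zone file in the format used
    earlier and the text that `dig +norec ... SOA` prints, then reports
    servers that do not answer authoritatively, serials that disagree with
    the zone, and a requested server list that differs from the zone's NS
    RRset. The zone and the dig captures below are constructed (group
    numbers 25 and 30 are made up), so it runs offline; the names
    parse_zone, parse_dig, dig_text and check_delegation are this
    example's own.

```python
import re

# Constructed zone file in the exercise's format, with XXX=25 and YYY=30
# (made-up group numbers).
ZONE = """\
$TTL 2m
@       IN      SOA     auth1.grp25.dns.nsrc.org. user.example.net. (
                        2012022301    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative caching TTL

        IN      NS      auth1.grp25.dns.nsrc.org.   ; master
        IN      NS      auth1.grp30.dns.nsrc.org.   ; slave

www     IN      A       10.10.25.1
"""


def parse_zone(text):
    """Return (SOA serial, set of apex NS names) from a zone in the format
    above: comments stripped, parenthesised SOA lines joined, and a record
    whose owner field is blank inheriting the previous owner."""
    text = re.sub(r";[^\n]*", "", text)
    records, owner, buf = [], None, ""
    for line in text.splitlines():
        if not line.strip():
            continue
        buf = buf + " " + line if buf else line
        if buf.count("(") > buf.count(")"):
            continue                          # still inside the SOA parentheses
        line, buf = buf.replace("(", " ").replace(")", " "), ""
        if line.startswith("$"):
            continue                          # $TTL and similar carry no record
        toks = line.split()
        if not line[0].isspace():             # an explicit owner name
            owner, toks = toks[0], toks[1:]
        if toks[0] == "IN":                   # class is optional (no per-RR TTLs here)
            toks = toks[1:]
        records.append((owner, toks[0], toks[1:]))
    serial = next(int(rd[2]) for _, t, rd in records if t == "SOA")
    ns = {rd[0].rstrip(".").lower() for o, t, rd in records if t == "NS" and o == "@"}
    return serial, ns


def parse_dig(output):
    """Pull (status, flags, SOA serial) out of the text dig prints; the
    serial is None when the answer section holds no SOA."""
    status = re.search(r"status: (\w+)", output).group(1)
    flags = set(re.search(r"flags: ([^;]*);", output).group(1).split())
    soa = re.search(r"\sIN\s+SOA\s+\S+\s+\S+\s+(\d+)", output)
    return status, flags, (int(soa.group(1)) if soa else None)


def dig_text(flags, serial, status="NOERROR"):
    """Constructed stand-in for a captured `dig +norec @server MYTLD. SOA`."""
    answer = ("MYTLD.\t\t120\tIN\tSOA\tauth1.grp25.dns.nsrc.org. "
              "user.example.net. %d 600 300 2419200 120" % serial) if serial else ""
    return (";; ->>HEADER<<- opcode: QUERY, status: %s, id: 4242\n"
            ";; flags: %s; QUERY: 1, ANSWER: %d, AUTHORITY: 2, ADDITIONAL: 0\n\n"
            ";; ANSWER SECTION:\n%s\n" % (status, flags, 1 if serial else 0, answer))


def check_delegation(zone_text, answers):
    """answers maps each nameserver being requested to its dig output.
    Returns the list of policy violations; an empty list means delegate."""
    findings = []
    zone_serial, zone_ns = parse_zone(zone_text)
    asked = {s.rstrip(".").lower() for s in answers}
    if asked != zone_ns:
        findings.append("NS RRset in zone %s != servers requested %s"
                        % (sorted(zone_ns), sorted(asked)))
    serials = {}
    for server, out in answers.items():
        status, flags, serial = parse_dig(out)
        if status != "NOERROR" or serial is None:
            findings.append("%s: no usable SOA answer (status %s)" % (server, status))
            continue
        if "aa" not in flags:
            findings.append("%s: answer not authoritative (flags: %s)"
                            % (server, " ".join(sorted(flags))))
        serials[server] = serial
    if serials and set(serials.values()) != {zone_serial}:
        findings.append("serial mismatch: zone has %d, servers report %s"
                        % (zone_serial, sorted(serials.items())))
    return findings


# Constructed captures: one good pair and the three situations that fail.
MASTER, SLAVE = "auth1.grp25.dns.nsrc.org", "auth1.grp30.dns.nsrc.org"
GOOD = {MASTER: dig_text("qr aa", 2012022301), SLAVE: dig_text("qr aa", 2012022301)}
STALE_SLAVE = dict(GOOD, **{SLAVE: dig_text("qr aa", 2012022300)})        # transfer not done
NOT_AUTHORITATIVE = dict(GOOD, **{SLAVE: dig_text("qr rd ra", 2012022301)})  # cache, not zone
WRONG_NS_SET = {MASTER: GOOD[MASTER]}                          # zone lists a slave, request omits it

if __name__ == "__main__":
    for label, answers in [("good", GOOD), ("stale slave", STALE_SLAVE),
                           ("not authoritative", NOT_AUTHORITATIVE), ("wrong NS set", WRONG_NS_SET)]:
        print(label, "->", check_delegation(ZONE, answers) or "OK, delegate")
```

    Feed check_delegation the real output of the two dig commands above and
    it reports the same failures the instructor would. Rerun it after you
    bump the serial later on: a slave that has not transferred the new zone
    shows up as a serial mismatch, and a reply without the aa flag is
    rejected even when its serial happens to match.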

*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine
    - On someone else's machine (who is not slave for you):

  # dig @10.10.XXX.230 www.MYTLD       (where XXX is that group's number
                                        and MYTLD is your domain)

*   Add a new resource record to your zone file. Remember to update the
    serial number. Check that your slaves have updated (their SOA serial
    should now match yours). Try resolving this new name.