Track2Agenda: 01-dns-delegation-exercise.txt

                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root.
for example: MYTLD

You will create a master nameservice on your own machine, and someone else
will provide slave service. Then you will ask the administrator for the
domain above you (the root) to delegate your domain to you.

Note: the following should be done as the "root" superuser - use sudo -s

Firstly, note that your hostname is configured correctly
on your machine.  Check that it is configured correctly by
using the 'hostname' command - e.g. on auth1.grpXX.dns.nsrc.org, if you type:

 # hostname

You should see:

  auth1.grpXX.dns.nsrc.org

If not, then configure your server with its name: e.g. for
auth1.grp25.dns.nsrc.org, type:

 # hostname auth1.grp25.dns.nsrc.org

Remember to replace "grpXX" with the the proper group number!

Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf),
and update the "hostname":

  hostname="auth1.grpXX.dns.nsrc.org"

At this point, you can also add instructions to enable named in your 
server's configuration file, /etc/rc.conf:

  named_chrootdir=""
  named_enable="YES"  

In the file /etc/hosts, you should see a line:

  10.10.X.1   auth1.grpXX auth1.grpXX.dns.nsrc.org


Exercise
--------

*   Choose a new domain, write it down on the Global Registry sheet at the front of the class.

    i.e.: "MYTLD" or "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain)

    This could for example be the name of your country code, country name,
    company name, etc...  but REMEMBER that someone might pick the same name!
        Check before you start work on the exercise. First come, first served.

*   Find someone who will agree to be slave for your domain. Please find someone
    across the room from you (not at your table) (Remember RFC2182:  secondaries
    must be on remote networks but here we work on a flat network). You will also 
        create a third slave on your auth2.grpXX.dns.nsrc.org machine in a later exercise.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to update
    the XX with your own group number:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 2m
@       IN      SOA     auth1.grpXX.dns.nsrc.org. your.email.address. (
                        2012022301    ; Serial - replace 20120223 with the date
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative

        IN      NS      auth1.grpXX.dns.nsrc.org.   ; master
        IN      NS      auth1.grpYY.dns.nsrc.org.   ; slave

www     IN      A       10.10.XX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address, so that
    user@domain.name becomes user.domain.name

    XX and YY are the IP of your group, and your slave's, respectively.
    
    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    would probably use higher values.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If it is still there, REMOVE the following line:

         listen-on { 127.0.0.1; };

    ... and add another line in the options section:

        allow-query { any; };

    ... so that your nameserver will now answer queries from the network

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
      };

    Pay attention to the ';' and '}' !

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *

*   If this is not already done, enable named in your server's configuration,
    by editing the file /etc/rc.conf and adding, if this is not already done:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    - Then start/restart named with

        # service named restart
                
*       If the system complains about missing configuration files for rndc (the name 
        server control utility) we can fix this by this by running:
                
                # rndc-confgen -a

*   Check that the nameserver has started correctly by looking at the log file:

        # tail /var/log/messages

*   Verify with dig that MYTLD is now configured on your host:

        # dig @10.10.XX.1 MYTLD. NS

    Where "XX" is the group number of your machine.

        You can also check the nameserver status using rndc:

    # rndc status

    - If there are any errors, correct them. Some configuration errors can
    cause the daemon to die completely, in which case you may have to
    start it again after correcting the problem:

        # service named restart

*   Assist your slaves to configure themselves as slave for your domain, and
    configure yourself as a slave if asked to do so by another table.

    Here is most of what you need to add to the end of the named.conf file:

      zone "MYTLD" { 
         type slave;
         masters { 10.10.XX.1; };
         file "/etc/namedb/slave/MYTLD";
      };

    ... where XX is the group where the master is located.

    If you have changed your `named.conf` so that you are a slave for
    someone else, make sure that there are no errors in `/var/log/messages` after
    you restart your nameserver.

    You will need a slave directory with proper permissions and ownership where
    bind can write the zone file received from the master.

*   Check that you and your slaves are giving authoritative answers for
    your domain:

        # dig +norec @10.10.XX.1 MYTLD. SOA
        # dig +norec @10.10.YY.1 MYTLD. SOA

    Check that you get an AA (authoritative answer) from both, and that
    the serial numbers match.

*   Now you are ready to request delegation by confirming with the instructor that your details
    in the Global Registry are now complete e.g.


        Domain name:          ___________________

        Master nameserver:    auth1.grp___.dns.nsrc.org

        Slave nameserver:     auth1.grp___.dns.nsrc.org


*   You will not get delegation until the instructor has checked:

    - Your nameservers are all authoritative for your domain
    - They all have the same SOA serial number
    - The NS records within the zone match the list of servers you are
      requesting delegation for
    - The slave(s) are across the room from you :)

    => This is called policy!

*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine
    - On someone else's machine (who is not slave for you):

  # dig @10.10.0.230 www.MYTLD       (where MYTLD is your domain)

*   Add a new resource record to your zone file. Remember to update the
    serial number. Check that your slaves have updated. Try resolving this
    new name.