
File 01-dns-delegation-exercise.txt, 7.6 KB (added by Andy Linton, 6 years ago)
                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root,
for example: MYTLD

You will create a master nameservice on your own machine, and someone else
will provide slave service. Then you will ask the administrator for the
domain above you (the root) to delegate your domain to you.

Note: the following should be done as the "root" superuser - use sudo -s

Firstly, make sure that the hostname is configured correctly
on your machine.  Check it with the 'hostname' command - e.g. on
auth1.grpXX.dns.nsrc.org, if you type:

 # hostname

You should see:

  auth1.grpXX.dns.nsrc.org

If not, then configure your server with its name: e.g. for
auth1.grp25.dns.nsrc.org, type:

 # hostname auth1.grp25.dns.nsrc.org

Remember to replace "grpXX" with the proper group number!

The hostname command only changes the running system. To make the name
survive a reboot, edit the file /etc/rc.conf (using "vi" or "ee",
i.e.: ee /etc/rc.conf), and update the "hostname":

  hostname="auth1.grpXX.dns.nsrc.org"

At this point, you can also add instructions to enable named in your
server's configuration file, /etc/rc.conf:

  named_chrootdir=""
  named_enable="YES"

(named_chrootdir="" switches off the chroot that named would otherwise run
in by default on this system. That keeps the file paths in this exercise
simple; on a production server you would leave the chroot in place.)

In the file /etc/hosts, you should see a line:

  10.10.XX.1   auth1.grpXX auth1.grpXX.dns.nsrc.org

Exercise
--------

*   Choose a new domain, write it down on the Global Registry sheet at the front of the class.

    e.g.: "MYTLD" or "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your domain)

    This could for example be your country code, country name,
    company name, etc...  but REMEMBER that someone might pick the same name!
    Check the sheet before you start work on the exercise. First come, first served.

*   Find someone who will agree to be slave for your domain. Please find someone
    across the room from you (not at your table). (Remember RFC 2182: secondaries
    must be on separate networks; here we work on a flat network, so "across the
    room" stands in for that.) You will also create a third slave on your
    auth2.grpXX.dns.nsrc.org machine in a later exercise.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain) -- you can pretty much
    "copy and paste" the section below -- but remember to update
    the XX with your own group number:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 2m
@       IN      SOA     auth1.grpXX.dns.nsrc.org. your.email.address. (
                        2012022301    ; Serial - replace 20120223 with today's date
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative cache TTL

        IN      NS      auth1.grpXX.dns.nsrc.org.   ; master
        IN      NS      auth1.grpYY.dns.nsrc.org.   ; slave

www     IN      A       10.10.XX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address, so that
    user@domain.name becomes user.domain.name. (If the part before the "@"
    itself contains a dot, escape it with a backslash: first.last@domain.name
    becomes first\.last.domain.name. - and keep the trailing dot, which makes
    the name absolute.)

    XX and YY are the group numbers of your machine and of your slave's
    machine, respectively.

    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    would probably use higher values.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If it is still there, REMOVE the following line:

         listen-on { 127.0.0.1; };

    ... and add another line in the options section:

        allow-query { any; };

    ... so that your nameserver will now answer queries from the network.
    (Answering anyone is exactly what an authoritative server is for. What it
    must NOT also do is recurse for anyone: make sure the options section does
    not turn recursion on, or add "recursion no;" - otherwise you have just
    built an open resolver.)

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
      (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
      };

    Pay attention to the ';' and '}' !

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *
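The zone-file step above, scripted (an added example for this exercise, not part of NSRC's material): it renders the zone from the two group numbers and a contact mailbox, converting the mailbox into SOA RNAME form and escaping any dot in the local part, builds a date-based serial, writes the file under /etc/namedb/master and runs named-checkzone on it when that tool is installed. The script name, its four arguments and the ZONE_ROOT override are this example's own conventions.

```shell
#!/bin/sh
# mkzone.sh - render, write and check the exercise's master zone file.
# Added example for this exercise (not NSRC code). Assumed conventions:
# the four arguments below and the ZONE_ROOT override (default /etc/namedb).
# Usage: sh mkzone.sh MYTLD 25 30 user@example.org
#        (domain, master group number, slave group number, contact mailbox)

# Mailbox -> SOA RNAME: '@' becomes '.', dots in the local part are escaped
# with a backslash (RFC 1035), and a trailing dot makes the name absolute.
rname_from_email() {
    local_part=${1%@*}
    domain_part=${1#*@}
    printf '%s.%s.\n' "$(printf '%s' "$local_part" | sed 's/\./\\./g')" "$domain_part"
}

# Date-based serial YYYYMMDDnn: edits on later days always compare higher,
# and nn leaves room for 99 edits a day.
today_serial() {  # today_serial [nn]
    printf '%s%02d\n' "$(date -u +%Y%m%d)" "${1:-1}"
}

# Render the zone on stdout. TTL/refresh/retry stay low as in the exercise;
# raise them for a production zone.
render_zone() {  # render_zone DOMAIN MASTER_GROUP SLAVE_GROUP MAILBOX [SERIAL]
    zone_serial=${5:-$(today_serial 1)}
    cat <<EOF
\$TTL 2m
@       IN      SOA     auth1.grp$2.dns.nsrc.org. $(rname_from_email "$4") (
                        $zone_serial    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative cache TTL

        IN      NS      auth1.grp$2.dns.nsrc.org.   ; master
        IN      NS      auth1.grp$3.dns.nsrc.org.   ; slave

www     IN      A       10.10.$2.1                  ; master's own IP
EOF
}

# Write the file and validate it; returns non-zero if named-checkzone rejects it.
install_zone() {  # install_zone DOMAIN MASTER_GROUP SLAVE_GROUP MAILBOX
    root=${ZONE_ROOT:-/etc/namedb}
    mkdir -p "$root/master"
    render_zone "$1" "$2" "$3" "$4" > "$root/master/$1"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$root/master/$1" || return 1
    else
        echo "named-checkzone not found; zone written but not validated" >&2
    fi
    echo "wrote $root/master/$1"
}

if [ "$#" -eq 4 ]; then
    install_zone "$@"
fi
```

Point ZONE_ROOT at a scratch directory to try it without touching /etc/namedb; the rendered file is exactly what you would otherwise paste by hand, with the RNAME and serial already in the right form.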

*   If this is not already done, enable named in your server's configuration,
    by editing the file /etc/rc.conf and adding:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    - Then start/restart named with

        # service named restart

*   If the system complains about missing configuration files for rndc (the name
    server control utility), we can fix this by running:

        # rndc-confgen -a

*   Check that the nameserver has started correctly by looking at the log file:

        # tail /var/log/messages

*   Verify with dig that MYTLD is now configured on your host:

        # dig @10.10.XX.1 MYTLD. NS

    Where "XX" is the group number of your machine.

    You can also check the nameserver status using rndc:

        # rndc status

    - If there are any errors, correct them. Some configuration errors can
      cause the daemon to die completely, in which case you may have to
      start it again after correcting the problem:

        # service named restart

*   Assist your slaves to configure themselves as slave for your domain, and
    configure yourself as a slave if asked to do so by another table.

    Here is most of what you need to add to the end of the named.conf file:

      zone "MYTLD" {
         type slave;
         masters { 10.10.XX.1; };
         file "/etc/namedb/slave/MYTLD";
      };

    ... where XX is the group where the master is located.

    If you have changed your `named.conf` so that you are a slave for
    someone else, make sure that there are no errors in `/var/log/messages` after
    you restart your nameserver.

    You will need a slave directory (/etc/namedb/slave) with proper permissions
    and ownership, so that named, which runs as an unprivileged user, can write
    the zone file it receives from the master. When the transfer succeeds the
    zone file appears in that directory; when it does not, the log says why
    (typically a permission error on the directory).
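Both sides of the master/slave pair as named.conf stanzas, plus the slave directory the previous paragraph asks for, as an added example (not the exercise's own configuration). It goes one step beyond the minimal stanzas above: the master's allow-transfer limits zone transfers (which hand out a copy of the entire zone) to the slave's address, notify makes the slave refresh as soon as the serial changes instead of waiting for Refresh, and the slave refuses transfers itself. Those hardening lines, the "bind" user, the 750 mode and the command-line conventions are assumptions of this example; the classroom stanzas in the text work without them.

```shell
#!/bin/sh
# pairconf.sh - named.conf stanzas for both ends of the master/slave pair,
# plus the slave's writable directory. Added example for this exercise (not
# NSRC code). It goes beyond the exercise's minimal stanzas: the master only
# allows zone transfers to its slave(s) and sends NOTIFY, and the slave does
# not re-serve transfers. Those additions, the "bind" user, mode 750 and the
# command-line conventions are this example's assumptions.
# Usage: sh pairconf.sh master MYTLD 30 [31 ...]   (zone, slave group numbers)
#        sh pairconf.sh slave  MYTLD 25            (zone, master group number)

# Group number -> the exercise's auth1 address for that group.
group_ip() { printf '10.10.%s.1\n' "$1"; }

# Master stanza. allow-transfer keeps AXFR/IXFR (a copy of the whole zone)
# to the listed slaves instead of anyone who asks; notify makes the slaves
# refresh as soon as the serial changes rather than waiting for Refresh.
master_stanza() {  # master_stanza ZONE SLAVE_IP...
    zone=$1; shift
    printf 'zone "%s" {\n        type master;\n' "$zone"
    printf '        file "/etc/namedb/master/%s";\n' "$zone"
    printf '        allow-transfer { '
    for ip in "$@"; do printf '%s; ' "$ip"; done
    printf '};\n        notify yes;\n};\n'
}

# Slave stanza: pull from the master into the slave directory, and do not
# hand the zone on to third parties (they should transfer from the master).
slave_stanza() {  # slave_stanza ZONE MASTER_IP
    cat <<EOF
zone "$1" {
        type slave;
        masters { $2; };
        file "/etc/namedb/slave/$1";
        allow-transfer { none; };
};
EOF
}

# The slave directory must be writable by the user named runs as (assumed
# here to be "bind"); otherwise the transfer succeeds on the wire but the
# received zone cannot be saved to disk.
prepare_slave_dir() {  # prepare_slave_dir [ROOT] [USER]
    root=${1:-/etc/namedb}; user=${2:-bind}
    mkdir -p "$root/slave"
    chown "$user" "$root/slave" || echo "chown to $user failed: run as root" >&2
    chmod 750 "$root/slave"
}

case "${1:-}" in
    master)
        zone=$2; shift 2
        set -- $(for g in "$@"; do group_ip "$g"; done)   # groups -> IPs
        master_stanza "$zone" "$@" ;;
    slave)
        prepare_slave_dir
        slave_stanza "$2" "$(group_ip "$3")" ;;
esac
```

Append the printed stanza to /etc/namedb/named.conf, run named-checkconf, and restart named as in the steps above; on the slave, the zone file should then appear in /etc/namedb/slave.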

*   Check that you and your slaves are giving authoritative answers for
    your domain:

        # dig +norec @10.10.XX.1 MYTLD. SOA
        # dig +norec @10.10.YY.1 MYTLD. SOA

    Check that you get an AA (authoritative answer) from both - look for
    "aa" in the "flags:" line of the dig output - and that the serial
    numbers match. +norec clears the RD bit, so a server that does not hold
    the zone cannot go and fetch the answer from somewhere else: what comes
    back is what that server itself knows.

*   Now you are ready to request delegation by confirming with the instructor
    that your details in the Global Registry are now complete, e.g.

        Domain name:          ___________________

        Master nameserver:    auth1.grp___.dns.nsrc.org

        Slave nameserver:     auth1.grp___.dns.nsrc.org

*   You will not get delegation until the instructor has checked:

    - Your nameservers are all authoritative for your domain
    - They all have the same SOA serial number
    - The NS records within the zone match the list of servers you are
      requesting delegation for
    - The slave(s) are across the room from you :)

    => This is called policy!
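The two dig checks above and the instructor's checklist, as one script (an added example, not NSRC code): it asks each server non-recursively for the SOA and NS of the zone, and passes only if every answer has the AA flag, all serials agree, and the NS set inside the zone equals the set of servers delegation is being requested for. It assumes dig's default output format; the dig output embedded at the bottom is constructed, not captured from a real server, so the parsers can be tried without a network. The same script is what you rerun after the last step of this exercise to confirm your slaves picked up a new serial.

```shell
#!/bin/sh
# checkdeleg.sh - the instructor's pre-delegation checks, scripted. For every
# nameserver it sends non-recursive SOA and NS queries with dig and verifies:
# every answer carries the AA flag, all serials agree, and the NS set inside
# the zone equals the set of servers delegation is requested for. Added
# example for this exercise (not NSRC code); it assumes dig's default
# single-line output format and that dig is installed.
# Usage: sh checkdeleg.sh MYTLD auth1.grp25.dns.nsrc.org auth1.grp30.dns.nsrc.org

# True if a dig response has the AA flag on its ";; flags:" line.
has_aa() {  # stdin: dig output
    grep -q '^;; flags:.* aa[ ;]'
}

# Serial from a dig SOA answer. Record lines look like
#   MYTLD. 120 IN SOA mname rname serial refresh retry expire minimum
# so the serial is field 7; comment lines start with ';'.
soa_serial() {  # stdin: dig output
    awk '!/^;/ && $4 == "SOA" { print $7; exit }'
}

# NS names from a dig NS answer, lower-cased, trailing dot removed, sorted.
ns_set() {  # stdin: dig output
    awk '!/^;/ && $4 == "NS" { sub(/\.$/, "", $5); print tolower($5) }' | sort -u
}

# Normalise a list of server names the same way, so the two sets compare equal.
name_set() {  # name_set NAME...
    for n in "$@"; do printf '%s\n' "$n" | tr 'A-Z' 'a-z' | sed 's/\.$//'; done | sort -u
}

# One server: must answer authoritatively; prints its serial on success.
check_server() {  # check_server ZONE SERVER
    soa=$(dig +norec "@$2" "$1." SOA) || { echo "$2: no reply" >&2; return 1; }
    printf '%s\n' "$soa" | has_aa || { echo "$2: answer for $1 is not authoritative" >&2; return 1; }
    printf '%s\n' "$soa" | soa_serial
}

# The whole policy check; returns 0 only when every server passes.
check_delegation() {  # check_delegation ZONE SERVER...
    zone=$1; shift
    wanted=$(name_set "$@")
    serials=""
    for s in "$@"; do
        serial=$(check_server "$zone" "$s") || return 1
        serials="$serials$serial
"
        inzone=$(dig +norec "@$s" "$zone." NS | ns_set)
        [ "$inzone" = "$wanted" ] || {
            echo "$s: NS records in zone ($inzone) differ from requested ($wanted)" >&2; return 1; }
    done
    distinct=$(printf '%s' "$serials" | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq 1 ] || { echo "serials differ: $(printf '%s' "$serials" | tr '\n' ' ')" >&2; return 1; }
    echo "$zone: all servers authoritative, serial $serial, NS set matches"
}

# Constructed dig output (not captured from a real server), in the format
# the parsers above expect; handy for trying them without a network.
SAMPLE_SOA='; <<>> DiG 9.16 <<>> +norec @10.10.25.1 MYTLD. SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;MYTLD.                         IN      SOA

;; ANSWER SECTION:
MYTLD.                  120     IN      SOA     auth1.grp25.dns.nsrc.org. user.example.org. 2012022301 600 300 2419200 120

;; AUTHORITY SECTION:
MYTLD.                  120     IN      NS      auth1.grp25.dns.nsrc.org.
MYTLD.                  120     IN      NS      auth1.grp30.dns.nsrc.org.'

if [ "$#" -ge 2 ]; then
    check_delegation "$@"
fi
```

A failing check prints which server and which of the three conditions broke, which is usually more useful than a bare "not delegated"; a slave still showing the old serial after you bump the master's is the classic case.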

*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine
    - On someone else's machine (who is not slave for you):

        # dig @10.10.0.230 www.MYTLD       (where MYTLD is your domain)

*   Add a new resource record to your zone file. Remember to update the
    serial number (otherwise the slaves will never notice the change) and
    restart named as above. Check that your slaves have updated - their SOA
    serial should now match yours. Try resolving this new name.