Agenda: 01-dns-delegation-exercise.txt

File 01-dns-delegation-exercise.txt, 6.5 KB (added by Andy Linton, 6 years ago)
DNS Exercise - Delegation
=========================

In this exercise, we will create a new TLD in our root,
for example: MYTLD

You will create a "Hidden Master" nameservice on your "master" machine, and you and
one of your colleagues will provide the public facing "Slave" servers.

Then you will ask the administrator for the domain above you (the root) to delegate
your domain to you.

Note: the following should be done as the "root" superuser - use sudo -s

First, make sure that the hostname is configured correctly on your machine.
Check it using the 'hostname' command.

e.g. on auth1.grpXX.dns.nsrc.org, if you type:

        # hostname

You should see:

        auth1.grpXX.dns.nsrc.org

If not, then configure your server with its name: e.g. for
auth1.grp25.dns.nsrc.org, type:

        # hostname auth1.grp25.dns.nsrc.org

Remember to replace "grpXX" with the proper group number!

Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf),
and update the "hostname" line:

        hostname="auth1.grpXX.dns.nsrc.org"

At this point, you can also add the lines that enable named in your
server's configuration file, /etc/rc.conf:

        named_chrootdir=""
        named_enable="YES"

In the file /etc/hosts, you should see a line:

        10.10.X.1   auth1.grpXX auth1.grpXX.dns.nsrc.org

Exercise
--------

Choose a new domain, write it down on the Global Registry sheet at the front of the class.

        i.e.: "MYTLD" or "EARTH" - whatever you feel like.

(Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain)

This could for example be the name of your country code, country name,
company name, etc...  but REMEMBER that someone might pick the same name!
Check before you start work on the exercise. First come, first served.

Find someone who will agree to be slave for your domain. Please find someone
across the room from you (not at your table). (Remember RFC 2182: secondaries
must be on remote networks, but here we work on a flat network.)

        *** Remember, you will need to become root to create this file,
        ***   so, e.g.
        ***
        ***     $ cd /etc/namedb/master
        ***     $ sudo vi MYTLD
        ***
        ***   (feel free to use another editor instead of vi, e.g. joe, ee)


Create your zone file in `/etc/namedb/master/MYTLD` (where MYTLD is your chosen domain)
-- you can pretty much "copy and paste" the section below -- but remember to update
the XX with your own group number:


        $TTL 2m
        @       IN      SOA     auth1.grpXX.dns.nsrc.org. your.email.address. (
                                2012022301    ; Serial - format is YYYYMMDDNN
                                10m           ; Refresh
                                5m            ; Retry
                                4w            ; Expire
                                2m )          ; Negative
                        IN      NS      auth2.grpXX.dns.nsrc.org.   ; your slave
                        IN      NS      auth2.grpYY.dns.nsrc.org.   ; your partner's slave

        www     IN      A       10.10.XX.1             ; your own IP


Replace `your.email.address.` with your home E-mail address, written with a dot
in place of the '@', so that user@domain.name becomes user.domain.name
(keep the trailing dot, as in the template above).

XX and YY are the group numbers of your group and your partner's group,
respectively (the same numbers that appear in your IP addresses, 10.10.XX.1).

We have chosen purposely low values for TTL, refresh, and retry to make
it easier to fix problems in the classroom. For a production domain you
would probably use higher values.

Edit `/etc/namedb/named.conf` and do the following:

        ***   Remember, you will need to become root to edit this file,
        ***   so, e.g.
        ***
        ***     $ cd /etc/namedb
        ***     $ sudo vi named.conf
        ***
        ***   (feel free to use another editor instead of vi, e.g. joe, ee)

If it is still there, REMOVE the following line:

        listen-on { 127.0.0.1; };

and add these lines in the options section:

        allow-query { any; };
        listen-on-v6 { any; };

so that your nameserver will now answer queries from the network on IPv4 and IPv6 addresses.

Add a section to configure your machine as master for your domain, by adding
something like this at the end (the bottom) of the file:

        zone "MYTLD" {
                type master;
                file "/etc/namedb/master/MYTLD";
        };

Pay attention to the ';' and '}' !

Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

If there are any errors, **correct** them !

If this is not already done, enable named in your server's configuration
by editing the file /etc/rc.conf and adding:

        ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

Then start/restart named with

        # service named restart

If the system complains about missing configuration files for rndc (the name
server control utility), fix this by running:

        # rndc-confgen -a

Check that the nameserver has started correctly by looking at the log file:

        # tail /var/log/messages

Verify with dig that MYTLD is now configured on your host:

        # dig @10.10.XX.1 NS MYTLD.

where "XX" is the group number of your machine.

You can also check the nameserver status using rndc:

        # rndc status

If there are any errors, correct them. Some configuration errors can
cause the daemon to die completely, in which case you may have to
start it again after correcting the problem:

        # service named restart

Assist your slaves to configure themselves as slave for your domain, and
configure yourself as a slave if asked to do so by another table.

Check that you and your slaves are giving authoritative answers for
your domain:

        # dig +norec @10.10.XX.2 SOA MYTLD.
        # dig +norec @10.10.YY.2 SOA MYTLD.

Check that you get an AA (authoritative answer) from both, and that
the serial numbers match. (+norec clears the "recursion desired" bit, so a
server that merely has the answer cached will not set the AA flag; only a
server that has actually loaded the zone will.)
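
The two checks above (AA flag present, serials equal) are easy to get wrong by eye
when several people are shouting serial numbers across the room. The following
POSIX shell script is an added example, not part of the NSRC exercise: it reads
dig output that has been saved to a file and applies both checks. It assumes you
ran the two dig commands above and redirected their output (e.g. to master.txt
and slave.txt); dig itself is not executed here, so constructed dig-style output
for group 25 is embedded to make the script run offline.

```shell
#!/bin/sh
# Added example (not part of the NSRC exercise). On the real servers:
#   dig +norec @10.10.XX.2 SOA MYTLD. > master.txt
#   dig +norec @10.10.YY.2 SOA MYTLD. > slave.txt
#   compare_serials master.txt slave.txt

# Print "aa" if the ";; flags:" line of a saved dig output carries the
# Authoritative Answer bit, otherwise "noaa".
aa_flag() {
    awk '/^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line); sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aa") found = 1
         }
         END { print (found ? "aa" : "noaa") }' "$1"
}

# Print the serial (7th field) of the first SOA record in the answer.
soa_serial() {
    awk '!/^;/ && $4 == "SOA" { print $7; exit }' "$1"
}

# Print "ok serial N" and return 0 when both servers are authoritative and
# agree on the serial; otherwise print the reason and return 1.
compare_serials() {
    m=$1; s=$2
    [ "$(aa_flag "$m")" = "aa" ] || { echo "master: no AA flag (zone not loaded?)"; return 1; }
    [ "$(aa_flag "$s")" = "aa" ] || { echo "slave: no AA flag (zone not loaded or transfer failed?)"; return 1; }
    ms=$(soa_serial "$m"); ss=$(soa_serial "$s")
    if [ "$ms" = "$ss" ]; then
        echo "ok serial $ms"
    else
        echo "serial mismatch: master $ms slave $ss (slave has not refreshed yet?)"
        return 1
    fi
}

# Constructed sample output, in the shape dig prints, for group 25 / partner 30.
TMPD=$(mktemp -d)
MASTER=$TMPD/master.txt; SLAVE=$TMPD/slave.txt
STALE=$TMPD/stale.txt;   RECURSIVE=$TMPD/recursive.txt
cat > "$MASTER" <<'EOF'
; constructed: dig +norec @10.10.25.2 SOA MYTLD.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
MYTLD.  120  IN  SOA  auth1.grp25.dns.nsrc.org. student.example.org. 2012022301 600 300 2419200 120

;; AUTHORITY SECTION:
MYTLD.  120  IN  NS  auth2.grp25.dns.nsrc.org.
MYTLD.  120  IN  NS  auth2.grp30.dns.nsrc.org.
EOF
cp "$MASTER" "$SLAVE"                                        # healthy slave
sed 's/2012022301/2012022300/' "$MASTER" > "$STALE"          # slave still on the old serial
sed 's/flags: qr aa;/flags: qr ra;/' "$MASTER" > "$RECURSIVE" # cached answer, not authoritative

compare_serials "$MASTER" "$SLAVE"                # ok serial 2012022301
compare_serials "$MASTER" "$STALE" || true        # serial mismatch ...
compare_serials "$MASTER" "$RECURSIVE" || true    # slave: no AA flag ...
```

The AA test is done on the flags line rather than on the answer section because
a non-authoritative server can still return a perfectly good-looking SOA record
from its cache; only the flag tells you the server has loaded the zone itself.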

Now you are ready to request delegation by confirming with the instructor that your details
in the Global Registry are now complete, e.g.


        Domain name:          ___________________

        Master nameserver:    auth2.grp___.dns.nsrc.org

        Slave nameserver:     auth2.grp___.dns.nsrc.org


You will not get delegation until the instructor has checked:

        - Your nameservers are all authoritative for your domain
        - They all have the same SOA serial number
        - The NS records within the zone match the list of servers you are requesting delegation for
        - The slave(s) are across the room from you :)

=> This is called policy!

Once you have delegation, try to resolve www.MYTLD:

        - On your own machine
        - On someone else's machine (who is not slave for you):

        # dig @10.10.0.230 www.MYTLD       (where MYTLD is your domain)

Next steps
----------

 * Add a new resource record to your zone file.
 * Remember to update the serial number.
 * Check that your slaves have updated.
 * Try resolving this new name.
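
Both the zone-file section above and the "update the serial number" step here
trip up the same few things: a forgotten trailing dot, an '@' left in the SOA
rname, and a serial that does not go up. The following POSIX shell script is an
added example, not part of the NSRC exercise: `lint_zone` checks a zone file
for those mistakes and `bump_serial` raises the serial in the YYYYMMDDNN format
the template uses, also handling the two edge cases of more than one change per
day and a serial that is already ahead of today's date (serials must only ever
increase, so such a serial is incremented rather than reset). It assumes the
paths from the exercise; a constructed copy of the template (group 25, partner
group 30, a made-up e-mail address) is written to a temp directory so it runs
offline.

```shell
#!/bin/sh
# Added example (not part of the NSRC exercise). Intended use on auth1:
#   lint_zone /etc/namedb/master/MYTLD && bump_serial /etc/namedb/master/MYTLD
#   named-checkzone MYTLD /etc/namedb/master/MYTLD && rndc reload MYTLD

# Print the SOA serial: the first bare number after the SOA line.
zone_serial() {
    awk '/SOA/ { insoa = 1 }
         insoa { sub(/;.*/, "")
                 for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# Report the mistakes beginners typically make in this file; print "ok" and
# return 0 when none are found, otherwise list them and return 1.
lint_zone() {
    awk '{ sub(/;.*/, "") }                               # strip comments
         /SOA/ { insoa = 1
                 for (i = 1; i <= NF; i++) if ($i == "SOA") { mname = $(i+1); rname = $(i+2) } }
         insoa && serial == "" { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { serial = $i; break } }
         NF >= 2 && $(NF-1) == "NS" { ns++
                 if ($NF !~ /\.$/) bad = bad "NS target " $NF " lacks a trailing dot (zone name would be appended)\n" }
         END {
             if (rname ~ /@/)          bad = bad "SOA rname " rname " must use a dot, not @\n"
             if (mname !~ /\.$/)       bad = bad "SOA mname " mname " lacks a trailing dot\n"
             if (rname !~ /\.$/)       bad = bad "SOA rname " rname " lacks a trailing dot\n"
             if (length(serial) != 10) bad = bad "serial " serial " is not YYYYMMDDNN\n"
             if (ns < 2)               bad = bad "only " (ns+0) " NS record(s); RFC 2182 wants at least two\n"
             if (bad == "") { print "ok"; exit 0 }
             printf "%s", bad; exit 1
         }' "$1"
}

# Rewrite the serial in place as YYYYMMDDNN: NN counts changes made today.
bump_serial() {
    file=$1
    old=$(zone_serial "$file")
    [ -n "$old" ] || { echo "no serial found in $file" >&2; return 1; }
    today=$(date +%Y%m%d)
    case $old in
        "$today"[0-9][0-9])
            nn=${old#"$today"}; nn=$(( ${nn#0} + 1 ))
            if [ "$nn" -gt 99 ]; then
                echo "already 99 changes today; serial $old kept" >&2; return 1
            fi
            new=$(printf '%s%02d' "$today" "$nn") ;;
        *)  new="${today}01" ;;
    esac
    # A serial must never go backwards; if the old one is already ahead of
    # today's date, just increment it instead of resetting to today.
    [ "$new" -gt "$old" ] || new=$((old + 1))
    awk -v old="$old" -v new="$new" '
        /SOA/ { insoa = 1 }
        insoa && !done { for (i = 1; i <= NF; i++) if ($i == old) { sub(old, new); done = 1; break } }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$old -> $new"
}

TMPD=$(mktemp -d)
GOOD=$TMPD/MYTLD; BAD=$TMPD/BADTLD
# Constructed: the exercise's template with XX=25, YY=30 filled in.
cat > "$GOOD" <<'EOF'
$TTL 2m
@       IN      SOA     auth1.grp25.dns.nsrc.org. student.example.org. (
                        2012022301    ; Serial - format is YYYYMMDDNN
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative
                IN      NS      auth2.grp25.dns.nsrc.org.   ; your slave
                IN      NS      auth2.grp30.dns.nsrc.org.   ; your partner's slave

www     IN      A       10.10.25.1             ; your own IP
EOF
# Constructed: the same zone with an '@' in the rname, no trailing dot on the
# NS target, and only one NS record.
cat > "$BAD" <<'EOF'
$TTL 2m
@       IN      SOA     auth1.grp25.dns.nsrc.org. student@example.org (
                        2012022301    ; Serial
                        10m 5m 4w 2m )
                IN      NS      auth2.grp25.dns.nsrc.org
www     IN      A       10.10.25.1
EOF

lint_zone "$GOOD"          # ok
lint_zone "$BAD" || true   # lists the three mistakes
bump_serial "$GOOD"        # 2012022301 -> <today>01; then named-checkzone and rndc reload
```

After bumping, run named-checkzone as the exercise does and reload; the slaves
will only pull the change once they see a serial greater than the one they hold,
which is exactly what the "check that your slaves have updated" step verifies.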