1 | DNS Exercise - Delegation |
---|
2 | ========================= |
---|
3 | |
---|
4 | In this exercise, we will create a new TLD in our root. |
---|
5 | for example: MYTLD |
---|
6 | |
---|
7 | You will create a "Hidden Master" nameservice on your "master" machine, and you and |
---|
8 | one of your colleagues will provide the public facing "Slave" servers. |
---|
9 | |
---|
10 | Then you will ask the administrator for the domain above you (the root) to delegate |
---|
11 | your domain to you. |
---|
12 | |
---|
13 | Note: the following should be done as the "root" superuser - use sudo -s |
---|
14 | |
---|
15 | Firstly, note that your hostname is configured correctly on your machine. |
---|
16 | Check that it is configured correctly by |
---|
17 | using the 'hostname' command. |
---|
18 | |
---|
19 | e.g. on auth1.grpXX.dns.nsrc.org, if you type: |
---|
20 | |
---|
21 | # hostname |
---|
22 | |
---|
23 | You should see: |
---|
24 | |
---|
25 | auth1.grpXX.dns.nsrc.org |
---|
26 | |
---|
27 | If not, then configure your server with its name: e.g. for |
---|
28 | auth1.grp25.dns.nsrc.org, type: |
---|
29 | |
---|
30 | # hostname auth1.grp25.dns.nsrc.org |
---|
31 | |
---|
32 | Remember to replace "grpXX" with the the proper group number! |
---|
33 | |
---|
34 | Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf), |
---|
35 | and update the "hostname": |
---|
36 | |
---|
37 | hostname="auth1.grpXX.dns.nsrc.org" |
---|
38 | |
---|
39 | At this point, you can also add instructions to enable named in your |
---|
40 | server's configuration file, /etc/rc.conf: |
---|
41 | |
---|
42 | named_chrootdir="" |
---|
43 | named_enable="YES" |
---|
44 | |
---|
45 | In the file /etc/hosts, you should see a line: |
---|
46 | |
---|
47 | 10.10.X.1 auth1.grpXX auth1.grpXX.dns.nsrc.org |
---|
48 | |
---|
49 | |
---|
50 | Exercise |
---|
51 | -------- |
---|
52 | |
---|
53 | Choose a new domain, write it down on the Global Registry sheet at the front of the class. |
---|
54 | |
---|
55 | i.e.: "MYTLD" or "EARTH" - whatever you feel like. |
---|
56 | |
---|
57 | (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain) |
---|
58 | |
---|
59 | This could for example be the name of your country code, country name, |
---|
60 | company name, etc... but REMEMBER that someone might pick the same name! |
---|
61 | Check before you start work on the exercise. First come, first served. |
---|
62 | |
---|
63 | Find someone who will agree to be slave for your domain. Please find someone |
---|
64 | across the room from you (not at your table) (Remember RFC2182: secondaries |
---|
65 | must be on remote networks but here we work on a flat network). |
---|
66 | |
---|
67 | *** Remember, you will need to become root to create this file, |
---|
68 | *** so, e.g. |
---|
69 | *** |
---|
70 | *** $ cd /etc/namedb/master |
---|
71 | *** $ sudo vi MYTLD |
---|
72 | *** |
---|
73 | *** (feel free to use another editor instead of vi, e.g. joe, ee) |
---|
74 | |
---|
75 | |
---|
76 | Create your zone file in `/etc/namedb/master/MYTLD` (where MYTLD is your chosen domain) |
---|
77 | -- you can pretty much "copy and paste" the section below -- but remember to update |
---|
78 | the XX with your own group number: |
---|
79 | |
---|
80 | |
---|
81 | $TTL 2m |
---|
82 | @ IN SOA auth1.grpXX.dns.nsrc.org. your.email.address. ( |
---|
83 | 2012022301 ; Serial - format is YYYYMMDDNN |
---|
84 | 10m ; Refresh |
---|
85 | 5m ; Retry |
---|
86 | 4w ; Expire |
---|
87 | 2m ) ; Negative |
---|
88 | IN NS auth2.grpXX.dns.nsrc.org. ; your slave |
---|
89 | IN NS auth2.grpYY.dns.nsrc.org. ; your partner's slave |
---|
90 | |
---|
91 | www IN A 10.10.XX.1 ; your own IP |
---|
92 | |
---|
93 | |
---|
94 | Replace `your.email.address.` with your home E-mail address, so that |
---|
95 | user@domain.name becomes user.domain.name |
---|
96 | |
---|
97 | XX and YY are the IP of your group, and your partner's group, respectively. |
---|
98 | |
---|
99 | We have chosen purposely low values for TTL, refresh, and retry to make |
---|
100 | it easier to fix problems in the classroom. For a production domain you |
---|
101 | would probably use higher values. |
---|
102 | |
---|
103 | Edit `/etc/namedb/named.conf` and do the following: |
---|
104 | |
---|
105 | *** Remember, you will need to become root to edit this file, |
---|
106 | *** so, e.g. |
---|
107 | *** |
---|
108 | *** $ cd /etc/namedb |
---|
109 | *** $ sudo vi named.conf |
---|
110 | *** |
---|
111 | *** (feel free to use another editor instead of vi, e.g. joe, ee) |
---|
112 | |
---|
113 | If it is still there, REMOVE the following line: |
---|
114 | |
---|
115 | listen-on { 127.0.0.1; }; |
---|
116 | |
---|
117 | and add these lines in the options section: |
---|
118 | |
---|
119 | allow-query { any; }; |
---|
120 | listen-on-v6 {any;}; |
---|
121 | |
---|
122 | so that your nameserver will now answer queries from the network on IPv4 and IPv6 addresses |
---|
123 | |
---|
124 | Add a section to configure your machine as master for your domain, by adding |
---|
125 | something like this at the end (the bottom) of the file: |
---|
126 | |
---|
127 | zone "MYTLD" { |
---|
128 | type master; |
---|
129 | file "/etc/namedb/master/MYTLD"; |
---|
130 | }; |
---|
131 | |
---|
132 | Pay attention to the ';' and '}' ! |
---|
133 | |
---|
134 | Check that your config file and zone file are valid: |
---|
135 | |
---|
136 | # named-checkconf |
---|
137 | # named-checkzone MYTLD /etc/namedb/master/MYTLD |
---|
138 | |
---|
139 | If there are any errors, **correct** them ! |
---|
140 | |
---|
141 | If this is not already done, enable named in your server's configuration, |
---|
142 | by editing the file /etc/rc.conf and adding, if this is not already done: |
---|
143 | |
---|
144 | ** Remember, again, you need to be root to edit this file |
---|
145 | |
---|
146 | named_chrootdir="" |
---|
147 | named_enable="YES" |
---|
148 | |
---|
149 | Then start/restart named with |
---|
150 | |
---|
151 | # service named restart |
---|
152 | |
---|
153 | If the system complains about missing configuration files for rndc (the name server control utility) |
---|
154 | we can fix this by this by running: |
---|
155 | |
---|
156 | # rndc-confgen -a |
---|
157 | |
---|
158 | Check that the nameserver has started correctly by looking at the log file: |
---|
159 | |
---|
160 | # tail /var/log/messages |
---|
161 | |
---|
162 | Verify with dig that MYTLD is now configured on your host: |
---|
163 | |
---|
164 | # dig @10.10.XX.1 NS MYTLD. |
---|
165 | |
---|
166 | Where "XX" is the group number of your machine. |
---|
167 | |
---|
168 | You can also check the nameserver status using rndc: |
---|
169 | |
---|
170 | # rndc status |
---|
171 | |
---|
172 | If there are any errors, correct them. Some configuration errors can |
---|
173 | cause the daemon to die completely, in which case you may have to |
---|
174 | start it again after correcting the problem: |
---|
175 | |
---|
176 | # service named restart |
---|
177 | |
---|
178 | Assist your slaves to configure themselves as slave for your domain, and |
---|
179 | configure yourself as a slave if asked to do so by another table. |
---|
180 | |
---|
181 | Check that you and your slaves are giving authoritative answers for |
---|
182 | your domain: |
---|
183 | |
---|
184 | # dig +norec @10.10.XX.2 SOA MYTLD. |
---|
185 | # dig +norec @10.10.YY.2 SOA MYTLD. |
---|
186 | |
---|
187 | Check that you get an AA (authoritative answer) from both, and that |
---|
188 | the serial numbers match. |
---|
189 | |
---|
190 | Now you are ready to request delegation by confirming with the instructor that your details |
---|
191 | in the Global Registry are now complete e.g. |
---|
192 | |
---|
193 | |
---|
194 | Domain name: ___________________ |
---|
195 | |
---|
196 | Master nameserver: auth2.grp___.dns.nsrc.org |
---|
197 | |
---|
198 | Slave nameserver: auth2.grp___.dns.nsrc.org |
---|
199 | |
---|
200 | |
---|
201 | You will not get delegation until the instructor has checked: |
---|
202 | |
---|
203 | - Your nameservers are all authoritative for your domain |
---|
204 | - They all have the same SOA serial number |
---|
205 | - The NS records within the zone match the list of servers you are requesting delegation for |
---|
206 | - The slave(s) are across the room from you :) |
---|
207 | |
---|
208 | => This is called policy! |
---|
209 | |
---|
210 | Once you have delegation, try to resolve www.MYTLD: |
---|
211 | |
---|
212 | - On your own machine |
---|
213 | - On someone else's machine (who is not slave for you): |
---|
214 | |
---|
215 | # dig @10.10.0.230 www.MYTLD (where MYTLD is your domain) |
---|
216 | |
---|
217 | Next steps |
---|
218 | ---------- |
---|
219 | |
---|
220 | * Add a new resource record to your zone file. |
---|
221 | * Remember to update the serial number. |
---|
222 | * Check that your slaves have updated. |
---|
223 | * Try resolving this new name. |
---|