Track3Sec: 1.6_dns-delegation-exercise-inst-is-slave.txt

                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root.
for example: MYTLD

You will create a master nameservice on your own machine, and you will get
secondary service from the instructor, provided by "auth2.grpYYY.dns.nsrc.org"
(YYY is the group of the instructor, which will be communicated in class).

Then you will ask the administrator for the domain above you (the root) to
delegate your domain to you - this is also the instructor.

Note: the following should be done as the "root" superuser - use 

     $ sudo -s
     #

Remember, when you see a line begining with "#", it means the command is
executed as root.

Firstly, note that your hostname is configured correctly
on your machine.  Check that it is configured correctly by
using the 'hostname' command - e.g. on auth1.grpXX.dns.nsrc.org, if you type:

 # hostname

You should see:

  auth1.grpXX.dns.nsrc.org

If NOT, then configure your server with its name: e.g. for

        auth1.grp25.dns.nsrc.org, type:

        # hostname auth1.grp25.dns.nsrc.org

    Remember to replace "grpXX" with the the proper group number!

    Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf),
    and update the "hostname":

        hostname="auth1.grpXX.dns.nsrc.org"

    In the file /etc/hosts, you should see a line:

        10.10.X.1   auth1.grpXX auth1.grpXX.dns.nsrc.org


Check /etc/resolv.conf to make sure it points to the class resolver
and not 127.0.0.1 that was set in a previous exercize. 
/etc/resolv.conf should look like:

                 search dns.nsrc.org
                 nameserver 10.10.0.230

Any lines begining with "#" are ignored and may be left in place.


Exercise
--------

*   Choose a new domain, write it down somewhere

    e.g., "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain)

    This could for example be the name of your country code, country name,
       company name, etc...  but REMEMBER that someone might pick the 
       same name!  First come, first serve.

*   Register your new domain using the classroom root zone manager at
    https://rzm.dnssek.org/

    MYTLD is the domain name you have chosen (e.g. "EARTH")
    Password is up to you but you must remember it for later exercizes.
    The password does not have to be super secure for this class exersize.
    Just pick something easy to remember and write it down.

    Click the "Signup" button.

    The next page is an example of a two-factor security system. Unless
    told by instructor, leave the "verification code" field blank and
    simply click the "Proceed" button underneath.  

    You will be able to return to this page later to configure your 
    security token (e.g. Google Authenticator, Authy, etc..) if desired.

    Click the "Logout" button on the next page.  You will fill the 
    name and IP address information in later.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain, e.g., EARTH) -- you can pretty 
    much "copy and paste" the section below -- but remember to update
    the XXX with your IP and YYY to that given in class:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 2m
@       IN      SOA     auth1.grpXX.dns.nsrc.org. your.email.address. (
                        2012022301    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative

        IN      NS      auth1.grpXXX.dns.nsrc.org.   ; master
        IN      NS      auth2.grpYYY.dns.nsrc.org.   ; slave at instructor

www     IN      A       10.10.XXX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address,
    so that user@domain.name becomes user.domain.name

    XXX and YYY are the IP of your group, and your slave's, respectively.
        
    We have chosen purposely low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    might use higher values.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If it is still there, REMOVE the following lines:

         listen-on { 127.0.0.1; };

         allow-recursion { 127.0.0.1; 10.10.0.0/16; };

    ... and add following lines in the options section:

        allow-query { any; };
        recursion no;

    ... so that your nameserver will now answer queries from the network

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
          (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
        also-notify { 10.10.YYY.2; };
      };

    Pay attention to the ';' and '}' !  ..and case matters in the filename.

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *

*   Tell the instructor managing grpYYY that you need secondary service for
    your domain - tell them the domain and tell them what your group number is.

        For instance, if the domain is "EARTH", and you are Group 5, you
        should write on a piece of paper

        "EARTH 5"

        And give this to the instructor managing grpYYY

*   If this is not already done, enable named in your server's configuration,
    by editing the file /etc/rc.conf and adding, if this is not already done:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    - Then start/restart named with

        # service named restart

    Check the result with

        # tail -100 /var/log/messages

        Verify with dig that MYTLD is now configured on your host:

                # dig @10.10.XX.1 MYTLD. NS

        Where "XX" is the address of your machine.

        You can also check the nameserver status using rndc:

                # rndc status

    - If there are any errors, correct them. Some configuration errors can
    cause the daemon to die completely, in which case you may have to
    start it again:

        # /etc/rc.d/named restart

*   Check that you and the instructor slave at grpYYY are giving authoritative
    answers for your domain:

        # dig +norec @10.10.XXX.1 MYTLD. SOA
        # dig +norec @10.10.YYY.2 MYTLD. SOA

    Check that you get an "aa" flag (authoritative answer) from both, and that
    the serial numbers match.

    Note that:

        # dig MYTLD. SOA

    should not return an ANSWER since the root does not know about you.
    The next step will fix that.

*   Now you are ready to request delegation:

    Go to https://rzm.dnssek.org/

       Login using the MYTLD/Password you used at the begining
       of the exercize. 

       Click "Proceed" button.
       
       Under "Edit Name Server Details":
       Enter your Name Server, e.g., auth1.grpXX.dns.nsrc.org
       and corresponding IP address for it, e.g., 10.10.X.1
       Then click "Update".

       The RZM program will then execute a few "dig" commands just
       as you did to figure out what the name servers and IP addresses
       are for MYTLD.

       If you see an "eye", this means that RZM was able to see
       what some of your name servers were by doing its own "digs" 
       and are showing you them here for your approval.

       You should see an entry with an "eye" icon indicating
       that your slave server was seen.

       If the slave entry looks correct, e.g., it is
       auth2.grpYY.dns.nsrc.org,
       click on the "eye" to get a "check" mark.

       Similarly, if you see any check marks next to items that you
       feel are incorrect, click on the check mark until you get a "X" mark.

       Click "Update".

       If all goes well, your entry(s) should show up with a 
       "document" icon next to it indicating it checked
       out and has been inserted into the root zone file.

       In a minute, your zone should be delegated.

       Note: The RZM interface is a rudimentary example of what
       a typical Registry registration system may look like.

*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine

      # dig @10.10.XXX.1 www.MYTLD       (where MYTLD is your domain)

    - On someone else's machine - will it work ?

      # dig @10.10.0.230 www.MYTLD       (where MYTLD is your domain)

      This may take a bit longer due to caching of any previous 
      negative (NXDOMAIN) results.

*   Add a new resource record to your zone file. Remember to update the
    SOA serial number. The run

    # rndc reload

    Check that your slaves have updated. Try resolving this new name.