| 1 | DNS Exercise - Delegation |
|---|
| 2 | ------------------------- |
|---|
| 3 | |
|---|
| 4 | In this exercise, we will create a new TLD in our root. |
|---|
| 5 | for example: MYTLD |
|---|
| 6 | |
|---|
| 7 | You will create a master nameservice on your own machine, and you will get |
|---|
| 8 | secondary service from the instructor, provided by "auth2.grpYYY.dns.nsrc.org" |
|---|
| 9 | (YYY is the group of the instructor, which will be communicated in class). |
|---|
| 10 | |
|---|
| 11 | Then you will ask the administrator for the domain above you (the root) to |
|---|
| 12 | delegate your domain to you - this is also the instructor. |
|---|
| 13 | |
|---|
| 14 | Note: the following should be done as the "root" superuser - use |
|---|
| 15 | |
|---|
| 16 | $ sudo -s |
|---|
| 17 | # |
|---|
| 18 | |
|---|
| 19 | Remember, when you see a line begining with "#", it means the command is |
|---|
| 20 | executed as root. |
|---|
| 21 | |
|---|
| 22 | Firstly, note that your hostname is configured correctly |
|---|
| 23 | on your machine. Check that it is configured correctly by |
|---|
| 24 | using the 'hostname' command - e.g. on auth1.grpXX.dns.nsrc.org, if you type: |
|---|
| 25 | |
|---|
| 26 | # hostname |
|---|
| 27 | |
|---|
| 28 | You should see: |
|---|
| 29 | |
|---|
| 30 | auth1.grpXX.dns.nsrc.org |
|---|
| 31 | |
|---|
| 32 | If NOT, then configure your server with its name: e.g. for |
|---|
| 33 | |
|---|
| 34 | auth1.grp25.dns.nsrc.org, type: |
|---|
| 35 | |
|---|
| 36 | # hostname auth1.grp25.dns.nsrc.org |
|---|
| 37 | |
|---|
| 38 | Remember to replace "grpXX" with the the proper group number! |
|---|
| 39 | |
|---|
| 40 | Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf), |
|---|
| 41 | and update the "hostname": |
|---|
| 42 | |
|---|
| 43 | hostname="auth1.grpXX.dns.nsrc.org" |
|---|
| 44 | |
|---|
| 45 | In the file /etc/hosts, you should see a line: |
|---|
| 46 | |
|---|
| 47 | 10.10.X.1 auth1.grpXX auth1.grpXX.dns.nsrc.org |
|---|
| 48 | |
|---|
| 49 | |
|---|
| 50 | Check /etc/resolv.conf to make sure it points to the class resolver |
|---|
| 51 | and not 127.0.0.1 that was set in a previous exercize. |
|---|
| 52 | /etc/resolv.conf should look like: |
|---|
| 53 | |
|---|
| 54 | search dns.nsrc.org |
|---|
| 55 | nameserver 10.10.0.230 |
|---|
| 56 | |
|---|
| 57 | Any lines begining with "#" are ignored and may be left in place. |
|---|
| 58 | |
|---|
| 59 | |
|---|
| 60 | Exercise |
|---|
| 61 | -------- |
|---|
| 62 | |
|---|
| 63 | * Choose a new domain, write it down somewhere |
|---|
| 64 | |
|---|
| 65 | e.g., "EARTH" - whatever you feel like. |
|---|
| 66 | |
|---|
| 67 | (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain) |
|---|
| 68 | |
|---|
| 69 | This could for example be the name of your country code, country name, |
|---|
| 70 | company name, etc... but REMEMBER that someone might pick the |
|---|
| 71 | same name! First come, first serve. |
|---|
| 72 | |
|---|
| 73 | * Register your new domain using the classroom root zone manager at |
|---|
| 74 | https://rzm.dnssek.org/ |
|---|
| 75 | |
|---|
| 76 | MYTLD is the domain name you have chosen (e.g. "EARTH") |
|---|
| 77 | Password is up to you but you must remember it for later exercizes. |
|---|
| 78 | The password does not have to be super secure for this class exersize. |
|---|
| 79 | Just pick something easy to remember and write it down. |
|---|
| 80 | |
|---|
| 81 | Click the "Signup" button. |
|---|
| 82 | |
|---|
| 83 | The next page is an example of a two-factor security system. Unless |
|---|
| 84 | told by instructor, leave the "verification code" field blank and |
|---|
| 85 | simply click the "Proceed" button underneath. |
|---|
| 86 | |
|---|
| 87 | You will be able to return to this page later to configure your |
|---|
| 88 | security token (e.g. Google Authenticator, Authy, etc..) if desired. |
|---|
| 89 | |
|---|
| 90 | Click the "Logout" button on the next page. You will fill the |
|---|
| 91 | name and IP address information in later. |
|---|
| 92 | |
|---|
| 93 | * Create your zone file in `/etc/namedb/master/MYTLD` |
|---|
| 94 | (where MYTLD is your chosen domain, e.g., EARTH) -- you can pretty |
|---|
| 95 | much "copy and paste" the section below -- but remember to update |
|---|
| 96 | the XXX with your IP and YYY to that given in class: |
|---|
| 97 | |
|---|
| 98 | *** Remember, you will need to become root to create this file, |
|---|
| 99 | *** so, e.g. |
|---|
| 100 | *** |
|---|
| 101 | *** $ cd /etc/namedb/master |
|---|
| 102 | *** $ sudo vi MYTLD |
|---|
| 103 | *** |
|---|
| 104 | *** (feel free to use another editor instead of vi, e.g. joe, ee) |
|---|
| 105 | |
|---|
| 106 | - - - - - - - - - - - - - cut below - - - - - - - - - - - - |
|---|
| 107 | |
|---|
| 108 | $TTL 2m |
|---|
| 109 | @ IN SOA auth1.grpXX.dns.nsrc.org. your.email.address. ( |
|---|
| 110 | 2012022301 ; Serial |
|---|
| 111 | 10m ; Refresh |
|---|
| 112 | 5m ; Retry |
|---|
| 113 | 4w ; Expire |
|---|
| 114 | 2m ) ; Negative |
|---|
| 115 | |
|---|
| 116 | IN NS auth1.grpXXX.dns.nsrc.org. ; master |
|---|
| 117 | IN NS auth2.grpYYY.dns.nsrc.org. ; slave at instructor |
|---|
| 118 | |
|---|
| 119 | www IN A 10.10.XXX.1 ; your own IP |
|---|
| 120 | |
|---|
| 121 | - - - - - - - - - - - - - cut above - - - - - - - - - - - - |
|---|
| 122 | |
|---|
| 123 | Replace `your.email.address.` with your home E-mail address, |
|---|
| 124 | so that user@domain.name becomes user.domain.name |
|---|
| 125 | |
|---|
| 126 | XXX and YYY are the IP of your group, and your slave's, respectively. |
|---|
| 127 | |
|---|
| 128 | We have chosen purposely low values for TTL, refresh, and retry to make |
|---|
| 129 | it easier to fix problems in the classroom. For a production domain you |
|---|
| 130 | might use higher values. |
|---|
| 131 | |
|---|
| 132 | * Edit `/etc/namedb/named.conf` and do the following: |
|---|
| 133 | |
|---|
| 134 | *** Remember, you will need to become root to edit this file, |
|---|
| 135 | *** so, e.g. |
|---|
| 136 | *** |
|---|
| 137 | *** $ cd /etc/namedb |
|---|
| 138 | *** $ sudo vi named.conf |
|---|
| 139 | *** |
|---|
| 140 | *** (feel free to use another editor instead of vi, e.g. joe, ee) |
|---|
| 141 | |
|---|
| 142 | - If it is still there, REMOVE the following lines: |
|---|
| 143 | |
|---|
| 144 | listen-on { 127.0.0.1; }; |
|---|
| 145 | |
|---|
| 146 | allow-recursion { 127.0.0.1; 10.10.0.0/16; }; |
|---|
| 147 | |
|---|
| 148 | ... and add following lines in the options section: |
|---|
| 149 | |
|---|
| 150 | allow-query { any; }; |
|---|
| 151 | recursion no; |
|---|
| 152 | |
|---|
| 153 | ... so that your nameserver will now answer queries from the network |
|---|
| 154 | |
|---|
| 155 | - Add a section to configure your machine as master for |
|---|
| 156 | your domain, by adding something like this at the end |
|---|
| 157 | (the bottom) of the file: |
|---|
| 158 | |
|---|
| 159 | zone "MYTLD" { |
|---|
| 160 | type master; |
|---|
| 161 | file "/etc/namedb/master/MYTLD"; |
|---|
| 162 | also-notify { 10.10.YYY.2; }; |
|---|
| 163 | }; |
|---|
| 164 | |
|---|
| 165 | Pay attention to the ';' and '}' ! ..and case matters in the filename. |
|---|
| 166 | |
|---|
| 167 | * Check that your config file and zone file are valid: |
|---|
| 168 | |
|---|
| 169 | # named-checkconf |
|---|
| 170 | # named-checkzone MYTLD /etc/namedb/master/MYTLD |
|---|
| 171 | |
|---|
| 172 | * If there are any errors, correct them ! * |
|---|
| 173 | |
|---|
| 174 | * Tell the instructor managing grpYYY that you need secondary service for |
|---|
| 175 | your domain - tell them the domain and tell them what your group number is. |
|---|
| 176 | |
|---|
| 177 | For instance, if the domain is "EARTH", and you are Group 5, you |
|---|
| 178 | should write on a piece of paper |
|---|
| 179 | |
|---|
| 180 | "EARTH 5" |
|---|
| 181 | |
|---|
| 182 | And give this to the instructor managing grpYYY |
|---|
| 183 | |
|---|
| 184 | * If this is not already done, enable named in your server's configuration, |
|---|
| 185 | by editing the file /etc/rc.conf and adding, if this is not already done: |
|---|
| 186 | |
|---|
| 187 | ** Remember, again, you need to be root to edit this file |
|---|
| 188 | |
|---|
| 189 | named_chrootdir="" |
|---|
| 190 | named_enable="YES" |
|---|
| 191 | |
|---|
| 192 | - Then start/restart named with |
|---|
| 193 | |
|---|
| 194 | # service named restart |
|---|
| 195 | |
|---|
| 196 | Check the result with |
|---|
| 197 | |
|---|
| 198 | # tail -100 /var/log/messages |
|---|
| 199 | |
|---|
| 200 | Verify with dig that MYTLD is now configured on your host: |
|---|
| 201 | |
|---|
| 202 | # dig @10.10.XX.1 MYTLD. NS |
|---|
| 203 | |
|---|
| 204 | Where "XX" is the address of your machine. |
|---|
| 205 | |
|---|
| 206 | You can also check the nameserver status using rndc: |
|---|
| 207 | |
|---|
| 208 | # rndc status |
|---|
| 209 | |
|---|
| 210 | - If there are any errors, correct them. Some configuration errors can |
|---|
| 211 | cause the daemon to die completely, in which case you may have to |
|---|
| 212 | start it again: |
|---|
| 213 | |
|---|
| 214 | # /etc/rc.d/named restart |
|---|
| 215 | |
|---|
| 216 | * Check that you and the instructor slave at grpYYY are giving authoritative |
|---|
| 217 | answers for your domain: |
|---|
| 218 | |
|---|
| 219 | # dig +norec @10.10.XXX.1 MYTLD. SOA |
|---|
| 220 | # dig +norec @10.10.YYY.2 MYTLD. SOA |
|---|
| 221 | |
|---|
| 222 | Check that you get an "aa" flag (authoritative answer) from both, and that |
|---|
| 223 | the serial numbers match. |
|---|
| 224 | |
|---|
| 225 | Note that: |
|---|
| 226 | |
|---|
| 227 | # dig MYTLD. SOA |
|---|
| 228 | |
|---|
| 229 | should not return an ANSWER since the root does not know about you. |
|---|
| 230 | The next step will fix that. |
|---|
| 231 | |
|---|
| 232 | * Now you are ready to request delegation: |
|---|
| 233 | |
|---|
| 234 | Go to https://rzm.dnssek.org/ |
|---|
| 235 | |
|---|
| 236 | Login using the MYTLD/Password you used at the begining |
|---|
| 237 | of the exercize. |
|---|
| 238 | |
|---|
| 239 | Click "Proceed" button. |
|---|
| 240 | |
|---|
| 241 | Under "Edit Name Server Details": |
|---|
| 242 | Enter your Name Server, e.g., auth1.grpXX.dns.nsrc.org |
|---|
| 243 | and corresponding IP address for it, e.g., 10.10.X.1 |
|---|
| 244 | Then click "Update". |
|---|
| 245 | |
|---|
| 246 | The RZM program will then execute a few "dig" commands just |
|---|
| 247 | as you did to figure out what the name servers and IP addresses |
|---|
| 248 | are for MYTLD. |
|---|
| 249 | |
|---|
| 250 | If you see an "eye", this means that RZM was able to see |
|---|
| 251 | what some of your name servers were by doing its own "digs" |
|---|
| 252 | and are showing you them here for your approval. |
|---|
| 253 | |
|---|
| 254 | You should see an entry with an "eye" icon indicating |
|---|
| 255 | that your slave server was seen. |
|---|
| 256 | |
|---|
| 257 | If the slave entry looks correct, e.g., it is |
|---|
| 258 | auth2.grpYY.dns.nsrc.org, |
|---|
| 259 | click on the "eye" to get a "check" mark. |
|---|
| 260 | |
|---|
| 261 | Similarly, if you see any check marks next to items that you |
|---|
| 262 | feel are incorrect, click on the check mark until you get a "X" mark. |
|---|
| 263 | |
|---|
| 264 | Click "Update". |
|---|
| 265 | |
|---|
| 266 | If all goes well, your entry(s) should show up with a |
|---|
| 267 | "document" icon next to it indicating it checked |
|---|
| 268 | out and has been inserted into the root zone file. |
|---|
| 269 | |
|---|
| 270 | In a minute, your zone should be delegated. |
|---|
| 271 | |
|---|
| 272 | Note: The RZM interface is a rudimentary example of what |
|---|
| 273 | a typical Registry registration system may look like. |
|---|
| 274 | |
|---|
| 275 | * Once you have delegation, try to resolve www.MYTLD: |
|---|
| 276 | |
|---|
| 277 | - On your own machine |
|---|
| 278 | |
|---|
| 279 | # dig @10.10.XXX.1 www.MYTLD (where MYTLD is your domain) |
|---|
| 280 | |
|---|
| 281 | - On someone else's machine - will it work ? |
|---|
| 282 | |
|---|
| 283 | # dig @10.10.0.230 www.MYTLD (where MYTLD is your domain) |
|---|
| 284 | |
|---|
| 285 | This may take a bit longer due to caching of any previous |
|---|
| 286 | negative (NXDOMAIN) results. |
|---|
| 287 | |
|---|
| 288 | * Add a new resource record to your zone file. Remember to update the |
|---|
| 289 | SOA serial number. The run |
|---|
| 290 | |
|---|
| 291 | # rndc reload |
|---|
| 292 | |
|---|
| 293 | Check that your slaves have updated. Try resolving this new name. |
|---|
| 294 | |
|---|