1 | DNS Exercise - Delegation |
---|
2 | ------------------------- |
---|
3 | |
---|
4 | In this exercise, we will create a new TLD in our root. |
---|
5 | for example: MYTLD |
---|
6 | |
---|
7 | You will create a master nameservice on your own machine, and you will get |
---|
8 | secondary service from the instructor, provided by "auth2.grpYYY.dns.nsrc.org" |
---|
9 | (YYY is the group of the instructor, which will be communicated in class). |
---|
10 | |
---|
11 | Then you will ask the administrator for the domain above you (the root) to |
---|
12 | delegate your domain to you - this is also the instructor. |
---|
13 | |
---|
14 | Note: the following should be done as the "root" superuser - use |
---|
15 | |
---|
16 | $ sudo -s |
---|
17 | # |
---|
18 | |
---|
19 | Remember, when you see a line begining with "#", it means the command is |
---|
20 | executed as root. |
---|
21 | |
---|
22 | Firstly, note that your hostname is configured correctly |
---|
23 | on your machine. Check that it is configured correctly by |
---|
24 | using the 'hostname' command - e.g. on auth1.grpXX.dns.nsrc.org, if you type: |
---|
25 | |
---|
26 | # hostname |
---|
27 | |
---|
28 | You should see: |
---|
29 | |
---|
30 | auth1.grpXX.dns.nsrc.org |
---|
31 | |
---|
32 | If NOT, then configure your server with its name: e.g. for |
---|
33 | |
---|
34 | auth1.grp25.dns.nsrc.org, type: |
---|
35 | |
---|
36 | # hostname auth1.grp25.dns.nsrc.org |
---|
37 | |
---|
38 | Remember to replace "grpXX" with the the proper group number! |
---|
39 | |
---|
40 | Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf), |
---|
41 | and update the "hostname": |
---|
42 | |
---|
43 | hostname="auth1.grpXX.dns.nsrc.org" |
---|
44 | |
---|
45 | In the file /etc/hosts, you should see a line: |
---|
46 | |
---|
47 | 10.10.X.1 auth1.grpXX auth1.grpXX.dns.nsrc.org |
---|
48 | |
---|
49 | |
---|
50 | Check /etc/resolv.conf to make sure it points to the class resolver |
---|
51 | and not 127.0.0.1 that was set in a previous exercize. |
---|
52 | /etc/resolv.conf should look like: |
---|
53 | |
---|
54 | search dns.nsrc.org |
---|
55 | nameserver 10.10.0.230 |
---|
56 | |
---|
57 | Any lines begining with "#" are ignored and may be left in place. |
---|
58 | |
---|
59 | |
---|
60 | Exercise |
---|
61 | -------- |
---|
62 | |
---|
63 | * Choose a new domain, write it down somewhere |
---|
64 | |
---|
65 | e.g., "EARTH" - whatever you feel like. |
---|
66 | |
---|
67 | (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain) |
---|
68 | |
---|
69 | This could for example be the name of your country code, country name, |
---|
70 | company name, etc... but REMEMBER that someone might pick the |
---|
71 | same name! First come, first serve. |
---|
72 | |
---|
73 | * Register your new domain using the classroom root zone manager at |
---|
74 | https://rzm.dnssek.org/ |
---|
75 | |
---|
76 | MYTLD is the domain name you have chosen (e.g. "EARTH") |
---|
77 | Password is up to you but you must remember it for later exercizes. |
---|
78 | The password does not have to be super secure for this class exersize. |
---|
79 | Just pick something easy to remember and write it down. |
---|
80 | |
---|
81 | Click the "Signup" button. |
---|
82 | |
---|
83 | The next page is an example of a two-factor security system. Unless |
---|
84 | told by instructor, leave the "verification code" field blank and |
---|
85 | simply click the "Proceed" button underneath. |
---|
86 | |
---|
87 | You will be able to return to this page later to configure your |
---|
88 | security token (e.g. Google Authenticator, Authy, etc..) if desired. |
---|
89 | |
---|
90 | Click the "Logout" button on the next page. You will fill the |
---|
91 | name and IP address information in later. |
---|
92 | |
---|
93 | * Create your zone file in `/etc/namedb/master/MYTLD` |
---|
94 | (where MYTLD is your chosen domain, e.g., EARTH) -- you can pretty |
---|
95 | much "copy and paste" the section below -- but remember to update |
---|
96 | the XXX with your IP and YYY to that given in class: |
---|
97 | |
---|
98 | *** Remember, you will need to become root to create this file, |
---|
99 | *** so, e.g. |
---|
100 | *** |
---|
101 | *** $ cd /etc/namedb/master |
---|
102 | *** $ sudo vi MYTLD |
---|
103 | *** |
---|
104 | *** (feel free to use another editor instead of vi, e.g. joe, ee) |
---|
105 | |
---|
106 | - - - - - - - - - - - - - cut below - - - - - - - - - - - - |
---|
107 | |
---|
108 | $TTL 2m |
---|
109 | @ IN SOA auth1.grpXX.dns.nsrc.org. your.email.address. ( |
---|
110 | 2012022301 ; Serial |
---|
111 | 10m ; Refresh |
---|
112 | 5m ; Retry |
---|
113 | 4w ; Expire |
---|
114 | 2m ) ; Negative |
---|
115 | |
---|
116 | IN NS auth1.grpXXX.dns.nsrc.org. ; master |
---|
117 | IN NS auth2.grpYYY.dns.nsrc.org. ; slave at instructor |
---|
118 | |
---|
119 | www IN A 10.10.XXX.1 ; your own IP |
---|
120 | |
---|
121 | - - - - - - - - - - - - - cut above - - - - - - - - - - - - |
---|
122 | |
---|
123 | Replace `your.email.address.` with your home E-mail address, |
---|
124 | so that user@domain.name becomes user.domain.name |
---|
125 | |
---|
126 | XXX and YYY are the IP of your group, and your slave's, respectively. |
---|
127 | |
---|
128 | We have chosen purposely low values for TTL, refresh, and retry to make |
---|
129 | it easier to fix problems in the classroom. For a production domain you |
---|
130 | might use higher values. |
---|
131 | |
---|
132 | * Edit `/etc/namedb/named.conf` and do the following: |
---|
133 | |
---|
134 | *** Remember, you will need to become root to edit this file, |
---|
135 | *** so, e.g. |
---|
136 | *** |
---|
137 | *** $ cd /etc/namedb |
---|
138 | *** $ sudo vi named.conf |
---|
139 | *** |
---|
140 | *** (feel free to use another editor instead of vi, e.g. joe, ee) |
---|
141 | |
---|
142 | - If it is still there, REMOVE the following lines: |
---|
143 | |
---|
144 | listen-on { 127.0.0.1; }; |
---|
145 | |
---|
146 | allow-recursion { 127.0.0.1; 10.10.0.0/16; }; |
---|
147 | |
---|
148 | ... and add following lines in the options section: |
---|
149 | |
---|
150 | allow-query { any; }; |
---|
151 | recursion no; |
---|
152 | |
---|
153 | ... so that your nameserver will now answer queries from the network |
---|
154 | |
---|
155 | - Add a section to configure your machine as master for |
---|
156 | your domain, by adding something like this at the end |
---|
157 | (the bottom) of the file: |
---|
158 | |
---|
159 | zone "MYTLD" { |
---|
160 | type master; |
---|
161 | file "/etc/namedb/master/MYTLD"; |
---|
162 | also-notify { 10.10.YYY.2; }; |
---|
163 | }; |
---|
164 | |
---|
165 | Pay attention to the ';' and '}' ! ..and case matters in the filename. |
---|
166 | |
---|
167 | * Check that your config file and zone file are valid: |
---|
168 | |
---|
169 | # named-checkconf |
---|
170 | # named-checkzone MYTLD /etc/namedb/master/MYTLD |
---|
171 | |
---|
172 | * If there are any errors, correct them ! * |
---|
173 | |
---|
174 | * Tell the instructor managing grpYYY that you need secondary service for |
---|
175 | your domain - tell them the domain and tell them what your group number is. |
---|
176 | |
---|
177 | For instance, if the domain is "EARTH", and you are Group 5, you |
---|
178 | should write on a piece of paper |
---|
179 | |
---|
180 | "EARTH 5" |
---|
181 | |
---|
182 | And give this to the instructor managing grpYYY |
---|
183 | |
---|
184 | * If this is not already done, enable named in your server's configuration, |
---|
185 | by editing the file /etc/rc.conf and adding, if this is not already done: |
---|
186 | |
---|
187 | ** Remember, again, you need to be root to edit this file |
---|
188 | |
---|
189 | named_chrootdir="" |
---|
190 | named_enable="YES" |
---|
191 | |
---|
192 | - Then start/restart named with |
---|
193 | |
---|
194 | # service named restart |
---|
195 | |
---|
196 | Check the result with |
---|
197 | |
---|
198 | # tail -100 /var/log/messages |
---|
199 | |
---|
200 | Verify with dig that MYTLD is now configured on your host: |
---|
201 | |
---|
202 | # dig @10.10.XX.1 MYTLD. NS |
---|
203 | |
---|
204 | Where "XX" is the address of your machine. |
---|
205 | |
---|
206 | You can also check the nameserver status using rndc: |
---|
207 | |
---|
208 | # rndc status |
---|
209 | |
---|
210 | - If there are any errors, correct them. Some configuration errors can |
---|
211 | cause the daemon to die completely, in which case you may have to |
---|
212 | start it again: |
---|
213 | |
---|
214 | # /etc/rc.d/named restart |
---|
215 | |
---|
216 | * Check that you and the instructor slave at grpYYY are giving authoritative |
---|
217 | answers for your domain: |
---|
218 | |
---|
219 | # dig +norec @10.10.XXX.1 MYTLD. SOA |
---|
220 | # dig +norec @10.10.YYY.2 MYTLD. SOA |
---|
221 | |
---|
222 | Check that you get an "aa" flag (authoritative answer) from both, and that |
---|
223 | the serial numbers match. |
---|
224 | |
---|
225 | Note that: |
---|
226 | |
---|
227 | # dig MYTLD. SOA |
---|
228 | |
---|
229 | should not return an ANSWER since the root does not know about you. |
---|
230 | The next step will fix that. |
---|
231 | |
---|
232 | * Now you are ready to request delegation: |
---|
233 | |
---|
234 | Go to https://rzm.dnssek.org/ |
---|
235 | |
---|
236 | Login using the MYTLD/Password you used at the begining |
---|
237 | of the exercize. |
---|
238 | |
---|
239 | Click "Proceed" button. |
---|
240 | |
---|
241 | Under "Edit Name Server Details": |
---|
242 | Enter your Name Server, e.g., auth1.grpXX.dns.nsrc.org |
---|
243 | and corresponding IP address for it, e.g., 10.10.X.1 |
---|
244 | Then click "Update". |
---|
245 | |
---|
246 | The RZM program will then execute a few "dig" commands just |
---|
247 | as you did to figure out what the name servers and IP addresses |
---|
248 | are for MYTLD. |
---|
249 | |
---|
250 | If you see an "eye", this means that RZM was able to see |
---|
251 | what some of your name servers were by doing its own "digs" |
---|
252 | and are showing you them here for your approval. |
---|
253 | |
---|
254 | You should see an entry with an "eye" icon indicating |
---|
255 | that your slave server was seen. |
---|
256 | |
---|
257 | If the slave entry looks correct, e.g., it is |
---|
258 | auth2.grpYY.dns.nsrc.org, |
---|
259 | click on the "eye" to get a "check" mark. |
---|
260 | |
---|
261 | Similarly, if you see any check marks next to items that you |
---|
262 | feel are incorrect, click on the check mark until you get a "X" mark. |
---|
263 | |
---|
264 | Click "Update". |
---|
265 | |
---|
266 | If all goes well, your entry(s) should show up with a |
---|
267 | "document" icon next to it indicating it checked |
---|
268 | out and has been inserted into the root zone file. |
---|
269 | |
---|
270 | In a minute, your zone should be delegated. |
---|
271 | |
---|
272 | Note: The RZM interface is a rudimentary example of what |
---|
273 | a typical Registry registration system may look like. |
---|
274 | |
---|
275 | * Once you have delegation, try to resolve www.MYTLD: |
---|
276 | |
---|
277 | - On your own machine |
---|
278 | |
---|
279 | # dig @10.10.XXX.1 www.MYTLD (where MYTLD is your domain) |
---|
280 | |
---|
281 | - On someone else's machine - will it work ? |
---|
282 | |
---|
283 | # dig @10.10.0.230 www.MYTLD (where MYTLD is your domain) |
---|
284 | |
---|
285 | This may take a bit longer due to caching of any previous |
---|
286 | negative (NXDOMAIN) results. |
---|
287 | |
---|
288 | * Add a new resource record to your zone file. Remember to update the |
---|
289 | SOA serial number. The run |
---|
290 | |
---|
291 | # rndc reload |
---|
292 | |
---|
293 | Check that your slaves have updated. Try resolving this new name. |
---|
294 | |
---|