Track3Sec: 1.6_dns-delegation-exercise-inst-is-slave.txt

File 1.6_dns-delegation-exercise-inst-is-slave.txt, 9.1 KB (added by Fakrul Alam, 6 years ago)
                        DNS Exercise - Delegation
                        -------------------------

In this exercise, we will create a new TLD in our root,
for example: MYTLD

You will create a master nameservice on your own machine, and you will get
secondary service from the instructor, provided by "auth2.grpYYY.dns.nsrc.org"
(YYY is the group of the instructor, which will be communicated in class).

Then you will ask the administrator for the domain above you (the root) to
delegate your domain to you - this is also the instructor.

Note: the following should be done as the "root" superuser - use

     $ sudo -s
     #

Remember, when you see a line beginning with "#", it means the command is
executed as root.

Firstly, make sure that your hostname is configured correctly
on your machine.  Check that it is configured correctly by
using the 'hostname' command - e.g. on auth1.grpXX.dns.nsrc.org, if you type:

 # hostname

You should see:

  auth1.grpXX.dns.nsrc.org

If NOT, then configure your server with its name: e.g. for

        auth1.grp25.dns.nsrc.org, type:

        # hostname auth1.grp25.dns.nsrc.org

    Remember to replace "grpXX" with the proper group number!

    Edit the file /etc/rc.conf (using "vi" or "ee", i.e.: ee /etc/rc.conf),
    and update the "hostname":

        hostname="auth1.grpXX.dns.nsrc.org"

    In the file /etc/hosts, you should see a line:

        10.10.X.1   auth1.grpXX auth1.grpXX.dns.nsrc.org


Check /etc/resolv.conf to make sure it points to the class resolver
and not 127.0.0.1, which was set in a previous exercise.
/etc/resolv.conf should look like:

                 search dns.nsrc.org
                 nameserver 10.10.0.230

Any lines beginning with "#" are ignored and may be left in place.


Exercise
--------

*   Choose a new domain, write it down somewhere

    e.g., "EARTH" - whatever you feel like.

    (Do NOT choose any of the PC names, e.g. `auth1.grpXX`, as your subdomain)

    This could for example be your country code, country name,
       company name, etc...  but REMEMBER that someone might pick the
       same name!  First come, first served.

*   Register your new domain using the classroom root zone manager at
    https://rzm.dnssek.org/

    MYTLD is the domain name you have chosen (e.g. "EARTH")
    The password is up to you, but you must remember it for later exercises.
    The password does not have to be super secure for this class exercise.
    Just pick something easy to remember and write it down.

    Click the "Signup" button.

    The next page is an example of a two-factor security system. Unless
    told otherwise by the instructor, leave the "verification code" field blank
    and simply click the "Proceed" button underneath.

    You will be able to return to this page later to configure your
    security token (e.g. Google Authenticator, Authy, etc.) if desired.

    Click the "Logout" button on the next page.  You will fill in the
    name and IP address information later.

*   Create your zone file in `/etc/namedb/master/MYTLD`
    (where MYTLD is your chosen domain, e.g., EARTH) -- you can pretty
    much "copy and paste" the section below -- but remember to update
    XXX with your group number (from your IP address) and YYY with the
    one given in class:

  ***   Remember, you will need to become root to create this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYTLD
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -

$TTL 2m
@       IN      SOA     auth1.grpXX.dns.nsrc.org. your.email.address. (
                        2012022301    ; Serial
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative

        IN      NS      auth1.grpXXX.dns.nsrc.org.   ; master
        IN      NS      auth2.grpYYY.dns.nsrc.org.   ; slave at instructor

www     IN      A       10.10.XXX.1             ; your own IP

- - - - - - - - - - - - - cut above - - - - - - - - - - - -

    Replace `your.email.address.` with your home E-mail address,
    so that user@domain.name becomes user.domain.name. (keep the trailing dot)

    XXX and YYY are the group numbers (the third octet of the address) of
    your group and of your slave's group, respectively.

    We have chosen deliberately low values for TTL, refresh, and retry to make
    it easier to fix problems in the classroom. For a production domain you
    would use higher values.

*   Edit `/etc/namedb/named.conf` and do the following:

  ***   Remember, you will need to become root to edit this file,
  ***   so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  ***   (feel free to use another editor instead of vi, e.g. joe, ee)

    - If they are still there, REMOVE the following lines:

         listen-on { 127.0.0.1; };

         allow-recursion { 127.0.0.1; 10.10.0.0/16; };

    ... and add the following lines in the options section:

        allow-query { any; };
        recursion no;

    ... so that your nameserver will now answer queries from the network,
    as an authoritative-only server (it will not recurse for anyone).

    - Add a section to configure your machine as master for
      your domain, by adding something like this at the end
          (the bottom) of the file:

      zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
        also-notify { 10.10.YYY.2; };
      };

    Pay attention to the ';' and '}' !  ..and case matters in the filename.

*   Check that your config file and zone file are valid:

        # named-checkconf
        # named-checkzone MYTLD /etc/namedb/master/MYTLD

    * If there are any errors, correct them ! *

*   Tell the instructor managing grpYYY that you need secondary service for
    your domain - tell them the domain and tell them what your group number is.

        For instance, if the domain is "EARTH", and you are Group 5, you
        should write on a piece of paper

        "EARTH 5"

        and give this to the instructor managing grpYYY.

*   If this is not already done, enable named in your server's configuration
    by editing the file /etc/rc.conf and adding:

     ** Remember, again, you need to be root to edit this file

        named_chrootdir=""
        named_enable="YES"

    - Then start/restart named with

        # service named restart

    Check the result with

        # tail -100 /var/log/messages

        Verify with dig that MYTLD is now configured on your host:

                # dig @10.10.XX.1 MYTLD. NS

        Where 10.10.XX.1 is the address of your machine.

        You can also check the nameserver status using rndc:

                # rndc status

    - If there are any errors, correct them. Some configuration errors can
    cause the daemon to die completely, in which case you may have to
    start it again:

        # /etc/rc.d/named restart

*   Check that you and the instructor slave at grpYYY are giving authoritative
    answers for your domain:

        # dig +norec @10.10.XXX.1 MYTLD. SOA
        # dig +norec @10.10.YYY.2 MYTLD. SOA

    Check that you get an "aa" flag (authoritative answer) from both, and that
    the serial numbers match.

    Note that:

        # dig MYTLD. SOA

    should not return an ANSWER since the root does not know about you.
    The next step will fix that.
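
    As an added example (not part of the original exercise), the shell script
    below runs the two checks just described against saved dig output: it looks
    for the "aa" flag and compares the SOA serial reported by master and slave,
    taking the serial only from the ANSWER section so that the parent's SOA in
    a negative answer is not mistaken for yours. The sample outputs are
    constructed (group 25, zone EARTH, an assumed contact address); to use it
    live, put the output of the two dig commands above into the variables instead.

```shell
#!/bin/sh
# Added example, not part of the original NSRC exercise. Checks saved output of
#   dig +norec @10.10.XXX.1 MYTLD. SOA   and   dig +norec @10.10.YYY.2 MYTLD. SOA
# for an "aa" flag on both answers and for matching SOA serials.
# Print 1 if the dig output carries the "aa" (authoritative answer) flag, else 0.
has_aa_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* aa[ ;]' && echo 1 || echo 0
}

# Print the SOA serial from the ANSWER section only. A negative answer from a
# resolver also carries a SOA, but in the AUTHORITY section and for the parent
# zone, so it must not be mistaken for your own serial.
soa_serial() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION/ { ans = 1; next }
        /^;;/                { ans = 0 }
        ans && $4 == "SOA"   { print $7; exit }'
}

# Return 0 when master and slave both answer authoritatively with the same
# serial; otherwise report what is off and return 1.
check_master_slave() {
    status=0
    [ "$(has_aa_flag "$1")" = 1 ] || { echo "master: no aa flag (zone not loaded?)"; status=1; }
    [ "$(has_aa_flag "$2")" = 1 ] || { echo "slave: no aa flag (transfer not done yet?)"; status=1; }
    m=$(soa_serial "$1"); s=$(soa_serial "$2")
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        echo "serial $m matches on master and slave"
    else
        echo "serial mismatch: master='$m' slave='$s' (bump the serial and rndc reload?)"
        status=1
    fi
    return $status
}

# Constructed sample outputs (group 25, zone EARTH; contact address is assumed).
MASTER_OUT=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
EARTH.   120  IN  SOA  auth1.grp25.dns.nsrc.org. user.example.org. 2012022301 600 300 2419200 120'
# A slave that has not yet transferred the latest version of the zone.
STALE_SLAVE_OUT=';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
EARTH.   120  IN  SOA  auth1.grp25.dns.nsrc.org. user.example.org. 2012022201 600 300 2419200 120'
# What the class resolver returns before delegation: no aa, only the root SOA
# (root server names here are placeholders).
RESOLVER_OUT=';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
.   120  IN  SOA  root-ns.example. hostmaster.example. 2012022301 600 300 2419200 120'
check_master_slave "$MASTER_OUT" "$STALE_SLAVE_OUT" || echo "slave not in sync yet"
```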

*   Now you are ready to request delegation:

    Go to https://rzm.dnssek.org/

       Login using the MYTLD/Password you used at the beginning
       of the exercise.

       Click the "Proceed" button.

       Under "Edit Name Server Details":
       Enter your Name Server, e.g., auth1.grpXX.dns.nsrc.org
       and the corresponding IP address for it, e.g., 10.10.X.1
       Then click "Update".

       The RZM program will then execute a few "dig" commands just
       as you did to figure out what the name servers and IP addresses
       are for MYTLD.

       If you see an "eye", this means that RZM was able to see
       what some of your name servers were by doing its own "digs"
       and is showing them to you here for your approval.

       You should see an entry with an "eye" icon indicating
       that your slave server was seen.

       If the slave entry looks correct, e.g., it is
       auth2.grpYY.dns.nsrc.org,
       click on the "eye" to get a "check" mark.

       Similarly, if you see any check marks next to items that you
       feel are incorrect, click on the check mark until you get an "X" mark.

       Click "Update".

       If all goes well, your entries should show up with a
       "document" icon next to them indicating they checked
       out and have been inserted into the root zone file.

       In a minute, your zone should be delegated.

       Note: The RZM interface is a rudimentary example of what
       a typical Registry registration system may look like.

*   Once you have delegation, try to resolve www.MYTLD:

    - On your own machine

      # dig @10.10.XXX.1 www.MYTLD       (where MYTLD is your domain)

    - On someone else's machine - will it work?

      # dig @10.10.0.230 www.MYTLD       (where MYTLD is your domain)

      This may take a bit longer due to caching of any previous
      negative (NXDOMAIN) results.

*   Add a new resource record to your zone file. Remember to update the
    SOA serial number. Then run

    # rndc reload

    Check that your slaves have updated. Try resolving this new name.
294