DNS Exercise - Delegation

In this exercise, we will create a new TLD in our root, for example MYTLD.

You will create a “Hidden Master” nameservice on your “master” machine, and you and one of your colleagues will provide the public facing “Slave” servers.

Then you will ask the administrator for the domain above you (the root) to delegate your domain to you.

Note: the following should be done as the “root” superuser - use sudo -s

Check your machine configuration

First, make sure the hostname is configured correctly on your machine. Check it with the 'hostname' command.

e.g. on auth1.grpXX.dns.nsrc.org, if you type:

# hostname

You should see:

auth1.grpXX.dns.nsrc.org

If not, then configure your server with its name: e.g. for auth1.grp25.dns.nsrc.org, type:

# hostname auth1.grp25.dns.nsrc.org

Remember to replace “grpXX” with the proper group number!

Edit the file /etc/rc.conf (using “vi” or “ee”, i.e.: ee /etc/rc.conf), and update the “hostname”:

hostname="auth1.grpXX.dns.nsrc.org"

At this point, you can also add instructions to enable named in your server's configuration file, /etc/rc.conf:

named_chrootdir=""
named_enable="YES"

In the file /etc/hosts, you should see a line:

10.10.X.1   auth1.grpXX auth1.grpXX.dns.nsrc.org

Exercise

Choose a new domain, write it down on the Global Registry sheet at the front of the class.

e.g. "MYTLD" or "EARTH", whatever you feel like.

(Do NOT choose any of the PC names, e.g. auth1.grpXX, as your subdomain)

This could for example be your country code, country name, company name, etc., but REMEMBER that someone might pick the same name! Check before you start work on the exercise. First come, first served.

Find someone who will agree to be slave for your domain. Please find someone across the room from you (not at your table). Remember RFC 2182: secondaries should be on remote networks, but here we work on a flat network.

Create your zone file in /etc/namedb/master/MYTLD (where MYTLD is your chosen domain). Remember, you will need to become root to create this file, e.g.:

$ cd /etc/namedb/master
$ sudo vi MYTLD

(feel free to use another editor instead of vi, e.g. joe, ee)

You can pretty much “copy and paste” the section below, but remember to replace XX with your own group number:

$TTL 2m
@       IN      SOA     auth1.grpXX.dns.nsrc.org. your.email.address. (
                        2012022301    ; Serial - format is YYYYMMDDNN
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative
  IN      NS      auth2.grpXX.dns.nsrc.org.   ; your slave
  IN      NS      auth2.grpYY.dns.nsrc.org.   ; your partner's slave
;
www     IN      A       10.10.XX.1             ; your own IP

Replace your.email.address. with your home e-mail address in zone-file form: the @ becomes a dot and the name ends with a dot, so that user@domain.name becomes user.domain.name.

XX and YY are the group numbers of your group and your partner's group, respectively.

We have chosen purposely low values for TTL, refresh, and retry to make it easier to fix problems in the classroom. For a production domain you would probably use higher values.

Edit /etc/namedb/named.conf and do the following:

Remember, you will need to become root to edit this file, e.g.:

$ cd /etc/namedb
$ sudo vi named.conf

(feel free to use another editor instead of vi, e.g. joe, ee)

If it is still there, REMOVE the following line:

listen-on { 127.0.0.1; };

and add these lines in the options section:

allow-query { any; };
listen-on-v6 {any;};

so that your nameserver will now answer queries from the network on its IPv4 and IPv6 addresses.

Add a section to configure your machine as master for your domain, by adding something like this at the end (the bottom) of the file:

zone "MYTLD" {
        type master;
        file "/etc/namedb/master/MYTLD";
};

Pay attention to the ';' and '}'!

Check that your config file and zone file are valid:

# named-checkconf
# named-checkzone MYTLD /etc/namedb/master/MYTLD

If there are any errors, correct them!

If you have not already done so, enable named in your server's configuration by editing /etc/rc.conf and adding:

Remember, again, you need to be root to edit this file.

named_chrootdir=""
named_enable="YES"

Then start/restart named with

# service named restart

If the system complains about missing configuration files for rndc (the name server control utility), fix this by running:

# rndc-confgen -a

Check that the nameserver has started correctly by looking at the log file:

# tail /var/log/messages

Verify with dig that MYTLD is now configured on your host:

# dig @10.10.XX.1 NS MYTLD.

Where “XX” is the group number of your machine.

You can also check the nameserver status using rndc:

# rndc status

If there are any errors, correct them. Some configuration errors can cause the daemon to die completely, in which case you may have to start it again after correcting the problem:

# service named restart

Set up slave servers

At this stage you should go back to the Agenda and complete the NSD-TXT exercise.

Assist your slaves in configuring themselves as slave for your domain, and configure yourself as a slave if asked to do so by another table.

When you have done that, come back here.

After you have set up the slaves

Check that you and your slaves are giving authoritative answers for your domain:

# dig +norec @10.10.XX.2 SOA MYTLD.
# dig +norec @10.10.YY.2 SOA MYTLD.

Check that you get an AA (authoritative answer) from both, and that the serial numbers match.

Now you are ready to request delegation: confirm with the instructor that your details in the Global Registry are complete, e.g.:

Domain name:     ___________________

Nameserver1:     auth2.grp___.dns.nsrc.org

Nameserver2:     auth2.grp___.dns.nsrc.org

You will not get delegation until the instructor has checked:

  • Your nameservers are all authoritative for your domain
  • They all have the same SOA serial number
  • The NS records within the zone match the list of servers you are requesting delegation for
  • The slave(s) are across the room from you :)

This is called policy!
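As an added example (not part of the NSRC exercise), here is a small Python script that parses a zone file in the format shown above and applies the third check from the list, comparing the NS records in the zone with the servers requested in the Global Registry. The zone text is constructed with XX=25 and YY=30, and the second NS target deliberately lacks its trailing dot.

```python
# Added example, not part of the NSRC exercise. It parses a zone file in the
# format shown above and applies the instructor's delegation check. ZONE_TEXT
# is constructed (XX=25, YY=30); group 30's NS target lacks its trailing dot.
ZONE_TEXT = """\
$TTL 2m
@       IN      SOA     auth1.grp25.dns.nsrc.org. student.example.net. (
                        2012022301    ; Serial - format is YYYYMMDDNN
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative
  IN      NS      auth2.grp25.dns.nsrc.org.   ; your slave
  IN      NS      auth2.grp30.dns.nsrc.org    ; partner's slave, dot missing
www     IN      A       10.10.25.1             ; your own IP
"""

def absolute(name, origin):
    """Qualify as named does: '@' -> origin, trailing dot -> absolute, else append origin."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def parse_zone(text, origin):
    """Return (SOA serial, set of apex NS targets) for zone text as above."""
    origin = origin.rstrip(".").lower() + "."
    owner, serial, ns, buf, depth = origin, None, set(), [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                 # drop comments
        if depth == 0 and (not line.strip() or line.startswith("$")):
            continue                                # blank line or $TTL
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth:                                   # still inside SOA ( ... )
            continue
        joined = " ".join(buf).replace("(", " ").replace(")", " ")
        buf = []
        tokens = [t for t in joined.split() if t.upper() != "IN"]
        if not joined[0].isspace():                 # record names its owner
            owner = absolute(tokens.pop(0), origin)
        if tokens[0].upper() == "SOA":
            serial = int(tokens[3])                 # mname rname serial ...
        elif tokens[0].upper() == "NS" and owner == origin:
            ns.add(absolute(tokens[1], origin))
    return serial, ns

def delegation_check(zone_text, origin, requested_ns):
    """Policy check from the text: zone NS set must equal the registry list."""
    serial, in_zone = parse_zone(zone_text, origin)
    wanted = {absolute(n, origin.rstrip(".").lower() + ".") for n in requested_ns}
    return {"serial": serial, "missing_from_zone": sorted(wanted - in_zone),
            "unexpected_in_zone": sorted(in_zone - wanted)}
```

Without the dot, named appends the origin and the zone advertises auth2.grp30.dns.nsrc.org.mytld. as a nameserver, which is exactly the mismatch the instructor's third check catches.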

Once you have delegation, try to resolve www.MYTLD:

  • On your own machine
  • On someone else's machine (who is not slave for you):

    # dig @10.10.0.230 www.MYTLD (where MYTLD is your domain)

Next steps

  • Add a new resource record to your zone file.
  • Remember to update the serial number.
  • Check that your slaves have updated.
  • Try resolving this new name.
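The serial update from the steps above, as an added example (not the exercise's own code): a Python function that rewrites the YYYYMMDDNN serial in a zone file and never lets it go backwards, since slaves only transfer the zone when the serial increases. SOA_TEXT is a constructed fragment with XX=25; the date is passed in so the result is predictable.

```python
# Added example, not part of the NSRC exercise: bump the SOA serial of a zone
# file that follows the YYYYMMDDNN convention above. The date is a parameter so
# the result is predictable; SOA_TEXT is a constructed fragment (XX=25).
import re
from datetime import date

SOA_TEXT = """\
@       IN      SOA     auth1.grp25.dns.nsrc.org. student.example.net. (
                        2012022301    ; Serial - format is YYYYMMDDNN
                        10m           ; Refresh
                        5m            ; Retry
                        4w            ; Expire
                        2m )          ; Negative
  IN      NS      auth2.grp25.dns.nsrc.org.
"""

# SOA, mname, rname, '(' and then the first number: the serial
SERIAL_RE = re.compile(r"SOA\s+\S+\s+\S+\s*\(\s*(\d+)")

def next_serial(current, today):
    """YYYYMMDDNN rule: the first edit of a day jumps to YYYYMMDD00; later
    edits the same day count up. If the file's serial is already ahead of
    today (clock behind, or 99 edits done), keep counting up: slaves only
    transfer when the serial increases, so it must never go backwards."""
    base = int(today.strftime("%Y%m%d")) * 100
    return max(current + 1, base)

def bump_serial(zone_text, today=None):
    """Rewrite the serial in place; return (new_text, old_serial, new_serial)."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(1))
    new = next_serial(old, today or date.today())
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], old, new

if __name__ == "__main__":
    text, old, new = bump_serial(SOA_TEXT, date(2012, 2, 24))
    print(f"{old} -> {new}")
    print(text)
```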
2015/dns/01-dns-delegation-exercise.txt · Last modified: 2016/02/03 05:04 (external edit)