DNS Exercise - Delegation
-------------------------

Each of you will be assigned a group number "X" corresponding to the
virtual machine you will be using for this class, at IP address
10.10.X.1. You will use ssh or putty.exe (available on the classroom
page) to log into your VM.

In this exercise we will create a new subdomain, say, MYNAME. We will be
delegating under the existing domain "dnstest.gov.co", so MYNAME might
be, for example, gonzalo.dnstest.gov.co:

    MYNAME = gonzalo.dnstest.gov.co

Remember that MYNAME must be a Fully Qualified Domain Name (FQDN).

You will create a master nameservice on your own machine, and you will
get secondary service from the instructor, provided by
"auth2.grpY.ws.nsrc.org" (Y is the group of the instructor, which will
be communicated in class). Then you will ask the administrator of the
domain above you to delegate your domain to you, via a Web based zone
manager for the parent.

Note: the following should be done as the "root" superuser - use sudo -s

First, check that the hostname is configured correctly on your machine,
using the 'hostname' command. For example, on auth1.grpX.ws.nsrc.org,
if you type:

    # hostname

you should see:

    auth1.grpX.ws.nsrc.org

If NOT, then configure your server with its name, e.g. for
auth1.grp25.ws.nsrc.org, type:

    # hostname auth1.grp25.ws.nsrc.org

Remember to replace "grpX" with the proper group number!

The hostname command only changes the running system. To make the name
survive a reboot, edit the file /etc/rc.conf (using "vi" or "ee", i.e.
ee /etc/rc.conf) and update the "hostname" line:

    hostname="auth1.grpX.ws.nsrc.org"

In the file /etc/hosts, you should see a line:

    10.10.X.1    auth1.grpX    auth1.grpX.ws.nsrc.org

Exercise
--------

* Choose a new domain MYNAME, and write it down somewhere. (Do NOT choose
  any of the PC names, e.g. `auth1.grpX`, as your subdomain.) This could
  for example be your country code, country name, company name, etc.,
  but REMEMBER that someone else might pick the same name: first come,
  first served.
* Sign up to the classroom zone manager at https://rzm.dnssek.org/

  Username is your MYNAME ("gonzalo.dnstest.gov.co" for example).
  Password is up to you, but you must remember it. Click the "Signup"
  button.

* Create your zone file in `/etc/namedb/master/MYNAME` (where MYNAME is
  your chosen domain) -- you can pretty much "copy and paste" the section
  below -- but remember to replace X and Y with your own group number and
  the instructor's:

  *** Remember, you will need to become root to create this file,
  *** so, e.g.
  ***
  ***     $ cd /etc/namedb/master
  ***     $ sudo vi MYNAME
  ***
  *** (feel free to use another editor instead of vi, e.g. joe, ee)

- - - - - - - - - - - - - cut below - - - - - - - - - - - -
$TTL 2m
@       IN      SOA     auth1.grpX.ws.nsrc.org. your.email.address. (
                        1367446359      ; Serial
                        10m             ; Refresh
                        5m              ; Retry
                        4w              ; Expire
                        2m )            ; Negative

        IN      NS      auth1.grpX.ws.nsrc.org.         ; master
        IN      NS      auth2.grpY.ws.nsrc.org.         ; slave at instructor

www     IN      A       10.10.X.1                       ; your own IP
- - - - - - - - - - - - - cut above - - - - - - - - - - - -

  Replace `your.email.address.` with your home E-mail address, rewritten
  so that user@domain.name becomes user.domain.name. Keep the trailing
  dot: the SOA contact is written as a domain name, and without the dot
  it would be taken as relative to your zone. If your "user" part has a
  "." in it, just remove the "."s for this exercise (the zone-file syntax
  would let you escape it as "\.", but that is not needed here).

  X and Y are the group numbers of your own machine and of the
  instructor providing your slave, respectively.

  We have purposely chosen low values for TTL, refresh and retry to make
  it easier to fix problems in the classroom. For a production domain
  you would use higher values.

* Edit `/etc/namedb/named.conf` and do the following:

  *** Remember, you will need to become root to edit this file,
  *** so, e.g.
  ***
  ***     $ cd /etc/namedb
  ***     $ sudo vi named.conf
  ***
  *** (feel free to use another editor instead of vi, e.g. joe, ee)

  - If it is still there, REMOVE the following line:

        listen-on { 127.0.0.1; };

    ... and add another line in the options section:

        allow-query { any; };

    ...
    so that your nameserver will now answer queries from the network.

    Note: this server is meant to be authoritative only. Make sure the
    options section also contains

        recursion no;

    (add it if it is missing); otherwise allow-query { any; }; turns the
    machine into an open resolver for everyone who can reach it.

  - Add a section to configure your machine as master for your domain,
    by adding something like this at the end (the bottom) of the file:

        zone "MYNAME" {
            type master;
            file "/etc/namedb/master/MYNAME";
            also-notify { 10.10.Y.2; };
        };

    Pay attention to the ';' and '}' ! If there are any other zone
    sections, such as "zone "." { };", remove them.

    also-notify sends a NOTIFY to the instructor's slave every time you
    reload the zone, so it picks up changes at once instead of waiting
    for the refresh timer. The slave still has to be allowed to transfer
    the zone: if your named.conf has an allow-transfer statement, it must
    include 10.10.Y.2.

* Check that your config file and zone file are valid:

    # named-checkconf
    # named-checkzone MYNAME /etc/namedb/master/MYNAME

* If there are any errors, correct them!

* Tell the instructor managing your "slave" grpY that you need secondary
  service for your domain - tell them the domain and what X you are
  using. For instance, if your X is 5, you should write on a piece of
  paper:

    MYNAME 5

  and give this to the instructor managing grpY.

* If this is not already done, enable named in your server's
  configuration by editing the file /etc/rc.conf and adding:

  ** Remember, again, you need to be root to edit this file

    named_chrootdir=""
    named_enable="YES"

  (named_chrootdir="" switches off the chroot, so that named reads the
  paths exactly as written above.)

  - Then start/restart named with

    # service named restart

    Check the result with

    # tail /var/log/messages

    to see if there were any startup errors. And verify with dig that
    MYNAME is now configured on your host:

    # dig @10.10.X.1 MYNAME. NS

    where "X" is the group number of your machine. You can also check
    the nameserver status using rndc:

    # rndc status

  - If there are any errors, correct them. Some configuration errors can
    cause the daemon to die completely, in which case you may have to
    start it again:

    # /etc/rc.d/named restart

* Check that you are giving authoritative answers for your domain:

    # dig +norec @10.10.X.1 MYNAME. SOA

  Check that you get an AA (authoritative answer) in the ";; flags: ..."
  line. +norec clears the "recursion desired" bit, so you are asking
  exactly the way a resolver asks an authoritative server; the answer
  must carry "aa", not come out of a cache.

* Now you are ready to request delegation:

  Go to https://rzm.dnssek.org/

  Login with the information you entered previously and click "Proceed".
  Username is your MYNAME. Password as entered above.
  Enter "auth1.grpX.ws.nsrc.org" in the "Name Server" field and
  "10.10.X.1" in the IP field, and click "Update" in the name server
  section. RZM will do a lookup and should recognize this. If all is
  well, it will also notify the parent domain to update its zone
  information to complete the delegation. This will take a couple of
  minutes to complete.

* Check that you and the instructor's slave at grpY are giving
  authoritative answers for your domain:

    # dig +norec @10.10.X.1 MYNAME. SOA
    # dig +norec @10.10.Y.2 MYNAME. SOA

  Check that you get an AA (authoritative answer) from both, and that the
  serial numbers match. If the slave answers without AA, or with a lower
  serial, it has not transferred your zone yet: look in
  /var/log/messages on your machine for the NOTIFY and transfer
  messages, and ask the instructor to check their end.

* Once you have delegation, try to resolve www.MYNAME:

  - On your own machine
  - On someone else's machine - will it work?

    # dig @10.10.X.1 www.MYNAME

* Add a new resource record to your zone file. Remember to update the
  serial number: it must increase, because the slave only transfers the
  zone when it sees a serial higher than the one it already holds. Reload
  the zone (rndc reload MYNAME, or service named restart), check that
  your slave has updated, and try resolving the new name.
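The last two steps (adding a record with a higher serial, then checking that the master and the instructor's slave both answer authoritatively with the same serial) can be scripted. What follows is an added example, not part of the exercise page or of the classroom tooling. It assumes the exercise's layout (zone files under /etc/namedb/master/MYNAME, the SOA written as in the template, dig's normal text output) and, for the live function update_and_verify, that named-checkzone, rndc and dig are on the PATH and you are root. The zone file and the dig output used by the offline demo are constructed samples with X=5 and Y=7.

```shell
#!/bin/sh
# Added example, not from the exercise page: bump the SOA serial, add a record,
# and verify master and slave agree. Constructed samples (X=5, Y=7) drive the
# offline demo at the bottom; update_and_verify is the live classroom version.

# SOA serial of a zone file in the exercise's layout: the third token after
# "SOA" (MNAME, RNAME, then serial), skipping "(" and ";" comments.
zone_serial() {
    awk '{ sub(/;.*/, "") }
         /SOA/ { insoa = 1 }
         insoa { for (i = 1; i <= NF; i++) {
                     if (!seen) { if ($i == "SOA") seen = 1; continue }
                     if ($i == "(") continue
                     if (++n == 3) { print $i; exit } } }' "$1"
}

# New serial = max(old + 1, epoch seconds): never goes backwards and keeps the
# epoch convention of the template. Rewrites the file, prints the new value.
bump_serial() {
    old=$(zone_serial "$1")
    new=$((old + 1))
    now=$(date +%s)
    if [ "$now" -gt "$new" ]; then new=$now; fi
    awk -v old="$old" -v new="$new" \
        '!done && index($0, old) { sub(old, new); done = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

add_record() {      # add_record FILE OWNER TYPE RDATA  (appends, no reload)
    printf '%s\tIN\t%s\t%s\n' "$2" "$3" "$4" >> "$1"
}

reload_zone() {     # reload_zone ZONE FILE: validate, then reload (sends NOTIFY)
    named-checkzone "$1" "$2" && rndc reload "$1"
}

# dig output on stdin -> 1 if the "aa" flag is set, else 0
dig_has_aa() {
    awk '/^;; flags:/ { f = 0
             for (i = 3; i <= NF; i++) { t = $i; sub(/;$/, "", t)
                 if (t == "aa") f = 1
                 if ($i ~ /;$/) break }
             print f; exit }'
}

# dig output on stdin -> serial field of the SOA in the ANSWER SECTION
dig_soa_serial() {
    awk '/^;; ANSWER SECTION:/ { ans = 1; next }
         ans && $4 == "SOA" { print $7; exit }'
}

# Both saved dig outputs must be authoritative and carry the same serial.
compare_soa() {     # compare_soa MASTER_OUT SLAVE_OUT
    ma=$(dig_has_aa < "$1"); ms=$(dig_soa_serial < "$1")
    sa=$(dig_has_aa < "$2"); ss=$(dig_soa_serial < "$2")
    if [ "$ma" = 1 ] && [ "$sa" = 1 ] && [ -n "$ms" ] && [ "$ms" = "$ss" ]; then
        echo "OK: both authoritative, serial $ms"; return 0
    fi
    echo "MISMATCH: master aa=$ma serial=$ms / slave aa=$sa serial=$ss"; return 1
}

# Live version (run as root): update_and_verify MYNAME X Y OWNER TYPE RDATA
update_and_verify() {
    f=/etc/namedb/master/$1
    add_record "$f" "$4" "$5" "$6"
    bump_serial "$f" > /dev/null
    reload_zone "$1" "$f" || return 1
    sleep 5                                   # let NOTIFY and the transfer happen
    m=$(mktemp); s=$(mktemp)
    dig +norec "@10.10.$2.1" "$1." SOA > "$m"
    dig +norec "@10.10.$3.2" "$1." SOA > "$s"
    if compare_soa "$m" "$s"; then st=0; else st=1; fi
    rm -f "$m" "$s"
    [ "$st" = 0 ] && dig +short "@10.10.$2.1" "$4.$1." "$5"   # resolve the new name
    return "$st"
}

# Constructed zone (the exercise template with X=5, Y=7) for the offline demo.
make_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 2m
@       IN      SOA     auth1.grp5.ws.nsrc.org. user.example.com. (
                        1367446359      ; Serial
                        10m             ; Refresh
                        5m              ; Retry
                        4w              ; Expire
                        2m )            ; Negative
        IN      NS      auth1.grp5.ws.nsrc.org.         ; master
        IN      NS      auth2.grp7.ws.nsrc.org.         ; slave at instructor
www     IN      A       10.10.5.1                       ; your own IP
EOF
}

# Constructed dig output in the shape of `dig +norec @SERVER ZONE. SOA`.
sample_dig_output() {   # sample_dig_output ZONE FLAGS SERIAL
    printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n'
    printf ';; flags: %s; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0\n' "$2"
    printf '\n;; ANSWER SECTION:\n%s.\t120\tIN\tSOA\tauth1.grp5.ws.nsrc.org. user.example.com. %s 600 300 2419200 120\n' "$1" "$3"
}

# Offline demo: add a record and bump, then compare a master holding the new
# serial with a slave that has not transferred yet (prints MISMATCH).
z=$(mktemp); m=$(mktemp); s=$(mktemp)
make_sample_zone "$z"
add_record "$z" ftp A 10.10.5.1
new=$(bump_serial "$z")
sample_dig_output gonzalo.dnstest.gov.co "qr aa" "$new"     > "$m"
sample_dig_output gonzalo.dnstest.gov.co "qr aa" 1367446359 > "$s"
compare_soa "$m" "$s" || true
rm -f "$z" "$m" "$s"
```

On the classroom machine the live call would be, as root, `update_and_verify gonzalo.dnstest.gov.co 5 7 ftp A 10.10.5.1`. A MISMATCH right after the reload usually means the NOTIFY has not been acted on yet or the transfer was refused; the serial that bump_serial prints is the one to look for in the slave's answer, and /var/log/messages on your side shows whether the NOTIFY went out.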