ZONE TRANSFER ATTEMPT

0. If you have already set up nameservers as part of the DNS/DNSSEC workshop, skip this exercise.

1. Install bind and the DNS tools on the DNS machine (10.X.1.1):

   sudo apt-get install dnsutils bind9

   and test:

   dig www.co.tt @127.0.0.1

   What do you see?

2. Check that your TLD is preconfigured as it should be:

   dig axfr tldX @127.0.0.1

   where X = your group number. You should see a few entries, including two SOA records, one at the beginning and one at the end. As currently configured, anyone can get this! (Try it from other machines.)

3. Set up DNS logging. At the end of /etc/bind/named.conf paste:

   logging {
       channel transfer_log {
           file "log/transfer" versions 2 size 50m;
           print-time yes;       // add timestamp to the entries
           print-category yes;   // add category name
           print-severity yes;   // add severity level
           severity debug 0;     // 99; // 3 print debug messages
       };
       channel security-syslog {
           syslog security;
           severity info;
       };
       category security { transfer_log; security-syslog; };
       category xfer-in  { transfer_log; security-syslog; };
       category xfer-out { transfer_log; security-syslog; };
   };

   and to the "options" section add:

   recursion no;
   dnssec-enable yes;

   and remove:

   dnssec-validation auto;

   The "log/transfer" path is relative to named's working directory, which on Debian/Ubuntu is /var/cache/bind (the "directory" setting in /etc/bind/named.conf.options); that is why the next step creates /var/cache/bind/log. (On BIND 9.15 and later dnssec-enable is obsolete and can be left out; named only warns about it.)

4. Create the corresponding log directory:

   sudo mkdir /var/cache/bind/log
   sudo chown bind:bind /var/cache/bind/log

   and restart named:

   sudo service bind9 restart

5. Watch the syslog file:

   sudo tail -f /var/log/syslog

   and in another ssh session try to transfer the zone:

   dig axfr tldX @127.0.0.1
   or
   dig axfr tldX @10.X.1.1

   You should see the zone file in its entirety, and the xfer-out entries for the transfer should appear in the log output (and in /var/cache/bind/log/transfer).
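The xfer-out lines that step 5 produces are what you would feed a detector. The script below is an added example for this exercise, not part of the workshop handout: it parses constructed syslog lines in the format BIND writes for outbound transfers (client <ip>#<port> (<zone>): transfer of '<zone>/IN': AXFR started ...) and flags any transfer attempt whose client is outside an allow-list of known secondaries. The host name dns, the IP addresses, the zone name tld1, the serial and the allow-list 10.1.1.0/24 are all assumptions.

```python
"""Flag BIND zone transfers (xfer-out log lines) from clients that are not
known secondaries. Added example for this exercise, not from the handout."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed syslog lines (assumption: not captured from a real server). They
# follow the xfer-out format BIND writes once the logging block above is in
# place: one transfer from the expected secondary 10.1.1.2, one from an
# unknown host 10.1.9.77, and an unrelated sshd line the parser must skip.
SAMPLE_SYSLOG = """\
Mar  4 12:00:01 dns named[1234]: client 10.1.1.2#53412 (tld1): transfer of 'tld1/IN': AXFR started (serial 2020030401)
Mar  4 12:00:01 dns named[1234]: client 10.1.1.2#53412 (tld1): transfer of 'tld1/IN': AXFR ended
Mar  4 12:00:07 dns sshd[999]: Accepted publickey for student from 10.1.1.9 port 50022
Mar  4 12:00:09 dns named[1234]: client @0x7f3c2c0a1b10 10.1.9.77#41000 (tld1): transfer of 'tld1/IN': AXFR started (serial 2020030401)
Mar  4 12:00:09 dns named[1234]: client @0x7f3c2c0a1b10 10.1.9.77#41000 (tld1): transfer of 'tld1/IN': AXFR ended
"""

# Older BIND logs "client <ip>#<port>"; newer versions insert a "@0x..." client
# handle first. Both forms are accepted.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): transfer of '(?P<zone>[^/']+)/[A-Z]+': "
    r"(?P<kind>AXFR|IXFR) (?P<event>started|ended)"
)


@dataclass(frozen=True)
class Transfer:
    client: str   # client IP address
    zone: str     # zone name, e.g. tld1
    kind: str     # AXFR or IXFR
    event: str    # started or ended


def parse_transfers(text):
    """Return a Transfer for every xfer-out line in `text`; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = XFER_RE.search(line)
        if m:
            found.append(Transfer(m["ip"], m["zone"], m["kind"], m["event"]))
    return found


def unexpected_transfers(transfers, allowed_nets):
    """Transfer attempts ('started' events) from clients outside `allowed_nets`.

    `allowed_nets` is a list of CIDR strings for the hosts permitted to pull
    the zone (your secondaries). Anything else pulling the zone is enumeration.
    """
    nets = [ip_network(n) for n in allowed_nets]
    return [
        t for t in transfers
        if t.event == "started"
        and not any(ip_address(t.client) in net for net in nets)
    ]


if __name__ == "__main__":
    # Assumption: 10.1.1.0/24 is the only network holding legitimate secondaries.
    for t in unexpected_transfers(parse_transfers(SAMPLE_SYSLOG), ["10.1.1.0/24"]):
        print(f"ALERT: {t.kind} of zone {t.zone} by unexpected client {t.client}")
```

Only "started" events are counted so that a transfer that BIND logs as both started and ended is reported once. Note that the logging set up in step 3 only records transfers; it does not stop them. Restricting who may pull the zone is done in named.conf with allow-transfer { <secondary addresses>; }; in the zone statement (or allow-transfer { none; }; in options), which this exercise does not cover.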