DNS Exercise - Delegation
-------------------------

In this exercise, we will create a new TLD in our root, for example: MYTLD

You will create a master nameservice on your own machine, and someone else
will provide slave service. Then you will ask the administrator for the
domain above you (the root) to delegate your domain to you.

Note: the following should be done as the "root" superuser - use

  $ sudo -s
  #

Remember, when you see a line beginning with "#", it means the command is
executed as root.

Exercise
--------

* Choose a new domain, write it down somewhere e.g., "EARTH" - whatever you
  feel like. (Do NOT choose any of the PC names, e.g. `auth1.grpX`, as your
  subdomain.) This could for example be the name of your country code,
  country name, company name, etc... but REMEMBER that someone might pick
  the same name! First come, first served.

* Register your new domain using the classroom root zone manager at

    https://rzm.dnssek.org/

  MYTLD is the domain name you have chosen (e.g. "EARTH").
  The password is up to you, but you must remember it for later exercises.
  The password does not have to be super secure for this class exercise.
  Just pick something easy to remember and write it down.

  Click the "Signup" button.

  The next page is an example of a two-factor security system. Unless told
  by the instructor, leave the "verification code" field blank and simply
  click the "Proceed" button underneath. You will be able to return to this
  page later to configure your security token (e.g. Google Authenticator,
  Authy, etc.) if desired.

  Click the "Logout" button on the next page. You will fill in the name and
  IP address information later.

* Create your zone file in `/etc/bind/master/MYTLD` (where MYTLD is your
  chosen domain, e.g., EARTH) -- you can pretty much "copy and paste" the
  section below -- but remember to update the X with your group number,
  MYTLD with your chosen domain, and OTHERTLD with your slave's TLD:

  *** Remember, you will need to become root to create this file,
  *** so, e.g.
  ***
  *** $ cd /etc/bind/master
  *** $ sudo vi MYTLD
  ***
  *** (feel free to use another editor instead of vi, e.g. emacs)

  - - - - - - - - - - - - - cut below - - - - - - - - - - - -
  $TTL 2m
  @       IN SOA  ns1.nic.MYTLD. your.email.address. (
                  2017050100  ; Serial
                  10m         ; Refresh
                  5m          ; Retry
                  4w          ; Expire
                  2m )        ; Negative

          IN NS   ns1.nic.MYTLD.       ; master
          IN NS   ns1.nic.OTHERTLD.    ; slave somewhere else

  ns1.nic IN A    10.192.X.1
  www     IN A    10.192.X.3
  noc     IN A    10.192.X.2
  finance IN A    10.192.X.201
  mysql   IN A    10.192.X.202

  google  IN NS   ns1.google.com.
          IN NS   ns2.google.com.

  cust2   IN NS   ns1.cust2.MYTLD.
  ns1.cust2.MYTLD. IN A 192.101.186.19
  - - - - - - - - - - - - - cut above - - - - - - - - - - - -

  Replace `your.email.address.` with your home E-mail address, so that
  user@domain.name becomes user.domain.name

  Replace X with your group number and MYTLD with your actual value.
  You may leave OTHERTLD as is until you determine who your secondary
  slave server will be.

  We have chosen purposely low values for TTL, refresh, and retry to make
  it easier to fix problems in the classroom. For a production domain you
  might use higher values.

* Edit `/etc/bind/named.conf` and do the following:

  *** Remember, you will need to become root to edit this file,
  *** so, e.g.
  ***
  *** $ cd /etc/bind
  *** $ sudo vi named.conf
  ***
  *** (feel free to use another editor instead of vi, e.g. emacs)

  - If it is still there, REMOVE the following lines:

        dnssec-validation auto;
        dnssec-enable yes;
        listen-on-v6 { any; };
        listen-on { 127.0.0.1; };
        allow-recursion { 127.0.0.1; };

    ... and add the following lines in the options section:

        allow-query { any; };
        recursion no;

    ... so that your nameserver will now answer queries from the network.

  - Add a section to configure your machine as master for your domain, by
    adding something like this at the end (the bottom) of the file:

        zone "MYTLD" {
            type master;
            file "/etc/bind/master/MYTLD";
            also-notify { 10.192.Y.1; };
        };

    where 10.192.Y.1 is the IP address for ns1.nic.OTHERTLD.
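  The named.conf edits above are easy to get half right (one stale
  listen-on line left in, "recursion no;" forgotten). The script below is
  an added example, not part of the exercise or of BIND: it checks a
  named.conf for each removal and addition this step asks for and reports
  what is still wrong. The two config fragments inside it are constructed
  samples (domain EARTH in group 1, slave in group 2), not files from the
  classroom machines.

```shell
#!/bin/sh
# Added example (not part of the exercise): audit a named.conf against the
# changes this step asks for. Sample configs below are constructed.

# has_line FILE REGEX: true when some line of FILE starts with REGEX.
has_line() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# audit_named_conf FILE: prints one finding per line; returns 0 when the
# file already looks the way the exercise wants it, 1 otherwise.
audit_named_conf() {
    f=$1
    rc=0
    # Lines the exercise says to REMOVE: any that survive are reported.
    for bad in dnssec-validation dnssec-enable listen-on-v6 allow-recursion; do
        if has_line "$f" "$bad"; then
            echo "remove: a '$bad' line is still present"
            rc=1
        fi
    done
    if has_line "$f" 'listen-on[[:space:]]*\{[[:space:]]*127\.0\.0\.1'; then
        echo "remove: 'listen-on { 127.0.0.1; };' still present; named only answers this host"
        rc=1
    fi
    # Lines the exercise says to ADD to the options section.
    if ! has_line "$f" 'allow-query[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "add: 'allow-query { any; };' missing; the network cannot query you"
        rc=1
    fi
    # The security-relevant one: an authoritative server that answers the
    # whole network AND still recurses is an open recursive resolver.
    if ! has_line "$f" 'recursion[[:space:]]+no[[:space:]]*;'; then
        echo "add: 'recursion no;' missing; with allow-query any this is an open resolver"
        rc=1
    fi
    # The master zone stanza must point at a file under /etc/bind/master/.
    if ! has_line "$f" 'file[[:space:]]+"/etc/bind/master/'; then
        echo "zone: no master stanza with a file under /etc/bind/master/ found"
        rc=1
    fi
    return $rc
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed "before": the default lines still in place, no zone stanza.
BEFORE="$TMP/named.conf.before"
cat > "$BEFORE" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    dnssec-enable yes;
    listen-on-v6 { any; };
    listen-on { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
};
EOF

# Constructed "after": EARTH is group 1, its slave (MARS) is group 2.
AFTER="$TMP/named.conf.after"
cat > "$AFTER" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-query { any; };
    recursion no;
};

zone "EARTH" {
    type master;
    file "/etc/bind/master/EARTH";
    also-notify { 10.192.2.1; };
};
EOF

echo "== before =="
audit_named_conf "$BEFORE" || echo "(needs fixing)"
echo "== after =="
audit_named_conf "$AFTER" && echo "(looks right)"
```

  On the classroom machine you would run `audit_named_conf /etc/bind/named.conf`
  as root before `named-checkconf`; the audit only reads the file and
  changes nothing.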
    Y is the group number for your slave. If you have not found a slave
    yet, you can set Y to your X, i.e., your group number.

    Pay attention to the ';' and '}' ! ..and case matters in the filename.

* Check that your config file and zone file are valid:

  # named-checkconf
  # named-checkzone MYTLD /etc/bind/master/MYTLD

* If there are any errors, correct them!

* Start/restart named with:

  # service bind9 restart

  If not enabled on startup:

  # update-rc.d bind9 enable

  Check the result with

  # tail -100 /var/log/syslog

  Verify with dig that MYTLD is now configured on your host:

  # dig @10.192.X.1 MYTLD. NS

  where "10.192.X.1" is the address of your machine.

  You can also check the nameserver status using rndc:

  # rndc status

  - If there are any errors, correct them. Some configuration errors can
    cause the daemon to die completely, in which case you may have to
    start it again:

    # /etc/init.d/bind9 restart

* Assist your slave (OTHERTLD/10.192.Y.1) to configure themselves as slave
  for your domain, and configure yourself as a slave if asked to do so by
  another group. Here is most of what you need to add to the end of the
  named.conf file:

      zone "MYTLD" {
          type slave;
          masters { 10.192.X.1; };
          file "/etc/bind/slave/MYTLD";
      };

  ... where X is the group where the master is located (YOU).

  If you have changed your `named.conf` so that you are a slave for someone
  else, make sure that there are no errors in `/var/log/syslog` after you
  restart your nameserver. You will need a slave directory with proper
  permissions and ownership where bind can write the zone file received
  from the master.

* Check that you and the slave at 10.192.Y.1 are giving authoritative
  answers for your domain:

  # dig +norec @10.192.X.1 MYTLD. SOA
  # dig +norec @10.192.Y.1 MYTLD. SOA

  Check that you get an "aa" flag (authoritative answer) from both, and
  that the serial numbers match.

  Note that:

  # dig MYTLD. SOA

  should not return an ANSWER since the root does not know about you.
  The next step will fix that.
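  The "aa flag from both, serials match" check above is worth scripting,
  because a slave that has not transferred yet still answers (with an old
  serial, or with SERVFAIL and no aa) and is easy to wave through by eye.
  The script below is an added example, not part of the exercise: it parses
  saved `dig +norec ... SOA` output for the master and the slave and
  reports whether the pair is ready for delegation. The dig outputs inside
  it are constructed samples for a zone "EARTH" with master 10.192.1.1 and
  slave 10.192.2.1; admin.example.net is a placeholder contact.

```shell
#!/bin/sh
# Added example (not part of the exercise): check master and slave SOA
# answers for the aa flag and matching serials. Sample outputs are constructed.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# aa_flag FILE: prints "aa" if the saved dig output carries the aa flag, else "noaa".
aa_flag() {
    # dig prints e.g. ";; flags: qr aa; QUERY: 1, ANSWER: 1, ..."
    if grep -Eq '^;; flags:.* aa[ ;]' "$1"; then echo aa; else echo noaa; fi
}

# soa_serial FILE: prints the serial of the first SOA record in the answer
# (fields: owner ttl class SOA mname rname serial refresh retry expire min).
soa_serial() {
    awk '!/^;/ && $4 == "SOA" { print $7; exit }' "$1"
}

# compare_soa MASTER_FILE SLAVE_FILE: 0 when both are authoritative and agree.
compare_soa() {
    m=$(soa_serial "$1")
    s=$(soa_serial "$2")
    if [ "$(aa_flag "$1")" != aa ]; then echo "master: no aa flag"; return 1; fi
    if [ "$(aa_flag "$2")" != aa ]; then echo "slave: no aa flag (zone not loaded?)"; return 1; fi
    if [ -z "$m" ] || [ "$m" != "$s" ]; then
        echo "serial mismatch: master=$m slave=$s (transfer not done yet)"
        return 1
    fi
    echo "ok: both authoritative, serial $m"
}

# live_check MASTER_IP SLAVE_IP ZONE: the same test against real servers.
# Only works where dig is installed; not called below.
live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 2; }
    dig +norec @"$1" "$3." SOA > "$TMP/live_master" 2>&1
    dig +norec @"$2" "$3." SOA > "$TMP/live_slave" 2>&1
    compare_soa "$TMP/live_master" "$TMP/live_slave"
}

MASTER_OUT="$TMP/master"; SLAVE_OUT="$TMP/slave"
LAGGING_OUT="$TMP/lagging"; NOTLOADED_OUT="$TMP/notloaded"

# Constructed: what the master answers once the zone is loaded.
cat > "$MASTER_OUT" <<'EOF'
; <<>> DiG 9.10.3 <<>> +norec @10.192.1.1 EARTH. SOA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4241
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;EARTH.             IN      SOA

;; ANSWER SECTION:
EARTH.      120     IN      SOA     ns1.nic.EARTH. admin.example.net. 2017050100 600 300 2419200 120
EOF

# Constructed: slave in sync (same answer from the other address).
sed 's/@10.192.1.1/@10.192.2.1/' "$MASTER_OUT" > "$SLAVE_OUT"

# Constructed: slave still serving the previous day's serial.
sed 's/@10.192.1.1/@10.192.2.1/; s/2017050100/2017043000/' "$MASTER_OUT" > "$LAGGING_OUT"

# Constructed: slave configured but zone never transferred (SERVFAIL, no aa).
cat > "$NOTLOADED_OUT" <<'EOF'
; <<>> DiG 9.10.3 <<>> +norec @10.192.2.1 EARTH. SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;EARTH.             IN      SOA
EOF

compare_soa "$MASTER_OUT" "$SLAVE_OUT"
compare_soa "$MASTER_OUT" "$LAGGING_OUT" || echo "(slave lags; check syslog on 10.192.2.1)"
compare_soa "$MASTER_OUT" "$NOTLOADED_OUT" || echo "(slave has no zone; check its named.conf)"
```

  Against the real servers you would save the two dig outputs to files and
  call `compare_soa` on them, or call `live_check 10.192.X.1 10.192.Y.1 MYTLD`.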
* Now you are ready to request delegation:

  Go to https://rzm.dnssek.org/

  Login using the MYTLD/Password you used at the beginning of the exercise.

  Click the "Proceed" button.

  Under "Edit Name Server Details":

  Enter your Name Server, e.g., ns1.nic.MYTLD and the corresponding IP
  address for it, e.g., 10.192.X.1

  Then click "Update".

  The RZM program will then execute a few "dig" commands just as you did to
  figure out what the name servers and IP addresses are for MYTLD.

  If you see an "eye", this means that RZM was able to see what some of
  your name servers were by doing its own "digs" and is showing them here
  for your approval. You should see an entry with an "eye" icon indicating
  that your slave server was seen. If the slave entry looks correct, e.g.,
  it is ns1.nic.OTHERTLD AND has an associated IP address, click on the
  "eye" to get a "check" mark.

  Similarly, if you see any check marks next to items that you feel are
  incorrect, click on the check mark until you get an "X" mark.

  Click "Update".

  If all goes well, your entry(s) should show up with a "document" icon
  next to it indicating it checked out and has been inserted into the root
  zone file. In a minute, your zone should be delegated.

  Note: The RZM interface is a rudimentary example of what a typical
  Registry registration system may look like.

* Once you have delegation, try to resolve www.MYTLD:

  - On your own machine

    # dig @10.192.X.1 www.MYTLD

    (where MYTLD is your domain)

  - On someone else's machine - will it work?

    # dig @10.192.0.230 www.MYTLD

    (where MYTLD is your domain)

    This may take a bit longer due to caching of any previous negative
    (NXDOMAIN) results.

* Add a new resource record to your zone file. Remember to update the SOA
  serial number. Then run

  # rndc reload

  Check that your slaves have updated. Try resolving this new name.
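  The last step is where most classroom zones go stale: the record is
  added, the serial is not bumped, and the slaves silently keep the old
  data because a NOTIFY with an unchanged serial is ignored. The script
  below is an added example, not part of the exercise or of BIND: it
  appends a record, bumps the serial in the YYYYMMDDNN form the zone file
  above uses (same day: NN+1; new day: YYYYMMDD00), and runs the check and
  reload only when the BIND tools are present. The zone inside it is a
  constructed copy of the exercise's zone for "EARTH" in group 1 with
  slave "MARS"; admin.example.net is a placeholder contact.

```shell
#!/bin/sh
# Added example (not part of the exercise): append a record to a zone file,
# bump the SOA serial, and reload when the BIND tools are installed.
# The zone file written below is a constructed sample.

# zone_serial FILE: prints the current serial (the number on the "; Serial" line).
zone_serial() {
    awk '/; *Serial/ { print $1; exit }' "$1"
}

# bump_serial FILE YYYYMMDD: same day -> NN+1, new day -> YYYYMMDD00.
# Serials must only ever increase, or slaves ignore the NOTIFY and keep
# serving the old data.
bump_serial() {
    awk -v today="$2" '
        /; *Serial/ && !done {
            old = $1
            if (substr(old, 1, 8) == today) new = sprintf("%d", old + 1)
            else                            new = today "00"
            sub(old, new)
            done = 1
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_record FILE OWNER TYPE RDATA YYYYMMDD: append the record, then bump.
add_record() {
    printf '%-8s IN %-4s %s\n' "$2" "$3" "$4" >> "$1"
    bump_serial "$1" "$5"
}

# reload_zone ZONE FILE: what you run on the real master after editing.
# Only acts when named-checkzone and rndc exist on this host.
reload_zone() {
    if command -v named-checkzone >/dev/null 2>&1 && command -v rndc >/dev/null 2>&1; then
        named-checkzone "$1" "$2" && rndc reload "$1"
    else
        echo "named-checkzone/rndc not installed here; skipping reload of $1"
    fi
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
ZONE="$TMP/EARTH"

# Constructed zone: the exercise's zone for EARTH (group 1), slave MARS.
cat > "$ZONE" <<'EOF'
$TTL 2m
@       IN SOA  ns1.nic.EARTH. admin.example.net. (
                2017050100  ; Serial
                10m         ; Refresh
                5m          ; Retry
                4w          ; Expire
                2m )        ; Negative
        IN NS   ns1.nic.EARTH.
        IN NS   ns1.nic.MARS.
ns1.nic IN A    10.192.1.1
www     IN A    10.192.1.3
EOF

echo "serial before: $(zone_serial "$ZONE")"
add_record "$ZONE" ftp  A 10.192.1.4 20170501   # same day -> 2017050101
add_record "$ZONE" mail A 10.192.1.5 20170502   # next day -> 2017050200
echo "serial after:  $(zone_serial "$ZONE")"
reload_zone EARTH "$ZONE" || echo "(reload failed; read the named-checkzone output)"
```

  On the master you would point ZONE at `/etc/bind/master/MYTLD`, pass
  today's date as `$(date +%Y%m%d)`, and then repeat the SOA check against
  the slave to confirm it picked up the new serial before you try to
  resolve the new name.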