AfNOG 2003 Kampala, Uganda
Track 1 - Scalable Internet Services
Domain Name System - Exercise 4
Setting up an Authoritative-Only Primary/Master Name Server

In the previous exercise we set up a caching-only name server. In this exercise we will set up an authoritative primary/master name server. An authoritative server should not also act as a recursive resolver for the whole Internet: with recursion on, anyone who can reach it can make it look up arbitrary names on their behalf, and the cache that recursion builds is what a cache-poisoning attack targets. So the first step is to turn recursion off.

Placeholders used in this and the next exercise: <domain> is your master/primary zone from the worksheet (or one you have chosen to use), # is your PC number, and ## is the PC number of the person next to you.

1. Edit the /etc/namedb/named.conf file: change the "recursion" directive from yes to no and delete the line that has the "allow-query" directive (an authoritative server must answer anyone who asks about its zones, so the query restriction that was appropriate for a caching-only server is dropped). After your edits the options block should look like this:

   options {
           directory "/etc/namedb";
           recursion no;
   };

2. Restart the name daemon and test whether your server is still resolving recursively:

   # ndc restart
   # dig @81.199.110.# isc.org ns

   Look at the "flags:" line of dig's output: a server that has recursion disabled does not set the "ra" (recursion available) flag and will not go and fetch isc.org's NS records for you.

   Question: Is your named server resolving recursively? _______________
   What could be the reason?
   Answer: ____________________________________________________

3. Change directory to /etc/namedb:

   # cd /etc/namedb

4. Create the primary and secondary zone file directories (m for zones you are master for, s for zones you are slave for):

   # mkdir m
   # mkdir s

5. Create the zone file for your domain <domain>.afnogws.gh:

   # vi m/<domain>.db

   Add the following lines to the <domain>.db file:

   $TTL 1d
   @       IN SOA  pc#.t1.ws.afnog.org. root.<domain>.afnogws.gh. (
                   2003061000      ;serial YYYYMMDDnn
                   6h              ;refresh
                   1h              ;retry
                   2w              ;expire
                   1h              ;nttl
                   )
   @       IN NS   pc#.t1.ws.afnog.org.
           IN A    81.199.110.#
   www     IN A    81.199.110.#

   Note: Replace all instances of <domain> with your master/primary zone from the worksheet (or one that you have selected to use), and # with your PC number. A record with a blank owner name belongs to the same owner as the record above it, so the first A record here is for the zone apex <domain>.afnogws.gh itself.

6. Edit the /etc/namedb/named.conf file and add the following entry at the end of the file:

   zone "<domain>.afnogws.gh" {
           type master;
           file "m/<domain>.db";
   };

   Note: Replace <domain> with your master/primary zone from the worksheet (or one that you have selected to use).

7. Reload the zone files:

   # ndc reload

8. Check that named is still running:

   # ps -aux | grep named

9. Check the version of BIND you are running:

   # /usr/sbin/named -v

10. Test whether your server is able to resolve the domain <domain>.afnogws.gh.
   # dig @127.0.0.1 www.<domain>.afnogws.gh a
   # dig @81.199.110.100 www.<domain>.afnogws.gh a

   Question: Was your server able to resolve your domain in the first command?
   Answer: ______________________________________________________
   Question: Was the 81.199.110.100 server able to resolve your domain in the second command?
   Answer: ______________________________________________________
   Question: Why was the 81.199.110.100 server unable to resolve your domain?
   Answer: ______________________________________________________

Ask a friend to set up a slave/secondary name server for your domain (refer to your worksheet). Remember that in real life you should look for a secondary name server on a different network (see RFC 2182), so that one outage or one attack does not take down every server for your zone. This takes us to the next exercise, where you will be setting up a secondary name server for a friend. ;o)

Fill out the following for the friend who is going to set up a secondary/slave name server for your domain.

AfNOG 2003 Kampala, Uganda
Track 1 - Scalable Internet Services
Domain Name System - Exercise 5
Setting up an Authoritative Slave/Secondary Name Server

In this exercise you will set up secondary name service on your computer for the computer next to you. Please refer to the worksheet given to you. Talk to the person sitting next to you so that they provide secondary name service for your domain, based on the worksheet provided.

Do the following on your own computer. Edit /etc/namedb/m/<domain>.db (the zone file you created in the previous exercise) and add an entry for the secondary name server. The entries will look something like this:

   ; ..................... after your SOA record .....................
           IN NS   pc#.t1.ws.afnog.org.
           IN NS   pc##.t1.ws.afnog.org.
           IN A    81.199.110.#
   ;
   ; Address (A) records go in this section.
   ;
   pc#.t1.ws.afnog.org.    IN A    81.199.110.#
   pc##.t1.ws.afnog.org.   IN A    81.199.110.##

Note that the two pc*.t1.ws.afnog.org names lie outside your zone, so your server will not answer authoritatively for them; the authoritative data for those names lives in the t1.ws.afnog.org zone. They are listed here so that the worksheet is complete.

NOTE: DO NOT FORGET to increase the serial number in the zone file (usually by 1, or to today's date followed by 00 if the date has changed). A slave only transfers the zone when it sees a serial number larger than the one it already holds; if you forget, your friend's server keeps serving the old copy and the two servers silently disagree.
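The zone file from Exercise 4 step 5 and the serial-number rule above are the two places where a typo goes unnoticed until the slave or the hostmaster complains. The following is an added example, not part of the AfNOG material: a small checker for the subset of master-file syntax used in these exercises. It parses the zone, verifies that the SOA serial follows the YYYYMMDDnn convention, that there are at least two NS records at the apex (RFC 2182), and that every name server inside the zone has an A record (glue), and it computes the serial you should write on the next edit. SAMPLE_ZONE is a constructed copy of the exercise's zone file with the placeholders filled in as pc10, pc11 and the zone name "alpha"; those values are assumptions for the example.

```python
"""Sanity-check a BIND zone file and compute its next serial.

Added example for this exercise (not part of the AfNOG material).  SAMPLE_ZONE
is a constructed copy of the exercise's zone file; pc10, pc11 and the zone
name "alpha" are assumed placeholder values.
"""
import datetime
import re
import sys

SAMPLE_ZONE = """\
$TTL 1d
@   IN SOA pc10.t1.ws.afnog.org. root.alpha.afnogws.gh. (
        2003061000 ;serial YYYYMMDDnn
        6h         ;refresh
        1h         ;retry
        2w         ;expire
        1h         ;nttl
        )
    IN NS pc10.t1.ws.afnog.org.
    IN NS pc11.t1.ws.afnog.org.
    IN A  81.199.110.10
www IN A  81.199.110.10
"""

# YYYYMMDDnn with a plausible month and day.
SERIAL_RE = re.compile(r"^\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}$")


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with every owner made absolute.

    Covers the master-file syntax used in the exercise: $TTL, ';' comments,
    '@' for the origin, a blank owner meaning "same owner as the last record",
    optional TTL and class fields, and a parenthesised multi-line SOA.
    """
    origin = origin.rstrip(".").lower() + "."
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                              # parenthesised group complete
            logical.append(" ".join(buf))
            buf = []
    records, last_owner = [], origin
    for line in logical:
        if line.startswith("$"):                    # $TTL etc. carry no record
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if line[0] in " \t" else fields.pop(0).lower()
        if fields and fields[0].isdigit():
            fields.pop(0)                           # explicit TTL, not needed here
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        last_owner = owner
        records.append((owner, rtype, rdata))
    return records


def soa_serial(records, origin):
    """Return the apex SOA serial as a string, or None if there is no SOA."""
    origin = origin.rstrip(".").lower() + "."
    for owner, rtype, rdata in records:
        if owner == origin and rtype == "SOA":
            return rdata[2]     # mname rname serial refresh retry expire minimum
    return None


def next_serial(current, today=None):
    """Serial to write on the next edit under the YYYYMMDDnn convention.

    Same day: increment nn.  A later day: restart at today's date with nn=00.
    A serial already ahead of today's date is just incremented, which keeps
    the one rule the slave cares about: the number must grow.
    """
    today = today or datetime.date.today().strftime("%Y%m%d")
    current = int(current)
    fresh = int(today + "00")
    return fresh if fresh > current else current + 1


def check_zone(text, origin):
    """Return a list of problems; an empty list means the zone is fit to serve."""
    origin = origin.rstrip(".").lower() + "."
    records = parse_zone(text, origin)
    problems = []
    serial = soa_serial(records, origin)
    if serial is None:
        problems.append("no SOA record at the zone apex")
    elif not SERIAL_RE.match(serial):
        problems.append(f"serial {serial} does not follow YYYYMMDDnn")
    ns_names = [r[2][0].lower() for r in records if r[0] == origin and r[1] == "NS"]
    if len(ns_names) < 2:
        problems.append("fewer than two NS records at the apex (RFC 2182 asks for two or more)")
    a_owners = {r[0] for r in records if r[1] == "A"}
    for name in ns_names:
        if name.endswith("." + origin) and name not in a_owners:
            problems.append(f"in-zone name server {name} has no A record (missing glue)")
    return problems


if __name__ == "__main__":
    # Usage: python3 zonecheck.py m/alpha.db alpha.afnogws.gh
    path, origin = sys.argv[1], sys.argv[2]
    with open(path) as f:
        text = f.read()
    for problem in check_zone(text, origin):
        print("PROBLEM:", problem)
    serial = soa_serial(parse_zone(text, origin), origin)
    if serial:
        print(f"current serial {serial}, next serial {next_serial(serial)}")
```

Run it against m/<domain>.db before every "ndc reload"; the glue check is the one that matters most once you add an NS record that lies inside your own zone, because named will load the zone without it and only resolvers trying to reach that name server will notice.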
Do the following on your computer for your friend, and your friend should be doing the same for you.

1. Edit the /etc/namedb/named.conf file and add the following entry:

   zone "<domain>.afnogws.gh" {
           type slave;
           file "s/<domain>.db";
           masters { 81.199.110.##; };
   };

   Replace <domain> with the domain name of your friend (refer to the worksheet), and ## in the IP address with the PC number of the computer next to you, so that the masters statement holds the address of your friend's primary server. In this workshop the master hands out a copy of the zone to anyone who asks for a transfer; on a real server add an allow-transfer option to the master zone listing only the addresses of your slaves, so that outsiders cannot pull a complete copy of your zone.

2. Reload the zone files:

   # ndc reload

3. Check the log file /var/log/messages to ensure that your named server started without any errors.

4. Check whether the <domain>.db file exists in the /etc/namedb/s directory. If it does, the secondary server has transferred the zone from the primary name server; this file is created by the named daemon, not by you.

   # ls -al /etc/namedb/s

5. If it does not exist you will have to debug the problem. Your main debugging tool here is the log file /var/log/messages; the usual causes are a typo in the zone name or the master's address in named.conf, or a zone file on the master that named refused to load.

6. Once you have the <domain>.db file in the /etc/namedb/s directory, test whether your server is resolving the domain:

   # dig @127.0.0.1 <domain>.afnogws.gh ns

   where <domain> is the domain for which you are running secondary name service.

7. Test whether the secondary your friend set up for you works:

   # dig @81.199.110.## <domain>.afnogws.gh ns +norec

   The +norec flag asks the server for what it holds itself rather than what it could look up for you; the "flags:" line of the answer should contain "aa", meaning the answer is authoritative.

NOTE: You have just successfully set up a secondary name server for your friend. Ensure that the secondary name server for your own domain is also working. If you test it and it is working, Congratulations!!! You are now ready to go to the hostmaster for delegation of your domain.

8. Please fill in the domain name request form below and submit it to the hostmaster.

9. Once you get acknowledgement from the hostmaster about the delegation of your domain name, test it using dig:

   # dig @81.199.110.100 <domain>.afnogws.gh ns +norec

   Check that the name servers in the answer section are the same as those you submitted to the hostmaster.

10.
Follow the delegation chain from the root downwards, with recursion off at each hop, and check that the data is consistent among all the name servers, starting with:

   # dig @a.root-servers.net <domain>.afnogws.gh ns +norec

   Each answer's authority section names the servers for the next hop; query one of them with the same command and repeat until you reach your own servers.

YOU KNOW THE REST OF THE STORY...............

HOSTMASTER CHECKS BEFORE DELEGATING A ZONE

* Are there two (2) or more name servers for the domain?
* Are all name servers reachable?
* Does the name match the IP address?
* Do all name servers give authoritative answers for SOA and NS queries? And are the results identical?
* Do the NS records in the zone match the requested delegation?
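The hostmaster checks above are exactly what "dig ... +norec" against each server tells you, but reading five transcripts by eye is error-prone. The following is an added example, not part of the AfNOG material: it runs the checks for two or more name servers, the same way the hostmaster would, and reports what would block delegation. The check_delegation() function asks each server for the zone's SOA and NS with recursion off, confirms the answers carry the "aa" flag, compares the SOA serials and NS sets across servers, and compares the NS set with the requested delegation. The "does the name match the IP address" check is left out. Parsing works on dig's text output, so the function can be exercised offline against the constructed transcripts below (GOOD, STALE and CACHED are made up for the example; the addresses 81.199.110.10 and 81.199.110.11, the zone name "alpha" and the serial values are assumptions); run_dig() shells out to the real dig for live use.

```python
"""Pre-delegation checks over a set of name servers, driven by dig output.

Added example (not part of the AfNOG material).  The transcripts at the bottom
are constructed, not captured; addresses, zone name and serials are assumed.
"""
import re
import subprocess
import sys


def run_dig(server, name, rtype):
    """Ask one server directly with recursion off and return dig's text output."""
    cmd = ["dig", "@" + server, name, rtype, "+norec", "+time=3", "+tries=1"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def parse_dig(output):
    """Return (authoritative?, status, [(owner, type, rdata_fields)]) from dig text."""
    status_m = re.search(r"status: (\w+)", output)
    flags_m = re.search(r";; flags: ([^;]*);", output)
    status = status_m.group(1) if status_m else "NOANSWER"   # no header: no reply
    aa = bool(flags_m) and "aa" in flags_m.group(1).split()
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False                       # blank line ends the section
        elif in_answer:
            owner, _ttl, _cls, rtype, *rdata = line.split()
            answers.append((owner.lower(), rtype.upper(), rdata))
    return aa, status, answers


def check_delegation(zone, servers, requested_ns, fetch=run_dig):
    """Run the hostmaster checks; an empty list means the zone is fit to delegate."""
    zone = zone.rstrip(".").lower() + "."
    requested = frozenset(n.rstrip(".").lower() + "." for n in requested_ns)
    problems, serials, ns_sets = [], {}, {}
    if len(servers) < 2:
        problems.append("fewer than two name servers listed")
    for server in servers:
        aa, status, rrs = parse_dig(fetch(server, zone, "SOA"))
        soa = [r for r in rrs if r[0] == zone and r[1] == "SOA"]
        if status != "NOERROR" or not soa:
            problems.append(f"{server}: no SOA for {zone} (status {status}): "
                            "unreachable or zone not configured")
            continue
        if not aa:
            problems.append(f"{server}: SOA answer is not authoritative (no aa flag)")
        serials[server] = soa[0][2][2]              # mname rname serial ...
        aa, status, rrs = parse_dig(fetch(server, zone, "NS"))
        if not aa:
            problems.append(f"{server}: NS answer is not authoritative (no aa flag)")
        ns_sets[server] = frozenset(r[2][0].lower() for r in rrs
                                    if r[0] == zone and r[1] == "NS")
    if len(set(serials.values())) > 1:
        problems.append("SOA serials differ: "
                        + ", ".join(f"{s}={v}" for s, v in serials.items()))
    if len(set(ns_sets.values())) > 1:
        problems.append("NS sets differ between servers")
    for server, nsset in ns_sets.items():
        if nsset != requested:
            problems.append(f"{server}: NS set {sorted(nsset)} does not match "
                            f"requested delegation {sorted(requested)}")
    return problems


# ---- constructed transcripts for offline use (not captured traffic) ----
ZONE = "alpha.afnogws.gh."
SERVERS = ["81.199.110.10", "81.199.110.11"]
REQUESTED = ["pc10.t1.ws.afnog.org", "pc11.t1.ws.afnog.org"]
NS_LINES = [f"{ZONE}\t86400\tIN\tNS\tpc10.t1.ws.afnog.org.",
            f"{ZONE}\t86400\tIN\tNS\tpc11.t1.ws.afnog.org."]


def soa_line(serial):
    return (f"{ZONE}\t86400\tIN\tSOA\tpc10.t1.ws.afnog.org. root.{ZONE} "
            f"{serial} 21600 3600 1209600 3600")


def dig_transcript(flags, answer_lines):
    """Build text in the shape dig prints, with the given flags and answers."""
    return (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: {len(answer_lines)}, "
            "AUTHORITY: 0, ADDITIONAL: 0\n\n;; ANSWER SECTION:\n"
            + "\n".join(answer_lines) + "\n\n;; Query time: 1 msec\n")


GOOD = {(SERVERS[0], "SOA"): dig_transcript("qr aa", [soa_line(2003061001)]),
        (SERVERS[0], "NS"): dig_transcript("qr aa", NS_LINES),
        (SERVERS[1], "SOA"): dig_transcript("qr aa", [soa_line(2003061001)]),
        (SERVERS[1], "NS"): dig_transcript("qr aa", NS_LINES)}
STALE = dict(GOOD)          # slave never transferred the latest edit
STALE[(SERVERS[1], "SOA")] = dig_transcript("qr aa", [soa_line(2003061000)])
CACHED = dict(GOOD)         # a recursive server answering from its cache: no aa
CACHED[(SERVERS[1], "NS")] = dig_transcript("qr rd ra", NS_LINES)


def fetch_from(transcripts):
    """Return a fetch() that answers from constructed transcripts instead of dig."""
    return lambda server, name, rtype: transcripts[(server, rtype)]


if __name__ == "__main__":
    # Usage: python3 delegcheck.py alpha.afnogws.gh 81.199.110.10 81.199.110.11 -- pc10.t1.ws.afnog.org pc11.t1.ws.afnog.org
    args = sys.argv[1:]
    split = args.index("--")
    for problem in check_delegation(args[0], args[1:split], args[split + 1:]) or ["OK"]:
        print(problem)
```

The STALE transcript is the case the serial-number warning in Exercise 5 is about: both servers answer authoritatively and agree on the NS set, yet the slave still holds the old serial, so a resolver hitting it sees data the master no longer serves. The CACHED transcript is what you get when one of the listed addresses is a recursive resolver rather than an authoritative server; it returns the right records without the "aa" flag, and a hostmaster will not delegate to it.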