Downloading and installing BIND
- Why is it wise to use a signature to check your download?
To ensure the integrity of the file and to make sure that it is the correct file I am downloading.
- Download the BIND 9.7.1-P2 tarball and check its validity using one of the signatures.
The public key of ISC, found on the page https://www.isc.org/files/pgpkey2009.txt:
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (NetBSD)

mQENBEoTO74BCAC7o5DwA+rKMksrNojiHniDJNk7z5OS9bsv/isVqQ2DgFlj9E0R
q4UC+AdZDlYM7sDjWicJXBhChAv13DcLi5Bt0hxaNZhJMucgQiiFbaJwJI02GrRN
u/sZAyFOFwWbarDG86Xa4AkwwXi9PFDXf8IIsaSNkQsZhwEMd1KQoImA07rFnx3X
osE/QgD9CHm1+pyFTV+PbfuMigEBrVW7CrxKgOcC1ofrxnUKCenMd1O1o08NkXc/
EOOpoDfSIWXb+NqRoC5JbMee3yvriYALvSc5IQE8T0KWHtD5BCiPJ1hSlDWGDy7j
G3px5/G5jaU1rO+DG6zRzH8OcPJn0O/5MBb3ABEBAAG0SkludGVybmV0IFN5c3Rl
bXMgQ29uc29ydGl1bSwgSW5jLiAoU2lnbmluZyBrZXksIDIwMDkpIDxwZ3BrZXky
MDA5QGlzYy5vcmc+iQE3BBMBAgAhBQJKEzu+AhsDBQkFo5qABgsJCAcKAgQVCggC
Ah4BAheAAAoJENgRtT8Le64ApVMH/3z5Dc2Z4JN9Zdu4QpJfyQ82iim2bXiwU9oG
bEoTx4IYIISX+h8AIILnE5tItd7RFRnuuscb2wTmjCnAlWGchRxRArsAF2dXFM7h
ou25dNRpk48LPOfplVy9DpDv4ztqXfgKzF/PaEuebhlueLjYdmBRx/eqXjiYkalv
pez2INi2+eaiQO/Jdb6G4za++AIMAi7ohv7R+WxHlQKthOTnZiNwmUft20jIHL5T
q0c4/sjHJKL7GvVaSKoUorOMmfyk1rIY6+VuzSbSenQ1H01TMrH8e0Kr/lJ7grED
5NfPJPO0pTPMzun9lnQKOErdgJleSpoWMbiLGAfJoBsohk47+3uJARwEEAECAAYF
AkoTPSkACgkQsnDngS3G/4L4PQf/Y1dyIXUp5DTklIaNfuumae69/FnL9l/yM59z
Zl38Ni9OBJuEYxEaJWwccV1lnH71SgyfKx/iYbGOXDycKu1cTlc+/ucTQ1Qy2RWD
UFkff4yXo90tTItJx1AOiTPyMb6JVBdHn4laIgwtaR/Vwz78OsKyo0Fh1+ew6gmb
U/rDLznbn2LCd4hCWeB+VDz9+yAkm+C63b7QveCBmQlcqvw6V8Lc/8xyIARX9Iwj
xP5pyNhn+S9A6wGmwd5ZJAk4B1z+S1pZkTgZIvuA9V9bNO4ZDl7vOfS5im27GeAq
beo1DH+7VP+HGumnYFAvccNS3MldRBnYk3K8jxribj6SLeTpRokBHAQQAQIABgUC
ShNA2gAKCRAjNBJOG8kebA8ECACEH8E0ydSy1Q90Ab5y6AI0xor/d1glueJgexSg
9I83Sj/YcBnuyGvR21MyYfnWY1+fi1khXj7gBzm0vfia8lzIsA9bSAD02WMGTo+7
F4tp47SMV6TZ0gFrAVB9xySLjSj4ZHwQN7cejiMcArPPzVrhscWlywVmNeEcY1XZ
CG27USAShTyeC/8pRQHUeYGlRv0Rg3BgEXsG1kQwuNM98p/24irT+C2w3Xx672uk
iQ2AQ2gC7ARJUsoHAGz25iaagyEG2qCMomkJdYCtT/rr8RjivBEB3BcRnQidTsmk
xnVRyqTBrAad+csTZCDLawvwISpE5lI7kE0dSV4H/uidJQ/eiEYEEBECAAYFAkoT
bzIACgkQ9JTZv8+YkPg1RACgoSf6ttCGUqIi+hj9ZEvPSedSD50AniUOZQifu5yd
ZVNUQw4UXz/onobZiEYEEBECAAYFAkoVx64ACgkQcXeLeWu2vmp5RgCglJ/MD0cs
BmtLpNWX4vgzZQI2ciYAnAyvGmaelAtKkH7IGDxJ6YesmlwxiEYEEBEIAAYFAkoT
dFcACgkQ00k+8NKXq46stwCeJhKJB8b8IZd2npbhl06/iyLx5YQAoJvlhoPyOWwg
q/P38StdJe0mhsJOuQENBEoTPIgBCAC8YNPUyYJA5dJt4Cx/rX0iBmW1lszq3Wnj
rcHYsAl7YElncF/SoeriEnQXiesHHA9QErP2kE6SHp/eR2R5Kkus/25NhN0vD8KB
Wyqes4RCEOluRnQpAga8QMmbmhp5jPqzAqIJzNWFwDPI/vk99BSAIJjlJaXyxvbh
l7rm5qeLD2/5XxU5FWjtUaIRejKv5lEQ+gFvuNvyKc8iYvoztkfx4EGnuFESxV9V
hyfjoF94sB2UOUtwtVTLu43Fd3iau9xB3/TBqBzUsA46z+0GzJo5lapUBQLopzEz
n01gFfmh2Fo2TNhURgOIBCw36TDQuJjTVA8TqseL+HW2T+zAFSm5ABEBAAGJASUE
GAECAA8FAkoTPIgCGwwFCQWjmoAACgkQ2BG1Pwt7rgDwBAf/RuFdGM9ozg0R/4ZT
/ZaQbELC1/ame5nOwdoVZqbuMNO70sIMjB0kI/S4W/Sc/8eF791Qa/n+gxqNSQ9A
JBg2I4BgSgjr3LhuzWLJlqKzK6e88eMHCFyvePjXBV9AbRqcOxaMJIzwbQ7ph/ev
IVxBWhHiSOnI05ZFLFnt4GAszmTbwJK9IX5anElB2C03THuqzh2Z4ZfKplmJFf+1
LDLjBwUoq8OnUCbgvtmqgBp+W+zxTp5O3J7GAuU3DcXCyEe5Xws2R97/fZZuudI/
aB3ijf+sJYUukaX/VDs9PitdiGmAqoW9E26V7rvtXcpWoIkuvlkXHqoovn8n9mGx
9S826w==
=5dkC
-----END PGP PUBLIC KEY BLOCK-----
```
I imported it into my keyring with the following gpg command:
```
vic@rome:~$ gpg --import publickeyisc
gpg: /home/vic/.gnupg/trustdb.gpg: trustdb created
gpg: key 0B7BAE00: public key "Internet Systems Consortium, Inc. (Signing key, 2009) <pgpkey2009@isc.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
```
I found the signature of the file:
```
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iQEVAwUATIg8KdgRtT8Le64AAQpjcwf/bF1hB8Fu5ZNgkvfUdBcUB9AQv6bNsSSw
iMUKBe3CaKZDFNkatxXWF3ssSeklQZIc1i9OWlo2WXMsRM+RYxfTXC7opj3Ng+3E
mG0XQ95RjlJcrIOnO83h8udo8YnAC+Bi8n/CljTTNhV5NvWyN0t6zf/dxiMj6jfO
s20AS4EyPZsMhPjqIycIaOHlXyUW7dAx9PDQEVeDnJE/QbOnGPHWm4Fp2Wr+QsVo
uqWLSQER84OIalxirewAwKh8k8yheT033/2WrXya/lPiLWM76rI71s2EACZSwgfO
5Cyyxew7/KM+/XVSv+SMwH2QElJSECwwDdtyI4O42UI0Dcx5/mVw5A==
=B/PS
-----END PGP SIGNATURE-----
```
Then I verified it with the following gpg command:
```
vic@rome:~$ gpg --verify key.sig bind-9.7.2.tar.gz
gpg: Signature made Thu 09 Sep 2010 03:45:13 AM CEST using RSA key ID 0B7BAE00
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2009) <pgpkey2009@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FA76 7A86 A371 E359 22F6 A5C8 D811 B53F 0B7B AE00
```
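As an added example (not part of the original report), here is a small POSIX shell script that wraps the import-and-verify steps above and pins the signer's fingerprint. The "WARNING: This key is not certified" line is the important one: "Good signature" only proves the tarball matches *some* key on the keyring, and a key carrying the ISC name can be uploaded by anyone, so the script reads the fingerprint gpg reports via its `--status-fd` output and compares it with the fingerprint printed in the verify output above. The signature and tarball file names are passed as arguments; everything else is assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original report): verify a detached PGP
# signature and additionally pin the signer's fingerprint, so that a
# "Good signature" from an unknown key is not silently accepted.
# The fingerprint below is the one gpg printed in the report's verify output.
ISC_2009_FINGERPRINT="FA76 7A86 A371 E359 22F6 A5C8 D811 B53F 0B7B AE00"

# normalize_fpr: drop spaces/newlines and upper-case, so the human-readable
# "FA76 7A86 ..." form and gpg's compact "FA767A86..." form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# fingerprint_matches EXPECTED ACTUAL -> exit 0 if equal after normalization
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# signer_fingerprint SIGFILE FILE
# Runs gpg in machine-readable mode and prints the fingerprint of the key
# that produced a VALIDSIG status line; prints nothing if verification failed.
signer_fingerprint() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# verify_pinned SIGFILE FILE EXPECTED_FPR
# 0 = valid signature by the pinned key, 1 = signature invalid/missing key,
# 2 = valid signature but from a different key (treat as a download failure).
verify_pinned() {
    actual="$(signer_fingerprint "$1" "$2")"
    if [ -z "$actual" ]; then
        echo "BAD: signature on $2 did not verify" >&2
        return 1
    fi
    if fingerprint_matches "$3" "$actual"; then
        echo "OK: $2 signed by $actual"
        return 0
    fi
    echo "BAD: $2 signed by $actual, expected $(normalize_fpr "$3")" >&2
    return 2
}

# Usage: ./verify-bind.sh key.sig bind-9.7.2.tar.gz
if [ "$#" -eq 2 ]; then
    verify_pinned "$1" "$2" "$ISC_2009_FINGERPRINT"
fi
```

The pinned fingerprint still has to come from somewhere you trust more than the download site itself (the ISC key page over HTTPS, a previous verified release, or a colleague's keyring); the script only turns "I looked at the fingerprint once" into a check that runs every time.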
- Which signature is the best one to use? Why?
I chose SHA512. It is the strongest among all of the available ones.
- Compile and then install BIND in the directory /usr/local/. Make sure BIND will look for its configuration files in /etc/ and have BIND write its state information such as the named.pid file in /var/run. You can find more information in the README file.
The first run of ./configure did not work, as no C compiler was installed, so: apt-get install gcc
That solved the problem. It configured, but still with an error: it cannot find openssl in any folder.
OK, apt-get install openssl, still an error. Googled a bit and found out that we need the dev kit of SSL: apt-get install libssl-dev. This works!
```
./configure --prefix="/usr/local/" --sysconfdir="/etc/" --localstatedir="/var/"
make
make install
```
- Why are "caching only" nameservers still useful?
- They do not participate in zone transfer, and therefore there is no zone transfer traffic
- They can be placed on the far side of a slow WAN link and provide host name resolution for remote offices that do not require a high level of host name resolution support
- They can be implemented to provide secure host name resolution when configured as Forwarders
- Best of all, they are easy, well, easier to set up.
- Create a simple configuration file for a "caching only" nameserver.
/etc/named.conf:
```
options {
    directory "/etc/named";    // Working directory
    forwarders { 145.100.96.11; 145.100.96.22; };
};

// caching only DNS server
zone "." {
    type hint;
    file "named.cache";
};

// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
    notify no;
};
```
As instructed in the assignment I downloaded named.root (the root hint file) from ftp://ftp.rs.internic.net/domain and put it in /etc/named/ under the name "named.cache".
- Why does the program only return a result value?
It is easier for the administrator to automate the workflow. He can assign a different action to each corresponding value.
```
if named-checkconf; then echo t; else echo f; fi
t
```
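Putting the caching-only configuration above and the exit-status idea together, here is an added example (not from the original report) that writes a caching-only named.conf and then branches on what named-checkconf returns. The configuration differs from the report's in one security-relevant way: it adds an `allow-query`/`allow-recursion` ACL, because a caching resolver that answers recursive queries from anyone is an open resolver that can be abused for amplification. The forwarders are the ones from the report; the ACL networks, output path and `version` string are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the original report): write a caching-only
# named.conf that also restricts who may use the resolver, then validate it
# with named-checkconf and branch on its exit status, as the report's
# one-liner does. Paths and ACL values are assumptions for the example.

# write_caching_conf OUTFILE NETWORK...
# Writes a caching-only configuration. Unlike the bare report version, it
# limits recursion to the listed networks so the box is not an open resolver.
write_caching_conf() {
    out="$1"; shift
    trusted=""
    for net in "$@"; do trusted="$trusted $net;"; done
    cat > "$out" <<EOF
acl "trusted" {$trusted };

options {
    directory "/etc/named";          // working directory
    forwarders { 145.100.96.11; 145.100.96.22; };
    recursion yes;
    allow-query { "trusted"; };      // answer only our own clients
    allow-recursion { "trusted"; };  // never recurse for strangers
    version "not disclosed";         // hide the banner from version.bind probes
};

zone "." {
    type hint;
    file "named.cache";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
    notify no;
};
EOF
}

# check_config FILE
# Exit status: 0 = syntax OK, 1 = named-checkconf rejected it,
# 3 = named-checkconf is not installed on this host.
check_config() {
    command -v named-checkconf >/dev/null 2>&1 || return 3
    named-checkconf "$1" >/dev/null 2>&1
}

# Example run: write the file to a scratch location, then act on the result
# value only, never on parsed output text.
conf="${TMPDIR:-/tmp}/named.conf.example"
write_caching_conf "$conf" 127.0.0.1 145.100.104.0/24
rc=0
check_config "$conf" || rc=$?
case "$rc" in
    0) echo "config OK, safe to reload" ;;
    3) echo "named-checkconf not found, skipping syntax check" ;;
    *) echo "config rejected (exit $rc), NOT reloading" >&2 ;;
esac
```

In a deployment script the `0` branch is where `rndc reload` belongs, so that a typo in named.conf never takes the running server down.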
- Configure named to write debug information to a log file.
Redirection of the log output is done through the logging section. I added the following lines to named.conf:
```
logging {
    channel update_debug {
        file "/usr/local/log/named_update.log";
        severity debug 5;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel security_info {
        file "/usr/local/log/security_info.log";
        severity notice;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel info {
        file "/usr/local/log/named_info.log";
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category update { update_debug; };
    category security { security_info; };
    category queries { info; };
};
```
- Configure named to be able to use rndc
In order to be able to use rndc we have to create a key first. But rndc-confgen did not work on my machine. Googled again a bit on the internet and found one post saying that certain versions of BIND might have a problem with the tool. Instead I had to add a random file to the command, so:
```
rndc-confgen -r /dev/urandom -a
```
This did help. The rndc.key is generated in /etc.
It looks like:
```
key "key" {
    algorithm hmac-md5;
    secret "PeVIja4CdJBu40tdcULVxg==";
};
```
I added the following lines to rndc.conf:
```
options {
    default-server localhost;
    default-key "key";
    default-port 953;
};
include "/etc/rndc.key";
```
And the following lines to named.conf:
```
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "key"; };
};
```
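Because the three fragments above have to agree on the key name and secret, here is an added example (not from the original report, and not rndc-confgen's own code) that generates them together from /dev/urandom, which is the same entropy source the report fell back to. It differs from the report's key in two deliberate ways: it uses hmac-sha256 rather than hmac-md5 (that the installed BIND accepts hmac-sha256 for rndc is an assumption of this example), and it writes rndc.key with mode 0600, since anyone who can read that file can stop or reconfigure the server over the control channel. The output directory and key name are parameters.

```shell
#!/bin/sh
# Added example (not from the original report): generate an rndc key and the
# three matching configuration fragments (rndc.key, rndc.conf and the controls
# stanza for named.conf) without rndc-confgen. Uses hmac-sha256 instead of the
# report's hmac-md5; that the installed BIND accepts hmac-sha256 for rndc is an
# assumption of this example. Output paths and the key name are parameters.

# gen_secret: 32 random bytes, base64-encoded, the form named expects.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_rndc_key FILE KEYNAME SECRET  -- shared by named and rndc.
# The subshell keeps the restrictive umask local to this one file.
write_rndc_key() {
    ( umask 077
      cat > "$1" <<EOF
key "$2" {
    algorithm hmac-sha256;
    secret "$3";
};
EOF
    )
}

# write_rndc_conf FILE KEYNAME KEYFILE -- client side
write_rndc_conf() {
    cat > "$1" <<EOF
options {
    default-server 127.0.0.1;
    default-key "$2";
    default-port 953;
};
include "$3";
EOF
}

# controls_stanza KEYNAME KEYFILE -- server side, to be included in named.conf.
# Binds the control channel to loopback only, like the report's configuration.
controls_stanza() {
    cat <<EOF
include "$2";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$1"; };
};
EOF
}

# Example run against a scratch directory (a real deployment would use /etc).
dir="${TMPDIR:-/tmp}/rndc-example.$$"
mkdir -p "$dir"
secret="$(gen_secret)"
write_rndc_key  "$dir/rndc.key"  "rndc-key" "$secret"
write_rndc_conf "$dir/rndc.conf" "rndc-key" "$dir/rndc.key"
controls_stanza "rndc-key" "$dir/rndc.key" > "$dir/named.conf.controls"
ls -l "$dir"
```

After copying the files into place, `rndc status` is the quickest check that named, rndc and the key file all agree.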
- What other commands/functions does rndc provide?
```
root@rome:/etc# rndc
Usage: rndc [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-V] command

command is one of the following:

  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  notify zone [class [view]]
                Resend NOTIFY messages for the zone.
  reconfig      Reload configuration file and new zones only.
  sign zone [class [view]]
                Update zone keys, and sign as needed.
  stats         Write server statistics to the statistics file.
  querylog      Toggle query logging.
  dumpdb [-all|-cache|-zones] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  secroots [view ...]
                Write security roots to the secroots file.
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting
                process id.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  notrace       Set debugging level to 0.
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  status        Display status of the server.
  recursing     Dump the queries that are currently recursing (named.recursing)
  validation newstate [view]
                Enable / disable DNSSEC validation.
  *restart      Restart the server.
  addzone ["file"] zone [class [view]] { zone-options }
                Add zone to given view. Requires new-zone-file option.
  delzone ["file"] zone [class [view]]
                Removes zone from given view. Requires new-zone-file option.

* == not yet implemented
Version: 9.7.2
```
- To use your own name server you will need to adapt resolv.conf.
- What do you need to put in resolv.conf to use your own name server?
I added the following line to resolv.conf:
```
nameserver localhost
```
The dhcpclient will always request the information from the DHCP server, so resolv.conf will always be rewritten. I had to change /etc/dhcp3/dhcpclient.conf and just un-comment the following line:
```
prepend domain-name-servers 127.0.0.1;
```
- Now use the tools and scripts provided with your BIND distribution to test your nameserver.
```
nslookup - rome.studlab.os3.nl
Default Server:  rome.studlab.os3.nl
Address:  145.100.104.58

> google.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Non-authoritative answer:
Name:    google.nl
Addresses:  74.125.79.99
            74.125.79.104
            74.125.79.147
>
```
Delegation
I got the subdomain rome.practicum.os3.nl. I first added a zone to my BIND config file:
```
nano /etc/named.conf
```
```
// my zone
zone "rome.practicum.os3.nl" {
    type master;
    notify no;
    file "rome.practicum.os3.nl.db";
};
```
BIND will load the zone file named rome.practicum.os3.nl.db from the working directory.
Then I have to create the file and add the content:
```
touch rome.practicum.os3.nl
```
```
;
; Zone file for rome.practicum.os3.nl
;
; The full zone file
;
$TTL 1h
@       IN      SOA     rome.practicum.os3.nl. hostmaster.rome.practicum.os3.nl. (
                        199802151       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                NS      rome.studlab.os3.nl.            ; Inet Address of name server
                MX      10 rome.studlab.os3.nl.         ; Primary Mail Exchanger
                MX      20 mail.rome.studlab.os3.nl.    ; Secondary Mail Exchanger
;
webservice      A       145.100.104.58
                TXT     "permernent address of the web service"
ns              A       145.100.104.58
                TXT     "name server"
mail            A       145.100.104.58
                TXT     "mail server"
idea            A       145.100.104.58
                TXT     "creative address"
www             CNAME   webservice
wwww            CNAME   webservice
```
It works!!!
```
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\vic>nslookup - rome.studlab.os3.nl
Default Server:  rome.studlab.os3.nl
Address:  145.100.104.58

> google.com
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.79.99
            74.125.79.104
            74.125.79.147

> rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    rome.practicum.os3.nl

> exit

C:\Users\vic>nslookup - rome.studlab.os3.nl
Default Server:  rome.studlab.os3.nl
Address:  145.100.104.58

> rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    rome.practicum.os3.nl

> www.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    webservice.rome.practicum.os3.nl
Address:  145.100.104.58
Aliases:  www.rome.practicum.os3.nl

> mail.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    mail.rome.practicum.os3.nl
Address:  145.100.104.58

> ns.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    ns.rome.practicum.os3.nl
Address:  145.100.104.58

> idea.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    idea.rome.practicum.os3.nl
Address:  145.100.104.58

> wwww.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    webservice.rome.practicum.os3.nl
Address:  145.100.104.58
Aliases:  wwww.rome.practicum.os3.nl

>
```
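The zone file above carries the usual template comment "serial, todays date + todays serial", but the serial itself was left at the template value, and secondaries only pick up changes when the serial increases. As an added example (not from the original report), here is a shell script that bumps the SOA serial in the YYYYMMDDnn form the comment describes and then runs named-checkzone before the zone is reloaded, so that a broken edit is caught by the checker rather than by the running server. The zone origin and record layout are taken from the report; the sample zone the script writes is constructed for the example, and the in-place edit assumes GNU `sed -i`.

```shell
#!/bin/sh
# Added example (not from the original report): maintain the SOA serial of a
# zone file in the YYYYMMDDnn form the report's "todays date + todays serial"
# comment describes, then validate the file with named-checkzone before
# reloading. The origin is the one from the report; the sample zone written
# below is constructed for the example. Assumes GNU sed for "sed -i".

# next_serial CURRENT [TODAY]
# If CURRENT already starts with today's date, increment it; otherwise start
# a fresh day at <today>01. TODAY defaults to the real date (YYYYMMDD).
next_serial() {
    today="${2:-$(date +%Y%m%d)}"
    case "$1" in
        "$today"[0-9][0-9]) echo $(( $1 + 1 )) ;;
        *)                  echo "${today}01" ;;
    esac
}

# bump_zone_serial FILE [TODAY]
# Rewrites the number on the "; serial" line in place and prints the new serial.
bump_zone_serial() {
    cur="$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$1" | head -n 1)"
    [ -n "$cur" ] || { echo "no serial line found in $1" >&2; return 1; }
    new="$(next_serial "$cur" "$2")"
    sed -i "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$1"
    echo "$new"
}

# check_zone ORIGIN FILE: 0 = loads cleanly, 1 = rejected, 3 = checker missing
check_zone() {
    command -v named-checkzone >/dev/null 2>&1 || return 3
    named-checkzone "$1" "$2" >/dev/null 2>&1
}

# Constructed sample zone with the same layout as the report's file.
zonefile="${TMPDIR:-/tmp}/rome.practicum.os3.nl.db.example"
cat > "$zonefile" <<'EOF'
$TTL 1h
@   IN  SOA rome.practicum.os3.nl. hostmaster.rome.practicum.os3.nl. (
        199802151   ; serial, todays date + todays serial #
        8H          ; refresh
        2H          ; retry
        4W          ; expire
        1D )        ; minimum
    NS  rome.studlab.os3.nl.
ns  A   145.100.104.58
www CNAME webservice
webservice A 145.100.104.58
EOF

echo "new serial: $(bump_zone_serial "$zonefile")"
rc=0; check_zone rome.practicum.os3.nl "$zonefile" || rc=$?
case "$rc" in
    0) echo "zone OK, safe to: rndc reload rome.practicum.os3.nl" ;;
    3) echo "named-checkzone not installed, skipping check" ;;
    *) echo "zone rejected, not reloading" >&2 ;;
esac
```

The two-digit suffix allows 99 edits per day; if a zone changes more often than that, the serial is better treated as a plain counter, since the date form is only a convention and BIND compares serials numerically.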
- If Niels had not yet implemented the delegation, what information would you need to give him so that he can implement it?
- Give him my IP address and the FQDN of my DNS server. He can delegate to my server and use my IP address to create an A record as glue record.
- Only my IP address. He can still delegate to my server, but he has to create a glue record using a non-existent FQDN, create an A record for that name and point it to my IP address. (I think he chose this one.)
- Describe the official delegation process for a domain in the Netherlands (requesting / assignment / denial / testing / etcetera). What organisations are involved (other than you and your registrar)?
Anyone may register a .nl domain name with SIDN. The procedure is described below.
- Choose a domain name
  - A properly chosen domain name should comply with the standard.
- Choose a registrar
  - As an individual, you do not/cannot register your domain yourself. For that you need a registrar, and the following steps are mostly carried out by the registrar on your behalf. As a user, you have to sign a contract with the registrar first.
- Close a (registration) contract
  - Of course, you have to agree with the Terms and Conditions and sign whatever paper you see.
- Provide your contact details
  - Your contact info will be visible in the whois later.
- Registrar submits application
  - Let's hope it will be approved. SIDN can reject an application or revoke a registration based on previous records.
- Application is processed by SIDN
- Information recorded in SIDN's database / Whois
Now the domain should be fully registered and assigned to you. However, if you fail to fulfil the requirements, such as providing up-to-date contact information, or misuse the domain, SIDN can revoke the assignment, and it can also affect later domain applications from you.
- What important requisite is not yet met for your sub-domain?
- It is not registered with SIDN
- It is not listed in the whois database
- Hence, no contact or technical support information is available
However, I wonder whether SIDN would do such an assignment for my sub-domain at all, as they have already delegated it to os3.nl. If they did, it would be a kind of double registration.