downloading and installing BIND

• Why is it wise to use a signature to check your download?

To ensure the integrity of the file and ensures that it is the correct file I am downloading.

• Download the BIND 9.7.1-P2 tarball and check its validity using one of the signatures.

public key of isc found on page https://www.isc.org/files/pgpkey2009.txt

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (NetBSD)

mQENBEoTO74BCAC7o5DwA+rKMksrNojiHniDJNk7z5OS9bsv/isVqQ2DgFlj9E0R
q4UC+AdZDlYM7sDjWicJXBhChAv13DcLi5Bt0hxaNZhJMucgQiiFbaJwJI02GrRN
u/sZAyFOFwWbarDG86Xa4AkwwXi9PFDXf8IIsaSNkQsZhwEMd1KQoImA07rFnx3X
osE/QgD9CHm1+pyFTV+PbfuMigEBrVW7CrxKgOcC1ofrxnUKCenMd1O1o08NkXc/
EOOpoDfSIWXb+NqRoC5JbMee3yvriYALvSc5IQE8T0KWHtD5BCiPJ1hSlDWGDy7j
G3px5/G5jaU1rO+DG6zRzH8OcPJn0O/5MBb3ABEBAAG0SkludGVybmV0IFN5c3Rl
bXMgQ29uc29ydGl1bSwgSW5jLiAoU2lnbmluZyBrZXksIDIwMDkpIDxwZ3BrZXky
MDA5QGlzYy5vcmc+iQE3BBMBAgAhBQJKEzu+AhsDBQkFo5qABgsJCAcKAgQVCggC
Ah4BAheAAAoJENgRtT8Le64ApVMH/3z5Dc2Z4JN9Zdu4QpJfyQ82iim2bXiwU9oG
bEoTx4IYIISX+h8AIILnE5tItd7RFRnuuscb2wTmjCnAlWGchRxRArsAF2dXFM7h
ou25dNRpk48LPOfplVy9DpDv4ztqXfgKzF/PaEuebhlueLjYdmBRx/eqXjiYkalv
pez2INi2+eaiQO/Jdb6G4za++AIMAi7ohv7R+WxHlQKthOTnZiNwmUft20jIHL5T
q0c4/sjHJKL7GvVaSKoUorOMmfyk1rIY6+VuzSbSenQ1H01TMrH8e0Kr/lJ7grED
5NfPJPO0pTPMzun9lnQKOErdgJleSpoWMbiLGAfJoBsohk47+3uJARwEEAECAAYF
AkoTPSkACgkQsnDngS3G/4L4PQf/Y1dyIXUp5DTklIaNfuumae69/FnL9l/yM59z
Zl38Ni9OBJuEYxEaJWwccV1lnH71SgyfKx/iYbGOXDycKu1cTlc+/ucTQ1Qy2RWD
UFkff4yXo90tTItJx1AOiTPyMb6JVBdHn4laIgwtaR/Vwz78OsKyo0Fh1+ew6gmb
U/rDLznbn2LCd4hCWeB+VDz9+yAkm+C63b7QveCBmQlcqvw6V8Lc/8xyIARX9Iwj
xP5pyNhn+S9A6wGmwd5ZJAk4B1z+S1pZkTgZIvuA9V9bNO4ZDl7vOfS5im27GeAq
beo1DH+7VP+HGumnYFAvccNS3MldRBnYk3K8jxribj6SLeTpRokBHAQQAQIABgUC
ShNA2gAKCRAjNBJOG8kebA8ECACEH8E0ydSy1Q90Ab5y6AI0xor/d1glueJgexSg
9I83Sj/YcBnuyGvR21MyYfnWY1+fi1khXj7gBzm0vfia8lzIsA9bSAD02WMGTo+7
F4tp47SMV6TZ0gFrAVB9xySLjSj4ZHwQN7cejiMcArPPzVrhscWlywVmNeEcY1XZ
CG27USAShTyeC/8pRQHUeYGlRv0Rg3BgEXsG1kQwuNM98p/24irT+C2w3Xx672uk
iQ2AQ2gC7ARJUsoHAGz25iaagyEG2qCMomkJdYCtT/rr8RjivBEB3BcRnQidTsmk
xnVRyqTBrAad+csTZCDLawvwISpE5lI7kE0dSV4H/uidJQ/eiEYEEBECAAYFAkoT
bzIACgkQ9JTZv8+YkPg1RACgoSf6ttCGUqIi+hj9ZEvPSedSD50AniUOZQifu5yd
ZVNUQw4UXz/onobZiEYEEBECAAYFAkoVx64ACgkQcXeLeWu2vmp5RgCglJ/MD0cs
BmtLpNWX4vgzZQI2ciYAnAyvGmaelAtKkH7IGDxJ6YesmlwxiEYEEBEIAAYFAkoT
dFcACgkQ00k+8NKXq46stwCeJhKJB8b8IZd2npbhl06/iyLx5YQAoJvlhoPyOWwg
q/P38StdJe0mhsJOuQENBEoTPIgBCAC8YNPUyYJA5dJt4Cx/rX0iBmW1lszq3Wnj
rcHYsAl7YElncF/SoeriEnQXiesHHA9QErP2kE6SHp/eR2R5Kkus/25NhN0vD8KB
Wyqes4RCEOluRnQpAga8QMmbmhp5jPqzAqIJzNWFwDPI/vk99BSAIJjlJaXyxvbh
l7rm5qeLD2/5XxU5FWjtUaIRejKv5lEQ+gFvuNvyKc8iYvoztkfx4EGnuFESxV9V
hyfjoF94sB2UOUtwtVTLu43Fd3iau9xB3/TBqBzUsA46z+0GzJo5lapUBQLopzEz
n01gFfmh2Fo2TNhURgOIBCw36TDQuJjTVA8TqseL+HW2T+zAFSm5ABEBAAGJASUE
GAECAA8FAkoTPIgCGwwFCQWjmoAACgkQ2BG1Pwt7rgDwBAf/RuFdGM9ozg0R/4ZT
/ZaQbELC1/ame5nOwdoVZqbuMNO70sIMjB0kI/S4W/Sc/8eF791Qa/n+gxqNSQ9A
JBg2I4BgSgjr3LhuzWLJlqKzK6e88eMHCFyvePjXBV9AbRqcOxaMJIzwbQ7ph/ev
IVxBWhHiSOnI05ZFLFnt4GAszmTbwJK9IX5anElB2C03THuqzh2Z4ZfKplmJFf+1
LDLjBwUoq8OnUCbgvtmqgBp+W+zxTp5O3J7GAuU3DcXCyEe5Xws2R97/fZZuudI/
aB3ijf+sJYUukaX/VDs9PitdiGmAqoW9E26V7rvtXcpWoIkuvlkXHqoovn8n9mGx
9S826w==
=5dkC
-----END PGP PUBLIC KEY BLOCK-----

imported it to my key ring by using the following gpg command

vic@rome:~$ gpg --import publickeyisc
gpg: /home/vic/.gnupg/trustdb.gpg: trustdb created
gpg: key 0B7BAE00: public key "Internet Systems Consortium, Inc. (Signing key, 2009) <pgpkey2009@isc.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

found the signature of the file

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iQEVAwUATIg8KdgRtT8Le64AAQpjcwf/bF1hB8Fu5ZNgkvfUdBcUB9AQv6bNsSSw
iMUKBe3CaKZDFNkatxXWF3ssSeklQZIc1i9OWlo2WXMsRM+RYxfTXC7opj3Ng+3E
mG0XQ95RjlJcrIOnO83h8udo8YnAC+Bi8n/CljTTNhV5NvWyN0t6zf/dxiMj6jfO
s20AS4EyPZsMhPjqIycIaOHlXyUW7dAx9PDQEVeDnJE/QbOnGPHWm4Fp2Wr+QsVo
uqWLSQER84OIalxirewAwKh8k8yheT033/2WrXya/lPiLWM76rI71s2EACZSwgfO
5Cyyxew7/KM+/XVSv+SMwH2QElJSECwwDdtyI4O42UI0Dcx5/mVw5A==
=B/PS
-----END PGP SIGNATURE-----

Then verify it by using the following gpg command

vic@rome:~$ gpg --verify key.sig bind-9.7.2.tar.gz
gpg: Signature made Thu 09 Sep 2010 03:45:13 AM CEST using RSA key ID 0B7BAE00
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2009) <pgpkey2009@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FA76 7A86 A371 E359 22F6  A5C8 D811 B53F 0B7B AE00

• Which signature is the best one to use? Why?

I chose SHA512. it is the strongest among all of the available ones.

• Compile and then install BIND in the directory /usr/local/. Make sure BIND will look for its conguration les in /etc/ and have BIND write its state information such as the named.pid le in /var/run. You can find more information in the README file.

the first run of ./configure did not work as C compiler is not installed. so apt-get install gcc

That solves the problem. it is configured but still with error, cannot fine openssl in any folder.

OK, apt-get install openssl, still error. goolged a bit found out that we need the dev kit of ssl. apt-get install libssl-dev. This works!

./configure --prefix="/usr/local/" --sysconfdir="/etc/" --localstatedir="/var/"
make
make install

• Why are \caching only“ nameservers still useful?
  • They do not participate in zone transfer, and therefore there is no zone transfer traffic
  • They can be placed on the far side of a slow WAN link and provide host name resolution for remote offices that do not require a high level of host name resolution support
  • They can be implemented to provide secure host name resolution when configured as Forwarders
  • Best of all, easy, well, easier to setup.

• Create a simple configuration file for a \caching only” nameserver.
  

/etc/named.conf

options {
directory "/etc/named"; // Working directory
forwarders { 145.100.96.11; 145.100.96.22; };
 
};
// caching only DNS server
zone "." {
type hint;
file "named.cache";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "named.local";
notify no;
};

As instructed in the assignment I download the named.root (the root hint file) from ftp://ftp.rs.internic.net/domain, put it in the /etc/named/ with name “named.cache” .

• Why does the program only return a result value?

It is easier for the administrator to automate the work flow. He can give different action to the corresponding value.

if named-checkconf; then echo t; else echo f; fi
t

• Configure named to write debug information to a log file.

redirect of the log file is done through the logging section. I added the following line to named.conf

logging {
               channel update_debug {
                    file "/usr/local/log/named_update.log";
                    severity debug 5;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
               };
               channel security_info {
                    file "/usr/local/log/security_info.log";
                    severity notice;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
               };
               channel info {
                    file "/usr/local/log/named_info.log";
                    severity info;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
               };

               category update { update_debug; };
               category security { security_info; };
               category queries { info; };
        };

• Configure named to be able to use rndc

in order to be able to use rndc we have to create a key first. But the rndc-confgen did not work on my machine. Googled again a bit on the internet, found one post saying that certain version of BIND might have problem with the tool. In stead I have to add a random file to the command so:

rndc-confgen -r /dev/urandom -a

This did help. the rndc.key is generated in /etc.
It looks like

key "key" {
        algorithm hmac-md5;
        secret "PeVIja4CdJBu40tdcULVxg==";
};

I added the following lines to rndc.conf

options {
        default-server  localhost;
        default-key     "key";
        default-port 953;
};
 
include "/etc/rndc.key";

And the following lines to named.conf

include "/etc/rndc.key";
 
controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "key"; };
};

• What other commands/functions does rndc provide?

root@rome:/etc# rndc
Usage: rndc [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-V] command

command is one of the following:

  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  notify zone [class [view]]
                Resend NOTIFY messages for the zone.
  reconfig      Reload configuration file and new zones only.
  sign zone [class [view]]
                Update zone keys, and sign as needed.
  stats         Write server statistics to the statistics file.
  querylog      Toggle query logging.
  dumpdb [-all|-cache|-zones] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  secroots [view ...]
                Write security roots to the secroots file.
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting
                process id.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  notrace       Set debugging level to 0.
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  status        Display status of the server.
  recursing     Dump the queries that are currently recursing (named.recursing)
  validation newstate [view]
                Enable / disable DNSSEC validation.
  *restart      Restart the server.
  addzone ["file"] zone [class [view]] { zone-options }
                Add zone to given view. Requires new-zone-file option.
  delzone ["file"] zone [class [view]]
                Removes zone from given view. Requires new-zone-file option.

* == not yet implemented
Version: 9.7.2

• To use your own name server you will need to adapt resolv.conf.
• What do you need to put in resolv.conf to use your own name server?

I added the following line to resolv.conf

nameserver localhost

The dhcpclient will always request the information from dhcp server so the resolv.conf will always be rewritten. I have to change the /etc/dhcp3/dhcpclient.conf, just un-comment the following line

prepend domain-name-servers 127.0.0.1;

• Now use the tools and scripts provided with your BIND distribution to test your nameserver.

nslookup - rome.studlab.os3.nl
Default Server:  rome.studlab.os3.nl
Address:  145.100.104.58
 
> google.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58
 
Non-authoritative answer:
Name:    google.nl
Addresses:  74.125.79.99
          74.125.79.104
          74.125.79.147
 
>

Delegation

I got subdomain rome.practicum.os3.nl. I firstly added a zone in my bind config file

nano /etc/named.conf
 
// my zone
zone "rome.practicum.os3.nl" {
  type master;
  notify no;
  file "rome.practicum.os3.nl.db";
};

Bind will load the zone file named rome.practicum.os3.nl.db in the working directory.

The I have to create the file and add the content

touch rome.practicum.os3.nl
 
;
; Zone file for rome.practicum.os3.nl
;
; The full zone file
;
$TTL 1h
@       IN      SOA     rome.practicum.os3.nl. hostmaster.rome.practicum.os3.nl$
                        199802151       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                NS      rome.studlab.os3.nl.    ; Inet Address of name server
                MX      10 rome.studlab.os3.nl. ; Primary Mail Exchanger
                MX      20 mail.rome.studlab.os3.nl.   ; Secondary Mail Exchang$
;
webservice       A       145.100.104.58
                TXT "permernent address of the web service"
 
ns              A       145.100.104.58
                TXT "name server"
 
mail            A       145.100.104.58
                TXT "mail server"
 
idea    A   145.100.104.58
        TXT "creative address"
 
www  cname webservice
wwww cname webservice

It works!!!

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\vic>nslookup - rome.studlab.os3.nl
Default Server:  rome.studlab.os3.nl
Address:  145.100.104.58

> google.com
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.79.99
          74.125.79.104
          74.125.79.147

> rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    rome.practicum.os3.nl

> exit

C:\Users\vic>nslookup - rome.studlab.os3.nl
Default Server:  rome.studlab.os3.nl
Address:  145.100.104.58

> rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    rome.practicum.os3.nl

> www.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    webservice.rome.practicum.os3.nl
Address:  145.100.104.58
Aliases:  www.rome.practicum.os3.nl

> mail.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    mail.rome.practicum.os3.nl
Address:  145.100.104.58

> ns.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    ns.rome.practicum.os3.nl
Address:  145.100.104.58

> idea.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    idea.rome.practicum.os3.nl
Address:  145.100.104.58

> wwww.rome.practicum.os3.nl
Server:  rome.studlab.os3.nl
Address:  145.100.104.58

Name:    webservice.rome.practicum.os3.nl
Address:  145.100.104.58
Aliases:  wwww.rome.practicum.os3.nl

>

• If Niels had not yet implemented the delegation, what information would you need to give him so that he can implement it?

1. Give my ip address and FQDN of my DNS server. He can delegate to my server, and use my ip address to create an A-record as glue record.
2. only my ip address. He can still delegate to my server. But he has to create glue record using a non-existence FQDN and create A-record for that domain and point it to my ip address. (I think he choose this one)

• Describe the official delegation process for a domain in the netherlands (requesting / assignment / denial / testing / etcetera). What organisations are involved (other than you and your registrar)?

Anyone may register a .nl domain name with SIDN. The procedure is described below.

1. Choose a domain name
   
   1. A properly chosen domain name should comply to the standard.
2. Choose a registrar
   
   1. As individual, you do not/cannot register your domain. For doing that you need a registrar. And the following steps are mostly carried out by the registrar on your behavior. As an user, you have to file a contract with registrar first.
3. Close a (registration) contract
   
   1. Of course, you have to agree with the Term and Condition, and sign whatever paper you see
4. Provide your contact details
   
   1. You contact info will be visible in the whois later.
5. Registrar submits application
   
   1. Let's hope it will be approved. SIDN can reject application and revoke registration based on previous records.
6. Application is processed by SIDN
   
7. Information recorded in SIDN’s database / Whois
   

Now, the domain should be fully registered and assigned to you. However, if you fail to fulfill the requirement, like provide up-to-date contact information, misuse of the domain, SIDN can revoke the assignment. And it can also affect later domain application from you.

• What important requisite is not yet met for your sub-domain?
  • it is not registered with SIDN
  • it is not listed in the whois database
  • hence, no contact or technical support information available

However, I wonder if SIDN will do such assignment for my sub-domain, as they delegated it already to os3.nl. If they do it will be a kind of double registration.