Lesson plan
-----------

Title: DNS session 3

Time available: 2 hours + additional for practical as required
Students: CEDIA Track 1, approx 40 students. English not first language.

General objective: To be able to configure authoritative nameservers

Specific objectives:
After the lesson, the learner will be able to:
1. Configure bind as a master and slave authoritative nameserver
2. Create valid zone files
3. List common errors when setting up DNS
4. Delegate zones using glue records only where necessary

Resources:
Computer lab with Linux installed (using default bind-9.x installation)
PC projector with presentation available
Whiteboard

Time	Teaching Point (/ Learner Activity)

0:00	Recap from previous session
	- DNS is distributed database
	- resolver asks cache for information
	- cache traverses the DNS delegation tree to find authoritative
	  server which has the information requested
	- bad configuration of authoritative servers can result in
	  a broken domain

0:05	[Slides]
	We need more than one authoritative nameserver (RFC2812)
	Data is entered on one server (master) and replicated to the
	others (slaves)
	Outside world cannot tell the difference between a master and slave.
	(NS records are returned in random order. Equal load share)

0:10	Slave copies data from master (not master pushing to slave)
	When?
	- Slave periodically checks for a new zone ("Refresh interval")
	- Master can notify slaves when a change has occurred
	(newer versions of BIND, not reliable)

0:15	Every zone file has a serial number.
	Slave will only copy data when this number INCREASES.
	(UDP query to check SOA, TCP connection to transfer data)
	It is your responsibility to increase the serial number after
	every change; otherwise slaves and master will be inconsistent.
	Standard serial number format: YYYYMMDDNN
	If you ever decrease the serial number, the slaves will NEVER
	update until the serial number has gone up again.

0:20	Serial number is a 32-bit unsigned number
		0 - 4,294,967,295
	Any value larger than this is silently wrapped
	e.g.	20040303000
	=         4AA7EC198 (hex)
	=          AA7EC198 (32 bits)
	=        2860433816

0:25	Configuration of master:
	- named.conf entry points to zone file [manually created]
	- keep files in logical place, e.g.
	/var/named/m/tiscali.co.uk
	/var/named/m/uk.co.tiscali

0:30	Configuration of slave:
	- named.conf points to master and to zone file
	- keep files in logical place, e.g.
	/var/named/s/tiscali.co.uk
	- don't touch them
	Note on allow-transfer { none; }

0:30	Structure of zone file
	Global options ($TTL), SOA RR, NS RRs, other RRs

0:35	Structure of RR
		www	3600	IN	A	212.74.112.80

	Omit TTL: takes default value ($TTL)
	Omit class: defaults to IN

	If you miss the domain name, it comes from the line above.
	If the a domain name does not end with a period, the current domain
	(ORIGIN) is appended.
	A domain of '@' means the current domain.

	@	IN	SOA	( ... )
		IN	NS	ns0
		IN	NS	ns0.as9105.com.
	www	IN	A	212.74.112.80
		IN	MX 10	internal.mail.uk.tiscali.com.

	becomes:

	tiscali.co.uk.		IN	SOA	( ... )
	tiscali.co.uk.		IN	NS	ns0.tiscali.co.uk.
	tiscali.co.uk.		IN	NS	ns0.as9105.com.
	www.tiscali.co.uk.	IN	A	212.74.112.80
	www.tiscali.co.uk.	IN	MX 10   internal.mail.uk.tiscali.com.

0:45	@	1h	IN	SOA	ns0.tiscali.co.uk. hostmaster.uk.tiscali.com. (
			serial, refresh, retry, expire, minimum )
	Explain the parameters.
	Every zone must have one SOA.
	RIPE-203 / http://www.ripe.net/ripe/docs/dns-soa.html

	@	IN	NS	name.of.host.
		IN	NS	name.of.host.
	Must be HOSTNAME not IP ADDRESS

0:50	Other records
		IN	A	x.x.x.x
		IN	MX	nn   dom.ain.name.
		IN	CNAME	dom.ain.name.
		IN	PTR	dom.ain.name.
		IN	TXT	"some text"
	
0:55	Once a new zone has been added:
		named-checkzone dom.ain.name
		(correct any errors!)
		rndc reload
	or	rndc reload dom.ain.name
		tail /var/log/messages

1:00	If there are errors, named will still run but not be authoritative
	- hence important to check after every change

	Checking nameserver is authoritative (both master and slave)
		dig @me dom.ain.name. soa (check for 'aa')
		dig @me dom.ain.name. axfr

1:05	None of this will work until you have delegation from the level
	above
	- they list the NS records which point to your servers
	- you also list your NS records within the zone
	- the two should match

1:10	Top ten errors - see also RFC1912
	(1) Forgot to increment serial number, or
	    Decremented serial number [see RFC1912 sec 3.1 for recovery]
	(2) Comments in zone files with '#' instead of ';'
	(3) Syntax error in named.conf or zone file leads to lame
	delegation (number missing from MX record)
	(4) Missing the trailing dot
	[zone mydomain.com]
	@	IN	MX 10	mailhost.mydomain.com
	@	IN	MX 10	mailhost.mydomain.com.mydomain.com.

	[zone 2.0.192.in-addr.arpa.]
	1	IN	PTR	www.foo.com
	1	IN	PTR	www.foo.com.2.0.192.in-addr.arpa.
	(5) NS and MX records must point to hostname, not IP address
	(6) Slave can't contact master [e.g. ipfilters]
	 or Slave IP address not permitted for zone transfer
	(7) Delegation to slave which has not been configured as slave
	(8) or no delegation at all!
	(9) Out-of-date glue records [see later]
	(10) Not reducing TTL before changes

1:30	Practical - 2 hours?

If time available:

3:30	Reverse DNS
	If you have at least a /24, provider will delegate to you
	(example).
	If you have more than a /24, you will get a separate zone for
	each /24 (unless you have a /16!)
	If you have less than /24, follow the procedure in RFC2317
	Nothing special about reverse DNS - still relies on correct
	delegation being in place.
	Make sure reverse and forward DNS matches though.

3:40	How to delegate a subdomain
	- just put in NS records
	- check using dig that the subdomain is configured properly
	- it's your domain; a bad subdomain reflects badly on you!

3:45	The glue problem
	- affects example.com delegated to ns.example.com
	- can't recursively lookup ns.example.com

3:50	Recap and end