Revision [1105]

This is an old revision of Tier0ServerConfig made by ChristopherTheodore on 2008-02-04 21:09:24.


This tutorial presumes that:
  1. You have Bind 9 installed and running in a chroot located at /var/named, and that named.conf resides at /var/named/etc/namedb/named.conf.
  2. You have rndc working and know how to use it.
  3. Your server is configured as a Tier 2 server or cache server. See the Tier2ServerConfig page.
  4. You have read the main portions of the BIND 9 Administrator Reference Manual and comprehend the subtle difference between a "domain" and a "zone".
  5. You have at least one static IP address.
  6. You have a 24/7 DSL internet connection or better.
  7. You have both a mail server and a web server up and running. (This can all be done on a single machine if that is all you have.)

A Tier 0 server, or root server, is any authoritative name server that can provide an IXFR/AXFR for the root zone, ".", and it can be configured either as a Primary Master (zone "type master;") or as a Secondary Master (zone "type slave;"). This tutorial focuses on configuring the root zone, first, as a Primary Master in the legacy DNS and, second, as a Primary Master and then a Secondary Master in the alt-DNS on Bind 9.

As a quick note: the term "Tier", while used to describe a name server, is not a "type of name server"; it refers to a name server that is authoritative for a particular "zone". There is the single Tier 0 zone (the "Root Zone", ie: "."), then there are a few Tier 1 zones ("Top Level Domain Zones", ie: com. org. geek. oss. ukg. etc...), and then there are many Tier 2 zones ("Domain Name Zones", ie: example.com.).

Also note: before you set up a Tier 0 zone on a server in the alt-root, you should know the basics of how it is done in the legacy root.

While your server will not be included in the legacy named.hint file by ICANN/IANA, will not have a Resource Record for the "." zone (root zone or Tier 0 zone) created for it, and so will not technically be one of the root servers, it will function much like a root server for the legacy root does. Understanding the basics of how a legacy DNS root server is set up makes it easier to understand how we do this in the alt-root.


First, you will need the legacy root.zone file. You can get a current copy of this file from Internic.net at the following location: ftp://rs.internic.net/domain/root.zone.gz

Once you have downloaded and gunzipped a copy of this file into the working directory of named (/var/named/etc/namedb/root.zone), take a look at it. You will find A/AAAA records and NS records for all the legacy TLDs (both gTLDs and ccTLDs).

As you can see, this is not the named.hint/named.cache file that ships with Bind 9 and is used for the "type hint;" config of the Tier 0 zone.

Now it is time to edit the zone "." (root) entry in /var/named/etc/namedb/named.conf. It is presumed that you already have a working cache server set up and resolving domain names, so named.conf will have an entry that looks like this:

named.conf
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    version "BIND - alt-DNS";
    listen-on { 127.0.0.1; 10.0.0.1; 12.34.56.78; }; # use the correct lan IP address and your static IP address[es] here
    allow-query { any; };
    query-source address * port 53;
    transfer-format many-answers;
    multi-master yes;
    recursion yes; # you may decide later to disable this, leave it alone for now.
    provide-ixfr yes;
    request-ixfr yes;
};

<... snip ...>

zone "." IN {
      type hint;
      file "named.hint";
};

<... snip ...>


Make sure you add the above options if you don't have them, and change the above zone to this:

named.conf
<... snip ...>

zone "." IN {
      type master;
      file "root.zone";
      notify no;
};

<... snip ...>


Now restart named, or, if you have rndc configured (which you should), simply run: rndc reload

You should now be able to run: dig @localhost ANY . and dig @localhost ANY com.

You should get output from dig that looks like this:

root# dig @localhost ANY .

; <<>> DiG 9.3.3 <<>> @localhost ANY .
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54076
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      ANY

;; ANSWER SECTION:
.                       86400   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008012701 1800 900 604800 86400
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 28 02:36:16 2008
;; MSG SIZE  rcvd: 285


root# dig @localhost ANY com.

; <<>> DiG 9.3.3 <<>> @localhost ANY com.
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63776
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;com.                           IN      ANY

;; ANSWER SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1201513063 1800 900 604800 900
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.

;; AUTHORITY SECTION:
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.

;; Query time: 777 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 28 02:37:59 2008
;; MSG SIZE  rcvd: 482

root#


And now you have a functioning legacy DNS root server, *kind of*. ;-)


The next step is to transition to an alt-root and set up an alt-DNS root server. There are many ways to do this. For the sake of simplicity, and to clarify why it is called the alt-root: it is because we use an alternative root zone file.

While setting up a TLD is covered in more detail on the Tier1ServerSetup page, we need one set up for this to work. So in the following examples it is presumed that, in addition to the root zone, you also have a Top Level Domain ".TEST", that there is a zone "type master;" in named.conf for "TEST.", AND that you have a minimum set of resource records for "TEST." in the zone file /var/named/etc/namedb/master/TEST/TEST.db.

/var/named/etc/namedb/named.conf
zone "." IN {
      type master;
      file "root.zone";
      notify no;
};

zone "TEST." IN {
      type master;
      file "master/TEST/TEST.db";
};


To make the "TEST." zone work, here is a basic file that can be used as is. A more complex example of this file will be explained on the Tier1ServerSetup page, but for now just grab this and save it as a plain text file: /var/named/etc/namedb/master/TEST/TEST.db

/var/named/etc/namedb/master/TEST/TEST.db
$TTL 1h
TEST.               IN SOA   ns0.dns.TEST. hostmaster.mail.dns.TEST. ( 2008000001 1800 900 604800 900 )
                    IN NS    ns0.dns.TEST.
                    IN TXT   ".TEST - Serving as an Example - http://www.dns.TEST"

dns.TEST.           A        12.34.56.78  ; .TLD zone Primary Master Static IP address
dns.TEST.           MX 10    mail.dns.TEST.
dns.TEST.           TXT      ".TEST - Serving as an Example - http://www.dns.TEST"

mail.dns.TEST.      A        12.34.56.78  ; .TLD zone Primary Master Static IP address
ns0.dns.TEST.       A        12.34.56.78  ; .TLD zone Primary Master Static IP address
                    MX 10    mail.dns.TEST.
                    TXT      ".TEST - Serving as an Example - http://www.dns.TEST"
www.dns.TEST.       CNAME    ns0.dns.TEST.


Now, before you restart named, you need to edit root.zone and make ns0.dns.TEST the Start of Authority (SOA). You cannot use ICANN's root servers because they know nothing about .TEST and will fail to resolve any domain names under the .TEST Top Level Domain. So fire up your favorite editor and open /var/named/etc/namedb/root.zone.

The ONLY part of this file we are concerned with editing is the SOA and the root zone "." NS records. Don't mess with anything else, because we want our root server to be able to resolve domain names in the legacy root as well as the additional TLDs of the alt-root; this is how we maintain "Universal Resolvability":

/var/named/etc/namedb/root.zone
. IN    SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
                                  2008012701 ;serial
                                  1800 ;refresh every 30 min
                                  900 ;retry every 15 min
                                  604800 ;expire after a week
                                  86400 ;minimum of a day
                                  )
$TTL 518400
.      NS      A.ROOT-SERVERS.NET.
.      NS      B.ROOT-SERVERS.NET.
.      NS      C.ROOT-SERVERS.NET.
.      NS      D.ROOT-SERVERS.NET.
.      NS      E.ROOT-SERVERS.NET.
.      NS      F.ROOT-SERVERS.NET.
.      NS      G.ROOT-SERVERS.NET.
.      NS      H.ROOT-SERVERS.NET.
.      NS      I.ROOT-SERVERS.NET.
.      NS      J.ROOT-SERVERS.NET.
.      NS      K.ROOT-SERVERS.NET.
.      NS      L.ROOT-SERVERS.NET.
.      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. A 198.41.0.4
H.ROOT-SERVERS.NET. A 128.63.2.53
C.ROOT-SERVERS.NET. A 192.33.4.12
G.ROOT-SERVERS.NET. A 192.112.36.4
<... snip ...>


We simply change the above to:

. IN    SOA     ns0.dns.TEST. hostmaster.mail.dns.TEST. (
                                  2008012702 ;serial
                                  1800 ;refresh every 30 min
                                  900 ;retry every 15 min
                                  604800 ;expire after a week
                                  86400 ;minimum of a day
                                  )
$TTL 518400
.                   NS      ns0.dns.TEST.
ns0.dns.TEST.       A       12.34.56.78

; START OF ICANN RESOURCE RECORDS - DON'T CHANGE THESE OR THE REST OF THE FILE
A.ROOT-SERVERS.NET. A 198.41.0.4
H.ROOT-SERVERS.NET. A 128.63.2.53
C.ROOT-SERVERS.NET. A 192.33.4.12
G.ROOT-SERVERS.NET. A 192.112.36.4
<... snip ...>


Don't forget to increase the serial number by one.

Now save the file and restart named.
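As an added check before you reload (example code written for this page, not part of the original tutorial or of BIND), the following Python script applies the root.zone edit described above to a constructed fragment of the legacy file and then verifies the result: the SOA names the alt-root master, the serial went up, "." has exactly one NS record with glue, and the ICANN records below the marker are untouched. ns0.dns.TEST., hostmaster.mail.dns.TEST. and 12.34.56.78 are the page's own placeholder values; the sample zone text is constructed.

```python
import re
# Constructed sample: the head of a legacy root.zone after gunzip. Only the
# records this page edits are shown in full; the TLD line stands in for the rest.
LEGACY_ROOT_ZONE = """\
. IN    SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
                2008012701 ;serial
                1800 ;refresh every 30 min
                900 ;retry every 15 min
                604800 ;expire after a week
                86400 ;minimum of a day
                )
$TTL 518400
.      NS      A.ROOT-SERVERS.NET.
.      NS      B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. A 198.41.0.4
com.   172800  IN  NS  a.gtld-servers.net.
"""

# Root SOA: owner ".", MNAME, RNAME, then "(" serial ... ")" possibly over several lines.
SOA_RE = re.compile(r"^\.\s+IN\s+SOA\s+(\S+)\s+(\S+)\s*\(\s*(\d+)(.*?)\)", re.S | re.M)
# A root NS record, with or without an explicit TTL / class field.
ROOT_NS_RE = re.compile(r"^\.\s+(?:\d+\s+)?(?:IN\s+)?NS\s+(\S+)", re.M)

def make_alt_root(zone_text, mname, rname, glue_ip):
    """Apply the page's edit: swap the root SOA for the alt-root master, bump the
    serial by one, replace the root NS set with mname (+ glue), keep everything else."""
    m = SOA_RE.search(zone_text)
    if m is None:
        raise ValueError("no root SOA record found")
    new_serial = int(m.group(3)) + 1
    new_soa = f". IN    SOA     {mname} {rname} (\n                {new_serial}{m.group(4)})"
    body = zone_text[:m.start()] + new_soa + zone_text[m.end():]
    out = []
    for line in body.splitlines():
        if ROOT_NS_RE.match(line):
            continue                      # legacy root NS records are dropped
        out.append(line)
        if line.startswith("$TTL"):       # page puts the new NS right after $TTL
            out.append(f".                   NS      {mname}")
            out.append(f"{mname}       A       {glue_ip}")
    return "\n".join(out) + "\n", new_serial

def check_alt_root(zone_text, mname, old_serial):
    """Sanity checks before rndc reload: alt-root SOA, serial bumped, one root NS with glue, ICANN records intact."""
    m = SOA_RE.search(zone_text)
    glue = re.search(rf"^{re.escape(mname)}\s+(?:\d+\s+)?(?:IN\s+)?A\s+\S+", zone_text, re.M)
    return (m is not None and m.group(1) == mname and int(m.group(3)) > old_serial
            and ROOT_NS_RE.findall(zone_text) == [mname] and glue is not None
            and "A.ROOT-SERVERS.NET. A 198.41.0.4" in zone_text)
```

Run check_alt_root against the real /var/named/etc/namedb/root.zone after editing; if it returns False, fix the file before you reload rather than serving a root zone with no usable NS set.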