In this assignment you will set up a simple caching-only nameserver, implement your own .insec -domain, complete with a slave server - and finally a subdomain .not.insec, enhanced with Transaction SIGnatures. You will need at least two machines for this.

Material

Preparations

Assign static ip addresses to the eth1 interfaces on your assigned machines #1 and #2. Use addresses from the range 192.168.x.0/24 (we'll call this labnet).

Work tasks

Caching-only Nameserver

Setup Machine 1 to function as a caching-only nameserver. It will not be authoritative for any domain, and will only resolve queries on behalf of the clients, and cache the results.

Configure the nameserver to forward all queries for which it does not have a cached answer to the cse.hut.fi's primary name server. Only allow queries and recursion from labnet.

Start your nameserver and watch the logfile '/var/log/syslog' for any error messages. Check that you can resolve addresses through your own nameserver from a second machine. You can use dig(1) to do the lookups.

1.1 Explain the configuration you used.
2 p

1.2 What is a recursive query? How does it differ from an iterative query? 1 p

Create your own tld .insec

Configure Machine 1 to be the primary master for .insec domain. For that you will need to create zone definitions, reverse mappings, and to let your server know it will be authoritative for the zone.

Create a zone file for .insec with the following information:

Primary name server for the zone is ns.insec
Contact address should be hostmaster@insec
Use short refresh and retry time limits of 60 seconds
Put your machine's ip in ns.insec's A record

Similarly create a reverse mapping zone c.b.a.in-addr.arpa, where a, b and c are the first three numbers of the virtual machine's current IP address for eth1 (i.e. IP = a.b.c.xxx -> c.b.a.in-addr.arpa).

Add a master zone entry for .insec and c.b.a.in-addr.arpa (see above) in named.conf. Reload bind's configuration files and watch the log for errors. Try to resolve ns.insec.

2.1	Explain your configuration.	4 p
2.2	Provide the output of dig(1) for a successful query.	1 p
2.3	How would you add an IPv6 address entry to a zone file?	1 p

Create a slave server for .insec

Configure Machine 2 to work as a slave for .insec domain. Use a similar configuration as for the master, but don't create zone files.

On the master server, add an entry (A, PTR and NS -records) for your slave server. Don't forget to increment the serial number for the zone. Also allow zone transfers to your slave.

Reload configuration files in both machines and watch the logs. Verify that the zone files get transferred to the slave. Try to resolve machines in the .insec domain through both servers.

3.1	Demonstrate the succesful zone file transfer.	1 p
3.2	Explain the changes you made.	3 p
3.3	Provide the output of dig(1) for a successful query from the slave server. Are there any differences to the queries from the master?	1 p

Create a subdomain .not.insec.

Similarly as above, create a subdomain .not.insec, but reverse the roles of the servers - that is, use Machine 2 as a master, and Machine 1 as a slave. Remember to add an entry for subdomain NS in the .not.insec zone files.

Reload configuration files in both servers (watch the logs) and verify that the zone files get transferred to both slave servers. Try to resolve machines in .not.insec -domain from both the servers.

4.1	Explain the changes you made.	2 p
4.2	Provide the output of dig(1) for successful queries from both the servers.	1 p

Implement Transaction Signatures

One of the weak points of DNS is that the zone transfers are not authenticated, which opens up an opportunity to alter the zone files during updates. Prevent this by enhancing the .not.insec -domain to implement transaction signatures.

Generate a secret key to be shared between the master and slave with the command dnssec-keygen(8). Use HMAC-SHA1 as the algorithm, a key length of 160 bits and the nametype HOST.

Create a shared key file with the following template:

					key keyname. {
	algorithm hmac-sha1;
	secret "VxjnlBU8svn2IfxdEeaTmiWp/Yk=";
	};

Fill in the generated key and make it available to both the servers. Include the key file from both servers' named.conf files, and configure servers to only allow transfers signed with the key.

Try first an unauthenticated transfer - and then verify, that you can do authenticated transfers.

5.1	Explain the changes you made. Show the successful and the unsuccessful zone transfer in the log.	4 p
5.2	TSIG is one way to implement transaction signatures. DNSSEC describes another, SIG(0). Explain the differences.	1 p