
ubuntu – Zone transfer between PowerDNS and Bind9

I'm running into a problem trying to transfer a full zone from a PowerDNS server to a Bind9 server. The strange thing is that the PowerDNS server hosts several zones as a hidden master (with a MySQL backend), but only one of those zones fails to transfer to the Bind9 server.

Both servers are running Ubuntu 16.04 LTS. Additionally:

> Bind9版本= 9.10.3.dfsg.P4-8ubuntu1
> PowerDNS版本= 4.0.0~alpha2-3build1

The Bind9 slave zone configuration is as follows:

zone "example.net" {
    type slave;
    file "/var/lib/bind/slaves/db.example.net";
    masters {
          10.0.0.1;
    };
};

The DNS zone on PowerDNS is:

% sudo pdnsutil show-zone example.net
This is a Master zone
Last SOA serial number we notified: 2016050801 == 2016050801 (serial in the database)
Zone is not actively secured
Metadata items: None
No keys for zone 'example.net.'.

% sudo pdnsutil list-zone example.net
example.net.    10800   IN  MX  10 mx1.example.org.
example.net.    10800   IN  MX  50 mx2.example.org.
example.net.    10800   IN  NS  ns1.example.org.
example.net.    10800   IN  NS  ns2.example.org.
example.net.    86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
...

Note the difference between .net and .org in this output.
Here is the PowerDNS output in its log when it tries to serve the zone to Bind.

May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2
May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips
May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' Failed: not authoritative

And the corresponding log from Bind.

May  9 00:44:14 rdns01 named[32973]: zone example.net/IN: refresh: unexpected rcode (REFUSED) from master 10.0.0.1#53 (source 0.0.0.0#0)
May  9 00:44:14 rdns01 named[32973]: zone example.net/IN: Transfer started.
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: connected using 10.0.0.2#55376
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Failed while receiving responses: NOTAUTH
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer status: NOTAUTH
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.004 secs (0 bytes/sec)

So Bind9 says the server is not authoritative. That's really odd. So let's use dig to make things a bit clearer.

% dig @10.0.0.1 example.net. SOA          

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @10.0.0.1 example.net. SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47002
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;example.net.           IN  SOA

;; ANSWER SECTION:
example.net.        86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400

;; Query time: 2 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon May 09 00:53:51 CEST 2016
;; MSG SIZE  rcvd: 104

That looks authoritative enough to me. So after that I tried to do an AXFR with dig. Surprisingly...

% dig -t axfr example.net @10.0.0.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t axfr example.net @10.0.0.1
;; global options: +cmd
example.net.        86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
...
;; Query time: 73 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon May 09 00:56:42 CEST 2016
;; XFR size: 58 records (messages 3, bytes 1952)

I don't know where to look.

Thanks for your help.

Update:

Log from a packet capture:

1   0.000000    10.0.0.2    10.0.0.1    DNS 82  Standard query 0xe0dd SOA example.net OPT
2   0.002902    10.0.0.1    10.0.0.2    DNS 82  Standard query response 0xe0dd Refused SOA example.net OPT
6   0.004506    10.0.0.2    10.0.0.1    DNS 97  Standard query 0x205c AXFR example.net
8   0.006432    10.0.0.1    10.0.0.2    DNS 97  Standard query response 0x205c Not authoritative AXFR example.net

PowerDNS log from a successful manual AXFR:

May  9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2
May  9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips
May  9 08:19:52 hdns01 pdns[40494]: AXFR of domain 'example.net.' to 10.0.0.2 finished

PowerDNS configuration file

#################################
# allow-axfr-ips    Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,10.0.0.2

#################################
# also-notify   When notifying a domain, also notify these nameservers
#
also-notify=10.20.1.78,10.0.0.2

#################################
# daemon    Operate as a daemon
#
daemon=yes

#################################
# include-dir   Include *.conf files from this directory
#
# include-dir=
include-dir=/etc/powerdns/pdns.d

#################################
# launch    Which backends to launch and order to query them in
#
# launch=
launch=

#################################
# master    Act as a master
#
master=yes

#################################
# setgid    If set, change group id to this gid for more security
#
setgid=pdns

#################################
# setuid    If set, change user id to this uid for more security
#
setuid=pdns

And the MySQL backend configuration section in the /etc/powerdns/pdns.d/ directory.

# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql

# gmysql parameters
gmysql-host=127.0.0.1
gmysql-port=
gmysql-dbname=pdns
gmysql-user=MYUSER
gmysql-password=MYPASSWORD
gmysql-dnssec=yes
# gmysql-socket=

At my request, the poster came into our #powerdns IRC channel, where we quickly found that there was indeed a typo between the domain names on the master and the slave – one that was hidden by the obfuscation done to ask the question here.
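The root cause in the answer, a zone name that differs between the master and the slave configuration, never shows up as such in the logs: PowerDNS only says "not authoritative" and BIND only sees REFUSED/NOTAUTH, while a hand-typed dig against the name the operator believes is configured succeeds. A mechanical comparison of the slave's zone names against the master's zone list catches this class of mistake directly. The script below is an added example and is not code from the question or from the PowerDNS or BIND projects; the named.conf fragment and the zone listing (modelled on the one-zone-per-line shape of `pdnsutil list-all-zones` output) are constructed inputs, the `exampel.org` typo in the slave config is deliberate, and the function names are the example's own.

```python
import difflib
import re

# Constructed sample slave configuration (not the asker's real config):
# one zone carries a deliberate typo, one has a trailing dot, one differs in case.
NAMED_CONF = """
zone "example.net" {
    type slave;
    file "/var/lib/bind/slaves/db.example.net";
    masters {
          10.0.0.1;
    };
};
zone "exampel.org." {
    type slave;
    file "/var/lib/bind/slaves/db.example.org";
    masters { 10.0.0.1; };
};
zone "Example.com" {
    type slave;
    file "/var/lib/bind/slaves/db.example.com";
    masters { 10.0.0.1; };
};
"""

# Constructed zone listing of the master, one zone per line, as a hidden
# master's `pdnsutil list-all-zones` style output would give it.
MASTER_ZONES = """example.net.
example.org.
example.com.
"""


def canonical(name):
    """DNS names compare case-insensitively and 'example.net.' == 'example.net'."""
    return name.strip().rstrip(".").lower()


def zone_blocks(conf):
    """Yield (name, body) for every zone statement in a named.conf fragment,
    tracking brace depth so nested blocks such as `masters { ...; };`
    do not end the zone body early."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def slave_zones(conf):
    """Canonical names of all zones declared `type slave`, sorted."""
    return sorted(
        canonical(name)
        for name, body in zone_blocks(conf)
        if re.search(r"\btype\s+slave\s*;", body)
    )


def master_zones(listing):
    """Canonical set of zone names from a one-per-line listing."""
    return {canonical(line) for line in listing.splitlines() if line.strip()}


def find_mismatches(conf, listing):
    """Map each slave zone the master does not serve to its closest master
    zone name (or None), so a typo is reported next to the intended name."""
    master = master_zones(listing)
    mismatches = {}
    for zone in slave_zones(conf):
        if zone not in master:
            close = difflib.get_close_matches(zone, sorted(master), n=1, cutoff=0.8)
            mismatches[zone] = close[0] if close else None
    return mismatches


if __name__ == "__main__":
    for zone, suggestion in find_mismatches(NAMED_CONF, MASTER_ZONES).items():
        hint = f" (did you mean {suggestion}?)" if suggestion else ""
        print(f"slave zone {zone!r} is not served by the master{hint}")
```

On the constructed input this reports only `exampel.org` and suggests `example.org`; the trailing dot and the capitalised name are normalised away because neither is a real difference on the wire. Run it with the real named.conf and the real zone list from the master before obfuscating anything for a bug report, since the obfuscation itself is what hid the typo in this case.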

Original article: https://www.jb51.cc/ubuntu/348086.html
