I am running an authoritative server with BIND 9.16.1 on Ubuntu 20.04. I recently upgraded from Ubuntu 16.04, and since then I have problems resolving A records and PTR records. Before the upgrade from 16.04 to 20.04 everything worked fine. My named.conf, named.conf.options, named.conf.local and so on are configured as shown below. Any advice is much appreciated.
named status
service named status
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-08-17 13:15:22 EAT; 10s ago
Docs: man:named(8)
Main PID: 14052 (named)
Tasks: 14 (limit: 19110)
Memory: 73.3M
CGroup: /system.slice/named.service
└─14052 /usr/sbin/named -f -u bind
Aug 17 13:15:27 dns-1 named[14052]: zone_journal: managed-keys-zone/hotspots: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_needdump: managed-keys-zone/hotspots: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_settimer: managed-keys-zone/hotspots: enter
Aug 17 13:15:27 dns-1 named[14052]: managed-keys-zone/external: Unable to fetch DNSKEY set '.': SERVFAIL
Aug 17 13:15:27 dns-1 named[14052]: set_refreshkeytimer: managed-keys-zone/external: enter
Aug 17 13:15:27 dns-1 named[14052]: managed-keys-zone/external: next key refresh: 17-Aug-2021 14:10:47.520
Aug 17 13:15:27 dns-1 named[14052]: zone_settimer: managed-keys-zone/external: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_journal: managed-keys-zone/external: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_needdump: managed-keys-zone/external: enter
Aug 17 13:15:27 dns-1 named[14052]: zone_settimer: managed-keys-zone/external: enter
named.conf
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
logging {
channel default_syslog {
// Send most of the named messages to syslog.
syslog local2;
severity debug;
};
channel audit_log {
// Send the security related messages to a separate file.
file "/var/named/named.log" versions 5 size 20m;
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
//include "/etc/bind/bind.keys";
include "/etc/bind/named.conf.options";
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1918
// zone "0.0.127.in-addr.arpa" {
// type master;
// file "localhost.rev";
// };
// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only
// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };
include "/etc/bind/named.conf.local";
named.conf.local
match-clients { hotspots; };
// recursion yes;
allow-recursion { hotspots; };
zone "." {
type hint;
file "/var/named/root.cache";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};
zone "hotspot.domain.com" IN {
type master;
file "named.redirect.hotspot";
};
zone "internet.domain.com" IN {
type slave;
file "slave/slave.internet.com";
masters {1.2.3.4;};
};
zone "ppg.domain.com" IN {
type slave;
file "slave/slave.ppg.com";
masters {1.2.3.4;};
};
};
view "external" {
match-clients { any; };
// recursion yes;
allow-recursion { recurseallow; };
// zone "example.com" {
// type master;
// file "externals/db.example.com";
// allow-transfer { slaves; };
// };
zone "." {
type hint;
file "/var/named/root.cache";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};
zone "domain.com" in {
type master;
file "domain.com.zone";
allow-transfer { 5.6.7.8; };
};
[...]
include "/var/named/reverse/named.conf.reverse";
};
named.conf.options
options {
pid-file "/var/run/bind/run/named.pid";
directory "/var/cache/bind";
auth-nxdomain no;
allow-recursion { none; };
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
query-source address * port 53;
dnssec-validation auto;
listen-on-v6 { any; };
};
syslog
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c481144d0 x.x.x.x#34752 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c4c0cb690 172.217.33.195#53951 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c50064bc0 82.148.111.5#41317 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c481144d0 62.28.40.174#57295 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c481144d0 x.x.x.x#34654 (x.x.x.x.in-addr.arpa): view external: query failed (zone not loaded) for x.x.x.x.in-addr.arpa/IN/PTR at query.c:5430
Aug 17 12:09:32 ns2 named[10169]: client @0x7f2c401962b0 162.13.174.235#60896 (x.x.x.x.in-addr.arpa): view external: query
named-checkzone
# named-checkzone domain.com named.1.2.3
zone domain.com/IN: NS 'ns1.domain.com' has no address records (A or AAAA)
zone domain.com/IN: NS 'ns2.domain.com' has no address records (A or AAAA)
zone domain.com/IN: not loaded due to errors.
# named-checkzone domain.com /var/named/domain.com.zone
/var/named/domain.com.zone:4: SOA record not at top of zone (domain.com.domain.com)
/var/named/domain.com.zone:218: TTL set to prior TTL (3600)
zone domain.com/IN: loading from master file /var/named/domain.com.zone failed: not at top of zone
zone domain.com/IN: not loaded due to errors.
/var/named/domain.com.zone
$TTL 86400
$ORIGIN domain.com
@ IN SOA ns1.domain.com. techs.domain.com. (
2021081702 ; serial, todays date + todays
1H ; refresh, seconds
2H ; retry, seconds
2W ; expire, seconds
1H ) ; minimum, seconds
;IN NS
@ IN NS ns1.domain.com.
IN NS ns4.domain.tld.
; IN NS dns-1.domain.com.
; For the IronPort devices
domain.com. IN A 1.2.3.4
ns1 IN A 5.6.7.8
Answer 1
Trailing dot missing in the zone file. The zone is loading now.
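As an added example (not part of the question, the answer, or BIND itself), the following Python script models the RFC 1035 master-file name rules that produce the "SOA record not at top of zone (domain.com.domain.com)" diagnostic shown in the named-checkzone output above. A name without a trailing dot is relative and gets the current origin appended; that applies to the argument of `$ORIGIN` itself, so `$ORIGIN domain.com` under the zone's default origin `domain.com.` becomes `domain.com.domain.com.` and `@` no longer sits at the apex. The script also reproduces the "NS ... has no address records" check from the first named-checkzone run. The two zone texts are constructed samples modelled on the poster's file, not the real one, and `domain.com` stands in for the real zone name as it does on the page.

```python
"""Model of the RFC 1035 master-file name rules behind the
'SOA record not at top of zone (domain.com.domain.com)' error.
Added example; not the poster's file and not BIND's own code."""

import re

# Constructed sample modelled on the question's zone file: the $ORIGIN
# line has no trailing dot, so it is a *relative* name.
BROKEN_ZONE = """\
$TTL 86400
$ORIGIN domain.com
@ IN SOA ns1.domain.com. techs.domain.com. (
        2021081702 ; serial
        1H         ; refresh
        2H         ; retry
        2W         ; expire
        1H )       ; minimum
@ IN NS ns1.domain.com.
  IN NS ns4.domain.tld.
domain.com. IN A 1.2.3.4
ns1 IN A 5.6.7.8
"""

# Same file with the trailing dot the answer refers to.
FIXED_ZONE = BROKEN_ZONE.replace("$ORIGIN domain.com\n", "$ORIGIN domain.com.\n")

_TTL = re.compile(r"\d+[smhdw]?", re.I)


def qualify(name: str, origin: str) -> str:
    """RFC 1035 section 5.1: '@' is the origin, a name ending in '.' is
    absolute, anything else is relative and has the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def _logical_lines(text: str):
    """Strip ';' comments, join parenthesised continuations, and report
    whether the first physical line was indented (owner name inherited)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            yield buf[0][:1].isspace(), tokens
            buf = []


def parse_zone(zone_name: str, text: str):
    """Return [(owner_fqdn, TYPE, rdata_tokens)] with all names qualified."""
    origin = zone_name.rstrip(".") + "."
    owner, rrs = None, []
    for inherits_owner, toks in _logical_lines(text):
        if toks[0] == "$ORIGIN":
            # A relative $ORIGIN is itself qualified against the current origin:
            # "$ORIGIN domain.com" under "domain.com." yields "domain.com.domain.com."
            origin = qualify(toks[1], origin)
            continue
        if toks[0].startswith("$"):  # $TTL and other directives
            continue
        if inherits_owner:
            if owner is None:
                raise ValueError("first record has no owner name")
        else:
            owner = qualify(toks[0], origin)
            toks = toks[1:]
        if toks and _TTL.fullmatch(toks[0]):  # optional per-record TTL
            toks = toks[1:]
        if toks and toks[0].upper() in ("IN", "CH", "HS"):  # optional class
            toks = toks[1:]
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "CNAME", "PTR", "SOA"):
            rdata[0] = qualify(rdata[0], origin)  # name-valued RDATA is relative too
        rrs.append((owner, rtype, rdata))
    return rrs


def check_zone(zone_name: str, text: str):
    """Reproduce the two named-checkzone diagnostics seen in the question."""
    apex = zone_name.rstrip(".") + "."
    rrs = parse_zone(zone_name, text)
    if not rrs or rrs[0][1] != "SOA" or rrs[0][0] != apex:
        shown = rrs[0][0].rstrip(".") if rrs else "(empty)"
        return [f"SOA record not at top of zone ({shown})"]  # named stops loading here
    with_addr = {o for o, t, _ in rrs if t in ("A", "AAAA")}
    errors = []
    for owner, rtype, rdata in rrs:
        # In-zone NS targets need glue; out-of-zone ones (ns4.domain.tld.) do not.
        if rtype == "NS" and owner == apex and rdata[0].endswith("." + apex):
            if rdata[0] not in with_addr:
                errors.append(f"NS '{rdata[0].rstrip('.')}' has no address records (A or AAAA)")
    return errors


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_zone("domain.com", zone) or "loads cleanly")
```

A zone that fails this check is not served at all, which is why the syslog lines above report "query failed (zone not loaded)" for every PTR lookup in the external view rather than NXDOMAIN for individual names; running named-checkzone on each file listed in named.conf.local and the included reverse configuration before reloading is the quickest way to catch this after an upgrade.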