我在 Debian Lenny 上设置了一个使用 bind9 的域,作为我的 DNS 托管提供商服务器的从属。我认为具体情况无关紧要,但我已允许在我的注册商/DNS 主机的 Web 界面上将数据转移到我的服务器的 IP。这是我的 /etc/bind/named.conf.local 中的:
zone "wanners.net" in{
type slave;
file "/etc/bind/zones/slave.wanners.net.db";
masters {64.68.200.91;};
};
并在所述路径处有一个空文件。启动 bind9 后,我在 /etc/log/syslog 中看到以下内容:
Jan 23 22:09:46 wanners named[14828]: starting BIND 9.6-ESV-R3 -u bind
Jan 23 22:09:46 wanners named[14828]: built with '--prefix=/usr' '--build=arm-linux-gnueabi' '--host=arm-linux-gnueabi' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var/run/bind' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--enable-ipv6' 'build_alias=arm-linux-gnueabi' 'host_alias=arm-linux-gnueabi' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -DNS_RUN_PID_DIR=0 -O2' 'LDFLAGS=' 'CPPFLAGS='
Jan 23 22:09:46 wanners named[14828]: adjusted limit on open files from 1024 to 1048576
Jan 23 22:09:46 wanners named[14828]: found 1 CPU, using 1 worker thread
Jan 23 22:09:46 wanners named[14828]: using up to 4096 sockets
Jan 23 22:09:46 wanners named[14828]: loading configuration from '/etc/bind/named.conf'
Jan 23 22:09:46 wanners named[14828]: using default UDP/IPv4 port range: [1024, 65535]
Jan 23 22:09:46 wanners named[14828]: using default UDP/IPv6 port range: [1024, 65535]
Jan 23 22:09:46 wanners named[14828]: listening on IPv6 interfaces, port 53
Jan 23 22:09:46 wanners named[14828]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 23 22:09:46 wanners named[14828]: listening on IPv4 interface eth0, 192.168.1.1#53
Jan 23 22:09:46 wanners named[14828]: listening on IPv4 interface eth1, 68.226.67.198#53
Jan 23 22:09:46 wanners named[14828]: listening on IPv4 interface tun0, 10.8.0.1#53
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: D.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 8.E.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: A.E.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: automatic empty zone: B.E.F.IP6.ARPA
Jan 23 22:09:46 wanners named[14828]: command channel listening on 127.0.0.1#953
Jan 23 22:09:46 wanners named[14828]: command channel listening on ::1#953
Jan 23 22:09:46 wanners named[14828]: zone 0.in-addr.arpa/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone 127.in-addr.arpa/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone 1.168.192.in-addr.arpa/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone 255.in-addr.arpa/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone lo/IN: loaded serial 1
Jan 23 22:09:46 wanners named[14828]: zone localhost/IN: loaded serial 2
Jan 23 22:09:46 wanners named[14828]: zone wanners.net/IN: has 0 SOA records
Jan 23 22:09:46 wanners named[14828]: zone wanners.net/IN: has no NS records
Jan 23 22:09:46 wanners named[14828]: running
Jan 23 22:09:46 wanners named[14828]: zone wanners.net/IN: Transfer started.
Jan 23 22:09:46 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: connected using 68.226.67.198#51368
Jan 23 22:09:46 wanners named[14828]: dumping master file: /etc/bind/zones/tmp-dysZfOWkDE: open: permission denied
Jan 23 22:09:46 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: failed while receiving responses: permission denied
Jan 23 22:09:46 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: Transfer completed: 0 messages, 13 records, 0 bytes, 0.130 secs (0 bytes/sec)
[snip cronjobs]
Jan 23 22:10:45 wanners named[14828]: zone wanners.net/IN: Transfer started.
Jan 23 22:10:45 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: connected using 68.226.67.198#42435
Jan 23 22:10:45 wanners named[14828]: dumping master file: /etc/bind/zones/tmp-lWrePAOaFH: open: permission denied
Jan 23 22:10:45 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: failed while receiving responses: permission denied
Jan 23 22:10:45 wanners named[14828]: transfer of 'wanners.net/IN' from 64.68.200.91#53: Transfer completed: 0 messages, 13 records, 0 bytes, 0.107 secs (0 bytes/sec)
因此,它可以很好地获取记录,甚至可以刷新记录;只是没有回答有关它们的查询。这是为什么?我应该怎么做才能解决这个问题?下面是证明这一点的挖掘:
marcus@wanners ~ $ dig -6 wanners.net
; <<>> DiG 9.6-ESV-R3 <<>> -6 wanners.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;wanners.net. IN A
;; Query time: 2 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Jan 23 22:18:46 2011
;; MSG SIZE rcvd: 29
[我在测试中使用 IPv6,因为服务器将在 IPv6 上提供服务。对于 wanners.net 或子域下的任何记录,结果都是相同的,即使从站外查询也是如此]
答案1
将 /etc/bind/zones/ 文件夹的所有权更改为 BIND 用户的所有权。Bind 无法写入该目录。
1 月 23 日 22:09:46 wanners 命名[14828]: 从 64.68.200.91#53 传输 'wanners.net/IN': 使用 68.226.67.198#51368 连接
1 月 23 日 22:09:46 wanners 命名 [14828]: 转储主文件:/etc/bind/zones/tmp-dysZfOWkDE:打开:权限被拒绝
1 月 23 日 22:09:46 wanners 命名 [14828]: 从 64.68.200.91#53 传输“wanners.net/IN”: 接收响应时失败:权限被拒绝
答案2
就我而言,所有权限都是正确的,我甚至对目录执行了 restorecon,但它仅在 selinux 允许或禁用时才会起作用。
我从中找到的解决方案错误码 545128曾是
setsebool -P named_write_master_zones=1
答案3
更改权限虽然有效,但并不是解决此问题的最佳方法。
该问题是由文件语句中的绝对路径引起的....
file "/etc/bind/zones/slave.wanners.net.db";
将其更改为基本文件名
file "slave.wanners.net.db";
然后 bind 会将文件写入 /var/cache/bind ,那里有正确的权限,也是存储临时文件和工作文件的地方。
完整内容请参见https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=209022