I have a recursive, caching BIND/named setup that refuses to resolve certain domains. I see these errors in the log file:
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
Dec 22 11:53:02 router2.lan named[301]: SERVFAIL unexpected RCODE resolving 'www.sawmill.net/A/IN': 63.249.66.124#53
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: SERVFAIL unexpected RCODE resolving 'www.sawmill.net/AAAA/IN': 63.249.66.124#53
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
(The domain is not mine.)
Google's 8.8.8.8 resolves the domain correctly.
Here is my named.conf:
options {
directory "/var/named";
pid-file "/run/named/named.pid";
listen-on-v6 { any; };
dnssec-validation auto;
auth-nxdomain no;
allow-query {
any;
};
recursion yes;
allow-recursion {
any;
};
allow-transfer { none; };
allow-update { none; };
version none;
hostname none;
server-id none;
max-cache-size 16M;
max-ncache-ttl 3600;
};
And the BIND version:
BIND 9.11.0-P1
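Does anyone know why this happens?
By the way, the server is firewalled, so allowing recursion from all sources does no harm.
Answer 1
The key to the problem lies in these two messages: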
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
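BIND very strictly enforces the RFC 1034 rule that NS records "should always" point to the primary name and not to an alias. Some nameserver software may choose to work around the brain damage, but that should be considered the exception, not the rule.
BIND will initially chase the glue records provided by the net. TLD, but when the NS records need to be refreshed, they are evicted from the cache if a CNAME is encountered.
Side note: these sawmill.net nameservers are pretty bad overall. NS records that point at CNAME aliases, NS records missing from the glue, four NS records that duplicate IPs and really only point at two, a nameserver that returns an unexpected rcode, and adjacent IP addresses that ignore BCP 16. Yikes.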
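The two message types discussed above can be extracted from a named log and grouped per queried name, which makes a delegation that points NS records at CNAMEs easy to spot. This is an added example, not part of the original question or answer; the log lines are copied from the question, and the function name `summarize` is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Log lines copied from the question above (named syslog output).
SAMPLE_LOG = """\
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
Dec 22 11:53:02 router2.lan named[301]: SERVFAIL unexpected RCODE resolving 'www.sawmill.net/A/IN': 63.249.66.124#53
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
"""

# NS target that is an alias: the condition the answer attributes to RFC 1034.
CNAME_NS = re.compile(
    r"skipping nameserver '(?P<ns>[^']+)' because it is a CNAME, "
    r"while resolving '(?P<qname>[^'/]+)/(?P<qtype>[A-Z0-9]+)'")
# Upstream server that answered with an unexpected response code.
BAD_RCODE = re.compile(
    r"(?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^'/]+)/(?P<qtype>[A-Z0-9]+)/IN': "
    r"(?P<server>[0-9A-Fa-f.:]+)#\d+")

def summarize(log_text):
    """Group resolver complaints by queried name.

    Returns {qname: {"cname_ns": {ns, ...}, "bad_rcode": {(server, rcode), ...}}}.
    """
    report = defaultdict(lambda: {"cname_ns": set(), "bad_rcode": set()})
    for line in log_text.splitlines():
        m = CNAME_NS.search(line)
        if m:
            report[m["qname"]]["cname_ns"].add(m["ns"])
            continue
        m = BAD_RCODE.search(line)
        if m:
            report[m["qname"]]["bad_rcode"].add((m["server"], m["rcode"]))
    return dict(report)

if __name__ == "__main__":
    for qname, info in summarize(SAMPLE_LOG).items():
        print(qname)
        for ns in sorted(info["cname_ns"]):
            print(f"  NS target is a CNAME: {ns}")
        for server, rcode in sorted(info["bad_rcode"]):
            print(f"  {server} answered {rcode}")
```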