BIND recursion cannot resolve certain domains

I have a recursive caching BIND/named setup that refuses to resolve certain domains. I see these errors in the log file:

Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
Dec 22 11:53:02 router2.lan named[301]: SERVFAIL unexpected RCODE resolving 'www.sawmill.net/A/IN': 63.249.66.124#53
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: SERVFAIL unexpected RCODE resolving 'www.sawmill.net/AAAA/IN': 63.249.66.124#53
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'

(The domain is not mine.)
Google's 8.8.8.8 resolves the domain correctly.

Here is my named.conf:

options {
    directory "/var/named";
    pid-file "/run/named/named.pid";

    listen-on-v6 { any; };

    dnssec-validation auto;
    auth-nxdomain no;
    allow-query {
        any;
    };

    recursion yes;
    allow-recursion {
        any;
    };
    allow-transfer { none; };
    allow-update { none; };


    version none;
    hostname none;
    server-id none;

    max-cache-size 16M;
    max-ncache-ttl 3600;
};

and the BIND version:
BIND 9.11.0-P1

Does anyone know why this happens?

By the way, the server is behind a firewall, so allowing recursion from all sources does no harm.
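Triage of a log like the one above is easier when the "skipping nameserver ... because it is a CNAME" and "SERVFAIL unexpected RCODE" messages are grouped by the name being resolved, so that each broken delegation shows up once together with the offending nameservers. The Python below is an added example, not code from the question or from BIND; the sample log text is constructed, modelled on the lines posted above, and the regular expressions assume the default named log format shown there.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the named log lines in the question.
# The last line is an unrelated query log entry and must be ignored.
SAMPLE_LOG = """\
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/AAAA'
Dec 22 11:53:02 router2.lan named[301]: SERVFAIL unexpected RCODE resolving 'www.sawmill.net/A/IN': 63.249.66.124#53
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: client 192.0.2.10#5353: query: example.com IN A
"""

# "skipping nameserver '<ns>' because it is a CNAME, while resolving '<qname>/<qtype>'"
SKIP_RE = re.compile(
    r"named\[\d+\]: skipping nameserver '(?P<ns>[^']+)' because it is a CNAME, "
    r"while resolving '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)'"
)
# "SERVFAIL unexpected RCODE resolving '<qname>/<qtype>/IN': <server>#<port>"
SERVFAIL_RE = re.compile(
    r"named\[\d+\]: SERVFAIL unexpected RCODE resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>[0-9a-fA-F.:]+)#\d+"
)


def summarize_resolution_failures(log_text):
    """Group named resolver complaints by the name being resolved.

    Returns {qname: {"cname_ns": [...], "servfail_from": [...]}} where
    cname_ns lists nameservers BIND skipped because their NS target is a
    CNAME, and servfail_from lists servers that answered with SERVFAIL.
    Lines that match neither pattern are ignored.
    """
    report = defaultdict(lambda: {"cname_ns": set(), "servfail_from": set()})
    for line in log_text.splitlines():
        m = SKIP_RE.search(line)
        if m:
            report[m["qname"]]["cname_ns"].add(m["ns"])
            continue
        m = SERVFAIL_RE.search(line)
        if m:
            report[m["qname"]]["servfail_from"].add(m["server"])
    # Sorted lists make the report stable and easy to diff between runs.
    return {q: {k: sorted(v) for k, v in d.items()} for q, d in report.items()}


if __name__ == "__main__":
    for qname, detail in summarize_resolution_failures(SAMPLE_LOG).items():
        print(f"{qname}:")
        print(f"  NS skipped (CNAME target): {', '.join(detail['cname_ns']) or '-'}")
        print(f"  SERVFAIL from:             {', '.join(detail['servfail_from']) or '-'}")
```

Run it against `journalctl -u named` output or the named log file; every name that appears with a non-empty `cname_ns` list is a delegation the zone owner has to fix, which is the point the accepted answer makes, and one the resolver operator cannot fix locally.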

Answer 1

The key to the problem is in these two messages:

Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns0.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'
Dec 22 11:53:02 router2.lan named[301]: skipping nameserver 'ns1.flowerfire.com' because it is a CNAME, while resolving 'www.sawmill.net/A'

BIND is very strict about enforcing RFC 1034's requirement that NS records "should always" point to the primary name and not an alias. Some nameserver software may choose to work around the brain damage, but they should be viewed as the exception, not the rule.

BIND initially chases the glue records provided by the net. TLD, but when the records need to be refreshed, the NS records are evicted from the cache once the CNAME is encountered.

Side note: these sawmill.net nameservers are pretty terrible overall. NS records pointing to CNAME aliases, NS records missing from the glue, four NS records with duplicate IPs that really only point to two, one nameserver returning an unexpected rcode, and adjacent IP addresses that ignore BCP 16. Yikes.
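The defects listed in the answer (NS targets that are CNAMEs, in-bailiwick NS names without glue, several NS names sharing one address, all addresses in one subnet) are all checkable before a delegation goes live. The Python below is an added example, not code from the answer or from BIND: it runs those checks over a constructed record set that stands in for what a resolver learns about a delegation. The zone, names and addresses are placeholders from RFC 2606/RFC 5737 ranges, not data about any real zone; the "/24" used as the diversity test is an assumption, since BCP 16 (RFC 2182) asks for dispersed placement without naming a prefix length.

```python
import ipaddress

# Constructed delegation data (placeholders, not a real zone):
#   ns:     the NS RRset for the zone as published at the parent
#   glue:   address glue the parent hands out for in-bailiwick NS names
#   rrsets: what each NS target name itself resolves to
DELEGATION = {
    "zone": "example.net.",
    "ns": ["ns0.example.com.", "ns1.example.com.", "ns2.example.net.", "ns3.example.net."],
    "glue": {"ns2.example.net.": "192.0.2.53"},
    "rrsets": {
        "ns0.example.com.": {"CNAME": ["host-a.example.org."]},   # alias: violates RFC 1034
        "host-a.example.org.": {"A": ["198.51.100.10"]},
        "ns1.example.com.": {"A": ["192.0.2.53"]},                # same address as ns2
        "ns2.example.net.": {"A": ["192.0.2.53"]},
        "ns3.example.net.": {"A": ["192.0.2.54"]},                # in-bailiwick, no glue
    },
}


def in_bailiwick(name, zone):
    """True when name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def check_delegation(d):
    """Return a list of (severity, message) findings for one delegation.

    Checks performed:
      - NS target is a CNAME: RFC 1034 s3.6.2 forbids it and a strict
        resolver such as BIND will skip that server entirely
      - in-bailiwick NS target has no glue at the parent: unresolvable
        without a circular dependency
      - several NS names resolve to one address: no real redundancy
      - every usable address sits in the same /24 (assumed threshold):
        no topological diversity, contrary to BCP 16
    """
    findings = []
    zone = d["zone"]
    addrs = {}  # address -> list of NS names using it
    for ns in d["ns"]:
        rr = d["rrsets"].get(ns, {})
        if "CNAME" in rr:
            findings.append(("error", f"NS {ns} is a CNAME -> {rr['CNAME'][0]} (RFC 1034 3.6.2)"))
            continue  # a strict resolver never uses this server, so stop evaluating it
        if in_bailiwick(ns, zone) and ns not in d["glue"]:
            findings.append(("error", f"NS {ns} is in-bailiwick but has no glue at the parent"))
        for a in rr.get("A", []):
            addrs.setdefault(a, []).append(ns)
    for a, names in addrs.items():
        if len(names) > 1:
            findings.append(("warn", f"{len(names)} NS names share address {a}: {', '.join(names)}"))
    nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}
    if len(addrs) > 1 and len(nets) == 1:
        findings.append(("warn", f"all usable nameservers sit in {next(iter(nets))} (BCP 16 asks for dispersed placement)"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_delegation(DELEGATION):
        print(f"[{severity}] {msg}")
```

To apply this to a live zone, fill the same structure from `dig +norecurse` answers against the parent and child servers; the checks themselves stay offline and deterministic, which makes them easy to run in a pre-deployment pipeline for zones you operate.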
