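I have 3 DNS servers running BIND 9.9.4 (RHEL7), configured as 1 master and 2 slaves. Today I found that requesting the domain "desktop.telegram.org" causes SERVFAIL on all of these servers. Requests for other domains still work.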
# dig @127.0.0.1 desktop.telegram.org +trace
works fine.
Here is some debug output:
# rndc trace 9
# grep '127.0.0.1' /var/named/data/named.run
31-May-2017 15:41:25.683 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:25.684 client 127.0.0.1#56542: using view '_default'
31-May-2017 15:41:25.684 client 127.0.0.1#56542: request is not signed
31-May-2017 15:41:25.684 client 127.0.0.1#56542: recursion available
31-May-2017 15:41:25.684 client 127.0.0.1#56542: query
31-May-2017 15:41:25.684 client 127.0.0.1#56542 (desktop.telegram.org): query (cache) 'desktop.telegram.org/A/IN' approved
31-May-2017 15:41:25.684 client 127.0.0.1#56542 (desktop.telegram.org): replace
31-May-2017 15:41:30.684 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:30.684 client 127.0.0.1#56542: using view '_default'
31-May-2017 15:41:30.684 client 127.0.0.1#56542: request is not signed
31-May-2017 15:41:30.684 client 127.0.0.1#56542: recursion available
31-May-2017 15:41:30.684 client 127.0.0.1#56542: query
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): query (cache) 'desktop.telegram.org/A/IN' approved
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): replace
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): next
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): request failed: duplicate query
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): endrequest
31-May-2017 15:41:35.684 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:35.684 client 127.0.0.1#56542: using view '_default'
31-May-2017 15:41:35.684 client 127.0.0.1#56542: request is not signed
31-May-2017 15:41:35.684 client 127.0.0.1#56542: recursion available
31-May-2017 15:41:35.684 client 127.0.0.1#56542: query
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): query (cache) 'desktop.telegram.org/A/IN' approved
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): replace
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): next
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): request failed: duplicate query
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): endrequest
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): query failed (SERVFAIL) for desktop.telegram.org/IN/A at query.c:7003
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): error
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): send
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): sendto
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): senddone
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): next
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): endrequest
named.conf:
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
version "none";
allow-recursion{ 127.0.0.1; my.internal.dns.server.ip1; my.internal.dns.server.ip2; };
dnssec-enable yes;
dnssec-validation auto;
notify no;
allow-transfer { none; };
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
print-time yes;
};
};
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
zone "." IN {
type hint;
file "/var/named/named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "mydomain.com" {
type slave;
file "mydomain.com";
masters { master.server.ip; };
};
zone ... (my domains)
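UPD: After restarting the daemon, the problem disappeared. I did not restart the daemon on one of the servers, so that the problem can be reproduced if necessary.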
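
An added example, not part of the original post: a short Python script that reads named debug lines in the format shown above and reports, for each query that ended in SERVFAIL, how many client retries were dropped as "duplicate query" and how long passed since that client's first request. The function name summarize and the abbreviated log excerpt are this example's own.

```python
import re
from datetime import datetime

# Abbreviated excerpt of the named.run debug lines shown in the post above.
SAMPLE = """\
31-May-2017 15:41:25.683 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:25.684 client 127.0.0.1#56542 (desktop.telegram.org): query (cache) 'desktop.telegram.org/A/IN' approved
31-May-2017 15:41:30.684 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:30.684 client 127.0.0.1#56542 (desktop.telegram.org): request failed: duplicate query
31-May-2017 15:41:35.684 client 127.0.0.1#56542: UDP request
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): request failed: duplicate query
31-May-2017 15:41:35.684 client 127.0.0.1#56542 (desktop.telegram.org): query failed (SERVFAIL) for desktop.telegram.org/IN/A at query.c:7003
"""

# timestamp, "client addr#port", optional "(qname)", then the message text
LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>\S+?)(?: \((?P<qname>[^)]+)\))?: (?P<msg>.*)$"
)

def summarize(log_text):
    """Return {(client, qname): stats} for every query that ended in SERVFAIL."""
    first_seen = {}  # client -> time of its first request in the current attempt
    dupes = {}       # (client, qname) -> retries dropped as "duplicate query"
    result = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a per-client debug line
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        client, qname, msg = m["client"], m["qname"], m["msg"]
        if qname is None and msg in ("UDP request", "TCP request"):
            first_seen.setdefault(client, ts)
        elif msg == "request failed: duplicate query":
            dupes[(client, qname)] = dupes.get((client, qname), 0) + 1
        elif msg.startswith("query failed (SERVFAIL)"):
            start = first_seen.pop(client, ts)
            result[(client, qname)] = {
                "duplicates_dropped": dupes.pop((client, qname), 0),
                "seconds_to_servfail": round((ts - start).total_seconds(), 3),
            }
    return result

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```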