bind9 fails on all .co domains, but only when dnssec validation is enabled

I run a DNS server on the LAN because I don't want an external point of failure for resolving a bunch of private subdomains that, in any case, don't need to be listed in public DNS.

I have set up a view so the server can resolve our domains or forward to our ISP's DNS servers.

It normally works fine, but at the moment it cannot reach any .co domain unless dnssec is disabled, which I don't think I should do.

I have updated /etc/bind/bind.keys

How do I debug why it fails? To me this looks like a problem with the NS data in the RRSIG records, or some other network failure on the nsX.cctld.co servers, but I have almost no idea how to resolve it.

# rndc validation check
DNSSEC validation is enabled (view privateservers)
# dig +trace do.co

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace do.co
;; global options: +cmd
.           77153   IN  NS  g.root-servers.net.
.           77153   IN  NS  a.root-servers.net.
.           77153   IN  NS  m.root-servers.net.
.           77153   IN  NS  h.root-servers.net.
.           77153   IN  NS  k.root-servers.net.
.           77153   IN  NS  j.root-servers.net.
.           77153   IN  NS  c.root-servers.net.
.           77153   IN  NS  b.root-servers.net.
.           77153   IN  NS  f.root-servers.net.
.           77153   IN  NS  d.root-servers.net.
.           77153   IN  NS  e.root-servers.net.
.           77153   IN  NS  l.root-servers.net.
.           77153   IN  NS  i.root-servers.net.
;; Received 239 bytes from 192.168.20.1#53(192.168.20.1) in 1 ms

co.         172800  IN  NS  ns1.cctld.co.
co.         172800  IN  NS  ns2.cctld.co.
co.         172800  IN  NS  ns3.cctld.co.
co.         172800  IN  NS  ns4.cctld.co.
co.         172800  IN  NS  ns5.cctld.co.
co.         172800  IN  NS  ns6.cctld.co.
co.         86400   IN  DS  21754 8 2 C30634014C0752DA93B0633ED4CE641B63826A5DED820027F4117CA0 C32050A0
co.         86400   IN  DS  21754 8 1 8B9B8FDA21B4CF6FC3E97A31FC0D77C1CB7E70EE
co.         86400   IN  DS  10384 8 1 DF157833AAD57F3561F3A47F178BA46E7E7183DC
co.         86400   IN  DS  10384 8 2 A76358B4C22E95C2C4A56DB8ADC923779E0829142D7C51B04E54769C 86407D70
co.         86400   IN  RRSIG   DS 8 1 86400 20170826170000 20170813160000 15768 . N8hBVmcw3geU/EqNR2fqWH2rd9v5cdGfZ44h5sxPmreta1SZPupsq3RV FN37fZfKuzcwN7Obe3eE6k3Mxn0KyzGY/cF4wnqCD7HWBrvfz50b1yxD REitHlhKt6ZqC/NPaa5NGa6tWyeKuhD/D3tc74rK95eVnfCWmTY1PFth QoB8IZJFw2UIO8bS9Zpd82im1wHP9PRRF8nWUFYd4rOI6LU6ahCsckij HngqmuLFvfsZeRXY/yAzImy1REbSqAon/RGCsckoeuXs4rLBq7QUxLeA W2GcmczUkxspQciGsK71WgFrRyl2o6NrvlsmTO9XHQ2OVccSp8Ee29FY ukm6wA==
couldn't get address for 'ns1.cctld.co': failure
couldn't get address for 'ns2.cctld.co': failure
couldn't get address for 'ns3.cctld.co': failure
couldn't get address for 'ns4.cctld.co': failure
couldn't get address for 'ns5.cctld.co': failure
couldn't get address for 'ns6.cctld.co': failure
dig: couldn't get address for 'ns1.cctld.co': no more

Then I disable validation and get the following:

# rndc validation off
# dig +trace do.co

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace do.co
;; global options: +cmd
.                       84407   IN      NS      m.root-servers.net.
.                       84407   IN      NS      g.root-servers.net.
.                       84407   IN      NS      a.root-servers.net.
.                       84407   IN      NS      k.root-servers.net.
.                       84407   IN      NS      i.root-servers.net.
.                       84407   IN      NS      b.root-servers.net.
.                       84407   IN      NS      l.root-servers.net.
.                       84407   IN      NS      f.root-servers.net.
.                       84407   IN      NS      d.root-servers.net.
.                       84407   IN      NS      j.root-servers.net.
.                       84407   IN      NS      c.root-servers.net.
.                       84407   IN      NS      h.root-servers.net.
.                       84407   IN      NS      e.root-servers.net.
;; Received 239 bytes from 192.168.20.1#53(192.168.20.1) in 1 ms

co.                     172800  IN      NS      ns1.cctld.co.
co.                     172800  IN      NS      ns2.cctld.co.
co.                     172800  IN      NS      ns3.cctld.co.
co.                     172800  IN      NS      ns4.cctld.co.
co.                     172800  IN      NS      ns5.cctld.co.
co.                     172800  IN      NS      ns6.cctld.co.
co.                     86400   IN      DS      10384 8 1 DF157833AAD57F3561F3A47F178BA46E7E7183DC
co.                     86400   IN      DS      10384 8 2 A76358B4C22E95C2C4A56DB8ADC923779E0829142D7C51B04E54769C 86407D70
co.                     86400   IN      DS      21754 8 1 8B9B8FDA21B4CF6FC3E97A31FC0D77C1CB7E70EE
co.                     86400   IN      DS      21754 8 2 C30634014C0752DA93B0633ED4CE641B63826A5DED820027F4117CA0 C32050A0
co.                     86400   IN      RRSIG   DS 8 1 86400 20170826170000 20170813160000 15768 . N8hBVmcw3geU/EqNR2fqWH2rd9v5cdGfZ44h5sxPmreta1SZPupsq3RV FN37fZfKuzcwN7Obe3eE6k3Mxn0KyzGY/cF4wnqCD7HWBrvfz50b1yxD REitHlhKt6ZqC/NPaa5NGa6tWyeKuhD/D3tc74rK95eVnfCWmTY1PFth QoB8IZJFw2UIO8bS9Zpd82im1wHP9PRRF8nWUFYd4rOI6LU6ahCsckij HngqmuLFvfsZeRXY/yAzImy1REbSqAon/RGCsckoeuXs4rLBq7QUxLeA W2GcmczUkxspQciGsK71WgFrRyl2o6NrvlsmTO9XHQ2OVccSp8Ee29FY ukm6wA==
;; Received 867 bytes from 192.5.5.241#53(f.root-servers.net) in 19 ms

do.co.                  7200    IN      NS      walt.ns.cloudflare.com.
do.co.                  7200    IN      NS      kim.ns.cloudflare.com.
131vnuv1malje6dnud9fsaqdrqcs5i91.co. 86400 IN NSEC3 1 1 1 F873A2F5 1356V3361NJ2BQROG5HKD76E66S04L02 NS SOA RRSIG DNSKEY NSEC3PARAM
131vnuv1malje6dnud9fsaqdrqcs5i91.co. 86400 IN RRSIG NSEC3 8 2 86400 20170821234143 20170722233946 63993 co. E8Sg+iSMx1zSNIfC7eDVbBE+TSIg4W58SDPqwXA04EjPlpdubb7cakdv bvwdjBdWpyb+No7SLByqKNnQN7BsYvvdmLsDpbAEGcQ+agXmUwImddDa 9J/2VkOiNkiKYgI174elEuitoWhQH6PVSwO6Nb1nBl4o9em0v9zGhbYA 2Jy6VLKWNYL6bh9CNSGJsl4NthISx9nBZKwBQ7vNnZ/mrQ==
pte00qfgi7b6087qivojmk9kqr2u6gka.co. 86400 IN NSEC3 1 1 1 F873A2F5 PTRFFSEIBU5MCNK4CRV8JFRTQ7QB3I0G NS DS RRSIG
pte00qfgi7b6087qivojmk9kqr2u6gka.co. 86400 IN RRSIG NSEC3 8 2 86400 20170827152341 20170728142341 63993 co. hSH7UQuVYYdfZdKjh8q98boxNOVaE/j8DlWVHcWT17Q3Zb5+m7xDJRQ9 42KaaIla3rZ6e7RYy1qXWh+6VFB5KRxv9ec2RAuYPNB/9XJe2IdlnsE4 t1IqGFo+O4ZY5mlj+QxMcLrx3FlM9ZzSzat9SlS6sSxv7w+0s/yuIMqv 3ZjXqjHYdDgshA+g71QjoSqS3jz0a/muAiznNfuc+Qclcw==
;; Received 643 bytes from 156.154.101.25#53(ns2.cctld.co) in 229 ms

do.co.                  300     IN      A       67.199.248.13
do.co.                  300     IN      A       67.199.248.12
;; Received 66 bytes from 173.245.59.148#53(walt.ns.cloudflare.com) in 27 ms
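As an added example (not from the original post and not BIND's own code), here is the check a validator performs at exactly the point where the trace above stops: do the DS records the root publishes for co. (copied from the dig output) match a DNSKEY in the co. zone? The DNSKEY set below is a constructed stand-in, because the post does not include `dig co. DNSKEY +dnssec` output; substituting the real RRset tells you whether the parent-to-child link is broken or whether the problem is reaching the nsX.cctld.co servers at all.

```python
import base64
import hashlib
import struct

# DS records for "co." as the asker's dig +trace shows them: (tag, alg, digest type, digest).
PAGE_DS = [
    (21754, 8, 2, "C30634014C0752DA93B0633ED4CE641B63826A5DED820027F4117CA0 C32050A0"),
    (21754, 8, 1, "8B9B8FDA21B4CF6FC3E97A31FC0D77C1CB7E70EE"),
    (10384, 8, 1, "DF157833AAD57F3561F3A47F178BA46E7E7183DC"),
    (10384, 8, 2, "A76358B4C22E95C2C4A56DB8ADC923779E0829142D7C51B04E54769C 86407D70"),
]
# Constructed stand-in for the child's DNSKEY RRset (flags, protocol, algorithm,
# base64 key); replace with the RRset returned by `dig co. DNSKEY +dnssec`.
CONSTRUCTED_KEYS = [(257, 3, 8, "AwEAAavN")]
DIGEST_ALG = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types

def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """Wire-format DNSKEY RDATA: the input to both the key tag and the DS digest."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Lower-cased, length-prefixed wire form of the owner name plus the root byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS digest = H(owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALG[digest_type](owner_wire(owner) + rdata).hexdigest().upper()

def match_ds_to_keys(owner, ds_records, dnskeys):
    """True per (key tag, digest type) when some child DNSKEY reproduces that DS."""
    report = {}
    for tag, alg, dtype, digest in ds_records:
        want = digest.replace(" ", "").upper()
        keys = [dnskey_rdata(f, p, a, k) for f, p, a, k in dnskeys if a == alg]
        report[(tag, dtype)] = any(
            key_tag(rd) == tag and ds_digest(owner, rd, dtype) == want for rd in keys)
    return report

if __name__ == "__main__":
    for (tag, dtype), ok in match_ds_to_keys("co.", PAGE_DS, CONSTRUCTED_KEYS).items():
        print(f"DS {tag}/{dtype}: {'matches a DNSKEY' if ok else 'no matching DNSKEY'}")
```

Querying the resolver with `dig +cd` separates the two cases: an answer with checking disabled and SERVFAIL without it means validation, not reachability, is what fails.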