Dynamic DNS with Bind9 and BIND_DLZ won't start?


I have a box running Samba as an Active Directory domain controller, using BIND_DLZ as the backend.

On top of that, I am running a secondary box that is also configured as an Active Directory domain controller with BIND_DLZ as the backend, for redundancy.

IP addresses are assigned by an ISC DHCP server, which is able to update DNS resource records using a cryptographic key (TSIG).

Anyway: on to my problem.

This is my current setup.

named.conf.options:

options 
{
     directory "/var/cache/bind";

     forwarders {
            2001:4860:4860::8888;
            2001:4860:4860::8844;
            8.8.8.8;
            8.8.4.4;
     };

     auth-nxdomain no;    # conform to RFC1035
     listen-on-v6 { any; };

     listen-on port 53 { 192.168.1.240; };
     listen-on port 5353 { 127.0.0.1; }; # <-- Used for Netflix IPv6 filter only.

     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
     minimal-responses yes;
     recursion yes;
};

acl "home-net"
{
    127.0.0.1;
    192.168.1.0/24;
    2001:db8:cafe:beef::/56; # <-- I am using a IPv6 range from Tunnelbroker in real life.
};

view "normal"
{
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.internal";

    # Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.
    include "/etc/bind/netflix-ipv6-blackhole.conf";  

    match-clients
    {
        home-net; # <-- Only respond to queries originating from my own network.
    };

    dnssec-enable yes;
    dnssec-validation auto;

    allow-query { any; };
    allow-query-cache { home-net; };
    allow-recursion { home-net; };

    forwarders {
      8.8.8.8;
      8.8.4.4;
      2001:4860:4860::8888;
      2001:4860:4860::8844;
   };
};

named.conf.internal:

zone "1.168.192.in-addr.arpa"
{
    type master;
    file "/etc/bind/db.192.168.1.rev";
    notify yes;

    allow-query { any; };
    allow-transfer { xfer; };

    # If allow-update is enabled instead of the include named.conf.update line,
    # then Dynamic DNS works fine because ISC DHCP can update the resource records.
    #
    # Sadly you can't have both lines enabled. It is either / or.

    // allow-update { key ddns-key; };

    include "/var/lib/samba/bind-dns/named.conf.update"; # <-- Having issues with THIS line only.
};

include "/var/lib/samba/bind-dns/named.conf";

/var/lib/samba/bind-dns/named.conf:

dlz "AD DNS Zone" {
    # For BIND 9.11.x
    database "dlopen /usr/lib/arm-linux-gnueabihf/samba/bind9/dlz_bind9_11.so";
};

/var/lib/samba/bind-dns/named.conf.update:

/* this file is auto-generated - do not edit */
update-policy {
        grant EXAMPLE.COM ms-self * A AAAA;
        grant [email protected] wildcard * A AAAA SRV CNAME;

        # Main Active Directory Domain Controller
        grant [email protected] wildcard * A AAAA SRV CNAME;

        # Backup Active Directory Domain Controller
        grant [email protected] wildcard * A AAAA SRV CNAME;
};

If I try to start bind with this configuration, I get a rather strange error that I cannot figure out:

/var/lib/samba/bind-dns/named.conf.update:3: name field not set to placeholder value '.'

Can anyone tell me what is wrong with named.conf.update?
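As an added example (not part of the question or the answer), the following Python script reads a `named.conf.update`-style file and reports the two things worth reviewing in it: rules of the self-type kinds whose name field is not the `.` placeholder (named rejects these with exactly the error quoted above; in the file shown in the question, line 3 is the `ms-self` rule), and `wildcard *` grants, which allow the named identity to update any name in the zone for the listed record types and therefore deserve a least-privilege look. The set of rule types that require the placeholder (`ms-self`, `ms-selfsub`, `krb5-self`, `krb5-selfsub`) is an assumption taken from my reading of the BIND 9.11 update-policy documentation, not something stated on this page, and the sample policy with identities such as `dhcp-key@EXAMPLE.COM` and `DC1$@EXAMPLE.COM` is constructed.

```python
import re

# Rule types whose updatable name is derived from the identity; BIND expects
# the name field of these rules to be the placeholder "." (ASSUMPTION: list
# taken from my reading of the BIND 9.11 update-policy documentation).
PLACEHOLDER_NAME_TYPES = {"ms-self", "ms-selfsub", "krb5-self", "krb5-selfsub"}

# grant|deny <identity> <nametype> <name> [rrtypes...] ;
GRANT_RE = re.compile(r"^\s*(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s*([^;]*?)\s*;")

PLACEHOLDER_MSG = "name field not set to placeholder value '.'"


def strip_comments(text):
    """Remove C, C++ and shell style comments while keeping line numbers intact."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    return re.sub(r"(//|#).*$", "", text, flags=re.M)


def parse_update_policy(text):
    """Return (lineno, permission, identity, nametype, name, [rrtypes]) per rule."""
    rules = []
    for lineno, line in enumerate(strip_comments(text).splitlines(), start=1):
        m = GRANT_RE.match(line)
        if m:
            perm, identity, nametype, name, rrtypes = m.groups()
            rules.append((lineno, perm, identity, nametype, name, rrtypes.split()))
    return rules


def check_update_policy(text):
    """Report named's placeholder check plus any broad wildcard grants."""
    findings = []
    for lineno, perm, identity, nametype, name, rrtypes in parse_update_policy(text):
        if nametype in PLACEHOLDER_NAME_TYPES and name != ".":
            findings.append((lineno, PLACEHOLDER_MSG))
        # A "wildcard *" grant lets this identity update every name in the zone
        # for the listed RR types: worth confirming that is really intended.
        if perm == "grant" and nametype == "wildcard" and name == "*":
            findings.append((lineno, f"{identity} may update ANY name ({' '.join(rrtypes)})"))
    return findings


def fix_placeholder_names(text):
    """Rewrite the name field of self-type rules to '.', leaving everything else as is."""
    out = []
    for line in text.splitlines():
        m = GRANT_RE.match(line)
        if m and m.group(3) in PLACEHOLDER_NAME_TYPES and m.group(4) != ".":
            perm, identity, nametype, _, rrtypes = m.groups()
            indent = line[: len(line) - len(line.lstrip())]
            line = f"{indent}{perm} {identity} {nametype} . {rrtypes};"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample policy, shaped like the auto-generated file in the question.
SAMPLE = """\
/* this file is auto-generated - do not edit */
update-policy {
        grant EXAMPLE.COM ms-self * A AAAA;
        grant dhcp-key@EXAMPLE.COM wildcard * A AAAA SRV CNAME;
        # Main Active Directory Domain Controller
        grant DC1$@EXAMPLE.COM wildcard * A AAAA SRV CNAME;
};
"""

if __name__ == "__main__":
    for lineno, msg in check_update_policy(SAMPLE):
        print(f"named.conf.update:{lineno}: {msg}")
    print(fix_placeholder_names(SAMPLE))
```

Run it against a copy of the real file (read the file into `SAMPLE`'s place) before restarting named; the first finding reproduces the startup error line for line, and the remaining findings are the grants you should be able to justify for each identity.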

Answer 1

OK, you have two Samba AD DCs using Bind9 as the DNS server, and you are having problems with DNS; I wonder if this is to do with your Bind files being wrong?

A major problem is that you have the reverse zone in a flat file, which is not allowed; you need to create it in AD, which you can do with samba-tool. You also cannot use "views".

Try these bind9 conf files:

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {

directory "/var/cache/bind";
notify no;
empty-zones-enable no;
allow-query { 127.0.0.1; 192.168.1.0/24; };
allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
forwarders {
        2001:4860:4860::8888;
        2001:4860:4860::8844;
        8.8.8.8;
        8.8.4.4;
};
allow-transfer { none; };
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
listen-on-v6 { any; };
listen-on port 53 { 192.168.1.240; };
listen-on port 53 { 192.168.1.240; 127.0.0.1; };
listen-on port 5353 { 127.0.0.1; }; # <-- Used for Netflix IPv6 filter only.

tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;

};

/etc/bind/named.conf.local

include "/var/lib/samba/bind-dns/named.conf";

// Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.

include "/etc/bind/netflix-ipv6-blackhole.conf";

If you backed up /var/lib/samba/bind-dns/named.conf.update, restore it from the backup. If not, change it to:

/* this file is auto-generated - do not edit */
update-policy {

grant EXAMPLE.COM ms-self * A AAAA;
grant [email protected] wildcard * A AAAA SRV CNAME;
grant [email protected] wildcard * A AAAA SRV CNAME;
grant [email protected] wildcard * A AAAA SRV CNAME;

};
