I have two bind9 DNS servers configured behind a load balancer. For two weeks now, neither of them has been able to resolve any .pl domain.
root@arc01:/etc/bind# dig www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> www.google.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64571
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.pl. IN A
;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 31 16:06:39 CEST 2021
;; MSG SIZE rcvd: 42
All other TLDs (about 10 tested) work fine.
It looks like the server has a problem contacting the Polish root name servers:
root@arc01:/etc/bind# dig +trace +dnssec -4 www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> +trace +dnssec -4 www.google.pl
;; global options: +cmd
. 515765 IN NS m.root-servers.net.
. 515765 IN NS e.root-servers.net.
. 515765 IN NS b.root-servers.net.
. 515765 IN NS i.root-servers.net.
. 515765 IN NS l.root-servers.net.
. 515765 IN NS g.root-servers.net.
. 515765 IN NS c.root-servers.net.
. 515765 IN NS d.root-servers.net.
. 515765 IN NS k.root-servers.net.
. 515765 IN NS j.root-servers.net.
. 515765 IN NS h.root-servers.net.
. 515765 IN NS a.root-servers.net.
. 515765 IN NS f.root-servers.net.
. 518377 IN RRSIG NS 8 0 518400 20210613050000 20210531040000 14631 . bGi7CZJIdWLRScZDRv7wJ1ea7bQYNDph0Bfax9HgfaKjKsMQtxEKIUP2 gGOWuxgt1rfnkvLsaMsfNhYpTvdzjEuMpQoBtC02ORAjBNSJp6sN570f fqEADaCX+Ff6nTCI0BwfV+zf3pI+1YZ0r+GC7JEGdvy35F3HiKpDdF/P kUfuiiq0dgCDg2F8kXsS9HVaBT+M/kkvZa/5mI7mrC0WBr1ydux8QNNC eLNPLjrMyIoQTiTq0bwDk6neOsULJu7Ukwj/qscDmbmZtREU9OuxbV/y Apkfupa6Fej7gFJOk5vJ+NmzAZdvSHGMjMMgknsCXcbBc2VWQegHvRwv 4qQV/w==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
pl. 172800 IN NS a-dns.pl.
pl. 172800 IN NS b-dns.pl.
pl. 172800 IN NS d-dns.pl.
pl. 172800 IN NS e-dns.pl.
pl. 172800 IN NS f-dns.pl.
pl. 172800 IN NS g-dns.pl.
pl. 172800 IN NS h-dns.pl.
pl. 172800 IN NS i-dns.pl.
pl. 86400 IN DS 51352 8 2 C4282918DE616A9E3BFFEC1F0652A41CF73DB7EF7F5785DB7359E9E5 9D40048C
pl. 86400 IN RRSIG DS 8 1 86400 20210613050000 20210531040000 14631 . URLj955qcr6Knn4L6U9AqIPEhWkN+2DyNZ1m24CUjxg/g5jwtREuQAMo r5LLK0cyrwTtFX4lEzr8DkOl11upGd7jyg7Wkydg6UWxC5VkFjcIsaOG X3kJlZ1cHvkOL9GE0XUPyKk1jyhDAvziYNvljiGtuBmZktY+nS4Mowg3 zNZirsj9TARfhhbYrL4zvZu11kew6J6z6TxU3BCD3/1SEhIPY+hlKjAl ka22+F/e1eQnSybx3RAK2peDj+LbmfwObF2+qsW2EVJEqlcM1ixxQqtw 9h8X8eQ8AtbqRGF4Ms0QyAkMgWk7hRdsPAOk79goySjrUBw6baaUYA0j EZAWcQ==
dig: couldn't get address for 'a-dns.pl': no more
But if I try asking a-dns.pl directly, it works:
root@arc01:/etc/bind# dig @m.root-servers.net a-dns.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> @m.root-servers.net dns-a.pl
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55853
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 16
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns-a.pl. IN A
;; AUTHORITY SECTION:
pl. 172800 IN NS i-dns.pl.
pl. 172800 IN NS a-dns.pl.
pl. 172800 IN NS b-dns.pl.
pl. 172800 IN NS g-dns.pl.
pl. 172800 IN NS h-dns.pl.
pl. 172800 IN NS f-dns.pl.
pl. 172800 IN NS e-dns.pl.
pl. 172800 IN NS d-dns.pl.
;; ADDITIONAL SECTION:
a-dns.pl. 172800 IN A 194.181.87.156
b-dns.pl. 172800 IN A 192.195.72.53
d-dns.pl. 172800 IN A 185.159.197.48
e-dns.pl. 172800 IN A 46.28.245.82
f-dns.pl. 172800 IN A 194.0.25.29
g-dns.pl. 172800 IN A 149.156.1.252
h-dns.pl. 172800 IN A 185.159.198.48
i-dns.pl. 172800 IN A 156.154.100.15
a-dns.pl. 172800 IN AAAA 2001:a10:121:1::156
b-dns.pl. 172800 IN AAAA 2001:7f9:c::53
d-dns.pl. 172800 IN AAAA 2620:10a:80aa::48
f-dns.pl. 172800 IN AAAA 2001:678:20::29
g-dns.pl. 172800 IN AAAA 2001:6d8:1001:1::252
h-dns.pl. 172800 IN AAAA 2620:10a:80ab::48
i-dns.pl. 172800 IN AAAA 2001:502:2eda::15
;; Query time: 15 msec
;; SERVER: 202.12.27.33#53(202.12.27.33)
;; WHEN: Mon May 31 16:11:10 CEST 2021
;; MSG SIZE rcvd: 521
root@arc01:/etc/bind# dig @194.181.87.156 www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> @194.181.87.156 www.google.pl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21146
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.pl. IN A
;; AUTHORITY SECTION:
google.pl. 86400 IN NS ns1.google.com.
google.pl. 86400 IN NS ns2.google.com.
google.pl. 86400 IN NS ns3.google.com.
google.pl. 86400 IN NS ns4.google.com.
;; Query time: 19 msec
;; SERVER: 194.181.87.156#53(194.181.87.156)
;; WHEN: Mon May 31 16:13:00 CEST 2021
;; MSG SIZE rcvd: 124
My server should get the IP of a-dns.pl from the additional section returned by the root name servers, but that does not seem to work.
Changes made to fix the problem (without success):
- Restart bind
- Deploy a configuration from a point in time when it still worked
- Update the root hints
- Check the network traffic with tcpdump (no additional information, it seems)
To make it even weirder, it is limited to .pl domains... Any suggestions are very welcome...
Request:
root@arc01:~# dig www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> www.google.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42641
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.pl. IN A
;; Query time: 5540 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 31 20:04:21 CEST 2021
;; MSG SIZE rcvd: 42
Log entries:
31-May-2021 20:04:15.937 queries: info: client 127.0.0.1#45782 (www.google.pl): view internal: query: www.google.pl IN A +E (127.0.0.1)
31-May-2021 20:04:17.937 queries: info: client 172.x.x.x#34880 (www.google.pl): view internal: query: www.google.pl IN A +E (172.x.x.x)
31-May-2021 20:04:21.477 dnssec: info: validating @0x7f0d8c985740: www.google.pl A: bad cache hit (google.pl/DS)
Something like this could be the root of the problem: https://kb.isc.org/docs/aa-00912 Bind9: temporary loss of DNS resolution
I tried combinations of the config options dnssec-enable and dnssec-validation ("yes" to "no") as well as rndc flush && service bind9 restart, but it did not help.
Update 2: It is a validation problem. Using dig +cd works:
root@arc01:~# dig +cd www.google.pl
; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> +cd www.google.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28904
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.pl. IN A
;; ANSWER SECTION:
www.google.pl. 216 IN A 172.217.18.99
;; AUTHORITY SECTION:
google.pl. 60975 IN NS ns1.google.com.
google.pl. 60975 IN NS ns3.google.com.
google.pl. 60975 IN NS ns2.google.com.
google.pl. 60975 IN NS ns4.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 320030 IN A 216.239.32.10
ns1.google.com. 320030 IN AAAA 2001:4860:4802:32::a
ns2.google.com. 320030 IN A 216.239.34.10
ns2.google.com. 320030 IN AAAA 2001:4860:4802:34::a
ns3.google.com. 320030 IN A 216.239.36.10
ns3.google.com. 320030 IN AAAA 2001:4860:4802:36::a
ns4.google.com. 320030 IN A 216.239.38.10
ns4.google.com. 320030 IN AAAA 2001:4860:4802:38::a
;; Query time: 1 msec
;; SERVER: 192.168.32.17#53(192.168.32.17)
;; WHEN: Mon May 31 21:28:40 CEST 2021
;; MSG SIZE rcvd: 316
To be continued tomorrow...
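A check that encodes the diagnosis from Update 2 (SERVFAIL without +cd, NOERROR with +cd, and a "bad cache hit" line in the dnssec log category), as an added example that is not from the original post. The dig and log excerpts are constructed from the output shown above, and the regexes assume the BIND 9.9 log layout seen there.

```python
import re

# Constructed excerpts of the dig headers and BIND log lines from the question,
# trimmed to the fields the check needs (not the poster's output verbatim).
DIG_PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42641
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""

DIG_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28904
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9"""

BIND_LOG = [
    "31-May-2021 20:04:15.937 queries: info: client 127.0.0.1#45782 (www.google.pl): "
    "view internal: query: www.google.pl IN A +E (127.0.0.1)",
    "31-May-2021 20:04:21.477 dnssec: info: validating @0x7f0d8c985740: "
    "www.google.pl A: bad cache hit (google.pl/DS)",
]

HEADER_RE = re.compile(r"status: (?P<status>[A-Z]+), id: (?P<id>\d+)")
FLAGS_RE = re.compile(r"flags: (?P<flags>[a-z ]*); QUERY: (?P<q>\d+), ANSWER: (?P<an>\d+)")
# BIND 9.9 dnssec category: "validating @<addr>: <qname> <qtype>: bad cache hit (<rrset>)"
BAD_CACHE_RE = re.compile(
    r"dnssec: .*?validating (?:@\S+ )?(?P<qname>\S+) (?P<qtype>\S+): "
    r"bad cache hit \((?P<rrset>[^)]+)\)"
)


def parse_dig(text):
    """Return (status, set of header flags, answer count) from a dig header block."""
    h, f = HEADER_RE.search(text), FLAGS_RE.search(text)
    if not h or not f:
        raise ValueError("not a dig header block")
    return h["status"], set(f["flags"].split()), int(f["an"])


def classify(plain_text, cd_text, log_lines):
    """Explain a SERVFAIL by combining a normal dig, a dig +cd, and the BIND log."""
    p_status, _, _ = parse_dig(plain_text)
    c_status, c_flags, c_answers = parse_dig(cd_text)
    hits = [m["rrset"] for m in (BAD_CACHE_RE.search(l) for l in log_lines) if m]
    if p_status != "SERVFAIL":
        verdict = "ok"
    elif c_status == "NOERROR" and "cd" in c_flags and c_answers > 0:
        # The data is reachable and only disappears when checking is enabled,
        # so the resolver's DNSSEC validation (here of the DS chain) is what fails.
        verdict = "dnssec-validation-failure"
    else:
        # Fails even with checking disabled: upstream or network problem instead.
        verdict = "resolution-failure"
    return {"verdict": verdict, "bad_cache_hits": hits}
```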
Answer 1
This is the same behaviour as "bind9 cannot resolve dnssec properly",
caused by a misconfiguration that I only realised today.