I am trying to get nsupdate/RFC2136 working against a remote BIND server, but I have been racking my brains for two days trying to figure out what is actually going on.
BIND 9.16.23 is running on an internal server, with no AppArmor and no firewall. Here are the relevant parts of the BIND configuration:
options {
directory "/var/cache/named";
listen-on { any; };
allow-query { any; };
recursion no;
blackhole { acl_bogusnets; };
// DNSSEC
dnssec-validation yes;
// hide version
version "not provided";
key-directory "/etc/named/keys";
auth-nxdomain no;
};
controls {
inet 192.168.131.21 port 953 allow { any; } keys { "key_ddns"; };
inet 192.168.131.21 allow { any; } keys { "key_ddns"; };
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "mydomain.com" IN {
type master;
file "/var/named/primary/com/mydomain/db.mydomain.com";
update-policy {
grant key_ddns name _acme-challenge.www.mydomain.com. txt;
};
notify yes;
dnssec-policy "default";
inline-signing yes;
key-directory "/var/named/keys";
};
I first copied the two keys (rndc and key_ddns) to a local folder, then created a file (add.txt) with nsupdate commands to add a record:
server 127.0.0.1
debug yes
zone mydomain.com
update add _acme-challenge.www.mydomain.com. 300 IN TXT "TEST"
show
send
Here are the different commands I ran and their results. Everything below was executed on the local BIND server.
nsupdate -k ./rndc.key add.txt or nsupdate -k ./rndc.key -v add.txt
update: info: client @0x7ff7a0636e18 127.0.0.1#49496/key rndc-key: view view_primary_ns: updating zone 'mydomain.com/IN': update failed: rejected by secure update (REFUSED)
nsupdate -k ./key_ddns.key add.txt or nsupdate -k ./key_ddns.key -v add.txt
update: info: client @0x7ff7a061a0e8 127.0.0.1#37881/key key_ddns: view view_primary_ns: updating zone 'mydomain.com/IN': adding an RR at '_acme-challenge.www.mydomain.com' TXT "TEST"
So I take this to mean that the key_ddns key works as expected, since the record was added successfully. This is where I get stuck. If I change the server line in add.txt from 127.0.0.1 to the private IP 192.168.131.21, the following happens:
nsupdate -k ./rndc.key add.txt or nsupdate -k ./key_ddns.key add.txt
nsupdate error: Communication with 192.168.131.21#53 failed: timed out
nsupdate -k ./rndc.key -v add.txt or nsupdate -k ./key_ddns.key -v add.txt
nsupdate error: Communication with 192.168.131.21#53 failed: unexpected error
BIND logs:
general: error: Accepting TCP connection failed: connection refused
general: error: TCP connection failed: connection refused
If I change the server line in add.txt from 192.168.131.21 to 192.168.131.21 953, the following happens:
nsupdate -k ./rndc.key add.txt or nsupdate -k ./key_ddns.key add.txt
nsupdate error: Communication with 192.168.131.21#53 failed: timed out
nsupdate -k ./rndc.key -v add.txt or nsupdate -k ./key_ddns.key -v add.txt
nsupdate error: Communication with 192.168.131.21#53 failed: unexpected error
BIND logs:
general: error: invalid command from 192.168.131.21#39997: out of range
I simply do not understand why I cannot get nsupdate to work with the server's private IP.
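As an added example (not part of the question above, and not BIND's or nsupdate's own code), the following stand-alone Python script builds the RFC 2136 UPDATE message that `nsupdate -k key_ddns.key add.txt` sends, signs it with TSIG (hmac-sha256, RFC 8945) and then verifies the signature the way the receiving server does. The zone and record names are taken from add.txt; the `key "key_ddns"` clause and its base64 secret are constructed placeholders, not a real key. The point it makes concrete: what travels to the server is an ordinary DNS message on port 53 with opcode UPDATE and a trailing TSIG RR, and the `controls` statement plays no part in that exchange, because port 953 is the rndc control channel, a different protocol that is only used by rndc itself. Whether an update is accepted is decided by the zone's `update-policy` (or `allow-update`) once the TSIG MAC checks out.

```python
"""Build, TSIG-sign and verify an RFC 2136 UPDATE with the standard library only.
Added example: names follow the post; the key clause below is a constructed placeholder."""
import base64, hashlib, hmac, os, re, struct, time

TYPE_SOA, TYPE_TXT, TYPE_TSIG = 6, 16, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
ALG = "hmac-sha256."          # TSIG algorithm identifier, written as a domain name

# Constructed stand-in for a file written by tsig-keygen (NOT a real secret).
SAMPLE_KEY_FILE = '''key "key_ddns" {
\talgorithm hmac-sha256;
\tsecret "c2VjcmV0LWZvci10aGlzLWV4YW1wbGUtb25seQ==";
};
'''

def parse_key_file(text):
    """Extract (name, algorithm, base64 secret) from a BIND key clause."""
    m = re.search(r'key\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                  r'\s*secret\s+"([^"]+)"\s*;', text)
    if not m:
        raise ValueError("no key clause found")
    return m.group(1), m.group(2), m.group(3)

def wire_name(name):
    """Uncompressed, lowercased labels: the canonical form TSIG hashes over."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg, off):
    """Read an uncompressed name; returns (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:  # this example never emits compression pointers
            raise ValueError("compressed name not supported here")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def counts(msg):
    # Header counts; in an UPDATE they mean ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
    return struct.unpack("!HHHH", msg[4:12])

def build_update(zone, name, ttl, txt, msg_id=None):
    """Unsigned UPDATE: opcode 5, zone section (SOA question), one TXT RR to add."""
    ident = os.urandom(2) if msg_id is None else struct.pack("!H", msg_id)
    header = ident + struct.pack("!HHHHH", OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes([len(txt)]) + txt.encode("ascii")   # one TXT <character-string>
    update_sec = (wire_name(name)
                  + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_sec + update_sec

def tsig_vars(keyname, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' that are appended to the message before hashing."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALG)
            + struct.pack("!Q", time_signed)[2:]       # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, keyname, secret_b64, time_signed=None, fudge=300):
    """Append a TSIG RR and bump ADCOUNT, which is what nsupdate -k does."""
    key = base64.b64decode(secret_b64)
    ts = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(key, msg + tsig_vars(keyname, ts, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + struct.pack("!Q", ts)[2:] + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    tsig_rr = wire_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", counts(msg)[3] + 1) + msg[12:] + tsig_rr

def verify(signed, secret_b64):
    """Server-side check: locate the trailing TSIG, recompute the MAC. Returns (ok, keyname)."""
    key = base64.b64decode(secret_b64)
    zo, pr, up, ad = counts(signed)
    off = 12
    for _ in range(zo):                       # zone section entries: name + type + class
        _, off = read_name(signed, off)
        off += 4
    for _ in range(pr + up + ad - 1):         # every RR except the TSIG itself
        _, off = read_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    alg, off = read_name(signed, off + 10)
    ts = int.from_bytes(signed[off:off + 6], "big")
    fudge, macsize = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + macsize]
    off += 10 + macsize
    orig_id, error, otherlen = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + otherlen]
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or alg.lower() != ALG:
        return False, keyname
    # Rebuild the message exactly as it was hashed: original ID, ADCOUNT - 1, no TSIG RR.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ad - 1)
                + signed[12:tsig_start])
    expected = hmac.new(key, unsigned + tsig_vars(keyname, ts, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected), keyname

if __name__ == "__main__":
    kname, _alg, secret = parse_key_file(SAMPLE_KEY_FILE)
    msg = build_update("mydomain.com", "_acme-challenge.www.mydomain.com", 300, "TEST")
    signed = sign(msg, kname, secret)
    print(len(msg), "bytes unsigned,", len(signed), "bytes signed, counts:", counts(signed))
    print("MAC verifies:", verify(signed, secret))
```

The `verify` function is also a handy way to see what REFUSED versus a timeout tells you: a wrong key or a tampered message fails the MAC check and the server answers with a TSIG error or REFUSED, whereas a packet that never reaches a DNS listener on port 53 produces no DNS answer at all.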