I know enough about this to be dangerous. I'm running bind9 on 22.04 Server. I noticed many entries in the syslog from named, like this one...
Aug 23 16:40:39 homesvr01 named[29547]: validating sync.adtelligent.com/CNAME: no valid signature found
Aug 23 16:40:39 homesvr01 named[29547]: validating sync.vertamedia.com/CNAME: no valid signature found
Aug 23 16:47:06 homesvr01 named[29547]: message repeated 3 times: [ validating sync.vertamedia.com/CNAME: no valid signature found]
Aug 23 16:47:35 homesvr01 named[29547]: validating plex.tv/A: no valid signature found
However, when I run dig against the sites that were logged, it returns an answer.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28686
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;plex.tv. IN A
;; ANSWER SECTION:
plex.tv. 19 IN A 52.212.244.29
plex.tv. 19 IN A 54.229.5.9
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Aug 23 16:50:37 EDT 2023
;; MSG SIZE rcvd: 68
named.conf.local...
//include "/etc/bind/zones.rfc1918";
zone "bender.int" {
type master;
file "/etc/bind/forward.bender.int.db";
allow-update { none; };
};
zone "71.168.192.in-addr.arpa" {
type master;
file "/etc/bind/reverse.bender.int.db";
allow-update { none; };
};
named.conf.options...
acl "trusted" {
192.168.71.0/24;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-recursion { trusted; };
listen-on { 192.168.71.202; };
allow-transfer { none; };
forwarders {
8.8.8.8;
8.8.4.4;
};
};
I'm not really sure what to do about this. These messages keep showing up in my syslog. Any suggestions would be appreciated.
Answer 1
That message is only informational, not an error; it means the DNSKEY RRset of the requested site is not secure. Bind9 then falls back to an insecure proof. You can find an example log of this validation at https://gitlab.isc.org/isc-projects/bind9/-/issues/2680#note_211560. The only real solution I can see is that the owner of the DNS domain should register it with valid signatures.
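Since the answer says these lines are informational and point at zones whose DNSKEY RRset is not secure, the practical next step is to see which names produce them and how often, then check each one for a DS record at its parent (e.g. dig DS plex.tv). The script below is an added example, not code from the question or answer; it parses the syslog lines quoted above (embedded as constructed sample input) and folds rsyslog's "message repeated N times" suppression into the counts.

```python
import re
from collections import Counter

# Constructed sample input: the four syslog lines quoted in the question.
SAMPLE_LOG = """\
Aug 23 16:40:39 homesvr01 named[29547]: validating sync.adtelligent.com/CNAME: no valid signature found
Aug 23 16:40:39 homesvr01 named[29547]: validating sync.vertamedia.com/CNAME: no valid signature found
Aug 23 16:47:06 homesvr01 named[29547]: message repeated 3 times: [ validating sync.vertamedia.com/CNAME: no valid signature found]
Aug 23 16:47:35 homesvr01 named[29547]: validating plex.tv/A: no valid signature found
"""

# The named validator message: "validating <owner>/<rrtype>: no valid signature found"
MSG_RE = re.compile(r"validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): no valid signature found")
# rsyslog's repeat suppression wraps the original message and states how many times it was seen.
REPEAT_RE = re.compile(r"message repeated (?P<n>\d+) times: \[ ?(?P<msg>.*?)\]$")


def count_unsigned_validations(log_text):
    """Return a Counter mapping (owner name, rrtype) to how many times named logged it."""
    counts = Counter()
    for line in log_text.splitlines():
        if "named[" not in line:
            continue  # only lines emitted by named
        # Strip the syslog prefix ("Aug 23 ... named[29547]: ") to get the message payload.
        payload = line.split("]: ", 1)[1] if "]: " in line else line
        n = 1
        repeat = REPEAT_RE.search(payload)
        if repeat:
            n = int(repeat.group("n"))      # one suppressed line stands for n messages
            payload = repeat.group("msg")
        m = MSG_RE.search(payload)
        if m:
            counts[(m.group("name"), m.group("rtype"))] += n
    return counts


def names_to_check(counts):
    """Distinct owner names, most frequent first, to verify for a DS record (dig DS <name>)."""
    per_name = Counter()
    for (name, _rtype), n in counts.items():
        per_name[name] += n
    return [name for name, _ in per_name.most_common()]


if __name__ == "__main__":
    c = count_unsigned_validations(SAMPLE_LOG)
    for (name, rtype), n in c.most_common():
        print(f"{n:4d}  {name}/{rtype}")
    print("names to check for DS:", names_to_check(c))
```

Run it against `/var/log/syslog` instead of the sample to get the real list; a name with no DS record at its parent is simply unsigned, which is exactly the case the answer describes.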