Domain-Name-System
綁定:“nsupdate -l”失敗,狀態為“更新失敗:已拒絕”
我剛剛切換到具有 DNSSEC 條目的半自動管理的
bind9.9.5動態 DNSnsupdate功能,整個過程很順利,我的區域文件也更新得很好,但現在我無法通過工具更新或添加條目。
/etc/bind/named.conf.local: _// 1 view "localhost_view" { allow-query-on { 127.0.0.1; }; allow-query { localhost_acl; }; match-clients { localhost_acl; }; zone "somehost.tld" { type master; file "/etc/bind/db.somehost.tld_10"; }; zone "168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192.168.10"; }; // formerly named.conf.default-zones zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // formerly zones.rfc1918 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; }; // 2 view "internal_10_view" { allow-query-on { 192.168.10.1; }; allow-query { internal_10_acl; }; match-clients { internal_10_acl; }; zone "somehost.tld" { type master; file "/etc/bind/db.somehost.tld_10"; }; zone "168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192.168.10"; }; // formerly named.conf.default-zones zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // formerly zones.rfc1918 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; }; // 3 view "internal_150_view" { allow-query-on { 192.168.150.1; }; allow-query { internal_150_acl; }; match-clients { internal_150_acl; }; zone "somehost.tld" { type master; file "/etc/bind/db.somehost.tld_150"; }; zone "168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192.168.150"; }; // formerly named.conf.default-zones zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // formerly zones.rfc1918 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; }; // 4 view "vpn_view" { allow-query-on { 192.168.200.1; }; allow-query { vpn_acl; }; match-clients { vpn_acl; }; zone "somehost.tld" { type master; file "/etc/bind/db.somehost.tld_vpn"; }; // formerly named.conf.default-zones zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // formerly zones.rfc1918 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "32.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; }; // 5 view "global_view" { allow-query-on { 1.2.3.4; }; // match-clients { any; !localhost_acl; !internal_10_acl; !internal_150_acl; !vpn_acl; }; recursion no; zone "somehost.tld" { type master; update-policy local; auto-dnssec maintain; file "/etc/bind/db.somehost.tld_global"; key-directory "/etc/bind/keys"; }; zone "26/4.3.2.1.in-addr.arpa" IN { type master; file "/etc/bind/db.rev"; }; // formerly named.conf.default-zones zone "." { type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // formerly zones.rfc1918 zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; zone "32.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; };ACL:
acl localhost_acl { 127.0.0.0/8; }; acl internal_10_acl { 192.168.10.0/24; }; acl internal_150_acl { 192.168.150.0/24; }; acl vpn_acl { 192.168.200.2; 192.168.200.5; };所以在
update-policy local;這裡,/var/run/named/session.key已成功生成並且使用者bind可讀,但是當我通過nsupdate -l(以root身份)執行添加命令時,我總是得到update failed: REFUSED錯誤(這裡帶有調試消息):root@somehost:/etc/bind# nsupdate -l -v -D setup_system() Creating key... namefromtext keycreate reset_system() user_interaction() > ttl 46000 do_next_command() > zone somehost.tld. do_next_command() > update add whatever.somehost.tld. A 1.1.1.1 do_next_command() evaluate_update() update_addordelete() > send do_next_command() start_update() send_update() Sending update to 127.0.0.1#53 show_message() Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 15363 ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1 ;; ZONE SECTION: ;somehost.tld. IN SOA ;; UPDATE SECTION: whatever.somehost.tld. 46000 IN A 1.1.1.1 ;; TSIG PSEUDOSECTION: local-ddns. 0 ANY TSIG hmac-sha256. 1446539060 300 32 r2lt18dGihGnJepoUjvIKx8l5BPMohNJvsLoO+WQiBE = 15363 NOERROR 0 update_completed() tsig verification successful show_message() Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 15363 ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;somehost.tld. IN SOA ;; TSIG PSEUDOSECTION: local-ddns. 0 ANY TSIG hmac-sha256. 1446539060 300 32 Cnh9Tgg5vhKngPRk2J8n0wiRzdBLlQrp0F0qmfUotN8 = 15363 NOERROR 0 done_update() reset_system() user_interaction() > quit這是某種許可問題?怎麼了?
終於想通了。感謝@Håkan Lindqvist的啟發。
這些解決方案可能是特定於 Debian/Ubuntu 的,並且沒有在其他發行版中進行測試。
- 第一個解決方案 ==========
(使用
update-policy local;)。您實際上可以
update-policy local;在所需的每個區域聲明中使用指令/etc/bind/named.conf.local,它限制來自 Internet 或 LAN 的更新請求以提高安全性。在這種情況下,密鑰是自動生成的,如果使用選項nsupdate執行,將使用它。-l而不是
server X.X.X.X命令一個應該使用local X.X.X.X. 如果它是系統本地的,它甚至接受公共 IP 作為參數!注意:密鑰不是世界可讀的,所以使用
sudo.例子:
me@somehost:~$ sudo nsupdate -l > local 1.2.3.4 > zone somehost.tld > update add something.somehost.tld. 86400 A 1.1.1.1 > send > quit
- 第二個解決方案 ==========
(使用
ddns-confgen)。我有很多視圖(
localhost_view等global_view),其中一些具有公共區域(somehost.tld在我的範例中)。如果我想動態更新它們,我應該server X.X.X.X在 do 時使用命令nsupdate。因此nsupdate將向適當的介面發送更新請求,並由適當的視圖處理它。
update-policy local;不適合這種配置,因為它禁止server使用nsupdate. 因此需要生成一個 DDNS 密鑰並在所有區域聲明中指定它,該聲明應由nsupdate. 在 Debian 世界中,有一個ddns-confgen命令可以大大簡化此任務:me@somehost:~$ ddns-confgen # To activate this key, place the following in named.conf, and # in a separate keyfile on the system or systems from which nsupdate # will be run: key "ddns-key" { algorithm hmac-sha256; secret "pXohPnPR7dyri9ADfDLtSz+lHw/QliISyiEe0wg0a14="; }; # Then, in the "zone" statement for each zone you wish to dynamically # update, place an "update-policy" statement granting update permission # to this key. For example, the following statement grants this key # permission to update any name within the zone: update-policy { grant ddns-key zonesub ANY; }; # After the keyfile has been placed, the following command will # execute nsupdate using this key: nsupdate -k <keyfile>這個命令的輸出是非常自我描述的。需要將
key...片段添加到具有任何名稱的/etc/bind/named.conf單獨文件中,並將update-policy...片段添加到每個zone聲明中,這將由nsupdate.
nsupdate要在多視圖 BIND 環境中正確使用工具,需要server在執行任何其他命令之前顯式指定指令。因此,為了更新localhost_view的somehost.tld區域(考慮到key...程式碼段已保存到/etc/bind/ddns-key.key),命令如下(注意server 127.0.0.1):me@somehost:~$ nsupdate -k /etc/bind/ddns-key.key > server 127.0.0.1 > zone somehost.tld > update add something.somehost.tld. 86400 A 1.1.1.1 > send > quit而要操作
global_view’ssomehost.tldzone 的命令本質上是相同的,但具有不同的server. 在這種情況下,需要使用公共 IP(1.2.3.4在我的範例中):me@somehost:~$ nsupdate -k /etc/bind/ddns-key.key > server 1.2.3.4 > zone somehost.tld > update add something.somehost.tld. 86400 A 1.1.1.1 > send > quit因此
nsupdate,將請求發送到適當的介面(可能是本地介面,也可能不是本地介面)並且特定視圖有效。