Domain-Name-System
Suddenly dig +nocmd pop3.pauperis.org aaaa +noall +answer returns nothing
The command

    dig +nocmd pop3.pauperis.org aaaa +noall +answer

returns the following on my laptop:

    pop3.pauperis.org. 3111 IN CNAME pauperis.org.
    pauperis.org. 3111 IN AAAA 2001:41d0:1:8ade::1
But the same command on my server suddenly returns nothing, with no apparent configuration change:

    # dig +nocmd pop3.pauperis.org aaaa +noall +answer
    #
This is the response on my server, but with the +trace option:

    dig +nocmd pop3.pauperis.org aaaa +noall +answer +trace
    . 44679 IN NS e.root-servers.net.
    . 44679 IN NS m.root-servers.net.
    . 44679 IN NS l.root-servers.net.
    . 44679 IN NS b.root-servers.net.
    . 44679 IN NS g.root-servers.net.
    . 44679 IN NS i.root-servers.net.
    . 44679 IN NS a.root-servers.net.
    . 44679 IN NS d.root-servers.net.
    . 44679 IN NS h.root-servers.net.
    . 44679 IN NS f.root-servers.net.
    . 44679 IN NS j.root-servers.net.
    . 44679 IN NS k.root-servers.net.
    . 44679 IN NS c.root-servers.net.
    . 44679 IN RRSIG NS 8 0 518400 20220316050000 20220303040000 9799 . WHZ//zKcRc0aFze+haFiC5a0GwaCwCsopDkMLzMZrOTTvejeb96R01h+ 2mlnsd4qivrbop0a7fBz+Vs/m+YVOPku+vCO/fnZ+NW/KgrtXpHoPopE WayXrfwtEC+Iu/G7gD1bePIhXqeEMSYlfLD84g7ezASeXc4q3Yrfw3+s SnKkG/vwlZ3IFcSw90bqyYoV597fRLZYdEoUzDjp9onU/NcwqmWJ6muV Ms2IO7kHTaUfMO7z6mgf5PGC2ylTywz+4WZLFd6t8QvZypEMGFwPSxJ2 W86Sdh2QJSDznW3V5CFW3tW+59ZzKsJHuGlHTwqem+egipZMXoMW9y+F 08ZVlg==
    ;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

    org. 172800 IN NS b2.org.afilias-nst.org.
    org. 172800 IN NS a2.org.afilias-nst.info.
    org. 172800 IN NS d0.org.afilias-nst.org.
    org. 172800 IN NS a0.org.afilias-nst.info.
    org. 172800 IN NS b0.org.afilias-nst.org.
    org. 172800 IN NS c0.org.afilias-nst.info.
    org. 86400 IN DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
    org. 86400 IN RRSIG DS 8 1 86400 20220321170000 20220308160000 9799 . m3lulShGydigMRJiRixpAFeO9YBBkntgr2Gk42/sts9JLeGVavWmrAyd 5uFDMPf+DqWjgz65BCR1kipEpJAbETmqiwf17rrk9yDIXYGDfrdv04tg w5+4LjANeRzCqr9CH2FFokRt5cl2AdCSn2kNonndSM72Zfhots5ggn8G nTXyt3Aj3Hg4xagS1ZqPhodM15r95NVWw4ozPywSt76vI/oOgEBF6ckw Hz9AEg5i4MdSoLTwiT9fLE51KfiJQO6Xfp8ZANUFtwrydLb0pqJtXMbC BoJnhXjyjWzlOA5/ze5PR3nCh7tbtbTdxdowiB2Jrc3j5Cirfw7dAske TAjiiQ==
    ;; Received 817 bytes from 192.36.148.17#53(i.root-servers.net) in 3 ms

    pauperis.org. 86400 IN NS ns111.ovh.net.
    pauperis.org. 86400 IN NS dns111.ovh.net.
    pauperis.org. 86400 IN DS 18975 7 2 9CE6DA2D7883298D589BDBD5DFD29BB76FB24329C12B453A055F06F6 4EEC0C0C
    pauperis.org. 86400 IN RRSIG DS 8 2 86400 20220322152315 20220301142315 30573 org. mE8EiULvqr8ZBCDb6rQnXHlxVoZtaTzbLjMtRi9w2jyGYYcKbX0m8N7R +b4NmqrsiQa7nz3DBbDDwt8IbXZfEIqVmGLJrx7Gp+uMDECa54mz06kG Xz1LWb6j/B6CA+1+fa+MyDBJt7A6inBLZQix8Fr9xkWRYznsQqyeeHnW YYo=
    ;; Received 305 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 83 ms

    pop3.pauperis.org. 3600 IN CNAME pauperis.org.
    pop3.pauperis.org. 3600 IN RRSIG CNAME 8 3 3600 20220403112323 20220304112323 37698 pauperis.org. OhXaHFQ1xfLU2T3zjUIBpKsW6k62NZVlnCf4aQKUhbtDcVTGbWDNbwo7 MkpsDh2zpwG3vIqzqdw9t0Uuq7A1U+TDH0SetnBDVvlR1dNNZRbEiWBd C1dJiNuItE37iDNexAebRBvSnM/9hfjDUwDaX7Q78iQS836gxkTSV/g7 Bys=
    pauperis.org. 3600 IN AAAA 2001:41d0:1:8ade::1
    pauperis.org. 3600 IN RRSIG AAAA 8 2 3600 20220403112323 20220304112323 37698 pauperis.org. dZP/Vxls3u1x8lMQ4A4NULX/UMrf7M+YkBNim4pJ/O9qkHCHn3N19Fku JciU5LCsWd4dw856ejt6CLBDy1c5RSADfrP+q3O3x9kstsgrH+Wf0pP8 cU2y/mTJRSQWPp+6jBUITshXJvcuV+XFpHeA931570XelUGN7ZuEStzD COc=
    ;; Received 432 bytes from 2001:41d0:1:4a9b::1#53(dns111.ovh.net) in 3 ms
Can anyone tell me what might be wrong?
Thank you very much in advance :)
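See https://dnsviz.net/d/pop3.pauperis.org/YifJYQ/dnssec/
This name has a huge DNSSEC misconfiguration (a typical case of a mismatch between the DS record at the parent, aka the registry, and the DNSKEY records found in the child). This needs to be resolved before the whole domain works properly. It is also easy to spot by comparing a normal answer through a validating resolver (hence using DNSSEC validation) and then explicitly disabling DNSSEC validation: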
    $ dig pop3.pauperis.org @9.9.9.9
    ; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9
    ;; global options: +cmd
    ;; Sending:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39260
    ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: c145784edda54901
    ;; QUESTION SECTION:
    ;pop3.pauperis.org. IN A
    ;; QUERY SIZE: 58
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39260
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ; EDE: 9 (DNSKEY Missing)
SERVFAIL can be a lot of things, but DNSSEC fatal errors are always a SERVFAIL error code; then note in passing the Extended DNS Error: DNSKEY Missing. And then the same query bypassing DNSSEC (thanks to dig's +cd flag):

    $ dig pop3.pauperis.org @9.9.9.9 +cd
    ; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9 +cd
    ;; global options: +cmd
    ;; Sending:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
    ;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: c028e114f2c210f8
    ;; QUESTION SECTION:
    ;pop3.pauperis.org. IN A
    ;; QUERY SIZE: 58
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
    ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;pop3.pauperis.org. IN A
    ;; ANSWER SECTION:
    pop3.pauperis.org. 1h IN CNAME pauperis.org.
    pauperis.org. 1h IN A 91.121.85.222
Now you get NOERROR. The simple fact that removing DNSSEC validation fixes it is good proof that the error is DNSSEC related.
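
The comparison described in the answer above, as an added example that is not part of the original answer: a small script that reads the two dig transcripts (validating, then with +cd) and reports whether the failure is DNSSEC related. The function names parse_reply and classify and the result strings are made up for this example; the sample transcripts are abbreviated from the output quoted in the answer.

```sh
#!/bin/sh
# Constructed sample input: both transcripts are abbreviated from the dig runs quoted above.
VALIDATING=';; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39260
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 9 (DNSKEY Missing)'
CHECKING_DISABLED=';; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Print "status|flags|ede" for the reply in a dig transcript read from stdin.
# Lines before ";; Got answer:" are skipped: when dig echoes the outgoing
# query, the first "status:" in the transcript is the query's own NOERROR.
parse_reply() {
  awk '
    /^;; Got answer:/ { reply = 1; next }
    !reply            { next }
    /->>HEADER<<-/    { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
    /^;; flags:/      { f = $0; sub(/^;; flags: /, "", f); sub(/;.*/, "", f); flags = f }
    /^; EDE:/         { e = $0; sub(/^; EDE: /, "", e); ede = e }
    END               { printf "%s|%s|%s\n", status, flags, ede }
  '
}

# $1 = transcript from the validating query, $2 = transcript from the +cd query.
classify() {
  v=$(printf '%s\n' "$1" | parse_reply)
  c=$(printf '%s\n' "$2" | parse_reply)
  vstatus=${v%%|*}; ede=${v##*|}
  cstatus=${c%%|*}; cflags=${c#*|}; cflags=${cflags%%|*}
  case " $cflags " in
    *" cd "*) ;;
    *) echo "inconclusive: second reply does not carry the cd flag"; return 0 ;;
  esac
  case "$vstatus/$cstatus" in
    SERVFAIL/NOERROR)  echo "dnssec-validation-failure ede=${ede:-none}" ;;
    SERVFAIL/SERVFAIL) echo "fails-without-validation-too" ;;
    NOERROR/*)         echo "validating-resolver-ok" ;;
    *)                 echo "inconclusive: $vstatus/$cstatus" ;;
  esac
}

classify "$VALIDATING" "$CHECKING_DISABLED"
```

To use it on live data, pass the saved output of the two dig commands from the answer as the two arguments.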