Domain-Name-System

威瑞信錯誤 -> 查詢 DNSKEY 超時或失敗

  • March 7, 2015

我正在嘗試在 Verisign DNSSEC 調試器上找到一個我無法擺脫的錯誤的根源。

用 dig 查詢伺服器本身沒有問題:

dig ex-mailer.com ANY @108.61.190.64

在調試模式下,我的所有日誌都是乾淨且無錯誤的(日誌輸出)。

事實上,唯一看起來不對勁的跡象是在數據包擷取(Wireshark)中看起來像過度碎片化的現象。

我的網卡上的 MTU 是 1500

vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
       ether 56:00:00:05:53:09
       inet6 2001:19f0:6c00:8141::64 prefixlen 64
       inet6 fe80::5400:ff:fe05:5309%vtnet0 prefixlen 64 scopeid 0x1
       inet 108.61.190.64 netmask 0xffffff00 broadcast 108.61.190.255
       nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
       media: Ethernet 10Gbase-T <full-duplex>
       status: active

但 PMTU 看起來不太對勁:

ping -s 1500 -M do 108.61.190.64
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)

我不知道還能去哪裡看。我很確定這個 MTU 碎片是錯誤的根源。

如何擺脫這個威瑞信 dns 錯誤?

主伺服器 (master) 配置:

// Address match list used for zone transfers: in this file only the
// ex-mailer.com zone references it (allow-transfer { trusted; }).
acl "trusted" {
       108.61.190.64;                 # this server (see listen-on)
       107.191.60.48;                 # the slave server
       2001:19f0:7000:8945::64;       # the slave server, IPv6
       2001:19f0:6c00:8141::64;       # this server, IPv6 (see listen-on-v6)
       108.61.10.10;                  # also listed under forwarders
       127.0.0.1/32;
       ::1/128;
};

// Matches every client. Declared but not referenced anywhere in this file
// (the view below uses `any` directly); harmless, but dead configuration.
acl "outside" {
       any;
};

options {
       directory "/usr/local/etc/namedb/working/";
       pid-file "/var/run/named/named.pid";
       dnssec-enable yes;
       dnssec-validation auto;      # uses BIND's built-in root trust anchor
       // DLV lookaside: ISC retired the dlv.isc.org registry in 2017, so this
       // adds nothing today and later BIND releases drop the option entirely.
       dnssec-lookaside auto;
       listen-on-v6 { ::1; 2001:19f0:6c00:8141::64;};
       listen-on { 127.0.0.1; 108.61.190.64;};
       max-cache-ttl 1600;          # cached answers live at most 1600 s (~27 min)
       version none;                # hide the BIND version from version.bind queries
       auth-nxdomain no;    # conform to RFC1035
       // NOTE(review): recursion and cache access are granted to every client,
       // and the view below combines that with `recursion yes` and
       // `match-clients { any; }`, so this is an open recursive resolver
       // (reflection/amplification exposure). Unless public recursion is
       // intended, limit these to { trusted; }.
       allow-recursion-on { any; };
       allow-recursion{ any; };
       allow-query-cache-on{ any; };
       allow-query-on{ any; };
       // Only meaningful for slave zones; every zone in this file is
       // `type master`, so this statement has no effect here.
       allow-update-forwarding{ any; };
       allow-query {
               any;
       };

       allow-query-cache {
               any;
       };

       // Global default: any host may AXFR a zone that does not override it.
       // ex-mailer.com overrides with { trusted; }; the other zones (e.g.
       // nyctelecomm.com, whose own allow-transfer is commented out) inherit
       // this and expose their full contents. Prefer { trusted; } here and let
       // individual zones widen it if they really need to.
       allow-transfer {
               any;
       };
       //forward first;
       // NOTE(review): 108.61.190.64 is this server's own listen-on address,
       // and 107.191.60.48 is the slave, whose forwarders list points back
       // here. Forwarding is active whenever forwarders is set (the default
       // mode is "forward first"), so queries can bounce between the two
       // servers before iterative resolution is tried; worth removing both
       // addresses regardless of the Verisign error.
       forwarders {
               108.61.10.10;
               108.61.190.64;
               107.191.60.48;
       };
};


logging {
       // Duplicate: `category default` is declared again at the end of this
       // block; keep only one definition (named-checkconf may reject it).
       category default { default_log; };
       // Query logging is routed to resolver_file, but entries only appear
       // once query logging is turned on (`querylog yes` or `rndc querylog`),
       // which is not set anywhere in this file.
       category queries { resolver_file; };
       channel default_log {
               file "/var/log/named/named.log" versions 5 size 50M;
               print-time yes;
               print-severity yes;
               print-category yes;
               // Very verbose for a production default channel; rotation
               // (5 x 50M) bounds the disk use, but `info` is the usual choice.
               severity debug;
       };
       channel resolver_file {
               file "/var/log/named/resolver.log" versions 3 size 5m;
               severity dynamic;    # follows the debug level set with rndc trace
               print-time yes;
       };
       // Defined but unused: no category in this block sends to it.
       channel xfer-in_file {
               file "/var/log/named/xfer-in.log" versions 3 size 5m;
               severity dynamic;
               print-time yes;
       };
       category default { default_log; };
       category general { default_log; };
};


#include "/usr/local/etc/namedb/rndc.key";

// The `#include "/usr/local/etc/namedb/rndc.key";` line above is a comment in
// named.conf syntax (`#` starts a comment), so that file is never read; the
// rndc key is instead defined inline right after this block.
controls {
       // `inet *` binds port 953 on every address; the allow list narrows it
       // to loopback plus the two servers. Prefer `inet 127.0.0.1` unless
       // remote rndc from 107.191.60.48 is actually used.
       inet * port 953 allow { 127.0.0.1/32; ::1/128; 107.191.60.48; 108.61.190.64;} keys {"rndc-key"; };
};
// NOTE(review): this secret has been published along with the post, so it
// should be regenerated; hmac-md5 is also the weakest algorithm available
// (`rndc-confgen -A hmac-sha256` produces a fresh key on BIND 9.10+).
key "rndc-key" {
       algorithm hmac-md5;
       secret "KcnxhOeXddg8dRNrn9Qfew==";
};


// Single view serving every client. Because it answers recursively for
// `any` (see also allow-recursion in options), the authoritative zones and
// an open resolver share one listener.
view "external" {
       match-clients { any; };
       match-destinations { any; };
       recursion yes;
       allow-query { any; };
       zone "." IN {
               type hint;
               file "/usr/local/etc/namedb/named.root";
       };
       zone "ex-mailer.com" {
               type master;
               allow-transfer { trusted; };
               // 108.61.190.64 is this server itself; the slave (107.191.60.48)
               // is not listed, so it only gets NOTIFYs if it appears in the
               // zone's NS records -- presumably not the intent.
               also-notify { 108.61.190.64; };
               // Dynamic updates are accepted only with the local session key
               // (nsupdate -l); remote clients cannot update this zone.
               update-policy local;
               // `allow`: keys in key-directory are used only after an explicit
               // `rndc sign` / `rndc loadkeys`; `maintain` would also drive
               // key timing automatically.
               auto-dnssec allow;
               key-directory "/usr/local/etc/namedb/";
               file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
       };
       zone "nyctelecomm.com" {
               type master;
               // With this override commented out the zone inherits the global
               // allow-transfer { any; } from options.
               #allow-transfer {107.191.60.48;};
               also-notify {107.191.60.48;};
               // key-directory without update-policy/auto-dnssec: this zone is
               // served from a pre-signed file and is not re-signed by named.
               key-directory "/usr/local/etc/namedb/";
               file "/usr/local/etc/namedb/nyctelecomm.com.external.signed";
       };
       zone "emailingu.com" {
               type master;
               update-policy local;
               auto-dnssec allow;
               key-directory "/usr/local/etc/namedb/";
               file "/usr/local/etc/namedb/emailingu.com.external.signed";
       };
       zone "instaknowit.com" {
               type master;
               update-policy local;
               auto-dnssec allow;
               key-directory "/usr/local/etc/namedb/";
               // Unlike the other zones this file name lacks the ".signed"
               // suffix -- check whether the zone is meant to be signed.
               file "/usr/local/etc/namedb/instaknowit.com.external";
       };

       zone "zippy-mail.com" {
               type master;
               update-policy local;
               auto-dnssec allow;
               key-directory "/usr/local/etc/namedb/";
               file "/usr/local/etc/namedb/zippy-mail.com.external.signed";
       };

       // Reverse zones: no allow-update given, so BIND's default (none) applies.
       zone "190.61.108.in-addr.arpa"{
               type master;
               file "/usr/local/etc/namedb/reverse.external";
       };
       zone "127.in-addr.arpa" {
               type master;
               file "/usr/local/etc/namedb/127.0.0.1";
       };

};

從伺服器 (slave) 配置:

// Same list as on the master. Here it is referenced by allow-update in
// options and by the allow-notify statements of the slave zones.
acl "trusted" {
       108.61.190.64;                 # the master server
       107.191.60.48;                 # this server (see listen-on)
       2001:19f0:7000:8945::64;       # this server, IPv6 (see listen-on-v6)
       2001:19f0:6c00:8141::64;       # the master server, IPv6
       108.61.10.10;                  # also listed under forwarders
       127.0.0.1/32;
       ::1/128;
};

// Matches every client; the view below uses it for match-clients,
// match-destinations and allow-query, so it is equivalent to `any`.
acl "outside" {
       any;
};

options {
       directory "/usr/local/etc/namedb/working/";
       pid-file "/var/run/named/named.pid";
       dnssec-enable yes;
       // NOTE(review): `yes` (unlike `auto` on the master) does not load the
       // built-in root key; validation then needs a trusted-keys/managed-keys
       // statement, and none is visible in this file (the `#include` lines are
       // comments). Confirm a trust anchor exists or switch to `auto`.
       dnssec-validation yes;
       // DLV lookaside: ISC retired the dlv.isc.org registry in 2017, so this
       // adds nothing today and later BIND releases drop the option entirely.
       dnssec-lookaside auto;
       auth-nxdomain no;
       listen-on-v6 { ::1; 2001:19f0:7000:8945::64;};
       listen-on { 127.0.0.1; 107.191.60.48;};
       max-cache-ttl 1600;          # cached answers live at most 1600 s (~27 min)
       version none;                # hide the BIND version from version.bind queries
       notify yes;
       // Sends NOTIFY to the master, which has nothing to learn from this
       // slave; probably copied from the master's configuration.
       also-notify { 108.61.190.64; };
       // Lists this server's own address. NOTIFYs from each slave zone's
       // `masters` are accepted implicitly, so this entry adds nothing.
       allow-notify { 107.191.60.48; };
       // NOTE(review): together with `recursion yes` in the view this is an
       // open recursive resolver for every client (reflection/amplification
       // exposure). Limit to { trusted; } unless public recursion is intended.
       allow-recursion { any; };
       allow-recursion-on { any; };
       allow-query-cache-on{ any; };
       allow-query-on{ any; };
       // NOTE(review): any client may send a dynamic UPDATE to this slave and
       // have it relayed to 108.61.190.64 for the slave zones. The master's
       // update-policy local should refuse them, but there is no reason to
       // relay at all -- use { none; } or { trusted; }.
       allow-update-forwarding{ any; };
       // Global default: any host may AXFR every zone (the slave zones restate
       // { any; } explicitly below). Zone transfers expose full zone contents;
       // { trusted; } is the safer default.
       allow-transfer { any; };
       allow-query {
               any;
       };
       allow-query-cache {
               any;
       };

       // Applies only to master zones, i.e. the two reverse zones in the view,
       // and both override it with { none; }, so this is effectively unused.
       allow-update {
               trusted;
       };

       //forward first;
       // NOTE(review): 107.191.60.48 is this server's own listen-on address,
       // and 108.61.190.64 is the master, whose forwarders list points back
       // here. Forwarding is active whenever forwarders is set (the default
       // mode is "forward first"), so queries can bounce between the two
       // servers before iterative resolution is tried.
       forwarders {
               108.61.10.10;
               108.61.190.64;
               107.191.60.48;
       };
};


logging {
       // Duplicate: `category default` is declared again at the end of this
       // block; keep only one definition (named-checkconf may reject it).
       category default { default_log; };
       // Query logging is routed to resolver_file, but entries only appear
       // once query logging is turned on (`querylog yes` or `rndc querylog`),
       // which is not set anywhere in this file.
       category queries { resolver_file; };
       channel default_log {
               file "/var/log/named/named.log" versions 5 size 50M;
               print-time yes;
               print-severity yes;
               print-category yes;
               // Very verbose for a production default channel; rotation
               // (5 x 50M) bounds the disk use, but `info` is the usual choice.
               severity debug;
       };
       // Defined but unused: `category general` below goes to default_log.
       channel general_file {
               file "/var/log/named/general.log" versions 3 size 5m;
               severity dynamic;
               print-time yes;
       };
       // Defined but unused: no category in this block sends to it.
       channel config_file {
               file "/var/log/named/config.log" versions 3 size 5m;
               severity dynamic;
               print-time yes;
       };
       channel resolver_file {
               file "/var/log/named/resolver.log" versions 3 size 5m;
               severity dynamic;    # follows the debug level set with rndc trace
               print-time yes;
       };
       // Defined but unused: no category in this block sends to it.
       channel xfer-in_file {
               file "/var/log/named/xfer-in.log" versions 3 size 5m;
               severity dynamic;
               print-time yes;
       };
       category default { default_log; };
       category general { default_log; };
};


#include "/usr/local/etc/namedb/rndc.key";

// The `#include "/usr/local/etc/namedb/rndc.key";` line above is a comment in
// named.conf syntax (`#` starts a comment), so that file is never read; the
// rndc key is instead defined inline in the next block.
controls {
       // `inet *` binds port 953 on every address; the allow list narrows it
       // to loopback plus the two servers. Prefer `inet 127.0.0.1` unless
       // remote rndc from 108.61.190.64 is actually used.
       inet * port 953 allow { 127.0.0.1/32; ::1/128; 108.61.190.64; 107.191.60.48; } keys {"rndc-key"; };
};

// NOTE(review): this secret has been published along with the post, so it
// should be regenerated; hmac-md5 is also the weakest algorithm available
// (`rndc-confgen -A hmac-sha256` produces a fresh key on BIND 9.10+).
// It differs from the master's key, which is fine: rndc keys are per server.
key "rndc-key" {
       algorithm hmac-md5;
       secret "N/SB9HZwr5yRIBwtRjcA6A==";
};

// Single view serving every client (`outside` is `any`). Recursion is open
// to all, so the secondary zones and an open resolver share one listener.
view "external" {
       match-clients { outside; };
       match-destinations { outside; };
       recursion yes;
       allow-recursion { any; };
       allow-query { outside; };
       zone "." IN {
               type hint;
               file "/usr/local/etc/namedb/named.root";
       };

       // A comment, not an include (`#` starts a comment in named.conf): if
       // zonelist.db is meant to be loaded, write `include "...";` instead.
       #include "/usr/local/etc/namedb/tmp/zonelist.db";

       zone "nyctelecomm.com" {
               type slave;
               masters {108.61.190.64;};
               allow-notify { trusted; };
               // Anyone may AXFR the full zone from this server.
               allow-transfer { any; };
               notify yes;
               // A slave receives the already-signed zone from its master;
               // auto-dnssec most likely has no effect here (some BIND
               // versions reject it on slave zones) -- check named-checkconf.
               auto-dnssec allow;
               key-directory "/usr/local/etc/namedb/";
               file "/usr/local/etc/namedb/nyctelecomm.com.external.signed";
       };
       zone "ex-mailer.com" {
               type slave;
               masters {108.61.190.64; };
               #transfer-source { 108.61.190.64; };
               allow-notify{ trusted; };
               notify yes;
               // Anyone may AXFR the full zone from this server.
               allow-transfer { any; };
               // See the note on nyctelecomm.com: likely a no-op on a slave.
               auto-dnssec allow;
               key-directory "/usr/local/etc/namedb/";
               file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
       };

       zone "emailingu.com" {
               masters {108.61.190.64; };
               type slave;
               auto-dnssec allow;
               key-directory "/usr/local/etc/namedb/";
               file "/usr/local/etc/namedb/emailingu.com.external.signed";
       };
       zone "zippy-mail.com" {
               type slave;
               masters {108.61.190.64; };
               auto-dnssec allow;
               key-directory "/usr/local/etc/namedb/";
               file "/usr/local/etc/namedb/zippy-mail.com.external.signed";
       };

       // Reverse zones are mastered here too (same files as on the master);
       // allow-update { none; } overrides the global allow-update { trusted; }.
       zone "190.61.108.in-addr.arpa"{
               type master;
               allow-update {none;};
               file "/usr/local/etc/namedb/reverse.external";
       };
       zone "127.in-addr.arpa" {
               type master;
               allow-update {none;};
               file "/usr/local/etc/namedb/127.0.0.1";
       };

};

感謝您發布所有這些資訊,它幫助很大。

Verisign 工具在以下位置出錯:

Query to yoda.ex-mailer.com/108.61.175.48 for ex-mailer.com/A timed out or failed

您感興趣的域正在發布兩個不同的 NS 記錄。

ex-mailer.com   nameserver = yoda.ex-mailer.com.
ex-mailer.com   nameserver = r2d2.ex-mailer.com.

從我自己的網路,我可以連接到 r2d2 並查詢到 yoda 的 IP。當我嘗試連接到 yoda 時,我什麼也得不到。這就是威瑞信所指出的問題。當我看得更深一點時,我看到我對 yoda 的連接嘗試收到了來自 yoda 本身(108.61.175.20)的 ICMP Destination Unreachable 數據包。

有趣的是,r2d2 將 yoda 的 IP 地址顯示為 108.61.175.48,但您的配置文件表明它應該是 108.61.190.64 或 108.61.10.10。在這兩個中,第一個響應成功。

看起來像兩件事之一。

  1. ‘yoda’ 的 A 記錄有誤。應該是 108.61.190.64,而不是 108.61.175.48
  2. NS 記錄應該指向 A 記錄為 108.61.190.64 的主機

引用自:https://serverfault.com/questions/673699