Domain-Name-System
威瑞信錯誤 -> 查詢 DNSKEY 超時或失敗
我正在嘗試找出 Verisign DNSSEC 調試器(Verisign 調試器)上一個我無法擺脫的錯誤的根源
直接用 dig 查詢伺服器則沒有問題
dig ex-mailer.com ANY @108.61.190.64
在調試模式下,我的所有日誌都是乾淨且無錯誤的(見日誌輸出)
事實上,唯一顯示有問題的跡象,是數據包擷取中看起來像是過度碎片化的情況
我的網卡上的 MTU 是 1500
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6> ether 56:00:00:05:53:09 inet6 2001:19f0:6c00:8141::64 prefixlen 64 inet6 fe80::5400:ff:fe05:5309%vtnet0 prefixlen 64 scopeid 0x1 inet 108.61.190.64 netmask 0xffffff00 broadcast 108.61.190.255 nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> media: Ethernet 10Gbase-T <full-duplex> status: active
但 PMTU 看起來不太對勁:
ping -s 1500 -M do 108.61.190.64 From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
我不知道還能去哪裡看。我很確定這個 MTU 碎片是錯誤的根源。
如何擺脫這個威瑞信 dns 錯誤?
主配置:
// ---------------------------------------------------------------------------
// BIND named.conf of the MASTER (primary) server, listening on 108.61.190.64.
// Reformatted from the collapsed paste; every directive is exactly as posted,
// only comments were added. Review remarks are marked NOTE(review).
// ---------------------------------------------------------------------------

// Hosts allowed to transfer the "ex-mailer.com" zone (referenced there below).
acl "trusted" { 108.61.190.64; 107.191.60.48; 2001:19f0:7000:8945::64; 2001:19f0:6c00:8141::64; 108.61.10.10; 127.0.0.1/32; ::1/128; };
// "outside" is everyone; declared but not referenced anywhere in this file.
acl "outside" { any; };

options {
    directory "/usr/local/etc/namedb/working/";
    pid-file "/var/run/named/named.pid";
    dnssec-enable yes;
    dnssec-validation auto;          // validation with the built-in root trust anchor
    // NOTE(review): DNSSEC lookaside validation (DLV) has been retired upstream;
    // this line is harmless but can be removed.
    dnssec-lookaside auto;
    listen-on-v6 { ::1; 2001:19f0:6c00:8141::64;};
    listen-on { 127.0.0.1; 108.61.190.64;};
    max-cache-ttl 1600;
    version none;                    // do not reveal the BIND version to CHAOS queries
    auth-nxdomain no;    # conform to RFC1035
    // NOTE(review): recursion is open to the whole Internet on a public
    // authoritative server. Open resolvers get abused for DNS amplification and
    // widen the cache-poisoning surface; restrict recursion to "trusted" (or
    // localhost), or run the recursive and authoritative roles separately.
    allow-recursion-on { any; };
    allow-recursion{ any; };
    allow-query-cache-on{ any; };
    allow-query-on{ any; };
    // NOTE(review): forwards dynamic UPDATE messages from anyone toward the
    // zone master; "none" is the safe setting unless forwarding is required.
    allow-update-forwarding{ any; };
    allow-query { any; };
    allow-query-cache { any; };
    // NOTE(review): global AXFR to anyone. Only "ex-mailer.com" below narrows
    // this to "trusted"; every other zone inherits full zone-transfer access,
    // which hands out the complete zone contents on request.
    allow-transfer { any; };
    //forward first;
    // NOTE(review): the forwarder list contains 108.61.190.64, which is this
    // server's own listen-on address — confirm that forwarding to itself is intended.
    forwarders { 108.61.10.10; 108.61.190.64; 107.191.60.48; };
};

logging {
    category default { default_log; };
    category queries { resolver_file; };
    channel default_log { file "/var/log/named/named.log" versions 5 size 50M; print-time yes; print-severity yes; print-category yes; severity debug; };
    channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
    // Defined, but no category below routes to it.
    channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
    // NOTE(review): "category default" is declared a second time here.
    category default { default_log; };
    category general { default_log; };
};

// The leading "#" makes this a comment: the external rndc key file is NOT
// included, so the key is defined inline below instead.
#include "/usr/local/etc/namedb/rndc.key";
// NOTE(review): "inet *" binds the rndc control channel (port 953) on every
// interface, including the public address; the allow list is the only barrier.
// Binding to 127.0.0.1 (plus a peer only if remote control is needed) is tighter.
controls { inet * port 953 allow { 127.0.0.1/32; ::1/128; 107.191.60.48; 108.61.190.64;} keys {"rndc-key"; }; };
// NOTE(review): this secret has been published together with the post and
// must be treated as compromised — regenerate it (rndc-confgen) on every host
// that shares it, and prefer hmac-sha256 over the legacy hmac-md5.
key "rndc-key" { algorithm hmac-md5; secret "KcnxhOeXddg8dRNrn9Qfew=="; };

view "external" {
    match-clients { any; };
    match-destinations { any; };
    recursion yes;
    allow-query { any; };
    // Root hints used by the recursive role.
    zone "." IN { type hint; file "/usr/local/etc/namedb/named.root"; };
    // The zone the Verisign debugger reports on. Dynamic updates come from the
    // local session key only (update-policy local); "auto-dnssec allow" only
    // re-signs when triggered through rndc, "maintain" would do it automatically.
    zone "ex-mailer.com" {
        type master;
        allow-transfer { trusted; };     // narrows the global "any"
        // NOTE(review): notifies 108.61.190.64, i.e. this server itself; the
        // secondary at 107.191.60.48 is not listed — confirm that is intended.
        also-notify { 108.61.190.64; };
        update-policy local;
        auto-dnssec allow;
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
    };
    // Serves a pre-signed file; no transfer override, so AXFR is open to anyone.
    zone "nyctelecomm.com" {
        type master;
        #allow-transfer {107.191.60.48;};
        also-notify {107.191.60.48;};
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/nyctelecomm.com.external.signed";
    };
    zone "emailingu.com" {
        type master;
        update-policy local;
        auto-dnssec allow;
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/emailingu.com.external.signed";
    };
    // NOTE(review): unlike its siblings this zone loads the unsigned file
    // (".external" rather than ".external.signed") although auto-dnssec is set.
    zone "instaknowit.com" {
        type master;
        update-policy local;
        auto-dnssec allow;
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/instaknowit.com.external";
    };
    zone "zippy-mail.com" {
        type master;
        update-policy local;
        auto-dnssec allow;
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/zippy-mail.com.external.signed";
    };
    // Reverse zones: no per-zone overrides, so they inherit the global
    // allow-transfer { any; }.
    zone "190.61.108.in-addr.arpa"{ type master; file "/usr/local/etc/namedb/reverse.external"; };
    zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/127.0.0.1"; };
};
從屬伺服器配置:
// ---------------------------------------------------------------------------
// BIND named.conf of the SLAVE (secondary) server, listening on 107.191.60.48.
// Reformatted from the collapsed paste; every directive is exactly as posted,
// only comments were added. Review remarks are marked NOTE(review).
// ---------------------------------------------------------------------------

// Hosts allowed to send NOTIFY for the slave zones and to send dynamic updates
// (allow-update below).
acl "trusted" { 108.61.190.64; 107.191.60.48; 2001:19f0:7000:8945::64; 2001:19f0:6c00:8141::64; 108.61.10.10; 127.0.0.1/32; ::1/128; };
// "outside" is everyone; used by the view's match-clients / allow-query.
acl "outside" { any; };

options {
    directory "/usr/local/etc/namedb/working/";
    pid-file "/var/run/named/named.pid";
    dnssec-enable yes;
    // NOTE(review): with "yes" (unlike "auto") BIND does not supply the built-in
    // root trust anchor, and no trusted-keys/managed-keys statement appears in
    // this file — unless one is configured elsewhere, validation will not
    // actually take place here. Confirm, or use "auto" as on the master.
    dnssec-validation yes;
    // NOTE(review): DLV has been retired upstream; harmless but removable.
    dnssec-lookaside auto;
    auth-nxdomain no;
    listen-on-v6 { ::1; 2001:19f0:7000:8945::64;};
    listen-on { 127.0.0.1; 107.191.60.48;};
    max-cache-ttl 1600;
    version none;                    // do not reveal the BIND version to CHAOS queries
    notify yes;
    also-notify { 108.61.190.64; };  // NOTIFY goes to the master as well
    allow-notify { 107.191.60.48; }; // this host's own address; per-zone "trusted" overrides below
    // NOTE(review): recursion is open to the whole Internet on a public server;
    // open resolvers are abused for amplification and widen the cache-poisoning
    // surface. Restrict recursion to "trusted"/localhost or split the roles.
    allow-recursion { any; };
    allow-recursion-on { any; };
    allow-query-cache-on{ any; };
    allow-query-on{ any; };
    // NOTE(review): relays dynamic UPDATE messages from anyone toward the master;
    // "none" is the safe setting unless forwarding is required.
    allow-update-forwarding{ any; };
    // NOTE(review): global AXFR to anyone; no zone below narrows it, so every
    // zone's full contents can be transferred on request.
    allow-transfer { any; };
    allow-query { any; };
    allow-query-cache { any; };
    // Dynamic updates accepted from "trusted" for every master zone that does
    // not override it (the two reverse zones below set "none").
    allow-update { trusted; };
    //forward first;
    // NOTE(review): the forwarder list includes 107.191.60.48, this server's own
    // listen-on address — confirm that forwarding to itself is intended.
    forwarders { 108.61.10.10; 108.61.190.64; 107.191.60.48; };
};

logging {
    category default { default_log; };
    category queries { resolver_file; };
    channel default_log { file "/var/log/named/named.log" versions 5 size 50M; print-time yes; print-severity yes; print-category yes; severity debug; };
    // general_file, config_file and xfer-in_file are defined but no category
    // below routes to them.
    channel general_file { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel config_file { file "/var/log/named/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
    // NOTE(review): "category default" is declared a second time here.
    category default { default_log; };
    category general { default_log; };
};

// The leading "#" makes this a comment: the external rndc key file is NOT
// included, so the key is defined inline below instead.
#include "/usr/local/etc/namedb/rndc.key";
// NOTE(review): "inet *" binds the rndc control channel (port 953) on every
// interface, including the public address; the allow list is the only barrier.
// Binding to 127.0.0.1 (plus a peer only if remote control is needed) is tighter.
controls { inet * port 953 allow { 127.0.0.1/32; ::1/128; 108.61.190.64; 107.191.60.48; } keys {"rndc-key"; }; };
// NOTE(review): this secret has been published together with the post and
// must be treated as compromised — regenerate it (rndc-confgen) and prefer
// hmac-sha256 over the legacy hmac-md5. It also differs from the secret shown
// in the master's config, so rndc between the two hosts needs the peer's key.
key "rndc-key" { algorithm hmac-md5; secret "N/SB9HZwr5yRIBwtRjcA6A=="; };

view "external" {
    match-clients { outside; };
    match-destinations { outside; };
    recursion yes;
    allow-recursion { any; };
    allow-query { outside; };
    // Root hints used by the recursive role.
    zone "." IN { type hint; file "/usr/local/etc/namedb/named.root"; };
    // Commented out by the leading "#": the generated zone list is not loaded.
    #include "/usr/local/etc/namedb/tmp/zonelist.db";
    // NOTE(review): "auto-dnssec allow" on a slave has nothing to sign — signing
    // happens on the master; the secondary just transfers the signed zone.
    zone "nyctelecomm.com" {
        type slave;
        masters {108.61.190.64;};
        allow-notify { trusted; };
        allow-transfer { any; };
        notify yes;
        auto-dnssec allow;
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/nyctelecomm.com.external.signed";
    };
    // The zone the Verisign debugger reports on.
    zone "ex-mailer.com" {
        type slave;
        masters {108.61.190.64; };
        // NOTE(review): commented out, and it would be wrong anyway — transfer-source
        // is the LOCAL source address, and 108.61.190.64 is the master, not this host.
        #transfer-source { 108.61.190.64; };
        allow-notify{ trusted; };
        notify yes;
        allow-transfer { any; };
        auto-dnssec allow;
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
    };
    zone "emailingu.com" {
        masters {108.61.190.64; };
        type slave;
        auto-dnssec allow;
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/emailingu.com.external.signed";
    };
    zone "zippy-mail.com" {
        type slave;
        masters {108.61.190.64; };
        auto-dnssec allow;
        key-directory "/usr/local/etc/namedb/";
        file "/usr/local/etc/namedb/zippy-mail.com.external.signed";
    };
    // NOTE(review): both reverse zones are "type master" here AND in the master's
    // config, so each host serves its own independent copy of the same zone.
    zone "190.61.108.in-addr.arpa"{ type master; allow-update {none;}; file "/usr/local/etc/namedb/reverse.external"; };
    zone "127.in-addr.arpa" { type master; allow-update {none;}; file "/usr/local/etc/namedb/127.0.0.1"; };
};
感謝您發布所有這些資訊,它幫助很大。
Verisign 工具在以下位置出錯:
Query to yoda.ex-mailer.com/108.61.175.48 for ex-mailer.com/A timed out or failed
您感興趣的域正在發布兩個不同的 NS 記錄。
ex-mailer.com nameserver = yoda.ex-mailer.com. ex-mailer.com nameserver = r2d2.ex-mailer.com.
從我自己的網路,我可以連接到 r2d2 並查詢 yoda 的 IP。當我嘗試連接到 yoda 時,我什麼也得不到。這就是威瑞信所指出的問題。當我看得更深一點時,我看到我對 yoda 的連線嘗試收到了
ICMP Destination Unreachable
來自 yoda 本身 (108.61.175.20) 的數據包。有趣的是,r2d2 將 yoda 的 IP 地址顯示為
108.61.175.48
,但您的配置文件建議它應該是108.61.190.64
或 108.61.10.10
。在這兩者之中,第一個能成功回應。看起來是以下兩種情況之一。
- ‘yoda’ 的 A 記錄不正確。應該是
108.61.190.64
,不是108.61.175.48
- NS 記錄應該指向 A 記錄
108.61.190.64
。