SERVFAIL after attempting a PTR configuration (BIND 9)
I am having trouble setting up reverse DNS.
I own the public IP address mentioned above.
After changing named.conf (adding the zone "1.198.193.in-addr.arpa"):
```
options {
    directory "/var/cache/bind";
    auth-nxdomain no;    # conform to RFC1035
    listen-on { 193.198.1.6; };
    listen-on-v6 { "none"; };
    recursion no;
    allow-transfer { 193.198.1.9; };
    also-notify { 193.198.1.9; };
};

controls {
    inet 127.0.0.1 allow { localhost; };
};

zone "gkr.hr" {
    type master;
    file "/etc/bind/zones/gkr.hr.db";
};

zone "gkri.hr" {
    type master;
    file "/etc/bind/zones/gkri.hr.db";
};

zone "1.198.193.in-addr.arpa" in {
    type master;
    file "/etc/bind/193.198.1.gkri.rev";
    allow-transfer { 193.198.1.9; };
    allow-query { any; };
};
```
and creating a new .rev file.
Contents of /etc/bind/193.198.1.gkri.rev:
```
$TTL 1D
@   SOA a.ns.gkr.hr. admin.gkr.hr. (
        2016091201  ; Serial
        10800       ; Refresh
        3600        ; Retry
        2419200     ; Expire
        14400 )     ; Minimum
@   NS  a.ns.gkr.hr.
@   NS  b.ns.gkr.hr.
11  PTR mail.gkri.hr.
```
After I run this configuration:
```
root@a:/home/admin# nslookup 193.198.1.11
```
I get
```
;; Got SERVFAIL reply from 161.53.123.3, trying next server
;; Got SERVFAIL reply from 161.53.160.3, trying next server
;; connection timed out; no servers could be reached
```
But when I run
```
root@a:/home/admin# nslookup mail.gkri.hr
```
I get mail.gkri.hr at 193.198.1.11:
```
Server:         161.53.123.3
Address:        161.53.123.3#53

Non-authoritative answer:
Name:   mail.gkri.hr
Address: 193.198.1.11
```
And some other useful information:
```
root@a:/home/admin# named-checkzone 1.198.193.in-addr.arpa /etc/bind/193.198.1.gkri.rev
zone 1.198.193.in-addr.arpa/IN: loaded serial 2016091201
OK
root@a:/home/admin# named-checkconf -z
zone gkr.hr/IN: loaded serial 2016091201
zone gkri.hr/IN: loaded serial 2016091203
zone 11.1.198.193.in-addr.arpa/IN: loaded serial 2016091201
```
```
root@a:/home/admin# host -t any 11.1.198.193.in-addr.arpa a.ns.gkr.hr
Using domain server:
Name: a.ns.gkr.hr
Address: 193.198.1.6#53
Aliases:

11.1.198.193.in-addr.arpa has SOA record a.ns.gkr.hr. admin.gkr.hr. 2016091201 10800 3600 2419200 14400
11.1.198.193.in-addr.arpa name server a.ns.gkr.hr.
11.1.198.193.in-addr.arpa name server b.ns.gkr.hr.
```
Running dig I get:
```
root@a:/etc/bind# dig -x 193.198.1.11

; <<>> DiG 9.7.3 <<>> -x 193.198.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11421
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;11.1.198.193.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
11.1.198.193.in-addr.arpa. 14400 IN     CNAME   11.0/27.1.198.193.in-addr.arpa.

;; Query time: 33 msec
;; SERVER: 161.53.123.3#53(161.53.123.3)
;; WHEN: Tue Sep 13 11:56:47 2016
;; MSG SIZE  rcvd: 65
```
```
root@a:/home/admin# dig -x 193.198.1.11 +trace

; <<>> DiG 9.7.3 <<>> -x 193.198.1.11 +trace
;; global options: +cmd
.                       3599800 IN      NS      e.root-servers.net.
.                       3599800 IN      NS      k.root-servers.net.
.                       3599800 IN      NS      j.root-servers.net.
.                       3599800 IN      NS      i.root-servers.net.
.                       3599800 IN      NS      c.root-servers.net.
.                       3599800 IN      NS      m.root-servers.net.
.                       3599800 IN      NS      b.root-servers.net.
.                       3599800 IN      NS      l.root-servers.net.
.                       3599800 IN      NS      a.root-servers.net.
.                       3599800 IN      NS      f.root-servers.net.
.                       3599800 IN      NS      g.root-servers.net.
.                       3599800 IN      NS      d.root-servers.net.
.                       3599800 IN      NS      h.root-servers.net.
;; Received 241 bytes from 161.53.123.3#53(161.53.123.3) in 15 ms

in-addr.arpa.           172800  IN      NS      e.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      f.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      d.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      c.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      b.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      a.in-addr-servers.arpa.
;; Received 419 bytes from 198.41.0.4#53(a.root-servers.net) in 35 ms

193.in-addr.arpa.       86400   IN      NS      tinnie.arin.net.
193.in-addr.arpa.       86400   IN      NS      pri.authdns.ripe.net.
193.in-addr.arpa.       86400   IN      NS      sns-pb.isc.org.
193.in-addr.arpa.       86400   IN      NS      sec3.apnic.net.
;; Received 156 bytes from 193.0.9.1#53(f.in-addr-servers.arpa) in 30 ms

198.193.in-addr.arpa.   172800  IN      NS      dns1.carnet.hr.
198.193.in-addr.arpa.   172800  IN      NS      dns2.carnet.hr.
198.193.in-addr.arpa.   172800  IN      NS      ns.ripe.net.
;; Received 159 bytes from 202.12.28.140#53(sec3.apnic.net) in 238 ms

11.1.198.193.in-addr.arpa. 14400 IN     CNAME   11.0/27.1.198.193.in-addr.arpa.
0/27.1.198.193.in-addr.arpa. 14400 IN   NS      ns.ri.carnet.hr.
0/27.1.198.193.in-addr.arpa. 14400 IN   NS      ns.gkri.hr.
;; Received 116 bytes from 161.53.160.2#53(dns2.carnet.hr) in 3 ms
```
This is my syslog after an /etc/init.d/bind9 restart:
```
root@a:/var/log# cat /var/log/syslog | grep named
Sep 13 10:12:37 a named[934]: received control channel command 'stop -p'
Sep 13 10:12:37 a named[934]: shutting down: flushing changes
Sep 13 10:12:37 a named[934]: stopping command channel on 127.0.0.1#953
Sep 13 10:12:37 a named[934]: no longer listening on 193.198.1.6#53
Sep 13 10:12:37 a named[934]: exiting
Sep 13 10:12:38 a named[1187]: starting BIND 9.7.3 -4 -u bind
Sep 13 10:12:38 a named[1187]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS='
Sep 13 10:12:38 a named[1187]: adjusted limit on open files from 1024 to 1048576
Sep 13 10:12:38 a named[1187]: found 1 CPU, using 1 worker thread
Sep 13 10:12:38 a named[1187]: using up to 4096 sockets
Sep 13 10:12:38 a named[1187]: loading configuration from '/etc/bind/named.conf'
Sep 13 10:12:38 a named[1187]: using default UDP/IPv4 port range: [1024, 65535]
Sep 13 10:12:38 a named[1187]: using default UDP/IPv6 port range: [1024, 65535]
Sep 13 10:12:38 a named[1187]: no IPv6 interfaces found
Sep 13 10:12:38 a named[1187]: listening on IPv4 interface eth0, 193.198.1.6#53
Sep 13 10:12:38 a named[1187]: generating session key for dynamic DNS
Sep 13 10:12:38 a named[1187]: set up managed keys zone for view _default, file 'managed-keys.bind'
Sep 13 10:12:38 a named[1187]: command channel listening on 127.0.0.1#953
Sep 13 10:12:38 a named[1187]: zone 11.1.198.193.in-addr.arpa/IN: loaded serial 2016091201
Sep 13 10:12:38 a named[1187]: zone gkr.hr/IN: loaded serial 2016091201
Sep 13 10:12:38 a named[1187]: zone gkri.hr/IN: loaded serial 2016091203
Sep 13 10:12:38 a named[1187]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Sep 13 10:12:38 a named[1187]: managed-keys-zone ./IN: loaded serial 0
Sep 13 10:12:38 a named[1187]: running
Sep 13 10:12:38 a named[1187]: zone 11.1.198.193.in-addr.arpa/IN: sending notifies (serial 2016091201)
Sep 13 10:12:38 a named[1187]: zone gkr.hr/IN: sending notifies (serial 2016091201)
Sep 13 10:12:38 a named[1187]: zone gkri.hr/IN: sending notifies (serial 2016091203)
```
Does anyone know what is wrong?
Could it be the DNSSEC key information in Bind 9?
* mentioned in syslog (managed-keys.bind)
Your zone is "0/27.1.198.193.in-addr.arpa", so change the zone in your named.conf to:
```
zone "0/27.1.198.193.in-addr.arpa" in {
```
and restart BIND.
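The answer hinges on the RFC 2317 classless delegation visible in the `+trace` output: the parent answers the classic PTR name with a CNAME into a `0/27.…` zone, and that is the zone name BIND must be configured to serve. The following is an added example (not code from the question or answer) that derives the expected zone apex from such delegation records and checks it against a named.conf zone name; the sample records are constructed from the dig output above.

```python
import ipaddress

# Constructed sample: the delegation records from the `dig -x 193.198.1.11 +trace`
# output in the question (the parent zone's CNAME and the NS set it points at).
TRACE = """\
11.1.198.193.in-addr.arpa. 14400 IN CNAME 11.0/27.1.198.193.in-addr.arpa.
0/27.1.198.193.in-addr.arpa. 14400 IN NS ns.ri.carnet.hr.
0/27.1.198.193.in-addr.arpa. 14400 IN NS ns.gkri.hr.
"""


def reverse_name(ip):
    """Classic PTR owner name for an IPv4 address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_records(text):
    """Return (owner, rrtype, rdata) tuples from dig-style presentation lines."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            recs.append((parts[0], parts[3], parts[4]))
    return recs


def delegated_zone(ip, records):
    """Zone apex the authoritative server must serve for ip's PTR.

    Under RFC 2317 the parent answers the classic PTR name with a CNAME into a
    '<host>.<first>/<prefix>.<net>.in-addr.arpa' zone; the apex is the CNAME
    target minus its leading host label and must carry the NS delegation.
    With no CNAME, the classic zone (PTR name minus its host label) applies.
    """
    ptr = reverse_name(ip)
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    ns_owners = {o for o, t, _ in records if t == "NS"}
    target = cnames.get(ptr)
    if target is None:
        return ptr.split(".", 1)[1]
    apex = target.split(".", 1)[1]
    if apex not in ns_owners:
        raise ValueError("CNAME target zone %s has no NS delegation" % apex)
    return apex


def zone_matches(configured, ip, records):
    """True if the named.conf zone name serves the delegated zone for ip."""
    return configured.rstrip(".") + "." == delegated_zone(ip, records)
```

With the page's records, `zone_matches("1.198.193.in-addr.arpa", ...)` is False while `zone_matches("0/27.1.198.193.in-addr.arpa", ...)` is True, which is exactly the rename the answer prescribes.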