PTR 配置嘗試後的 SERVFAIL (BIND 9)

我在設置反向 DNS 時遇到問題。

我擁有上述公共 IP 地址。

更改named.conf後（添加區域 “1.198.193.in-addr.arpa” ）

options {
       directory "/var/cache/bind";

       auth-nxdomain no;    # conform to RFC1035

       listen-on { 193.198.1.6; };
       listen-on-v6 { "none"; };

       recursion no;

       allow-transfer { 193.198.1.9; };
       also-notify { 193.198.1.9; };
};

controls {
       inet 127.0.0.1 allow { localhost; };
};

zone "gkr.hr" {
       type master;
       file "/etc/bind/zones/gkr.hr.db";
};

zone "gkri.hr" {
       type master;
       file "/etc/bind/zones/gkri.hr.db";
};


zone "1.198.193.in-addr.arpa" in {
       type master;
       file "/etc/bind/193.198.1.gkri.rev";
       allow-transfer {
               193.198.1.9;
       };
       allow-query { any; };

};

並創建一個新的 .rev 文件

/etc/bind/193.198.1.gkri.rev 的內容

$TTL 1D

@       SOA     a.ns.gkr.hr. admin.gkr.hr. (

       2016091201 ; Serial
       10800      ; Refresh
       3600       ; Retry
       2419200    ; Expire
       14400)     ; Minimum

@       NS      a.ns.gkr.hr.
@       NS      b.ns.gkr.hr.

11      PTR     mail.gkri.hr.

在我執行此配置後：

root@a:/home/admin# nslookup 193.198.1.11

我明白了

;; Got SERVFAIL reply from 161.53.123.3, trying next server
;; Got SERVFAIL reply from 161.53.160.3, trying next server
;; connection timed out; no servers could be reached

但是當我跑步時

root@a:/home/admin# nslookup mail.gkri.hr

mail.gkri.hr 位於 193.198.1.11

Server:     161.53.123.3
Address:    161.53.123.3#53

Non-authoritative answer:
Name:   mail.gkri.hr
Address: 193.198.1.11

還有一些其他有價值的資訊

root@a:/home/admin# named-checkzone 1.198.193.in-addr.arpa /etc/bind/193.198.1.gkri.rev

zone 1.198.193.in-addr.arpa/IN: loaded serial 2016091201
OK
root@a:/home/admin# named-checkconf -z
zone gkr.hr/IN: loaded serial 2016091201
zone gkri.hr/IN: loaded serial 2016091203
zone 11.1.198.193.in-addr.arpa/IN: loaded serial 2016091201

root@a:/home/admin# host -t any 11.1.198.193.in-addr.arpa a.ns.gkr.hr

Using domain server:
Name: a.ns.gkr.hr
Address: 193.198.1.6#53
Aliases: 

11.1.198.193.in-addr.arpa has SOA record a.ns.gkr.hr. admin.gkr.hr. 2016091201 10800 3600 2419200 14400
11.1.198.193.in-addr.arpa name server a.ns.gkr.hr.
11.1.198.193.in-addr.arpa name server b.ns.gkr.hr.

執行 dig 我得到

root@a:/etc/bind# dig -x 193.198.1.11

; <<>> DiG 9.7.3 <<>> -x 193.198.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11421
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;11.1.198.193.in-addr.arpa. IN  PTR

;; ANSWER SECTION:
11.1.198.193.in-addr.arpa. 14400 IN CNAME   11.0/27.1.198.193.in-addr.arpa.

;; Query time: 33 msec
;; SERVER: 161.53.123.3#53(161.53.123.3)
;; WHEN: Tue Sep 13 11:56:47 2016
;; MSG SIZE  rcvd: 65

root@a:/home/admin# dig -x 193.198.1.11 +trace

     ; <<>> DiG 9.7.3 <<>> -x 193.198.1.11 +trace
       ;; global options: +cmd
       .           3599800 IN  NS  e.root-servers.net.
       .           3599800 IN  NS  k.root-servers.net.
       .           3599800 IN  NS  j.root-servers.net.
       .           3599800 IN  NS  i.root-servers.net.
       .           3599800 IN  NS  c.root-servers.net.
       .           3599800 IN  NS  m.root-servers.net.
       .           3599800 IN  NS  b.root-servers.net.
       .           3599800 IN  NS  l.root-servers.net.
       .           3599800 IN  NS  a.root-servers.net.
       .           3599800 IN  NS  f.root-servers.net.
       .           3599800 IN  NS  g.root-servers.net.
       .           3599800 IN  NS  d.root-servers.net.
       .           3599800 IN  NS  h.root-servers.net.
       ;; Received 241 bytes from 161.53.123.3#53(161.53.123.3) in 15 ms

       in-addr.arpa.       172800  IN  NS  e.in-addr-servers.arpa.
       in-addr.arpa.       172800  IN  NS  f.in-addr-servers.arpa.
       in-addr.arpa.       172800  IN  NS  d.in-addr-servers.arpa.
       in-addr.arpa.       172800  IN  NS  c.in-addr-servers.arpa.
       in-addr.arpa.       172800  IN  NS  b.in-addr-servers.arpa.
       in-addr.arpa.       172800  IN  NS  a.in-addr-servers.arpa.
       ;; Received 419 bytes from 198.41.0.4#53(a.root-servers.net) in 35 ms

       193.in-addr.arpa.   86400   IN  NS  tinnie.arin.net.
       193.in-addr.arpa.   86400   IN  NS  pri.authdns.ripe.net.
       193.in-addr.arpa.   86400   IN  NS  sns-pb.isc.org.
       193.in-addr.arpa.   86400   IN  NS  sec3.apnic.net.
       ;; Received 156 bytes from 193.0.9.1#53(f.in-addr-servers.arpa) in 30 ms

       198.193.in-addr.arpa.   172800  IN  NS  dns1.carnet.hr.
       198.193.in-addr.arpa.   172800  IN  NS  dns2.carnet.hr.
       198.193.in-addr.arpa.   172800  IN  NS  ns.ripe.net.
       ;; Received 159 bytes from 202.12.28.140#53(sec3.apnic.net) in 238 ms

11.1.198.193.in-addr.arpa. 14400 IN CNAME   11.0/27.1.198.193.in-addr.arpa.
0/27.1.198.193.in-addr.arpa. 14400 IN   NS  ns.ri.carnet.hr.
0/27.1.198.193.in-addr.arpa. 14400 IN   NS  ns.gkri.hr.
;; Received 116 bytes from 161.53.160.2#53(dns2.carnet.hr) in 3 ms

這是 /etc/init.d/bind9 重啟後我的系統日誌

root@a:/var/log# cat /var/log/syslog | grep 命名

Sep 13 10:12:37 a named[934]: received control channel command 'stop -p'
Sep 13 10:12:37 a named[934]: shutting down: flushing changes
Sep 13 10:12:37 a named[934]: stopping command channel on 127.0.0.1#953
Sep 13 10:12:37 a named[934]: no longer listening on 193.198.1.6#53
Sep 13 10:12:37 a named[934]: exiting
Sep 13 10:12:38 a named[1187]: starting BIND 9.7.3 -4 -u bind
Sep 13 10:12:38 a named[1187]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS='
Sep 13 10:12:38 a named[1187]: adjusted limit on open files from 1024 to 1048576
Sep 13 10:12:38 a named[1187]: found 1 CPU, using 1 worker thread
Sep 13 10:12:38 a named[1187]: using up to 4096 sockets
Sep 13 10:12:38 a named[1187]: loading configuration from '/etc/bind/named.conf'
Sep 13 10:12:38 a named[1187]: using default UDP/IPv4 port range: [1024, 65535]
Sep 13 10:12:38 a named[1187]: using default UDP/IPv6 port range: [1024, 65535]
Sep 13 10:12:38 a named[1187]: no IPv6 interfaces found
Sep 13 10:12:38 a named[1187]: listening on IPv4 interface eth0, 193.198.1.6#53
Sep 13 10:12:38 a named[1187]: generating session key for dynamic DNS
Sep 13 10:12:38 a named[1187]: set up managed keys zone for view _default, file 'managed-keys.bind'
Sep 13 10:12:38 a named[1187]: command channel listening on 127.0.0.1#953
Sep 13 10:12:38 a named[1187]: zone 11.1.198.193.in-addr.arpa/IN: loaded serial 2016091201
Sep 13 10:12:38 a named[1187]: zone gkr.hr/IN: loaded serial 2016091201
Sep 13 10:12:38 a named[1187]: zone gkri.hr/IN: loaded serial 2016091203
Sep 13 10:12:38 a named[1187]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Sep 13 10:12:38 a named[1187]: managed-keys-zone ./IN: loaded serial 0
Sep 13 10:12:38 a named[1187]: running
Sep 13 10:12:38 a named[1187]: zone 11.1.198.193.in-addr.arpa/IN: sending notifies (serial 2016091201)
Sep 13 10:12:38 a named[1187]: zone gkr.hr/IN: sending notifies (serial 2016091201)
Sep 13 10:12:38 a named[1187]: zone gkri.hr/IN: sending notifies (serial 2016091203)

有人知道出了什麼問題嗎？

可能是Bind 9 的 DNSSEC 關鍵資訊嗎？

*在 syslog (managed-keys.bind) 中提到

您的區域是“0/27.1.198.193.in-addr.arpa”，因此將您在 named.conf 中的區域更改為：

zone "0/27.1.198.193.in-addr.arpa" in {

重新啟動 BIND。

引用自：https://serverfault.com/questions/802748