Powerdns
PowerDNS slave server not updating after receiving a notify
I'm running two machines with PowerDNS, one master (SQL backend) and one slave (bind backend).
After I modified the domain and bumped the serial, I got this in the logs:
    Sep 30 22:13:20 localhost pdns[6884]: 1 domain for which we are master needs notifications
    Sep 30 22:13:20 localhost pdns[6884]: Queued notification of domain 'netly.io' to 146.185.146.149
    Sep 30 22:13:20 localhost pdns[6884]: Queued notification of domain 'netly.io' to 146.185.147.74
    Sep 30 22:13:20 localhost pdns[6884]: Received NOTIFY for netly.io from 146.185.146.149 but slave support is disabled in the configuration
    Sep 30 22:13:21 localhost pdns[6884]: Received unsuccessful notification report for 'netly.io' from 146.185.146.149:53, rcode: 4
    Sep 30 22:13:21 localhost pdns[6884]: Removed from notification list: 'netly.io' to 146.185.146.149:53
    Sep 30 22:13:23 localhost pdns[6884]: No master domains need notifications
I know it is notifying itself (146.185.146.149) because it is configured as a name server, and those errors can be ignored. It also (apparently) notifies the other servers (146.185.147.74 or 162.243.29.199).
However, the slave shows nothing in its logs for that time window, and when I cat the zone file I can see the old serial number and that the subdomains have not been updated.
dig @slave-server also shows the old settings.
Telling it to reload doesn't update the bind zone file either:
    slave-server # pdns_control reload
    Ok
    slave-server # tail -f /var/log/daemon.log
    Sep 30 22:21:28 node-e31401 pdns[2259]: Zone 'netly.io' (/etc/powerdns/bind/netly.io.) needs reloading
    Sep 30 22:21:28 node-e31401 pdns[2259]: Zone 'netly.io' (/etc/powerdns/bind/netly.io.) reloaded
However, when I restart PDNS completely, it eventually discovers that it is stale and correctly fetches the updated zone:
    slave-server # /etc/init.d/pdns restart
    [ ok ] Restarting PowerDNS Authoritative Name Server: pdns.
    slave-server # tail -f /var/log/daemon.log
    Sep 30 22:23:48 node-e31401 pdns[2911]: 2 slave domains need checking, 0 queued for AXFR
    Sep 30 22:23:48 node-e31401 pdns[2911]: Received serial number updates for 2 zones, had 0 timeouts
    Sep 30 22:23:48 node-e31401 pdns[2911]: Domain netly.io is stale, master serial 2013093004, our serial 2013093003
    Sep 30 22:23:48 node-e31401 pdns[2911]: Domain titify.com is fresh (not presigned, no RRSIG check)
    Sep 30 22:23:48 node-e31401 pdns[2911]: No master domains need notifications
    Sep 30 22:23:48 node-e31401 pdns[2911]: Initiating transfer of 'netly.io' from remote '146.185.146.149'
    Sep 30 22:23:48 node-e31401 pdns[2911]: AXFR started for 'netly.io', transaction started
    Sep 30 22:23:48 node-e31401 pdns[2911]: Zone 'netly.io' (/etc/powerdns/bind/netly.io.) reloaded
    Sep 30 22:23:48 node-e31401 pdns[2911]: AXFR done for 'netly.io', zone committed with serial number 2013093004
    Sep 30 22:23:48 node-e31401 pdns[2911]: Done launching threads, ready to distribute questions
What am I missing here? Why does the master notify the slave correctly, yet the slave does not pick up the new zone?
Edit:
- Slave config: https://static.0x04.com/2013/10/slave.pdns_.txt
- Master config: https://static.0x04.com/2013/10/master.pdns_.txt
tcpdump:
    node-fd1d01 ~ # tcpdump -n 'host 146.185.146.149 and port 53'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    09:51:38.042713 IP 146.185.146.149.42478 > 162.243.29.199.53: 61745 notify [b2&3=0x2400] SOA? netly.io. (26)
    09:51:41.043323 IP 146.185.146.149.42478 > 162.243.29.199.53: 61745 notify [b2&3=0x2400] SOA? netly.io. (26)
    09:51:46.044145 IP 146.185.146.149.42478 > 162.243.29.199.53: 61745 notify [b2&3=0x2400] SOA? netly.io. (26)
    09:51:52.049533 IP 146.185.146.149.42478 > 162.243.29.199.53: 59408 notify [b2&3=0x2400] SOA? netly.io. (26)
    09:51:55.050715 IP 146.185.146.149.42478 > 162.243.29.199.53: 61745 notify [b2&3=0x2400] SOA? netly.io. (26)
    09:51:55.050753 IP 146.185.146.149.42478 > 162.243.29.199.53: 59408 notify [b2&3=0x2400] SOA? netly.io. (26)
    09:52:00.053327 IP 146.185.146.149.42478 > 162.243.29.199.53: 59408 notify [b2&3=0x2400] SOA? netly.io. (26)
    09:52:09.056321 IP 146.185.146.149.42478 > 162.243.29.199.53: 59408 notify [b2&3=0x2400] SOA? netly.io. (26)
The logs show nothing new (latest entry at 09h48):
    node-fd1d01 /etc/powerdns/bind # tail -f /var/log/daemon.log
    Oct 2 09:47:59 localhost pdns[2253]: Domain netly.io is fresh (not presigned, no RRSIG check)
    Oct 2 09:47:59 localhost pdns[2253]: Domain titify.com is fresh (not presigned, no RRSIG check)
    Oct 2 09:47:59 localhost pdns[2253]: No master domains need notifications
    Oct 2 09:47:59 localhost pdns[2253]: Done launching threads, ready to distribute questions
    Oct 2 09:48:00 localhost ntpd[2144]: Listen normally on 6 tun0 172.17.24.1 UDP 123
    Oct 2 09:48:00 localhost ntpd[2144]: Listen normally on 7 tun1 172.17.16.1 UDP 123
    Oct 2 09:48:00 localhost ntpd[2144]: peers refreshed
    Oct 2 09:48:12 localhost dbus[2093]: [system] Activating service name='org.freedesktop.ConsoleKit' (using servicehelper)
    Oct 2 09:48:12 localhost dbus[2093]: [system] Successfully activated service 'org.freedesktop.ConsoleKit'
    Oct 2 09:48:59 localhost pdns[2253]: No new unfresh slave domains, 0 queued for AXFR already
But when I cat the zone file (in bind format), it has not been updated.
The problem was that port 53 was firewalled from the outside, but not on localhost or on the VPN interface. I hadn't noticed because I usually tested with dig @localhost. If I understand correctly, the master sends a message to UDP/53 (per Stefan). So this was partially firewalled and caused the problem.
Master:
    Oct 3 18:56:25 localhost pdns[6884]: gmysql Connection successful
    Oct 3 18:56:25 localhost pdns[6884]: AXFR of domain 'netly.io' initiated by 162.243.25.159
    Oct 3 18:56:25 localhost pdns[6884]: AXFR of domain 'netly.io' allowed: client IP 162.243.25.159 is in allow-axfr-ips
    Oct 3 18:56:25 localhost pdns[6884]: gmysql Connection successful
    Oct 3 18:56:25 localhost pdns[6884]: gmysql Connection successful
    Oct 3 18:56:25 localhost pdns[6884]: AXFR of domain 'netly.io' to 162.243.25.159 finished
    Oct 3 18:56:25 localhost pdns[6884]: Received unsuccessful notification report for 'netly.io' from 146.185.146.149:53, rcode: 4
    Oct 3 18:56:25 localhost pdns[6884]: Removed from notification list: 'netly.io' to 146.185.146.149:53
    Oct 3 18:56:25 localhost pdns[6884]: Removed from notification list: 'netly.io' to 162.243.25.159:53 (was acknowledged)
    Oct 3 18:56:27 localhost pdns[6884]: No master domains need notifications
Slave:
    Oct 3 18:56:25 localhost pdns[2263]: 1 slave domain needs checking, 0 queued for AXFR
    Oct 3 18:56:25 localhost pdns[2263]: Received serial number updates for 1 zones, had 0 timeouts
    Oct 3 18:56:25 localhost pdns[2263]: Domain netly.io is stale, master serial 2013100302, our serial 2013100301
    Oct 3 18:56:25 localhost pdns[2263]: Initiating transfer of 'netly.io' from remote '146.185.146.149'
    Oct 3 18:56:25 localhost pdns[2263]: AXFR started for 'netly.io', transaction started
    Oct 3 18:56:25 localhost pdns[2263]: Zone 'netly.io' (/etc/powerdns/bind/netly.io.) reloaded
    Oct 3 18:56:25 localhost pdns[2263]: AXFR done for 'netly.io', zone committed with serial number 2013100302
We ran into this, and it turned out that the target of the DNS notify message was actually refusing it.
Note the "notify Refused" below. Server and zone names have been replaced with bogus ones.
    # tcpdump -v -r notify.pcap
    reading from file notify.pcap, link-type LINUX_SLL (Linux cooked)
    00:00:33.210137 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 61) master.dns.server.46861 > slave.dns.server.domain: 49437 notify SOA? zoneinquestion.com. (33)
    00:00:33.236488 IP (tos 0x0, ttl 55, id 17352, offset 0, flags [none], proto UDP (17), length 61) slave.dns.server.domain > master.dns.server.46861: 49437 notify Refused- 0/0/0 (33)
    00:00:36.244057 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 61) master.dns.server.46861 > slave.dns.server.domain: 48449 notify SOA? zoneinquestion.com. (33)
    00:00:36.269682 IP (tos 0x0, ttl 55, id 17353, offset 0, flags [none], proto UDP (17), length 61) slave.dns.server.domain > master.dns.server.46861: 48449 notify Refused- 0/0/0 (33)
    00:00:36.519361 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 61) master.dns.server.46861 > slave.dns.server.domain: 65128 notify SOA? zoneinquestion.com. (33)
    00:00:36.544391 IP (tos 0x0, ttl 55, id 17354, offset 0, flags [none], proto UDP (17), length 61) slave.dns.server.domain > master.dns.server.46861: 65128 notify Refused- 0/0/0 (33)
This output was captured on the master with:
tcpdump -U -i any -w notify.pcap -s 1600 host slave.dns.server
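Both answers above come down to what the slave does with the master's NOTIFY on UDP/53: a filtered port gives no reply at all, a target with slave support disabled answers rcode 4 (NOTIMP, as in the master's log), and an ACL mismatch answers REFUSED (rcode 5, as in the second answer's capture). The following is an added example, not code from the thread or from PowerDNS: it builds a raw RFC 1996 NOTIFY for a zone (the same 26-byte "notify [b2&3=0x2400] SOA? netly.io." packet the tcpdump output shows), decodes the reply header, and names the failure mode. The sample replies are constructed for the example, not captured traffic, and `send_notify` is a hypothetical helper that does real network I/O.

```python
"""Build a DNS NOTIFY (RFC 1996) for a zone and classify the slave's reply.

Added example for this thread, not PowerDNS code.  Header layout per RFC 1035;
NOTIFY is opcode 4 (RFC 1996).  Sample replies below are constructed, not captured.
"""
import socket
import struct
from typing import Optional

OPCODE_NOTIFY = 4
QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_notify(zone: str, msg_id: int) -> bytes:
    """NOTIFY request: QR=0, opcode 4, AA set, one SOA question (flags == 0x2400)."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def decode_header(pkt: bytes) -> dict:
    """Extract id, QR, opcode, AA and rcode from the 12-byte DNS header."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags = struct.unpack("!HH", pkt[:4])
    rcode = flags & 0x000F
    return {"id": msg_id, "qr": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0x000F, "aa": bool(flags & 0x0400),
            "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, f"RCODE{rcode}")}


def classify_reply(request: bytes, reply: Optional[bytes]) -> str:
    """Map the slave's answer (or silence) onto the failure modes seen in the thread."""
    if reply is None:
        return "no reply: UDP/53 filtered on the path, or nothing listening on the target"
    req, rsp = decode_header(request), decode_header(reply)
    if rsp["id"] != req["id"] or not rsp["qr"] or rsp["opcode"] != OPCODE_NOTIFY:
        return "reply does not match our NOTIFY (id, QR or opcode differ)"
    if rsp["rcode"] == 0:
        return "acknowledged: slave will now SOA-check and AXFR over TCP/53"
    if rsp["rcode"] == 4:
        return "NOTIMP: target has slave support disabled (the master log's rcode 4)"
    if rsp["rcode"] == 5:
        return "REFUSED: target does not accept NOTIFY from this source address"
    return f"unexpected rcode {rsp['rcode_name']}"


def send_notify(zone: str, target: str, timeout: float = 3.0, msg_id: int = 0x1234) -> str:
    """Hypothetical helper: send one NOTIFY to target:53 and classify the answer."""
    request = build_notify(zone, msg_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (target, 53))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            reply = None
    return classify_reply(request, reply)


# Constructed replies: same id and question as the request, QR=1, opcode 4, AA set.
REQUEST = build_notify("netly.io", 61745)
REPLY_NOTIMP = struct.pack("!HH", 61745, 0xA404) + REQUEST[4:]    # rcode 4
REPLY_REFUSED = struct.pack("!HH", 61745, 0xA405) + REQUEST[4:]   # rcode 5

if __name__ == "__main__":
    for label, rep in (("notimp", REPLY_NOTIMP), ("refused", REPLY_REFUSED), ("timeout", None)):
        print(f"{label:8s} -> {classify_reply(REQUEST, rep)}")
```

Run it against the slave from the master's outside address (not from localhost or the VPN interface) with `send_notify("netly.io", "<slave ip>")`; a "no reply" result with the slave otherwise answering `dig @localhost` is exactly the partially firewalled port 53 described in the first answer, while REFUSED points at the slave's ACL rather than the network.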