Ubuntu
PowerDNS 和 Bind9 之間的區域傳輸
嘗試將完整區域從 PowerDNS 伺服器傳輸到 Bind9 伺服器時遇到問題。奇怪的是,PowerDNS 伺服器上有幾個區域用作隱藏的主伺服器(帶有 MySQL 後端),但只有一個區域無法傳輸到 Bind9 伺服器。
兩台伺服器都執行 Ubuntu 16.04 LTS。和:
- Bind9 版本 = 9.10.3.dfsg.P4-8ubuntu1
- PowerDNS 版本 = 4.0.0~alpha2-3build1
Bind9 從區配置如下:
zone "example.net" { type slave; file "/var/lib/bind/slaves/db.example.net"; masters { 10.0.0.1; }; };
PowerDNS 的 DNS 區域是:
% sudo pdnsutil show-zone example.net This is a Master zone Last SOA serial number we notified: 2016050801 == 2016050801 (serial in the database) Zone is not actively secured Metadata items: None No keys for zone 'example.net.'. % sudo pdnsutil list-zone example.net example.net. 10800 IN MX 10 mx1.example.org. example.net. 10800 IN MX 50 mx2.example.org. example.net. 10800 IN NS ns1.example.org. example.net. 10800 IN NS ns2.example.org. example.net. 86400 IN SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400 ...
請注意此輸出中**.net和.org**之間的區別。這是在嘗試將區域提供給 Bind 時日誌中的 PowerDNS 輸出。
May 9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2 May 9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips May 9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' failed: not authoritative
以及Bind給出的對應日誌。
May 9 00:44:14 rdns01 named[32973]: zone example.net/IN: refresh: unexpected rcode (REFUSED) from master 10.0.0.1#53 (source 0.0.0.0#0) May 9 00:44:14 rdns01 named[32973]: zone example.net/IN: Transfer started. May 9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: connected using 10.0.0.2#55376 May 9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: failed while receiving responses: NOTAUTH May 9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer status: NOTAUTH May 9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.004 secs (0 bytes/sec)
所以Bind9是說伺服器不權威。這很奇怪。因此,讓我們使用dig讓事情變得更清晰。
% dig @10.0.0.1 example.net. SOA ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @10.0.0.1 example.net. SOA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47002 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1680 ;; QUESTION SECTION: ;example.net. IN SOA ;; ANSWER SECTION: example.net. 86400 IN SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400 ;; Query time: 2 msec ;; SERVER: 10.0.0.1#53(10.0.0.1) ;; WHEN: Mon May 09 00:53:51 CEST 2016 ;; MSG SIZE rcvd: 104
對我來說似乎很權威。所以在那之後我嘗試用 dig 做一個 AXFR。令人驚訝的是它有效……
% dig -t axfr example.net @10.0.0.1 ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t axfr example.net @10.0.0.1 ;; global options: +cmd example.net. 86400 IN SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400 ... ;; Query time: 73 msec ;; SERVER: 10.0.0.1#53(10.0.0.1) ;; WHEN: Mon May 09 00:56:42 CEST 2016 ;; XFR size: 58 records (messages 3, bytes 1952)
我不知道該去哪裡找了。
謝謝你的幫助。
更新:
數據包擷取的日誌:
1 0.000000 10.0.0.2 10.0.0.1 DNS 82 Standard query 0xe0dd SOA example.net OPT 2 0.002902 10.0.0.1 10.0.0.2 DNS 82 Standard query response 0xe0dd Refused SOA example.net OPT 6 0.004506 10.0.0.2 10.0.0.1 DNS 97 Standard query 0x205c AXFR example.net 8 0.006432 10.0.0.1 10.0.0.2 DNS 97 Standard query response 0x205c Not authoritative AXFR example.net
來自成功的手動 AXFR 的 PowerDNS 日誌:
May 9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2 May 9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips May 9 08:19:52 hdns01 pdns[40494]: AXFR of domain 'example.net.' to 10.0.0.2 finished
PowerDNS 配置文件:
################################# # allow-axfr-ips Allow zonetransfers only to these subnets # allow-axfr-ips=127.0.0.0/8,::1,10.0.0.2 ################################# # also-notify When notifying a domain, also notify these nameservers # also-notify=10.20.1.78,10.0.0.2 ################################# # daemon Operate as a daemon # daemon=yes ################################# # include-dir Include *.conf files from this directory # # include-dir= include-dir=/etc/powerdns/pdns.d ################################# # launch Which backends to launch and order to query them in # # launch= launch= ################################# # master Act as a master # master=yes ################################# # setgid If set, change group id to this gid for more security # setgid=pdns ################################# # setuid If set, change user id to this uid for more security # setuid=pdns
*以及/etc/powerdns/pdns.d/*目錄中的 MySQL 後端配置部分。
# MySQL Configuration # # Launch gmysql backend launch+=gmysql # gmysql parameters gmysql-host=127.0.0.1 gmysql-port= gmysql-dbname=pdns gmysql-user=MYUSER gmysql-password=MYPASSWORD gmysql-dnssec=yes # gmysql-socket=
應我的要求,發帖人進入了我們的#powerdns IRC 頻道,我們很快發現主伺服器和從伺服器的域名之間實際上存在拼寫錯誤 - 在這裡提出問題時所做的混淆隱藏。
我猜在這裡,因為你基本上隱藏了所有有用的東西。你是否故意讓幫助你變得困難?
看起來
example.net
您的表格中有一個條目domains
,但在表格中domain_id
的條目下records
,您放置了example.org
記錄。pdnsutil check-all-zones
(或者pdnssec
如果您使用的是 3.x)可能會注意到這一點。