Ubuntu

Zone transfer between PowerDNS and Bind9

  • May 9, 2016

I am running into a problem when trying to transfer a full zone from a PowerDNS server to a Bind9 server. The strange thing is that there are several zones on the PowerDNS server, which is used as a hidden master (with a MySQL backend), but only one zone fails to transfer to the Bind9 server.

Both servers run Ubuntu 16.04 LTS. And:

  • Bind9 version = 9.10.3.dfsg.P4-8ubuntu1
  • PowerDNS version = 4.0.0~alpha2-3build1

The Bind9 slave zone is configured as follows:

zone "example.net" {
   type slave;
   file "/var/lib/bind/slaves/db.example.net";
   masters {
         10.0.0.1;
   };
};

The DNS zone in PowerDNS is:

% sudo pdnsutil show-zone example.net
This is a Master zone
Last SOA serial number we notified: 2016050801 == 2016050801 (serial in the database)
Zone is not actively secured
Metadata items: None
No keys for zone 'example.net.'.

% sudo pdnsutil list-zone example.net
example.net.    10800   IN  MX  10 mx1.example.org.
example.net.    10800   IN  MX  50 mx2.example.org.
example.net.    10800   IN  NS  ns1.example.org.
example.net.    10800   IN  NS  ns2.example.org.
example.net.    86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
...

Note the difference between **.net** and **.org** in this output. This is the PowerDNS output in the log when it tries to serve the zone to Bind.

May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2
May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips
May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' failed: not authoritative

And the corresponding log from Bind.

May  9 00:44:14 rdns01 named[32973]: zone example.net/IN: refresh: unexpected rcode (REFUSED) from master 10.0.0.1#53 (source 0.0.0.0#0)
May  9 00:44:14 rdns01 named[32973]: zone example.net/IN: Transfer started.
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: connected using 10.0.0.2#55376
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: failed while receiving responses: NOTAUTH
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer status: NOTAUTH
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.004 secs (0 bytes/sec)

So Bind9 says the server is not authoritative. That is strange. So let's use dig to make things clearer.

% dig @10.0.0.1 example.net. SOA

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @10.0.0.1 example.net. SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47002
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;example.net.           IN  SOA

;; ANSWER SECTION:
example.net.        86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400

;; Query time: 2 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon May 09 00:53:51 CEST 2016
;; MSG SIZE  rcvd: 104

Looks authoritative to me. So after that I tried doing an AXFR with dig. Surprisingly, it works...

% dig -t axfr example.net @10.0.0.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t axfr example.net @10.0.0.1
;; global options: +cmd
example.net.        86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
...
;; Query time: 73 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon May 09 00:56:42 CEST 2016
;; XFR size: 58 records (messages 3, bytes 1952)

I don't know where else to look.

Thanks for your help.

Update:

Log from a packet capture:

1   0.000000    10.0.0.2    10.0.0.1    DNS 82  Standard query 0xe0dd SOA example.net OPT
2   0.002902    10.0.0.1    10.0.0.2    DNS 82  Standard query response 0xe0dd Refused SOA example.net OPT
6   0.004506    10.0.0.2    10.0.0.1    DNS 97  Standard query 0x205c AXFR example.net
8   0.006432    10.0.0.1    10.0.0.2    DNS 97  Standard query response 0x205c Not authoritative AXFR example.net

PowerDNS log from a successful manual AXFR:

May  9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2
May  9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips
May  9 08:19:52 hdns01 pdns[40494]: AXFR of domain 'example.net.' to 10.0.0.2 finished

PowerDNS configuration file:

#################################
# allow-axfr-ips    Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,10.0.0.2

#################################
# also-notify   When notifying a domain, also notify these nameservers
#
also-notify=10.20.1.78,10.0.0.2

#################################
# daemon    Operate as a daemon
#
daemon=yes

#################################
# include-dir   Include *.conf files from this directory
#
# include-dir=
include-dir=/etc/powerdns/pdns.d

#################################
# launch    Which backends to launch and order to query them in
#
# launch=
launch=

#################################
# master    Act as a master
#
master=yes

#################################
# setgid    If set, change group id to this gid for more security
#
setgid=pdns

#################################
# setuid    If set, change user id to this uid for more security
#
setuid=pdns

And the MySQL backend configuration section in the */etc/powerdns/pdns.d/* directory.

# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql

# gmysql parameters
gmysql-host=127.0.0.1
gmysql-port=
gmysql-dbname=pdns
gmysql-user=MYUSER
gmysql-password=MYPASSWORD
gmysql-dnssec=yes
# gmysql-socket=

At my request, the poster came into our #powerdns IRC channel, and we quickly discovered that there was actually a typo between the domain names on the master and the slave, hidden by the obfuscation done when asking the question here.

I'm guessing here, because you have basically hidden everything useful. Are you deliberately making it hard to help you?

It looks like you have an entry for `example.net` in your `domains` table, but under that `domain_id` in the `records` table you have put `example.org` records. `pdnsutil check-all-zones` (or `pdnssec` if you are on 3.x) would probably notice this.
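The inconsistency this answer describes (a `domains` row whose `records` belong to a different zone) can be checked directly against the backend. The following is an added example, not code from the thread or from PowerDNS: it builds a cut-down, constructed copy of the generic SQL schema in SQLite, seeds it with constructed data reproducing the misfiled-records situation, and lists records whose owner name lies outside the zone they are filed under, plus zones with no SOA at the apex (the condition behind the "not authoritative" AXFR refusal).

```python
import sqlite3

# Constructed, cut-down PowerDNS generic-SQL schema: just the columns the check needs.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL, name TEXT,
                      type TEXT, content TEXT, ttl INTEGER);
"""

# Constructed sample data. example.net reproduces the mismatch the answer describes
# (domains row says example.net, records under its domain_id are example.org);
# example.com is a consistent zone for contrast.
SAMPLE_ZONES = {
    "example.net": [
        ("example.org", "SOA", "ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400"),
        ("example.org", "NS", "ns1.example.org."),
        ("www.example.org", "A", "192.0.2.10"),
    ],
    "example.com": [
        ("example.com", "SOA", "ns1.example.com. hostmaster.example.com. 2016050901 28800 7200 604800 86400"),
        ("www.example.com", "A", "192.0.2.20"),
    ],
}

# A record belongs to its zone only if its owner name is the apex or ends in ".<apex>";
# anything else filed under that domain_id can never be served for that zone.
MISFILED_SQL = """
SELECT d.name, r.name, r.type FROM records r JOIN domains d ON d.id = r.domain_id
WHERE NOT (r.name = d.name OR r.name LIKE '%.' || d.name) ORDER BY r.id
"""

# A zone with no SOA at its apex cannot be served authoritatively (the "not authoritative" case).
NO_APEX_SOA_SQL = """
SELECT d.name FROM domains d WHERE NOT EXISTS (SELECT 1 FROM records r
  WHERE r.domain_id = d.id AND r.type = 'SOA' AND r.name = d.name) ORDER BY d.name
"""

def build_db():
    # In-memory database seeded with the constructed sample zones.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for zone, rrs in SAMPLE_ZONES.items():
        cur = conn.execute("INSERT INTO domains (name, type) VALUES (?, 'MASTER')", (zone,))
        conn.executemany("INSERT INTO records (domain_id, name, type, content, ttl) "
                         "VALUES (?, ?, ?, ?, 86400)", [(cur.lastrowid, *rr) for rr in rrs])
    return conn

def misfiled_records(conn):
    # (zone, owner, type) for every record whose owner name is outside its zone.
    return conn.execute(MISFILED_SQL).fetchall()

def zones_without_apex_soa(conn):
    return [row[0] for row in conn.execute(NO_APEX_SOA_SQL)]
```

Against a real gmysql backend the two SELECT statements run unchanged; the SQLite wrapper only exists so the example is self-contained.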

Quoted from: https://serverfault.com/questions/775539