主页 / server / 问题 / 1048376
Accepted
vinz
Asked: 2021-01-04 01:15:59 +0800 CST

NXDOMAIN 与 CNAME RR 在 ANSWER 部分

  • 772

如果我console.aws.amazon.com用解决dig,我得到:

; <<>> DiG 9.10.6 <<>> console.aws.amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35338
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;console.aws.amazon.com.        IN  A

;; ANSWER SECTION:
console.aws.amazon.com. 4   IN  CNAME   lbr-optimized.console-l.amazonaws.com.
lbr-optimized.console-l.amazonaws.com. 4 IN CNAME us-east-1.console.aws.amazon.com.
us-east-1.console.aws.amazon.com. 4 IN  CNAME   gr.console-geo.us-east-1.amazonaws.com.
gr.console-geo.us-east-1.amazonaws.com. 4 IN CNAME console.us-east-1.amazonaws.com.
console.us-east-1.amazonaws.com. 59 IN  A   54.239.30.25

但是,在解决us-east-1.console.aws.amazon.com它时会得到一个NXDOMAIN

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33652
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
us-east-1.console.aws.amazon.com. 60 IN CNAME   gr.console-geo.us-east-1.amazonaws.com.

;; AUTHORITY SECTION:
us-east-1.amazonaws.com. 60 IN  SOA ns-912.amazon.com. root.amazon.com. 1609664924 3600 900 7776000 60

;; Received 147 bytes from 52.9.146.37#53(ns-912.amazon.com) in 270 ms

看起来,即使我们有一个NXDOMAINas 响应代码,它也会继续解析 CNAME。但是,根据 RFC(我在 #8020 中看到),如果有NXDOMAINas 响应代码,则意味着链末端的域不存在,因此我们假设继续,因为我们不打算获得任何 A RR...

我在这里有点困惑,为什么我们NXDOMAIN在链条中间。NXDOMAIN如果我们CNAME在 ANSWER 部分中有 a 并继续解析 CNAME 链,是否可以安全地忽略?

是否有解决此类问题的 RFC?

domain-name-system

1 个回答

  1. Best Answer

    如果服务器实际上知道规范名称(“目标”)的状态,则CNAME(answer) + SOA(authority) + (rcode) 类型的答案是有效的。 在这种情况下,似乎名称服务器设置为也有一个区域(此 CNAME 引导的区域),它在其中查找并得出结论认为规范名称不存在。问题是这不是世界使用的实际区域,真正的委托导致完全不同的名称服务器。NXDOMAINCNAME
    aws.amazon.comus-east-1.amazonaws.comus-east-1.amazonaws.comus-east-1.amazonaws.com

    查看相关答案(来自问题),请注意SOA权威部分(负面回应的一部分)以及它是如何来自“假”us-east-1.amazonaws.com区域的ns-912.amazon.com

    $ dig @ns-912.amazon.com us-east-1.console.aws.amazon.com +norec

; <<>> DiG 9.11.25-RedHat-9.11.25-2.fc33 <<>> @ns-912.amazon.com us-east-1.console.aws.amazon.com +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19359
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;us-east-1.console.aws.amazon.com. IN   A

;; ANSWER SECTION:
us-east-1.console.aws.amazon.com. 60 IN CNAME   gr.console-geo.us-east-1.amazonaws.com.

;; AUTHORITY SECTION:
us-east-1.amazonaws.com. 60     IN      SOA     ns-912.amazon.com. root.amazon.com. 1609723312 3600 900 7776000 60

;; Query time: 152 msec
;; SERVER: 52.9.146.37#53(52.9.146.37)
;; WHEN: Mon Jan 04 01:21:54 UTC 2021
;; MSG SIZE  rcvd: 147

$

    “真实”us-east-1.amazonaws.com完全委托给别处(不是ns-912.amazon.com):

    us-east-1.amazonaws.com. 86400  IN      NS      ns2.p31.dynect.net.
us-east-1.amazonaws.com. 86400  IN      NS      ns4.p31.dynect.net.
us-east-1.amazonaws.com. 86400  IN      NS      pdns5.ultradns.info.
us-east-1.amazonaws.com. 86400  IN      NS      pdns3.ultradns.org.
us-east-1.amazonaws.com. 86400  IN      NS      ns1.p31.dynect.net.
us-east-1.amazonaws.com. 86400  IN      NS      ns3.p31.dynect.net.
us-east-1.amazonaws.com. 86400  IN      NS      pdns1.ultradns.net.
us-east-1.amazonaws.com. 86400  IN      NS      u2.amazonaws.com.
us-east-1.amazonaws.com. 86400  IN      NS      u6.amazonaws.com.
us-east-1.amazonaws.com. 86400  IN      NS      u3.amazonaws.com.
us-east-1.amazonaws.com. 86400  IN      NS      u5.amazonaws.com.
us-east-1.amazonaws.com. 86400  IN      NS      u1.amazonaws.com.
us-east-1.amazonaws.com. 86400  IN      NS      u4.amazonaws.com.

    并拥有完全不同的 SOA:

    us-east-1.amazonaws.com. 900    IN      SOA     dns-external-master.amazon.com. root.amazon.com. 8548 180 60 2592000 5

    至于尽管存在这种公然的错误配置,事情仍然运行得相对良好,我相信解析器只是看穿了这一声称NXDOMAIN,因为解析器通常只擅长在响应中信任“in bailiwick”数据。
    即,不信任响应中的附加数据,该响应声称属于实际上不在该名称服务器上托管的区域的名称。

    • 3

相关问题