主页 / server / 问题 / 1095693
Accepted
peris
Asked: 2022-03-09 12:54:04 +0800 CST

突然 dig +nocmd pop3.pauperis.org aaaa +noall +answer 什么也没返回

  • 772

该命令dig +nocmd pop3.pauperis.org aaaa +noall +answer在我的笔记本电脑中返回以下内容:

pop3.pauperis.org.  3111    IN  CNAME   pauperis.org.
pauperis.org.       3111    IN  AAAA    2001:41d0:1:8ade::1

但是我的服务器上的相同命令,突然,在没有明显的配置更改后什么都不返回:

# dig +nocmd pop3.pauperis.org aaaa +noall +answer
#

这是我服务器上的响应,但有+trace选项:

dig +nocmd pop3.pauperis.org aaaa +noall +answer +trace
.           44679   IN  NS  e.root-servers.net.
.           44679   IN  NS  m.root-servers.net.
.           44679   IN  NS  l.root-servers.net.
.           44679   IN  NS  b.root-servers.net.
.           44679   IN  NS  g.root-servers.net.
.           44679   IN  NS  i.root-servers.net.
.           44679   IN  NS  a.root-servers.net.
.           44679   IN  NS  d.root-servers.net.
.           44679   IN  NS  h.root-servers.net.
.           44679   IN  NS  f.root-servers.net.
.           44679   IN  NS  j.root-servers.net.
.           44679   IN  NS  k.root-servers.net.
.           44679   IN  NS  c.root-servers.net.
.           44679   IN  RRSIG   NS 8 0 518400 20220316050000 20220303040000 9799 . WHZ//zKcRc0aFze+haFiC5a0GwaCwCsopDkMLzMZrOTTvejeb96R01h+ 2mlnsd4qivrbop0a7fBz+Vs/m+YVOPku+vCO/fnZ+NW/KgrtXpHoPopE WayXrfwtEC+Iu/G7gD1bePIhXqeEMSYlfLD84g7ezASeXc4q3Yrfw3+s SnKkG/vwlZ3IFcSw90bqyYoV597fRLZYdEoUzDjp9onU/NcwqmWJ6muV Ms2IO7kHTaUfMO7z6mgf5PGC2ylTywz+4WZLFd6t8QvZypEMGFwPSxJ2 W86Sdh2QJSDznW3V5CFW3tW+59ZzKsJHuGlHTwqem+egipZMXoMW9y+F 08ZVlg==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.            172800  IN  NS  b2.org.afilias-nst.org.
org.            172800  IN  NS  a2.org.afilias-nst.info.
org.            172800  IN  NS  d0.org.afilias-nst.org.
org.            172800  IN  NS  a0.org.afilias-nst.info.
org.            172800  IN  NS  b0.org.afilias-nst.org.
org.            172800  IN  NS  c0.org.afilias-nst.info.
org.            86400   IN  DS  26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org.            86400   IN  RRSIG   DS 8 1 86400 20220321170000 20220308160000 9799 . m3lulShGydigMRJiRixpAFeO9YBBkntgr2Gk42/sts9JLeGVavWmrAyd 5uFDMPf+DqWjgz65BCR1kipEpJAbETmqiwf17rrk9yDIXYGDfrdv04tg w5+4LjANeRzCqr9CH2FFokRt5cl2AdCSn2kNonndSM72Zfhots5ggn8G nTXyt3Aj3Hg4xagS1ZqPhodM15r95NVWw4ozPywSt76vI/oOgEBF6ckw Hz9AEg5i4MdSoLTwiT9fLE51KfiJQO6Xfp8ZANUFtwrydLb0pqJtXMbC BoJnhXjyjWzlOA5/ze5PR3nCh7tbtbTdxdowiB2Jrc3j5Cirfw7dAske TAjiiQ==
;; Received 817 bytes from 192.36.148.17#53(i.root-servers.net) in 3 ms

pauperis.org.       86400   IN  NS  ns111.ovh.net.
pauperis.org.       86400   IN  NS  dns111.ovh.net.
pauperis.org.       86400   IN  DS  18975 7 2 9CE6DA2D7883298D589BDBD5DFD29BB76FB24329C12B453A055F06F6 4EEC0C0C
pauperis.org.       86400   IN  RRSIG   DS 8 2 86400 20220322152315 20220301142315 30573 org. mE8EiULvqr8ZBCDb6rQnXHlxVoZtaTzbLjMtRi9w2jyGYYcKbX0m8N7R +b4NmqrsiQa7nz3DBbDDwt8IbXZfEIqVmGLJrx7Gp+uMDECa54mz06kG Xz1LWb6j/B6CA+1+fa+MyDBJt7A6inBLZQix8Fr9xkWRYznsQqyeeHnW YYo=
;; Received 305 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 83 ms

pop3.pauperis.org.  3600    IN  CNAME   pauperis.org.
pop3.pauperis.org.  3600    IN  RRSIG   CNAME 8 3 3600 20220403112323 20220304112323 37698 pauperis.org. OhXaHFQ1xfLU2T3zjUIBpKsW6k62NZVlnCf4aQKUhbtDcVTGbWDNbwo7 MkpsDh2zpwG3vIqzqdw9t0Uuq7A1U+TDH0SetnBDVvlR1dNNZRbEiWBd C1dJiNuItE37iDNexAebRBvSnM/9hfjDUwDaX7Q78iQS836gxkTSV/g7 Bys=
pauperis.org.       3600    IN  AAAA    2001:41d0:1:8ade::1
pauperis.org.       3600    IN  RRSIG   AAAA 8 2 3600 20220403112323 20220304112323 37698 pauperis.org. dZP/Vxls3u1x8lMQ4A4NULX/UMrf7M+YkBNim4pJ/O9qkHCHn3N19Fku JciU5LCsWd4dw856ejt6CLBDy1c5RSADfrP+q3O3x9kstsgrH+Wf0pP8 cU2y/mTJRSQWPp+6jBUITshXJvcuV+XFpHeA931570XelUGN7ZuEStzD COc=
;; Received 432 bytes from 2001:41d0:1:4a9b::1#53(dns111.ovh.net) in 3 ms

有人能告诉我可能出了什么问题吗?

非常感谢你在高级:)

domain-name-system internal-dns dns-zone dig

1 个回答

  1. Best Answer

    请参阅https://dnsviz.net/d/pop3.pauperis.org/YifJYQ/dnssec/DS此名称具有巨大的 DNSSEC 错误配置(父 aka 注册中心的记录 不匹配的典型案例,以及在DNSKEY子节点中找到的记录)。这需要在整个域正常工作之前解决。

    通过验证解析器(因此使用 DNSSEC 验证)比较正常答案,然后明确禁止 DNSSEC 验证,也很容易发现:

    $ dig pop3.pauperis.org @9.9.9.9

; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39260
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c145784edda54901
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; QUERY SIZE: 58

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 9 (DNSKEY Missing)

    SERVFAIL可以是很多东西但是 DNSSEC 致命错误总是SERVFAIL错误代码,然后在传递时注意扩展 DNS 错误:DNSKEY Missing

    然后同样绕过 DNSSEC(感谢 dig+cd标志):

    $ dig pop3.pauperis.org @9.9.9.9 +cd

; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9 +cd
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c028e114f2c210f8
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; QUERY SIZE: 58

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; ANSWER SECTION:
pop3.pauperis.org.  1h IN CNAME pauperis.org.
pauperis.org.       1h IN A 91.121.85.222

    现在你得到NOERROR. 删除 DNSSEC 验证的简单事实可以很好地证明该错误与 DNSSEC 相关。

    • 1

相关问题