I'm running into a problem trying to transfer a full zone from a PowerDNS server to a Bind9 server. The odd thing is that the PowerDNS server has several zones that it serves as a hidden master (with a MySQL backend), but only one of them fails to transfer to the Bind9 server.
Both servers run Ubuntu 16.04 LTS, with:
- Bind9 version = 9.10.3.dfsg.P4-8ubuntu1
- PowerDNS version = 4.0.0~alpha2-3build1
The Bind9 slave zone is configured as follows:
zone "example.net" {
    type slave;
    file "/var/lib/bind/slaves/db.example.net";
    masters {
        10.0.0.1;
    };
};
The DNS zone on PowerDNS is:
% sudo pdnsutil show-zone example.net
This is a Master zone
Last SOA serial number we notified: 2016050801 == 2016050801 (serial in the database)
Zone is not actively secured
Metadata items: None
No keys for zone 'example.net.'.
% sudo pdnsutil list-zone example.net
example.net. 10800 IN MX 10 mx1.example.org.
example.net. 10800 IN MX 50 mx2.example.org.
example.net. 10800 IN NS ns1.example.org.
example.net. 10800 IN NS ns2.example.org.
example.net. 86400 IN SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
...
Note the difference between .net and .org in this output. This is what PowerDNS writes to the log when it tries to serve the zone to Bind:
May 9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2
May 9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips
May 9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' failed: not authoritative
And the corresponding log from Bind:
May 9 00:44:14 rdns01 named[32973]: zone example.net/IN: refresh: unexpected rcode (REFUSED) from master 10.0.0.1#53 (source 0.0.0.0#0)
May 9 00:44:14 rdns01 named[32973]: zone example.net/IN: Transfer started.
May 9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: connected using 10.0.0.2#55376
May 9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: failed while receiving responses: NOTAUTH
May 9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer status: NOTAUTH
May 9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.004 secs (0 bytes/sec)
So Bind9 says the server is not authoritative. That is strange. So let's use dig to make things clearer.
% dig @10.0.0.1 example.net. SOA
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @10.0.0.1 example.net. SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47002
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;example.net. IN SOA
;; ANSWER SECTION:
example.net. 86400 IN SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
;; Query time: 2 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon May 09 00:53:51 CEST 2016
;; MSG SIZE rcvd: 104
Looks authoritative to me. So after that I tried doing an AXFR with dig. Surprisingly, it works...
% dig -t axfr example.net @10.0.0.1
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t axfr example.net @10.0.0.1
;; global options: +cmd
example.net. 86400 IN SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
...
;; Query time: 73 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon May 09 00:56:42 CEST 2016
;; XFR size: 58 records (messages 3, bytes 1952)
I don't know where else to look.
Thanks for your help.
Update:
Log of the packet capture:
1 0.000000 10.0.0.2 10.0.0.1 DNS 82 Standard query 0xe0dd SOA example.net OPT
2 0.002902 10.0.0.1 10.0.0.2 DNS 82 Standard query response 0xe0dd Refused SOA example.net OPT
6 0.004506 10.0.0.2 10.0.0.1 DNS 97 Standard query 0x205c AXFR example.net
8 0.006432 10.0.0.1 10.0.0.2 DNS 97 Standard query response 0x205c Not authoritative AXFR example.net
PowerDNS log from the successful manual AXFR:
May 9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2
May 9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips
May 9 08:19:52 hdns01 pdns[40494]: AXFR of domain 'example.net.' to 10.0.0.2 finished
PowerDNS configuration file:
#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,10.0.0.2
#################################
# also-notify When notifying a domain, also notify these nameservers
#
also-notify=10.20.1.78,10.0.0.2
#################################
# daemon Operate as a daemon
#
daemon=yes
#################################
# include-dir Include *.conf files from this directory
#
# include-dir=
include-dir=/etc/powerdns/pdns.d
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=
#################################
# master Act as a master
#
master=yes
#################################
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
#
setuid=pdns
And the MySQL backend configuration section in the /etc/powerdns/pdns.d/ directory:
# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql
# gmysql parameters
gmysql-host=127.0.0.1
gmysql-port=
gmysql-dbname=pdns
gmysql-user=MYUSER
gmysql-password=MYPASSWORD
gmysql-dnssec=yes
# gmysql-socket=
At my request, the poster came into our #powerdns IRC channel, and we quickly found that there was in fact a typo between the domain names on the master and the slave, which had been obfuscated away when the question was asked here.
I'm guessing here, since you've basically hidden everything useful. Are you deliberately making it hard to help you?
It looks like you have an entry for example.net in your domains table, but under that domain_id in the records table you have put example.org records. pdnsutil check-all-zones (or pdnssec if you are on 3.x) would probably notice this.
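As an added example (not from the question or from either answer): a consistency check over the PowerDNS gmysql domains/records tables for records filed under a domain_id whose zone name they do not belong to, which is the mismatch the answer above describes. It runs on an in-memory SQLite copy of the two tables with constructed sample rows; the query itself is plain SQL, and the only MySQL-specific change is noted in a comment.

```python
import sqlite3

# Minimal subset of the PowerDNS gmysql schema (domains / records), recreated in
# SQLite so the check runs offline; column names follow the PowerDNS schema.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                      name TEXT, type TEXT, content TEXT, ttl INTEGER);
"""

# Constructed sample rows reproducing the situation the answer describes: the
# domains row is named example.net, but the records filed under its domain_id
# carry example.org names. A correctly filed zone (example.com) is included too.
SAMPLE_DOMAINS = [(1, "example.net", "MASTER"), (2, "example.com", "MASTER")]
SAMPLE_RECORDS = [
    (1, 1, "example.org", "SOA", "ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400", 86400),
    (2, 1, "example.org", "NS", "ns1.example.org.", 10800),
    (3, 1, "www.example.org", "A", "192.0.2.10", 3600),
    (4, 2, "example.com", "SOA", "ns1.example.com. hostmaster.example.com. 1 28800 7200 604800 86400", 86400),
    (5, 2, "www.example.com", "A", "192.0.2.20", 3600),
]

# A record belongs to its zone only if its name is the zone apex itself or ends
# in ".<apex>". Anything else is stored under the wrong domain_id, and a zone
# whose SOA is filed that way cannot be served consistently by pdns.
# On MySQL, write the pattern as CONCAT('%.', d.name) instead of '%.' || d.name.
MISMATCH_QUERY = """
SELECT d.name, r.name, r.type
FROM records r JOIN domains d ON r.domain_id = d.id
WHERE r.name <> d.name AND r.name NOT LIKE '%.' || d.name
ORDER BY r.id
"""

def load_sample(conn):
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO domains VALUES (?, ?, ?)", SAMPLE_DOMAINS)
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_RECORDS)

def find_mismatched_records(conn):
    """Return (zone, record_name, type) for every record outside its zone's apex."""
    return conn.execute(MISMATCH_QUERY).fetchall()

def check_sample():
    """Load the constructed rows into an in-memory database and run the check."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return find_mismatched_records(conn)

if __name__ == "__main__":
    for zone, rname, rtype in check_sample():
        print(f"zone {zone}: record {rname} {rtype} is filed under the wrong domain_id")
```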