背景
我正在按照本指南,尝试使用 dnssec-lookaside 选项搭建一台递归 DNSSEC 服务器。
错误信息
root@dnssec:/home/jose# systemctl status bind9
● bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: failed (Result: signal) since Sun 2020-01-19 18:54:09 UTC; 1s ago
Docs: man:named(8)
Process: 1617 ExecStart=/usr/sbin/named -f $OPTIONS (code=killed, signal=ABRT)
Main PID: 1617 (code=killed, signal=ABRT)
ene 19 18:54:09 dnssec named[1617]: #2 0x7f3fa9fd125e in ??
ene 19 18:54:09 dnssec named[1617]: #3 0x561ca9e89856 in ??
ene 19 18:54:09 dnssec named[1617]: #4 0x561ca9ecbc00 in ??
ene 19 18:54:09 dnssec named[1617]: #5 0x561ca9ecd343 in ??
ene 19 18:54:09 dnssec named[1617]: #6 0x7f3fa9b6fd99 in ??
ene 19 18:54:09 dnssec named[1617]: #7 0x7f3fa90e86db in ??
ene 19 18:54:09 dnssec named[1617]: #8 0x7f3fa881c88f in ??
ene 19 18:54:09 dnssec named[1617]: exiting (due to assertion failure)
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Failed with result 'signal'.
BIND 配置:
named.conf
root@dnssec:/home/jose# cat /etc/bind/named.conf
# Top-level named.conf: pulls in the two option files and declares the two
# zones this server is master for.
include "/etc/bind/named.conf.options";
# Second include; per the listing further down it holds the static
# trusted-keys block (the DNSSEC trust anchors).
include "/etc/bind/named.conf.options.dnssec";
# Forward zone, served from a local zone file.
zone "wetlands.cam"{
type master;
file "/etc/bind/db.wetlands.cam";
};
# Reverse (in-addr.arpa) zone, also served as master from a local file.
zone "30.20.10.in-addr.arpa"{
type master;
file "/etc/bind/db.30.20.10";
};
named.conf.options
root@dnssec:/home/jose# cat /etc/bind/named.conf.options
# Clients that may query this server: the lab subnet plus the server's own
# addresses and directly attached networks.
acl homeLab {
10.20.30.0/24;
localhost;
localnets;
};
# Global options for a recursive, DNSSEC-validating resolver.
options {
directory "/var/cache/bind";
# Recursion is enabled; queries are restricted to the homeLab ACL above.
recursion yes;
allow-query { homeLab; };
# Upstream resolvers: one on the lab subnet, then two public ones.
# NOTE(review): validation only works through forwarders that pass DNSSEC
# records back - confirm this for 10.20.30.1.
forwarders {
10.20.30.1;
8.8.8.8;
8.8.4.4;
};
dnssec-enable yes;
# "yes" validates against manually configured trust anchors (here the
# trusted-keys block in named.conf.options.dnssec).
dnssec-validation yes;
# NOTE(review): dnssec-lookaside appears twice in this block (here and at the
# end). The journal shows named warning that dnssec-lookaside 'auto' is no
# longer supported and that dlv.isc.org has been shut down, so neither
# statement can provide lookaside validation. Presumably these statements are
# what the parser assertion trips on - confirm with named-checkconf -p after
# removing them.
dnssec-lookaside "." trust-anchor auto;
auth-nxdomain no; # conform to RFC1035
# No IPv6 listeners.
listen-on-v6 { none; };
# Second lookaside statement; see the note on the first one above.
dnssec-lookaside auto;
};
named.conf.options 中还包含 logging 配置(如本文所述),但各日志文件中都没有与该错误相关的信息,因此为了便于阅读,这里省略了这部分配置。
named.conf.dnssec(即 /etc/bind/named.conf.options.dnssec)
root@dnssec:/home/jose# cat /etc/bind/named.conf.options.dnssec
# Static DNSSEC trust anchors. Each entry is: zone name, flags (257),
# protocol (3), algorithm number, then the base64 public key.
# NOTE(review): trusted-keys entries are fixed values and are not updated
# automatically when a zone rolls its key; a stale anchor makes validation
# fail for that zone. The journal also shows named reading built-in trust
# anchors from /etc/bind/bind.keys - confirm whether these hand-copied keys
# are needed at all, and verify each one against its publisher before
# trusting it.
trusted-keys{
"." 257 3 8
"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
"cat." 257 3 10
"AwEAAYA2JNjCp4vwA2YjEASi2AyxNSCB8RwAJveS44fCrcOsy3ejVzH4 s1bVKolZdObVAcZcjFd1uusnIZ6SRVpRxs2G9nflbYgCZ1oihfwPuuVE HExUDzu8nFEkivKTL4RBOT6EYNYgbVwG7JVRaCKU8/g1YR+by1cfTAl6 0SgdyMGapN3JlBcYBq9P3bMX0beYWdxTa+NSasAauLemmp84RJwBWtX3 YhAyF3LrCapSfLVkgakNb+kuUbQngnX1ABdioYD5BvFO3TjslwuFy+FU GH8HGaI2F4kwXfpIukUfjhGTnXihG1n1cI3Noy0wOL/twxy9SB66GbxT rNOnoXftnzk=";
"org." 257 3 7
"AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b dq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G1GdbjQgbP1OyYIG7OHTc4hv5 T2NlyWr6k6QFz98Q4zwFIGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsU ACxlidpwB0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4hL1jI R2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnCuxkfS4AQ485KH2tp dbWcCopLJZs6tw8q3jWcpTGzdh/v3xdYfNpQNcPImFlxAun3BtORPA2r 8ti6MNoJEHU=";
# NOTE(review): the journal reports "trusted-key for dlv.isc.org still
# present; dlv.isc.org has been shut down", so this anchor no longer serves
# a purpose and is a candidate for removal.
"dlv.isc.org." 257 3 5
"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
journalctl 输出
ene 19 18:54:09 dnssec systemd[1]: Started BIND Domain Name Server.
ene 19 18:54:09 dnssec named[1617]: starting BIND 9.11.3-1ubuntu1.11-Ubuntu (Extended Support Version) <id:a375815>
ene 19 18:54:09 dnssec named[1617]: running on Linux x86_64 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019
ene 19 18:54:09 dnssec named[1617]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexec
ene 19 18:54:09 dnssec named[1617]: running as: named -f -u bind
ene 19 18:54:09 dnssec named[1617]: ----------------------------------------------------
ene 19 18:54:09 dnssec named[1617]: BIND 9 is maintained by Internet Systems Consortium,
ene 19 18:54:09 dnssec named[1617]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
ene 19 18:54:09 dnssec named[1617]: corporation. Support and training for BIND 9 are
ene 19 18:54:09 dnssec named[1617]: available at https://www.isc.org/support
ene 19 18:54:09 dnssec named[1617]: ----------------------------------------------------
ene 19 18:54:09 dnssec named[1617]: adjusted limit on open files from 4096 to 1048576
ene 19 18:54:09 dnssec named[1617]: found 1 CPU, using 1 worker thread
ene 19 18:54:09 dnssec named[1617]: using 1 UDP listener per interface
ene 19 18:54:09 dnssec named[1617]: using up to 4096 sockets
ene 19 18:54:09 dnssec named[1617]: loading configuration from '/etc/bind/named.conf'
ene 19 18:54:09 dnssec named[1617]: /etc/bind/named.conf.options:27: dnssec-lookaside 'auto' is no longer supported
ene 19 18:54:09 dnssec named[1617]: /etc/bind/named.conf.options.dnssec:1: trusted-key for dlv.isc.org still present; dlv.isc.org has been shut down
ene 19 18:54:09 dnssec named[1617]: reading built-in trust anchors from file '/etc/bind/bind.keys'
ene 19 18:54:09 dnssec named[1617]: initializing GeoIP Country (IPv4) (type 1) DB
ene 19 18:54:09 dnssec named[1617]: GEO-106FREE 20180315 Build
ene 19 18:54:09 dnssec named[1617]: initializing GeoIP Country (IPv6) (type 12) DB
ene 19 18:54:09 dnssec named[1617]: GEO-106FREE 20180315 Build
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv4) (type 2) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv4) (type 6) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv6) (type 30) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP City (IPv6) (type 31) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Region (type 3) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Region (type 7) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP ISP (type 4) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Org (type 5) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP AS (type 9) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP Domain (type 11) DB not available
ene 19 18:54:09 dnssec named[1617]: GeoIP NetSpeed (type 10) DB not available
ene 19 18:54:09 dnssec named[1617]: using default UDP/IPv4 port range: [32768, 60999]
ene 19 18:54:09 dnssec named[1617]: using default UDP/IPv6 port range: [32768, 60999]
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface lo, 127.0.0.1#53
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface enp0s3, 10.20.30.200#53
ene 19 18:54:09 dnssec named[1617]: listening on IPv4 interface enp0s8, 192.168.56.200#53
ene 19 18:54:09 dnssec named[1617]: generating session key for dynamic DNS
ene 19 18:54:09 dnssec named[1617]: sizing zone task pool based on 2 zones
ene 19 18:54:09 dnssec named[1617]: none:103: 'max-cache-size 90%' - setting to 886MB (out of 985MB)
ene 19 18:54:09 dnssec named[1617]: ../../../lib/isccfg/parser.c:1228: REQUIRE(obj != ((void *)0) && obj->type->rep == &cfg_rep_string) failed, back trace
ene 19 18:54:09 dnssec named[1617]: #0 0x561ca9ea1050 in ??
ene 19 18:54:09 dnssec named[1617]: #1 0x7f3fa9b477da in ??
ene 19 18:54:09 dnssec named[1617]: #2 0x7f3fa9fd125e in ??
ene 19 18:54:09 dnssec named[1617]: #3 0x561ca9e89856 in ??
ene 19 18:54:09 dnssec named[1617]: #4 0x561ca9ecbc00 in ??
ene 19 18:54:09 dnssec named[1617]: #5 0x561ca9ecd343 in ??
ene 19 18:54:09 dnssec named[1617]: #6 0x7f3fa9b6fd99 in ??
ene 19 18:54:09 dnssec named[1617]: #7 0x7f3fa90e86db in ??
ene 19 18:54:09 dnssec named[1617]: #8 0x7f3fa881c88f in ??
ene 19 18:54:09 dnssec named[1617]: exiting (due to assertion failure)
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
ene 19 18:54:09 dnssec systemd[1]: bind9.service: Failed with result 'signal'.
您的 BIND 服务器在读取配置时崩溃了。请尝试运行
named-checkconf -p
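以检查语法是否正确。您遇到的错误是一次断言失败:断言是程序员在确信某种情况绝不会发生时才使用的检查。所以归根结底,您触发的是 BIND 自身的一个缺陷——正确的行为应当是检测出配置错误并打印恰当的错误信息。另外,上面的 journalctl 输出在崩溃之前已经指出了两处配置问题:dnssec-lookaside 'auto' 已不再受支持,以及 dlv.isc.org 已经关闭但其 trusted-key 仍然存在;建议先处理这两处,再重新启动 named。
如果您能够复现该错误,应将其报告到 BIND 的问题跟踪器。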