bind9 fails on all .co domains, but only when DNSSEC validation is enabled

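I run a DNS server on my LAN because I don't want an external point of failure for resolving a bunch of private subdomains, which don't need to be listed in public DNS anyway.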

I have a resolver set up to resolve our domains, or forward to our ISP's DNS servers.

It usually works without problems, but at the moment it cannot reach any .co domain unless DNSSEC is disabled, which I don't think I should do.

I have updated /etc/bind/bind.keys

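How do I debug the cause of the failure? To me it looks like the RRSIG records have dodgy NS data, or there is some other network failure with the nsX.cctld.co servers, but I don't know enough to work it out.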

    # rndc validation check
    DNSSEC validation is enabled (view privateservers)
    # dig +trace do.co

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace do.co
    ;; global options: +cmd
    . 77153 IN NS g.root-servers.net.
    . 77153 IN NS a.root-servers.net.
    . 77153 IN NS m.root-servers.net.
    . 77153 IN NS h.root-servers.net.
    . 77153 IN NS k.root-servers.net.
    . 77153 IN NS j.root-servers.net.
    . 77153 IN NS c.root-servers.net.
    . 77153 IN NS b.root-servers.net.
    . 77153 IN NS f.root-servers.net.
    . 77153 IN NS d.root-servers.net.
    . 77153 IN NS e.root-servers.net.
    . 77153 IN NS l.root-servers.net.
    . 77153 IN NS i.root-servers.net.
    ;; Received 239 bytes from 192.168.20.1#53(192.168.20.1) in 1 ms

    co. 172800 IN NS ns1.cctld.co.
    co. 172800 IN NS ns2.cctld.co.
    co. 172800 IN NS ns3.cctld.co.
    co. 172800 IN NS ns4.cctld.co.
    co. 172800 IN NS ns5.cctld.co.
    co. 172800 IN NS ns6.cctld.co.
    co. 86400 IN DS 21754 8 2 C30634014C0752DA93B0633ED4CE641B63826A5DED820027F4117CA0 C32050A0
    co. 86400 IN DS 21754 8 1 8B9B8FDA21B4CF6FC3E97A31FC0D77C1CB7E70EE
    co. 86400 IN DS 10384 8 1 DF157833AAD57F3561F3A47F178BA46E7E7183DC
    co. 86400 IN DS 10384 8 2 A76358B4C22E95C2C4A56DB8ADC923779E0829142D7C51B04E54769C 86407D70
    co. 86400 IN RRSIG DS 8 1 86400 20170826170000 20170813160000 15768 . N8hBVmcw3geU/EqNR2fqWH2rd9v5cdGfZ44h5sxPmreta1SZPupsq3RV FN37fZfKuzcwN7Obe3eE6k3Mxn0KyzGY/cF4wnqCD7HWBrvfz50b1yxD REitHlhKt6ZqC/NPaa5NGa6tWyeKuhD/D3tc74rK95eVnfCWmTY1PFth QoB8IZJFw2UIO8bS9Zpd82im1wHP9PRRF8nWUFYd4rOI6LU6ahCsckij HngqmuLFvfsZeRXY/yAzImy1REbSqAon/RGCsckoeuXs4rLBq7QUxLeA W2GcmczUkxspQciGsK71WgFrRyl2o6NrvlsmTO9XHQ2OVccSp8Ee29FY ukm6wA==
    couldn't get address for 'ns1.cctld.co': failure
    couldn't get address for 'ns2.cctld.co': failure
    couldn't get address for 'ns3.cctld.co': failure
    couldn't get address for 'ns4.cctld.co': failure
    couldn't get address for 'ns5.cctld.co': failure
    couldn't get address for 'ns6.cctld.co': failure
    dig: couldn't get address for 'ns1.cctld.co': no more

Then I disable validation, and I get this:

    # rndc validation off
    # dig +trace do.co

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace do.co
    ;; global options: +cmd
    . 84407 IN NS m.root-servers.net.
    . 84407 IN NS g.root-servers.net.
    . 84407 IN NS a.root-servers.net.
    . 84407 IN NS k.root-servers.net.
    . 84407 IN NS i.root-servers.net.
    . 84407 IN NS b.root-servers.net.
    . 84407 IN NS l.root-servers.net.
    . 84407 IN NS f.root-servers.net.
    . 84407 IN NS d.root-servers.net.
    . 84407 IN NS j.root-servers.net.
    . 84407 IN NS c.root-servers.net.
    . 84407 IN NS h.root-servers.net.
    . 84407 IN NS e.root-servers.net.
    ;; Received 239 bytes from 192.168.20.1#53(192.168.20.1) in 1 ms

    co. 172800 IN NS ns1.cctld.co.
    co. 172800 IN NS ns2.cctld.co.
    co. 172800 IN NS ns3.cctld.co.
    co. 172800 IN NS ns4.cctld.co.
    co. 172800 IN NS ns5.cctld.co.
    co. 172800 IN NS ns6.cctld.co.
    co. 86400 IN DS 10384 8 1 DF157833AAD57F3561F3A47F178BA46E7E7183DC
    co. 86400 IN DS 10384 8 2 A76358B4C22E95C2C4A56DB8ADC923779E0829142D7C51B04E54769C 86407D70
    co. 86400 IN DS 21754 8 1 8B9B8FDA21B4CF6FC3E97A31FC0D77C1CB7E70EE
    co. 86400 IN DS 21754 8 2 C30634014C0752DA93B0633ED4CE641B63826A5DED820027F4117CA0 C32050A0
    co. 86400 IN RRSIG DS 8 1 86400 20170826170000 20170813160000 15768 . N8hBVmcw3geU/EqNR2fqWH2rd9v5cdGfZ44h5sxPmreta1SZPupsq3RV FN37fZfKuzcwN7Obe3eE6k3Mxn0KyzGY/cF4wnqCD7HWBrvfz50b1yxD REitHlhKt6ZqC/NPaa5NGa6tWyeKuhD/D3tc74rK95eVnfCWmTY1PFth QoB8IZJFw2UIO8bS9Zpd82im1wHP9PRRF8nWUFYd4rOI6LU6ahCsckij HngqmuLFvfsZeRXY/yAzImy1REbSqAon/RGCsckoeuXs4rLBq7QUxLeA W2GcmczUkxspQciGsK71WgFrRyl2o6NrvlsmTO9XHQ2OVccSp8Ee29FY ukm6wA==
    ;; Received 867 bytes from 192.5.5.241#53(f.root-servers.net) in 19 ms

    do.co. 7200 IN NS walt.ns.cloudflare.com.
    do.co. 7200 IN NS kim.ns.cloudflare.com.
    131vnuv1malje6dnud9fsaqdrqcs5i91.co. 86400 IN NSEC3 1 1 1 F873A2F5 1356V3361NJ2BQROG5HKD76E66S04L02 NS SOA RRSIG DNSKEY NSEC3PARAM
    131vnuv1malje6dnud9fsaqdrqcs5i91.co. 86400 IN RRSIG NSEC3 8 2 86400 20170821234143 20170722233946 63993 co. E8Sg+iSMx1zSNIfC7eDVbBE+TSIg4W58SDPqwXA04EjPlpdubb7cakdv bvwdjBdWpyb+No7SLByqKNnQN7BsYvvdmLsDpbAEGcQ+agXmUwImddDa 9J/2VkOiNkiKYgI174elEuitoWhQH6PVSwO6Nb1nBl4o9em0v9zGhbYA 2Jy6VLKWNYL6bh9CNSGJsl4NthISx9nBZKwBQ7vNnZ/mrQ==
    pte00qfgi7b6087qivojmk9kqr2u6gka.co. 86400 IN NSEC3 1 1 1 F873A2F5 PTRFFSEIBU5MCNK4CRV8JFRTQ7QB3I0G NS DS RRSIG
    pte00qfgi7b6087qivojmk9kqr2u6gka.co. 86400 IN RRSIG NSEC3 8 2 86400 20170827152341 20170728142341 63993 co. hSH7UQuVYYdfZdKjh8q98boxNOVaE/j8DlWVHcWT17Q3Zb5+m7xDJRQ9 42KaaIla3rZ6e7RYy1qXWh+6VFB5KRxv9ec2RAuYPNB/9XJe2IdlnsE4 t1IqGFo+O4ZY5mlj+QxMcLrx3FlM9ZzSzat9SlS6sSxv7w+0s/yuIMqv 3ZjXqjHYdDgshA+g71QjoSqS3jz0a/muAiznNfuc+Qclcw==
    ;; Received 643 bytes from 156.154.101.25#53(ns2.cctld.co) in 229 ms

    do.co. 300 IN A 67.199.248.13
    do.co. 300 IN A 67.199.248.12
    ;; Received 66 bytes from 173.245.59.148#53(walt.ns.cloudflare.com) in 27 ms
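
An added example, not part of the original question: a small Python parser that summarizes a `dig +trace` transcript and reports the zone at which the trace stalled, so the two runs above can be compared hop by hop. The sample transcripts are constructed by abbreviating those two runs, and the function names are hypothetical.

```python
import re

# Constructed samples: the two dig +trace runs from the post, abbreviated
# (root NS list, DS/RRSIG/NSEC3 data and most NS records trimmed).
TRACE_VALIDATING = """\
;; Received 239 bytes from 192.168.20.1#53(192.168.20.1) in 1 ms
co. 172800 IN NS ns1.cctld.co.
co. 172800 IN NS ns2.cctld.co.
couldn't get address for 'ns1.cctld.co': failure
couldn't get address for 'ns2.cctld.co': failure
dig: couldn't get address for 'ns1.cctld.co': no more
"""
TRACE_NO_VALIDATION = """\
;; Received 239 bytes from 192.168.20.1#53(192.168.20.1) in 1 ms
co. 172800 IN NS ns1.cctld.co.
;; Received 867 bytes from 192.5.5.241#53(f.root-servers.net) in 19 ms
do.co. 7200 IN NS walt.ns.cloudflare.com.
;; Received 643 bytes from 156.154.101.25#53(ns2.cctld.co) in 229 ms
do.co. 300 IN A 67.199.248.13
;; Received 66 bytes from 173.245.59.148#53(walt.ns.cloudflare.com) in 27 ms
"""

RECEIVED = re.compile(r"^;; Received \d+ bytes from [^#\s]+#\d+\(([^)]+)\)")
NO_ADDR = re.compile(r"couldn't get address for '([^']+)'")
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)")

def summarize_trace(text):
    """Return the servers that answered, NS names dig could not resolve, and A/AAAA answers."""
    hops, unresolved, answers = [], [], []
    for line in text.splitlines():
        if m := RECEIVED.match(line):
            hops.append(m.group(1))
        elif m := NO_ADDR.search(line):
            if m.group(1) not in unresolved:  # dig repeats the first name in its final error
                unresolved.append(m.group(1))
        elif (m := RECORD.match(line)) and m.group(2) in ("A", "AAAA"):
            answers.append(m.group(3))
    return {"hops": hops, "unresolved_ns": unresolved, "answers": answers}

def stalled_zone(text):
    """Owner name of the last NS referral printed when address lookups failed, else None."""
    if not summarize_trace(text)["unresolved_ns"]:
        return None
    owners = [m.group(1) for line in text.splitlines()
              if (m := RECORD.match(line)) and m.group(2) == "NS"]
    return owners[-1] if owners else None
```

`dig +trace` looks up the address of each NS name through the system's configured resolver, so the "couldn't get address" lines reflect what that resolver returned for those names.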