为什么我的DNS服务器不能转发？

我已经设置绑定像这样：

// // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { any; }; # listen-on-v6 port 53 { ::1; }; directory "/var/named"; forwarders { 10.90.0.135; 10.90.0.174; }; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; zone "appletop.local" IN { type master; file "appletop.local"; allow-update { none; }; };

但它不会转发？

如果我只是把DNS服务器地址放在另一台机器上的resolv.conf ，我会得到正确的查询，所以DNS服务器必须能够为我解决，但是如果我把另一台机器指向这个机器，它不能parsing名称。

怎么了？

MadHatterbuild议更改后：

现在，它开始，但挂在挖+跟踪，不转发 – 为什么我没有看到下面的转发地址？

 [root@ns1 ~]# ping www.yahoo.com ^C [root@ns1 ~]# cd /etc/ [root@ns1 etc]# cp named.conf named.conf.last [root@ns1 etc]# vi named.conf [root@ns1 etc]# /etc/init.d/named reload Reloading named-sdb: [ OK ] [root@ns1 etc]# service named stop Stopping named: . [ OK ] [root@ns1 etc]# /etc/init.d/named start Starting named: [ OK ] [root@ns1 etc]# nslookup www.yahoo.com ;; connection timed out; trying next origin Server: 10.138.10.30 Address: 10.138.10.30#53 ** server can't find www.yahoo.com: NXDOMAIN

并用+ trace挖一下：

 [root@ns1 etc]# dig +trace www.yahoo.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6_4.6 <<>> +trace www.yahoo.com ;; global options: +cmd . 518400 IN NS E.ROOT-SERVERS.NET. . 518400 IN NS M.ROOT-SERVERS.NET. . 518400 IN NS I.ROOT-SERVERS.NET. . 518400 IN NS F.ROOT-SERVERS.NET. . 518400 IN NS G.ROOT-SERVERS.NET. . 518400 IN NS K.ROOT-SERVERS.NET. . 518400 IN NS B.ROOT-SERVERS.NET. . 518400 IN NS A.ROOT-SERVERS.NET. . 518400 IN NS C.ROOT-SERVERS.NET. . 518400 IN NS L.ROOT-SERVERS.NET. . 518400 IN NS J.ROOT-SERVERS.NET. . 518400 IN NS H.ROOT-SERVERS.NET. . 518400 IN NS D.ROOT-SERVERS.NET.

我的整个文件看起来像这样 – 什么错了？

 options { listen-on port 53 { any; }; # listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type forward; forward first; forwarders { 10.90.0.135; 10.90.0.174; } ; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; zone "appletop.local" IN { type master; file "appletop.local"; allow-update { none; }; };

你已经告诉它什么转发器使用，但不是何时使用它们。如果你想让它用于一切，而不是

 zone "." IN { type hint; file "named.ca"; };

尝试

 zone "." { type forward; forward first; forwarders { 10.90.0.135; 10.90.0.174; } ; } ;

编辑：好的，请尝试上面的代替。但是，我不明白你的意思是“先尝试本地解决”，但是，你说你想要它转发。

为了防止下面的OP的评论，MadHatter的回应并不清楚，“问题是dnssec”，我发布了这个答案，因为我也发现它解决了我的问题。

我已经设置了caching，只转发BIND服务器，而不是转发。查询以几秒钟的时间到达根服务器。禁用dnssec选项可以解决这个问题，现在它按照预期工作。

 dnssec-enable no; dnssec-validation no; dnssec-lookaside auto;

在我的情况下，问题是通过只改变dnssec-validation yes;解决的dnssec-validation yes; 到dnssec-validation no;