BIND: "nsupdate -l" fails with "update failed: REFUSED"

I just switched to the dynamic DNS functionality of bind 9.9.5 with semi-automatic management of the DNSSEC entries. The whole process went smoothly and my zone file is updated fine, but now I can't update or add entries through the nsupdate tool.

/etc/bind/named.conf.local

    // 1
    view "localhost_view" {
        allow-query-on { 127.0.0.1; };
        allow-query { localhost_acl; };
        match-clients { localhost_acl; };

        zone "somehost.tld" {
            type master;
            file "/etc/bind/db.somehost.tld_10";
        };

        zone "168.192.in-addr.arpa" {
            type master;
            notify no;
            file "/etc/bind/db.192.168.10";
        };

        // formerly named.conf.default-zones
        zone "." { type hint; file "/etc/bind/db.root"; };
        zone "localhost" { type master; file "/etc/bind/db.local"; };
        zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
        zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
        zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

        // formerly zones.rfc1918
        zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
    };

    // 2
    view "internal_10_view" {
        allow-query-on { 192.168.10.1; };
        allow-query { internal_10_acl; };
        match-clients { internal_10_acl; };

        zone "somehost.tld" {
            type master;
            file "/etc/bind/db.somehost.tld_10";
        };

        zone "168.192.in-addr.arpa" {
            type master;
            notify no;
            file "/etc/bind/db.192.168.10";
        };

        // formerly named.conf.default-zones
        zone "." { type hint; file "/etc/bind/db.root"; };
        zone "localhost" { type master; file "/etc/bind/db.local"; };
        zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
        zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
        zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

        // formerly zones.rfc1918
        zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
    };

    // 3
    view "internal_150_view" {
        allow-query-on { 192.168.150.1; };
        allow-query { internal_150_acl; };
        match-clients { internal_150_acl; };

        zone "somehost.tld" {
            type master;
            file "/etc/bind/db.somehost.tld_150";
        };

        zone "168.192.in-addr.arpa" {
            type master;
            notify no;
            file "/etc/bind/db.192.168.150";
        };

        // formerly named.conf.default-zones
        zone "." { type hint; file "/etc/bind/db.root"; };
        zone "localhost" { type master; file "/etc/bind/db.local"; };
        zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
        zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
        zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

        // formerly zones.rfc1918
        zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
    };

    // 4
    view "vpn_view" {
        allow-query-on { 192.168.200.1; };
        allow-query { vpn_acl; };
        match-clients { vpn_acl; };

        zone "somehost.tld" {
            type master;
            file "/etc/bind/db.somehost.tld_vpn";
        };

        // formerly named.conf.default-zones
        zone "." { type hint; file "/etc/bind/db.root"; };
        zone "localhost" { type master; file "/etc/bind/db.local"; };
        zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
        zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
        zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

        // formerly zones.rfc1918
        zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "32.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
    };

    // 5
    view "global_view" {
        allow-query-on { 1.2.3.4; };
        // match-clients { any; !localhost_acl; !internal_10_acl; !internal_150_acl; !vpn_acl; };
        recursion no;

        zone "somehost.tld" {
            type master;
            update-policy local;
            auto-dnssec maintain;
            file "/etc/bind/db.somehost.tld_global";
            key-directory "/etc/bind/keys";
        };

        zone "26/4.3.2.1.in-addr.arpa" IN {
            type master;
            file "/etc/bind/db.rev";
        };

        // formerly named.conf.default-zones
        zone "." { type hint; file "/etc/bind/db.root"; };
        zone "localhost" { type master; file "/etc/bind/db.local"; };
        zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
        zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
        zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

        // formerly zones.rfc1918
        zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "32.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
    };

Access control lists:

    acl localhost_acl { 127.0.0.0/8; };
    acl internal_10_acl { 192.168.10.0/24; };
    acl internal_150_acl { 192.168.150.0/24; };
    acl vpn_acl { 192.168.200.2; 192.168.200.5; };

So update-policy local; is in place, /var/run/named/session.key is generated successfully and is readable by the bind user, but when I run the add command through nsupdate -l (as root) I always get the "update failed: REFUSED" error (here with debugging messages):

    root@somehost:/etc/bind# nsupdate -l -v -D
    setup_system()
    Creating key...
    namefromtext
    keycreate
    reset_system()
    user_interaction()
    > ttl 46000
    do_next_command()
    > zone somehost.tld.
    do_next_command()
    > update add whatever.somehost.tld. A 1.1.1.1
    do_next_command()
    evaluate_update()
    update_addordelete()
    > send
    do_next_command()
    start_update()
    send_update()
    Sending update to 127.0.0.1#53
    show_message()
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  15363
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;somehost.tld.                  IN      SOA

    ;; UPDATE SECTION:
    whatever.somehost.tld.  46000   IN      A       1.1.1.1

    ;; TSIG PSEUDOSECTION:
    local-ddns.             0       ANY     TSIG    hmac-sha256. 1446539060 300 32 r2lt18dGihGnJepoUjvIKx8l5BPMohNJvsLoO+WQiBE= 15363 NOERROR 0

    update_completed()
    tsig verification successful
    show_message()
    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  15363
    ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;somehost.tld.                  IN      SOA

    ;; TSIG PSEUDOSECTION:
    local-ddns.             0       ANY     TSIG    hmac-sha256. 1446539060 300 32 Cnh9Tgg5vhKngPRk2J8n0wiRzdBLlQrp0F0qmfUotN8= 15363 NOERROR 0

    done_update()
    reset_system()
    user_interaction()
    > quit

Is this some kind of permissions problem? What is wrong?

You are using nsupdate -l, which sends the update message to localhost (the verbose output confirms that it uses the loopback address, as expected: Sending update to 127.0.0.1#53).

However, the zone you are trying to update is not in the view that this update message will hit. Your first view (localhost_view) has match-clients { localhost_acl; }; with

    acl localhost_acl { 127.0.0.0/8; };

The zone you are trying to update is in the view global_view, which is defined later in the configuration.

If you check your logs, I would assume this failure is logged, and the log message probably includes information about which view it was (which, going by your configuration, should be localhost_view).

It is important to note that views are ordered, and the first matching view receives any given message.

From the views section of the manual:

Each view statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the address_match_list of the view's match-clients clause and its destination IP address matches the address_match_list of the view's match-destinations clause. If not specified, both match-clients and match-destinations default to matching all addresses. In addition to checking IP addresses, match-clients and match-destinations can also take keys, which provide a mechanism for the client to select the view. A view can also be specified as match-recursive-only, which means that only recursive requests from matching clients will match that view. The order of the view statements is significant: a client request will be resolved in the context of the first view that it matches.

As mentioned in the quoted explanation, if it helps, you can also match on a TSIG key rather than on the IP address (by adjusting match-clients).

It is worth noting that an address_match_list (the parameter type of match-clients, for instance) accepts both IP addresses and keys. That is, much like views, the outcome is decided by the first matching element, so putting any before other elements in the list makes those elements pointless.
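To make the first-match rule concrete, here is an added Python model of how a view is selected for the question's configuration and whether a TSIG-signed UPDATE to somehost.tld would be authorized in that view. It is written for this page and is not BIND's code or part of either answer. The ACLs and the view order are copied from the question; because the match-clients line of global_view is commented out, that view is modelled as matching any client, and local-ddns is the key name that appears in the nsupdate -l debug output. The handling of negated entries and nested ACL names is a simplification of BIND's rules.

```python
import ipaddress
from dataclasses import dataclass, field

# ACLs from the question's configuration.
ACLS = {
    "localhost_acl": ["127.0.0.0/8"],
    "internal_10_acl": ["192.168.10.0/24"],
    "internal_150_acl": ["192.168.150.0/24"],
    "vpn_acl": ["192.168.200.2", "192.168.200.5"],
}


@dataclass
class View:
    name: str
    match_clients: list                          # ordered address_match_list
    match_destinations: list = field(default_factory=lambda: ["any"])
    # zone -> set of TSIG key names granted by that zone's update-policy
    update_grants: dict = field(default_factory=dict)


def _decide(entries, ip, key_name, acls):
    """Simplified address_match_list evaluation: the first element that matches
    decides. Returns True (match), False (a negated element matched) or None
    (no element matched). Elements: "any", "key NAME", an ACL name, or a
    network/address, each optionally prefixed with "!"."""
    for entry in entries:
        negate = entry.startswith("!")
        body = entry.lstrip("!").strip()
        if body == "any":
            hit = True
        elif body.startswith("key "):
            hit = key_name == body.split(None, 1)[1]
        elif body in acls:
            nested = _decide(acls[body], ip, key_name, acls)
            if nested is None:
                continue
            hit = nested
        else:
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(body, strict=False)
        if hit:
            return not negate
    return None


def select_view(views, src_ip, dst_ip, key_name=None, acls=ACLS):
    """Views are tried in configuration order; the first one that matches both
    the source (match-clients) and the destination (match-destinations) wins."""
    for v in views:
        if _decide(v.match_clients, src_ip, key_name, acls) and \
           _decide(v.match_destinations, dst_ip, key_name, acls):
            return v
    return None


def predict_update(views, src_ip, dst_ip, zone, key_name, acls=ACLS):
    """Return (view name, rcode) for an UPDATE to `zone`, signed with `key_name`,
    sent from src_ip to dst_ip. A view that serves the zone without granting
    update rights to that key answers REFUSED, which is the question's symptom."""
    v = select_view(views, src_ip, dst_ip, key_name, acls)
    if v is None:
        return (None, "REFUSED")
    if key_name in v.update_grants.get(zone, set()):
        return (v.name, "NOERROR")
    return (v.name, "REFUSED")


# The question's five views in order; only global_view has "update-policy local;",
# which grants the auto-generated session key named local-ddns.
VIEWS = [
    View("localhost_view", ["localhost_acl"]),
    View("internal_10_view", ["internal_10_acl"]),
    View("internal_150_view", ["internal_150_acl"]),
    View("vpn_view", ["vpn_acl"]),
    View("global_view", ["any"], update_grants={"somehost.tld": {"local-ddns"}}),
]

if __name__ == "__main__":
    # The failing case: nsupdate -l sends from 127.0.0.1 to 127.0.0.1.
    print(predict_update(VIEWS, "127.0.0.1", "127.0.0.1", "somehost.tld", "local-ddns"))
    # With a public source address the request reaches global_view instead.
    print(predict_update(VIEWS, "1.2.3.4", "127.0.0.1", "somehost.tld", "local-ddns"))
```

Running the block prints ('localhost_view', 'REFUSED') for the loopback case and ('global_view', 'NOERROR') once the source address is the public one, which is exactly the difference the answers turn on. The "key NAME" entries let you try the TSIG-based match-clients variant the answer mentions without touching a live server.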

Finally figured it out. Thanks to @HåkanLindqvist for the inspiration.

First solution

(using ddns-confgen).

I have many views (localhost_view, global_view, etc.), some of which have zones in common (somehost.tld in my case). If I want to update them dynamically, I should use the server XXXX command in nsupdate. That way nsupdate sends the update request to the appropriate interface and the corresponding view handles it.

update-policy local; does not work in this configuration, because it forbids using the server command in nsupdate. So a DDNS key has to be generated and specified in every zone declaration that should be dynamically updated by nsupdate. In the Debian world there is the ddns-confgen command, which simplifies this task:

    me@somehost:~$ ddns-confgen
    # To activate this key, place the following in named.conf, and
    # in a separate keyfile on the system or systems from which nsupdate
    # will be run:
    key "ddns-key" {
            algorithm hmac-sha256;
            secret "pXohPnPR7dyri9ADfDLtSz+lHw/QliISyiEe0wg0a14=";
    };

    # Then, in the "zone" statement for each zone you wish to dynamically
    # update, place an "update-policy" statement granting update permission
    # to this key.  For example, the following statement grants this key
    # permission to update any name within the zone:
    update-policy {
            grant ddns-key zonesub ANY;
    };

    # After the keyfile has been placed, the following command will
    # execute nsupdate using this key:
    nsupdate -k <keyfile>

The output of this command is fairly self-explanatory. The key ... snippet has to be added to /etc/bind/named.conf and to a separate file with any name, and the update-policy ... snippet has to be added to every zone declaration that is to be managed by nsupdate.

To use the nsupdate tool correctly in a multi-view BIND environment, the server directive has to be given explicitly before any other command. So, to update the somehost.tld zone of localhost_view (assuming the key ... snippet is saved in /etc/bind/ddns-key.key), the commands are as follows (note the server 127.0.0.1):

    me@somehost:~$ nsupdate -k /etc/bind/ddns-key.key
    > server 127.0.0.1
    > zone somehost.tld
    > update add something.somehost.tld. 86400 A 1.1.1.1
    > send
    > quit

The commands for manipulating the somehost.tld zone of global_view are essentially the same, but with a different server. In this case the public IP (1.2.3.4 in this example) has to be used:

    me@somehost:~$ nsupdate -k /etc/bind/ddns-key.key
    > server 1.2.3.4
    > zone somehost.tld
    > update add something.somehost.tld. 86400 A 1.1.1.1
    > send
    > quit

So nsupdate sends the request to the appropriate interface (which may or may not be local), and the specific view takes care of it.

Second solution

(using update-policy local;).

You may actually use the update-policy local; directive in /etc/bind/named.conf.local in every zone declaration you want, to restrict update requests coming from the Internet or the LAN for better security. In this case the key is generated automatically and nsupdate uses it when run with the -l option. The local XXXX command should be used instead of server XXXX. It even accepts a public IP as the argument, as long as it is local to the system. Note: the key is not readable by ordinary users, so use sudo. Example:

    me@somehost:~$ sudo nsupdate -l
    > local 1.2.3.4
    > zone somehost.tld
    > update add something.somehost.tld. 86400 A 1.1.1.1
    > send
    > quit
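Both solutions boil down to one nsupdate run per view, differing only in the directive that steers the request (server with a ddns-confgen key, local with the session key). The following Python helper, added for this page and not part of the answer or of BIND's tools, builds the batch that nsupdate reads on standard input for each of the question's listener addresses and feeds it to the binary when one is installed, so that every view's copy of somehost.tld receives the same record. The listener addresses are taken from the allow-query-on settings in the question; the keyfile path is the one the answer uses.

```python
import shutil
import subprocess

# Listener address of each view, taken from the question's allow-query-on lines.
VIEW_SERVERS = {
    "localhost_view": "127.0.0.1",
    "internal_10_view": "192.168.10.1",
    "internal_150_view": "192.168.150.1",
    "vpn_view": "192.168.200.1",
    "global_view": "1.2.3.4",
}


def build_batch(addr, zone, name, rdata, ttl=86400, rrtype="A", session_key=False):
    """Return the command batch for one nsupdate run.

    With a ddns-confgen key (nsupdate -k) the target view is chosen with
    'server ADDR'. With the auto-generated session key (nsupdate -l) the
    server is always 127.0.0.1, so 'local ADDR' sets the source address
    instead, which is what the views' match-clients lists see."""
    directive = "local" if session_key else "server"
    return "\n".join([
        f"{directive} {addr}",
        f"zone {zone}",
        f"update add {name}. {ttl} {rrtype} {rdata}",
        "send",
        "quit",
    ]) + "\n"


def build_all(zone, name, rdata, keyfile=None):
    """One (view, argv, batch) triple per view. keyfile=None means the
    update-policy local; variant, i.e. nsupdate -l with a 'local' directive."""
    runs = []
    for view, addr in VIEW_SERVERS.items():
        argv = ["nsupdate", "-k", keyfile] if keyfile else ["nsupdate", "-l"]
        batch = build_batch(addr, zone, name, rdata, session_key=keyfile is None)
        runs.append((view, argv, batch))
    return runs


def run_updates(runs):
    """Feed each batch to nsupdate and return {view: exit status}; nsupdate
    exits non-zero when a server answers with an error such as REFUSED.
    Returns None when the nsupdate binary is not installed."""
    if shutil.which("nsupdate") is None:
        return None
    results = {}
    for view, argv, batch in runs:
        proc = subprocess.run(argv, input=batch, text=True, capture_output=True)
        results[view] = proc.returncode
    return results


if __name__ == "__main__":
    for view, argv, batch in build_all("somehost.tld", "something.somehost.tld",
                                       "1.1.1.1", keyfile="/etc/bind/ddns-key.key"):
        print(view, " ".join(argv))
        print(batch)
    print(run_updates(build_all("somehost.tld", "something.somehost.tld", "1.1.1.1")))
```

Run it as root (the session key is not readable by ordinary users) on the BIND host itself when using the -l variant; with the -k variant the keyfile can live on any host that can reach the listener addresses, which is why the answer's first solution is the one that works from a remote management box.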