Verisign 错误 –> 查询 DNSKEY 超时或失败

我正在查找一个错误的根源,这个错误出现在 Verisign 调试器中,我一直无法消除它。

用 dig 直接查询服务器是正常的:

dig ex-mailer.com ANY @108.61.190.64 

在调试模式下,我的所有日志都是干净的,没有任何错误输出。

实际上,唯一不正常的地方出现在抓包(Wireshark)中,看起来像是过度分片。

我的网卡上的MTU是1500

 vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6> ether 56:00:00:05:53:09 inet6 2001:19f0:6c00:8141::64 prefixlen 64 inet6 fe80::5400:ff:fe05:5309%vtnet0 prefixlen 64 scopeid 0x1 inet 108.61.190.64 netmask 0xffffff00 broadcast 108.61.190.255 nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> media: Ethernet 10Gbase-T <full-duplex> status: active 

但路径 MTU(PMTU)看起来有问题:

 ping -s 1500 -M do 108.61.190.64 From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490) 

我不确定该从哪里查起。我很确定这个 MTU 分片就是错误的来源。

我该如何消除这个 Verisign DNS 错误?

主服务器配置:

 # named.conf of the server that listens on 108.61.190.64 (see listen-on below).
 # Line breaks were restored from a collapsed paste; the extent of the original
 # "#" and "//" comments is inferred - confirm against the real file.

 # Hosts treated as trusted. In this config the ACL is referenced only by
 # allow-transfer on zone "ex-mailer.com".
 acl "trusted" { 108.61.190.64; 107.191.60.48; 2001:19f0:7000:8945::64; 2001:19f0:6c00:8141::64; 108.61.10.10; 127.0.0.1/32; ::1/128; };
 # Alias for "any"; not referenced anywhere in this config.
 acl "outside" { any; };

 options {
     directory "/usr/local/etc/namedb/working/";
     pid-file "/var/run/named/named.pid";
     dnssec-enable yes;
     dnssec-validation auto;
     # NOTE(review): dnssec-lookaside depends on the ISC DLV registry, which has
     # been retired, and newer BIND releases no longer accept the option -
     # confirm against the installed version.
     dnssec-lookaside auto;
     listen-on-v6 { ::1; 2001:19f0:6c00:8141::64;};
     listen-on { 127.0.0.1; 108.61.190.64;};
     max-cache-ttl 1600;
     # Hides the BIND version string from version queries.
     version none;
     auth-nxdomain no; # conform to RFC1035
     # Recursion and cache access are granted to every client on every local
     # address, so this authoritative server also acts as an open resolver.
     # Open resolvers are a common reflection/amplification vector; recursion
     # is normally limited to a narrow ACL such as "trusted".
     allow-recursion-on { any; };
     allow-recursion{ any; };
     allow-query-cache-on{ any; };
     allow-query-on{ any; };
     # Relevant to secondary zones only: any client may have its dynamic
     # updates forwarded to the primary. NOTE(review): usually "none" or a
     # narrow ACL.
     allow-update-forwarding{ any; };
     allow-query { any; };
     allow-query-cache { any; };
     # Default for every zone that does not override it: any host may request
     # a full zone transfer. Only "ex-mailer.com" narrows this to "trusted".
     allow-transfer { any; };
     //forward first;
     # NOTE(review): 108.61.190.64 is this server's own listen-on address, so
     # the forwarder list includes the server itself - confirm this is intended.
     forwarders { 108.61.10.10; 108.61.190.64; 107.191.60.48; };
 };

 logging {
     category default { default_log; };
     category queries { resolver_file; };
     # Catch-all log; "severity debug" records debug-level messages.
     channel default_log {
         file "/var/log/named/named.log" versions 5 size 50M;
         print-time yes;
         print-severity yes;
         print-category yes;
         severity debug;
     };
     # Receives the "queries" category.
     channel resolver_file {
         file "/var/log/named/resolver.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     # Defined, but no category in this block sends messages to it.
     channel xfer-in_file {
         file "/var/log/named/xfer-in.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     # Second declaration of "category default" (also declared at the top).
     category default { default_log; };
     category general { default_log; };
 };

 #include "/usr/local/etc/namedb/rndc.key";
 # rndc control channel bound to every interface ("inet *"); access is limited
 # by the allow list plus possession of the "rndc-key" secret.
 controls {
     inet * port 953 allow { 127.0.0.1/32; ::1/128; 107.191.60.48; 108.61.190.64;} keys {"rndc-key"; };
 };
 # NOTE(review): the secret is defined inline (the include above is commented
 # out) and has been published together with this config, so it should be
 # treated as compromised and regenerated. hmac-md5 is a legacy algorithm;
 # hmac-sha256 is supported for rndc keys.
 key "rndc-key" {
     algorithm hmac-md5;
     secret "KcnxhOeXddg8dRNrn9Qfew==";
 };

 # Single view that matches every client and destination, with recursion on.
 view "external" {
     match-clients { any; };
     match-destinations { any; };
     recursion yes;
     allow-query { any; };

     # Root hints used for recursion.
     zone "." IN {
         type hint;
         file "/usr/local/etc/namedb/named.root";
     };

     zone "ex-mailer.com" {
         type master;
         # The only zone here that restricts transfers to the "trusted" ACL.
         allow-transfer { trusted; };
         # NOTE(review): 108.61.190.64 is this server's own address, so the
         # NOTIFY target is the server itself - confirm the intended target.
         also-notify { 108.61.190.64; };
         update-policy local;
         auto-dnssec allow;
         key-directory "/usr/local/etc/namedb/";
         file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
     };

     zone "nyctelecomm.com" {
         type master;
         # With the zone-level restriction commented out, the options-level
         # "allow-transfer { any; }" applies to this zone.
         #allow-transfer {107.191.60.48;};
         also-notify {107.191.60.48;};
         key-directory "/usr/local/etc/namedb/";
         file "/usr/local/etc/namedb/nyctelecomm.com.external.signed";
     };

     zone "emailingu.com" {
         type master;
         update-policy local;
         auto-dnssec allow;
         key-directory "/usr/local/etc/namedb/";
         file "/usr/local/etc/namedb/emailingu.com.external.signed";
     };

     zone "instaknowit.com" {
         type master;
         update-policy local;
         auto-dnssec allow;
         key-directory "/usr/local/etc/namedb/";
         # Unlike the other forward zones, this file name has no ".signed"
         # suffix - presumably the unsigned zone file; confirm.
         file "/usr/local/etc/namedb/instaknowit.com.external";
     };

     zone "zippy-mail.com" {
         type master;
         update-policy local;
         auto-dnssec allow;
         key-directory "/usr/local/etc/namedb/";
         file "/usr/local/etc/namedb/zippy-mail.com.external.signed";
     };

     # Reverse zones; neither sets allow-transfer, so the options-level "any"
     # applies to them as well.
     zone "190.61.108.in-addr.arpa"{
         type master;
         file "/usr/local/etc/namedb/reverse.external";
     };
     zone "127.in-addr.arpa" {
         type master;
         file "/usr/local/etc/namedb/127.0.0.1";
     };
 };

从服务器配置:

 # named.conf of the server that listens on 107.191.60.48 (see listen-on below);
 # it is a secondary for the forward zones, whose masters entry is 108.61.190.64.
 # Line breaks were restored from a collapsed paste; the extent of the original
 # "#" and "//" comments is inferred - confirm against the real file.

 # Hosts treated as trusted; used by allow-update in options and by
 # allow-notify on two of the slave zones.
 acl "trusted" { 108.61.190.64; 107.191.60.48; 2001:19f0:7000:8945::64; 2001:19f0:6c00:8141::64; 108.61.10.10; 127.0.0.1/32; ::1/128; };
 # Alias for "any"; the view below matches on it, so it does not narrow
 # anything.
 acl "outside" { any; };

 options {
     directory "/usr/local/etc/namedb/working/";
     pid-file "/var/run/named/named.pid";
     dnssec-enable yes;
     # NOTE(review): with "yes" rather than "auto", BIND expects a trust anchor
     # to be configured explicitly; none is visible in this config - confirm.
     dnssec-validation yes;
     # NOTE(review): dnssec-lookaside depends on the ISC DLV registry, which has
     # been retired, and newer BIND releases no longer accept the option -
     # confirm against the installed version.
     dnssec-lookaside auto;
     auth-nxdomain no;
     listen-on-v6 { ::1; 2001:19f0:7000:8945::64;};
     listen-on { 127.0.0.1; 107.191.60.48;};
     max-cache-ttl 1600;
     # Hides the BIND version string from version queries.
     version none;
     notify yes;
     also-notify { 108.61.190.64; };
     # NOTE(review): 107.191.60.48 is this server's own listen-on address; the
     # zones "nyctelecomm.com" and "ex-mailer.com" override this with "trusted".
     allow-notify { 107.191.60.48; };
     # Recursion and cache access are granted to every client on every local
     # address, so this server also acts as an open resolver. Open resolvers
     # are a common reflection/amplification vector; recursion is normally
     # limited to a narrow ACL such as "trusted".
     allow-recursion { any; };
     allow-recursion-on { any; };
     allow-query-cache-on{ any; };
     allow-query-on{ any; };
     # Any client may have its dynamic updates forwarded to the primary.
     # NOTE(review): usually "none" or a narrow ACL.
     allow-update-forwarding{ any; };
     # Default for every zone: any host may request a full zone transfer.
     allow-transfer { any; };
     allow-query { any; };
     allow-query-cache { any; };
     allow-update { trusted; };
     //forward first;
     # NOTE(review): 107.191.60.48 is this server's own listen-on address, so
     # the forwarder list includes the server itself - confirm this is intended.
     forwarders { 108.61.10.10; 108.61.190.64; 107.191.60.48; };
 };

 logging {
     category default { default_log; };
     category queries { resolver_file; };
     # Catch-all log; "severity debug" records debug-level messages.
     channel default_log {
         file "/var/log/named/named.log" versions 5 size 50M;
         print-time yes;
         print-severity yes;
         print-category yes;
         severity debug;
     };
     # general_file, config_file and xfer-in_file are defined, but no category
     # in this block sends messages to them.
     channel general_file {
         file "/var/log/named/general.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel config_file {
         file "/var/log/named/config.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     # Receives the "queries" category.
     channel resolver_file {
         file "/var/log/named/resolver.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     channel xfer-in_file {
         file "/var/log/named/xfer-in.log" versions 3 size 5m;
         severity dynamic;
         print-time yes;
     };
     # Second declaration of "category default" (also declared at the top).
     category default { default_log; };
     category general { default_log; };
 };

 #include "/usr/local/etc/namedb/rndc.key";
 # rndc control channel bound to every interface ("inet *"); access is limited
 # by the allow list plus possession of the "rndc-key" secret.
 controls {
     inet * port 953 allow { 127.0.0.1/32; ::1/128; 108.61.190.64; 107.191.60.48; } keys {"rndc-key"; };
 };
 # NOTE(review): the secret is defined inline (the include above is commented
 # out) and has been published together with this config, so it should be
 # treated as compromised and regenerated. hmac-md5 is a legacy algorithm;
 # hmac-sha256 is supported for rndc keys.
 key "rndc-key" {
     algorithm hmac-md5;
     secret "N/SB9HZwr5yRIBwtRjcA6A==";
 };

 # Single view; "outside" is defined as "any", so it matches every client and
 # destination, with recursion enabled.
 view "external" {
     match-clients { outside; };
     match-destinations { outside; };
     recursion yes;
     allow-recursion { any; };
     allow-query { outside; };

     # Root hints used for recursion.
     zone "." IN {
         type hint;
         file "/usr/local/etc/namedb/named.root";
     };
     #include "/usr/local/etc/namedb/tmp/zonelist.db";

     zone "nyctelecomm.com" {
         type slave;
         masters {108.61.190.64;};
         allow-notify { trusted; };
         # Full zone transfers from this secondary are open to any host.
         allow-transfer { any; };
         notify yes;
         auto-dnssec allow;
         key-directory "/usr/local/etc/namedb/";
         file "/usr/local/etc/namedb/nyctelecomm.com.external.signed";
     };

     zone "ex-mailer.com" {
         type slave;
         masters {108.61.190.64; };
         #transfer-source { 108.61.190.64; };
         allow-notify{ trusted; };
         notify yes;
         # Full zone transfers from this secondary are open to any host.
         allow-transfer { any; };
         auto-dnssec allow;
         key-directory "/usr/local/etc/namedb/";
         file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
     };

     # The next two zones set no allow-transfer or allow-notify of their own,
     # so the options-level values apply.
     zone "emailingu.com" {
         masters {108.61.190.64; };
         type slave;
         auto-dnssec allow;
         key-directory "/usr/local/etc/namedb/";
         file "/usr/local/etc/namedb/emailingu.com.external.signed";
     };

     zone "zippy-mail.com" {
         type slave;
         masters {108.61.190.64; };
         auto-dnssec allow;
         key-directory "/usr/local/etc/namedb/";
         file "/usr/local/etc/namedb/zippy-mail.com.external.signed";
     };

     # Reverse zones are declared "type master" on this server rather than
     # slave, with dynamic updates disabled. NOTE(review): confirm the zone
     # files are kept in sync with the other server by some other means.
     zone "190.61.108.in-addr.arpa"{
         type master;
         allow-update {none;};
         file "/usr/local/etc/namedb/reverse.external";
     };
     zone "127.in-addr.arpa" {
         type master;
         allow-update {none;};
         file "/usr/local/etc/namedb/127.0.0.1";
     };
 };

感谢贴出所有这些信息,帮助很大。

Verisign 工具报告的错误:

 Query to yoda.ex-mailer.com/108.61.175.48 for ex-mailer.com/A timed out or failed 

您所关注的域名发布了两条不同的 NS 记录。

 ex-mailer.com nameserver = yoda.ex-mailer.com. ex-mailer.com nameserver = r2d2.ex-mailer.com. 

从我自己的网络,我可以连接到 r2d2 并查询 yoda 的 IP。当我尝试连接 yoda 时,什么响应也没有收到,这正是 Verisign 指出的问题。进一步查看后,我发现我对 yoda 的连接尝试(108.09.175.20)收到了来自 yoda 本身的 ICMP Destination Unreachable 数据包。

有趣的是,r2d2 显示 yoda 的 IP 地址是 108.61.175.48,但您的配置文件表明它应该是 108.61.190.64 或 108.61.10.10。其中第一个地址能成功响应。

看起来问题是以下两种情况之一。

  1. “yoda”的 A 记录有误,应该是 108.61.190.64,而不是 108.61.175.48
  2. NS 记录应该指向解析为 108.61.190.64 的 A 记录。