我的 DNS 服务器设置有问题.我的 BIND 服务器主要是缓存服务器,但也提供一些内部域.它只在我的专用网络上监听,并且只响应来自那里的请求.
今天我想启用 BIND 来验证 DNSSEC,但不知怎的,它做得不正确.如果我在运行 BIND 的 Linux 机器本身上解析主机名,那么无效的 DNSSEC 会被正确地显示为无效.但是,如果我尝试在网络中的其他计算机上用相同的 dig 命令解析同一个域,则 DNSSEC 检查不会失败,并且域可以正常解析.我想要它做的是向网络中的其他 DNS 客户端发送正确的 SERVFAIL.
以下是您可能需要的所有信息(BIND 版本,配置等).我会在最后附上我所做的 dig 查询.
操作系统版本
root@thor:/etc/bind# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.5 (jessie)
Release: 8.5
Codename: jessie
root@thor:/etc/bind# uname -a
Linux thor.home.intranet 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux
BIND 版本
BIND 9.9.5-9+deb8u6-Debian (Extended Support Version)
named.conf中
// Top-level named.conf: every setting lives in one of the three included files.
include "/etc/bind/named.conf.options";       // global options: forwarders, DNSSEC, listen/recursion ACLs
include "/etc/bind/named.conf.local";         // locally authoritative internal zones
include "/etc/bind/named.conf.default-zones"; // root hint zone and other defaults
named.conf.options
// Global server options. This instance is a caching, validating resolver that
// listens on, and recurses for, the private network only.
options {
directory "/var/cache/bind";
// Upstream resolvers queries are sent to first (BIND's default is "forward first",
// so iterative resolution is the fallback when the forwarders do not answer).
// NOTE(review): DNSSEC validation below can only succeed for forwarded answers
// if the forwarder returns the DNSSEC records (RRSIG etc.) with them -- confirm
// the listed resolvers do, otherwise validation cannot behave as intended.
forwarders {
208.67.222.222; # resolver1.opendns.com
208.67.220.220; # resolver2.opendns.com
# 8.8.8.8; # google-public-dns-a.google.com
# 8.8.4.4; # google-public-dns-b.google.com
};
dnssec-enable yes;
// "auto" validates using BIND's built-in root trust anchor (managed-keys).
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
// Bound to loopback and the private LAN address only; no public interface.
// NOTE(review): LAN clients only get validated answers if they are actually
// configured to use 192.168.10.36 as their resolver -- verify on the clients.
listen-on {
127.0.0.1;
192.168.10.36;
};
recursion yes;
// Recursion limited to loopback and the LAN so the server is not an open resolver.
allow-recursion { 127.0.0.0/8; 192.168.10.0/24; };
// Negative answers (NXDOMAIN/NODATA) are not cached at all.
// NOTE(review): confirm this is intended -- every repeated negative lookup goes
// upstream again, which is unusual for a caching resolver.
max-ncache-ttl 0;
};
named.conf.local
// Authoritative (primary) zone for the internal forward domain.
// NOTE(review): answers for this zone come from local zone data, not from the
// validating recursion path; confirm that is the intended trust model.
zone "intranet" {
type master;
file "/etc/bind/master/db.intranet";
};
// Authoritative reverse zone for the 192.168.10.0/24 LAN (matches allow-recursion).
zone "10.168.192.in-addr.arpa" {
type master;
file "/etc/bind/master/db.10.168.192";
};
// Second authoritative (primary) internal forward domain, served from local zone data.
zone "box" {
type master;
file "/etc/bind/master/db.box";
};
named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file