domain-name-system – bind9 doesn't resolve DNSSEC correctly

I have a problem with my DNS server setup. My BIND server is mainly a caching server, but it also serves a few internal domains. It only listens on my private network and only serves requests from there.

Today I wanted to enable BIND to validate DNSSEC, but somehow it doesn't do it correctly. If I resolve on the Linux machine running BIND itself, the invalid DNSSEC is shown exactly as such. But if I try to resolve the same domain again with the same dig command on another computer in the network, the DNSSEC check doesn't fail and the domain resolves just fine. What I want it to do is send the proper SERVFAIL to the other DNS clients in the network as well.

Here is all the information you might need (BIND version, configuration, etc.). I'll append the digs I did at the end.

OS version

root@thor:/etc/bind# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.5 (jessie)
Release:        8.5
Codename:       jessie

root@thor:/etc/bind# uname -a
Linux thor.home.intranet 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux

BIND version

BIND 9.9.5-9+deb8u6-Debian (Extended Support Version)

named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options

options {
        directory "/var/cache/bind";

        forwarders {
                208.67.222.222; # resolver1.opendns.com
                208.67.220.220; # resolver2.opendns.com
#               8.8.8.8; # google-public-dns-a.google.com
#               8.8.4.4; # google-public-dns-b.google.com
        };

        dnssec-enable yes;
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035

        listen-on {
                127.0.0.1;
                192.168.10.36;
        };

        recursion yes;
        allow-recursion { 127.0.0.0/8; 192.168.10.0/24; };

        max-ncache-ttl 0;
};

named.conf.local

zone "intranet" {
        type master;
        file "/etc/bind/master/db.intranet";
};

zone "10.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/master/db.10.168.192";
};

zone "Box" {
        type master;
        file "/etc/bind/master/db.Box";
};

named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones,and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

DNS results
If I query the invalid domain on the server (thor), I get the following

user@thor:/etc/bind$dig @192.168.10.36 sigfail.verteiltesysteme.net

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @192.168.10.36 sigfail.verteiltesysteme.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,status: SERVFAIL,id: 11750
;; flags: qr rd ra; QUERY: 1,ANSWER: 0,AUTHORITY: 0,ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0,flags:; udp: 4096
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 256 msec
;; SERVER: 192.168.10.36#53(192.168.10.36)
;; WHEN: Fri Jul 08 21:27:37 CEST 2016
;; MSG SIZE  rcvd: 57

If I do exactly the same query on a client running Windows 10 with cygwin, I get:

user@COMPUTER:~$dig @192.168.10.36 sigfail.verteiltesysteme.net

; <<>> DiG 9.10.3-P4 <<>> @192.168.10.36 sigfail.verteiltesysteme.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,status: NOERROR,id: 52681
;; flags: qr rd ra; QUERY: 1,ANSWER: 1,AUTHORITY: 2,ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0,flags:; udp: 4096
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 60 IN     A       134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.
verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 2910  IN      A       134.91.78.139
ns1.verteiltesysteme.net. 2910  IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 2910  IN      A       134.91.78.141
ns2.verteiltesysteme.net. 2910  IN      AAAA    2001:638:501:8efc::141

;; Query time: 52 msec
;; SERVER: 192.168.10.36#53(192.168.10.36)
;; WHEN: Fr Jul 08 21:27:46 CEST 2016
;; MSG SIZE  rcvd: 197

I hope you can help me.

Thanks in advance

– EDIT –
Thanks to @HåkanLindqvist I noticed that the configuration was quite bad. To clean this up and get rid of all those errors, I threw out all forwarding and now resolve on my own. This shouldn't be a big deal, since the server caches everything anyway.
My named.conf.options now looks like this:

options {
        directory "/var/cache/bind";

        dnssec-enable yes;
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on {
                127.0.0.1;
                192.168.10.36;
        };

        recursion yes;
        allow-recursion { 127.0.0.0/8; 192.168.10.0/24; };

        max-ncache-ttl 0;
};

The logs show no more weird errors, and the invalid signature is now logged correctly:

Jul  9 00:33:05 thor named[2940]: validating @0x7fd2d0391140: sigfail.verteiltesysteme.net A: no valid signature found
Jul  9 00:33:05 thor named[2940]: error (no valid RRSIG) resolving 'sigfail.verteiltesysteme.net/A/IN': 134.91.78.141#53

But my problem with inconsistent results still exists. Both clients use the same BIND server:

Computer:

user@COMPUTER:~$dig +short @192.168.10.36 hostname.bind CH TXT
"thor.home.intranet"
user@COMPUTER:~$dig +short @192.168.10.36 version.bind CH TXT
"9.9.5-9+deb8u6-Debian"

Server:

user@thor:/etc/bind# dig @192.168.10.36 +short hostname.bind CH TXT
"thor.home.intranet"
user@thor:/etc/bind# dig @192.168.10.36 +short version.bind CH TXT
"9.9.5-9+deb8u6-Debian"

But the results still differ.
Computer:

user@COMPUTER:~$nslookup sigfail.verteiltesysteme.net
Server:         192.168.10.36
Address:        192.168.10.36#53

Non-authoritative answer:
Name:   sigfail.verteiltesysteme.net
Address: 134.91.78.139

Server:

root@thor:/etc/bind# nslookup sigfail.verteiltesysteme.net
Server:         192.168.10.36
Address:        192.168.10.36#53

** server can't find sigfail.verteiltesysteme.net: SERVFAIL

One thing that is important to note (I think): even when I send the request from the computer, my server says in its log that there is no valid signature. So it clearly recognizes that DNSSEC validation failed... but it still sends NOERROR to my computer.

– EDIT2 –
Even with the EDNS flag explicitly set, I still get a result.

user@COMPUTER:~$dig @192.168.10.36 +dnssec sigfail.verteiltesysteme.net

; <<>> DiG 9.10.3-P4 <<>> @192.168.10.36 +dnssec sigfail.verteiltesysteme.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY,id: 48091
;; flags: qr rd ra; QUERY: 1,ANSWER: 2,AUTHORITY: 3,ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0,flags: do; udp: 4096
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; ANSWER SECTION:
sigfail.verteiltesysteme.net. 60 IN     A       134.91.78.139
sigfail.verteiltesysteme.net. 60 IN     RRSIG   A 5 3 60 20200610081125 20150611081125 30665 verteiltesysteme.net. //This+RRSIG+is+deliberately+broken///For+more+informati on+please+go+to/http+//dnssec+vs+uni/hyphen/+due+de////r eplace+/hyphen/+with+character////////////////////////// //8=

;; AUTHORITY SECTION:
verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.
verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.
verteiltesysteme.net.   3600    IN      RRSIG   NS 5 2 3600 20200610081125 20150611081125 30665 verteiltesysteme.net. s4iS0q402GTqtpy1WWspX1KHY3hb0/SOq79qWzRL5PFacAAKK+2ltxWW PTuwsYOWP3l+uq7xu80G0UQNtWPmISa2SYnktvXoZWbdy8F7q8GOH5xw 2t+JokxheEz5Xe4Xy7TmONIxVGq7M9FX4hDBva62PztcGq7UMZMWgyNs P/o=

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 69    IN      A       134.91.78.139
ns1.verteiltesysteme.net. 69    IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 69    IN      A       134.91.78.141
ns2.verteiltesysteme.net. 69    IN      AAAA    2001:638:501:8efc::141
ns1.verteiltesysteme.net. 69    IN      RRSIG   A 5 3 3600 20200610081125 20150611081125 30665 verteiltesysteme.net. kIcbu+YRC6xby461JYrNE3WSOQmTM6UstxKYo8uO1mEysvfDUs23Yuv6 nG+yMo3enmdIg89pPuLWIsz16uYxswl4DlplCYYPP9nT4d+9bjbMHu5S 7hi/uTlYEFwUCDlyQn38sEwnDHwbBnuW0uvYwV/TPTTjtcfYEw0R8zGI QQU=
ns1.verteiltesysteme.net. 69    IN      RRSIG   AAAA 5 3 3600 20200610081125 20150611081125 30665 verteiltesysteme.net. PzZiFVbjYHb1+xpIfZGbbtogY94uNvpqHBBibk0Sp7n5BLz4PJZ+dJYc rlikoNK1KyhnHugqCzh6Cr/t23lpioXUPjMWHFYcHsV4kcldTzt7Pl9Q 8h/IvlvtC33TYXnopmmGoV9vbjgpmgpAt//dY8UdNlXD/Dh6CDver+XT 34A=
ns2.verteiltesysteme.net. 69    IN      RRSIG   A 5 3 3600 20200610081125 20150611081125 30665 verteiltesysteme.net. PVIDSVFi0GLHavnTFj2JnHn+1A/wOAKS8fMzavMhkFycWjudxDuC19uW Ak9vCV5dR/3ZW4UGQUjZFgVI45fQP2yCJ5H98Z7vfn4FF9gxKwGy+TDt dLeOzcdorOF70aYHEWyYWK5tcq1SqXLXJQMp3G/MY362vqCzbFiIUk32 3q4=
ns2.verteiltesysteme.net. 69    IN      RRSIG   AAAA 5 3 3600 20200610081125 20150611081125 30665 verteiltesysteme.net. Fhg3JLyBsuXG4UCvG3y48gL8lz2Tu5Hx+ClxoXf4NjWs2MK/XScHEzwb UdOhz4aHnZbfWORoXHSD3DR92vBooix+522Z2GhCg1eiXBP66VDyypqT Ar7kUTXJHmsa70k/ubYHC6P6Imy68CbIi5xPr+OFZHrL/CTv9fcLVg3A ikU=

;; Query time: 53 msec
;; SERVER: 192.168.10.36#53(192.168.10.36)
;; WHEN: Sa Jul 09 01:07:08 CEST 2016
;; MSG SIZE  rcvd: 1277

– EDIT3 –
I enabled query logging at debug level 10 to make sure the right queries are being sent. The query "dig @192.168.10.36 +dnssec sigfail.verteiltesysteme.net" produced the following three entries

09-Jul-2016 01:23:50.419 client 192.168.10.36#47038 (sigfail.verteiltesysteme.net): query: sigfail.verteiltesysteme.net IN A +ED (192.168.10.36)
09-Jul-2016 01:23:59.620 client 192.168.10.2#64858 (sigfail.verteiltesysteme.net): query: sigfail.verteiltesysteme.net IN A +ED (192.168.10.36)
09-Jul-2016 01:24:32.417 client 192.168.10.2#54071 (sigfail.verteiltesysteme.net): query: sigfail.verteiltesysteme.net IN A +ED (192.168.10.36)

192.168.10.2 is my computer, 192.168.10.36 is the server BIND runs on.
I also downloaded the current BIND version from isc.org as you suggested and ran it. The result is the same as with cygwin. The third entry in the log above was generated by the isc.org BIND.

– EDIT4 –

As a very late but final edit: I finally found the solution.
I use Avast as my AV, and it seems to intercept DNS traffic and forward it to their Avast "secure servers".
Uninstalling Avast and running Windows Defender solved the problem.

Answer

The forwarders you have configured will only cause problems when running a validating resolver, because the OpenDNS servers do not cooperate when it comes to DNSSEC validation.

I think it may have been sort of working for you anyway, because you did not specify forward only, so named would fall back to resolving things more or less on its own when the forwarders could not produce useful results. But even if it sort of works, it still completely clutters your logs.

To demonstrate, if I set forward only and use the same forwarders, the following happens:

named[20057]: error (no valid RRSIG) resolving 'net/DS/IN': 208.67.220.220#53
named[20057]: error (no valid RRSIG) resolving 'net/DS/IN': 208.67.222.222#53
named[20057]: error (no valid DS) resolving 'sigfail.verteiltesysteme.net/A/IN': 208.67.222.222#53
named[20057]: validating @0x7f36805ecb10: sigfail.verteiltesysteme.net A: bad cache hit (net/DS)
named[20057]: error (broken trust chain) resolving 'sigfail.verteiltesysteme.net/A/IN': 208.67.220.2

As you can see, it fails, but for entirely the wrong reason. (It fails on the DS for net, not when validating the actually broken signature on sigfail.verteiltesysteme.net.)

I expect your logs currently contain a mix of the above, combined with the actually relevant entries from named falling back to querying servers that work properly. Fixing this should help with troubleshooting.

As for the inconsistent results, I'm not sure anything in the configuration really explains that.
Are you certain that it's actually the same named instance answering the queries? No odd NAT rules or similar that cause the clients to transparently talk to some different server, or anything like that?

Queries like dig @192.168.10.36 version.bind CH TXT and dig @192.168.10.36 hostname.bind CH TXT might expose such things.
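As an added example (not code from the question or the answer), the following Python parses the two log formats this thread relies on, the BIND 9.9 query log from EDIT3 and the validator error lines the answer quotes, and labels each failure the way the answer reasons: "ancestor-ds" when validation broke at a parent's DS (what the non-cooperating forwarders caused) versus "own-signature" when the queried name's own RRSIG was rejected (the expected outcome for sigfail.verteiltesysteme.net). The function names and labels are mine; the sample lines are constructed from the lines quoted on this page.

```python
import re
# Added example (not from the question or answer): parse the BIND 9.9 querylog and
# validator error lines quoted in the thread and classify the validation failures.
QUERY_RE = re.compile(r"client (?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
                      r"(?P<qname>\S+) \S+ (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[^)]*)\)")
ERROR_RE = re.compile(r"error \((?P<reason>[^)]*)\) resolving "
                      r"'(?P<name>[^/]+)/(?P<rtype>[^/]+)/[^']+': (?P<server>\S+)")

def parse_query_log(line):
    """Client, qname/qtype, destination and flag bits of a querylog entry ("+ED" = RD, EDNS, DO)."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return {"client": m.group("client"), "qname": m.group("qname").rstrip("."),
            "qtype": m.group("qtype"), "dst": m.group("dst"), "rd": flags.startswith("+"),
            "edns": "E" in flags, "do": "D" in flags, "cd": "C" in flags}

def parse_validation_error(line):
    """Reason, failing owner name/type and upstream server of a validator error entry."""
    m = ERROR_RE.search(line)
    return {**m.groupdict(), "name": m.group("name").rstrip(".")} if m else None

def classify_failure(queried_name, err):
    """'ancestor-ds': chain broke at a parent's DS (what the non-cooperating forwarders
    cause); 'own-signature': the queried name's RRSIG was rejected (expected for sigfail)."""
    q, n = queried_name.rstrip(".").lower(), err["name"].lower()
    if err["rtype"] == "DS" and n != q and q.endswith("." + n):
        return "ancestor-ds"
    if n == q and err["reason"] in ("no valid RRSIG", "no valid signature found"):
        return "own-signature"
    return "other"

def classify_log(queried_name, lines):
    """One label per recognised line: 'query:<client>:DO=<bool>' or the failure class."""
    out = []
    for line in lines:
        q, e = parse_query_log(line), parse_validation_error(line)
        if q:
            out.append(f"query:{q['client']}:DO={q['do']}")
        elif e:
            out.append(classify_failure(queried_name, e))
    return out

# Constructed sample modelled on the log lines quoted on this page.
SAMPLE_LOG = [
    "09-Jul-2016 01:23:59.620 client 192.168.10.2#64858 (sigfail.verteiltesysteme.net): query: sigfail.verteiltesysteme.net IN A +ED (192.168.10.36)",
    "named[20057]: error (no valid RRSIG) resolving 'net/DS/IN': 208.67.220.220#53",
    "named[2940]: error (no valid RRSIG) resolving 'sigfail.verteiltesysteme.net/A/IN': 134.91.78.141#53",
]
```

Running classify_log over a real named log for the queried name shows at a glance whether the client's query arrived with the DO bit and whether each failure is a forwarder-induced chain break or a genuine bad signature.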
