So I went through setting up PDNS Recursive and Authoritative servers for the internal network. The recursor runs on port 53 and the authoritative server runs on 5300. Requests are forwarded using the following:
forward-zones=example.com=127.0.0.1:5300, 30.168.192.in-addr.arpa=127.0.0.1:5300
forward-zones-recurse=.=8.8.8.8
There is an Active Directory-only subdomain that is delegated to the AD DNS system.
v-dc-1.ad.example.com A 192.168.30.15
When I run a dig query for an entry in the subdomain, the recursor talks to the AD name server correctly. However, whenever I try to look up the NS's IP, 'servfail' is returned. I traced the query as below.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Looking for CNAME cache hit of 'v-dc-1.ad.example.com|CNAME'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No CNAME cache hit of 'v-dc-1.ad.example.com|CNAME' found
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No cache hit for 'v-dc-1.ad.example.com|A', trying to find an appropriate NS record
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got TA for '.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : setting cut state for . to Secure
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: initial validation status for v-dc-1.ad.example.com is Indeterminate
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Cache consultations done, have 1 NS to contact
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Domain has hardcoded nameserver
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Resolved 'example.com' NS (empty) to: 127.0.0.1
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying IP 127.0.0.1:5300, asking 'v-dc-1.ad.example.com|A'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Got 3 answers from (empty) (127.0.0.1), rcode=0 (No Error), aa=0, in 2ms
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'ad.example.com|NS|v-dc-1.ad.example.com.' from 'example.com' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'v-dc-1.ad.example.com|A|192.168.30.15' from 'example.com' nameservers? ttl=3600, place=3 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: OPT answer '.' from 'example.com' nameservers
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record v-dc-1.ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: determining status after receiving this packet
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: got NS record 'ad.example.com' -> 'v-dc-1.ad.example.com.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: status=did not resolve, got 1 NS, looping to them
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com.: Nameservers: v-dc-1.ad.example.com.(0.00ms)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Using NS to resolve itself, but only using what we have in cache (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying to resolve NS 'v-dc-1.ad.example.com' (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, NO auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Recursion not requested for 'v-dc-1.ad.example.com|A', peeking at auth/forward zones
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: forwarding query to hardcoded nameserver '127.0.0.1:5300' for zone 'example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to get IP for NS v-dc-1.ad.example.com, trying next if available
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to resolve via any of the 1 offered NS at level 'ad.example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Ageing nameservers for level 'ad.example.com', next query might succeed
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: failed (res=-1)
Can anyone point me in the right direction with this?
Answer 1
I was running into the exact same problem, and the only thing that worked for me was to use a dedicated hostname for the glue record, one that is not used for anything other than the delegation.
For example, instead of
subdomain.example.com. IN NS dc.subdomain.example.com.
dc.subdomain.example.com. IN A 192.0.2.10
use an alternative hostname, but pointing at the same IP address as the DC:
subdomain.example.com. IN NS ns.subdomain.example.com.
ns.subdomain.example.com. IN A 192.0.2.10
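The following is an added example, not the asker's or the answerer's own configuration. It models the "before" and "after" record sets from the answer above as constructed data and lints the delegation the way a defender would check it: every in-bailiwick NS target must have glue in the parent, that glue must agree with the child zone's own address, and the glue hostname should serve no purpose other than delegation. The child-zone SRV records standing in for what a domain controller publishes, the RR class and the function names are all assumptions made for this example.

```python
"""Delegation lint for a parent zone that hands a subdomain to another DNS server.

Added example (not the question author's or the answerer's configuration).
Record sets are constructed from the answer above; the child-zone SRV records
are an assumed stand-in for what an AD domain controller publishes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record; rdata is the presentation form as a single string."""
    name: str
    rtype: str
    rdata: str


def canon(name: str) -> str:
    """Lower-case and fully qualify a domain name so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    n, z = canon(name), canon(zone)
    return n == z or n.endswith("." + z)


def rdata_target(rr: RR) -> str:
    """Hostname a record points at: last field for SRV/MX, whole rdata for NS/CNAME."""
    return rr.rdata.split()[-1]


def lint_delegation(parent: list, child: list, zone: str) -> list:
    """Return findings as strings; an empty list means the delegation looks clean."""
    findings = []
    z = canon(zone)
    ns_targets = [canon(rdata_target(r)) for r in parent
                  if r.rtype == "NS" and canon(r.name) == z]
    if not ns_targets:
        findings.append(f"{z} has no NS records in the parent zone")

    for target in ns_targets:
        glue = {r.rdata for r in parent
                if canon(r.name) == target and r.rtype in ("A", "AAAA")}
        child_addrs = {r.rdata for r in child
                       if canon(r.name) == target and r.rtype in ("A", "AAAA")}

        if in_bailiwick(target, z):
            # An NS that lives inside the zone it serves cannot be looked up
            # through that zone, so the parent must carry its address as glue.
            if not glue:
                findings.append(f"in-bailiwick NS {target} has no glue A/AAAA in the parent")
            elif child_addrs and glue != child_addrs:
                findings.append(f"glue for {target} {sorted(glue)} disagrees with "
                                f"child zone {sorted(child_addrs)}")

        # The answer's advice: the glue name should exist only for delegation,
        # so flag any service record in the child zone that targets it.
        for r in child:
            if r.rtype in ("SRV", "MX", "CNAME") and canon(rdata_target(r)) == target:
                findings.append(f"NS hostname {target} is also the target of "
                                f"{canon(r.name)} {r.rtype}; use a dedicated delegation hostname")
    return findings


# Constructed data: the "instead of" records from the answer.
PARENT_BEFORE = [
    RR("subdomain.example.com.", "NS", "dc.subdomain.example.com."),
    RR("dc.subdomain.example.com.", "A", "192.0.2.10"),
]
# Constructed data: the dedicated-hostname records from the answer.
PARENT_AFTER = [
    RR("subdomain.example.com.", "NS", "ns.subdomain.example.com."),
    RR("ns.subdomain.example.com.", "A", "192.0.2.10"),
]
# Assumed child-zone content: the DC's address plus service records naming it.
CHILD_ZONE = [
    RR("dc.subdomain.example.com.", "A", "192.0.2.10"),
    RR("ns.subdomain.example.com.", "A", "192.0.2.10"),
    RR("_ldap._tcp.subdomain.example.com.", "SRV", "0 100 389 dc.subdomain.example.com."),
    RR("_kerberos._tcp.subdomain.example.com.", "SRV", "0 100 88 dc.subdomain.example.com."),
]

if __name__ == "__main__":
    for label, parent in (("before", PARENT_BEFORE), ("after", PARENT_AFTER)):
        print(label, lint_delegation(parent, CHILD_ZONE, "subdomain.example.com") or ["clean"])
```

Run against the "before" set the lint reports the NS hostname being reused by the SRV records; the "after" set comes back clean. The same check also catches a delegation with no glue at all and glue whose address has drifted from the child zone, two conditions that produce the same SERVFAIL symptom from the client's point of view.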