因此,我一直在為內部網路設定 PDNS 遞歸和權威伺服器。遞歸伺服器在連接埠 53 上運行,權威伺服器在 5300 上運行。
forward-zones=example.com=127.0.0.1:5300, 30.168.192.in addr.arpa=127.0.0.1:5300
forward-zones-recurse=.=8.8.8.8
我有一個專門用於 Active Directory 的子網域,已將其委託給 AD DNS 系統
v-dc-1.ad.example.com A 192.168.30.15
當我對子網域中的任何內容執行 dig 查詢時,遞歸器會正確地與 AD 名稱伺服器進行對話。然而,每當我嘗試查找 NS IP 時,都會返回“servfail”。我追蹤了查詢,如下:
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Looking for CNAME cache hit of 'v-dc-1.ad.example.com|CNAME'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No CNAME cache hit of 'v-dc-1.ad.example.com|CNAME' found
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: No cache hit for 'v-dc-1.ad.example.com|A', trying to find an appropriate NS record
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got TA for '.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : setting cut state for . to Secure
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: initial validation status for v-dc-1.ad.example.com is Indeterminate
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Cache consultations done, have 1 NS to contact
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Domain has hardcoded nameserver
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Resolved 'example.com' NS (empty) to: 127.0.0.1
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying IP 127.0.0.1:5300, asking 'v-dc-1.ad.example.com|A'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Got 3 answers from (empty) (127.0.0.1), rcode=0 (No Error), aa=0, in 2ms
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'ad.example.com|NS|v-dc-1.ad.example.com.' from 'example.com' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: accept answer 'v-dc-1.ad.example.com|A|192.168.30.15' from 'example.com' nameservers? ttl=3600, place=3 YES! - This answer was received from a server we forward to.
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: OPT answer '.' from 'example.com' nameservers
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] : got initial zone status Indeterminate for record v-dc-1.ad.example.com
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: determining status after receiving this packet
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: got NS record 'ad.example.com' -> 'v-dc-1.ad.example.com.'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: status=did not resolve, got 1 NS, looping to them
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com.: Nameservers: v-dc-1.ad.example.com.(0.00ms)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Using NS to resolve itself, but only using what we have in cache (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Trying to resolve NS 'v-dc-1.ad.example.com' (1/1)
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Wants DNSSEC processing, NO auth data in query for A
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Recursion not requested for 'v-dc-1.ad.example.com|A', peeking at auth/forward zones
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: forwarding query to hardcoded nameserver '127.0.0.1:5300' for zone 'example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to get IP for NS v-dc-1.ad.example.com, trying next if avaicomle
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Failed to resolve via any of the 1 offered NS at level 'ad.example.com'
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: Ageing nameservers for level 'ad.example.com', next query might succeed
Jan 20 16:42:23 v-dns-1 pdns_recursor[1174]: [343] v-dc-1.ad.example.com: failed (res=-1)
誰能指出我正確的方向嗎?
答案1
我遇到了完全相同的問題,唯一對我有用的是為粘合記錄使用專用主機名,該主機名除了委託之外不用於其他任何用途。
例如,而不是
subdomain.example.com. IN NS dc.subdomain.example.com.
dc.subdomain.example.com. IN A 192.0.2.10
使用備用主機名,但指向與 DC 相同的 IP 位址:
subdomain.example.com. IN NS ns.subdomain.example.com.
ns.subdomain.example.com. IN A 192.0.2.10