我有一个域(xanderflood.com),其DNS由Route 53进行管理。我想将test.xanderflood.com的DNS委托给位于ns.test.xanderflood.com的服务器,所以我添加了两条记录:
test.xanderflood.com IN NS ns.test.xanderflood.com
ns.test.xanderflood.com IN A 198.51.100.234
运行dig +trace @75.75.75.75 media.test.xanderflood.com时,我得到
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> +trace @75.75.75.75
media.test.xanderflood.com
; (1 server found)
;; global options: +cmd
. 503150 IN NS k.root-servers.net.
. 503150 IN NS l.root-servers.net.
. 503150 IN NS m.root-servers.net.
. 503150 IN NS a.root-servers.net.
. 503150 IN NS b.root-servers.net.
. 503150 IN NS c.root-servers.net.
. 503150 IN NS d.root-servers.net.
. 503150 IN NS e.root-servers.net.
. 503150 IN NS f.root-servers.net.
. 503150 IN NS g.root-servers.net.
. 503150 IN NS h.root-servers.net.
. 503150 IN NS i.root-servers.net.
. 503150 IN NS j.root-servers.net.
. 503150 IN RRSIG NS 8 0 518400 20190704170000 20190621160000 25266 . D5+HDC+b5kZ625Ac27BUxuBSBTATMWEGyjPXTJIR1WaWkb3uGBhNYV5G CC/aFJtwJZ0M5ki9mWfDMBr2TTr4ij9KViXbr7PDVDLHnqixT864P+8t KmHPL1uYIb94DkJza8gTMcJZoQlFEj+gEl2+qPBRc5oZbl4GkVva+La4 T/64g96mORdS8vZGn9aQSCZnPg8Ckt6sTIaELWLAnI3zTFrosg+zrG8D zVJFmFy55SmleFq6Gzs3BMk1DIs8FqrVjS5PPVVIGsjAMhLMeS0Sclps AFf8kjEMzXoREz4DeNYWgmf2nE3HUXSxd/XR7VAlzJmOUt8Suz0YkDr3 OGS+Ig==
;; Received 1041 bytes from 75.75.75.75#53(75.75.75.75) in 12 ms
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20190704170000 20190621160000 25266 . lc916tqVraGg10FCUk6/B5E0xeEbP4c5rnt3bPICTdHmSHgAZ/SpA8MF pIO426+YZ12p/lozYA2nUo6B7lVrjinglyNAnTBrVxYPtiC078gPU1Bq g8gEG6OZHoe/+UdYfvVtblW/ioSExKeyc9/C6KYfzZuD++T05/izeHov iiE+4ViTmaFaDgI+xSpqttRJT/nYRpn1tN9/35MV/rhXDhEGIUdLM98e wscQUzDbfkifK6NKb9Z6Vp689y2N7WV9dJKcDeNqcoRrMrWW9ioWOLqE Kxhv4O6AzL9clubwuzi+ufirwk6euOD8n6q6u51bcRhK8PdgUs2xy2Ms uVcCMQ==
;; Received 1214 bytes from 199.9.14.201#53(b.root-servers.net) in 60 ms
xanderflood.com. 172800 IN NS ns-426.awsdns-53.com.
xanderflood.com. 172800 IN NS ns-823.awsdns-38.net.
xanderflood.com. 172800 IN NS ns-1657.awsdns-15.co.uk.
xanderflood.com. 172800 IN NS ns-1471.awsdns-55.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190628044430 20190621033430 3800 com. E0fw9vzA0DqWNYImFXrvmV/qH2cH6hDM5E7X6/pCKrhCZp7Qb6iCkp3u PdwVPv5HIs65MaMNSGA9gXCs4JcXBjUx6cmjKUbUfGX2kQffmFm6dGfA WvtjYvzFfG1o/0SUU5awr6hes1fa/G1RxwVW8a4AAdhZ/cPpFS2RTlar i/0=
50C5NFS5N8S46COAHN2QFK40EQF0U3HS.com. 86400 IN NSEC3 1 1 0 - 50C7M61IFHEGFKLIRHD1569DD1CM9NV5 NS DS RRSIG
50C5NFS5N8S46COAHN2QFK40EQF0U3HS.com. 86400 IN RRSIG NSEC3 8 2 86400 20190626053147 20190619042147 3800 com. eYnghQKgo9br7ORy1m6Ago7kBLi6Hj5yYumps4YQNJs/CMlgLt8yuzhw SGIAyzMuRuCnW8N+rH813tURS/zaR8cOWqxqxG/sj7xDZ++kMveCA7VW MQZq8CCplfYqAMpaNqDf3Qi/21612pfQnRnVe1XNwS99rqv/wt7L/OaE 6Ek=
;; Received 693 bytes from 192.55.83.30#53(m.gtld-servers.net) in 25 ms
test.xanderflood.com. 300 IN NS ns.test.xanderflood.com.
^Ccouldn't get address for 'ns.test.xanderflood.com': not found
dig: couldn't get address for 'ns.test.xanderflood.com': no more
在最后阶段,route53服务器似乎没有将粘合记录与NS记录一起发送。但是,当我通过运行dig @ns-1471.awsdns-55.org test.test.xanderflood.com具体检查时,它确实记录了粘合记录:
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> @ns-1471.awsdns-55.org test.test.xanderflood.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52944
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.test.xanderflood.com. IN A
;; AUTHORITY SECTION:
test.xanderflood.com. 300 IN NS ns.test.xanderflood.com.
;; ADDITIONAL SECTION:
ns.test.xanderflood.com. 300 IN A 198.51.100.234
;; Query time: 26 msec
;; SERVER: 205.251.197.191#53(205.251.197.191)
;; WHEN: Fri Jun 21 18:58:54 EDT 2019
;; MSG SIZE rcvd: 87
我尝试了所有列出的四个AWS名称服务器,它们都包含了粘合记录。同样,如果我向AWS服务器查询ns.test.xanderflood.com,则会得到A记录,但是当我使用dig +trace并向ISP递归服务器查询时,它将到达NS记录,并且可以不要再走了。有什么想法吗?
答案 0 :(得分:1)
问题不在于+trace。由于对名称服务器名称的简单请求会收到错误:
$ dig ns.test.xanderflood.com
; <<>> DiG 9.10.3-P4-Debian <<>> ns.test.xanderflood.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6793
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ns.test.xanderflood.com. IN A
;; Query time: 4625 msec
因为问题在于此特定的名称服务器根本不答复!
父母正确提供了胶水:
$ dig @ns-1657.awsdns-15.co.uk. ns.test.xanderflood.com | grep 'IN A '
ns.test.xanderflood.com. 5m IN A 198.51.100.234
(+short不起作用,因为该信息在附加部分中,而不是答案中)
但是然后:
$ dig @198.51.100.234 ns.test.xanderflood.com
; <<>> DiG 9.12.0 <<>> @198.51.100.234 ns.test.xanderflood.com
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30129
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f266724ac73b2e54
;; QUESTION SECTION:
;ns.test.xanderflood.com. IN A
;; QUERY SIZE: 64
;; connection timed out; no servers could be reached
(通常的故障排除包括尝试+tcp / +notcp调试UDP / TCP问题和+dnssec/+nodnssec涉及DNSSEC相关问题。没有选项可以改变上述结果,服务器不会回复)
此服务器不回复。 dig +trace首先询问此服务器,但未得到答复,因此是最终错误。
此名称服务器开始回复DNS查询后,您的问题就会消失。
您还可以查看监视服务:http://dnsviz.net/d/ns.test.xanderflood.com/dnssec/ 名称上的弹出窗口显示:没有通过UDP从服务器接收到响应(尝试12次。)
顺便说一句,肯定是显而易见的,但是要确保:将域委派给单个名称服务器(尤其是如果没有广播的话)是一个坏主意