BIND nameserver with DLZ does not consider itself authoritative



  • Hello everyone,

    I want to run a dynamic DNS service. For that I have a BIND nameserver, connected to a MySQL database via DLZ. The database holds the SOA record, the NS records, the glue A records for the NS servers, the A record for the domain itself and a CNAME record pointing to @. All of these records can be queried successfully. However, BIND evidently does not consider itself responsible for the zone: it does not allow zone transfers.

    My database table looks like this (select * from dns_records):

    +----+----------------+-----+-------+------+-------------+---------------------+---------------------+-----------------------+--------+---------+-------+--------+---------+
    | id | zone           | ttl | type  | host | mx_priority | data                | primary_ns          | resp_contact          | serial | refresh | retry | expire | minimum |
    +----+----------------+-----+-------+------+-------------+---------------------+---------------------+-----------------------+--------+---------+-------+--------+---------+
    |  1 | meinedomain.at | 300 | SOA   | @    |        NULL | NULL                | ns1.meinedomain.at. | admin.meinedomain.at. |      5 |     300 |    30 |  86400 |     300 |
    |  2 | meinedomain.at | 300 | NS    | @    |        NULL | ns1.meinedomain.at. | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    |  3 | meinedomain.at | 300 | NS    | @    |        NULL | ns2.meinedomain.at. | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    |  4 | meinedomain.at | 300 | NS    | @    |        NULL | ns3.meinedomain.at. | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    |  5 | meinedomain.at | 300 | NS    | @    |        NULL | ns4.meinedomain.at. | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    |  6 | meinedomain.at | 300 | A     | ns1  |        NULL | 11.11.11.11         | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    |  7 | meinedomain.at | 300 | A     | ns2  |        NULL | 22.22.22.22         | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    |  8 | meinedomain.at | 300 | A     | ns3  |        NULL | 33.33.33.33         | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    |  9 | meinedomain.at | 300 | A     | ns4  |        NULL | 44.44.44.44         | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    | 10 | meinedomain.at | 300 | A     | @    |        NULL | 11.11.11.11         | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    | 11 | meinedomain.at | 300 | CNAME | www  |        NULL | @                   | NULL                | NULL                  |   NULL |    NULL |  NULL |   NULL |    NULL |
    +----+----------------+-----+-------+------+-------------+---------------------+---------------------+-----------------------+--------+---------+-------+--------+---------+
    

    If I now attempt a zone transfer from the same machine, I get the following result:

    # dig -t axfr @localhost meinedomain.at
    
    ; <<>> DiG 9.8.6-P1 <<>> -t axfr @localhost meinedomain.at
    ; (1 server found)
    ;; global options: +cmd
    ; Transfer failed.
    

    The log file I configured contains the following lines:

    11-Mar-2014 11:32:34.761 database: debug 1: 
    Query String: SELECT zone FROM dns_records where zone = 'meinedomain.at' group by zone
    
    11-Mar-2014 11:32:34.761 xfer-out: info: client 127.0.0.1#48587: bad zone transfer request: 'meinedomain.at/IN': non-authoritative zone (NOTAUTH)
    

    When a zone transfer request comes in from the secondary nameservers, the log entries look like this:

    11-Mar-2014 11:41:01.344 database: debug 1: 
    Query String: SELECT zone FROM dns_records where zone = 'meinedomain.at' group by zone
    
    11-Mar-2014 11:41:01.344 database: debug 1: 
    Query String: SELECT ttl, type, mx_priority, IF(type = 'TXT', CONCAT('"',data,'"'), data) AS data FROM dns_records WHERE zone = 'meinedomain.at' AND host = '@' AND type <> 'SOA' AND type <> 'NS'
    
    11-Mar-2014 11:41:01.344 database: debug 1: 
    Query String: SELECT ttl, type, data, primary_ns, resp_contact, serial, refresh, retry, expire, minimum FROM dns_records WHERE zone = 'meinedomain.at' AND (type = 'SOA' OR type='NS')
    
    11-Mar-2014 11:41:01.344 database: debug 1: 
    Query String: SELECT ttl, type, mx_priority, IF(type = 'TXT', CONCAT('"',data,'"'), data) AS data FROM dns_records WHERE zone = 'meinedomain.at' AND host = '@' AND type <> 'SOA' AND type <> 'NS'
    
    11-Mar-2014 11:41:01.345 database: debug 1: 
    Query String: SELECT ttl, type, data, primary_ns, resp_contact, serial, refresh, retry, expire, minimum FROM dns_records WHERE zone = 'meinedomain.at' AND (type = 'SOA' OR type='NS')
    
    11-Mar-2014 11:41:01.345 database: debug 1: 
    Query String: SELECT zone FROM dns_records where zone = 'meinedomain.at' group by zone
    
    11-Mar-2014 11:41:01.345 xfer-out: info: client 22.22.22.22#55932: bad zone transfer request: 'meinedomain.at/IN': non-authoritative zone (NOTAUTH)
    

    My config file looks like this:

    options
    {
    	directory "/etc/named";
    
    	empty-zones-enable no;
    
    	allow-transfer
    	{
    		22.22.22.22;
    		33.33.33.33;
    		44.44.44.44;
    		127.0.0.1;
    	};
    
    	allow-update { none; };
    
    	allow-recursion { any; };
    	allow-query { any; };
    	allow-query-cache { any; };
    };
    
    logging
    {
    	channel default_file
    	{
    		file "/var/log/named.log";
    		severity debug;
    		print-time yes;
    		print-severity yes;
    		print-category yes;
    	};
    
    	category default { default_file; };
    };
    
    zone "." IN
    {
    	type hint;
    	file "/etc/named/root.hints";
    };
    
    dlz "mydlz"
    {
    	database "mysql
    	{host=localhost dbname=mydb user=myuser pass=mypass}
    	{SELECT zone FROM dns_records where zone = '$zone$' group by zone}
    	{SELECT ttl, type, mx_priority, IF(type = 'TXT', CONCAT('\"',data,'\"'), data) AS data FROM dns_records WHERE zone = '$zone$' AND host = '$record$' AND type <> 'SOA' AND type <> 'NS'}
    	{SELECT ttl, type, data, primary_ns, resp_contact, serial, refresh, retry, expire, minimum FROM dns_records WHERE zone = '$zone$' AND (type = 'SOA' OR type='NS')}
    	{SELECT ttl, type, host, mx_priority, IF(type = 'TXT', CONCAT('\"',data,'\"'), data) AS data, resp_contact, serial, refresh, retry, expire, minimum FROM dns_records WHERE zone = '$zone$' AND type <> 'SOA' AND type <> 'NS'}";
    };
    

    And here are the corresponding entries in my syslog:

    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: starting BIND 9.8.6-P1 -u named
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: built with '--with-dlz-mysql' '--prefix' '/usr/local/named' '--sysconfdir=/etc/named' '--with-openssl'
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: ----------------------------------------------------
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: BIND 9 is maintained by Internet Systems Consortium,
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: corporation.  Support and training for BIND 9 are
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: available at https://www.isc.org/support
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: ----------------------------------------------------
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: using up to 4096 sockets
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: loading configuration from '/etc/named/named.conf'
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: reading built-in trusted keys from file '/etc/named/bind.keys'
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: using default UDP/IPv4 port range: [1024, 65535]
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: using default UDP/IPv6 port range: [1024, 65535]
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: listening on IPv4 interface lo, 127.0.0.1#53
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: listening on IPv4 interface eth0, 11.11.11.11#53
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: generating session key for dynamic DNS
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: sizing zone task pool based on 1 zones
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: Loading 'mydlz' using driver mysql
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: set up managed keys zone for view _default, file 'managed-keys.bind'
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: open: /etc/named/rndc.key: file not found
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: couldn't add command channel 127.0.0.1#953: file not found
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: open: /etc/named/rndc.key: file not found
    Mar 11 10:53:31 Ubuntu-1204-precise-64-minimal named[29554]: couldn't add command channel ::1#953: file not found
    

    I have obfuscated the domain and the IPs everywhere.

    I am slowly getting really stuck. I have tried everything and googled and have found no solution to the problem. I would be really grateful if someone had a tip for me.

    Der Kellerautomat



  • You need zone_type master for your zone.
    See http://www.zytrax.com/books/dns/ch7/zone.html#type



  • As far as I know, a type statement does not work inside a dlz block. Where does it have to go?



  • I have never used DLZ - just look at the documentation there. In normal BIND it is simply type: master - but DLZ logically keeps the config in the DB, so the values have to be in the DB as well.

    See e.g.
    http://bind-dlz.sourceforge.net/mysql_example.html
    at the very bottom.
    They advise against it, though.



  • Thanks already, you have gotten me further.

    I have configured that now, but I get an error for the configuration.

    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: ----------------------------------------------------
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: BIND 9 is maintained by Internet Systems Consortium,
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: corporation.  Support and training for BIND 9 are
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: available at https://www.isc.org/support
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: ----------------------------------------------------
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: using up to 4096 sockets
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: loading configuration from '/etc/named/named.conf'
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: reading built-in trusted keys from file '/etc/named/bind.keys'
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: using default UDP/IPv4 port range: [1024, 65535]
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: using default UDP/IPv6 port range: [1024, 65535]
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: listening on IPv4 interface lo, 127.0.0.1#53
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: listening on IPv4 interface eth0, 11.11.11.11#53
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: generating session key for dynamic DNS
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: sizing zone task pool based on 1 zones
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: Loading 'mysql' using driver mysql
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: Required token $client$ not found.
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: Could not build allow xfr query list
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: mysql driver could not create database instance object.
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: SDLZ driver failed to load.
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: DLZ driver failed to load.
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: loading configuration: failure
    Mar 12 13:46:05 Ubuntu-1204-precise-64-minimal named[28201]: exiting (due to fatal error)
    

    My DLZ:

    dlz "mydlz"
    {
            database "mysql
            {host=myhost dbname=mydb user=myuser pass=mypass}
            {SELECT zone FROM dns_records where zone = '$zone$' group by zone}
            {SELECT ttl, type, mx_priority, IF(type = 'TXT', CONCAT('\"',data,'\"'), data) AS data FROM dns_records WHERE zone = '$zone$' AND host = '$record$' AND type <> 'SOA' AND type <> 'NS'}
            {}
            {SELECT ttl, type, host, mx_priority, IF(type = 'TXT', CONCAT('\"',data,'\"'), data) AS data, resp_contact, serial, refresh, retry, expire, minimum FROM dns_records WHERE zone = '$zone$' AND type <> 'SOA' AND type <> 'NS'}
            {SELECT zone FROM xfr WHERE zone = '$zone$' AND client = '$client$'}";
    };
    

    The token "$client$" is right there, isn't it? What am I missing? 😕

    Regards,
    Der Kellerautomat

    P.S.: I know that this is suboptimal, but at the moment I have no other option.

    Edit: Solved, I accidentally had an extra character in the config.



  • Somehow it still does not quite work. The following DLZ config:

    dlz "mydlz"
    {
            database "mysql
            {host=myhost dbname=mydb user=myuser pass=mypass}
            {SELECT zone FROM dns_records where zone = '$zone$' group by zone}
            {SELECT ttl, type, mx_priority, CASE WHEN lower(type)='txt' THEN concat('\"', data, '\"') WHEN lower(type) = 'soa' THEN concat_ws(' ', data, resp_contact, serial, refresh, retry, expire, minimum) ELSE data END FROM dns_records WHERE zone = '$zone$' AND host = '$record$'}
            {}
            {SELECT ttl, type, host, mx_priority, CASE WHEN lower(type)='txt' THEN concat('\"', data, '\"') ELSE data END, resp_contact, serial, refresh, retry, expire, minimum FROM dns_records WHERE zone = '$zone$'}
            {SELECT zone FROM xfr WHERE zone = '$zone$' AND client = '$client$'}";
    };
    

    If I now perform a zone transfer, I get:

    13-Mar-2014 15:05:52.413 database: debug 1:
    Query String: SELECT zone FROM dns_records where zone = 'meinedomain.at' group by zone
    
    13-Mar-2014 15:05:52.413 database: debug 1:
    Query String: SELECT zone FROM xfr WHERE zone = 'meinedomain.at' AND client = '127.0.0.1'
    
    13-Mar-2014 15:05:52.413 database: debug 1:
    Query String: SELECT ttl, type, mx_priority, CASE WHEN lower(type)='txt' THEN concat('"', data, '"') WHEN lower(type) = 'soa' THEN concat_ws(' ', data, resp_contact, serial, refresh, retry, expire, minimum) ELSE data END FROM dns_records WHERE zone = 'meinedomain.at' AND host = '@'
    
    13-Mar-2014 15:05:52.414 general: error: dns_rdata_fromtext: buffer-0x7fff5bdb45a0:1: near eof: unexpected end of input
    13-Mar-2014 15:05:52.414 database: error: dns_sdlz_putrr returned error. Error code was: unexpected end of input
    13-Mar-2014 15:05:52.414 database: debug 1:
    Query String: SELECT ttl, type, mx_priority, CASE WHEN lower(type)='txt' THEN concat('"', data, '"') WHEN lower(type) = 'soa' THEN concat_ws(' ', data, resp_contact, serial, refresh, retry, expire, minimum) ELSE data END FROM dns_records WHERE zone = 'meinedomain.at' AND host = '*'
    
    13-Mar-2014 15:05:52.414 general: error: journal.c:171: unexpected error:
    13-Mar-2014 15:05:52.414 general: error: missing SOA
    

    "unexpected end of input"? Und warum startet er eine zweite Query mit host='*'? 😕

