동적 dhcp를 사용하도록 구성된 소규모 서버가 있습니다(dhcp는 dns의 호스트 이름을 자동으로 업데이트합니다). 잘 작동하지만 A 레코드 중 하나가 마술처럼 사라지고 PTR 레코드는 괜찮습니다. 이것이 내 구성입니다.
dhcpd 구성 파일
# --- dhcpd.conf: global parameters ---
authoritative;
# Legacy DDNS style: the client's identity is stored in a TXT record. Newer dhcpd
# releases also offer `standard`, which uses the DHCID RR type — check what this version supports.
ddns-update-style interim;
ddns-updates on;
# TTL of the A/PTR records dhcpd creates; far below the 14400 s default lease below.
# The answer at the end of this page aligns the two values.
ddns-ttl 600;
update-static-leases on;
ddns-domainname "mydomain.example";
ddns-rev-domainname "in-addr.arpa";
# The server performs the DNS update itself instead of honouring a client's FQDN request.
ignore client-updates;
# NOTE(review): with conflict detection off, dhcpd skips the DHCID/TXT ownership check
# and replaces an existing name binding without question, so one client can take over
# another host's name. Keep it on unless the resulting update failures are understood.
update-conflict-detection off;
# Expected to hold the `key dhcp.mydomain.example` TSIG secret referenced by the zone
# statements below. named.conf on this page also accepts that key on its rndc control
# channel, so the file's permissions matter.
include "/etc/dhcp/dhcp.mydomain.example";
# Registered name: explicit ddns-hostname, else the client's host-name option,
# else the leased address with dashes (e.g. 192-168-0-32).
ddns-hostname = pick-first-value(ddns-hostname, option host-name, binary-to-ascii(10,8, "-", leased-address));
max-lease-time 86400;
default-lease-time 14400;
option domain-name-servers 192.168.0.4, 192.168.0.1;
# NOTE(review): code 119 is the built-in `domain-search` option (RFC 3397, a list of
# DNS-encoded names, not a plain string). Redefining it as `string` clashes with the
# `option domain-search` set inside the subnet below — one of the two should go.
option domain-search-order code 119 = string;
option domain-search-order "mydomain.example fritz.box";
subnet 192.168.0.0 netmask 255.255.255.0 {
option broadcast-address 192.168.0.255;
option subnet-mask 255.255.255.0;
option routers 192.168.0.1;
# Built-in domain-search option (code 119); see the conflicting global redefinition above.
option domain-search "mydomain.example";
# MAC-address match: `hardware` is the type byte followed by the address, so bytes 1..6
# are the MAC (value redacted on this page).
class "ignored" {
match if substring(hardware,1,6) = ###################;
}
# Clients in class "ignored" receive no lease from this pool.
pool {
deny members of "ignored";
range 192.168.0.20 192.168.0.252;
}
}
#
#
# The subnet where the server is attached
# Static reservation (MAC redacted), presumably the Samba host referenced in named.conf.
# With update-static-leases on, dhcpd registers this name too, with a one-week TTL
# instead of the global 600 s.
host samba4 {
hardware ethernet #####################;
fixed-address 192.168.0.5;
ddns-hostname "samba4";
ddns-ttl 604800;
}
# Forward and reverse zones dhcpd updates. Both updates go to 192.168.0.4 (the BIND
# server on this page), signed with the TSIG key from the included file.
zone mydomain.example.
{
primary 192.168.0.4;
key dhcp.mydomain.example;
}
zone 0.168.192.in-addr.arpa.
{
primary 192.168.0.4;
key dhcp.mydomain.example;
}
이것은 named.conf입니다.
// --- named.conf: server-wide options ---
options {
// Only loopback and the LAN address 192.168.0.4 answer on port 53.
listen-on port 53 { 127.0.0.1; 192.168.0.4; };
listen-on-v6 port 53 { ::1; };
// Logs every query: useful while chasing the missing A record, noisy otherwise.
querylog yes;
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// Queries are accepted from localhost, the LAN and 10.2.0.0/24.
allow-query { localhost; 192.168.0.0/24; 10.2.0.0/24;};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// Recursion is on, but limited by allow-recursion below.
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
// NOTE(review): the ISC DLV registry was retired in 2017; this distribution default is inert.
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
// Lets rndc add and delete zones at runtime. Because the controls block below accepts
// the DHCP update key, that capability is reachable with that key as well.
allow-new-zones yes;
// NOTE(review): this server is itself master for both of these names (zones below);
// confirm these statements have any effect on locally authoritative data.
dnssec-must-be-secure "mydomain.example" yes;
dnssec-must-be-secure "0.168.192.in-addr.arpa" yes;
// Global default; the two master zones override it with a TSIG-keyed list.
allow-transfer {127.0.0.1; };
// NOTE(review): 10.2.0.24 is a single host, while allow-query above uses 10.2.0.0/24 —
// probably meant to be the same /24.
allow-recursion {127.0.0.1; 192.168.0.0/24; 10.2.0.24; };
// Replaces the string returned for version.bind CH TXT.
version "Proot";
// GSS-TSIG (Kerberos-signed dynamic updates) using this keytab; the principal-based
// grants in the zone update-policies rely on it.
tkey-gssapi-keytab "/etc/dns.keytab";
tkey-domain "MYDOMAIN.EXAMPLE";
};
// Traffic to 10.3.0.2 (master of the two slave zones below) is signed with my-tsig.
server 10.3.0.2 {
keys { my-tsig; };
};
// TSIG keys (secrets redacted on this page).
// dhcp.mydomain.example is shared with dhcpd (see the dhcpd.conf include above) and
// is also accepted by the rndc controls below — two roles, one secret.
key dhcp.mydomain.example {
algorithm hmac-sha512;
secret "################";
};
// Used for transfers from 10.3.0.2 (server statement above).
key "my-tsig" {
algorithm HMAC-SHA512;
secret "################";
};
// Required by clients pulling transfers of the two master zones below.
key "my-tsig2" {
algorithm HMAC-SHA512;
secret "################";
};
// NOTE(review): the rndc control channel accepts the same TSIG key dhcpd uses for
// dynamic updates, so whoever can read /etc/dhcp/dhcp.mydomain.example can also issue
// rndc commands (reload, stop, addzone given allow-new-zones above). Use a dedicated
// rndc key, and unless remote rndc is needed drop the listener on 192.168.0.4.
controls {
inet 192.168.0.4 port 953 allow { 192.168.0.4; 127.0.0.1; } keys { dhcp.mydomain.example; };
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { dhcp.mydomain.example; };
};
// Root hints for recursion.
zone "." IN {
type hint;
file "named.ca";
};
// Primary for the forward zone that dhcpd updates.
zone "mydomain.example." IN {
type master;
file "/var/named/data/mydomain.example.zone";
// Outbound transfers only with TSIG key my-tsig2.
allow-transfer {key my-tsig2; };
update-policy {
// NOTE(review): `wildcard *` lets the DHCP key add or delete these types at ANY name
// in the zone, including any SRV records Samba publishes. With the dhcpd.conf above
// the DHCP server only needs A plus TXT (interim style) or DHCID; SRV/CNAME/MX could
// be dropped from this grant. The remaining grants are Kerberos principals (GSS-TSIG);
// their names appear mangled on this page.
grant dhcp.mydomain.example. wildcard * A TXT SRV CNAME MX DHCID;
grant [email protected] wildcard * A AAAA TXT SRV CNAME MX;
grant [email protected] wildcard * A AAAA TXT SRV CNAME MX;
grant [email protected] wildcard * A TXT SRV CNAME MX;
};
key-directory "/var/named/data";
// Inline signing: named serves the signed copy, which is why the grep later on this
// page finds the name in *.signed and *.jnl files rather than in the plain zone file.
// The dig output below answers NOERROR with an empty answer section, i.e. the name
// still exists with other types (likely the TXT/DHCID ownership record) while its A
// record is gone.
auto-dnssec maintain;
inline-signing yes;
/*
* the list of principals and what they can change is created
* dynamically by Samba, based on the membership of the domain controllers
* group. The provision just creates this file as an empty file.
*/
// NOTE(review): `#` starts a comment in named.conf, so this include is disabled;
// confirm that is intended.
#include "/var/lib/samba/private/named.conf.update";
/* we need to use check-names ignore so _msdcs A records can be created */
check-names ignore;
};
// Primary for the reverse zone that dhcpd updates; grants are PTR-only, which is all
// dhcpd needs here.
zone "0.168.192.in-addr.arpa" {
type master;
file "/var/named/data/0.168.192.in-addr.arpa";
allow-transfer {key my-tsig2; };
update-policy {
grant dhcp.mydomain.example. wildcard * PTR;
grant [email protected] wildcard * PTR;
grant [email protected] wildcard * PTR;
grant [email protected] wildcard * PTR;
};
// Signed inline like the forward zone; the grep on this page shows the name in the
// unsigned and .signed files here, consistent with PTR lookups still working.
auto-dnssec maintain;
key-directory "/var/named/data";
inline-signing yes;
};
// Secondary for otherzone.priv, transferred from 10.3.0.2 (signed with my-tsig via the
// server statement above).
zone "otherzone.priv." IN {
type slave;
masters {10.3.0.2; };
file "/var/named/data/otherzone.priv.zone";
// NOTE(review): inline signing on a slave re-signs the transferred data with keys
// from this server's key-directory; confirm that is intended for a zone owned elsewhere.
key-directory "/var/named/data";
auto-dnssec maintain;
inline-signing yes;
/*
* the list of principals and what they can change is created
* dynamically by Samba, based on the membership of the domain controllers
* group. The provision just creates this file as an empty file.
*/
// NOTE(review): `#` starts a comment in named.conf, so this include is disabled;
// the comment block above it looks copied from the mydomain.example zone.
#include "/var/lib/samba/private/named.conf.update";
/* we need to use check-names ignore so _msdcs A records can be created */
check-names ignore;
};
// Secondary for the reverse zone of 10.3.0.0/24, also pulled from 10.3.0.2.
zone "0.3.10.in-addr.arpa" {
type slave;
file "/var/named/data/0.3.10.in-addr.arpa.zone";
masters {10.3.0.2; };
// Same inline-signing-on-a-slave caveat as otherzone.priv above.
auto-dnssec maintain;
key-directory "/var/named/data";
inline-signing yes;
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
로그에 이상한 점은 없습니다. named의 데이터 디렉터리를 살펴보면 누락된 A 레코드가 존재하는 것처럼 보이지만, dig로 조회하면 그렇지 않습니다.
grep -irl disappeared.mydomain.example *
0.168.192.in-addr.arpa
0.168.192.in-addr.arpa.signed
mydomain.example.zone.jnl
mydomain.example.zone.signed
mydomain.example.zone.signed.jnl
dig disappeared.mydomain.example
; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> disappeared.mydomain.example
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 192
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 172e90668acc5f522b6add4b617edbeb3909928cefd32999 (good)
;; QUESTION SECTION:
;disappeared.mydomain.example. IN A
;; AUTHORITY SECTION:
mydomain.example. 86400 IN SOA dns1.mydomain.example. root.mydomain.example. 2020140075 60 120 604800 86400
;; Query time: 0 msec
;; SERVER: 192.168.0.4#53(192.168.0.4)
;; WHEN: Sun Oct 31 19:09:47 CET 2021
;; MSG SIZE rcvd: 123
dig -x 192.168.0.32는 올바른 이름을 반환합니다. 원인이 무엇일까요? dhcpd.leases 파일에서 임대를 수동으로 제거한 다음 클라이언트에서 Network Manager를 다시 시작하면 올바른 A 레코드가 다시 삽입되는 것을 볼 수 있습니다.
답변1
이 솔루션은 작동하는 것 같습니다.
ddns-ttl 600;
default-lease-time 14400;
이 두 값이 서로 조금 다릅니다.
두 가지 모두에 동일한 값을 사용해 보았습니다.
ddns-ttl 600;
default-lease-time 600;
작동하지만 임대 파일을 다시 만들어야 합니다.