resolver priming query complete: failure
BIND 9.18.24 (Extended Support Version) id: running on Linux aarch64 6.6.0-15.0.0.12.aarch64 #1 SMP Sat Mar 30 11:45:49 CST 2024
built by make with '--build=aarch64-linux-gnu' '--host=aarch64-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--with-gssapi=yes' '--with-lmdb=yes' '--with-json-c' '--with-cmocka' '--enable-fixed-rrset' '--enable-full-report' 'build_alias=aarch64-linux-gnu' 'host_alias=aarch64-linux-gnu' 'CFLAGS= -O2 -g -grecord-gcc-switches -pipe -fstack-protector-strong -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/generic-hardened-cc1 -fasynchronous-unwind-tables -fstack-clash-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/generic-hardened-ld' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 12.3.1 (linux-gnu 12.3.1-18)
compiled with OpenSSL version: OpenSSL 3.0.12 24 Oct 2023
linked to OpenSSL version: OpenSSL 3.0.12 24 Oct 2023
compiled with libuv version: 1.47.0
linked to libuv version: 1.47.0
compiled with libnghttp2 version: 1.58.0
linked to libnghttp2 version: 1.58.0
compiled with libxml2 version: 2.11.5
linked to libxml2 version: 21105
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.3.1
linked to zlib version: 1.3.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
After upgrading from 9.16 to 9.18.24, I started the named process with the following configuration and found an extra log: resolver priming query complete: failure.
This log is not displayed when the 9.16 version with the same configuration is used for startup. Is this the difference after the upgrade?
[root@linux]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
Active: active (running) since Tue 2024-03-26 20:00:25 CST; 8s ago
Process: 3633 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkc
Process: 3636 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 3638 (named)
Tasks: 4 (Limit: 21569)
Memory: 4.2M ()
CGroup: /system.slice/named.service
└─3638 /usr/sbin/named -u named -C /etc/named.conf
3月 26 20:00:26 openEuler named[3638]: REFUSED unexpected RCODE resolving './NS/IN':
3月 26 20:00:26 openEuler named[3638]: REFUSED unexpected RCODE resolving './DNSKEY/I
3月 26 20:00:26 openEuler named[3638]: REFUSED unexpected RCODE resolving './NS/IN':
3月 26 20:00:26 openEuler named[3638]: REFUSED unexpected RCODE resolving './DNSKEY/I
3月 26 20:00:26 openEuler named[3638]: REFUSED unexpected RCODE resolving './NS/IN':
3月 26 20:00:26 openEuler named[3638]: REFUSED unexpected RCODE resolving './DNSKEY/I
3月 26 20:00:26 openEuler named[3638]: REFUSED unexpected RCODE resolving './NS/IN':
3月 26 20:00:26 openEuler named[3638]: resolver priming query complete: failure
3月 26 20:00:26 openEuler named[3638]: REFUSED unexpected RCODE resolving './DNSKEY/I
3月 26 20:00:26 openEuler named[3638]: managed-keys-zone: Unable to fetch DNSKEY set '.': failure
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { localhost; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug { file "data/named.run"; severity dynamic; };
};
zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";