Hi,

What would be a good way to configure BIND logging, or rather to filter DNSSEC validation errors from that logging?

Unbound logs stuff like this:

    Mar 5 12:58:47 xs unbound: [16331:0] info: validation failure <example.nl. A IN>: No DNSKEY record from 203.0.113.5 for key example.nl.nl. while building chain of trust

That's great for parsing and finding domain names with DNSSEC issues.

BIND logs various, less unambiguous kinds of messages, like:

    dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: got insecure response; parent indicates it should be secure

and, for the same request:

    lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity proof failed resolving 'example.nl/A/IN': 203.0.113.5#53

It even logs an informational message when the domain is signed but there is no DS record in the parent (which to me does not count as a DNSSEC validation problem):

    dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found

What would be the best, unambiguous string(s) to grep for, in order to find domain names that have validation problems?

Please advise.

-- 
Marco
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
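One way to do the filtering the question asks about, as an added example that is not part of the original post and not BIND's or ISC's own tooling: a small Python script that recognises the three BIND message shapes quoted above (the dnssec "validating ... got insecure response; parent indicates it should be secure" line, the lame-servers "insecurity proof failed resolving" line, and the "no valid signature found" line) plus Unbound's "validation failure" line, and reports only the domain names whose messages indicate a real validation failure. The split into "hard" failures and the "no valid signature found" message that is not counted follows the poster's own reading and is an assumption, not a complete catalogue of BIND's validator messages; the sample log lines are constructed for the example and modelled on the ones quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real resolver), modelled on the three BIND
# message shapes quoted in the question plus one Unbound line for comparison.
SAMPLE_LOG = """\
dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: got insecure response; parent indicates it should be secure
lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity proof failed resolving 'example.nl/A/IN': 203.0.113.5#53
dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found
Mar 5 12:58:47 xs unbound: [16331:0] info: validation failure <broken.example. A IN>: No DNSKEY record from 203.0.113.5 for key broken.example. while building chain of trust
dnssec.log:05-Mar-2015 13:01:02.001 dnssec: info: validating ok.example/MX: some other informational text
"""

# BIND "validating <name>/<type>: <reason>" lines from the dnssec logging category.
BIND_VALIDATING = re.compile(
    r"dnssec: info: validating (?P<name>[^/\s]+)/(?P<rtype>\S+): (?P<reason>.*)$"
)
# BIND lame-servers line emitted for the same failed query.
BIND_INSECURITY = re.compile(
    r"lame-servers: info: insecurity proof failed resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/[^']+': (?P<server>\S+)"
)
# Unbound's single, explicit validation-failure line.
UNBOUND_FAILURE = re.compile(
    r"unbound: \[\d+:\d+\] info: validation failure "
    r"<(?P<name>\S+) (?P<rtype>\S+) \S+>: (?P<reason>.*)$"
)

# Assumption: reasons treated as genuine validation problems ("hard") versus the
# "no valid signature found" message the poster does not count. This mirrors the
# question's reading, not a complete list of BIND validator messages.
HARD_REASONS = (
    "got insecure response; parent indicates it should be secure",
)
SOFT_REASONS = (
    "no valid signature found",
)


def normalize(name):
    """Lower-case and strip the trailing dot so BIND and Unbound names compare equal."""
    return name.lower().rstrip(".")


def parse_line(line):
    """Return a dict describing a DNSSEC-related log line, or None if it is not one.

    'hard' is True only for messages that should be reported as validation failures.
    """
    m = BIND_VALIDATING.search(line)
    if m:
        reason = m.group("reason").strip()
        hard = reason.startswith(HARD_REASONS)
        if not hard and not reason.startswith(SOFT_REASONS):
            return None  # unrelated "validating ..." chatter
        return {"source": "bind-dnssec", "name": normalize(m.group("name")),
                "rtype": m.group("rtype"), "reason": reason, "hard": hard}
    m = BIND_INSECURITY.search(line)
    if m:
        return {"source": "bind-lame-servers", "name": normalize(m.group("name")),
                "rtype": m.group("rtype"),
                "reason": "insecurity proof failed (" + m.group("server") + ")",
                "hard": True}
    m = UNBOUND_FAILURE.search(line)
    if m:
        return {"source": "unbound", "name": normalize(m.group("name")),
                "rtype": m.group("rtype"), "reason": m.group("reason").strip(),
                "hard": True}
    return None


def failing_domains(log_text):
    """Map each domain with a hard validation failure to the set of reasons seen."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["hard"]:
            failures[rec["name"]].add(rec["reason"])
    return dict(failures)


if __name__ == "__main__":
    # Feed real files with: python3 this_script.py < /var/log/named/dnssec.log
    for name, reasons in sorted(failing_domains(SAMPLE_LOG).items()):
        print(name)
        for r in sorted(reasons):
            print("   ", r)
```

Run against the constructed sample, it reports example.nl (from both the dnssec and the lame-servers line) and broken.example, and leaves out www.example.nl, whose only message is the "no valid signature found" one. Adding a new reason string to HARD_REASONS or SOFT_REASONS is all that is needed when another message shape turns up in the logs.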