Hi Marco

Great question and I'm looking forward to any advice you get.

I'm currently using the following regex on our BIND resolvers but they are broken:

    header  => 'DNSSEC error: parent indicates it should be secure',
    pattern => 'validating \@0x\w+: (.*): got insecure response; parent indicates it should be secure',

    header  => 'DNSSEC warning: RRSIG has expired',
    pattern => 'validating @0x\w+: (.*): verify failed due to bad signature \(.*\): RRSIG has expired',

    header  => 'DNSSEC warning: RRSIG validity period has not begun',
    pattern => 'validating @0x\w+: (.*): verify failed due to bad signature \(.*\): RRSIG validity period has not begun',

    header  => 'DNSSEC notice: bad cache hit',
    pattern => 'validating @0x\w+: (.*): bad cache hit \(.*\)',

    header  => 'DNSSEC notice: invalid signature, possibly island of security',
    pattern => 'validating @0x\w+: (.*): no valid signature found',

The only good ones are the "verify failed due to bad signature" log entries. All others are error prone and contain false positives. e.g.:

    Mar 5 06:24:27 bagana named[6776]: 05-Mar-2015 06:24:27.103 dnssec: info: validating @0x7ffad63d1080: com SOA: got insecure response; parent indicates it should be secure
    Mar 5 13:32:52 bagana named[6776]: 05-Mar-2015 13:32:52.225 dnssec: info: validating @0x7ffad60ccd20: com SOA: got insecure response; parent indicates it should be secure

Daniel

On 05.03.15 13:55, Marco Davids (SIDN) wrote:
> Hi,
>
> What would be a good way to configure BIND-logging, or rather to filter
> DNSSEC-validation errors from that logging?
>
> Unbound logs stuff like this:
>
> Mar 5 12:58:47 xs unbound: [16331:0] info: validation failure <example.nl. A
> IN>: No DNSKEY record from 203.0.113.5 for key example.nl.nl. while building
> chain of trust
>
> That's great for parsing and finding domain names with DNSSEC issues.
>
> BIND logs various, less unambiguous kinds of messages, like:
>
> dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A:
> got insecure response; parent indicates it should be secure
>
> and, for the same request:
>
> lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity
> proof failed resolving 'example.nl/A/IN': 203.0.113.5#53
>
> It even logs an informational message when the domain is signed, but there is
> no DS-record in the parent (which to me does not count as a DNSSEC-validation
> problem):
>
> dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating
> www.example.nl/A: no valid signature found
>
> What would be the best, unambiguous string(s) to grep for, in order to find
> domain names that have validation-problems?
>
> Please advise.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnim...@switch.ch, http://www.switch.ch
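As an added example (not code from the thread, from SWITCH or from BIND), a Python version of the filtering Daniel describes: it parses both the older "validating @0x...: name TYPE:" form and the newer "validating name/TYPE:" form seen in Marco's quoted lines, tags each match with whether the reply above treats that message as reliable, and by default reports only owner names from the reliable "verify failed due to bad signature" messages. The sample log is constructed from lines in the thread plus one made-up "verify failed" line; the "(keyid=12345)" detail in it is an assumption.

```python
import re
from typing import Optional

# Constructed sample: three dnssec-category lines from the thread (syslog prefix
# stripped) plus one made-up "verify failed" line, since the reply quotes none.
SAMPLE_LOG = """\
05-Mar-2015 06:24:27.103 dnssec: info: validating @0x7ffad63d1080: com SOA: got insecure response; parent indicates it should be secure
05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: got insecure response; parent indicates it should be secure
05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found
05-Mar-2015 12:50:01.001 dnssec: info: validating @0x7ffad60ccd20: example.nl A: verify failed due to bad signature (keyid=12345): RRSIG has expired
"""

# Older BIND: "validating @0x<addr>: <name> <type>:"; newer BIND: "validating <name>/<type>:".
LINE_RE = re.compile(
    r"dnssec: \w+: validating (?:@0x[0-9a-fA-F]+: )?"
    r"(?P<name>\S+)[ /](?P<rtype>[A-Z0-9]+): (?P<msg>.*)$"
)

# (label, reliable, pattern over the message tail). Per the reply above, only the
# "verify failed due to bad signature" messages are free of false positives.
CLASSES = [
    ("RRSIG has expired", True,
     re.compile(r"verify failed due to bad signature \(.*\): RRSIG has expired")),
    ("RRSIG validity period has not begun", True,
     re.compile(r"verify failed due to bad signature \(.*\): RRSIG validity period has not begun")),
    ("parent indicates it should be secure", False,
     re.compile(r"got insecure response; parent indicates it should be secure")),
    ("bad cache hit", False, re.compile(r"bad cache hit \(.*\)")),
    ("no valid signature found", False, re.compile(r"no valid signature found")),
]


def parse_line(line: str) -> Optional[dict]:
    """Return {name, rtype, label, reliable} for a classified dnssec line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    for label, reliable, pat in CLASSES:
        if pat.search(m["msg"]):
            return {"name": m["name"], "rtype": m["rtype"], "label": label, "reliable": reliable}
    return None


def failing_names(log: str, reliable_only: bool = True) -> list:
    """Owner names with a DNSSEC problem; by default only from reliable messages."""
    names = []
    for line in log.splitlines():
        hit = parse_line(line)
        if hit and (hit["reliable"] or not reliable_only) and hit["name"] not in names:
            names.append(hit["name"])
    return names


if __name__ == "__main__":
    print("reliable:", failing_names(SAMPLE_LOG))                    # ['example.nl']
    print("all:", failing_names(SAMPLE_LOG, reliable_only=False))  # includes the 'com SOA' false positive
```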