Re: No "notify" category debug log entries anymore with Bind 9.11.3

2022-01-05 Thread Hildegard Meier
OK I fixed the root issue by introducing a forwarding zone for example.com to 
get the resolution for ns{1,2,3}.example.com from internet nameservers:

zone "example.com" IN {
type forward;
forwarders { 1.1.1.1; 8.8.8.8; };
};

Now the notification can start at all, but then the notifies fail as expected, 
and the notify debug log messages appear.

Issue solved, but it would be better if there were a log message such as 
"Cannot resolve addresses of to-be-notified nameservers, notification 
impossible.".


> Sent: Wednesday, 05 January 2022 at 16:34
> From: "Hildegard Meier" 
> To: "Hildegard Meier" 
> Cc: bind-users@lists.isc.org
> Subject: Re: No "notify" category debug log entries anymore with Bind 9.11.3
>
> An additional difference between the old Bind 9.8.1 host and the new Bind 
> 9.11.3 host is that the new (test) host cannot (and shall not) reach the 
> external DNS servers that are in the SOA records of the DNS zones we host as 
> "hidden primary" and notify to the external bind hosts (because it is only 
> for test).
>
> It looks like, because the new host cannot reach the external nameservers, 
> the address records of the nameservers of our hosted zones (in the SOA), to 
> which the notifies go, cannot be resolved either.
>
> So if I do an "rndc notify" to force a notification of the external 
> nameservers, their IP addresses are unknown to Bind, and therefore nothing 
> can be done.
>
> So this is a logging issue, because there should be a message, I think of 
> severity "info" at least, if a notify cannot be started because of unknown 
> IP addresses of the nameservers to be notified.
> Instead, as I have written, only this is logged:
> > 29-Dec-2021 12:00:33.475 notify: info: zone example.com/IN: sending 
> > notifies (serial 2021021001)
>
> and nothing more. This is insufficient, even more so at debug log level.
>
> Is there a way to exclude
> ns1.example.com
> ns2.example.com
> ns3.example.com
>
> from bind recursive resolving but give bind static A records for those 
> names, or alternatively tell bind to look in /etc/hosts for the IP 
> addresses?
> Then I would expect the test bind host to really start the notifies to the 
> IP addresses, and then the notify failure messages would appear.
>

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
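The silent case this thread describes, where a zone logs "sending notifies (serial N)" at severity info and no per-target line ever follows, can be caught from the log itself. The following Python analyzer is an added example and is not code from the original posts or from ISC's BIND; it assumes a "notify" category channel with print-time, print-category and print-severity enabled (as in the config quoted in this thread) and runs on log lines constructed for the example. The names parse_line, analyze and report are this example's own.

```python
"""Detect BIND notify runs that were announced but never reached a target.

Added example, not from the original posts or from ISC. It parses
"notify" category log lines written by a channel with print-time,
print-category and print-severity enabled, groups the per-target lines
("sending notify to", "notify response from", "notify to ... failed")
under the most recent "sending notifies (serial N)" announcement for the
same zone, and reports runs that announced notifies but never logged a
single target. The sample log at the bottom is constructed.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"notify: (?P<sev>info|notice|warning|error|debug \d+): "
    r"zone (?P<zone>\S+)/IN: (?P<msg>.*)$"
)
START_RE = re.compile(r"^sending notifies \(serial (?P<serial>\d+)\)$")
SEND_RE = re.compile(r"^sending notify to (?P<addr>\S+)$")
RESP_RE = re.compile(r"^notify response from (?P<addr>\S+): (?P<rcode>\S+)$")
FAIL_RE = re.compile(r"^notify to (?P<addr>\S+) failed: (?P<reason>.*)$")


def parse_line(line):
    """Return a dict for a notify-category line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _verdict(targets):
    """Summarise one run from its per-target outcomes."""
    if not targets:
        # Exactly the case from the thread: announcement, then silence.
        return ("no per-target notify lines: NS addresses may be unresolvable, "
                "or the channel severity is below debug 3")
    if all(v == "NOERROR" for v in targets.values()):
        return "all targets acknowledged"
    if all(v.startswith("failed") for v in targets.values()):
        return "all targets failed"
    return "mixed results"


def analyze(lines):
    """Return {(zone, serial): {"targets": {addr: outcome}, "verdict": str}}.

    outcome is "sent" (no reply seen), the rcode of a response, or
    "failed: <reason>" as printed by named.
    """
    runs = {}
    current = {}  # zone -> key of its latest "sending notifies" announcement
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # other categories, or not a BIND log line at all
        zone, msg = rec["zone"], rec["msg"]
        m = START_RE.match(msg)
        if m:
            key = (zone, m.group("serial"))
            runs[key] = {"targets": {}, "verdict": ""}
            current[zone] = key
            continue
        key = current.get(zone)
        if key is None:
            # Per-target line without an announcement (e.g. log rotated): keep it.
            key = (zone, "?")
            runs.setdefault(key, {"targets": {}, "verdict": ""})
            current[zone] = key
        targets = runs[key]["targets"]
        m = SEND_RE.match(msg)
        if m:
            targets.setdefault(m.group("addr"), "sent")
            continue
        m = RESP_RE.match(msg)
        if m:
            targets[m.group("addr")] = m.group("rcode")
            continue
        m = FAIL_RE.match(msg)
        if m:
            targets[m.group("addr")] = "failed: " + m.group("reason")
    for run in runs.values():
        run["verdict"] = _verdict(run["targets"])
    return runs


# Constructed sample: a healthy run, a silent run (hidden primary that cannot
# resolve its NS names), and a run whose only target timed out.
SAMPLE_LOG = """\
27-Dec-2021 12:58:51.786 notify: info: zone example.com/IN: sending notifies (serial 2021021001)
27-Dec-2021 12:58:51.786 notify: debug 3: zone example.com/IN: sending notify to 192.0.2.10#53
27-Dec-2021 12:58:51.816 notify: debug 3: zone example.com/IN: notify response from 192.0.2.10#53: NOERROR
29-Dec-2021 12:00:33.475 notify: info: zone example.net/IN: sending notifies (serial 2021122901)
29-Dec-2021 12:00:33.480 general: info: zone example.net/IN: loaded serial 2021122901
05-Jan-2022 16:40:02.101 notify: info: zone example.org/IN: sending notifies (serial 2022010501)
05-Jan-2022 16:40:02.102 notify: debug 3: zone example.org/IN: sending notify to 192.0.2.20#53
05-Jan-2022 16:40:12.103 notify: debug 2: zone example.org/IN: notify to 192.0.2.20#53 failed: timed out
"""


def report(text=SAMPLE_LOG):
    """Run the analysis over a log text and return one summary line per run."""
    out = []
    for (zone, serial), run in sorted(analyze(text.splitlines()).items()):
        out.append(f"{zone} serial {serial}: {run['verdict']} "
                   f"({len(run['targets'])} target(s))")
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```

Point it at the transfer.log the thread's channel writes. A run reported with no per-target lines either could not resolve the nameserver addresses (the root cause found above) or was logged through a channel whose severity is below debug 3, which is the level at which "sending notify to ..." and "notify response from ..." appear; "notify to ... failed" is at debug 2, per the zone.c excerpt quoted later in the thread.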


Re: No "notify" category debug log entries anymore with Bind 9.11.3

2022-01-05 Thread Hildegard Meier
An additional difference between the old Bind 9.8.1 host and the new Bind 
9.11.3 host is that the new (test) host cannot (and shall not) reach the 
external DNS servers that are in the SOA records of the DNS zones we host as 
"hidden primary" and notify to the external bind hosts (because it is only for 
test).

It looks like, because the new host cannot reach the external nameservers, the 
address records of the nameservers of our hosted zones (in the SOA), to which 
the notifies go, cannot be resolved either.

So if I do an "rndc notify" to force a notification of the external 
nameservers, their IP addresses are unknown to Bind, and therefore nothing can 
be done.

So this is a logging issue, because there should be a message, I think of 
severity "info" at least, if a notify cannot be started because of unknown IP 
addresses of the nameservers to be notified.
Instead, as I have written, only this is logged:
> 29-Dec-2021 12:00:33.475 notify: info: zone example.com/IN: sending notifies 
> (serial 2021021001)

and nothing more. This is insufficient, even more so at debug log level.

Is there a way to exclude
ns1.example.com
ns2.example.com
ns3.example.com

from bind recursive resolving but give bind static A records for those names, 
or alternatively tell bind to look in /etc/hosts for the IP addresses?
Then I would expect the test bind host to really start the notifies to the IP 
addresses, and then the notify failure messages would appear.


> Sent: Wednesday, 05 January 2022 at 15:08
> From: "Hildegard Meier" 
> To: "Hildegard Meier" 
> Cc: bind-users@lists.isc.org
> Subject: Re: No "notify" category debug log entries anymore with Bind 9.11.3
>
> Please see my comments between the quotes.
>
> > Subject: No "notify" category debug log entries anymore with Bind 9.11.3
> >
> > On the old server with Ubuntu 12 and Bind 9.8.1, I got the following 
> > "notify" category log entries as expected (domain names and IP addresses 
> > redacted):
> >
> > 27-Dec-2021 12:58:51.786 notify: debug 3: zone example.com/IN: sending 
> > notify to 1.2.3.4#53
> > 27-Dec-2021 12:58:51.816 notify: debug 3: zone example.com/IN: notify 
> > response from 1.2.3.4#53: NOERROR
>
> > With the new server, Ubuntu 18 and Bind 9.11.3, there are no "notify" 
> > category debug log entries anymore. The log only contains entries of 
> > severity "info", e.g.
> >
> > 29-Dec-2021 12:00:33.475 notify: info: zone example.com/IN: sending 
> > notifies (serial 2021021001)
>
> Looks to me like this is the code where the "notify response..." debug log 
> message I am missing with Bind 9.11.3 is created (lib/dns/zone.c, lines 
> 13862-13869):
>
> https://github.com/isc-projects/bind9/blob/v9_11_3_patch/lib/dns/zone.c
>
> if (result == ISC_R_SUCCESS)
>         notify_log(notify->zone, ISC_LOG_DEBUG(3),
>                    "notify response from %s: %.*s",
>                    addrbuf, (int)buf.used, rcode);
> else
>         notify_log(notify->zone, ISC_LOG_DEBUG(2),
>                    "notify to %s failed: %s", addrbuf,
>                    dns_result_totext(result));
>
> So the code seems to be there, with debug levels 3 and 2, and whether the 
> notify succeeded or failed (the second case, failure, I expect because of 
> the firewall restriction), there should be a corresponding debug log message.
>
> I guess I have a simple logging config error. Any idea why I do not see the 
> notify debug log messages?
>
> Can somebody please try to reproduce with Bind 9.11.3?
>
> Why did I see the debug log messages with the same config in Bind 9.8.1?
>
>
> > The log config in /etc/bind/named.conf.options with Bind 9.11.3 is exactly 
> > the same as on the old server with Bind 9.8.1:
> >
> > logging {
> >
> >     channel transfer_logfile {
> >         file "/var/log/named/transfer.log" versions 7 size 10m;
> >         severity debug 6;
> >         print-time yes;
> >         print-category yes;
> >         print-severity yes;
> >     };
> >
> >     category notify { transfer_logfile; };
> > };
> >
> > I tested with "severity debug 16", but that did not help.
> > I tested with "severity notice"; that led the "info" log entries to 
> > disappear, so nothing at all is logged anymore for the "notify" category, 
> > as expected.
> >
> > I also ran "rndc trace" six times, so named.log logged "general: info: 
> > debug level is now 6", and did a zone reload, but again no "notify" debug 
> > log entries.
> >
> > I also tested with "severity debug 6" in the default log channel; that led 
> > to debug log entries for categories like "database" etc., so debug logging 
> > is generally working.
> >
> > How can I get the log entries "sending notify to ..." and "notify response 
> > from ..." back again in the "notify" category log?
>
>

Re: No "notify" category debug log entries anymore with Bind 9.11.3

2022-01-05 Thread Hildegard Meier
Please see my comments between the quotes.

> Subject: No "notify" category debug log entries anymore with Bind 9.11.3
>
> On the old server with Ubuntu 12 and Bind 9.8.1, I got the following "notify" 
> category log entries as expected (domain names and IP addresses redacted):
>
> 27-Dec-2021 12:58:51.786 notify: debug 3: zone example.com/IN: sending notify 
> to 1.2.3.4#53
> 27-Dec-2021 12:58:51.816 notify: debug 3: zone example.com/IN: notify 
> response from 1.2.3.4#53: NOERROR

> With the new server, Ubuntu 18 and Bind 9.11.3, there are no "notify" 
> category debug log entries anymore. The log only contains entries of 
> severity "info", e.g.
>
> 29-Dec-2021 12:00:33.475 notify: info: zone example.com/IN: sending notifies 
> (serial 2021021001)

Looks to me like this is the code where the "notify response..." debug log 
message I am missing with Bind 9.11.3 is created (lib/dns/zone.c, lines 
13862-13869):

https://github.com/isc-projects/bind9/blob/v9_11_3_patch/lib/dns/zone.c

if (result == ISC_R_SUCCESS)
        notify_log(notify->zone, ISC_LOG_DEBUG(3),
                   "notify response from %s: %.*s",
                   addrbuf, (int)buf.used, rcode);
else
        notify_log(notify->zone, ISC_LOG_DEBUG(2),
                   "notify to %s failed: %s", addrbuf,
                   dns_result_totext(result));

So the code seems to be there, with debug levels 3 and 2, and whether the 
notify succeeded or failed (the second case, failure, I expect because of the 
firewall restriction), there should be a corresponding debug log message.

I guess I have a simple logging config error. Any idea why I do not see the 
notify debug log messages?

Can somebody please try to reproduce with Bind 9.11.3?

Why did I see the debug log messages with the same config in Bind 9.8.1?


> The log config in /etc/bind/named.conf.options with Bind 9.11.3 is exactly 
> the same as on the old server with Bind 9.8.1:
>
> logging {
>
>     channel transfer_logfile {
>         file "/var/log/named/transfer.log" versions 7 size 10m;
>         severity debug 6;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>     };
>
>     category notify { transfer_logfile; };
> };
>
> I tested with "severity debug 16", but that did not help.
> I tested with "severity notice"; that led the "info" log entries to 
> disappear, so nothing at all is logged anymore for the "notify" category, as 
> expected.
>
> I also ran "rndc trace" six times, so named.log logged "general: info: debug 
> level is now 6", and did a zone reload, but again no "notify" debug log 
> entries.
>
> I also tested with "severity debug 6" in the default log channel; that led 
> to debug log entries for categories like "database" etc., so debug logging 
> is generally working.
>
> How can I get the log entries "sending notify to ..." and "notify response 
> from ..." back again in the "notify" category log?



Re: Nice new logging feature

2022-01-05 Thread Borja Marcos


> On 20 Dec 2021, at 17:56, Reindl Harald  wrote:
> 
> 
> 
> On 20.12.21 at 17:53, Petr Menšík wrote:
>> sure I confused that. I read it wrong way and thought they are present
>> on *BSD but not on Fedora. I know some messages are removed in Fedora
>> builds. I apologize for a confusion. Nobody complained on Fedora builds,
>> that is a good message to me.
> 
> OP was "I am trying 9.17 at home and I just noticed a very useful new 
> lame-servers log message: 2021-12-16T08:08:20.505Z lame-servers: timed out 
> resolving ’stupiddomain.com/ANY/IN': X.Y.Z.T#53. I haven’t seen this on 9.16"
> 
> i looked at my Fedora lame-log and answered with "exists in 9.16 here and i 
> doubt Fedora has backports for this"

Old thread, I know.

The difference is just that 9.16 doesn't log timeouts in the lame-servers 
category. All of the rest do work, like unreachable or connection refused.

9.17 does log timeouts, which is very useful.


Borja.




Re: How to show run the active configuration on bind

2022-01-05 Thread Tony Finch
Mik J via bind-users  wrote:

> How can I check which variables are loaded in memory and considered as active.

As Ray said, usually it isn't ambiguous.

But there are a couple of semi-relevant tools that are worth knowing
about:

You can use `named-checkconf -p` to canonicalize your configuration (so
you don't have to chase down include files, etc.), plus the -x option
strips out secrets (TSIG keys) which is handy for tech support cases.

And the statistics channel has loads of details, some of which are
config-related. `curl http://SERVER:8053/json/v1 | gron | less` is a
good way to get an idea of what it contains.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Humber, Thames: Northwest 7 to severe gale 9, decreasing 5 later.
Rough or very rough, becoming moderate or rough later. Showers. Good.
