Hi Augie,

On 03/07/2012 09:41 PM, Augie Schwer wrote:
> What is the best way to be notified of DNSSEC validation failures
> in Unbound?
>
> If I set "verbosity" to "2" I receive a log entry of :
>
> "Could not establish a chain of trust to keys for
> <dnssec-failed.org. DNSKEY IN>"
>
> When testing a failed host -- I could use this to be notified of
> validation failures on specific domains.
>
> Is there a better way?

in unbound.conf:
val-log-level: 2

You then get a single line with query name, and failure reason. Per failure.

In contrib there is validation-reporter.sh - this is a tiny daemon that listens to the logfile and can send the validation failures elsewhere (where you have a 'central' failure list). No security on the transmission (plain tcp), because it assumes the failures are public information. This could be used to pool validation failures between different participants (or your set of servers).

Best regards,
Wouter

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
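
The per-failure log line described in the reply above can be turned into a notification feed with a small filter. This is an added example, not part of the original message and not the contrib/validation-reporter.sh script; the log line shape, the function names and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; not Unbound's contrib/validation-reporter.sh.
# Assumed line shape with val-log-level: 2 (not shown in the message above):
#   [epoch] unbound[pid:thread] info: validation failure <qname TYPE CLASS>: reason

# Read log lines on stdin; print "qname<TAB>type<TAB>reason" per failure.
parse_failures() {
    awk '
    {
        i = index($0, "validation failure <")
        if (i == 0) next                      # not a val-log-level line
        rest = substr($0, i + length("validation failure <"))
        j = index(rest, ">")
        if (j == 0) next                      # truncated line, skip
        if (split(substr(rest, 1, j - 1), q, " ") != 3) next
        reason = substr(rest, j + 1)
        sub(/^:[ ]*/, "", reason)
        gsub(/\t/, " ", reason)               # keep exactly three tab-separated fields
        printf "%s\t%s\t%s\n", tolower(q[1]), q[2], reason
    }'
}

# Print "qname<TAB>count" for names with at least $1 failures, sorted by name.
failing_names() {
    parse_failures | awk -F '\t' -v min="$1" '
        { count[$1]++ }
        END { for (n in count) if (count[n] >= min) print n "\t" count[n] }' | sort
}

# Constructed sample log (timestamps, pids, addresses and reasons are made up).
sample_log() {
    cat <<'EOF'
[1331200000] unbound[4242:0] info: validation failure <dnssec-failed.org. A IN>: signature expired from 192.0.2.53
[1331200001] unbound[4242:0] info: Could not establish a chain of trust to keys for <dnssec-failed.org. DNSKEY IN>
[1331200002] unbound[4242:1] info: validation failure <www.dnssec-failed.org. AAAA IN>: no signatures from 192.0.2.53
[1331200005] unbound[4242:0] info: validation failure <DNSSEC-failed.org. A IN>: signature expired from 192.0.2.54
EOF
}

# Live use would be along the lines of: tail -F <unbound logfile> | parse_failures
sample_log | failing_names 2
```

The query name in each record is chosen by whoever sent the query, so downstream alerting should treat it as data and never pass it to a shell or template unescaped.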
