logging query results
JINMEI Tatuya / 神明達哉
Jinmei_Tatuya at isc.org
Tue Dec 2 23:49:18 UTC 2008
At Tue, 2 Dec 2008 15:55:45 MST,
"Bill Larson" <wllarso at swcp.com> wrote:
> Adding functionality for the purpose of better operations is one thing.
> Including the capability of performing zone transfers inside BIND was a great
> addition rather than having a separate "named-xfer" tool. This made running
> in a chroot environment much simpler, easier, and secure. This is "good"
> additional functionality.
>
> Additional functionality, such as adding additional query logging
> capabilities that aren't critical to the operation of the basic system,
> simply increases complexity with the inherent decrease in security that makes
> this type of addition a drawback.
>
> Please, keep BIND as simple as possible (but not simpler). Leave additional
> capabilities to separate tools such as "dnscap".

I see your point. My original motivation about the additional logging
somehow relating queries was to provide more detailed information of
server failures so that the operator can (hopefully) identify the
cause of failures of specific queries. Since it's often very
difficult to identify the cause of server failures due to its
generality, and since the cause may not always be externally
observable (e.g. via a packet dump), I believe the benefit for better
operation outweighs implementation complexity.

Adding log messages for other query-related information is an
extension of this work, but I myself am not 100% sure if this makes
sense exactly for the reason you pointed out: these can be obtained by
other tools such as a packet capture tool. That's why I've been
soliciting opinions here.
Internet Systems Consortium, Inc.