DNSSEC logging and parsing it
Marco Davids (SIDN)
marco.davids at sidn.nl
Thu Mar 5 12:55:22 UTC 2015
What would be a good way to configure BIND-logging, or rather to filter DNSSEC-validation errors from that logging?
Unbound logs stuff like this:
Mar 5 12:58:47 xs unbound: [16331:0] info: validation failure <example.nl. A IN>: No DNSKEY record from 203.0.113.5 for key example.nl.nl. while building chain of trust
That's great for parsing and finding domain names with DNSSEC issues.
BIND logs various, less unambiguous kinds of messages, like:
dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: got insecure response; parent indicates it should be secure
and, for the same request:
lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity proof failed resolving 'example.nl/A/IN': 203.0.113.5#53
It even logs an informational message when the domain is signed, but there is no DS-record in the parent (which to me does not count as a DNSSEC-validation problem):
dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found
What would be the best, unambiguous string(s) to grep for, in order to find domain names that have validation-problems?
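One way to pull domain names with validation problems out of both log formats shown above is to normalise each line into a record and then decide per message whether it counts as a failure. The script below is an added example, not something from the original post or from BIND or Unbound; the first four log lines are the ones quoted in the post, the remaining lines are constructed, and the choice of which BIND message prefixes count as failures (leaving out "no valid signature found", as the poster suggests) is an assumption you would tune to your own environment.

```python
import re
from collections import defaultdict

# Sample log lines. The first four are the ones quoted in the post above;
# the remaining two are constructed for this example.
SAMPLE_LOGS = [
    "Mar 5 12:58:47 xs unbound: [16331:0] info: validation failure <example.nl. A IN>: "
    "No DNSKEY record from 203.0.113.5 for key example.nl.nl. while building chain of trust",
    "dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: "
    "got insecure response; parent indicates it should be secure",
    "lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity proof failed "
    "resolving 'example.nl/A/IN': 203.0.113.5#53",
    "dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: "
    "no valid signature found",
    # constructed: an expired RRSIG, which BIND reports via the dnssec channel
    "dnssec.log:05-Mar-2015 13:01:02.001 dnssec: info: validating other.example/MX: "
    "verify failed due to bad signature (keyid=12345): RRSIG has expired",
    # constructed: an unrelated line that the parser must ignore
    "general.log:05-Mar-2015 13:02:00.000 general: info: zone example.com/IN: loaded serial 42",
]

# Unbound: "validation failure <name type class>: reason"
UNBOUND_RE = re.compile(
    r"unbound: \[\d+:\d+\] info: validation failure "
    r"<(?P<name>\S+) (?P<rtype>\S+) (?P<rclass>\S+)>: (?P<msg>.*)$"
)
# BIND dnssec channel: "validating name/type: reason"
BIND_VALIDATING_RE = re.compile(
    r"dnssec: info: validating (?P<name>[^/]+)/(?P<rtype>\S+): (?P<msg>.*)$"
)
# BIND lame-servers channel: "insecurity proof failed resolving 'name/type/class': server"
BIND_INSECURITY_RE = re.compile(
    r"lame-servers: info: insecurity proof failed resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[^/]+)/(?P<rclass>[^']+)': (?P<server>\S+)$"
)

# Assumption: BIND "validating ..." messages starting with one of these prefixes are
# treated as real validation failures. "no valid signature found" is deliberately
# excluded, following the poster's view that a signed zone without a DS in the parent
# is not a validation problem. Adjust to taste.
FAILURE_PREFIXES = ("got insecure response", "verify failed")


def normalize(name):
    """Strip the trailing dot Unbound prints and lower-case, so both resolvers agree."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return a normalised record for a DNSSEC log line, or None if it is not one."""
    m = UNBOUND_RE.search(line)
    if m:
        return {"resolver": "unbound", "name": normalize(m["name"]),
                "rtype": m["rtype"], "msg": m["msg"], "failure": True}
    m = BIND_INSECURITY_RE.search(line)
    if m:
        return {"resolver": "bind", "name": normalize(m["name"]),
                "rtype": m["rtype"], "msg": "insecurity proof failed", "failure": True}
    m = BIND_VALIDATING_RE.search(line)
    if m:
        return {"resolver": "bind", "name": normalize(m["name"]),
                "rtype": m["rtype"], "msg": m["msg"],
                "failure": m["msg"].startswith(FAILURE_PREFIXES)}
    return None


def failing_names(lines):
    """Map each domain name with at least one validation failure to its distinct reasons."""
    problems = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["failure"]:
            problems[rec["name"]].add(rec["msg"])
    return {name: sorted(msgs) for name, msgs in problems.items()}


if __name__ == "__main__":
    for name, reasons in sorted(failing_names(SAMPLE_LOGS).items()):
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Run against the sample lines it reports example.nl (from all three resolver messages) and other.example, while www.example.nl is left out because its only message is "no valid signature found". Because BIND spreads one failed lookup over two channels, keying the result on the normalised name rather than on the log file is what makes the two BIND lines and the Unbound line collapse into a single entry.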