DNSSEC logging and parsing it

Marco Davids (SIDN) marco.davids at sidn.nl
Thu Mar 5 12:55:22 UTC 2015


What would be a good way to configure BIND-logging, or rather to filter DNSSEC-validation errors from that logging?

Unbound logs stuff like this:

Mar  5 12:58:47 xs unbound: [16331:0] info: validation failure <example.nl. A IN>: No DNSKEY record from for key example.nl.nl. while building chain of trust

That's great for parsing and finding domain names with DNSSEC issues.

BIND logs various, less unambiguous kinds of messages, like:

dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: got insecure response; parent indicates it should be secure

and, for the same request:

lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity proof failed resolving 'example.nl/A/IN':

It even logs an informational message when the domain is signed, but there is no DS-record in the parent (which to me does not count as a DNSSEC-validation problem):

dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found

What would be the best, unambiguous string(s) to grep for, in order to find domain names that have validation-problems?

Please advise.
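One way to turn the question above into code, as an added example that is not part of the post or of ISC's software: a small parser for the three log line shapes quoted in the message (Unbound, BIND's dnssec category, BIND's lame-servers category) that extracts the name and RR type and classifies the message text. The split into "failure" and "ambiguous" is an assumption built only on the message strings the post shows, with "no valid signature found" flagged ambiguous because the poster also sees it for a signed zone without a DS record in the parent.

```python
import re
from typing import Optional

# Patterns for the three line shapes quoted in the post; re.search is used so an
# optional "dnssec.log:" file-name prefix left by grep does not matter.
UNBOUND_RE = re.compile(
    r"unbound: \[\d+:\d+\] info: (?P<msg>validation failure <(?P<name>\S+) (?P<rrtype>\S+) IN>: .*)$")
BIND_DNSSEC_RE = re.compile(
    r"dnssec: info: validating (?P<name>[^/\s]+)/(?P<rrtype>[^:\s]+): (?P<msg>.*)$")
BIND_LAME_RE = re.compile(
    r"lame-servers: info: (?P<msg>insecurity proof failed) resolving '(?P<name>[^/]+)/(?P<rrtype>[^/]+)/IN'")

# Assumed classification of the message texts seen in the post: the first three
# are treated as real validation failures; "no valid signature found" is kept but
# marked ambiguous, since the poster also sees it for a signed zone with no DS.
FAILURE_MARKERS = ("validation failure", "parent indicates it should be secure",
                   "insecurity proof failed")
AMBIGUOUS_MARKERS = ("no valid signature found",)

def classify(message: str) -> str:
    if any(m in message for m in FAILURE_MARKERS):
        return "failure"
    if any(m in message for m in AMBIGUOUS_MARKERS):
        return "ambiguous"
    return "unknown"

def parse_line(line: str) -> Optional[dict]:
    """Return {source, name, rrtype, message, verdict}, or None for other lines."""
    for source, pattern in (("unbound", UNBOUND_RE), ("bind-dnssec", BIND_DNSSEC_RE),
                            ("bind-lame-servers", BIND_LAME_RE)):
        m = pattern.search(line)
        if m:
            # Strip the trailing dot Unbound prints so both resolvers yield one key.
            return {"source": source, "name": m.group("name").rstrip(".").lower(),
                    "rrtype": m.group("rrtype"), "message": m.group("msg"),
                    "verdict": classify(m.group("msg"))}
    return None

def find_failing_domains(lines) -> list:
    """Distinct names with an unambiguous failure, sorted; repeats collapse."""
    return sorted({r["name"] for r in map(parse_line, lines) if r and r["verdict"] == "failure"})

# Constructed sample: the four lines quoted in the post plus one unrelated BIND line.
SAMPLE_LINES = [
    "Mar  5 12:58:47 xs unbound: [16331:0] info: validation failure <example.nl. A IN>: No DNSKEY record from for key example.nl.nl. while building chain of trust",
    "dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: got insecure response; parent indicates it should be secure",
    "lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity proof failed resolving 'example.nl/A/IN':",
    "dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found",
    "05-Mar-2015 12:50:00.000 general: info: zone example.org/IN: loaded serial 1",
]
```

Running `find_failing_domains(SAMPLE_LINES)` collapses the Unbound line and the two BIND lines for the same request into the single name `example.nl`, while `www.example.nl` is reported only with the ambiguous verdict.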

