BIND DNS Enable audit logs - Authoritative

Dave Warren dw at thedave.ca
Fri Jan 11 19:33:17 UTC 2019


On 2019-01-11 11:55, Kevin Darcy wrote:
> I don't believe there is any logging category for this, even when zones 
> are enabled for Dynamic Update, in which case the versioning is done 
> automatically. There used to be a "journalprint" utility that one could 
> run against the .jnl files to show the update history. But, even if the 
> journaling mechanism and the "journalprint" utility still exist as I 
> remember it, it would most likely only work for Dynamic-Update-enabled 
> zones. I don't believe .jnl files are created for 
> non-Dynamic-Update-enabled zones, although I could be wrong on that -- 
> maybe named synthesizes .jnl files for purposes of IXFR (???).

Interestingly enough, it does, but with some limitations/quirks that 
occasionally require you to manually delete your jnl file (and of course 
force an AXFR-style IXFR transfer in these situations).

I don't recall the exact trigger; I think it related to when a zone is 
updated when BIND is offline (or at least, my notes say that it happens 
when the billing system removes a zone from named.conf and later re-adds 
the same zone). I do have something monitoring the log to detect the 
situation and clear the appropriate jnl files, such that if there are 
other situations where this occurs, I wouldn't notice.
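An added illustration of the kind of log monitor described above (example code, not Dave's tool and not part of the original thread): it scans named log lines for the "journal rollforward failed" message, which named emits when a .jnl file is out of sync with the zone, and lists the journal files that would need clearing. The log lines, the zone directory and the assumption that the journal is named `<zone>.jnl` are all constructed assumptions; the regex should be adjusted to the wording of the BIND version in use.

```python
import re
from pathlib import Path

# Constructed sample of named log output (assumption, not taken from the thread).
SAMPLE_LOG = """\
11-Jan-2019 19:20:01.123 general: error: zone example.com/IN: journal rollforward failed: journal out of sync with zone
11-Jan-2019 19:20:01.130 general: info: zone example.org/IN: loaded serial 2019011101
11-Jan-2019 19:20:02.456 general: error: zone customer.net/IN: journal rollforward failed: journal out of sync with zone
11-Jan-2019 19:20:02.458 general: error: zone example.com/IN: journal rollforward failed: journal out of sync with zone
"""

# Assumed zone directory; journals are assumed to live at <zone>.jnl beside the zone file.
ZONE_DIR = "/var/named"

# Matches the named message for a journal that no longer applies cleanly to the zone.
JOURNAL_ERROR = re.compile(r"zone (?P<zone>[^/\s]+)/IN: journal rollforward failed")


def find_bad_journals(log_text: str) -> list[str]:
    """Return zones whose journal named rejected, in first-seen order, without duplicates."""
    zones: list[str] = []
    for line in log_text.splitlines():
        m = JOURNAL_ERROR.search(line)
        if m and m.group("zone") not in zones:
            zones.append(m.group("zone"))
    return zones


def plan_cleanup(log_text: str, zone_dir: str = ZONE_DIR, delete: bool = False) -> list[str]:
    """List the .jnl files for affected zones; remove them only when delete=True (dry run by default).

    After a journal is removed, the zone still has to be reloaded (e.g. rndc reload <zone>)
    so that named rebuilds state from the zone file and serves a fresh transfer to secondaries.
    """
    paths = [Path(zone_dir) / f"{zone}.jnl" for zone in find_bad_journals(log_text)]
    for p in paths:
        if delete and p.exists():
            p.unlink()
    return [str(p) for p in paths]


if __name__ == "__main__":
    for jnl in plan_cleanup(SAMPLE_LOG):
        print("would remove:", jnl)
```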
