<div dir="ltr">Currently set at 99 I guess:<div><br></div><div>geoff@NS1:~$ sudo rndc status | grep debug<br>debug level: 99</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, Apr 22, 2025 at 9:47 PM Crist Clark &lt;<a href="mailto:cjc%2Bbind-users@pumpky.net">cjc+bind-users@pumpky.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">What debug level is your server running at?<div><br></div><div>$ rndc status | grep debug</div><div><br></div><div>Do you need to raise the debug level?</div><div><br></div><div>$ rndc trace &lt;debug_number&gt;<br><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 22, 2025 at 1:27 AM The Gorf &lt;<a href="mailto:thegorf%2Bbind9users@gmail.com" target="_blank">thegorf+bind9users@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>bind version:BIND 9.18.33-1~deb12u2-Debian (Extended Support Version) &lt;id:&gt;</div><div><br></div>So it's pretty simple. I'm getting a ton of SERVFAILs randomly and I can neither figure out why nor figure out how to get bind to give me debug information about why. The documentation here:<div><a href="https://kb.isc.org/docs/aa-01526" target="_blank">https://kb.isc.org/docs/aa-01526</a></div><div>Hurts my head to read and references stuff that I can't figure out where in the documentation it is to explain what it is. </div><div><br></div><div>I took the exact document on that page and switched everything to "debug" and I have reset the server, rebooted the server, nothing. 
Here is the exact one line bind produces in its logs for the query that is generating the SERVFAIL:</div><div><br></div><div>22-Apr-2025 01:08:17.138 queries: info: client @0x7ffa3cb78168 192.168.8.104#47099 (ksc.wiki): query: ksc.wiki IN A + (10.30.160.20)<br></div><div><br></div><div>Nothing. And here is the query-errors file:</div><div>geoff@NS1:/var/log/named$ cat query-errors | grep -i wiki</div><div>geoff@NS1:/var/log/named$</div><div>zilch.</div><div><br></div><div>So. what am I doing wrong here? Why can't I get any debug info out of this?<br><br>logging {<br> channel default_log {<br> file "/var/log/named/default" versions 3 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br> channel auth_servers_log {<br> file "/var/log/named/auth_servers" versions 100 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br> channel dnssec_log {<br> file "/var/log/named/dnssec" versions 3 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br> channel zone_transfers_log {<br> file "/var/log/named/zone_transfers" versions 3 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br> channel ddns_log {<br> file "/var/log/named/ddns" versions 3 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br> channel client_security_log {<br> file "/var/log/named/client_security" versions 3 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br> channel rate_limiting_log {<br> file "/var/log/named/rate_limiting" versions 3 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br> channel rpz_log {<br> file "/var/log/named/rpz" versions 3 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> 
severity debug;<br> };<br> channel dnstap_log {<br> file "/var/log/named/dnstap" versions 3 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br>//<br>// If you have the category ‘queries’ defined, and you don’t want query logging<br>// by default, make sure you add option ‘querylog no;’ - then you can toggle<br>// query logging on (and off again) using command ‘rndc querylog’<br>//<br> channel queries_log {<br> file "/var/log/named/queries" versions 600 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br>//<br>// This channel is dynamic so that when the debug level is increased using<br>// rndc while the server is running, extra information will be logged about<br>// failing queries. Other debug information for other categories will be<br>// sent to the channel default_debug (which is also dynamic), but without<br>// affecting the regular logging.<br>//<br> channel query-errors_log {<br> file "/var/log/named/query-errors" versions 5 size 20m;<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> severity debug;<br> };<br>//<br>// This is the default syslog channel, defined here for clarity. You don’t<br>// have to use it if you prefer to log to your own channels.<br>// It sends to syslog’s daemon facility, and sends only logged messages<br>// of priority info and higher.<br>// (The options to print time, category and severity are non-default.)<br>//<br> channel default_syslog {<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> syslog daemon;<br> severity debug;<br> };<br>//<br>// This is the default debug output channel, defined here for clarity. You<br>// might want to redefine the output destination if it doesn’t fit with your<br>// local system administration plans for logging. 
It is also a special<br>// channel that only produces output if the debug level is non-zero.<br>//<br> channel default_debug {<br> print-time yes;<br> print-category yes;<br> print-severity yes;<br> file "named.run";<br> severity debug;<br> };<br>//<br>// Log routine stuff to syslog and default log:<br>//<br> category default { default_syslog; default_debug; default_log; };<br> category config { default_syslog; default_debug; default_log; };<br> category dispatch { default_syslog; default_debug; default_log; };<br> category network { default_syslog; default_debug; default_log; };<br> category general { default_syslog; default_debug; default_log; };<br>//<br>// From BIND 9.12 and newer, you can direct zone load logging to another<br>// channel with the new zoneload logging category. If this would be useful<br>// then firstly, configure the new channel, and then edit the line below<br>// to direct the category there instead of to syslog and default log:<br>//<br> category zoneload { default_syslog; default_debug; default_log; };<br>//<br>// Log messages relating to what we got back from authoritative servers during<br>// recursion (if lame-servers and edns-disabled are obscuring other messages<br>// they can be sent to their own channel or to null). 
Sometimes these log<br>// messages will be useful to research why some domains don’t resolve or<br>// don’t resolve reliably<br>//<br> category resolver { auth_servers_log; default_debug; }; <br> category cname { auth_servers_log; default_debug; }; <br> category delegation-only { auth_servers_log; default_debug; };<br> category lame-servers { auth_servers_log; default_debug; };<br> category edns-disabled { auth_servers_log; default_debug; };<br>//<br>// Log problems with DNSSEC:<br>//<br> category dnssec { dnssec_log; default_debug; };<br>//<br>// Log together all messages relating to authoritative zone propagation<br>//<br> category notify { zone_transfers_log; default_debug; }; <br> category xfer-in { zone_transfers_log; default_debug; }; <br> category xfer-out { zone_transfers_log; default_debug; };<br>//<br>// Log together all messages relating to dynamic updates to DNS zone data:<br>//<br> category update{ ddns_log; default_debug; };<br> category update-security { ddns_log; default_debug; };<br>//<br>// Log together all messages relating to client access and security.<br>// (There is an additional category ‘unmatched’ that is by default sent to<br>// null but which can be added here if you want more than the one-line<br>// summary that is logged for failures to match a view).<br>//<br> category client{ client_security_log; default_debug; }; <br> category security { client_security_log; default_debug; };<br>//<br>// Log together all messages that are likely to be related to rate-limiting.<br>// This includes RRL (Response Rate Limiting) - usually deployed on authoritative<br>// servers and fetches-per-server|zone. Note that it does not include<br>// logging of changes for clients-per-query (which are logged in category<br>// resolver). 
Also note that there may on occasions be other log messages<br>// emitted by the database category that don’t relate to rate-limiting<br>// behaviour by named.<br>//<br> category rate-limit { rate_limiting_log; default_debug; }; <br> category spill { rate_limiting_log; default_debug; }; <br> category database { rate_limiting_log; default_debug; };<br>//<br>// Log DNS-RPZ (Response Policy Zone) messages (if you are not using DNS-RPZ<br>// then you may want to comment out this category and associated channel)<br>//<br> category rpz { rpz_log; default_debug; };<br>//<br>// Log messages relating to the "dnstap" DNS traffic capture system (if you<br>// are not using dnstap, then you may want to comment out this category and<br>// associated channel).<br>//<br> category dnstap { dnstap_log; default_debug; };<br>//<br>// If you are running a server (for example one of the Internet root<br>// nameservers) that is providing RFC 5011 trust anchor updates, then you<br>// may be interested in logging trust anchor telemetry reports that your<br>// server receives to analyze anchor propagation rates during a key rollover. <br>// If this would be useful then firstly, configure the new channel, and then<br>// un-comment and the line below to direct the category there instead of to<br>// syslog and default log:<br>//<br>//<br> category trust-anchor-telemetry { default_syslog; default_debug; default_log; };<br>//<br>// If you have the category ‘queries’ defined, and you don’t want query logging<br>// by default, make sure you add option ‘querylog no;’ - then you can toggle<br>// query logging on (and off again) using command ‘rndc querylog’<br>//<br> category queries { queries_log; };<br>//<br>// This logging category will only emit messages at debug levels of 1 or<br>// higher - it can be useful to troubleshoot problems where queries are<br>// resulting in a SERVFAIL response.<br>//<br> category query-errors {query-errors_log; };<br>};<br></div></div>
</blockquote></div>
</blockquote></div>
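<div>The exchange above turns on how a channel's severity clause interacts with the global debug level set by rndc trace. The following added example (not code from the thread or from BIND) parses channel definitions and reports the highest debug level each one records, following the BIND ARM: "severity debug N" is a fixed ceiling (N defaults to 1) and "severity dynamic" follows the global level. The sample configuration is constructed; trace_log, fixed3_log and the function names are hypothetical.</div>

```python
import re

# Constructed sample in the style of the thread's logging block; trace_log
# and fixed3_log are hypothetical channels added for contrast.
SAMPLE_CONF = """
logging {
    channel query-errors_log {
        file "/var/log/named/query-errors" versions 5 size 20m;
        severity debug;      // fixed: no level given means debug level 1
    };
    channel trace_log { file "/var/log/named/trace"; severity dynamic; };
    channel fixed3_log { file "/var/log/named/fixed3"; severity debug 3; };
    channel default_syslog { syslog daemon; severity info; };
};
"""

CHANNEL_RE = re.compile(r"channel\s+([\w-]+)\s*\{(.*?)\}\s*;", re.S)
SEVERITY_RE = re.compile(r"severity\s+(\w+)(?:\s+(\d+))?\s*;")

def strip_comments(text):
    """Drop /* */, // and # comments (assumes no such markers inside strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def debug_ceiling(conf, global_level):
    """Map channel name -> highest debug level it records while the server
    is in debugging mode (global_level >= 1, e.g. after `rndc trace N`)."""
    if global_level < 1:
        raise ValueError("model covers debugging mode only (level >= 1)")
    ceilings = {}
    for name, body in CHANNEL_RE.findall(strip_comments(conf)):
        m = SEVERITY_RE.search(body)
        sev, lvl = (m.group(1), m.group(2)) if m else ("info", None)
        if sev == "dynamic":
            ceilings[name] = global_level            # follows rndc trace
        elif sev == "debug":
            ceilings[name] = int(lvl) if lvl else 1  # fixed ceiling
        else:
            ceilings[name] = 0                       # info and above only
    return ceilings

def capped_channels(conf, global_level):
    """Channels that accept debug output but stop below the global level."""
    return sorted(n for n, c in debug_ceiling(conf, global_level).items()
                  if 0 < c < global_level)

if __name__ == "__main__":
    for name, level in debug_ceiling(SAMPLE_CONF, 99).items():
        print(f"{name}: debug messages up to level {level}")
    print("capped below trace level:", capped_channels(SAMPLE_CONF, 99))
```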