[bind10-dev] Tracking queries and other data, was: NSAS Using Authority/Additional Information?

Michal 'vorner' Vaner michal.vaner at nic.cz
Fri Dec 3 09:47:48 UTC 2010


Hello

On Thu, Dec 02, 2010 at 05:07:24PM +0100, Shane Kerr wrote:
> In the context of logging, if you want to make sense out of what is
> going on I think you need to have some unique identifier that you can
> include in each log message that reflects the various events that the
> log message may apply to. Please ignore the specific syntax, but
> something like this:
> 
>         client query WWW.ISC.ORG AAAA                <- query arrives
>           new query tag: q20101202T163557.034731-00
>         WWW.ISC.ORG AAAA not in cache 
>           query tag: q20101202T163557.034731-00
>
> [ ... ]

Seems to make sense. I'll leave out the technical details for now (grepping the
log is easier if it is on the same line, generating the ids, etc…). I think we
need this kind of tracking.

> Anyway, my thinking is that a design for a logging system should allow
> for such tracking. This will help administrators answer questions like
> "why is my system sending packets to machine X?" or "why am I never
> seeing any packets to my authoritative server Y?"

Agreed.

> So, 17 queries to authoritative servers to look up one MX record. It
> could have been more, it could have been less, depending on which
> servers are chosen. And this is without any drops, lameness, firewall
> nonsense, and so on. AND without anything in cache.

Looking at the example, I think we can cut it down a little bit. For example, in
NSAS, I try to use anything I have as soon as possible (if I get glue, I want
to return it right away and keep getting the other nameserver addresses in the
background for future use). So that should shorten the direct path to answering
the query, but some of them would be generated in the background (which probably
means other kinds of tags in the log as well).

Also, I think we might want the logging system to turn this on and off somehow at
runtime, maybe some kind of random-ish sampling (pick a query once every 10
seconds, output the trace for picked queries only, do not spam with the rest).


Anyway, to my original question, do you think this can be done without carrying
any kind of context with the query? I think we need to carry something, the tags
for example. Then we might want to do some operations on the contexts (generate
a new tag into it, unify two contexts because we do something for more than one
query, etc., without proposing the exact look of the context or the information
inside). Does it sound sensible? Or is it usually done in a different way?

Thanks

-- 
chown -R us $BASE

Michal 'vorner' Vaner
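
One way to model the per-query context, tag unification and 10-second sampling discussed in this message, as an added example that is not part of the original post or of BIND 10's code. The names TagSource, Sampler and QueryContext are hypothetical, the tag format follows the quoted log sample, and the two queries are constructed.

```python
import itertools
from datetime import datetime, timedelta, timezone

class TagSource:
    """Issues unique tags shaped like the quoted sample (q<timestamp>-<seq>)."""
    def __init__(self):
        self._seq = itertools.count()
    def new_tag(self, now):
        return "q%s-%02d" % (now.strftime("%Y%m%dT%H%M%S.%f"), next(self._seq))

class Sampler:
    """Picks at most one query per interval (seconds) for tracing."""
    def __init__(self, interval=10.0):
        self.interval, self._next = interval, 0.0
    def pick(self, now_ts):
        if now_ts < self._next:
            return False
        self._next = now_ts + self.interval
        return True

class QueryContext:
    """Context carried with a query: its tags and whether it is traced."""
    def __init__(self, tags, traced):
        self.tags, self.traced = list(tags), traced
    @classmethod
    def unify(cls, a, b):
        # Work done for more than one query keeps every tag, and is traced
        # if either originating query was sampled.
        merged = a.tags + [t for t in b.tags if t not in a.tags]
        return cls(merged, a.traced or b.traced)
    def log(self, message, sink):
        # Tags go on the same line as the message so one grep finds them.
        if self.traced:
            sink.append("%s [%s]" % (message, " ".join(self.tags)))

def demo():
    source, sampler, sink, contexts = TagSource(), Sampler(10.0), [], []
    t0 = datetime(2010, 12, 2, 16, 35, 57, 34731, tzinfo=timezone.utc)
    for offset in (0, 2):  # two constructed client queries, 2 s apart
        now = t0 + timedelta(seconds=offset)
        ctx = QueryContext([source.new_tag(now)], sampler.pick(now.timestamp()))
        ctx.log("client query WWW.ISC.ORG AAAA", sink)
        contexts.append(ctx)
    shared = QueryContext.unify(*contexts)  # one cache lookup serves both
    shared.log("WWW.ISC.ORG AAAA not in cache", sink)
    return sink

if __name__ == "__main__":
    print("\n".join(demo()))
```

Only the first query is sampled, so the second produces no line of its own, yet the unified context still records both tags on the shared cache-miss line.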