[Unbound-users] Logging DNSsec errors

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri Feb 8 08:01:19 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michiel,

On 02/07/2013 11:19 PM, Michiel Piscaer wrote:
> Hi,
> 
> Our unbound installation is handeling 2044 DNS query's per seconde,
> on this installation we do DNSsec validation. In the .nl zone
> DNSsec is actively used. For a lot of domain administrators DNSsec
> is a new protocol. This results in zones that are mis-configured
> for DNSsec. This way our client can not visit the website. The
> client checks why he can't vite the website with friends or google
> DNS. Those services are not validating with DNSSec so the website
> is reachable.
> 
> This results in an question on our helpdesk by the client.
> 
> Now my question:
> 
> I want to know two this.
> 
> 1. Is it possible to get statistics about ServFails because of
> DNSSec?

Yes, unbound-control stats prints out the num.answer.bogus and
num.rrset.bogus counts.  man unbound-control documents it.

> 2. I whould like to generate an log file or syslog message what
> query is not DNSsec valid?

use val-log-level: 1 to printout just the queries that have problems.
with val-log-level: 2 it prints out the query names with detailed
error messages (exactly what failed that caused it to be classified as
bogus by unbound).

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRFLDPAAoJEJ9vHC1+BF+Niq8P/RrVkYVhPnuYgIv7lmkw/Oo8
6VHy8w/WoQb8FBpbqVUzFOhvs6zx29z0Vxd1/WvDz0AoAPjZTY6LlIwzr6/WE0rO
8+X6BjGkJCzjrHA7aRxnnWUl+DWMxdJGVRL1M7oH5h9sc2ZKBHN7nLgF4DrLK/co
cWXlOoqohFgJj6LtZwtiZ+8OoM6Jun1JLUvlvPqhnNJgUTEY0ykNT6krFR9te2bT
zbwQMXha/f78FX4W/2G67Yoh3XcTbu6vHDxHklg4iiaaZZRr7h9DlO1NXxUsBwFP
8xWFYzeHjzx5cdPUJ2EBm428WXjoSdUtHWIZ8MabTP4mK5qqvYPLnJy2czhD2uzD
FkUh/hRLrRJNd/8mLNctYeTm5lxClBHEbwpO2GkCnpKgJluzgPkT+ZlHl4TOT83n
tlF09XKgQASGJrHw/vvHgA/XGGvYXB5zVY+MLSSf8jB7zLQ6bH35Il9Pd62SB6fM
QFuoQAo6APN2BZieqwG1BEOjx1y8DyTHiYi42M6mDRYgVWrJe1yasbRyaxKmoIEQ
4P0Qgd9A8Jy5kYshQ00oRSjTgLoYNAtONulQQ1yvPX7P8lzgUu1ropC6vCjP92IJ
NPEk5DNWj7FNkeuldXd8iCHYn46NtbKSKla4RxQqbRxOICudnjbUFMa23LZRrjUi
p6v2rHhPyUq5wsKBw4bq
=I/k7
-----END PGP SIGNATURE-----

More information about the Unbound-users mailing list