DNSSEC logging and parsing it
Daniel Stirnimann
daniel.stirnimann at switch.ch
Thu Mar 5 13:20:15 UTC 2015
Hi Marco
Great question and I'm looking forward to any advice you get.
I'm currently using the following regexes on our BIND resolvers but they
are broken:
header => 'DNSSEC error: parent indicates it should be secure',
pattern => 'validating \@0x\w+: (.*): got insecure response; parent indicates it should be secure',
header => 'DNSSEC warning: RRSIG has expired',
pattern => 'validating @0x\w+: (.*): verify failed due to bad signature \(.*\): RRSIG has expired',
header => 'DNSSEC warning: RRSIG validity period has not begun',
pattern => 'validating @0x\w+: (.*): verify failed due to bad signature \(.*\): RRSIG validity period has not begun',
header => 'DNSSEC notice: bad cache hit',
pattern => 'validating @0x\w+: (.*): bad cache hit \(.*\)',
header => 'DNSSEC notice: invalid signature, possibly island of security',
pattern => 'validating @0x\w+: (.*): no valid signature found',
The only good ones are the "verify failed due to bad signature" log
entries. All others are error-prone and contain false positives, e.g.:
Mar 5 06:24:27 bagana named[6776]: 05-Mar-2015 06:24:27.103 dnssec: info: validating @0x7ffad63d1080: com SOA: got insecure response; parent indicates it should be secure
Mar 5 13:32:52 bagana named[6776]: 05-Mar-2015 13:32:52.225 dnssec: info: validating @0x7ffad60ccd20: com SOA: got insecure response; parent indicates it should be secure
Daniel
On 05.03.15 13:55, Marco Davids (SIDN) wrote:
> Hi,
>
> What would be a good way to configure BIND-logging, or rather to filter DNSSEC-validation errors from that logging?
>
> Unbound logs stuff like this:
>
> Mar 5 12:58:47 xs unbound: [16331:0] info: validation failure <example.nl. A IN>: No DNSKEY record from 203.0.113.5 for key example.nl.nl. while building chain of trust
>
> That's great for parsing and finding domain names with DNSSEC issues.
>
> BIND logs various, less unambiguous kinds of messages, like:
>
> dnssec.log:05-Mar-2015 12:58:24.767 dnssec: info: validating example.nl/A: got insecure response; parent indicates it should be secure
>
> and, for the same request:
>
> lame-servers.log:05-Mar-2015 12:58:24.742 lame-servers: info: insecurity proof failed resolving 'example.nl/A/IN': 203.0.113.5#53
>
> It even logs an informational message when the domain is signed, but there is no DS-record in the parent (which to me does not count as a DNSSEC-validation problem):
>
> dnssec.log:05-Mar-2015 12:48:37.969 dnssec: info: validating www.example.nl/A: no valid signature found
>
> What would be the best, unambiguous string(s) to grep for, in order to find domain names that have validation-problems?
>
> Please advise.
--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann at switch.ch, http://www.switch.ch