Bind Queries log file format

Larry Stone lstone19 at stonejongleux.com
Wed Feb 8 12:15:14 UTC 2017


> On Feb 7, 2017, at 11:07 PM, Mark Andrews <marka at isc.org> wrote:
> 
> 
> No, we have a field that has more information in it.  Same field E -> E(version)
> 
> 08-Feb-2017 15:15:44.532 client @0x7fc1c803c600 127.0.0.1#57982/key external (rock.dv.isc.org): view external: query: rock.dv.isc.org IN A -SE(0)DV (127.0.0.1)
> 
> Or with ECS
> 
> 08-Feb-2017 15:56:27.109 client @0x7fc1c503e800 127.0.0.1#63454 (.): view external: query: . IN SOA -E(0)DV (127.0.0.1) [ECS 127.0.0.0/8/0]
> 
> Or from a stub resolver.
> 
> 08-Feb-2017 16:02:22.971 client @0x7fc1c490dc00 127.0.0.1#61028 (sprocket.isc.org): view secure: query: sprocket.isc.org IN A + (127.0.0.1)

Fair enough, provided that, depending on how the format of the log record is defined (by columns or by field delimiters), it’s still the same format and E(version) is something that will make sense (for however you would define sense here) to an older program expecting just E.

But in my haste in my original posting, I picked up on the E to E(version) change but missed that in going from 9.10.0 to 9.11.0, you inserted cookies between CD and local address. That should have gone on the end (perhaps that’s what this whole thing is about - I rarely look at BIND log files and when I do, it’s just me reading them, no parsing program involved). So restating what I originally posted, instead of:
9.10.0: client, qname, qclass, qtype, RD, signed, EDNS, TCP, DO, CD, local address
9.11.0: client, qname, qclass, qtype, RD, signed, EDNS + version, TCP, DO, CD, cookies, local address
9.12.0: client, qname, qclass, qtype, RD, signed, EDNS + version, TCP, DO, CD, cookies, local address, ecs


it should have been
9.10.0: client, qname, qclass, qtype, RD, signed, EDNS, TCP, DO, CD, local address
9.11.0: client, qname, qclass, qtype, RD, signed, EDNS + version, TCP, DO, CD, local address, cookies
9.12.0: client, qname, qclass, qtype, RD, signed, EDNS + version, TCP, DO, CD, local address, cookies, ecs

-- 
Larry Stone
lstone19 at stonejongleux.com
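
Added example, not part of the original message or of BIND: a tolerant Python parser for the query-log lines quoted above, which accepts both a bare E and E(version), an optional cookie flag, and an optional trailing [ECS ...] field, and keeps the raw flag string when it meets a letter it does not know. Assumptions: the function and field names are hypothetical, reading V/K as the cookie flags follows the BIND documentation (the thread only shows V), and the fourth sample line is constructed to look like an older release.

```python
import re

# Everything after the flags is optional, so older and newer lines both parse.
LINE_RE = re.compile(
    r"client (?:@(?P<obj>0x[0-9a-f]+) )?(?P<addr>[^#\s]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))? \((?P<orig_qname>[^)]*)\): "
    r"(?:view (?P<view>[^:]+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*) \((?P<local>[^)]+)\)"
    r"(?: \[ECS (?P<ecs>[^\]]+)\])?"
)
# Flag order from the thread: RD, signed, EDNS (+version), TCP, DO, CD, cookie.
FLAGS_RE = re.compile(
    r"(?P<rd>[+-])(?P<s>S?)(?:(?P<e>E)(?:\((?P<ver>\d+)\))?)?"
    r"(?P<t>T?)(?P<d>D?)(?P<c>C?)(?P<cookie>[VK]?)"
)

def parse_query_line(line):
    """Return a dict of named fields, or None if the line is not a query record."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    f = FLAGS_RE.fullmatch(rec["flags"])
    rec["flags_parsed"] = f is not None
    if f is None:
        return rec  # unknown flag letter: keep the raw string rather than guess
    rec.update(
        rd=f["rd"] == "+", signed=bool(f["s"]), edns=bool(f["e"]),
        edns_version=int(f["ver"]) if f["ver"] else None,  # None for a bare E
        tcp=bool(f["t"]), do=bool(f["d"]), cd=bool(f["c"]),
        cookie=f["cookie"] or None,
    )
    return rec

SAMPLES = [
    # The first three lines are the ones quoted in the message above.
    "08-Feb-2017 15:15:44.532 client @0x7fc1c803c600 127.0.0.1#57982/key external "
    "(rock.dv.isc.org): view external: query: rock.dv.isc.org IN A -SE(0)DV (127.0.0.1)",
    "08-Feb-2017 15:56:27.109 client @0x7fc1c503e800 127.0.0.1#63454 (.): "
    "view external: query: . IN SOA -E(0)DV (127.0.0.1) [ECS 127.0.0.0/8/0]",
    "08-Feb-2017 16:02:22.971 client @0x7fc1c490dc00 127.0.0.1#61028 "
    "(sprocket.isc.org): view secure: query: sprocket.isc.org IN A + (127.0.0.1)",
    # Constructed sample: bare E, no object pointer, no view, no cookie flag.
    "08-Feb-2017 16:10:00.000 client 127.0.0.1#50000 (example.test): "
    "query: example.test IN A -ED (127.0.0.1)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_query_line(sample))
```

Because the flags are matched by name rather than by position, a field added after the local address (as with ECS) or a version added to E does not shift any other field.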






