Question about some oddities in the logs

Eivind Olsen eivind at aminor.no
Tue Feb 22 00:41:45 UTC 2011


Hello. I've recently put into production a new recursive nameserver, and
decided to take a look in the logfiles (the old servers didn't have
logging enabled so I can't really compare the current logs with whatever
the old ones would have been).
I understand most of the entries in the logs + statistics, but there are a
couple of things I'm not sure about - my hope is that someone here can
shed some light on these, and perhaps also tell me if it's expected to see
these in the wild.

The nameserver is running BIND 9.7.2-P3 btw, and yes I know 9.7.3 is out -
it will be upgraded soon.

We're not talking about query logging btw, only a fairly simple logging
channel:

channel default_debug {
    file "logs/named.run" versions 20 size 500m;
    print-time yes;
    print-category yes;
    print-severity yes;
    severity dynamic;
};

Now, to the log entries (I've removed timestamps + IP-addresses):

1) notify: notice: client x.x.x.x#n: notify question section contains no SOA
Should I be seeing these normally? They only seem to make up a small part
of the full logfiles, still seeing a couple of thousand of these in just a
few days' time.

2) security: info: client x.x.x.x#n: query (cache) './A/CH' denied
Not many of these either, but they still seemed a bit weird. Could they be
caused somehow by me running a slave of the root "." defined as:
zone "." IN {
    type slave;
    file "slave/root.zone";
    masters {
        ...a couple of the root-servers.net servers
    };
    notify no;
};
I wouldn't expect that to be the cause though, as it's defined as class IN
and not CH.

3) And finally, in the normal statistics file, I see mention of some
RESERVED counters, but I haven't found any corresponding mention in the
logfiles.
For example, the "Incoming Requests" section lists the number of QUERY,
IQUERY, UPDATE etc, but it also lists a small number of RESERVED13 and
RESERVED14. The "Incoming Queries" lists a couple of RESERVED0, and
"Outgoing Queries" lists some RESERVED0 as well.
Should I expect to see these out in the wild? Or should I only really
worry if they're listed in bigger numbers?

Regards
Eivind Olsen
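
Added example (not part of the original post and not BIND's own tooling): a small Python triage script that counts log entries 1) and 2) per client, so one can see whether they come from a handful of sources or from many. It assumes the line layout produced by print-time, print-category and print-severity in the channel quoted above; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Assumed layout with print-time/print-category/print-severity enabled:
# "<date> <time> <category>: <severity>: client <ip>#<port>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<msg>.*)$"
)
# Message form from entry 2): query (cache) '<name>/<type>/<class>' denied
DENIED_RE = re.compile(r"^query \(cache\) '(?P<name>.*)/(?P<qtype>[^/]+)/(?P<qclass>[^/]+)' denied$")
NOTIFY_MSG = "notify question section contains no SOA"

def classify(line):
    """Return (kind, client_ip, detail) for the two message types, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["category"] == "notify" and m["msg"] == NOTIFY_MSG:
        return ("notify-no-soa", m["ip"], "")
    d = DENIED_RE.match(m["msg"])
    if m["category"] == "security" and d:
        return ("cache-denied", m["ip"], f"{d['name']}/{d['qtype']}/{d['qclass']}")
    return None

def summarize(lines):
    """Count matching entries per (kind, client, detail), most frequent first."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts.most_common()

# Constructed sample lines (documentation addresses, not taken from the post).
SAMPLE = """\
22-Feb-2011 00:10:01.101 notify: notice: client 192.0.2.10#40211: notify question section contains no SOA
22-Feb-2011 00:10:02.345 security: info: client 198.51.100.7#53124: query (cache) './A/CH' denied
22-Feb-2011 00:10:03.000 notify: notice: client 192.0.2.10#40212: notify question section contains no SOA
22-Feb-2011 00:10:04.500 general: info: zone ./IN: transferred serial 2011022100
22-Feb-2011 00:10:05.250 security: info: client 198.51.100.7#53130: query (cache) './A/CH' denied
22-Feb-2011 00:10:06.750 security: info: client 203.0.113.5#1025: query (cache) './A/CH' denied
""".splitlines()

if __name__ == "__main__":
    for (kind, ip, detail), n in summarize(SAMPLE):
        print(f"{n:5d}  {kind:14s} {ip:15s} {detail}")
```

To run it against a real file, pass the open file object for logs/named.run to summarize() in place of SAMPLE.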




