Logging
Sten Carlsen
stenc at s-carlsen.dk
Tue Jan 8 13:37:44 UTC 2013
On 08/01/13 14:19, Timothe Litt wrote:
>> 1. Should ISC change the default logging for lame servers to disabled?
>
> Well, since you asked: the lame server logging goes back to when the
> internet was a small, collegial place and one wrote a quick note to a
> friend to fix these issues. And people who accidentally had a lame
> server were embarrassed. Those days, sadly, are gone.
>
> The current logging only tells the victim why a query failed; it's
> pretty much useless unless troubleshooting a persistent, impactful
> problem. And at that point, it's easy enough to turn on for the
> duration. So I'd vote for disabled - and the ability to enable for
> resolution of queries to specific domains/nameservers via rndc for
> troubleshooting.
>
> What I think would be more useful is if named actually reported the
> issues to where they'd do some good. Perhaps a DNS extension "I got
> an invalid message from you" - so it shows up in the log of the server
> (and administrator) with the problem. (I'd worry about denial of
> service, though if the server is in fact lame, it's not providing
> service - at least to that zone . Abuse of the reporting mechanism is
> the main risk, and avoiding it would take some careful engineering.)
If you have a lame server my guess is that the logs of that server are
never looked at, rather the server is neglected completely, forgotten.
The place to talk to is the next level up, they should probably stop
referring to the lame server and might be the people caring about
whether their web site is reachable.
It has been seen a number of times that, say 5 servers have been
delegated to and only 3 of those actually answer, the other 2 were there
for "historical reasons" (nobody knew why, so better not change).
>
> Or, perhaps logged to a 'troubled' list of nameservers like the email
> RBL blacklists. People don't like being on 'bad citizen' lists, so if
> that list sent the whois registered technical contact for the domain
> an e-mail once a week in addition to making the list public... maybe
> some shame would work. But it's probably a dream. And there'd be a
> lot of fingers pointed at client firewalls...
>
> Since choice 2 is out-of-band, it would be a lot easier to put in
> place - if someone (ISC?) volunteered to host the list...
>
> In general, logging is most useful when the data goes to someone who
> can do something about it. Logging at the victim is useful for
> isolating a problem - but if no-one is actually troubleshooting (and
> won't), it's largely wasted.
>
> DNSSEC is another area where issues need to be forwarded to the
> source, not the victim.
>
> That's my 3 cents.
Up to a Dime.
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130108/9c60aa0a/attachment.html>
More information about the bind-users
mailing list