Bind Queries log file format

Mark Andrews marka at isc.org
Wed Feb 8 03:06:24 UTC 2017


In message <DB6PR0501MB2309198D18749297D7EBAE41C0420 at DB6PR0501MB2309.eurprd05.prod.outlook.com>, Paul Roberts writes:
> I have to say I agree with the approach of putting this extra info into a
> separate file. I appreciate this could cause additional problems (disk
> utilisation, extra I/O's, log rolling etc.) but I would prefer to keep the
> query log format as stable as possible. I am still mopping up the last big
> change when ISC added the FQDN reference at the start of each message and
> I'm getting a little tired of dealing with customers and their broken
> regexes when log formats change because they've upgraded BIND.
> 
> There are also wider implications - there are products out there that
> hard-code the regex and it can't be modified, so that then requires dealing
> with vendors, submitting bug reports/enhancement requests, providing
> evidence, business impact statements, also I have to perform root cause
> analysis for customers why their SIEM is no longer capturing the logs, which
> can have serious regulatory implications and consequences (banks etc.), then
> there's testing every upgrade in the lab before we run in production etc., I
> have enough work on my plate as it is! :-)
> 
> Basically there's a whole world of pain out there that can be avoided if you
> just keep the log format the same. :-)
> 
> Thanks,
> 
> Paul

Change happens.  The DNS protocol has expanded enormously from the
original specification.  To expect the summary log line to not
change with that change is just not realistic.  We do try to keep
the format change to a .0 release.  This one we missed.

We currently log:

client, qname, qclass, qtype, RD (+/-), was the request signed (S),
the EDNS with version, was it over TCP (T), was DO=1 set (D), was
CD=1 set (C), were DNS COOKIES in use and was it a valid server
cookie or just a client cookie (V, K).  We log the interface it was
received on and whether the ECS option was present.

Not everyone wants all of these details but someone wants every one
of these.

9.1.0: client, qname, qclass, qtype
9.2.0: client, qname, qclass, qtype
9.3.0: client, qname, qclass, qtype, RD, signed, EDNS
9.4.0: client, qname, qclass, qtype, RD, signed, EDNS
9.5.0: client, qname, qclass, qtype, RD, signed, EDNS, DO, CD
9.6.0: client, qname, qclass, qtype, RD, signed, EDNS, DO, CD
9.7.0: client, qname, qclass, qtype, RD, signed, EDNS, TCP, DO, CD, local address
9.8.0: client, qname, qclass, qtype, RD, signed, EDNS, TCP, DO, CD, local address
9.9.0: client, qname, qclass, qtype, RD, signed, EDNS, TCP, DO, CD, local address
9.10.0: client, qname, qclass, qtype, RD, signed, EDNS, TCP, DO, CD, local address
9.11.0: client, qname, qclass, qtype, RD, signed, EDNS + version, TCP, DO, CD, cookies, local address
9.12.0: client, qname, qclass, qtype, RD, signed, EDNS + version, TCP, DO, CD, cookies, local address, ecs

That's basically 5 changes in 17 years.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

