Logging
Timothe Litt
litt at acm.org
Tue Jan 8 13:19:56 UTC 2013
> 1. Should ISC change the default logging for lame servers to disabled?
Well, since you asked: the lame server logging goes back to when the
internet was a small, collegial place and one wrote a quick note to a
friend to fix these issues. And people who accidentally had a lame
server were embarrassed. Those days, sadly, are gone.
The current logging only tells the victim why a query failed; it's
pretty much useless unless troubleshooting a persistent, impactful
problem. And at that point, it's easy enough to turn on for the
duration. So I'd vote for disabled - and the ability to enable for
resolution of queries to specific domains/nameservers via rndc for
troubleshooting.
What I think would be more useful is if named actually reported the
issues to where they'd do some good. Perhaps a DNS extension "I got an
invalid message from you" - so it shows up in the log of the server (and
administrator) with the problem. (I'd worry about denial of service,
though if the server is in fact lame, it's not providing service - at
least to that zone . Abuse of the reporting mechanism is the main risk,
and avoiding it would take some careful engineering.)
Or, perhaps logged to a 'troubled' list of nameservers like the email
RBL blacklists. People don't like being on 'bad citizen' lists, so if
that list sent the whois registered technical contact for the domain an
e-mail once a week in addition to making the list public... maybe some
shame would work. But it's probably a dream. And there'd be a lot of
fingers pointed at client firewalls...
Since choice 2 is out-of-band, it would be a lot easier to put in place
- if someone (ISC?) volunteered to host the list...
In general, logging is most useful when the data goes to someone who can
do something about it. Logging at the victim is useful for isolating a
problem - but if no-one is actually troubleshooting (and won't), it's
largely wasted.
DNSSEC is another area where issues need to be forwarded to the source,
not the victim.
That's my 3 cents.
--
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5159 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130108/cda1dcb2/attachment.bin>
More information about the bind-users
mailing list