<div dir="ltr">Also, I believe the SERVFAILs you are seeing are from zones that your server is not authoritative for, more than likely. I believe there is some discussion on this list about amending this behavior (and responding with Refused, if memory serves me correctly, which it rarely does).<div>
<br></div><div>Cheers,</div><div>Will Pressly<br><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Feb 17, 2014 at 10:45 PM, Will Pressly <span dir="ltr"><<a href="mailto:will@edgecast.com" target="_blank">will@edgecast.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Those log lines are old school BIND 8 stats lines (deprecated in BIND 9.1.0, I believe). These were very common and a lot of people understood the log format and had tools and parsers built over it, so I guess it was a design decision of NLnet Labs to support it in NSD precisely because of this existing understanding in the world. <div>
<br></div><div>Specifically, the NSTATS line tells you this: current time, start time of server, then counts of each individual RR type. The XSTATS line tells you more in depth about issues with queries. I believe that almost every stat in the XSTATS that starts with an uppercase R is for a recursive server, and is largely irrelevant for NSD (as NSD is authoritative only). It is just in there for those parsers and tools that I mentioned in the first paragraph (so those tools worked on NSD's log format out of the box). You can see this in the code for the logging, where many of the stats are hard-coded zero:</div>
<div><pre style="white-space:pre-wrap;word-wrap:break-word">/* XSTATS */
/* Only print it if we're in the main daemon or have anything to report... */
if (nsd->server_kind == NSD_SERVER_MAIN
    || nsd->st.dropped || nsd->st.raxfr || (nsd->st.qudp + nsd->st.qudp6 - nsd->st.dropped)
    || nsd->st.txerr || nsd->st.opcode[OPCODE_QUERY] || nsd->st.opcode[OPCODE_IQUERY]
    || nsd->st.wrongzone || nsd->st.ctcp + nsd->st.ctcp6 || nsd->st.rcode[RCODE_SERVFAIL]
    || nsd->st.rcode[RCODE_FORMAT] || nsd->st.nona || nsd->st.rcode[RCODE_NXDOMAIN]
    || nsd->st.opcode[OPCODE_UPDATE]) {
    log_msg(LOG_INFO, "XSTATS %lld %lu"
        " RR=%lu RNXD=%lu RFwdR=%lu RDupR=%lu RFail=%lu RFErr=%lu RErr=%lu RAXFR=%lu"
        " RLame=%lu ROpts=%lu SSysQ=%lu SAns=%lu SFwdQ=%lu SDupQ=%lu SErr=%lu RQ=%lu"
        " RIQ=%lu RFwdQ=%lu RDupQ=%lu RTCP=%lu SFwdR=%lu SFail=%lu SFErr=%lu SNaAns=%lu"
        " SNXD=%lu RUQ=%lu RURQ=%lu RUXFR=%lu RUUpd=%lu",
        (long long) now, (unsigned long) nsd->st.boot,
        nsd->st.dropped, (unsigned long)0, (unsigned long)0, (unsigned long)0, (unsigned long)0,
        (unsigned long)0, (unsigned long)0, nsd->st.raxfr, (unsigned long)0, (unsigned long)0,
        (unsigned long)0, nsd->st.qudp + nsd->st.qudp6 - nsd->st.dropped, (unsigned long)0,
        (unsigned long)0, nsd->st.txerr,
        nsd->st.opcode[OPCODE_QUERY], nsd->st.opcode[OPCODE_IQUERY], nsd->st.wrongzone,
        (unsigned long)0, nsd->st.ctcp + nsd->st.ctcp6,
        (unsigned long)0, nsd->st.rcode[RCODE_SERVFAIL], nsd->st.rcode[RCODE_FORMAT],
        nsd->st.nona, nsd->st.rcode[RCODE_NXDOMAIN],
        (unsigned long)0, (unsigned long)0, (unsigned long)0, nsd->st.opcode[OPCODE_UPDATE]);
}</pre></div><div>Those variable descriptions are fairly self-explanatory, but here is a link to some in depth descriptions (the last quarter of the page is what you are looking for):</div><div><a href="http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch07_06.htm" target="_blank">http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch07_06.htm</a></div>
<div><br></div><div>Cheers,</div><div>Will Pressly</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Feb 17, 2014 at 5:39 PM, cam <span dir="ltr"><<a href="mailto:ESOUQcWEt5QXZwMWQYa8g7DiWPxFLIB3@sauros.net" target="_blank">ESOUQcWEt5QXZwMWQYa8g7DiWPxFLIB3@sauros.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Wouter,<br>
<br>
Thanks for your note. After going through my syslog-ng configuration file, I<br>
realized that it was not listening on any socket. Creating a socket<br>
/var/nsd/dev/log solved the issue, even when chroot-ing to "/var/nsd/"<br>
<br>
Apart from this, I was wondering if you could help demystify the log<br>
messages that I get:<br>
host nsd[16191]: NSTATS 1392687148 1392630857 A=71 NS=1 CNAME=5 MX=38 AAAA=32 DNSKEY=5 TYPE251=32 TYPE252=64 TYPE255=85<br>
host nsd[16191]: XSTATS 1392687148 1392630857 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAns=235 SFwdQ=0 SDupQ=0 SErr=0 RQ=333 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=98 SFwdR=0 SFail=89 SFErr=0 SNaAns=0 SNXD=1 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0<br>
<br>
Is there a document somewhere explaining the above codes (RR, RDupR etc.)?<br>
Also, I see Sfail=89, sounds like something is wrong?<br>
<br>
Thanks again,<br>
<br>
Cheers,<br>
cam<br>
<div><div><br>
On Mon, 17/02/2014 10:14 +0100, W.C.A. Wijngaards wrote:<br>
> Hi Cam,<br>
><br>
> On 02/16/2014 07:27 AM, cam wrote:<br>
> > Hi,<br>
> ><br>
> > Running NSD on OpenBSD 5.4, I notice that nsd does not log to<br>
> > SYSLOG unless it is run on the command line with the "-d -V 9"<br>
> > flags.<br>
> ><br>
> >> From the manpages:<br>
> > -l logfile Log messages to the specified logfile. The default is to<br>
> > log to stderr and syslog. If a zonesdir: is specified in the<br>
> > config file this path can be relative to that directory.<br>
> ><br>
> > Running it as a normal daemon with "-V 2" flags should<br>
> > theoretically log to SYSLOG but it is not the case. When running,<br>
> > no socket file is created in the /var/nsd/dev/ directory (even if I<br>
> > changed the permission to _nsd:_nsd), is this normal?<br>
> ><br>
> > Would appreciate any hint or help,<br>
><br>
> The chroot is likely the culprit. With chroot: "" you disable that,<br>
> and try to see if that fixes the logging.<br>
><br>
> Syslog on OpenBSD may need something in the chroot to function<br>
> properly, perhaps as user root makedev a device node or open a<br>
> named-pipe in a directory and then tell syslog to connect to it; or<br>
> something along those lines. If it does not have that, then NSD can<br>
> call the syslog call, but that routine cannot do anything. Usually<br>
> this is performed by the rc.d/nsd startup scripts. These scripts are<br>
> OS specific, and I guess the OpenBSD one does not set up the<br>
> prerequisites for syslog?<br>
><br>
> (That script should also set up: timezone information (for printing<br>
> the time to the log), and randomness device (for entropy to seed the<br>
> secure random generator); but again not all OSes need it because they<br>
> use a different implementation for those things).<br>
><br>
> Best regards,<br>
> Wouter<br>
><br>
><br>
> > Cheers, cam<br>
> ><br>
> > Some info: # nsd -v NSD version 3.2.15 Written by NLnet Labs.<br>
> ><br>
> > Copyright (C) 2001-2011 NLnet Labs. This is free software. There<br>
> > is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A<br>
> > PARTICULAR PURPOSE.<br>
> ><br>
> > # l /var/nsd/ total 28 drwxr-xr-x 7 root wheel 512 Feb 16 11:29<br>
> > . drwxr-xr-x 25 root wheel 512 Feb 16 11:23 .. drwxr-xr-x 2<br>
> > root wheel 512 Feb 13 19:32 db drwxr-xr-x 2 root wheel 512<br>
> > Jul 31 2013 dev drwxrwxr-x 2 root _nsd 512 Feb 16 14:14 run<br>
> > drwxr-xr-x 2 root wheel 512 Jul 31 2013 zones<br>
> ><br>
> > # cat /etc/nsd.conf server: ip-address: 0.0.0.0 port: 53<br>
> > server-count: 1 statistics: 120 verbosity: 2 ip4-only: yes<br>
> > hide-version: yes identity: "ns1.domain.tld"<br>
> > _______________________________________________ nsd-users mailing<br>
> > list nsd-users@NLnetLabs.nl<br>
> > <a href="http://open.nlnetlabs.nl/mailman/listinfo/nsd-users" target="_blank">http://open.nlnetlabs.nl/mailman/listinfo/nsd-users</a><br>
> ><br>
><br>
</div></div>
<div><div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
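<div>An added example, not part of the thread or of NSD: a parser for the NSTATS/XSTATS lines discussed above, which relabels each XSTATS field with the NSD counter it carries according to the quoted log_msg() call and flags any field that should be hard-coded zero but is not. The names parse_stats, xstats_report and NSD_XSTATS are made up for this sketch; the sample input is the two lines cam posted.</div>

```python
import re

# XSTATS label -> NSD counter, read off the log_msg() call quoted in the thread.
# Every label not listed here is passed as a hard-coded 0 by NSD.
NSD_XSTATS = {
    "RR": "dropped", "RAXFR": "raxfr", "SAns": "qudp + qudp6 - dropped",
    "SErr": "txerr", "RQ": "opcode[QUERY]", "RIQ": "opcode[IQUERY]",
    "RFwdQ": "wrongzone", "RTCP": "ctcp + ctcp6", "SFail": "rcode[SERVFAIL]",
    "SFErr": "rcode[FORMAT]", "SNaAns": "nona", "SNXD": "rcode[NXDOMAIN]",
    "RUUpd": "opcode[UPDATE]",
}

# The two syslog lines cam posted in the thread.
SAMPLE_NSTATS = ("host nsd[16191]: NSTATS 1392687148 1392630857 A=71 NS=1 "
                 "CNAME=5 MX=38 AAAA=32 DNSKEY=5 TYPE251=32 TYPE252=64 TYPE255=85")
SAMPLE_XSTATS = ("host nsd[16191]: XSTATS 1392687148 1392630857 RR=0 RNXD=0 "
                 "RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 "
                 "SSysQ=0 SAns=235 SFwdQ=0 SDupQ=0 SErr=0 RQ=333 RIQ=0 RFwdQ=0 "
                 "RDupQ=0 RTCP=98 SFwdR=0 SFail=89 SFErr=0 SNaAns=0 SNXD=1 RUQ=0 "
                 "RURQ=0 RUXFR=0 RUUpd=0")

LINE_RE = re.compile(r"nsd\[\d+\]: (NSTATS|XSTATS) (\d+) (\d+)((?: \S+=\d+)*)\s*$")


def parse_stats(line):
    """Parse one NSTATS/XSTATS syslog line; return None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    kind, now, boot, rest = m.groups()
    counters = {k: int(v) for k, v in (kv.split("=") for kv in rest.split())}
    return {"kind": kind, "now": int(now), "boot": int(boot), "counters": counters}


def xstats_report(rec):
    """Return (live NSD counters, nonzero always-zero labels, SFail / RQ)."""
    c = rec["counters"]
    live = {NSD_XSTATS[k]: v for k, v in c.items() if k in NSD_XSTATS}
    # A nonzero value here means the line did not come from the quoted code path.
    unexpected = sorted(k for k, v in c.items() if k not in NSD_XSTATS and v)
    rq = c.get("RQ", 0)
    return live, unexpected, (c.get("SFail", 0) / rq if rq else 0.0)


if __name__ == "__main__":
    rec = parse_stats(SAMPLE_XSTATS)
    live, unexpected, ratio = xstats_report(rec)
    print("seconds since start:", rec["now"] - rec["boot"])
    print("live counters:", live)
    print("unexpected nonzero:", unexpected, "SERVFAIL share: %.1f%%" % (100 * ratio))
```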