[Unbound-users] Best way to be notified of DNSSEC validation failures?

W.C.A. Wijngaards wouter at nlnetlabs.nl
Thu Mar 8 08:25:02 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Augie,

On 03/07/2012 09:41 PM, Augie Schwer wrote:
> What is the best way to be notified of DNSSEC validation failures
> in Unbound?
> 
> If I set "verbosity" to "2" I receive a log entry of :
> 
> "Could not establish a chain of trust to keys for
> <dnssec-failed.org. DNSKEY IN>"
> 
> When testing a failed host -- I could use this to be notified of 
> validation failures on specific domains.
> 
> Is there a better way?

in unbound.conf:

val-log-level: 2

You then get single line with query name, and failure reason.  Per
failure.

In contrib there is validation-reporter.sh - this is a tiny daemon
that listens to the logfile and can send the validation failures
elsewhere (where you have a 'central' failure list).  No security on
the transmission (plain tcp), because it assumes the failures are
public information.  This could be used to pool validation failures
between different participants (or your set of servers).

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPWGzaAAoJEJ9vHC1+BF+NyhMP/0cF9EJmaHioSpxQQhSBmNZI
WE1GCZ2tGLOV13AAbkvgc2mgEVrVCzh188SUhRJnUrfH1CpYZHbFvcWWJ4+gNp1G
rHdL7nfnT6HXr4tkZc0AkjPCPxqAJZlF/E63nWEfJMBcvdbGGRUOZ3B6DJq7W2an
S0pey01tRziulPt4w77700aqkB4iwnMLQuixAE8P0OrI/PWI5JNHjEXiMQUuTJMl
RN8bvRDoUQh31AdfzmrdvBIZO3cnP76THnHdOueBD622egdGVR0+SLHgAbcBeW6D
imhG6C5j++E6akiwlCzE3VmhaKg3/Kp9FRAF8jGwHokHVSaRUgD6vno7Lv4XRy0g
PBUshKDosngphcfFPH0MKrl8QGhY2Mr2guRupL0Xe82XshZdKyTk/offBbz8VvJX
/wvbtZp7Cvhqm4GO1OFS9dPmRzJSz+XBmDanPMjE5EqAK7yTjcXtmjK2Ez/Ro7jt
oBdRmn7wIIu71488f+uEIiKegvD4emotWHUtQuFOEu13qtXDihH+FuDsHB7o0QLA
iCPwa5wZnc4v5WW410q6gSsJAGPGjNGbskrjmbLexwY9RkiKqHzHmM/R1gLpvAYs
AeDQoxrXb62D9sKOpT/8Fs9HfLXY9dJEGV6Gz9NyD0E4HVe20gZ3ezYf4964wlaK
+VFyu4wDmxZTEU6+1G2s
=B+/E
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list