Best way to be notified of DNSSEC validation failures?

What is the best way to be notified of DNSSEC validation failures in Unbound?

If I set "verbosity" to "2" I receive a log entry of:

"Could not establish a chain of trust to keys for <dnssec-failed.org.
DNSKEY IN>"

When testing a failed host -- I could use this to be notified of
validation failures on specific domains.

Is there a better way?

Hi Augie,

> What is the best way to be notified of DNSSEC validation failures
> in Unbound?
>
> If I set "verbosity" to "2" I receive a log entry of:
>
> "Could not establish a chain of trust to keys for
> <dnssec-failed.org. DNSKEY IN>"
>
> When testing a failed host -- I could use this to be notified of
> validation failures on specific domains.
>
> Is there a better way?

in unbound.conf:

val-log-level: 2

You then get a single line with the query name and failure reason, one
per failure.

In contrib there is validation-reporter.sh - this is a tiny daemon
that listens to the logfile and can send the validation failures
elsewhere (where you have a 'central' failure list). No security on
the transmission (plain tcp), because it assumes the failures are
public information. This could be used to pool validation failures
between different participants (or your set of servers).

Best regards,
   Wouter

That works perfectly!

I had to add "--line-buffered" to the "grep" call though as grep on my
system was buffering all the input.

Thanks!
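The pieces of the thread put together as a small POSIX shell script: an added example, not from the thread and not Unbound's own contrib/validation-reporter.sh. It assumes that with "val-log-level: 2" Unbound logs lines of the form "validation failure <qname qtype qclass>: reason", and the sample log lines, host names and addresses below are constructed for the example. The grep "--line-buffered" flag that Augie needed is used in the tail pipeline, for the reason given in the comment.

```shell
#!/bin/sh
# Added example. Assumes unbound.conf contains:
#   server:
#       val-log-level: 2
# and that each failure is then logged as
#   "validation failure <qname qtype qclass>: reason".

# Constructed sample log (names, addresses and timestamps are made up).
SAMPLE_LOG='Jun  1 10:00:01 resolver unbound[1234]: [1234:0] info: validation failure <dnssec-failed.org. A IN>: no keys have a DS with algorithm RSASHA1 from 192.0.2.10 for key dnssec-failed.org. while building chain of trust
Jun  1 10:00:02 resolver unbound[1234]: [1234:0] info: resolving example.com. A IN
Jun  1 10:00:03 resolver unbound[1234]: [1234:0] info: validation failure <bad.example. MX IN>: signature expired from 192.0.2.20 for key bad.example. while building chain of trust'

# Read log lines on stdin, keep only validation failures and reduce each
# to "qname reason" (first field is the query name, the rest is the reason).
extract_failures() {
    sed -n 's/.*validation failure <\([^ ]*\) [^>]*>: \(.*\)$/\1 \2/p'
}

# Number of distinct query names that failed validation in the input.
count_failing_names() {
    extract_failures | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Follow a live log file and raise one syslog entry per failure.
# grep normally block-buffers when its output is a pipe, so without
# --line-buffered (GNU grep) the alert would sit in the buffer until
# enough failures accumulate; that is the problem Augie hit.
# Not run by the example itself; call it with the path to Unbound's log.
watch_log() {
    tail -F "$1" \
        | grep --line-buffered 'validation failure <' \
        | extract_failures \
        | while read -r qname reason; do
              logger -t dnssec-alert "validation failure for $qname: $reason"
          done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | extract_failures
```

Run it against the constructed sample to see the two failing names with their reasons; for a real deployment, point watch_log at the file named by Unbound's "logfile:" setting and replace the logger call with whatever reaches your on-call channel.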