Our unbound installation is handling 2044 DNS queries per second, and on
this installation we do DNSSEC validation. In the .nl zone DNSSEC is
actively used. For a lot of domain administrators DNSSEC is a new
protocol. This results in zones that are misconfigured for DNSSEC. This
way our client cannot visit the website. The client checks why he can't
visit the website with friends or Google DNS. Those services are not
validating with DNSSEC, so the website is reachable.
This results in a question on our helpdesk from the client.
Now my question:
I want to know two things.
1. Is it possible to get statistics about ServFails because of DNSSEC?
2. I would like to generate a log file or syslog message saying which
queries are not DNSSEC valid?
> Our unbound installation is handling 2044 DNS queries per second,
> and on this installation we do DNSSEC validation. In the .nl zone
> DNSSEC is actively used. For a lot of domain administrators DNSSEC
> is a new protocol. This results in zones that are misconfigured
> for DNSSEC. This way our client cannot visit the website. The
> client checks why he can't visit the website with friends or Google
> DNS. Those services are not validating with DNSSEC, so the website
> is reachable.
> This results in a question on our helpdesk from the client.
> Now my question:
> I want to know two things.
> 1. Is it possible to get statistics about ServFails because of
> DNSSEC?
Yes, unbound-control stats prints out the num.answer.bogus and
num.rrset.bogus counts. man unbound-control documents it.
> 2. I would like to generate a log file or syslog message saying which
> queries are not DNSSEC valid?
Use val-log-level: 1 to print out just the queries that have problems.
With val-log-level: 2 it prints out the query names with detailed
error messages (exactly what failed that caused it to be classified as
bogus by unbound).
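An added example, not part of the thread above, of what the helpdesk side of this looks like in practice: pull the bogus counters out of `unbound-control stats` output and pull the failing query names out of the `validation failure <name type class>: reason` lines that unbound writes at val-log-level: 1 or 2. The stats output and syslog lines embedded below are constructed samples; the function names (`stat_value`, `bogus_summary`, `failed_queries`) are this example's own, not unbound's.

```shell
#!/bin/sh
# Added example (not from the thread or from the unbound project): parse
# "unbound-control stats" output for the DNSSEC bogus counters and extract
# failing query names from val-log-level messages in syslog.
# STATS_SAMPLE and LOG_SAMPLE are constructed samples, not real captures.

STATS_SAMPLE='total.num.queries=2044
total.num.cachehits=1500
num.answer.rcode.SERVFAIL=7
num.answer.bogus=3
num.rrset.bogus=5'

LOG_SAMPLE='Mar  3 10:01:02 resolver unbound: [1234:0] info: validation failure <www.example.nl. A IN>: no signatures from 192.0.2.53 for key example.nl. while building chain of trust
Mar  3 10:01:05 resolver unbound: [1234:0] info: validation failure <mail.example.nl. MX IN>: signature crypto failed from 192.0.2.53
Mar  3 10:01:09 resolver unbound: [1234:0] info: resolving www.example.org. A IN'

# Print the value of one key=value counter from stats text read on stdin;
# print 0 when the counter is absent (e.g. unbound built without that stat).
stat_value() {
    awk -F= -v key="$1" '$1 == key { print $2; found = 1 }
                         END { if (!found) print 0 }'
}

# One-line summary of SERVFAIL answers and bogus counters from stats text $1.
# num.answer.bogus counts answers that failed validation; num.rrset.bogus
# counts individual RRsets marked bogus, so the two need not be equal.
bogus_summary() {
    servfail=$(printf '%s\n' "$1" | stat_value num.answer.rcode.SERVFAIL)
    answers=$(printf '%s\n' "$1" | stat_value num.answer.bogus)
    rrsets=$(printf '%s\n' "$1" | stat_value num.rrset.bogus)
    printf 'servfail=%s bogus_answers=%s bogus_rrsets=%s\n' \
        "$servfail" "$answers" "$rrsets"
}

# Turn "validation failure <name type class>: reason" log lines in $1 into
# "name type reason" lines; every other unbound log line is dropped.
failed_queries() {
    printf '%s\n' "$1" |
        sed -n 's/.*validation failure <\([^ ]*\) \([^ ]*\) [^>]*>: \(.*\)$/\1 \2 \3/p'
}

# Against a live resolver (needs control-enable: yes in the remote-control
# section of unbound.conf and access to the control key/cert):
#   unbound-control stats | stat_value num.answer.bogus
#   failed_queries "$(journalctl -u unbound --since today)"
bogus_summary "$STATS_SAMPLE"
failed_queries "$LOG_SAMPLE"
```

Note that `unbound-control stats` resets the counters after printing them (use `stats_noreset` to read without clearing), so a periodic poll with this script gives you per-interval bogus counts rather than totals.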