In message <1350000602.4741.10.camel@tardis>, Noel Butler writes:
> On Wed, 2012-10-10 at 18:44 +0000, Evan Hunt wrote:
>
> > > BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging.
> > > Unfortunately, our logs are now filling up with "RSA_verify failed"
> > > messages.
> >
> > Yeah, oops, we made that one too noisy.  You're not the first one
> > who's noticed. :/
> >
> > > How does one go about tracking down the source of these failures and
> > > correcting them? (We are running OpenSSL 1.0.1c.)
> >
> > In BIND9, in lib/dns/opensslrsa_link.c, change this:
> >
> >         return (dst__openssl_toresult2("RSA_verify",
> >                                        DST_R_VERIFYFAILURE));
> >
> > to this:
> >
> >         return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
> >
>
> Evan, After applying this change the logs still fill up with some crud
> (9.9.2)
>
> now still fills up with
>
> Oct 12 04:13:46 ns1 named[18293]: sucessfully validated after lower casing signer 'US'
> Oct 12 04:36:35 ns1 named[18293]: sucessfully validated after lower casing signer 'CO'
> Oct 12 04:36:35 ns1 last message repeated 4 times
> ...

Just drop the log level to ISC_LOG_DEBUG(1) and recompile.  Search for
"sucessfully validated after lower casing" in lib/dns/dnssec.c

> any method to disable this?  Is it in its own category we can null out
> without affecting any other logging?
>
> Cheers

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org