On 5/14/20 4:50 PM, Bob Harold wrote:
> I am preparing to enable DNSSEC validation, so I am working on alerts
> for failed validations, so I can see whether they are user errors
> (that might need negative trust anchors or other exceptions) or actual
> attacks.
> But it seems that the "dnssec" category logs all sorts of DNSSEC
> issues, even if the response validates correctly. Is there something
> that I can match on to get just the responses that fail? (user gets
> SERVFAIL instead of an answer)?
That's a question specifically for BIND 9.11, right? In any case, there's a module in Knot Resolver just for this: https://knot-resolver.readthedocs.io/en/stable/modules-bogus_log.html

--Vladimir
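Added example, not part of either message above: one way to tell a SERVFAIL caused by DNSSEC validation from any other SERVFAIL, independent of what the resolver logs, is to repeat the query with the CD (Checking Disabled) bit set (RFC 4035, section 3.2.2). A validating resolver answers the CD query from the same cached data without validating it, so "plain query SERVFAILs, CD query succeeds" points at bogus or misconfigured signatures rather than an unreachable zone. The resolver address, query name and label strings are assumptions.

```python
import socket
import struct

# Constructed probe (not from the thread): send the same query twice, once
# normally and once with CD=1, both with EDNS0 and the DO bit, then classify.
SERVFAIL, NOERROR = 2, 0

def build_query(name, qtype=1, cd=False, txid=0x1234):
    """Wire-format DNS query with an EDNS0 OPT RR (DO=1); CD set on request."""
    flags = 0x0100 | (0x0010 if cd else 0)             # RD, plus CD when asked
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # QDCOUNT=1, ARCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)     # class IN
    # OPT RR: root name, type 41, UDP payload 1232, TTL field carries DO bit, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad_bit) from a response header."""
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0020)

def classify(rcode_plain, rcode_cd):
    """Label the pair of results for an alerting rule."""
    if rcode_plain == SERVFAIL and rcode_cd == NOERROR:
        return "validation-failure"   # bogus data or broken signing: investigate
    if rcode_plain == SERVFAIL:
        return "resolution-failure"   # upstream problem, not a DNSSEC one
    return "ok"

def probe(resolver_ip, name, timeout=3.0):
    """Run both probes over UDP against a resolver (network; not exercised by tests)."""
    rcodes = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, cd=cd), (resolver_ip, 53))
            rcodes.append(parse_flags(s.recv(4096))[0])
    return classify(*rcodes)

if __name__ == "__main__":
    # Assumed local validating resolver and an assumed test name.
    print(probe("127.0.0.1", "example.com"))
```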
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop