22 Říj
2019
22 Říj
'19
14:27
Hello Team,
I found it, it is described in the Upgrading guide,
DNSSEC validation is now turned on by default. If you need to disable it,
see Trust anchors and DNSSEC
(https://knot-resolver.readthedocs.io/en/stable/daemon.html#dnssec-config).
***
Since version 4.0, DNSSEC validation is enabled by default. This is secure
default and should not be changed unless absolutely necessary.
Options in this section are intended only for expert users and normally
should not be needed.
If you really need to turn DNSSEC off and are okay with lowering security of
your system by doing so, add the following snippet to your configuration
file.
<span
style='box-sizing:border-box;color:rgb(64,128,144);font-style:italic'>-- turns
off DNSSEC validation</span>
<span style='box-sizing:border-box'>trust_anchors</span><span
style='box-sizing:border-box'>.</span><span
style='box-sizing:border-box'>remove</span><span
style='box-sizing:border-box'>(</span><span
style='box-sizing:border-box;color:rgb(64,112,160)'>'.'</span><span
style='box-sizing:border-box'>)</span>.
***
Anyway, if it is enabled by default, how to prevent the "DNSSEC validation
failure" spamming in the log and increasing the I/O operation on the
system?
For me now is the service in the unstable condition. My kresd@1 is crashing
and restarting in the row. Please, any advice?
I modify the server name and the domain, but still it is a live log output.
Oct 22 14:02:51 dnstestserver kresd[15877]: DNSSEC validation failure
example.com DNSKEY
Oct 22 14:02:58 dnstestserver kresd[15877]: DNSSEC validation failure
example.com DNSKEY
Oct 22 14:03:08 dnstestserver kresd[15877]: DNSSEC validation failure
example.com DNSKEY
Oct 22 14:03:18 dnstestserver systemd[1]: kresd(a)1.service watchdog timeout
(limit 10s)!
Oct 22 14:03:22 dnstestserver systemd[1]: kresd(a)1.service: main process
exited, code=killed, status=6/ABRT
Oct 22 14:03:22 dnstestserver systemd[1]: Unit kresd(a)1.service entered
failed state.
Oct 22 14:03:22 dnstestserver systemd[1]: kresd(a)1.service failed.
Oct 22 14:03:22 dnstestserver systemd[1]: kresd(a)1.service holdoff time over,
scheduling restart.
Oct 22 14:03:22 dnstestserver systemd[1]: Cannot add dependency job for unit
kresd.service, ignoring: Unit not found.
Oct 22 14:03:22 dnstestserver systemd[1]: Stopped Knot Resolver daemon.
Oct 22 14:03:22 dnstestserver systemd[1]: Starting Knot Resolver daemon...
Oct 22 14:04:07 dnstestserver kresd[16468]: [http] created new ephemeral TLS
certificate
Oct 22 14:04:07 dnstestserver systemd[1]: Started Knot Resolver daemon.
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] refreshing TA for .
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] key: 20326 state:
Valid
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] next refresh for .
in 24 hours
Oct 22 14:04:09 dnstestserver kresd[16468]: DNSSEC validation failure
example.com DNSKEY
...
Best regards.
--
Smil Milan Jeskyňka Kazatel
---------- Původní e-mail ----------
Od: Milan Jeskynka Kazatel <KazatelM(a)seznam.cz>
Komu: knot-resolver-users(a)lists.nic.cz
Datum: 22. 10. 2019 13:33:46
Předmět: DNSSEC validation failure logging on Centos 7 Knot Resolver,
version 4.2.0
"Hello Team,
I would like to know if the "DNSSEC validation failure logging" is enabled
by DEFAULT in version 4.2.0. on Centos 7.
I do not have any explicit call for this module - as is described in the
documentation like this: modules.load('bogus_log'), nevertheless, I´m facing
a huge report in the system log regarding DNSSEC validation failure
somedomainname. DNSKEY
In the configuration, I´m using the 'http' module and module 'stats', can
it
be relevant?
kresd.conf
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'view', -- Handle requests by source IP
'stats', -- Track internal statistics
'hints', -- Add static records to resolver
}
-- load HTTP module with defaults (self-signed TLS cert)
modules.load('http')
http.config()
How can I disable DNSSEC validation failure logging?
best regards,
--
Smil Milan Jeskyňka Kazatel
"