Created attachment 471189
Patch for various DNSSEC messages from named.

Description of problem:
The named script does not handle any of the validation and related DNSSEC errors generated by named.

Version-Release number of selected component (if applicable):
logwatch-7.3.6-58.fc14.noarch
bind-9.7.2-4.P3.fc14.x86_64

How reproducible:
View logwatch logs for named for any server allowed to perform DNSSEC lookups (default for Fedora).

Additional info:
The attached patch for medium level reporting reports on the count of Insecure, Invalid, Bad Cache Hits and other DNSSEC Error reports. On high level reporting, it also reports on the count of each lookup that fails the above categories. This patch also updates some matches to handle views correctly, reports on removed zones in views and ignores uninteresting messages regarding the managed-keys-zone.
I agree that most of these changes would be good.

With bind-9.7.2-1.P3 and logwatch-7.3.6-54 on F13, I get these every time named starts:
"generating session key"
"reading built-in trusted keys from file"
"using built-in trusted-keys"
"set up managed keys zone"

The "managed-keys-zone ... success" message looks harmless to me.

I'm also getting loads of these "validating" messages:
"got insecure response"
"no valid signature found"

The "error (XXX) resolving" messages aren't unique to DNSSEC, so I don't think it makes sense to report them in a "DNSSEC Errors" section. (Unless the only remaining errors that aren't handled by existing patterns are DNSSEC errors?)

I don't know about the others.
(In reply to comment #1)
...
> The "error (XXX) resolving" messages aren't unique to DNSSEC, so I don't think
> it makes sense to report them in a "DNSSEC Errors" section. (Unless the only
> remaining errors that aren't handled by existing patterns are DNSSEC errors?)

The only place I've seen this form seems to be for DNSSEC related things, in particular "insecurity proof failed". It is certainly something that should be monitored.

> I don't know about the others.

The rest are really generalising existing messages.
This is a regression from #550873 back in FC12.
(In reply to comment #3)
> This is a regression from #550873 back in FC12.

I'm not sure it is fully a regression in that many of the messages are due to more recent changes to bind. This problem may be ongoing until the IPSEC implementation stabilises.
(In reply to comment #1)
...
> The "error (XXX) resolving" messages aren't unique to DNSSEC, so I don't think
> it makes sense to report them in a "DNSSEC Errors" section. (Unless the only
> remaining errors that aren't handled by existing patterns are DNSSEC errors?)
>
> I don't know about the others.

Okay, while 99.9% of the errors I've seen are DNSSEC, yes, there are the occasional ones that are not, e.g. general timeouts, etc. So you are probably correct that this section shouldn't be titled "DNSSEC Errors" but just "Errors" or something like that.
Created attachment 476003
Tiny update to previous DNSSEC patch.

The new patch changes the error messages from "DNSSEC Errors" to just "DNS Errors".
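As an added illustration of what the reporting in this thread boils down to (this is not the attached patch, which is a Perl logwatch script): a small Python classifier that sorts named log lines into the categories named in the bug description (Insecure, Invalid, Bad Cache Hits, the renamed "DNS Errors", and zones removed per view), skips the managed-keys-zone noise, and produces either the medium-level counts or the high-level per-name breakdown. The sample lines are constructed in the style of BIND 9.7 syslog output, and the regexes are assumptions modelled on the messages quoted in this thread, not the patch's own patterns.

```python
import re
from collections import Counter

# Constructed sample lines (not from the bug report); names use reserved
# example domains and the @0x... validator handle is made up.
SAMPLE_LOG = """\
validating @0x7f3a1c0a2b40: example.com A: got insecure response; parent indicates it should be secure
validating @0x7f3a1c0a2b40: example.net SOA: no valid signature found
error (insecurity proof failed) resolving 'example.org/A/IN': 192.0.2.53#53
error (timed out) resolving 'example.invalid/MX/IN': 198.51.100.7#53
bad cache hit (example.org/DNSKEY)
validating @0x7f3a1c0a2b40: example.net SOA: no valid signature found
managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
zone example.test/IN/internal: (master) removed
"""

# Assumed patterns, one per report category; "name" is the per-lookup key
# used at high detail level. Zone names are matched with their view suffix.
RULES = [
    ("Insecure", re.compile(r"^validating @0x[0-9a-f]+: (?P<name>\S+) \S+: got insecure response")),
    ("Invalid", re.compile(r"^validating @0x[0-9a-f]+: (?P<name>\S+) \S+: no valid signature found")),
    ("Bad Cache Hits", re.compile(r"^bad cache hit \((?P<name>[^)]+)\)")),
    ("DNS Errors", re.compile(r"^error \((?P<reason>[^)]+)\) resolving '(?P<name>[^']+)'")),
    ("Removed Zones", re.compile(r"^zone (?P<name>\S+): \((?:master|slave)\) removed")),
]
IGNORE = re.compile(r"^managed-keys-zone ")  # uninteresting, per the bug report

def classify(line):
    """Return (category, key) for a named log line, or None if it is ignored."""
    line = line.strip()
    if not line or IGNORE.match(line):
        return None
    for category, rx in RULES:
        m = rx.match(line)
        if m:
            key = m.group("name")
            if category == "DNS Errors":          # keep the reason so timeouts and
                key = f"{key}: {m.group('reason')}"  # DNSSEC failures stay distinguishable
            return category, key
    return "Unmatched", line  # logwatch convention: surface anything unrecognised

def summarize(log, detail="medium"):
    """Medium level: count per category. High level: count per name within each category."""
    counts, per_name = Counter(), {}
    for line in log.splitlines():
        hit = classify(line)
        if hit is not None:
            category, key = hit
            counts[category] += 1
            per_name.setdefault(category, Counter())[key] += 1
    if detail == "high":
        return {category: dict(per_name[category]) for category in counts}
    return dict(counts)
```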
I have backported the patch to rawhide logwatch: logwatch-7.3.6-68.20110228svn46.fc16

It should go to F-15 and to the upstream mailing list now.
logwatch-7.3.6-68.20110203svn25.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/logwatch-7.3.6-68.20110203svn25.fc15
logwatch-7.3.6-68.20110203svn25.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
As F14 reached its end of life and the bug has been fixed for F15, I'm closing this.