DNSSEC validation failure logging

This module logs a message for each DNSSEC validation failure (at the notice level). It is meant to give operators a hint about which queries should be investigated using diagnostic tools like DNSViz.

Add the following line to your configuration file to enable it:

modules.load('bogus_log')

Example of an error message logged by this module:

[dnssec] validation failure: dnssec-failed.org. DNSKEY

A list of the most frequent queries that fail as DNSSEC bogus can be obtained at run-time:

> bogus_log.frequent()
{
    {
        ['count'] = 1,
        ['name'] = 'dnssec-failed.org.',
        ['type'] = 'DNSKEY',
    },
    {
        ['count'] = 13,
        ['name'] = 'rhybar.cz.',
        ['type'] = 'DNSKEY',
    },
}
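The same ranking can be computed offline from collected log lines, which helps when picking names to check in DNSViz. The following is an added example, not part of the module or its documentation; the syslog-style prefix in the sample and the function names `parse_failure` and `frequent_failures` are assumptions.

```python
import re
from collections import Counter

# Matches the message format shown above; any syslog/journal prefix is ignored.
FAILURE_RE = re.compile(
    r"\[dnssec\]\s+validation failure:\s+(?P<name>\S+)\s+(?P<type>[A-Za-z0-9-]+)\s*$"
)

def parse_failure(line):
    """Return (name, type) for a bogus_log line, or None for any other line."""
    m = FAILURE_RE.search(line)
    if m is None:
        return None
    # DNS names are case-insensitive; fold case so counts are not split.
    return m.group("name").lower(), m.group("type").upper()

def frequent_failures(lines, limit=10):
    """Rank (name, type) pairs by failure count, most frequent first."""
    counts = Counter()
    for line in lines:
        key = parse_failure(line)
        if key is not None:
            counts[key] += 1
    # Sort by descending count, then by name/type so ties are deterministic.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [{"count": n, "name": name, "type": rtype}
            for (name, rtype), n in ranked[:limit]]

# Constructed sample input: the timestamps, host name and prefix are invented.
SAMPLE_LOG = """\
Jan 01 10:00:01 resolver kresd[1234]: [dnssec] validation failure: rhybar.cz. DNSKEY
Jan 01 10:00:02 resolver kresd[1234]: [dnssec] validation failure: dnssec-failed.org. DNSKEY
Jan 01 10:00:03 resolver kresd[1234]: [dnssec] validation failure: RHYBAR.cz. DNSKEY
Jan 01 10:00:04 resolver kresd[1234]: [system] unrelated message
Jan 01 10:00:05 resolver kresd[1234]: [dnssec] validation failure: rhybar.cz. A
"""

if __name__ == "__main__":
    for row in frequent_failures(SAMPLE_LOG.splitlines()):
        print(f"{row['count']:>5}  {row['name']}  {row['type']}")
```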

Please note that in the future this module might be replaced with some other way to log this information.