On Mon, 3 Mar 2025, Michael Richardson wrote:
Brett Delmage via bind-users <bind-users@lists.isc.org> wrote:
> Specifically for me now that's the query log including the flags. But it
> could be other log files too at times. I am running DNSSEC and primary,
> secondary, and internal resolving servers so many logs are of interest at
> different times.
If you are having DNSSEC problems, then you may find
https://dnsviz.net/d/brettdelmage.ca/dnssec/
useful. BTW: I don't see anything wrong there.
Are you having problems with others resolving your domain, or problems with
another domain?
Thanks. I was actually just trying to debug acme.sh DNS-01 cert
generation. Cert gen works fine with the the LE test/staging server but
unreliably with the real LE server.
While debugging I realized I was not 100% certain on the flags and other
fields in the query log and sought to expand my knowledge. I know the
flags field corresponds to flags in the DNS protocol and dig man
page, but I'm only guessing the query log's single-character
representation, and some other fields.
It seems to me that it would be useful for ISC to have a page explaining
the log file formats, if I have simply not found it. I searched this
list's archives before posting, too.
(I think the LE server DNS-01 authentication query may not be reaching my
BIND server due to some very heavy packet filtering I use. So I was
debugging that using multitail on both update.log and query.log to watch
the DNS action. acme.sh DNS-01 challenges have worked fine for me for
years on various servers so something has changed or I am making a stupid
mistake. But that's not BIND-related. Anyone know the best forum for
asking an acme.sh question?)
Brett
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
