[DNSOP] DNSSEC actual failures log where?

Bob Harold <rharolde@umich.edu> Thu, 14 May 2020 14:51 UTC

I am preparing to enable DNSSEC validation, so I am working on alerts for
failed validations, so I can see whether they are user errors (that might
need negative trust anchors or other exceptions) or actual attacks.
But it seems that the "dnssec" category logs all sorts of DNSSEC issues,
even if the response validates correctly.  Is there something that I can
match on to get just the responses that fail (user gets SERVFAIL instead
of an answer)?

-- 
Bob Harold