Some notes on (dynamic) Bind 9 logging

September 19, 2010

Bind 9's rndc has tasty looking options to change and increase logging on the fly, which is just what you want if you're trying to track down erratic behavior in a caching nameserver (where restarting the server might well make the whole thing go away so you can't troubleshoot what's going on). However, it turns out that you need some Bind configuration options already configured in order to make it work. Since I just went through figuring this out (and I may need to do it again), here's what's needed:

  • you need one or more logging channels configured with 'severity dynamic'. Without this, you can issue all the 'rndc trace 99' commands you want and nothing extra will get logged.

    (Note that 'severity debug' does not do what you want.)

    Doing this only to a file-based channel is good, unless you really want to flood your syslog for some reason. If your Bind is running chroot'd (as is the default on, e.g., OpenBSD) the file path for this is relative to the chroot.

  • you must also add whatever logging categories you're interested in and configure them to use the channel you've set up with dynamic severity.

    Note that some categories will log additional things even at 'rndc notrace' level; this may make you want to comment them out when not running in a debug setup. Sadly there seems to be no way to enable and disable logging categories through rndc.

  • 'rndc reconfig' may be helpful in getting a running Bind instance to notice your changed or added logging configuration without too many changes in its behavior. This really depends on what you're trying to debug, though.

    (It was successful for me, in that it didn't suddenly make the Bind instance start properly answering the query it had previously been failing on.)

Once you have done all of this, 'rndc querylog; rndc trace 99' should turn on more or less maximum logging, and then 'rndc querylog; rndc notrace' will turn it off. You may want to verify the current running setup with 'rndc status'.
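A named.conf logging block that puts the pieces above together, as an added example rather than the configuration from the original post. The channel names, the log file path and the choice of categories are assumptions made for illustration.

```conf
logging {
    // File-based channel whose debug level follows the server's global
    // debug level, i.e. whatever 'rndc trace N' / 'rndc notrace' sets.
    channel dynamic_debug {
        // Assumed path; under a chroot it is relative to the chroot.
        // 'versions' and 'size' keep a 'trace 99' run from filling the disk.
        file "log/named-debug.log" versions 3 size 20m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // For contrast: a fixed-level channel. 'severity debug' pins the
    // channel to one debug level (level 1 when no number is given), so
    // raising the level with 'rndc trace 99' adds nothing to it.
    // channel fixed_debug {
    //     file "log/named-fixed.log";
    //     severity debug;
    // };

    // Categories must be routed to the dynamic channel explicitly.
    // These three are an illustrative choice, not a tested minimum;
    // comment them out again when not debugging, since some categories
    // log extra messages even at 'rndc notrace' level.
    category queries  { dynamic_debug; };   // what 'rndc querylog' toggles
    category resolver { dynamic_debug; };
    category default  { dynamic_debug; };
};
```

After editing, 'rndc reconfig' loads the new logging block and 'rndc status' shows the current debug level and whether query logging is on.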

Sadly, I cannot (yet) say what categories it is necessary to enable in order to get Bind to log enough information to reconstruct where a particular query answer comes from. Maybe I'll figure that out Monday, assuming I don't decide that the server has just started to malfunction and needs to be restarted.

Written on 19 September 2010.
Last modified: Sun Sep 19 00:14:38 2010