== Some notes on (dynamic) Bind 9 logging

Bind 9's _rndc_ has tasty looking options to change and increase logging on the fly, which is just what you want if you're trying to track down an erratic behavior in a caching nameserver (where restarting the server might well make the whole thing go away so you can't troubleshoot what's going on). However, it turns out that you need some Bind configuration options already configured in order to make it work. Since I just went through figuring this out (and I may need to do it again), here's what's needed:

* you need one or more logging channels configured with '_severity dynamic_'. Without this, you can issue all the '_rndc trace 99_' commands you want to and nothing extra will get logged. (Note that '_severity debug_' does not do what you want.)

  Doing this only to a file-based channel is good, unless you really want to flood your syslog for some reason. If your Bind is running chroot'd (as is the default on, eg, OpenBSD) the file path for this is relative to the chroot.

* you must also add whatever logging categories you're interested in and configure them to use the channel you've set up with dynamic severity. Note that some categories will log additional things even at '_rndc notrace_' level; this may make you want to comment them out when not running in a debug setup. Sadly there seems to be no way to enable and disable logging categories through _rndc_.

* '_rndc reconfig_' may be helpful in getting a running Bind instance to notice your changed or added logging configuration without too many changes in its behavior. This really depends on what you're trying to debug, though.

  (It was successful for me, in that it didn't suddenly make the Bind instance start properly answering the query it had previously been failing on.)

Once you have done all of this, '_rndc querylog; rndc trace 99_' should turn on more or less maximum logging, and then '_rndc querylog; rndc notrace_' will turn it off. You may want to verify the current running setup with '_rndc status_'.

Sadly, I cannot (yet) say what categories it is necessary to enable in order to get Bind to log enough information to reconstruct where a particular query answer comes from. Maybe I'll figure that out Monday, assuming I don't decide that the server has just started to malfunction and needs to be restarted.
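A minimal _logging_ stanza that meets the two configuration requirements listed above, as an added example that is not from the original post. The channel name, file path, rotation settings and the choice of categories are assumptions made for illustration; the post does not say which categories are needed.

```conf
// named.conf fragment (constructed example).
logging {
    // File-based channel whose verbosity follows the server's global
    // debug level, i.e. whatever 'rndc trace N' / 'rndc notrace' sets.
    channel dyn_debug {
        // Hypothetical path. If named runs chroot'd, this path is
        // interpreted relative to the chroot directory.
        file "/var/log/named-debug.log" versions 3 size 20m;

        // The setting that makes 'rndc trace' have any effect here.
        // A fixed 'severity debug N;' would not track the trace level.
        severity dynamic;

        // Stamp each line so entries can be correlated afterwards.
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Categories must be routed to the dynamic channel explicitly.
    // These two are illustrative picks only. Some categories log
    // extra lines even at 'rndc notrace', so comment them out when
    // not debugging.
    category queries  { dyn_debug; };
    category resolver { dyn_debug; };
};

// Workflow from the post, once the stanza is in place:
//   rndc reconfig                   (pick up the new logging config)
//   rndc querylog; rndc trace 99    (turn on near-maximum logging)
//   rndc status                     (verify the running setup)
//   rndc querylog; rndc notrace     (turn it back off)
```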