path: root/modules/bogus_log/README.rst
Diffstat (limited to 'modules/bogus_log/README.rst')
-rw-r--r-- modules/bogus_log/README.rst | 45
1 files changed, 45 insertions, 0 deletions
diff --git a/modules/bogus_log/README.rst b/modules/bogus_log/README.rst
new file mode 100644
index 0000000..d60c278
--- /dev/null
+++ b/modules/bogus_log/README.rst
@@ -0,0 +1,45 @@
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _mod-bogus_log:
+
+DNSSEC validation failure logging
+=================================
+
+This module logs a message for each DNSSEC validation failure (on ``notice`` :func:`level <log_level>`).
+It is meant to provide hint to operators which queries should be
+investigated using diagnostic tools like DNSViz_.
+
+Add following line to your configuration file to enable it:
+
+.. code-block:: lua
+
+ modules.load('bogus_log')
+
+Example of error message logged by this module:
+
+.. code-block:: none
+
+ [dnssec] validation failure: dnssec-failed.org. DNSKEY
+
+.. _DNSViz: http://dnsviz.net/
+
+List of most frequent queries which fail as DNSSEC bogus can be obtained at run-time:
+
+.. code-block:: lua
+
+ > bogus_log.frequent()
+ {
+ {
+ ['count'] = 1,
+ ['name'] = 'dnssec-failed.org.',
+ ['type'] = 'DNSKEY',
+ },
+ {
+ ['count'] = 13,
+ ['name'] = 'rhybar.cz.',
+ ['type'] = 'DNSKEY',
+ },
+ }
+
+Please note that in future this module might be replaced
+with some other way to log this information.
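Review bot: the sample output of ``bogus_log.frequent()`` lists the entry with ``count = 1`` ahead of the one with ``count = 13``, while the sentence introducing it promises the "most frequent" queries and says nothing about ordering, how many entries are tracked, or over what period the counts accumulate. Please document those properties so an operator can tell whether a name missing from the list is validating correctly or has simply dropped out of the table, and reorder the sample if the result is meant to be sorted by count. It would also help to state that the ``notice`` message is emitted once per failure, so operators can anticipate log volume when a popular zone goes bogus. Minor wording: "provide hint to operators" and "Add following line" are missing articles, and the ``.. _DNSViz:`` target could point at https://dnsviz.net/ rather than the plain http URL.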