[ratelimits] Logging category

Phil Mayers p.mayers at imperial.ac.uk
Wed May 8 20:42:05 UTC 2013


On 08/05/2013 21:26, Vernon Schryver wrote:

> Are you using a BIND9 RRL patch from this year?  I changed the
> logging last year.  If you are using a current version of an RRL
> patch, `named -v` will say something about either ".094.21" or
> "105.03".

I downloaded it yesterday, so I hope so ;o)

BIND 9.9.2-rpz+rl.094.21-P2

...says the server.

> Responses that are slipped or dropped are logged in "queries"
> category at the "info" level.  That is the same category and level
> at which the query itself and any other errors are logged.  Rate
> limit dispositions should no more than double the noise in the
> "queries" category.  If the "queries" category is too busy (it
> often is), consider turning off query logging.

That's pretty much precisely what I *don't* want to do. During even 
heavy DoS load, query logging works fine and doesn't incur worrisome 
load, whilst being very useful surprisingly often.

But the external process I'm using to "tail" the logs is written in a 
scripting language, so a sensible optimisation is to reduce the amount 
of data it has to parse/process. If you're telling me that RRL logging 
will always go in the "query" category, then I will investigate other 
alternatives (e.g. stick a "grep -v" in the pipeline).

> The separate "rate-limit" category is either less or more noisy
> than the queries category depending on the level you choose for the
> channel.
>
> Please consult the ARM fragment via the link on
> http://www.redbarn.org/dns/ratelimits labeled "Draft text for BIND9
> Administrators Reference Manual (ARM) describing"

I've read that; I know what the current behaviour is. I'm wondering if 
it will always be that way.

Cheers,
Phil

