Kindly mute the 'trust-anchor-telemetry' experimental warning.
Summary
Kindly mute the 'trust-anchor-telemetry' experimental warning.
BIND version affected
BIND 9.18.20 (Extended Support Version) <id:>
running on FreeBSD amd64 13.2-RELEASE-p7 FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr/local' '--enable-dnsrps' '--with-readline=libedit' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd13.2' 'build_alias=amd64-portbld-freebsd13.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -Wl,-rpath,/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/usr/obj/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'READLINE_CFLAGS=-L/usr/local/lib'
compiled by CLANG FreeBSD Clang 14.0.5 (https://github.com/llvm/llvm-project.git llvmorg-14.0.5-0-gc12386ae247c)
compiled with OpenSSL version: OpenSSL 1.1.1w 11 Sep 2023
linked to OpenSSL version: OpenSSL 1.1.1w 11 Sep 2023
compiled with libuv version: 1.47.0
linked to libuv version: 1.47.0
compiled with libnghttp2 version: 1.58.0
linked to libnghttp2 version: 1.58.0
compiled with libxml2 version: 2.10.4
linked to libxml2 version: 21004
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lockSteps to reproduce
- Use attached configuration file and start BIND server
What is the current bug behavior?
So this "experimental" features has been introduced about 5 years ago. Yet, after all that time, one or two warning lines are logged to syslog with LOG_WARNING severity, depending on whether you foolishly tried to mute the annoying hardcoded warning with the trust-anchor-telemetry no; option as suggested in KB. The hardcoded warning is annoying, doubling the pointless noise when you try to disable the feature - and, if fact, with a configuration that completely ignores DNSSEC since BIND is only used here to filter out AAAA for certain domains to avoid geolocation with IPv6 tunnels with certain domains - is just inexplicable.
What is the expected correct behavior?
Do not log pointless warnings to syslog.
Relevant configuration files
acl "Allow_ACL" {
127.0.0.0/8;
};
controls {
inet 127.0.0.1 port 9530 allow {
127.0.0.1/32;
} keys {
"rndc-key";
};
};
logging {
channel "default_log" {
file "/var/log/named/named.log" versions 3 size 5242880;
print-time yes;
print-severity yes;
print-category yes;
};
channel "query_log" {
file "/var/log/named/query.log" versions 3 size 5242880;
print-time yes;
};
channel "rpz_log" {
file "/var/log/named/rpz.log" versions 3 size 5242880;
print-time yes;
};
category "default" {
"default_log";
};
category "general" {
"default_log";
};
category "queries" {
"query_log";
};
category "rpz" {
"rpz_log";
};
category "lame-servers" {
"null";
};
};
options {
directory "/usr/local/etc/namedb/working";
dump-file "/var/dump/named_dump.db";
listen-on port 53530 {
127.0.0.1/32;
};
listen-on-v6 port 53530 {
::1/128;
};
pid-file "/var/run/named/pid";
statistics-file "/var/stats/named.stats";
allow-recursion {
"Allow_ACL";
};
dnssec-validation no;
max-cache-size 80%;
recursion yes;
allow-query {
"Allow_ACL";
};
};
key "rndc-key" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
plugin query "/usr/local/lib/bind/filter-aaaa.so" {
filter-aaaa-on-v4 break-dnssec;
filter-aaaa-on-v6 break-dnssec;
};
zone "." {
type hint;
file "/usr/local/etc/namedb/named.root";
};
zone "localhost" {
type primary;
file "/usr/local/etc/namedb/primary/localhost-forward.db";
};
zone "127.in-addr.arpa" {
type primary;
file "/usr/local/etc/namedb/primary/localhost-reverse.db";
};
zone "0.ip6.arpa" {
type primary;
file "/usr/local/etc/namedb/primary/localhost-reverse.db";
};Relevant logs
<28>1 2023-12-18T08:21:44+01:00 gw.example.com named 57351 - [meta sequenceId="31"] /usr/local/etc/namedb/named.conf:27: option 'trust-anchor-telemetry' is experimental and subject to change in the future
<28>1 2023-12-18T08:21:44+01:00 gw.example.com named 57351 - [meta sequenceId="30"] config.c: option 'trust-anchor-telemetry' is experimental and subject to change in the future