Improved, comprehensive logging of NTA additions and removals [ISC-Support #8279]
user request is for a log message at the time when an NTA is expired, ideally with a reason.
What we would really like to see is just a message at the expired point. Something we can trigger on predictably. " NTA expired due to time" " NTA expired due to zone revalidating" " NTA removed at user request" (rndc nta -remove) " NTA expired due to "
This was discussed at the weekly meeting, and Mukund said that a timer might need to be added to the NTA code, so as to watch/track NTAs.Note that we do log NTA expiry before a "resolution fails because the NTA has been removed". But it isn't logged at the exact second the NTA expires.. it is cleaned up lazily when we attempt to use it next.
The customer's use case:
The main purpose would be for Tier I helpdesk awareness. We would incorporate this into our existing log analysis system to generate reports that detail why an NTA was removed and when. The most immediate use case I can think of is a signed domain whose signatures have expired that requested an NTA and is now getting complaints about resolution failing. As we talked about we would want to get the current status through real-time queries but knowing the cause of the removal would help reduce call escalation.
It occurs to me that our use case may be different from an external recursive server so this may seem like an odd request. The recursive servers where we will utilize NTA are at the enterprise level and provide recursion for the internal namespace. That internal namespace is very fractured and maintained by over a thousand different groups. So the support structure for those enterprise recursive servers need to be able to answer when there are problems in any of that namespace. Knowing resolution is failing because the NTA has been removed and why will help overall understanding and ticket routing.
Tagging with 9.13.3, hoping to get this into 9.14.0