thr3ads.net - Logcheck devel - [Logcheck-devel] Bug#443908: /etc/logcheck/ignore.d.server/bind: [bind] unexpected RCODE (NOTIMP) [Sep 2007]

If this information is useful, please help other people find it:
Share via:

Frédéric Brière

2007-Sep-24 22:33 UTC

[Logcheck-devel] Bug#443908: /etc/logcheck/ignore.d.server/bind: [bind] unexpected RCODE (NOTIMP)

Package: logcheck-database
Version: 1.2.61
Severity: wishlist
File: /etc/logcheck/ignore.d.server/bind

After #437891, I got yet another new "unexpected RCODE", this time
"NOTIMP".  As I was starting to get pissed off, I copied the whole
list
out of lib/dns/result.c, in an attempt to put an end to my headache.

If you insist on using an enumeration instead of ".*", here's the
complete list (aside from NOERROR, obviously):

  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE
\((FORMERR|SERVFAIL|NXDOMAIN|NOTIMP|REFUSED|YXDOMAIN|YXRRSET|NXRRSET|NOTAUTH|NOTZONE|BADVERS|<rcode
[[:digit:]]+>|[[:digit:]]+)\) resolving '[^[:space:]]+':
[.[:digit:]]+#[0-9]+$

(Remember that this is both a violations and a normal ignore rule.)

The source sets undefined rcodes such as 15 as "<rcode 15>", but
they
show up as merely "15" in my log.  The answer is too deep in the code
for me to figure out, so I stuck both in the rule.

For curiosity's sake, I tried to find if there were rcodes that would
never be unexpected, but there doesn't seem any common denominator.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-k7 (SMP w/1 CPU core)
Locale: LANG=en_CA.utf-8, LC_CTYPE=en_CA.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- debconf information excluded

Justin Pryzby

2007-Sep-24 22:55 UTC

head link

[Logcheck-devel] Bug#443908: /etc/logcheck/ignore.d.server/bind: [bind] unexpected RCODE (NOTIMP)

On Mon, Sep 24, 2007 at 06:33:07PM -0400, Fr?d?ric Bri?re
wrote:> Package: logcheck-database
> Version: 1.2.61
> Severity: wishlist
> File: /etc/logcheck/ignore.d.server/bind
> 
> After #437891, I got yet another new "unexpected RCODE", this
time
> "NOTIMP".  As I was starting to get pissed off, I copied the
whole list
> out of lib/dns/result.c, in an attempt to put an end to my headache.
> 
> If you insist on using an enumeration instead of ".*", here's
the
> complete list (aside from NOERROR, obviously):
> 
>   ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE
\((FORMERR|SERVFAIL|NXDOMAIN|NOTIMP|REFUSED|YXDOMAIN|YXRRSET|NXRRSET|NOTAUTH|NOTZONE|BADVERS|<rcode
[[:digit:]]+>|[[:digit:]]+)\) resolving '[^[:space:]]+':
[.[:digit:]]+#[0-9]+$Aren't some of these worth reporting?  eg. REFUSED and NOTAUTH are
probably okay for a workstation.
> For curiosity's sake, I tried to find if there were rcodes that would
> never be unexpected, but there doesn't seem any common denominator.The bind message says "Unexpected" so should these really be filtered?

Thanks
Justin

Reasonably Related Threads

Search for more apparently analagous threads

Logcheck devel - Sep 2007 - Bug#443908: /etc/logcheck/ignore.d.server/bind: [bind] unexpected RCODE (NOTIMP)

[Logcheck-devel] Bug#443908: /etc/logcheck/ignore.d.server/bind: [bind] unexpected RCODE (NOTIMP)

[Logcheck-devel] Bug#443908: /etc/logcheck/ignore.d.server/bind: [bind] unexpected RCODE (NOTIMP)

Reasonably Related Threads