Hello,
according to the log snippet you provided it logs one message in 7-10 seconds, so I/O does
not seem to be a problem.
You can try to unload the bogus_log module but beware that it might break statistics
reported in the HTTP module. To unload the module add this command to the end of your config
file:
modules.unload('bogus_log')
To find the root cause of the problem we need to see the coredump file + information about
the exact package version.
Please send the corefile to e-mail knot-resolver(a)labs.nic.cz (do *not* send it to this
mailing list).
Thank you for your time.
Petr Špaček @ CZ.NIC
On 22. 10. 19 14:27, Milan Jeskynka Kazatel wrote:
Hello Team,
I found it, it is described in the Upgrading guide,
DNSSEC validation is now turned on by default. If you need to disable it, see Trust
anchors and DNSSEC
<https://knot-resolver.readthedocs.io/en/stable/daemon.html#dnssec-config>.
***
Since version 4.0, *DNSSEC validation is enabled by default*. This is secure default and
should not be changed unless absolutely necessary.
*Options in this section are intended only for expert users and normally should not be
needed.*
If you really need to turn DNSSEC off and are okay with lowering security of your system
by doing so, add the following snippet to your configuration file.
-- turns off DNSSEC validation
trust_anchors.remove('.')
***
Anyway, if it is enabled by default, how can I prevent the "DNSSEC validation
failure" spamming in the log and increasing the I/O operations on the system?
For me, the service is now in an unstable condition. My kresd@1 is crashing and
restarting in a row. Please, any advice?
I modified the server name and the domain, but it is still live log output.
Oct 22 14:02:51 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:02:58 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:03:08 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:03:18 dnstestserver systemd[1]: kresd@1.service watchdog timeout (limit 10s)!
Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service: main process exited, code=killed, status=6/ABRT
Oct 22 14:03:22 dnstestserver systemd[1]: Unit kresd@1.service entered failed state.
Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service failed.
Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service holdoff time over, scheduling restart.
Oct 22 14:03:22 dnstestserver systemd[1]: Cannot add dependency job for unit kresd.service, ignoring: Unit not found.
Oct 22 14:03:22 dnstestserver systemd[1]: Stopped Knot Resolver daemon.
Oct 22 14:03:22 dnstestserver systemd[1]: Starting Knot Resolver daemon...
Oct 22 14:04:07 dnstestserver kresd[16468]: [http] created new ephemeral TLS certificate
Oct 22 14:04:07 dnstestserver systemd[1]: Started Knot Resolver daemon.
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] refreshing TA for .
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] key: 20326 state: Valid
Oct 22 14:04:07 dnstestserver kresd[16468]: [ta_update] next refresh for . in 24 hours
Oct 22 14:04:09 dnstestserver kresd[16468]: DNSSEC validation failure example.com DNSKEY
...
Best regards.
--
Smil Milan Jeskyňka Kazatel
---------- Original e-mail ----------
From: Milan Jeskynka Kazatel <KazatelM(a)seznam.cz>
To: knot-resolver-users(a)lists.nic.cz
Date: 22. 10. 2019 13:33:46
Subject: DNSSEC validation failure logging on Centos 7 Knot Resolver, version 4.2.0
Hello Team,
I would like to know if the "DNSSEC validation failure logging" is enabled
by DEFAULT in version 4.2.0 on Centos 7.
I do not have any explicit call for this module - as is described in the
documentation like this: modules.load('bogus_log'), nevertheless, I'm facing a
huge report in the system log regarding DNSSEC validation failure somedomainname. DNSKEY
In the configuration, I'm using the 'http' module and module 'stats',
can it be relevant?
kresd.conf
-- Load Useful modules
modules = {
'policy', -- Block queries to local zones/bad sites
'view', -- Handle requests by source IP
'stats', -- Track internal statistics
'hints', -- Add static records to resolver
}
-- load HTTP module with defaults (self-signed TLS cert)
modules.load('http')
http.config()
*How can I disable **DNSSEC validation failure logging**?*
best regards,
--
Smil Milan Jeskyňka Kazatel
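
Added example, not part of the original thread and not Knot Resolver code: a small Python script that measures the gap between consecutive "DNSSEC validation failure" lines per kresd PID (the 7-10 second estimate in the reply at the top of the thread) and picks out the systemd watchdog lines that precede each restart. The sample input is the journal excerpt from this thread with wrapped lines rejoined; the function names and the assumed year 2019 are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Journal lines from the excerpt in this thread, wrapped lines rejoined.
SAMPLE = """\
Oct 22 14:02:51 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:02:58 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:03:08 dnstestserver kresd[15877]: DNSSEC validation failure example.com DNSKEY
Oct 22 14:03:18 dnstestserver systemd[1]: kresd@1.service watchdog timeout (limit 10s)!
Oct 22 14:03:22 dnstestserver systemd[1]: kresd@1.service: main process exited, code=killed, status=6/ABRT
Oct 22 14:04:09 dnstestserver kresd[16468]: DNSSEC validation failure example.com DNSKEY
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w@.-]+)\[(\d+)\]: (.*)$")

def parse(text, year=2019):
    """Yield (timestamp, process, pid, message); syslog omits the year (assumed)."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def failure_gaps(events):
    """Seconds between consecutive validation-failure lines, per kresd PID."""
    last, gaps = {}, defaultdict(list)
    for ts, proc, pid, msg in events:
        if proc == "kresd" and msg.startswith("DNSSEC validation failure"):
            if pid in last:
                gaps[pid].append((ts - last[pid]).total_seconds())
            last[pid] = ts
    return dict(gaps)

def watchdog_events(events):
    """systemd lines showing the watchdog firing or the resulting abort."""
    return [(ts, msg) for ts, proc, _, msg in events
            if proc == "systemd" and ("watchdog timeout" in msg or "status=6/ABRT" in msg)]

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    for pid, gaps in failure_gaps(events).items():
        print(f"kresd[{pid}]: gaps {gaps} s, ~{60 * len(gaps) / sum(gaps):.1f} msgs/min")
    for ts, msg in watchdog_events(events):
        print(f"{ts:%H:%M:%S} {msg}")
```

To run it against a live system, replace SAMPLE with saved journal output for the kresd@1 unit in the same syslog-style format.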