[dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration

[Steven Miller]

It'd still be good to have that exposed as a metric, since:

  * that way you don't have to wait to make the mistake (or to find the
    logs from someone else's mistake) in order to wrap alerting around it
  * the metric's more or less the metric forever-ish, while it seems
    more likely that a well-intentioned phrasing change in one of the
    logs could screw up whatever pattern's being used to match it
  * I personally think that the metric is somehow more in my face than
    the logs (e.g., "oh look, I dumped the metrics with a curl/wget and
    that looks very much like a counter we need to wrap something
    around" 😁)
  * for those living in the Prometheus/Grafana/Loki ecosystem, it may be
    a bit easier to just run a copy of the BIND exporter
    (https://github.com/prometheus-community/bind_exporter) than to make
    sure that all the logs are getting scraped appropriately and the
    path to get them into Loki works and keeps working all the time --
    it being easier to generate a no-data alert for a metric than it is
    to say "this log message we never get, we still haven't gotten it"

And yes, I recognize that "well, Steve, the code's right over here, go 
to it" is a valid argument.

     -Steve

On 11/3/2023 6:09 AM, Vladimír Čunát via dns-operations wrote:
>
> My understanding is that in this case the signer was producing loud 
> syslog warnings immediately when the issue happened (i.e. long before 
> validation could fail).
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20231103/3f2e28e7/attachment.html>