NOTAUTH on dynamic zone update

Benedikt Gollatz benedikt at
Mon Feb 16 03:08:01 UTC 2009

Hello everyone,

I use nsupdate to dynamically update a reverse lookup zone hosted by my 
BIND9 setup. For that purpose, I've created host-type HMAC-MD5 keys, 
added an appropriate "key" section to my configuration, added the updating 
host to the "controls" section, and added an "allow-update" parameter to the 
zone configuration like this:

zone "[...]" in {
    type master;
    allow-update { key "key-name"; };
};

I pass the key to nsupdate using one (either) of the keyfiles generated by 
dnssec-keygen with the -k parameter.

Unfortunately this doesn't work. When running nsupdate, I get a "failed: not 
authoritative for update zone (NOTAUTH)" error in my server log file, and no 
updating is done.

I'm confused about the error message because both the BIND configuration file 
and the SOA record of the zone state that the server indeed is authoritative 
for the update zone.

Also, this configuration works fine with a dhcpd updating a different zone 
hosted by the same server.

Googling yields a few people with similar problems but no real solution. Any 
hints on what I might be doing wrong are appreciated.


