NOTAUTH on dynamic zone update

Mark Andrews Mark_Andrews at
Tue Feb 17 20:54:30 UTC 2009

In message <gnalak$f16$1 at>, Benedikt Gollatz writes:
> Hello everyone,
> I use nsupdate to dynamically update a reverse lookup zone hosted by my 
> BIND9 setup. For that purpose, I've created host-type HMAC-MD5 keys, 
> added an appropriate "key" section to my configuration, added the updating 
> host to the "controls" section, and added an "allow-update" parameter to the 
> zone configuration like this:
> zone "[...]" in {
>     type master;
>     [...]
>     allow-update { key "key-name"; };
> };
> I pass the key to nsupdate using one (either) of the keyfiles generated by 
> dnssec-keygen with the -k parameter.
> Unfortunately this doesn't work. When running nsupdate, I get a "failed: not 
> authoritative for update zone (NOTAUTH)" error in my server log file, and no 
> updating is done.

	The zone section in the update message does NOT match a
	master/slave zone configured in the view that the update
	message matched.

> I'm confused about the error message because both the BIND configuration file
> and the SOA record of the zone state that the server indeed is authoritative 
> for the update zone.
> Also, this configuration works fine with a dhcpd updating a different zone 
> hosted by the same server.
> Googling yields a few people with similar problems but no real solution. Any 
> hints on what I might be doing wrong are appreciated.
> Benedikt
> _______________________________________________
> bind-users mailing list
> bind-users at
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at

More information about the bind-users mailing list