Strange error from nsupdate

Chris Thompson cet1 at
Mon Feb 14 21:53:15 UTC 2011

On Feb 14 2011, Chris Buxton wrote:

>On Feb 14, 2011, at 6:31 AM, Chris Thompson wrote:
>> We are running BIND 9.7.2-P3, and update our zones with nsupdate calls
>> that look like this:
>> nsupdate -v -k keys/update-key <[input] >/dev/null 2>[errors]
>> This is run from a Solaris 10_x86 non-global "zone" (container).
>> On a couple of occasions it has generated the error
>> dns_dispatch_getudp (v4): permission denied
>> This seems to strike at random, and goes away on retrying the same
>> nsupdate call. What's really strange here is that nsupdate is being
>> told to use TCP (the -v option), so why is it messing around with UDP?
>> Has anyone else seen this?
>I haven't seen it specifically, but:
>- nsupdate might be sending a query (over UDP) to fill in missing info,
> such as the zone or server to update.

The zone is given explicitly, the server by absolute name. It might be
looking up the IP address of the server, I suppose.

>- Your Solaris container might be the problem. I've heard of problems
> running named in a container, typically performance problems but this
> type of behavior might explain a performance issue.

The container doing the nsupdate isn't actually the one running the
nameserver, although that is in fact also also in a container. We haven't
had performance problems with the nameservers doing this (although they
are not very heavily loaded).

I should emphasize that this is a low-frequency effect - I estimate
something like 0.2%. It would be easier to track down if it were more

Chris Thompson
Email: cet1 at

More information about the bind-users mailing list