Strange error from nsupdate
cet1 at cam.ac.uk
Mon Feb 14 21:53:15 UTC 2011
On Feb 14 2011, Chris Buxton wrote:
>On Feb 14, 2011, at 6:31 AM, Chris Thompson wrote:
>> We are running BIND 9.7.2-P3, and update our zones with nsupdate calls
>> that look like this:
>> nsupdate -v -k keys/update-key <[input] >/dev/null 2>[errors]
>> This is run from a Solaris 10_x86 non-global "zone" (container).
>> On a couple of occasions it has generated the error
>> dns_dispatch_getudp (v4): permission denied
>> This seems to strike at random, and goes away on retrying the same
>> nsupdate call. What's really strange here is that nsupdate is being
>> told to use TCP (the -v option), so why is it messing around with UDP?
>> Has anyone else seen this?
>I haven't seen it specifically, but:
>- nsupdate might be sending a query (over UDP) to fill in missing info,
> such as the zone or server to update.
The zone is given explicitly, the server by absolute name. It might be
looking up the IP address of the server, I suppose.
>- Your Solaris container might be the problem. I've heard of problems
> running named in a container, typically performance problems but this
> type of behavior might explain a performance issue.
The container doing the nsupdate isn't actually the one running the
nameserver, although that is in fact also also in a container. We haven't
had performance problems with the nameservers doing this (although they
are not very heavily loaded).
I should emphasize that this is a low-frequency effect - I estimate
something like 0.2%. It would be easier to track down if it were more
Email: cet1 at cam.ac.uk
More information about the bind-users