Logging question about message 'update-security: error: client update denied'

Josh Nielsen jnielsen at hudsonalpha.org
Mon May 16 20:34:04 UTC 2016 

Hello,

I have a message that has been showing up in my master DNS server's log
over the past few weeks and I am wondering if I can find more verbose
specifics from debugging messages in BIND somehow.

The messsage looks like this:

May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
denied

The frequency of the messages is sporadic. Sometime two or three time in an
hour, sometimes once each hour, sometimes 2-3 hours go by before I see one,
but I get multiple a day.

I take it that this means that for some reason the slave is trying to
update the master with some entry, even though I haven't explicitly set up
my slave server to be capable of doing so (that I know of). I intended to
have the slaves only receive changes coming down from the master but not to
try pushing changes up.

Here is the zone block for the domain in question in the master and slave
servers' /etc/named.conf:

Master (10.20.0.110):

zone "my.domain" in {
        type master;
        file "db.my.domain";
        allow-transfer {
                10.20.0.100/32;
                10.20.0.101/32;
        };
        allow-update {
                key "xcat_key";
        };
        notify yes;
        also-notify {10.20.0.100; 10.20.0.101;};
};

Slave #2 (10.20.0.101):

zone "my.domain" in {
        type slave;
        file "slaves/db.my.domain";
        masters {10.20.0.110;};
};

There are no complaints about Slave #1 in the master's log, though it is
basically a clone of Slave #2. They provide name resolution for a compute
cluster and the cluster nodes point to both of them in their resolv.conf
but in alternating order for load balancing purposes. Is there a way that I
can get more detail of what specifically the DNS slave server is trying to
update the master with (maybe via more verbose output on the slave itself)?

Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6

Thanks,
Josh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160516/4c8b9b2d/attachment.html>

More information about the bind-users mailing list