Logging question about message 'update-security: error: client update denied'

Mon May 16 21:24:12 UTC 2016

In message <CANX+b1K5Z28oqVnb7=FxWGrHL5YSsg0Ear_fnnpYuDzJcDywNQ at mail.gmail.com>, Josh Nielsen writes:
> Hello,
> 
> I have a message that has been showing up in my master DNS server's log
> over the past few weeks and I am wondering if I can find more verbose
> specifics from debugging messages in BIND somehow.
> 
> The messsage looks like this:
> 
> May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
> update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
> denied

It a UPDATE request being denied.  It will be some process other
than named sending the request unless you have configured named to
forward updates.

In the best of worlds every machine would be updating its own PTR
records and keep its own addresses in the DNS up to date.

Mark

> The frequency of the messages is sporadic. Sometime two or three time in an
> hour, sometimes once each hour, sometimes 2-3 hours go by before I see one,
> but I get multiple a day.
> 
> I take it that this means that for some reason the slave is trying to
> update the master with some entry, even though I haven't explicitly set up
> my slave server to be capable of doing so (that I know of). I intended to
> have the slaves only receive changes coming down from the master but not to
> try pushing changes up.
> 
> Here is the zone block for the domain in question in the master and slave
> servers' /etc/named.conf:
> 
> Master (10.20.0.110):
> 
> zone "my.domain" in {
>         type master;
>         file "db.my.domain";
>         allow-transfer {
>                 10.20.0.100/32;
>                 10.20.0.101/32;
>         };
>         allow-update {
>                 key "xcat_key";
>         };
>         notify yes;
>         also-notify {10.20.0.100; 10.20.0.101;};
> };
> 
> Slave #2 (10.20.0.101):
> 
> zone "my.domain" in {
>         type slave;
>         file "slaves/db.my.domain";
>         masters {10.20.0.110;};
> };
> 
> There are no complaints about Slave #1 in the master's log, though it is
> basically a clone of Slave #2. They provide name resolution for a compute
> cluster and the cluster nodes point to both of them in their resolv.conf
> but in alternating order for load balancing purposes. Is there a way that I
> can get more detail of what specifically the DNS slave server is trying to
> update the master with (maybe via more verbose output on the slave itself)?
> 
> Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
> Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6
> 
> Thanks,
> Josh
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org