<div dir="ltr">Could it maybe be dhcp related?</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 16, 2016 at 6:03 PM, Josh Nielsen <span dir="ltr"><<a href="mailto:jnielsen@hudsonalpha.org" target="_blank">jnielsen@hudsonalpha.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thank you for the response Mark. I'm still a little confused at what this might mean though. Clearly the originating address is my slave DNS server (every single one of the messages say "<span style="font-size:12.8px">error: client 10.20.0.101")</span>. <br><br>Are you saying that some process other than named on the same server (10.20.0.101) is responsible for these messages (and is there a 'for instance' of what could do such a thing?), or that somehow other hosts are relaying their update requests (again: from what possible processes?) through my slave dns server? What can I look for to figure this out on my network?<br><br>Thanks in advance for any clarifications.<br><br>-Josh<div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 16, 2016 at 4:24 PM, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
In message &lt;CANX+b1K5Z28oqVnb7=FxWGrHL5YSsg0Ear_fnnpYuDzJcDywNQ@mail.gmail.com&gt;, Josh Nielsen writes:<br>
> Hello,<br>
><br>
> I have a message that has been showing up in my master DNS server's log<br>
> over the past few weeks and I am wondering if I can find more verbose<br>
> specifics from debugging messages in BIND somehow.<br>
><br>
> The message looks like this:<br>
><br>
> May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844<br>
> update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'<br>
> denied<br>
<br>
It is an UPDATE request being denied. It will be some process other<br>
than named sending the request unless you have configured named to<br>
forward updates.<br>
<br>
In the best of worlds every machine would be updating its own PTR<br>
records and keep its own addresses in the DNS up to date.<br>
<br>
Mark<br>
<br>
> The frequency of the messages is sporadic. Sometimes two or three times in an<br>
> hour, sometimes once each hour, sometimes 2-3 hours go by before I see one,<br>
> but I get multiple a day.<br>
><br>
> I take it that this means that for some reason the slave is trying to<br>
> update the master with some entry, even though I haven't explicitly set up<br>
> my slave server to be capable of doing so (that I know of). I intended to<br>
> have the slaves only receive changes coming down from the master but not to<br>
> try pushing changes up.<br>
><br>
> Here is the zone block for the domain in question in the master and slave<br>
> servers' /etc/named.conf:<br>
><br>
> Master (10.20.0.110):<br>
><br>
> zone "my.domain" in {<br>
> type master;<br>
> file "db.my.domain";<br>
> allow-transfer {<br>
> 10.20.0.100/32;<br>
> 10.20.0.101/32;<br>
> };<br>
> allow-update {<br>
> key "xcat_key";<br>
> };<br>
> notify yes;<br>
> also-notify {10.20.0.100; 10.20.0.101;};<br>
> };<br>
><br>
> Slave #2 (10.20.0.101):<br>
><br>
> zone "my.domain" in {<br>
> type slave;<br>
> file "slaves/db.my.domain";<br>
> masters {10.20.0.110;};<br>
> };<br>
><br>
> There are no complaints about Slave #1 in the master's log, though it is<br>
> basically a clone of Slave #2. They provide name resolution for a compute<br>
> cluster and the cluster nodes point to both of them in their resolv.conf<br>
> but in alternating order for load balancing purposes. Is there a way that I<br>
> can get more detail of what specifically the DNS slave server is trying to<br>
> update the master with (maybe via more verbose output on the slave itself)?<br>
><br>
> Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1<br>
> Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6<br>
><br>
> Thanks,<br>
> Josh<span class="HOEnZb"><font color="#888888"><br>
<span><font color="#888888">--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742" target="_blank">+61 2 9871 4742</a> INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
</font></span></font></span></blockquote></div><br></div></div>
</blockquote></div><br></div>
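<div dir="ltr">One way to start narrowing down the sender of the denied UPDATEs discussed in this thread, as an added example that is not part of the original messages: group the master's update-security denials by client and zone and look at how regularly they recur. The function name and the sample log lines are assumptions constructed for illustration, modelled on the log line quoted above.</div>

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the named "update-security" denial format quoted in the thread.
DENIED = re.compile(
    r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+\s+"
    r"update-security: error: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^'/]+)/(?P<cls>\w+)' denied"
)

# Constructed sample lines (not real log data), modelled on the quoted message.
SAMPLE_LOG = """\
May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844 update-security: error: client 10.20.0.101#34148: update 'my.domain/IN' denied
May 16 11:52:16 dns01 named[2591]: 16-May-2016 11:52:16.102 update-security: error: client 10.20.0.101#40112: update 'my.domain/IN' denied
May 16 11:58:03 dns01 named[2591]: 16-May-2016 11:58:03.310 general: info: zone my.domain/IN: sending notifies (serial 2016051601)
May 16 14:52:17 dns01 named[2591]: 16-May-2016 14:52:17.554 update-security: error: client 10.20.0.101#51877: update 'my.domain/IN' denied
"""

def summarize_denied_updates(log_text):
    """Group denied UPDATEs by (client IP, zone); report count and timing."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            seen[(m["ip"], m["zone"])].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            # A steady gap hints at a timer-driven sender (e.g. a lease renewal).
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for (ip, zone), info in summarize_denied_updates(SAMPLE_LOG).items():
        print(ip, zone, info["count"], info["first"], info["last"], info["median_gap_s"])
```

<div dir="ltr">The first and last timestamps per client give the window in which to check that host's own logs for whatever was running at those moments.</div>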