Denied Update Errors on Secondary Servers

Cricket Liu cricket at nxdomain.com
Tue Aug 28 17:02:06 UTC 2001


> I would expect anyone outside our network not to get a response from Dallas
> since we aren't allowing external queries against it.  Our 3 secondaries are
> what we have available for anyone to query against, etc. and what we have
> registered with Network Solutions. Internal clients can query with no
> problems.  Our primary is a third party DNS server that we really don't want
> our clients querying against directly anyhow. Instead we want them to go to
> our secondaries which they are.  Hopefully this sheds a little more light.
> BIND 9 is in the works and is something we're very much looking forward to.

If you really don't want anyone querying it, you shouldn't list
dallas.jhuapl.edu in your zones' NS records:

% dig @apldns1.jhuapl.edu. ns 244.128.in-addr.arpa.

; <<>> DiG 8.3 <<>> @apldns1.jhuapl.edu. ns 244.128.in-addr.arpa.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; QUERY SECTION:
;;      244.128.in-addr.arpa, type = NS, class = IN

;; ANSWER SECTION:
244.128.in-addr.arpa.   1D IN NS        dallas.jhuapl.edu.
244.128.in-addr.arpa.   1D IN NS        apldns1.jhuapl.edu.
244.128.in-addr.arpa.   1D IN NS        apldns2.jhuapl.edu.
244.128.in-addr.arpa.   1D IN NS        apldns3.jhuapl.edu.

The first query to a 244.128.in-addr.arpa name server will follow the
delegation from the in-addr.arpa name servers, which only includes
apldns[123].jhuapl.edu. But successive queries will use any of the four.

cricket
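
Added example (not part of the original message): a Python check that compares the NS set a zone publishes at its apex with the NS set in the parent delegation, and reports servers that appear only at the apex, which is the situation described above for dallas.jhuapl.edu. The apex sample is the ANSWER SECTION from the message; the delegation sample is constructed from the message's statement that the delegation lists only apldns[123].jhuapl.edu; `parse_ns` and `compare_ns` are illustrative names.

```python
# Apex NS set: the ANSWER SECTION quoted in the message above.
APEX_ANSWER = """\
;; ANSWER SECTION:
244.128.in-addr.arpa.   1D IN NS        dallas.jhuapl.edu.
244.128.in-addr.arpa.   1D IN NS        apldns1.jhuapl.edu.
244.128.in-addr.arpa.   1D IN NS        apldns2.jhuapl.edu.
244.128.in-addr.arpa.   1D IN NS        apldns3.jhuapl.edu.
"""

# Constructed sample: delegation as the message describes it
# (only apldns1-3); the TTL shown here is an assumption.
PARENT_DELEGATION = """\
;; AUTHORITY SECTION:
244.128.in-addr.arpa.   1D IN NS        apldns1.jhuapl.edu.
244.128.in-addr.arpa.   1D IN NS        apldns2.jhuapl.edu.
244.128.in-addr.arpa.   1D IN NS        apldns3.jhuapl.edu.
"""


def parse_ns(dig_text, zone):
    """Return the set of NS targets for `zone` found in dig-style output."""
    zone = zone.rstrip(".").lower()
    servers = set()
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment/header lines
        fields = line.split()
        # Record layout: owner [ttl] [class] NS target
        if len(fields) >= 3 and fields[-2].upper() == "NS":
            if fields[0].rstrip(".").lower() == zone:
                servers.add(fields[-1].rstrip(".").lower())
    return servers


def compare_ns(parent_text, apex_text, zone):
    """Compare the delegation NS set with the zone's own NS set."""
    parent = parse_ns(parent_text, zone)
    apex = parse_ns(apex_text, zone)
    return {
        "apex_only": sorted(apex - parent),    # learned only after the first query
        "parent_only": sorted(parent - apex),  # delegated but not listed by the zone
        "consistent": parent == apex,
    }


if __name__ == "__main__":
    print(compare_ns(PARENT_DELEGATION, APEX_ANSWER, "244.128.in-addr.arpa."))
```

Any name in `apex_only` is a server that resolvers will start querying once they have cached the zone's own NS records, so it must either answer external queries or be removed from the NS set.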


