Denied Update Messages On Secondary Servers

Cricket Liu cricket at nxdomain.com
Tue Jul 17 16:53:40 UTC 2001


> I have logging configured on my secondaries such that any unapproved
> updates, etc are written to a log file.  I've noticed that a lot of denied
> from IP for zone type messages on each of my secondaries.  What I don't
> understand is why I'm seeing them on my secondaries since the clients should
> be going to the primary to try and update.  When I look on my primary I
> don't see most of the offending IP's being logged there which I would expect
> since I have ACL's setup for W2K boxes, etc to allow them to update specific
> zones.  If someone can shed some light as to why I'm seeing these messages
> on my secondary I would appreciate it.  Probably something relatively
> obvious but escaping me at the moment.

Do you have the primary master name server's domain name
in the MNAME field of the SOA records for these zones?
Many clients will send a dynamic update to the name servers
named in the MNAME field first, assuming it's probably the
primary master name server, as long as that name server is
also in the list of NS records for the zone.  If the MNAME
field doesn't contain one of the name servers in the NS records,
though, some clients only use the NS records.

cricket
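
A check for the situation described in the reply above, as an added example that is not part of the original message: it reads a zone's SOA MNAME and NS records and lists which servers other than the real primary clients may send dynamic updates to first. The zone data, the example.com names and the function names are constructed for illustration.

```python
# Constructed sample zone data, one record per line (not from the original post).
ZONE_BAD = """\
example.com. 3600 IN SOA ns2.example.com. hostmaster.example.com. 2001071701 10800 3600 604800 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
"""
ZONE_GOOD = ZONE_BAD.replace("SOA ns2.", "SOA ns1.")       # MNAME is the primary
ZONE_HIDDEN = ZONE_BAD.replace("SOA ns2.", "SOA hidden.")  # MNAME not in NS set


def norm(name):
    """Lower-case a domain name and drop the trailing dot for comparison."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Return (mname, ns_names) from 'owner ttl IN type rdata' lines."""
    mname, ns_names = None, []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        rtype = fields[3].upper()
        if rtype == "SOA":
            mname = norm(fields[4])      # first SOA rdata field is MNAME
        elif rtype == "NS":
            ns_names.append(norm(fields[4]))
    return mname, ns_names


def first_update_targets(mname, ns_names):
    """Servers a client may try first, per the behaviour described in the reply."""
    if mname in ns_names:
        return [mname]       # MNAME is also an NS: many clients go there first
    return list(ns_names)    # otherwise some clients only use the NS records


def secondaries_receiving_updates(zone_text, primary):
    """Servers other than the real primary that clients may update first."""
    mname, ns_names = parse_zone(zone_text)
    targets = first_update_targets(mname, ns_names)
    return [s for s in targets if s != norm(primary)]


if __name__ == "__main__":
    zones = (("bad", ZONE_BAD), ("good", ZONE_GOOD), ("hidden", ZONE_HIDDEN))
    for label, zone in zones:
        print(label, secondaries_receiving_updates(zone, "ns1.example.com."))
```

An empty list means clients following this behaviour reach the primary first; any name in the list is a secondary that can be expected to log denied updates.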


