BIND 8.2.3 "update failed" messages

Mark.Andrews at nominum.com
Thu Mar 15 23:13:05 UTC 2001


> "David G. Humes" <david.humes at jhuapl.edu> wrote:
> 
> > I just set up a new BIND 8.2.3-REL slave and have been getting the
> > following messages in named.run if I turn on debugging:
> >
> > 12-Mar-2001 16:19:41.856 debug 1: update failed _tcp.xyz.edu 2
> > 12-Mar-2001 16:19:44.090 debug 1: update failed _udp.xyz.edu 2
> > 12-Mar-2001 16:19:47.554 debug 1: update failed ssd.xyz.edu 2
> > 12-Mar-2001 16:19:56.972 debug 1: update failed aplsrv.xyz.edu 2
> > 12-Mar-2001 16:20:10.732 debug 1: update failed _sites.xyz.edu 2
> > 12-Mar-2001 16:21:56.974 debug 1: update failed _msdcs.xyz.edu 2
> >
> > The one thing in common with each of these zones is that they are
> > dynamic zones set up to support updates from DHCP.  But then we have
> > some other dynamic zones that are not logging errors.  All the zone
> > files seem to be up to date, but these messages are persistent.  Any
> > ideas?
> 
> > The slave that's logging these errors is a nonproduction server, BIND
> > 8.2.3-REL on Solaris 2.6.  It's just a test box, so none of our systems
> > "should" have it listed as a server.  So I don't think the Win2K Domain
> > Controllers should be hitting on it.  Also, since it's a slave, wouldn't
> > you expect to see the "unapproved update" messages on the primary server
> > rather
> > than a slave?  It was my understanding that a slave just passes an update
> > request to the primary without attempting to decide if the client is
> > approved to make an update.
> 
> The Win2k code will look up the SOA for the zone to be updated, and it
> will extract the name of the master DNS from that SOA.  It will then
> send DDNS packets to that master DNS.  In your example above, what is
> in the SOA for the four "_" zones
> 
>      _msdcs.xyz.edu
>      _sites.xyz.edu
>      _tcp.xyz.edu
>      _udp.xyz.edu
> 
> as the master DNS?  If W2k DHCP is sending DDNS update packets to a
> slave server, then I consider this a bug.  I would like to see a
> trace of the DNS traffic between the DHCP server and any DNS server it
> is querying.

	It is not a bug but a design feature to enable DDNS to work
	with stealth masters living behind firewalls.

	Updates should always be sent to a listed nameserver.  If the
	origin also happens to be a nameserver then it will be tried
	first.

	Mark
> 
> I have gotten one trace of DDNS activity between a Win2k DHCP server
> and the master server for the zone.  The pre-req sections in the DDNS
> packets don't match the pre-req sections sent by a Win2k self 
> registration, but they do not have to match.  I find fault with both
> sets of pre-req sections, but there is no major error with the pre-req
> logic.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
> Building 221, Room B236              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4844             IBMMAIL:  I1004994
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
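
The target-selection rule stated in the reply above (updates go only to listed nameservers, with the SOA origin tried first when it is itself listed), as an added example that is not part of the original message or of BIND's code. The zone names, server names and function names are constructed for illustration.

```python
def norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.rstrip(".").lower()


def update_targets(soa_mname, ns_names):
    """Return the listed nameservers in the order an updater should try them.

    Only servers in the zone's NS set are returned. If the SOA origin
    (MNAME) is in that set it is moved to the front; an origin that is
    not listed (a stealth master) is never contacted directly.
    """
    origin = norm(soa_mname)
    ordered = []
    for ns in ns_names:
        n = norm(ns)
        if n not in ordered:          # drop duplicates, keep zone order
            ordered.append(n)
    if origin in ordered:
        ordered.remove(origin)
        ordered.insert(0, origin)
    return ordered


def plan(zones):
    """Build the try-order for each zone and flag stealth-master zones."""
    result = {}
    for zone, data in zones.items():
        targets = update_targets(data["mname"], data["ns"])
        result[zone] = {
            "try": targets,
            # True when the SOA origin is not a listed nameserver, so the
            # update must reach it by way of a listed server.
            "stealth_master": norm(data["mname"]) not in targets,
        }
    return result


# Constructed sample data (hypothetical names, not taken from the thread).
ZONES = {
    "dyn1.example.edu": {"mname": "NS1.Example.EDU.",
                         "ns": ["ns2.example.edu.", "ns1.example.edu."]},
    "dyn2.example.edu": {"mname": "hidden.example.edu.",
                         "ns": ["ns1.example.edu.", "ns2.example.edu."]},
}

if __name__ == "__main__":
    for zone, info in plan(ZONES).items():
        print(zone, info)
```

In the second constructed zone the SOA origin is not in the NS set, so every target is a listed server and the update has to be relayed from there, which is the stealth-master case the reply describes.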


More information about the bind-users mailing list