BIND 8.2.3 "update failed" messages
Mark.Andrews at nominum.com
Thu Mar 15 23:13:05 UTC 2001
> "David G. Humes" <david.humes at jhuapl.edu> wrote:
>
> > I just set up a new BIND 8.2.3-REL slave and have been getting the following
> > messages in named.run if I turn on debugging:
> >
> > 12-Mar-2001 16:19:41.856 debug 1: update failed _tcp.xyz.edu 2
> > 12-Mar-2001 16:19:44.090 debug 1: update failed _udp.xyz.edu 2
> > 12-Mar-2001 16:19:47.554 debug 1: update failed ssd.xyz.edu 2
> > 12-Mar-2001 16:19:56.972 debug 1: update failed aplsrv.xyz.edu 2
> > 12-Mar-2001 16:20:10.732 debug 1: update failed _sites.xyz.edu 2
> > 12-Mar-2001 16:21:56.974 debug 1: update failed _msdcs.xyz.edu 2
> >
> > The one thing in common with each of these zones is that they are dynamic
> > zones set up to support updates from DHCP. But then we have some other
> > dynamic zones that are not logging errors. All the zone files seem to be up
> > to date, but these messages are persistent. Any ideas?
>
> > The slave that's logging these errors is a nonproduction server, BIND
> > 8.2.3-REL on Solaris 2.6. It's just a test box, so none of our systems
> > "should" have it listed as a server. So I don't think the Win2K Domain
> > Controllers should be hitting on it. Also, since it's a slave, wouldn't you
> > expect to see the "unapproved update" messages on the primary server rather
> > than a slave? It was my understanding that a slave just passes an update
> > request to the primary without attempting to decide if the client is
> > approved to make an update.
>
> The Win2k code will lookup the SOA for the zone to be updated, and it
> will extract the name of the master DNS from that SOA. It will then
> send DDNS packets to that master DNS. In your example above, what is
> in the SOA for the four "_" zones
>
> _msdcs.xyz.edu
> _sites.xyz.edu
> _tcp.xyz.edu
> _udp.xyz.edu
>
> as the master DNS? If W2k DHCP is sending DDNS update packets to a
> slave server, then I consider this a bug. I would like to see a
> trace of the DNS traffic between the DHCP server and any DNS server it
> is querying.
It is not a bug but a design feature to enable DDNS to work
with stealth masters living behind firewalls.
Updates should always be sent to a listed nameserver. If the
origin also happens to be a nameserver then it will be tried
first.
Mark
>
> I have gotten one trace of DDNS activity between a Win2k DHCP server
> and the master server for the zone. The pre-req sections in the DDNS
> packets don't match the pre-req sections sent by a Win2k self
> registration, but they do not have to match. I find fault with both
> sets of pre-req sections, but there is no major error with the pre-req
> logic.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory Phone: +1 (630) 252-7277
> 9700 South Cass Avenue Facsimile:+1 (630) 252-9689
> Building 221, Room B236 Internet: BSFinkel at anl.gov
> Argonne, IL 60439-4844 IBMMAIL: I1004994
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
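
The target-selection rule stated in the reply above (only listed nameservers are tried, with the SOA origin first when it is itself listed), sketched as an added example; it is not code from BIND or from this thread. The host names are constructed and the function names are hypothetical.

```python
def normalize(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def update_targets(soa_mname, ns_names):
    """Return the servers to try for a dynamic update, in order.

    Only names in the zone's NS set are candidates. The SOA origin
    (MNAME) is moved to the front only when it is also a listed NS.
    """
    seen = set()
    listed = []
    for ns in ns_names:
        n = normalize(ns)
        if n and n not in seen:      # de-duplicate, keep NS order
            seen.add(n)
            listed.append(n)
    origin = normalize(soa_mname)
    if origin in seen:               # origin is a listed nameserver
        listed.remove(origin)
        listed.insert(0, origin)
    return listed


def origin_is_stealth(soa_mname, ns_names):
    """True when the origin is not in the NS set (a stealth master).

    In that case the update first reaches a listed server that is
    not the origin, which is why a slave can see update traffic.
    """
    return normalize(soa_mname) not in {normalize(n) for n in ns_names}


if __name__ == "__main__":
    # Constructed sample data: a visible master and a stealth master.
    ns_set = ["NS2.example.edu.", "ns1.example.edu.", "ns3.example.edu"]
    print(update_targets("ns1.example.edu.", ns_set))
    print(update_targets("hidden.example.edu.", ns_set))
    print(origin_is_stealth("hidden.example.edu.", ns_set))
```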