Security logging oddity

Robert Zilbauer zilbauer at slappy.org
Fri Apr 7 01:18:31 UTC 2006


I'm running BIND 9.3.2 and am having trouble understanding why some 
denied queries are logged while others are not. I did a bunch of 
searching around about it, but came up empty. Maybe someone here could 
help? I'd be more than happy to RTFM if someone could point me to the 
right FM to R. ;-)

Here's the deal. A BIND 9.3.2 server that's been locked down and doesn't 
allow strangers to do recursive queries. All queries from external 
sources *are* denied, no problems there. 

Example #1 --
  hastur log # host m1.2mdn.net aaa.bbb.ccc.80
  Using domain server:
  Name: aaa.bbb.ccc.80
  Address: aaa.bbb.ccc.80#53
  Aliases: 

  Host m1.2mdn.net not found: 5(REFUSED)

Example #2 --
  hastur log # host www.slappy.org aaa.bbb.ccc.80
  Using domain server:
  Name: aaa.bbb.ccc.80
  Address: aaa.bbb.ccc.80#53
  Aliases: 

  Host www.slappy.org not found: 5(REFUSED)

However, even with logging turned up to debug 3 or 4, only Example #1 
comes back with a "denied" log entry: 

06-Apr-2006 16:19:26.405 queries: info: client xx.yy.zz.33#64531: view 
external-in: query: m1.2mdn.net IN A +
06-Apr-2006 16:19:26.405 security: info: client xx.yy.zz.33#64531: view 
external-in: query 'm1.2mdn.net/A/IN' denied

Example #2 only results in a log entry of: 

06-Apr-2006 16:28:26.102 queries: info: client xx.yy.zz.33#64543: view 
external-in: query: www.slappy.org IN A +

No explicit "denied" message in the logs.

I'd like to see "denied" logging for all denied queries. Perhaps someone 
could give me a shove in the right direction?

Thanks.

-- 
The Sun,  with all  the planets  revolving  around  it,  and 
depending on it, can still ripen a bunch of grapes as though 
it had nothing else in the Universe to do.
                             -- Galileo Galilei, 1564 - 1642
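
The gap described in the post can be found mechanically by pairing each "queries" entry with a "security ... denied" entry from the same client and source port. The script below is an added example, not part of the original post and not BIND code; the function name is hypothetical, the log lines are the ones quoted above with the e-mail wrapping removed, and it assumes (as the post states) that every query arriving in the external view is refused.

```python
import re
from collections import defaultdict

# Log lines from the post above, with the e-mail line wrapping removed.
SAMPLE_LOG = """\
06-Apr-2006 16:19:26.405 queries: info: client xx.yy.zz.33#64531: view external-in: query: m1.2mdn.net IN A +
06-Apr-2006 16:19:26.405 security: info: client xx.yy.zz.33#64531: view external-in: query 'm1.2mdn.net/A/IN' denied
06-Apr-2006 16:28:26.102 queries: info: client xx.yy.zz.33#64543: view external-in: query: www.slappy.org IN A +
"""

# Common prefix: timestamp, category, severity, client addr#port, view name.
PREFIX = (r"^(?P<ts>\S+ \S+) (?P<cat>queries|security): \w+: "
          r"client (?P<client>\S+?): view (?P<view>[^:]+): ")
QUERY_RE = re.compile(PREFIX + r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)")
DENIED_RE = re.compile(
    PREFIX + r"query '(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<cls>[^/']+)' denied")

def _key(m):
    # The client field includes the source port, so one key is one lookup.
    return (m["client"], m["view"], m["name"].lower().rstrip("."),
            m["type"], m["cls"])

def queries_without_denied(log_text, view="external-in"):
    """Return (timestamp, client, name, type) for each query logged in `view`
    that has no matching 'denied' entry in the security category."""
    denied = defaultdict(int)
    queries = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            denied[_key(m)] += 1
            continue
        m = QUERY_RE.match(line)
        if m and m["view"] == view:
            queries.append((m["ts"], _key(m)))
    unmatched = []
    for ts, key in queries:
        if denied[key] > 0:
            denied[key] -= 1      # consume one denial per query
        else:
            unmatched.append((ts, key[0], key[2], key[3]))
    return unmatched

if __name__ == "__main__":
    for row in queries_without_denied(SAMPLE_LOG):
        print("no 'denied' entry for:", *row)
```

Run against the two examples from the post, it reports only the www.slappy.org query as lacking a "denied" entry.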


