Logging question about message 'update-security: error: client update denied'

Mon May 16 23:03:17 UTC 2016

Thank you for the response Mark. I'm still a little confused at what this
might mean though. Clearly the originating address is my slave DNS server
(every single one of the messages say "error: client 10.20.0.101").

Are you saying that some process other than named on the same server
(10.20.0.101) is responsible for these messages (and is there a 'for
instance' of what could do such a thing?), or that somehow other hosts are
relaying their update requests (again: from what possible processes?)
through my slave dns server? What can I look for to figure this out on my
network?

Thanks in advance for any clarifications.

-Josh

On Mon, May 16, 2016 at 4:24 PM, Mark Andrews <marka at isc.org> wrote:

>
> In message <CANX+b1K5Z28oqVnb7=
> FxWGrHL5YSsg0Ear_fnnpYuDzJcDywNQ at mail.gmail.com>, Josh Nielsen writes:
> > Hello,
> >
> > I have a message that has been showing up in my master DNS server's log
> > over the past few weeks and I am wondering if I can find more verbose
> > specifics from debugging messages in BIND somehow.
> >
> > The messsage looks like this:
> >
> > May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
> > update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
> > denied
>
> It a UPDATE request being denied.  It will be some process other
> than named sending the request unless you have configured named to
> forward updates.
>
> In the best of worlds every machine would be updating its own PTR
> records and keep its own addresses in the DNS up to date.
>
> Mark
>
> > The frequency of the messages is sporadic. Sometime two or three time in
> an
> > hour, sometimes once each hour, sometimes 2-3 hours go by before I see
> one,
> > but I get multiple a day.
> >
> > I take it that this means that for some reason the slave is trying to
> > update the master with some entry, even though I haven't explicitly set
> up
> > my slave server to be capable of doing so (that I know of). I intended to
> > have the slaves only receive changes coming down from the master but not
> to
> > try pushing changes up.
> >
> > Here is the zone block for the domain in question in the master and slave
> > servers' /etc/named.conf:
> >
> > Master (10.20.0.110):
> >
> > zone "my.domain" in {
> >         type master;
> >         file "db.my.domain";
> >         allow-transfer {
> >                 10.20.0.100/32;
> >                 10.20.0.101/32;
> >         };
> >         allow-update {
> >                 key "xcat_key";
> >         };
> >         notify yes;
> >         also-notify {10.20.0.100; 10.20.0.101;};
> > };
> >
> > Slave #2 (10.20.0.101):
> >
> > zone "my.domain" in {
> >         type slave;
> >         file "slaves/db.my.domain";
> >         masters {10.20.0.110;};
> > };
> >
> > There are no complaints about Slave #1 in the master's log, though it is
> > basically a clone of Slave #2. They provide name resolution for a compute
> > cluster and the cluster nodes point to both of them in their resolv.conf
> > but in alternating order for load balancing purposes. Is there a way
> that I
> > can get more detail of what specifically the DNS slave server is trying
> to
> > update the master with (maybe via more verbose output on the slave
> itself)?
> >
> > Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
> > Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6
> >
> > Thanks,
> > Josh
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160516/fa133df6/attachment.html>