
Logging question about message 'update-security: error: client update denied'


Josh Nielsen

May 16, 2016, 4:34:12 PM5/16/16
to bind-...@lists.isc.org
Hello,

I have a message that has been showing up in my master DNS server's log over the past few weeks and I am wondering if I can find more verbose specifics from debugging messages in BIND somehow.

The message looks like this:

May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844 update-security: error: client 10.20.0.101#34148: update 'my.domain/IN' denied

The frequency of the messages is sporadic. Sometimes two or three times in an hour, sometimes once each hour, sometimes 2-3 hours go by before I see one, but I get multiple a day.

I take it that this means that for some reason the slave is trying to update the master with some entry, even though I haven't explicitly set up my slave server to be capable of doing so (that I know of). I intended to have the slaves only receive changes coming down from the master but not to try pushing changes up. 

Here is the zone block for the domain in question in the master and slave servers' /etc/named.conf:

Master (10.20.0.110):

zone "my.domain" in {
        type master;
        file "db.my.domain";
        allow-transfer {
                10.20.0.100/32;
                10.20.0.101/32;
        };
        allow-update {
                key "xcat_key";
        };
        notify yes;
        also-notify {10.20.0.100; 10.20.0.101;};
};

Slave #2 (10.20.0.101):

zone "my.domain" in {
        type slave;
        file "slaves/db.my.domain";
        masters {10.20.0.110;};
};

There are no complaints about Slave #1 in the master's log, though it is basically a clone of Slave #2. They provide name resolution for a compute cluster and the cluster nodes point to both of them in their resolv.conf but in alternating order for load balancing purposes. Is there a way that I can get more detail of what specifically the DNS slave server is trying to update the master with (maybe via more verbose output on the slave itself)?

Master BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Slave BIND version: BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6

Thanks,
Josh
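As an added example (not code from the thread or from BIND), a small Python parser for the `update-security: error: ... denied` lines quoted above: it groups denied UPDATEs by client address and zone, reports the count and the longest gap between attempts, and flags any client that is not in an assumed list of hosts you expect to send updates (the `expected_updaters` parameter and the sample log lines are constructed for illustration).

```python
# Added example: summarise denied dynamic UPDATE attempts from named's log.
# The log lines below are constructed to match the format quoted in the post.
import re
from collections import defaultdict
from datetime import datetime

DENIED_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"update-security: error: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied"
)

SAMPLE_LOG = """\
May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844 update-security: error: client 10.20.0.101#34148: update 'my.domain/IN' denied
May 16 10:53:40 dns01 named[2591]: 16-May-2016 10:53:40.102 update-security: error: client 10.20.0.101#34150: update 'my.domain/IN' denied
May 16 11:10:02 dns01 named[2591]: 16-May-2016 11:10:02.517 general: info: unrelated line, must be ignored
May 16 13:05:09 dns01 named[2591]: 16-May-2016 13:05:09.003 update-security: error: client 10.20.0.101#34199: update 'my.domain/IN' denied
May 16 13:05:10 dns01 named[2591]: 16-May-2016 13:05:10.221 update-security: error: client 10.20.0.57#51022: update '20.10.in-addr.arpa/IN' denied
"""

def parse_denials(log_text):
    """Return {(client_ip, zone): [datetime, ...]} for every denied UPDATE line."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # not an update-security denial
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        hits[(m.group("ip"), m.group("zone"))].append(ts)
    return dict(hits)

def summarize(hits, expected_updaters=frozenset()):
    """Per (client, zone): attempt count, longest gap in seconds, and whether
    the client is outside the set of hosts expected to send updates (assumed)."""
    report = {}
    for (ip, zone), times in hits.items():
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[(ip, zone)] = {
            "count": len(times),
            "max_gap_s": max(gaps) if gaps else 0.0,
            "unexpected": ip not in expected_updaters,
        }
    return report

if __name__ == "__main__":
    # Assumed: only the master itself (10.20.0.110) is an expected updater.
    for key, info in summarize(parse_denials(SAMPLE_LOG), {"10.20.0.110"}).items():
        print(key, info)
```

Feed it `grep update-security /var/log/messages` output (or the named log file) to see which hosts keep trying and whether the attempts cluster around, for example, DHCP lease renewals.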

Mark Andrews

May 16, 2016, 5:24:18 PM5/16/16
to Josh Nielsen, bind-...@isc.org

In message <CANX+b1K5Z28oqVnb7=FxWGrHL5YSsg0Ear...@mail.gmail.com>, Josh Nielsen writes:
> Hello,
>
> I have a message that has been showing up in my master DNS server's log
> over the past few weeks and I am wondering if I can find more verbose
> specifics from debugging messages in BIND somehow.
>
> The message looks like this:
>
> May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
> update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
> denied

It's an UPDATE request being denied. It will be some process other
than named sending the request unless you have configured named to
forward updates.

In the best of worlds every machine would be updating its own PTR
records and keep its own addresses in the DNS up to date.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Josh Nielsen

May 16, 2016, 7:03:24 PM5/16/16
to Mark Andrews, bind-...@isc.org
Thank you for the response Mark. I'm still a little confused at what this might mean though. Clearly the originating address is my slave DNS server (every single one of the messages say "error: client 10.20.0.101").

Are you saying that some process other than named on the same server (10.20.0.101) is responsible for these messages (and is there a 'for instance' of what could do such a thing?), or that somehow other hosts are relaying their update requests (again: from what possible processes?) through my slave dns server? What can I look for to figure this out on my network?

Thanks in advance for any clarifications.

-Josh

Josh Nielsen

May 16, 2016, 7:08:27 PM5/16/16
to Mark Andrews, bind-...@isc.org
Could it maybe be dhcp related?

Matthew Pounsett

May 16, 2016, 7:09:03 PM5/16/16
to Josh Nielsen, bind-...@isc.org
On 16 May 2016 at 19:03, Josh Nielsen <jnie...@hudsonalpha.org> wrote:
Thank you for the response Mark. I'm still a little confused at what this might mean though. Clearly the originating address is my slave DNS server (every single one of the messages say "error: client 10.20.0.101").

Are you saying that some process other than named on the same server (10.20.0.101) is responsible for these messages (and is there a 'for instance' of what could do such a thing?), or that somehow other hosts are relaying their update requests (again: from what possible processes?) through my slave dns server? What can I look for to figure this out on my network?

Your DHCP daemon would be one thing that could be generating those messages.  Often it's configured to update the DNS with the addresses it's handing out (either forward, reverse, or both).

Matus UHLAR - fantomas

May 17, 2016, 4:49:42 AM5/17/16
to bind-...@lists.isc.org
>In message <CANX+b1K5Z28oqVnb7=FxWGrHL5YSsg0Ear...@mail.gmail.com>, Josh Nielsen writes:
>> I have a message that has been showing up in my master DNS server's log
>> over the past few weeks and I am wondering if I can find more verbose
>> specifics from debugging messages in BIND somehow.
>>
>> The message looks like this:
>>
>> May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844
>> update-security: error: client 10.20.0.101#34148: update 'my.domain/IN'
>> denied

On 17.05.16 07:24, Mark Andrews wrote:
>It's an UPDATE request being denied. It will be some process other
>than named sending the request unless you have configured named to
>forward updates.
>
>In the best of worlds every machine would be updating its own PTR
>records and keep its own addresses in the DNS up to date.

Depends on the idealness of the world, but I personally don't like allowing
clients to update their DNS records; IMHO the DHCP server should do those
changes if it assigns the client an IP address.

>> Master (10.20.0.110):
>>
>> zone "my.domain" in {
>> type master;
>> file "db.my.domain";
>> allow-transfer {
>> 10.20.0.100/32;
>> 10.20.0.101/32;
>> };
>> allow-update {
>> key "xcat_key";
>> };
>> notify yes;
>> also-notify {10.20.0.100; 10.20.0.101;};
>> };

apparently the client who asks for update does not know the "xcat_key".

...many Windows machines tend to register their name in DNS (it's
on by default in network settings).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Josh Nielsen

May 17, 2016, 12:17:23 PM5/17/16
to Matthew Pounsett, bind-...@isc.org
Okay, yeah I am running DHCP on the same server so I'll check its settings.

Thanks!