
meaning of "update forwarding xxx denied"?


Mike Diggins

Aug 28, 2008, 7:11:59 PM

I updated my secondary name server from BIND 9.3.5P1 to 9.4.2P2 (Solaris)
earlier this week without any problems. Today I updated the primary. All
is working, but I'm now logging these messages:

Aug 28 19:04:11 ns1 named[12157]: [ID 873579 local4.error] client
172.26.20.34#53281: update forwarding 'xxx.mcmaster.ca/IN' denied

This was not happening prior to the upgrade. I assume this is an attempted
dynamic update? I'm not sure what the 'forwarding' part means. I also
don't know why it's now logging these messages, when I have:

category "update" { "null"; };

in my named.conf. This used to suppress these messages (failed dynamic
updates anyway) - or is this something different? And why don't I see any
of these messages logged on the secondary?

BTW, we don't allow any sort of dynamic updates, but I understand that
Windows likes to try anyway. Some clarification would be appreciated.

-Mike

Ben Croswell

Aug 28, 2008, 7:43:48 PM
Update forwarding, as I understand it, is mainly used in a stealth master
configuration. Rather than have DDNS updates go to the stealth master it
goes to a given DNS server and then that server is configured to forward the
updates to the stealth master. That way the general populace doesn't need
to talk to your stealth master.


--
-Ben Croswell

Kevin Darcy

Aug 28, 2008, 8:04:13 PM
It can also happen if the primary master is unavailable or the update
merely times out.


- Kevin

Mike Diggins

Aug 28, 2008, 8:31:31 PM

ok, I suppose that's what I have, a stealth master. My master is hidden
and only feeds the two slaves (what I called my primary and secondary). My
clients don't (can't) talk directly to the master. So assuming this is
expected behavior, can I somehow turn this off at the server end or
disable the logging of that message through the BIND configuration? What
changed in BIND 9.4 that I'm now seeing this? I should add that it's
impossible to stop my clients from trying to dynamic update.

-Mike

> --
> -Ben Croswell


_________________________________________

Mike Diggins Voice: 905.525.9140 Ext. 27471
Network Analyst, Enterprise Networks FAX: 905.528.3773
University Technology Services E-Mail: dig...@mcmaster.ca
McMaster University, Hamilton, Ontario

Mark Andrews

Aug 28, 2008, 8:45:55 PM

> It can also happen if the primary master is unavailable or the update
> merely times out.

No. The message is a result of ACL processing.

> - Kevin


>
> Ben Croswell wrote:
> > Update forwarding, as I understand it, is mainly used in a stealth master
> > configuration. Rather than have DDNS updates go to the stealth master it
> > goes to a given DNS server and then that server is configured to forward the
> > updates to the stealth master. That way the general populace doesn't need
> > to talk to your stealth master.
> >
> > On Thu, Aug 28, 2008 at 7:11 PM, Mike Diggins <dig...@mcmaster.ca> wrote:
> >
> >
> >> I updated my secondary name server from BIND 9.3.5P1 to 9.4.2P2 (Solaris)
> >> earlier this week without any problems. Today I updated the primary. All
> >> is working, but I'm now logging these messages:
> >>
> >> Aug 28 19:04:11 ns1 named[12157]: [ID 873579 local4.error] client
> >> 172.26.20.34#53281: update forwarding 'xxx.mcmaster.ca/IN' denied
> >>
> >> This was not happening prior to the upgrade. I assume this is an attempted
> >> dynamic update? I'm not sure what the 'forwarding' part means. I also
> >> don't know why it's now logging these messages, when I have:
> >>
> >> category "update" { "null"; };

Did you read CHANGES?

1301. [func] New category 'update-security'.

> >> in my named.conf. This used to suppress these messages (failed dynamic
> >> updates anyway) - or is this something different? And why don't I see any
> >> of these messages logged on the secondary?
> >>
> >> BTW, we don't allow any sort of dynamic updates, but I understand that
> >> Windows likes to try anyway. Some clarification would be appreciated.
> >>
> >> -Mike
--

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
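
The logging change that CHANGES entry 1301 implies, as an added example that is not part of the original thread or of ISC's documentation: a constructed named.conf fragment in which the existing "update" line is kept and the new "update-security" category gets its own entry. The channel name update_denied and the log file path are assumptions.

```conf
// Constructed named.conf fragment; channel name and file path are assumptions.
logging {
    // Setup from the thread: this silences the "update" category only.
    category update { null; };

    // From BIND 9.4 on, approval and denial of update requests (including
    // "update forwarding ... denied") is logged under the separate
    // "update-security" category, so the line above no longer covers it.

    // Option A: discard these messages, matching the pre-9.4 behaviour.
    // category update-security { null; };

    // Option B: keep the denials for later review, but send them to their
    // own file instead of the main syslog stream.
    channel update_denied {
        file "/var/log/named/update-denied.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category update-security { update_denied; };
};
```

Use either option A or option B, not both, and check the result with named-checkconf before reloading.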

Kevin Darcy

Aug 28, 2008, 8:59:37 PM
What I mean is, the Dynamic Update might have been sent to a slave
because the client failed over after trying to update the primary master.

This was in response to "... mainly used in a stealth master
configuration". Sometimes it's a failover scenario instead of intended
behavior.


- Kevin

Mike Diggins

Aug 28, 2008, 9:51:04 PM

On Fri, 29 Aug 2008, Mark Andrews wrote:

>
>> It can also happen if the primary master is unavailable or the update
>> merely times out.
>
> No. The message is a result of ACL processing.
>
>> - Kevin
>>
>> Ben Croswell wrote:
>>> Update forwarding, as I understand it, is mainly used in a stealth master
>>> configuration. Rather than have DDNS updates go to the stealth master it
>>> goes to a given DNS server and then that server is configured to forward the
>>> updates to the stealth master. That way the general populace doesn't need
>>> to talk to your stealth master.
>>>
>>> On Thu, Aug 28, 2008 at 7:11 PM, Mike Diggins <dig...@mcmaster.ca> wrote:
>>>
>>>
>>>> I updated my secondary name server from BIND 9.3.5P1 to 9.4.2P2 (Solaris)
>>>> earlier this week without any problems. Today I updated the primary. All
>>>> is working, but I'm now logging these messages:
>>>>
>>>> Aug 28 19:04:11 ns1 named[12157]: [ID 873579 local4.error] client
>>>> 172.26.20.34#53281: update forwarding 'xxx.mcmaster.ca/IN' denied
>>>>
>>>> This was not happening prior to the upgrade. I assume this is an attempted
>>>> dynamic update? I'm not sure what the 'forwarding' part means. I also
>>>> don't know why it's now logging these messages, when I have:
>>>>
>>>> category "update" { "null"; };
>
> Did you read CHANGES?
>
> 1301. [func] New category 'update-security'.


oops, I guess I missed that. Thanks!

-Mike

