On Feb 14 2011, Chris Buxton wrote:
> On Feb 14, 2011, at 6:31 AM, Chris Thompson wrote:
>> We are running BIND 9.7.2-P3, and update our zones with nsupdate calls
>> that look like this:
>>
>>   nsupdate -v -k keys/update-key <[input] >/dev/null 2>[errors]
>>
>> This is run from a Solaris 10_x86 non-global "zone" (container).
>> On a couple of occasions it has generated the error
>>
>>   dns_dispatch_getudp (v4): permission denied
>>
>> This seems to strike at random, and goes away on retrying the same
>> nsupdate call. What's really strange here is that nsupdate is being
>> told to use TCP (the -v option), so why is it messing around with UDP?
>> Has anyone else seen this?
>
> I haven't seen it specifically, but:
>
> - nsupdate might be sending a query (over UDP) to fill in missing info,
>   such as the zone or server to update.

The zone is given explicitly, the server by absolute name. It might be
looking up the IP address of the server, I suppose.

> - Your Solaris container might be the problem. I've heard of problems
>   running named in a container, typically performance problems but this
>   type of behavior might explain a performance issue.

The container doing the nsupdate isn't actually the one running the
nameserver, although that is in fact also in a container. We haven't
had performance problems with the nameservers doing this (although they
are not very heavily loaded).
I should emphasize that this is a low-frequency effect - I estimate
something like 0.2%. It would be easier to track down if it were more
frequent!
--
Chris Thompson
Email: c...@cam.ac.uk