Hi,
Since I have seen this issue resolved nowhere within Google results, I
would like to post it here for future reference - its cause and how to
work around it.
Thanks to rwatson@ for his expertise.
This is what I have seen on my own system:
Nov 11 19:13:02 tarsier named[21464]: client 211.166.10.255#38500: error
sending response: permission denied
Which happens very frequently.
======
The cause:
Some other system on the same subnet produced a DNS query, claiming it
came from the IP broadcast address (either full 1's or full 0's from the
same subnet), and unicast it to the system running a DNS service.
named(8), in turn, attempts to respond to the DNS query. When sending out
the response packet, the destination IP address would be that IP
broadcast address. The FreeBSD implementation (also other TCP/IP stacks
I am aware of) does not permit this unless the socket has SO_BROADCAST,
according to the sendmsg(2) manual page.
This EACCES would result in the message "error sending response:
permission denied".
Basically our TCP/IP stack is doing the right thing.
======
The workaround is to filter out the traffic from the offending host. I
am not yet aware of which operating system did that.
Another workaround is to patch named (contrib/bind9/bin/named/client.c)
around the log and disable the whole log thing.
======
The fix is to either fix the offending host or remove it.
Cheers,
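
A way to confirm from the logs that this cause applies, as an added example that is not part of the original post: it counts named's "permission denied" send errors and separates those whose client address is the all-ones or all-zeros address of the local subnet from the rest. The /24 prefix and every sample line except the first are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample. The first line is the one quoted in the post, re-joined
# onto one line; the remaining lines are made up for this example.
SAMPLE_LOG = """\
Nov 11 19:13:02 tarsier named[21464]: client 211.166.10.255#38500: error sending response: permission denied
Nov 11 19:13:05 tarsier named[21464]: client 211.166.10.0#38501: error sending response: permission denied
Nov 11 19:13:09 tarsier named[21464]: client 211.166.10.37#40112: error sending response: host unreachable
Nov 11 19:13:11 tarsier named[21464]: client 211.166.10.255#38502: error sending response: permission denied
Nov 11 19:13:14 tarsier named[21464]: client 211.166.10.41#40120: error sending response: permission denied
"""

# Only the EACCES case described in the post is of interest here.
LINE_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"error sending response: permission denied"
)


def classify_send_errors(log_text, subnet):
    """Split 'permission denied' send errors by client address.

    Returns {"broadcast": Counter, "other": Counter}. "broadcast" holds
    (address, kind) pairs for clients claiming the subnet's all-ones or
    all-zeros address; "other" holds addresses this cause does not explain.
    """
    net = ipaddress.ip_network(subnet)
    special = {
        net.broadcast_address: "all-ones",
        net.network_address: "all-zeros",
    }
    result = {"broadcast": Counter(), "other": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # e.g. an octet above 255 in a damaged line
            continue
        if ip in special:
            result["broadcast"][(str(ip), special[ip])] += 1
        else:
            result["other"][str(ip)] += 1
    return result


if __name__ == "__main__":
    # Assumption: the name server's subnet is 211.166.10.0/24.
    print(classify_send_errors(SAMPLE_LOG, "211.166.10.0/24"))
```

Entries under "broadcast" match the cause described above and point at a source-address filter on the subnet's broadcast addresses; entries under "other" need a different explanation.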