diff --git a/CHANGES b/CHANGES index 57df1e27a1..61cf97dab9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +5843. [bug] When an UPDATE targets a zone that is not configured, + the requested zone name is now logged in the "not + authoritative" error message, so that it is easier to + track down problematic update clients. [GL #3209] + 5842. [cleanup] Remove the task exclusive mode use in ns_clientmgr. [GL #3230] diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 7316fe327c..0863d0a1ad 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -82,6 +82,32 @@ digcomp knowngood.ns1.before dig.out.ns1 || ret=1 digcomp knowngood.ns1.before dig.out.ns2 || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } +ret=0 +echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log" +$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +server 10.53.0.1 ${PORT} +zone unconfigured.test +update add unconfigured.test 600 IN A 10.53.0.1 +send +END +grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1 +grep ' unconfigured.test: not authoritative' ns1/named.run \ + > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "ensure a subdomain is mentioned in its NOTAUTH log" +$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +server 10.53.0.1 ${PORT} +zone sub.sub.example.nil +update add sub.sub.sub.example.nil 600 IN A 10.53.0.1 +send +END +grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1 +grep ' sub.sub.example.nil: not authoritative' ns1/named.run \ + > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + ret=0 echo_i "updating zone" # nsupdate will print a ">" prompt to stdout as it gets each input line. diff --git a/lib/ns/update.c b/lib/ns/update.c index c96d87071d..5659a8c916 100644 --- a/lib/ns/update.c +++ b/lib/ns/update.c 
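Review bot: In bin/tests/system/nsupdate/tests.sh, the second new case ("ensure a subdomain is mentioned in its NOTAUTH log") never asserts that the parent zone is absent from the log line. It only checks that ` sub.sub.example.nil: not authoritative` appears in ns1/named.run, yet keeping the parent out of the log is what the `dns_zone_detach(&zone)` added in lib/ns/update.c is for, so a regression that logs the parent again would still pass. I would add a negative check on the matched line, e.g. `grep ' sub.sub.example.nil: not authoritative' ns1/named.run | grep "PARENT_ZONE_PREFIX" > /dev/null 2>&1 && ret=1`, where PARENT_ZONE_PREFIX is a placeholder for whatever prefix the update log writes for an attached zone (that format is not visible in this diff). Both new log greps also treat the dots in the zone names as regex wildcards; `grep -F` would make the match literal.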
@@ -1726,7 +1726,15 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle, result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone); if (result != ISC_R_SUCCESS) { - FAILC(DNS_R_NOTAUTH, "not authoritative for update zone"); + /* + * If we found a zone that is a parent of the update zonename, + * detach it so it isn't mentioned in log - it is irrelevant. + */ + if (zone != NULL) { + dns_zone_detach(&zone); + } + FAILN(DNS_R_NOTAUTH, zonename, + "not authoritative for update zone"); } /*
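Review bot: The new `FAILN(DNS_R_NOTAUTH, zonename, ...)` call writes a client-supplied name into the server log, and nothing in the hunk documents that `zonename` is untrusted here. This branch runs exactly when no configured zone matches the request, so the logged text is chosen by whoever sent the UPDATE. FAILN's definition is outside this hunk, so please confirm that it renders the name in escaped presentation form into a bounded buffer, and that it logs at a level where repeated failures cannot flood the log. I would extend the new comment with a line such as `* zonename is client-supplied: log it only through FAILN's name formatting, never as a raw string.` ns_update_start starts and ends outside the hunk, so whether any ACL or signature check has run before this lookup is not visible here.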