9.8 controls stmt ignores second key?

Phil Pennock bind-users+phil at spodhuis.org
Fri Jun 8 04:04:52 UTC 2012


I upgraded bind today from 9.6 to 9.8.3-P1.

One of my automated reloads is now failing.  I've tracked this down to
the second key in the controls configuration being ignored.  If I swap
the order of the keys, the second (now first) key is honoured, the other
is not, so I know that both keys still work and it's just the order that
matters.

controls {
  inet 127.0.0.1 port 954 allow { localhost; } keys { rndc-key-nsauth; rndc-key-dnssync; };
  inet ::1 port 954 allow { localhost; } keys { rndc-key-nsauth; rndc-key-dnssync; };
};

(The non-standard port has a historical reason)

Both keys are hmac-md5.  As I say, both work, but only if they're first
in the list.  Whichever key is second gets this as client:
----------------------------8< cut here >8------------------------------
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
----------------------------8< cut here >8------------------------------

and as server:
----------------------------8< cut here >8------------------------------
 general: info: received control channel command 'reload sks.pool.globnix.net'
 general: error: invalid command from 127.0.0.1#61018: bad auth
----------------------------8< cut here >8------------------------------


As far as I can tell from:
  http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#controls_statement_definition_and_usage
the syntax is unchanged and the above *should* work.

Have I missed something that has changed, or is this a regression?

Nothing obvious in "CHANGES" that I can see.

Thanks,
-Phil
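
One way to check, after an upgrade, which key ids in a `keys { ... }` list the control channel still accepts (an added example, not part of the original post). It assumes the local rndc.conf defines every key id passed in so that `rndc -y` can select it; `probe_key` and `probe_keys` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: probe each rndc key id against one control-channel
# listener and report which ones named accepts.
# Assumption: rndc.conf on this host defines every key id passed in.

# probe_key SERVER PORT KEY_ID
# Prints "accepted", "rejected" or "error" for one key id.
probe_key() {
    server=$1 port=$2 key=$3
    if out=$(rndc -s "$server" -p "$port" -y "$key" status 2>&1); then
        echo accepted
        return 0
    fi
    # rndc prints this when named drops the connection; the post shows it
    # on the client while the server logs "bad auth".
    case $out in
        *"connection to remote host closed"*) echo rejected ;;
        *) echo error ;;   # e.g. named not listening, unknown key id
    esac
    return 1
}

# probe_keys SERVER PORT KEY_ID...
# Prints one "key: result" line per key id. The return status is the
# number of key ids that were not accepted (0 means every key works).
probe_keys() {
    server=$1 port=$2
    shift 2
    failed=0
    for key in "$@"; do
        result=$(probe_key "$server" "$port" "$key") || failed=$((failed + 1))
        printf '%s: %s\n' "$key" "$result"
    done
    return "$failed"
}

# Address, port and key ids from the controls statement in the post:
# probe_keys 127.0.0.1 954 rndc-key-nsauth rndc-key-dnssync
```

Run from cron or a post-upgrade hook, a non-zero status flags a key that automated jobs depend on before the next reload fails.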


