BIND rejecting key to update a zone

Michał Kępień michal at
Mon Jun 4 08:58:59 UTC 2018

Hi Mark,

> Jun  1 20:19:34 rpz0 named[30999]: client
> dns-update: signer "dns-update" denied
> Jun  1 20:19:34 rpz0 named[30999]: client
> dns-update: update 'test.rpz/IN' denied
> What am I missing here?  

Interesting, you do not seem to be missing anything: this works as
expected for me (i.e. the update is allowed) on a fresh Debian 9 VM.

AFAICT without looking at your entire configuration, in order for both
of the log messages you quoted to be generated, named would need to
recognize the key used for signing the request (otherwise you would get
a BADKEY response), but not allow it to update the relevant zone.
Perhaps a long shot, but is there any chance there are non-ASCII
characters in your configuration file, like some Unicode variant of the
hyphen character (‐, ‑, ‒, etc.)?  If not, could you please bump the
debug level to at least 3, retry, and paste the log messages generated?
Please also feel free to open an issue at

Best regards,
Michał Kępień
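
The check for non-ASCII characters suggested in the message above, as an added example that is not part of the original post: it lists every non-ASCII character in a configuration file with its position and Unicode name, and marks dash look-alikes. The sample configuration and the function name `find_non_ascii` are constructed for illustration.

```python
import sys
import unicodedata

# Constructed sample, not taken from the thread: the key name in the grant
# rule uses U+2011 instead of the ASCII hyphen used in the key statement.
SAMPLE_CONF = (
    'key "dns-update" {\n'
    '    algorithm hmac-sha256;\n'
    '    secret "PLACEHOLDER";\n'
    '};\n'
    'zone "test.rpz" {\n'
    '    type master;\n'
    '    file "test.rpz.db";\n'
    '    update-policy { grant dns\u2011update zonesub ANY; };\n'
    '};\n'
)


def find_non_ascii(text):
    """Return (line, column, codepoint, name, is_dash) per non-ASCII char."""
    findings = []
    # Split on "\n" only, so Unicode line separators are reported, not eaten.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) < 128:
                continue
            name = unicodedata.name(ch, "UNNAMED")
            # Category Pd (dash punctuation) covers the hyphen look-alikes.
            is_dash = unicodedata.category(ch) == "Pd"
            findings.append((lineno, col, f"U+{ord(ch):04X}", name, is_dash))
    return findings


if __name__ == "__main__":
    # Pass the path of the configuration file to scan; with no argument
    # the constructed sample above is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    for lineno, col, cp, name, is_dash in find_non_ascii(text):
        kind = "dash look-alike" if is_dash else "non-ASCII"
        print(f"line {lineno}, col {col}: {cp} {name} ({kind})")
```

Files pulled in through `include` statements need to be scanned separately, since the key and the update policy may live in different files.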
