BIND rejecting key to update a zone

Mark E. Jeftovic markjr at
Fri Jun 8 15:01:46 UTC 2018

Hi Michal, thanks for the reply and sorry for the delay on my end.

I've started a fresh install here and started over and still having the
same issue, even when I crank the debug trace up to 5, I'm not seeing
anything additional in the logs:

08-Jun-2018 14:56:50.281 update-security: info: client rpz-update: signer "rpz-update" denied
08-Jun-2018 14:56:50.281 update-security: error: client rpz-update: update 'test.rpz/IN' denied

I've also tried taking the allow-update out of the zone statement and
moving it back up globally, and trying both (defining it globally and in
the zone) because I remembered bug #46603 (kinda sorta in the ballpark)
- but no dice there either.

- mark

On 2018-06-04 4:58 AM, Michał Kępień wrote:
> Hi Mark,
>> Jun  1 20:19:34 rpz0 named[30999]: client
>> dns-update: signer "dns-update" denied
>> Jun  1 20:19:34 rpz0 named[30999]: client
>> dns-update: update 'test.rpz/IN' denied
>> What am I missing here?  
> Interesting, you do not seem to be missing anything: this works as
> expected for me (i.e. the update is allowed) on a fresh Debian 9 VM.
> AFAICT without looking at your entire configuration, in order for both
> of the log messages you quoted to be generated, named would need to
> recognize the key used for signing the request (otherwise you would get
> a BADKEY response), but not allow it to update the relevant zone.
> Perhaps a long shot, but is there any chance there are non-ASCII
> characters in your configuration file, like some Unicode variant of the
> hyphen character (‐, ‑, ‒, etc.)?  If not, could you please bump the
> debug level to at least 3, retry, and paste the log messages generated?
> Please also feel free to open an issue at

Mark E. Jeftovic <markjr at>
Co-founder & CEO, easyDNS Technologies Inc.
+1-(416)-535-8672 x 225

More information about the bind-users mailing list