allow-update in global options (was Re: bind and certbot with dns-challenge)

Sam Wilson Sam.Wilson at
Tue Apr 2 16:00:48 UTC 2019

On 2019-03-17 20:37:56 +0000, Alan Clegg said:

> On 3/17/19 2:51 PM, Alan Clegg wrote:
>> On 3/17/19 7:13 AM, Stephan von Krawczynski wrote:
>>> Hello all,
>>> I am using "BIND 9.13.7 (Development Release) <id:6491691>" on Arch Linux. Up
>>> to a few days ago everything was fine using "certbot renew". I had
>>> "allow-update" in named's global section, everything worked well. Updating to
>>> the above version threw a config error that "allow-update" has no global scope
>>> and is to be used in every single zone definition.
>> And you may have found a bug.  I'm checking internally at this time.
> So, after a discussion with one of the BIND engineers this afternoon,
> this turned out to be quite an interesting and deep-rooted issue.
> During a cleanup of other code (specifically named-checkconf), code was
> changed that enforced what was believed to have been the default
> previously: specifically, allow-update was only allowed in zone stanzas.

Can I ask who believed it was previously the default?  I hope I'm not 
misreading the first dozen or so lines of this page (which seems to be 
reflected in previous editions of the ARM).



The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.