nsupdate fails with "could not get zone keys for secure dynamic update"
Paul Galbraith
paul at galbraiths.ca
Wed Dec 11 19:55:54 UTC 2024
A quick follow-up for posterity: this was resolved by manually editing
the bind 9.18 zone files and removing all DNSSEC records.
On 2024-10-22 9:57 p.m., Paul Galbraith wrote:
> I am getting this error with bind 9.20.2, when trying to delete an
> AAAA record with nsupdate on the same host. Using rndc on the host to
> sign the zone seems to work fine, so I'm quite confused. Is there any
> way to get more detail about these "zone keys" that named "could not
> get"?
>
> Oct 23 01:18:45 named[18113]: debug level is now 10
> Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key
> local-ddns: updating zone 'galbraiths.ca/IN': deleting rrset at
> 'angmar.galbraiths.ca' AAAA
> Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key
> local-ddns: updating zone 'galbraiths.ca/IN': could not get zone keys
> for secure dynamic update
> Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key
> local-ddns: updating zone 'galbraiths.ca/IN': RRSIG/NSEC/NSEC3 update
> failed: not found
> Oct 23 01:27:06 named[18113]: received control channel command 'sign
> galbraiths.ca'
> Oct 23 01:27:06 named[18113]: zone galbraiths.ca/IN (signed):
> reconfiguring zone keys
> Oct 23 01:27:06 named[18113]: zone galbraiths.ca/IN (signed): next key
> event: 23-Oct-2024 02:27:06.724
>
> This is happening on a recently upgraded system (previous bind was
> 9.18.x I believe) which was previously working fine with nsupdate.
>
> I'm wondering if this is somehow related to named being chrooted to
> /var/named, but rndc sign zone works fine, so I'm still quite doubtful
> about that, and I expect I would get a different error if named could
> not find the local-ddns key.
>
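The debug log quoted above is the only evidence named gives for this failure: the "could not get zone keys" and "RRSIG/NSEC/NSEC3 update failed" lines arrive as part of the same update transaction as the "deleting rrset" line, tied together by the client handle, source address, TSIG key name and zone. The following is an added example, not code from the thread or from ISC: a small Python parser that reads named's "client ... updating zone" messages and groups them per transaction, so that a signed-zone update which was accepted by TSIG (the key name is present) but then failed at the re-signing step stands out. The log text is constructed to mirror the lines quoted in the message; the regex field names and the classification of messages as "operations" versus "failures" are this example's own assumptions, not named's terminology.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the named debug output quoted in the thread.
SAMPLE_LOG = """\
Oct 23 01:18:45 named[18113]: debug level is now 10
Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key local-ddns: updating zone 'galbraiths.ca/IN': deleting rrset at 'angmar.galbraiths.ca' AAAA
Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key local-ddns: updating zone 'galbraiths.ca/IN': could not get zone keys for secure dynamic update
Oct 23 01:19:05 named[18113]: client @0x95d24325020 ::1#50908/key local-ddns: updating zone 'galbraiths.ca/IN': RRSIG/NSEC/NSEC3 update failed: not found
Oct 23 01:27:06 named[18113]: received control channel command 'sign galbraiths.ca'
Oct 23 01:27:06 named[18113]: zone galbraiths.ca/IN (signed): reconfiguring zone keys
"""

# Matches only the "client ... updating zone '...'" messages; other named lines are skipped.
# The "/key NAME" part is optional because unsigned (non-TSIG) updates omit it.
UPDATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) named\[(?P<pid>\d+)\]: "
    r"client @(?P<handle>\S+) (?P<client>[^\s/]+)"
    r"(?:/key (?P<key>\S+))?: updating zone '(?P<zone>[^']+)': (?P<msg>.*)$"
)

# Assumed classification (this example's own): messages that mean the update
# could not be completed on a DNSSEC-signed zone.
FAILURE_MARKERS = (
    "could not get zone keys",
    "update failed",
)


def parse_update_events(log_text):
    """Return one dict per 'updating zone' log line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_failure(msg):
    return any(marker in msg for marker in FAILURE_MARKERS)


def summarize_failed_updates(log_text):
    """Group update messages per (client handle, zone) and keep only the
    transactions that contain a signing-related failure.

    Each summary records which TSIG key authenticated the request (None if the
    update was unsigned), the operations attempted, and the failure messages, so
    an operator can see at a glance that authentication succeeded but re-signing
    did not."""
    transactions = OrderedDict()
    for ev in parse_update_events(log_text):
        tx_id = (ev["handle"], ev["zone"])
        tx = transactions.setdefault(tx_id, {
            "first_seen": ev["ts"],
            "client": ev["client"],
            "key": ev["key"],
            "zone": ev["zone"],
            "operations": [],
            "failures": [],
        })
        if is_failure(ev["msg"]):
            tx["failures"].append(ev["msg"])
        else:
            tx["operations"].append(ev["msg"])
    return [tx for tx in transactions.values() if tx["failures"]]


if __name__ == "__main__":
    for tx in summarize_failed_updates(SAMPLE_LOG):
        print(f"{tx['first_seen']} zone {tx['zone']} update from {tx['client']} "
              f"(key={tx['key']}) failed after: {tx['operations']}")
        for f in tx["failures"]:
            print("   ", f)
```

Run against a real log, the useful signal is the combination: a non-empty `key` (so the TSIG check that the chroot question worried about did pass) together with "could not get zone keys", which points at the zone's signing keys rather than at the update key.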
More information about the bind-users mailing list