BIND9.18.33 after upgrade to this version, same BIND configuration no longer accepts dynamic DNS updates with SIG0 keypairs
Adam Burns
adamb at networkcommons.org
Mon Sep 1 19:37:33 UTC 2025
Hi all,
I'm trying to debug some dynamic update zones (using SIG0 keys) after a
BIND version upgrade, and I'm hoping someone on this list can give advice
on potential root cause or at least suggestions on how to debug ...
The instance has been working perfectly through upgrades until at least
BIND9.18.26, however after upgrading to BIND9.18.33, dynamic updates
from clients using SIG0 KEYS now seem to consistently fail.
The update-policy definition has reliably worked for many previous
versions and updates until now.
Example zone definition from named.conf:
zone "zenr.io" IN {
    type master;
    file "dynamic/zenr.io/named.zenr.io";
    key-directory "dynamic/zenr.io";
    // auto-dnssec maintain;
    dnssec-policy "default";
    allow-transfer { 138.201.89.108; 2a01:4f8:c17:3dd5::1; };
    update-policy {
        grant "zenr.io" name zenr.io. ANY;
        grant "zenr.io" subdomain zenr.io. ANY;
        grant * selfsub . ANY;
    };
};
All updates attempted from invoking a previously functional keypair seem
to now
$ dig vortex.zenr.io +short KEY
512 3 15 2MK3KZkUgYQVumU9bhy1KzIZ2FhFQZ8yLP2nFMJRCEQ=
$ cat Kvortex.zenr.io.+015+56161.key
vortex.zenr.io. IN KEY 512 3 15 2MK3KZkUgYQVumU9bhy1KzIZ2FhFQZ8yLP2nFMJRCEQ=
$ nsupdate -k Kvortex.zenr.io.+015+56161 -L 10
01-Sep-2025 07:20:59.381 dns_requestmgr_create
01-Sep-2025 07:20:59.381 dns_requestmgr_create: 0x7fdf4a4acc40
> server ns1.free2air.org
> zone zenr.io
> update add zenr.io 600 TXT "testing dynamic updates"
> send
update failed: REFUSED
Any information on configuration changes that may be required to restore
functionality or info on potential root causes or further diagnostic
hints would be greatly appreciated.
Thanks & Regards,
Adam.
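
Added example, not part of the original post and not BIND's own code: a simplified Python model of how the three update-policy rule types in the posted zone (name, subdomain, selfsub) are matched against the key name that signed an update, following the rule descriptions in the BIND ARM. It shows which posted rule, if any, grants a given signer and target name, which helps separate a policy denial from a signature-verification problem when an update returns REFUSED. The function names and test cases are constructed for illustration.

```python
# Added example: simplified model of BIND update-policy matching, limited to
# the rule types in the posted zone (name, subdomain, selfsub). Record types
# are not modelled because every posted rule grants ANY.

def norm(name):
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")

def is_subdomain(child, parent):
    """True when child equals parent or sits below it; '.' is the root."""
    c, p = norm(child), norm(parent)
    return p == "" or c == p or c.endswith("." + p)

# (identity, ruletype, name) copied from the update-policy block in the post.
POLICY = [
    ("zenr.io", "name", "zenr.io."),
    ("zenr.io", "subdomain", "zenr.io."),
    ("*", "selfsub", "."),
]

def rule_matches(rule, signer, target):
    identity, ruletype, name = rule
    # identity is compared with the key name that signed the update; "*" is any.
    if identity != "*" and norm(identity) != norm(signer):
        return False
    if ruletype == "name":
        return norm(target) == norm(name)
    if ruletype == "subdomain":
        return is_subdomain(target, name)
    if ruletype == "selfsub":
        # The name field is ignored: target must be the signer's name or below.
        return is_subdomain(target, signer)
    raise ValueError("rule type not modelled: " + ruletype)

def evaluate(signer, target, policy=POLICY):
    """Return the first rule that grants the update, or None if none does."""
    for rule in policy:
        if rule_matches(rule, signer, target):
            return rule
    return None

if __name__ == "__main__":
    # Constructed test cases using the key name shown in the post.
    for signer, target in [("vortex.zenr.io", "zenr.io"),
                           ("vortex.zenr.io", "vortex.zenr.io"),
                           ("zenr.io", "www.zenr.io")]:
        print(signer, "->", target, ":", evaluate(signer, target))
```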