DDNS rejected if zone contains CDS/CDNSKEY
Even with DNSSEC signing not configured for BIND, if the zone contains a (possibly invalid) CDS or CDNSKEY record, any incoming DDNS update (even one not touching those records) is rejected by BIND.
For example, with the attached configuration file and zone file, if I call
```
echo -e 'server 127.0.0.1 38893\nzone example.com.\nadd xyz.example.com. 3600 A 5.6.7.8\nsend' | nsupdate
```
it responds with `update failed: REFUSED`, while the following appears in the BIND log:
```
08-Aug-2019 15:46:00.350 client @0x7f503c0424a0 127.0.0.1#57942: updating zone 'example.com/IN': adding an RR at 'xyz.example.com' A 5.6.7.8
08-Aug-2019 15:46:00.350 client @0x7f503c0424a0 127.0.0.1#57942: updating zone 'example.com/IN': update rejected: bad CDNSKEY RRset
```
Expected behaviour:
- either: the zone is rejected upon zone load (perhaps with the error message "bad CDNSKEY RRset")
- or: the DDNS update is accepted and processed the same way as if there were no CDS/CDNSKEY records
Version: BIND 9.11.3-1ubuntu1.8-Ubuntu (I haven't tried any other version since I had no time to figure out how to install them. However, this seems to be easily reproducible!)
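
A pre-load check for the situation described in this report, added here as an example that is not part of the original issue or of BIND: it scans zone file text for CDS/CDNSKEY records and flags the zone when no DNSKEY accompanies them. The sample zone is constructed, the parser covers only a simplified subset of master-file syntax, and treating "CDS/CDNSKEY without DNSKEY" as the condition to review is an assumption modelled on the unsigned zone above.

```python
import re

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"\d+|(?:\d+[smhdw])+", re.I)
WATCHED = {"CDS", "CDNSKEY"}
# Constructed sample: an unsigned zone that still carries CDS/CDNSKEY records.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@   3600 IN SOA ns.example.com. admin.example.com. 2019080801 3600 900 604800 300
    IN NS ns.example.com.   ; owner inherited from the line above
@   3600 IN CDNSKEY 257 3 8 AwEAAcONSTRUCTEDKEY==
@   IN 3600 CDS 12345 8 2 ( 00112233445566778899AABBCCDDEEFF
        00112233445566778899AABBCCDDEEFF )
"""

def logical_lines(text):
    """Yield (first_line_no, record) with comments dropped and ( ) groups joined."""
    buf, start, depth = "", 0, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]  # simplification: no ';' inside quoted strings
        opened = line.count("(") - line.count(")")
        line = line.replace("(", " ").replace(")", " ")
        buf, start = (line, no) if depth == 0 else (buf + " " + line, start)
        depth = max(depth + opened, 0)
        if depth == 0 and buf.strip():
            yield start, buf

def rr_type(record):
    """Return the RR type: skip the owner (if present), then any TTL/class tokens."""
    tokens = record.split()
    if not record[0].isspace():  # leading whitespace means the owner is inherited
        tokens = tokens[1:]
    while tokens and (tokens[0].upper() in CLASSES or TTL_RE.fullmatch(tokens[0])):
        tokens.pop(0)
    return tokens[0].upper() if tokens else None

def check_zone(text):
    """Report CDS/CDNSKEY records and whether any DNSKEY accompanies them."""
    watched, has_dnskey = [], False
    for no, record in logical_lines(text):
        if record.lstrip().startswith("$"):
            continue  # $ORIGIN, $TTL, $INCLUDE directives
        rtype = rr_type(record)
        if rtype in WATCHED:
            watched.append((no, rtype))
        has_dnskey = has_dnskey or rtype == "DNSKEY"
    # Assumption: CDS/CDNSKEY with no DNSKEY mirrors the unsigned zone in the report.
    return {"watched": watched, "has_dnskey": has_dnskey,
            "needs_review": bool(watched) and not has_dnskey}
```

`check_zone(SAMPLE_ZONE)` lists the CDNSKEY and CDS records by line number and sets `needs_review`, so a zone like this can be caught before dynamic updates start failing.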