Hi,

the default configuration of current net-dns/bind contains the following directive in the options block:

    allow-update {
        /* Don't allow updates, e.g. via nsupdate. */
        none;
    };

This causes a warning message for all builtin and configured zones:

    Nov 28 21:00:24 server named[4847]: zone 'version.bind' allows updates by IP address, which is insecure
    Nov 28 21:00:24 server named[4847]: zone 'hostname.bind' allows updates by IP address, which is insecure
    Nov 28 21:00:24 server named[4847]: zone 'authors.bind' allows updates by IP address, which is insecure
    Nov 28 21:00:24 server named[4847]: zone 'id.server' allows updates by IP address, which is insecure

Commenting out that directive gets rid of the message. Functionality stays the same since "none" is the default for allow-update.

From looking at the code it seems that a check for special case "none" is missing from that security check. Arguably this should be fixed upstream. See https://lists.isc.org/pipermail/bind-users/2016-November/098021.html for a first discussion with upstream.

In the meantime: Should above default be provided as a commented block so people know it's the default but don't get confused by the misleading warning?

Thanks,
Michael
upstream is aware of the problem: https://lists.isc.org/pipermail/bind-users/2016-November/098057.html.
From the looks of upstream git this will be fixed in 9.11.1.