Mark Andrews via RT wrote: > > With inline signing DNSSEC records (other than DS) are modified by > other paths than using UPDATE. I would be using these mechanisms > instead of UPDATE even with normal signed zones. Yes, I'm aware of those mechanisms. But for quick fiddling, and for testing broken CDS RRsets, I hoped I could use UPDATE. I think something the patch below would have helped avoid confusion. (Is this the right test for the security status of a zone?) --- bin/named/update.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/bin/named/update.c b/bin/named/update.c index cd62c5d..5023dff 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -3100,9 +3100,14 @@ update_action(isc_task_t *task, isc_event_t *event) { if (! ISC_LIST_EMPTY(diff.tuples)) { result = dns_zone_cdscheck(zone, db, ver); if (result == DNS_R_BADCDS || result == DNS_R_BADCDNSKEY) { + isc_boolean_t secure = + dns_zone_getkeyopts(zone) & + (DNS_ZONEKEY_ALLOW|DNS_ZONEKEY_MAINTAIN); update_log(client, zone, LOGLEVEL_PROTOCOL, - "update rejected: bad %s RRset", - result == DNS_R_BADCDS ? "CDS" : "CDNSKEY"); + "update rejected: bad %s RRset%s", + result == DNS_R_BADCDS ? "CDS" : "CDNSKEY", + !secure ? " (zone is unsigned" + " or inline-signing)" : ""); result = DNS_R_REFUSED; goto failure; } -- 2.10.1.445.g3cdd5d1
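Review bot: the "secure" test added in the update_action() hunk checks dns_zone_getkeyopts(zone) against DNS_ZONEKEY_ALLOW|DNS_ZONEKEY_MAINTAIN, which are the key-management options set by "auto-dnssec allow" / "auto-dnssec maintain", i.e. whether named may manage the zone's keys itself, not whether the zone currently carries a DNSKEY RRset. A zone signed by other means (for example signed with dnssec-signzone and loaded already signed) has neither flag set, so the new suffix " (zone is unsigned or inline-signing)" would be appended for a zone that is in fact signed and is simply being given a CDS/CDNSKEY RRset that does not match its DNSKEYs; conversely the suffix does not distinguish the inline-signing case from "auto-dnssec off". Either base "secure" on the presence of an apex DNSKEY RRset in "ver" (the version the update is being applied to), or make the message say what is actually tested, e.g. " (auto-dnssec not enabled for this zone)". Minor: "dns_zone_getkeyopts(zone) & (DNS_ZONEKEY_ALLOW|DNS_ZONEKEY_MAINTAIN)" yields an unsigned bitmask, not an isc_boolean_t; the rest of update.c wraps such expressions as "ISC_TF(...)" before storing them in an isc_boolean_t, and this should do the same.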