Since the Samba bind_dlz implementation does not provide ACL support for the zones it manages, dynamically updating those zones does not work. Technical details by Alexander Bokovoy, reported in this thread: https://lists.samba.org/archive/samba-technical/2020-March/134952.html

In bin/named/update.c, update_action() code starts with:

    CHECK(dns_zone_getdb(zone, &db));
    zonename = dns_db_origin(db);
    zoneclass = dns_db_class(db);
    dns_zone_getssutable(zone, &ssutable);

    /*
     * Update message processing can leak record existance information
     * so check that we are allowed to query this zone. Additionally
     * if we would refuse all updates for this zone we bail out here.
     */
    CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
                        dns_zone_getupdateacl(zone), ssutable));

The message you see 'client ...: update ... denied' comes from checkqueryacl()'s call:

    ...
    } else if (updateacl == NULL && ssutable == NULL) {
        dns_name_format(zonename, namebuf, sizeof(namebuf));
        dns_rdataclass_format(client->view->rdclass, classbuf,
                              sizeof(classbuf));
        result = DNS_R_REFUSED;
        ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
                      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
                      "update '%s/%s' denied", namebuf, classbuf);
    }
    ...

So, both updateacl (result of the call to dns_zone_getupdateacl(zone) above) and ssutable are not there.
I've tested this on Samba 4.16.4 and dynamic update of the primary domain zone works correctly. Removing the ACL of a domain record also correctly gives: samba_dlz: disallowing update of signer=example-computer\$\@EXAMPLE.TEST name=example-computer.example.test type=AAAA error=insufficient access rights
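The two comments above describe two different places a dynamic update can be refused: BIND's checkqueryacl() refuses the whole zone (logging "update '<zone>/<class>' denied") when the zone carries neither an update ACL nor an ssutable, while Samba's dlz module refuses a single record (logging "samba_dlz: disallowing update of signer=... name=... type=... error=insufficient access rights") after the zone-level check has passed. Telling those two apart is the first triage step, so the following script, an added example that is not part of this thread and not Samba or BIND code, classifies log lines into zone-scope and record-scope refusals and extracts the signer, target and reason. The sample log lines are constructed from the two message formats quoted above (timestamps, addresses, hostnames and the client pointer are made up); the "/key <signer>:" prefix parsing assumes the ns_client_log() prefix form and is best-effort.

```python
"""Classify dynamic-update refusals from a BIND9 + Samba dlz_bind9 log.

Two stages can refuse an update, and they log differently:
  * BIND's checkqueryacl() refuses the whole zone when the zone has
    neither an update ACL nor an update-policy table (ssutable); the
    line ends in "update '<zone>/<class>' denied".
  * samba_dlz refuses one record after the zone-level check passed; the
    line carries signer=, name=, type= and error= fields.
A zone-scope hit means no dynamic update is accepted for that zone at all;
a record-scope hit means the signer lacks rights on that particular name.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# ns_client_log() prefix: "client @0x.. <addr>#<port>[/key <signer>]: ".
# Unsigned updates have no "/key" part, so the signer is optional.
_BIND_PREFIX_SIGNER = re.compile(r"/key (?P<signer>\S+):")

BIND_ZONE_DENIED = re.compile(
    r"update '(?P<zone>[^/']+)/(?P<rdclass>[^']+)' denied\s*$"
)

SAMBA_DLZ_DENIED = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.+?)\s*$"
)


@dataclass(frozen=True)
class UpdateDenial:
    scope: str             # "zone" (BIND ACL stage) or "record" (samba_dlz stage)
    target: str            # zone name or record owner name
    signer: Optional[str]  # GSS-TSIG/TSIG signer if the line carries one
    detail: str            # rdclass for zone scope; "<type>: <error>" for record scope


def classify(line: str) -> Optional[UpdateDenial]:
    """Return an UpdateDenial for a refusal line, None for any other line."""
    m = SAMBA_DLZ_DENIED.search(line)
    if m:
        return UpdateDenial(
            scope="record",
            target=m.group("name"),
            signer=m.group("signer"),
            detail=f"{m.group('rtype')}: {m.group('error')}",
        )
    m = BIND_ZONE_DENIED.search(line)
    if m:
        s = _BIND_PREFIX_SIGNER.search(line)
        return UpdateDenial(
            scope="zone",
            target=m.group("zone"),
            signer=s.group("signer") if s else None,
            detail=m.group("rdclass"),
        )
    return None


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count refusals per (scope, target) so a zone that refuses everything
    stands out from ordinary per-record ACL denials."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        d = classify(line)
        if d is not None:
            key = (d.scope, d.target)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines modelled on the two message formats quoted in the
# thread; timestamps, addresses, names and the client pointer are made up.
SAMPLE_LOG = [
    "17-Aug-2022 10:12:03.117 update-security: info: client @0x7f3c2c0a1b40 "
    "10.0.0.5#53012/key example-computer$@EXAMPLE.TEST: "
    "update 'example.test/IN' denied",
    "17-Aug-2022 10:12:04.004 update-security: info: client @0x7f3c2c0a1b40 "
    "10.0.0.9#40211: update 'example.test/IN' denied",
    "17-Aug-2022 10:15:41.550 samba_dlz: disallowing update of "
    "signer=example-computer$@EXAMPLE.TEST name=example-computer.example.test "
    "type=AAAA error=insufficient access rights",
    "17-Aug-2022 10:15:42.001 queries: info: client @0x7f3c2c0a1b40 "
    "10.0.0.5#53012 (example.test): query: example.test IN SOA +E(0) (10.0.0.1)",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(summarize(SAMPLE_LOG))
```

Run against a real named log, a cluster of zone-scope denials with no record-scope lines at all is the signature of the situation in the first comment (no update ACL and no ssutable on the zone), whereas record-scope lines with "insufficient access rights" are the per-record ACL behaviour the second comment shows working on 4.16.4.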