In general, you don't want to mix dynamic update zones with ones that you want to edit by hand. I see that you are doing manual DNSSEC signing in your cron job.
Your choices are:

a) do everything with dynamic update, and turn on automatic DNSSEC management in bind9.

b) do your DNSSEC signing inline. I blogged poorly about my setup: https://www.sandelman.ca/mcr/blog/sysadmin/bind9-dnssec-formula/

c) a mix of the above.

My solution is not to mix dynamic update with other access. Instead, I put in CNAMEs in the signed zone to a sub-zone (or other zone) where I do exclusive dynamic update. This isn't perfect, but it works well enough to allow dns-01 (certbot/LetsEncrypt) to be able to refresh my certificates.
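The CNAME arrangement described in the message above, written out as BIND 9 configuration. This is an added example, not the poster's own configuration or anything from the linked blog post; the zone names, key name, file paths and name server host are placeholders, and it assumes BIND 9.16 or later for `dnssec-policy`.

```conf
// named.conf fragment (constructed example; all names are placeholders)

// TSIG key used only by the ACME client (e.g. an RFC 2136 hook for certbot).
key "certbot-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_TSIG_SECRET";   // placeholder, generate with tsig-keygen
};

// Hand-edited zone, signed inline by named.
// No allow-update / update-policy here: nothing writes to it dynamically,
// so manual edits and the signer never race with nsupdate.
zone "example.com" {
    type primary;
    file "primary/example.com.zone";
    dnssec-policy default;
    inline-signing yes;
};

// Sub-zone reserved exclusively for dynamic update; never edited by hand.
// Left unsigned in this example (assumption), so the parent carries an
// NS delegation without a DS record, i.e. an insecure delegation.
zone "acme.example.com" {
    type primary;
    file "dynamic/acme.example.com.zone";
    update-policy {
        // The key may touch only this one name, and only TXT records.
        grant certbot-key name www.acme.example.com. TXT;
    };
};

/* Records added by hand to the example.com zone file:

   ; delegate the dynamic sub-zone
   acme                   IN NS     ns1.example.com.

   ; the dns-01 lookup for www.example.com follows this CNAME
   ; into the dynamic zone, where the ACME client writes the TXT
   _acme-challenge.www    IN CNAME  www.acme.example.com.
*/
```

The ACME client has to be told to send its update for `www.acme.example.com` rather than for `_acme-challenge.www.example.com`; a leaked TSIG key then exposes only that one TXT name, not the signed zone.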