> I am trying to work out whether that means that the keyfile > contents must be manually added to the zone file, because in > named.conf I have an include line for update.key which contains the > path to that key, so it should be there already.
Do you also have your zone configured to allow updates (with allow-update or update-policy)? Make sure you can use nsupdate manually at the command line to update the zone without using acme.sh first.