DNSKEY dynamic update: unexpected change 9.6.0-P1 -> 9.6.1

Shumon Huque shuque at isc.upenn.edu
Wed Jul 8 20:50:05 UTC 2009


Upgrading from 9.6.0-P1 to 9.6.1 on my master server 
unexpectedly changed DNSKEY dynamic update behavior. My
tools to secure zones rely on insertion of DNSKEY
records via dynamic update. This stopped working when
I upgraded to 9.6.1. 

The culprit seems to be:

*** bind-9.6.0-P1/bin/named/update.c	Wed Nov 19 01:21:45 2008
--- bind-9.6.1/bin/named/update.c	Thu Apr 30 03:03:37 2009

***************
*** 3971,3977 ****
  		}
  #endif
  #ifndef ALLOW_INSECURE_TO_SECURE
! 		if (had_dnskey && !has_dnskey) {
  			update_log(client, zone, LOGLEVEL_PROTOCOL,
  				   "update rejected: DNSKEY record added");
  			result = DNS_R_REFUSED;
--- 3981,3987 ----
  		}
  #endif
  #ifndef ALLOW_INSECURE_TO_SECURE
! 		if (!had_dnskey && has_dnskey) {
  			update_log(client, zone, LOGLEVEL_PROTOCOL,
  				   "update rejected: DNSKEY record added");
  			result = DNS_R_REFUSED;
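Review bot: the new test `!had_dnskey && has_dnskey` is the one that actually matches the `#ifndef ALLOW_INSECURE_TO_SECURE` guard and the "update rejected: DNSKEY record added" log text; the 9.6.0-P1 condition `had_dnskey && !has_dnskey` described a DNSKEY removal, so a default build (no `-DALLOW_INSECURE_TO_SECURE`) silently accepted insecure-to-secure UPDATEs and mislabelled removals as additions. Because correcting the condition turns a previously accepted operation into a refusal for every default build, the change needs a release-note and NSEC3-NOTES entry saying that adding the first DNSKEY by dynamic update now requires building with `-DALLOW_INSECURE_TO_SECURE`, rather than being shipped as a bare bug fix.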


I'm guessing this is related to 

  2530.   [bug]           named failed to reject insecure to secure transitions
                          via UPDATE. [RT #19101]

Admittedly the code didn't match the pre-processor definition
in 9.6.0-P1. But I was assuming secure<->insecure zone transition
capability was turned on by default in bind 9.6. At least the file 
that documents this feature (NSEC3-NOTES) doesn't mention anything
about it not being on by default. 

For the time being, I've recompiled to fix the problem with:

   CFLAGS="-DALLOW_SECURE_TO_INSECURE -DALLOW_INSECURE_TO_SECURE"

Is there any reason these flags should not be set by default? And
if not, could I ask that the documentation (NSEC3-NOTES) be
updated to reflect what needs to be done.

Also the private type record seems to have changed from 65535 to 
65534 but this hasn't been updated in NSEC3-NOTES.

Thanks!
--Shumon.
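Added illustration (editor's note, not code from the post or from BIND): a small model of the update.c DNSKEY transition check before and after the 2530 fix, with the two build-time macros turned into runtime flags so the three builds discussed above can be compared side by side. It assumes the unquoted ALLOW_SECURE_TO_INSECURE block just above the hunk is the mirror check that refuses removal of all DNSKEYs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the DNSKEY-presence check in bin/named/update.c.  Not BIND code;
 * the -D macros are runtime flags here so old and new logic can be compared.
 * Assumption: the ALLOW_SECURE_TO_INSECURE block (not quoted in the post)
 * refuses the update when the apex loses its last DNSKEY. */
enum { UPDATE_OK = 0, UPDATE_REFUSED = 1 };

/* fixed:      true for the 9.6.1 condition, false for 9.6.0-P1
 * allow_s2i:  built with -DALLOW_SECURE_TO_INSECURE
 * allow_i2s:  built with -DALLOW_INSECURE_TO_SECURE
 * had / has:  apex had a DNSKEY RRset before / after the UPDATE */
int check_dnskey_transition(bool fixed, bool allow_s2i, bool allow_i2s,
                            bool had, bool has)
{
    if (!allow_s2i && had && !has)
        return UPDATE_REFUSED;           /* secure -> insecure refused */

    /* 9.6.0-P1 tested the removal case under the insecure-to-secure
     * guard (so additions slipped through); 9.6.1 tests the addition. */
    bool hit = fixed ? (!had && has) : (had && !has);
    if (!allow_i2s && hit)
        return UPDATE_REFUSED;           /* "DNSKEY record added" */

    return UPDATE_OK;
}

/* The poster's workflow: first DNSKEY inserted into a zone that had none,
 * on a default build or one compiled with both CFLAGS. */
int first_dnskey_update(bool fixed, bool with_cflags)
{
    return check_dnskey_transition(fixed, with_cflags, with_cflags,
                                   false, true);
}

int main(void)
{
    printf("9.6.0-P1 default build: %s\n",
           first_dnskey_update(false, false) ? "refused" : "accepted");
    printf("9.6.1 default build:    %s\n",
           first_dnskey_update(true, false) ? "refused" : "accepted");
    printf("9.6.1 with both CFLAGS: %s\n",
           first_dnskey_update(true, true) ? "refused" : "accepted");
    return 0;
}
```

The middle line is the behaviour change the post reports: the same insecure-to-secure UPDATE is accepted by a default 9.6.0-P1 build and refused by a default 9.6.1 build.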
