Don't allow dynamic updates of SIG records, since it either leaves the

database in an inconsistent state or fails when it shouldn't.  This will be
supported at some point, but it's better to flat out refuse than fail badly.

bin/named/update.c

@@ -2069,11 +2069,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		 * "Unlike traditional dynamic update, the client
 		 * is forbidden from updating NXT records."
 		 */
-		if (dns_db_issecure(db) && rdata.type == dns_rdatatype_nxt) {
+		if (dns_db_issecure(db)) {
+			if (rdata.type == dns_rdatatype_nxt) {
 				FAILC(DNS_R_REFUSED,
 				      "explicit NXT updates are not allowed "
 				      "in secure zones");
 			}
+			else if (rdata.type == dns_rdatatype_sig) {
+				FAILC(DNS_R_REFUSED,
+				      "explicit SIG updates are currently not "
+				      "supported in secure zones");
+			}
+		}
 
 		if (ssutable != NULL && client->signer != NULL) {
 			if (rdata.type != dns_rdatatype_any) {