Samba4 BIND9_DLZ stale DNS records with ddns

Dynamic DNS woes

If you joined a machine to a domain and then updated Samba to a newer version, you may need to remove the dns record so that nsupdate can replace the entry upon the next ddns update attempt. e.g.
A Linux client: catral.hh3.site was being refused ddns updates:

2013-09-14T23:28:58.140494+02:00 hh16 named[11513]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T23:28:58.147040+02:00 hh16 named[11513]: samba_dlz: disallowing update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site type=A error=insufficient access rights

So we remove the entry:

ldbdel --url=/usr/local/samba/private/sam.ldb DC=catral,dc=hh3.site,CN=MicrosoftDNS,DC=DomainDnsZones,DC=hh3,dc=site

and bingo:

2013-09-14T23:33:15.038284+02:00 hh16 named[11513]: samba_dlz: starting transaction on zone 1.168.192.in-addr.arpa

2013-09-14T23:33:15.044506+02:00 hh16 named[11513]: samba_dlz: allowing update of signer=CATRAL\$\@HH3.SITE name=21.1.168.192.in-addr.arpa tcpaddr=192.168.1.21 type=PTR key=3622513282.sig-hh16.hh3.site/160/0

2013-09-14T23:33:15.044537+02:00 hh16 named[11513]: client 192.168.1.21#54295/key CATRAL\$\@HH3.SITE: updating zone '1.168.192.in-addr.arpa/NONE': adding an RR at '21.1.168.192.in-addr.arpa' PTR

2013-09-14T23:33:15.044544+02:00 hh16 named[11513]: samba_dlz: committed transaction on zone 1.168.192.in-addr.arpa

Note this week's special offer. The reverse zone was thrown in for nothing! BUT on 4.0.7
you have to delete the entire zone first otherwise you get REFUSED messages from bind.
samba-tool dns zonedelete 1.168.192.in-addr.arpa
then recreate it:
samba-tool zoneadd hh16 1.168.192.in-addr.arpa
(any brave sole volunteer to do the bugzilla?)

** Update for Samba 4.1.8, June 2014. No change. We still need to remove the entire reverse zone to get the updates. July 2014: No change.