samba - Jan 2014 - Strange problem with ddns AAAA delete

I am trying to setup dynamic updates with bind_dlz backend, but for some
reason if any windows client or linux with nsupdate tries to remove AAAA
record, server just 'cancelling transaction', while A and PTR records
(both on reverse ipv4 and ipv6) working fine.
If i'am remove AAAA record manually via samba-tool or windows mmc then
AAAA record can be updated, but after that it again cannot be deleted.
Maybe i am doing something wrong? -_-

It is samba 4.1.3 with bind 9.9.3_p2 on gentoo, two domain controllers.

Example with nsupdate:
----
kinit -k host/$(hostname -f)

nsupdate
>gsstsig
>zone nya.ai.
>delete tellurium.nya.ai. AAAA
>show
>send
---------
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;nya.ai.                                IN      SOA

;; UPDATE SECTION:
tellurium.nya.ai.       0       ANY     AAAA

update failed: SERVFAIL

------
/var/log/daemon.log
------
Jan  2 10:32:40 aurum named[4388]: samba_dlz: starting transaction on
zone nya.ai
Jan  2 10:32:41 aurum named[4388]: samba_dlz: allowing update of
signer=host/tellurium.nya.ai\@NYA.AI name=tellurium.nya.ai
tcpaddr=2001:470:c870::16 type=AAAA key=3807097567.sig-aurum.nya.ai/160/0
Jan  2 10:32:41 aurum named[4388]: client 2001:470:c870::16#38313/key
host/tellurium.nya.ai\@NYA.AI: updating zone 'nya.ai/NONE': deleting
rrset at 'tellurium.nya.ai' AAAA
Jan  2 10:32:41 aurum named[4388]: samba_dlz: cancelling transaction on
zone nya.ai
------

I encountered the same problems on my Debian Testing machine with Bind
9.8.4 and Samba 4.1.3 for AAAA records. The corresponding PTR and A
records can be deleted through nsupdate, but AAAA records show errors.

See below for my example, nsupdate debug info and bind.log. Domain info
and IPv6 addresses are redacted.

Downgrading to Samba 4.0.11 shows no solution. And the only solution is
to remove the AAAA record through samba-tool.

Best regards,
Nico Speelman

Example:
kinit -k -t "/etc/krb5.dhcpd.keytab" "dns-update at
EXAMPLE.COM"
root at zeus:~# nsupdate -g -d << UPDATE
>zone example.com
>update delete test.example.com. AAAA
>send
>UPDATE
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62502
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;example.com.             IN      SOA

;; ANSWER SECTION:
example.com.      3600    IN      SOA     zeus.example.com. hostmaster at
example.com. 71 900 600 86400 0

;; AUTHORITY SECTION:
example.com.      900     IN      NS      zeus.example.com.

;; ADDITIONAL SECTION:
zeus.example.com. 900     IN      A       10.0.0.2
zeus.example.com. 900     IN      AAAA    <redacted>::2

Found zone name: example.com
The master is: zeus.example.com
start_gssrequest
Found realm from ticket: EXAMPLE.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  17277
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2030484513.sig-zeus.example.com. ANY TKEY

;; ADDITIONAL SECTION:
2030484513.sig-zeus.example.com. 0 ANY TKEY gss-tsig. 1389189213 1389189213 3
NOERROR 1334 YIIFMgYGKwYBBQUCoIIFJjCCBSKgDTALBgkqhkiG9xIBAgKiggUPBIIF
C2CCBQcGCSqGSIb3EgECAgEAboIE9jCCBPKgAwIBBaEDAgEOogcDBQAg
AAAAo4ID6GGCA+QwggPgoAMCAQWhExsRU1BFRUxNQU5ST0JCRU4uTkyi
KDAmoAMCAQGhHzAdGwNETlMbFnpldXMuc3BlZWxtYW5yb2JiZW4ubmyj
ggOYMIIDlKADAgEXoQMCAQGiggOGBIIDgmsON8wxoSZg5XB4/DKoReUo
yzxLQvrnCqA6IO2EyOQAUT0UotfWTQ0y32pCbvOKKXkAAzgbo/Q1imnF
1KiZaVKzqq6VdO+g+WxssBYVE2SElpU3h3vz9HXvDswSoq9ZyVEla44f
dbFCgjvebRPkK/Hn8Sbt05Ji3mwGhEflW1bDo40X/OojBUWYMzKxtkxK
hagWP+9h2u8whUV9Law/SONFqSrovasCrxD7qMIHLCFFYD3T7TTqUeKp
tpGmIO8hSczqHH1R3gXzWvKOf9EmhQNeuJdF99gHyd+UjXxMqXf14fWQ
wVDS/C5l3JYxOyogm19yThHvmlcXl7AdGADUuA5EgvqzgNw4ldZwC4u8
lBqgT+9lSxp1iz8Yub0408CBWY+kDNobJhIJeCMLCsH8aj2McauCgzKh
Rm/89h3sbtqy9pDuC6auI/HI6e7uDDaSUOZD7SyjAJVG1xrt3MEAmQJJ
uuvJ352EIFT21mpNBxY6WGU11oVvOSsrfaDxR8e5FbIUkbcRuh6yNzza
UWn6J5eye4tEZUBThgauwV+YdLNdolOMdqLtCEo5JNfpWGlACsv+fqWE
NCpZgtstYITnuqHLp0v5dQBQtCytnOe/LVDdDyEzBTc+KHPfbrDkU+ox
zTZPSA4zRGVvscxgYzn7Mifs7xLExdFWgnYUe+pXO/A8tCP4L1kDU8eQ
3mqm1KeOwxAATa10uLY0k0XMtnnnSCVRpgZ4+eB2+JIdZD4OIBRP3JSA
67BgsYTjxCykprs8z3mtaIjvpYHAAwdj//yrsj1UpeZne624DlZlRIHM
RZNkQZBF3s7NufUG8FMWJ1TkPXOLH5tGpvP+3JT9/nxFfZ61ffLfVjVk
ebK0ZPYYrlp9eq+FynPPMbMBjFucqssys4e3zx7uBbW+CbpKQoy0TOYk
GgWDFh2mZVzNNEe0eTsXQjzOHAiC3Ja6icAe7r5QGW0mwfuA4qB4BEIn
amo21mxyq9D7IpB0oyk5MUEJ17yF0QLrTuKXMRCuRv902xLaJVgrkeiF
6jiiGixBYs2BdAlBP4x+/Nr9Ui/9TpIqEQZxGaOkfxCih0IyNB0MeDT0
ol6H1G8DpUzfQyub4DDpvrgbuXwPjZ8tcgTNh0jkEfEx7+3sH05OUGbD
EGap6R2kRL6nXYbquzvNZX0saGcW3NpFC/2LXfvp53H+I50MOdTSb3+k
gfAwge2gAwIBF6KB5QSB4m/deyXULCy2+W8rkGjYDBUTQRAUFybgmghu
iE023YkIEbwI1LHxLPlXtmKzRm0yQ1RkGAwnemDQn3mTef9WbkZHvo6K
pdGugDRgbcx+9XKLiyYZRG7I1kyvTFmhi+GpF6TQsOt8LlLSW0vM3VSv
kgy7CqdMq4qTajRLlmBmhTcNYT6aFI9md0xyP4ShSvX8PehsOXQMjSIW
Y1rDXegTsoemF4M2TNk7AzI5Ehse2dMx3FRz9xhGitn/rNQ2mQOEaf45
bytaxzdmm9bdzk6FAf2sDPvOZWW6qorHCOINL+OQI8U= 0

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  17277
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2030484513.sig-zeus.example.com. ANY TKEY

;; ANSWER SECTION:
2030484513.sig-zeus.example.com. 0 ANY TKEY gss-tsig. 1389189213 1389192813 3
NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB
AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrzZ49asvshhYi
FpTrgwhX/iaPE/nwRdYt1IvTKdRn/MmoYK/xraGXrrRNGdzoXUp8e5F2
NZENixex7gML6rYJciVSooVPYq/k62q9tF4KpH/aC98slpC3YGjBA3fb n/vIbR3HrSwlOb9f84I= 0

Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  12629
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.             IN      SOA

;; UPDATE SECTION:
test.example.com. 0       ANY     AAAA

;; TSIG PSEUDOSECTION:
2030484513.sig-zeus.example.com. 0 ANY TSIG gss-tsig. 1389189213 300 28
BAQE//////8AAAAAMc13+SF8EK25E+C2EAqzCg== 12629 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id:  12629
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.             IN      SOA

;; TSIG PSEUDOSECTION:
2030484513.sig-zeus.example.com. 0 ANY TSIG gss-tsig. 1389189213 300 28
BAQF//////8AAAAADfmtpkMP/Nuloe3Xj3siVA== 12629 NOERROR 0

bind.log excerpt:
08-Jan-2014 14:53:33.364 database: info: samba_dlz: starting transaction on zone
example.com
08-Jan-2014 14:53:33.368 database: info: samba_dlz: allowing update of
signer=dns-update\@EXAMPLE.COM name=test.example.com tcpaddr=127.0.0.1 type=AAAA
key=2030484513.sig-zeus.example.com/160/0
08-Jan-2014 14:53:33.370 database: info: samba_dlz: cancelling transaction on
zone example.com