Kacper Wirski
2018-Jul-30 19:01 UTC
[Samba] samba 4.8.3 with BIND dynamic dns update failed
Hello,

I ran into a new issue today. My setup is 2 DCs with Samba 4.8.3 with BIND as DNS, with secure DNS updates only. Everything is working pretty fine, except that today one of the recently added machines was first unable to update, then unable to update its own entry. In the BIND log I see that the update is refused.

The account that was failing with the update was earlier - a couple of times actually - added to and removed from the domain, and I'm pretty certain that this is the reason for the failure, but I couldn't "clean it up". I removed the machine from AD, deleted the account from AD, restarted Samba and BIND, and added the machine once again with the same name. I did wbinfo -i <machine name> on both DCs and it seems fine. Overall, GPOs were being applied correctly, except for the secure DNS update.

Probably that's something easy to fix; right now I simply changed the machine name and added it again to AD - and as expected everything works splendidly. I suspect that "something" for whatever reason remembers the previous AD entry for this machine and there is some key mismatch during the secure update (like a different kvno is expected).

Before I dig too deep into this, I guess that someone has already come across this issue and found a solution?

Regards,
Kacper