Jiří Černý
2018-Aug-22 13:47 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> Yes, it is a failure, but a failure of the script, it shouldn't print
> all those Python errors, it should print something like 'No update
> required' for each attempted update and then 'No updates required'

Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names only just throws

    ; TSIG error with server: tsig verify failure
    Failed nsupdate: 2

which looks more serious.

> What it does show is that it isn't a Samba problem, but something to do
> with the interaction of Bind9 and Samba AD.

Same errors I get with Samba internal DNS, so I don't think it is Bind related. Or maybe I can't understand you, sorry.

> It is your decision, but I wouldn't allow anything to
> change /etc/resolv.conf on a DC.
>
> I can only speak about my experience with the order of
> nameservers in /etc/resolv.conf. All my DC's have their ipaddress as
> the first nameserver, followed by the other DC's. I never add any
> nameservers outside the domain, this is what 'forwarders' is for. I
> also never add a 'domain' line.
>
> With a DC based on the above, I have never experienced 'islanding'

All DCs have static IP configuration, but it's done by nmtui. I never had a problem with this on the many CentOS 7 servers I manage. I changed all DCs to point to themselves first, then to the others. And I also deleted the domain search line, as you recommend.

Jiri