Split DNS configuration: can't update external zone from internal system using nsupdate

Solution 1:

I think the best solution would generally be to just use dedicated TSIG keys to access the different views.

I know the question mentions this and says it didn't work, but that must have been because the client matching directives of the two views were not updated appropriately.

If we assume that there are the two TSIG keys named internal and external for this purpose (looks to be the case in the question), the views should be updated along these lines:

view "internal" {
        match-clients {
                key "internal";
                !key "external";
                ... # existing IP-based matching as it was
        };
        ... # all the other stuff from the view as it was
};

and

view "external" {
        match-clients {
                key "external";
                !key "internal";
                ... # existing IP-based matching as it was
        };
        ... # all the other stuff from the view as it was
};

This way, any incoming messages (queries/updates) signed with one of these two keys will always hit the corresponding view as the new key-based matching entries are listed before any IP-based matching and exhaust all possible view/key combinations regarding these keys.

(Technically there is a bit of redundancy in my proposed solution as the order of the views is also a factor that could be used to eliminate some view/key combinations, but I would recommend explicitly listing all the combinations regardless. This way things don't fall apart if you were to reorder the views, and I personally also find it more clear what the actual intent is.)
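
The view selection described in the answer above, as a simplified model added here for illustration (not part of the original answer and not BIND code): views are tried in order, and within each `match-clients` list the first matching element decides, with a negated match rejecting. The `10.0.0.0/8` and `any` entries are assumed stand-ins for the elided IP-based matching, and the addresses are constructed samples.

```python
import ipaddress

# Constructed sample ACLs. The key names come from the answer; the IP
# entries are assumptions replacing the elided "existing IP-based matching".
VIEWS_FIXED = [
    ("internal", ["key internal", "!key external", "10.0.0.0/8"]),
    ("external", ["key external", "!key internal", "any"]),
]
# The same views with IP-based matching only, for comparison.
VIEWS_IP_ONLY = [
    ("internal", ["10.0.0.0/8"]),
    ("external", ["any"]),
]

def element_matches(element, src_ip, tsig_key):
    """Match one non-negated ACL element against source address and TSIG key."""
    if element.startswith("key "):
        return tsig_key == element[4:]
    if element == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(element)

def acl_accepts(acl, src_ip, tsig_key):
    """First matching element decides; a negated match rejects the client."""
    for element in acl:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), src_ip, tsig_key):
            return not negated
    return False

def select_view(views, src_ip, tsig_key=None):
    """Return the first view whose match-clients accepts the message."""
    for name, acl in views:
        if acl_accepts(acl, src_ip, tsig_key):
            return name
    return None

if __name__ == "__main__":
    samples = [("10.1.2.3", None), ("10.1.2.3", "external"),
               ("203.0.113.5", "internal"), ("203.0.113.5", None)]
    for ip, key in samples:
        print(f"{ip:12} key={key!s:9}"
              f" ip-only -> {select_view(VIEWS_IP_ONLY, ip, key)!s:9}"
              f" keyed -> {select_view(VIEWS_FIXED, ip, key)}")
```

With IP-only matching, an update from an internal address always lands in the internal view regardless of its signature; with the key entries listed first, the signing key selects the view and unsigned traffic still falls through to the IP rules.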