
Can not create DNS records in "Secure Only" zones


New thread from:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/541f4667-df37-466b-b8cc-929de6fd6159/manually-dns-registration-error-next

I'm not having any issues with creating records in "Nonsecure and secure" dynamic update zones, but as soon as I change it to "Secure only" I can't create any records via the DNS console or CLI. I recently upgraded our 2003 domain to three 2008 R2 DCs running at 2008 R2 functional level. We're still using FRS and have not migrated to DFS. I'm not sure if this was a problem before. The only error I get on dcdiag /fix is related to this article:

http://support.microsoft.com/kb/967482

I tested Kerberos authentication from a Linux box using kinit just to make sure I could auth to the domain controller, and it was working.

I did effective permissions on the DNS zone and I, a domain and enterprise admin, have full perms to the zones.  What perms should I be looking at in ADUC?  The three DCs are brand new installations of Server 2008 R2, I haven't made any perm changes to the C drive.

Via the GUI (run on DC01):

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
    0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.

Via the Command Line (run on DC01):

dnscmd DC01 /RecordAdd test.org test CNAME iss-09.test.org

Command failed:  RCODE_REFUSED     9005    0x232D

This happens when I try to create a PTR or any record in a zone where it is set to "secure only" (on any of the domain controllers). What is weird is that it actually creates an entry in the zone that I can see via ADSI Edit (DomainDNSZones). If I try an nslookup, it doesn't work though. I have to delete the entry from ADSI Edit. None of the three DCs are multihomed; they only have one NIC. Each DC is pointing to another DC for DNS as primary, but I end with 127.0.0.1.

DNS search order:

DC01 -->  172.30.110.26 (dc02) 172.30.100.76 (dc03) 127.0.0.1
DC02 -->  172.30.100.76 (dc03) 172.30.100.94 (dc01) 127.0.0.1
DC03 -->  172.30.100.94 (dc01) 172.30.110.26 (dc02) 127.0.0.1

I'll post Ace's response and questions next.
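As an added diagnostic script that is not part of the original post or of Ace's reply, the following PowerShell reproduces the failing dnscmd test from the post and then inspects the two things the error points at: the ACL on the zone object in DomainDnsZones (the extended error names nTSecurityDescriptor) and the orphaned dnsNode object the poster had to remove by hand in ADSI Edit. It assumes the AD domain DN for test.org is DC=test,DC=org (an assumption; substitute your own), that the zone is stored in the DomainDnsZones partition as the post says, and that the ActiveDirectory PowerShell module (RSAT) is available on DC01. The zone, record and DC names are the post's own.

```powershell
# Added diagnostic example; not code from the original thread.
# Assumptions: domain DN is DC=test,DC=org, zone test.org is AD-integrated
# in the DomainDnsZones partition, ActiveDirectory module is installed.
# Run on DC01 in an elevated PowerShell as a domain admin.
Import-Module ActiveDirectory

$dc       = 'DC01'
$zone     = 'test.org'
$record   = 'test'
$domainDN = 'DC=test,DC=org'                                   # assumption
$zoneDN   = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
$fqdn     = "$($record).$($zone)"

# 1. Confirm the zone really is AD-integrated and set to secure-only update.
#    In dnscmd /ZoneInfo output, "update = 2" is secure only and
#    "DS integrated = 1" means the zone lives in the directory.
dnscmd $dc /ZoneInfo $zone | Select-String -Pattern 'update|DS integrated|zone type'

# 2. Reproduce the failing add exactly as in the post and keep the exit code
#    (RCODE_REFUSED 9005 / 0x232D in the poster's case).
dnscmd $dc /RecordAdd $zone $record CNAME "iss-09.$zone"
"dnscmd exit code: $LASTEXITCODE"

# 3. Check whether the name is actually served. The post says it is not.
#    nslookup is used rather than Resolve-DnsName, which 2008 R2 lacks.
nslookup $fqdn $dc

# 4. Inspect the zone object's ACL in DomainDnsZones. Creating a record in a
#    secure-only zone means creating a child dnsNode under this object, so
#    list who holds CreateChild / GenericAll / WriteDacl on it.
$acl = Get-Acl -Path "AD:\$zoneDN"
"Zone object owner: $($acl.Owner)"
$acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|WriteDacl' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize

# 5. Look for the orphaned dnsNode the post describes: present in ADSI Edit,
#    not answered by DNS. A healthy node carries binary record data in
#    dnsRecord; dNSTombstoned = True marks a node DNS considers deleted.
$node = Get-ADObject -SearchBase $zoneDN -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=dnsNode)(name=$record))" `
            -Properties dnsRecord, dNSTombstoned, nTSecurityDescriptor `
            -ErrorAction SilentlyContinue

if ($node) {
    "Found dnsNode: $($node.DistinguishedName)"
    "  dNSTombstoned  = $($node.dNSTombstoned)"
    "  dnsRecord count = $(@($node.dnsRecord).Count)"
    "  node owner      = $($node.nTSecurityDescriptor.Owner)"
    # Same cleanup the poster did by hand in ADSI Edit, previewed with -WhatIf.
    # Drop -WhatIf once you have confirmed this is the stale object.
    Remove-ADObject -Identity $node.DistinguishedName -WhatIf
} else {
    "No dnsNode named '$record' directly under $zoneDN"
}
```

Step 4 is the check to read first: if the account running dnscmd (or the DNS server's own computer account, which does the write on its behalf) does not appear with CreateChild on the zone object, or the owner is unexpected, that is where the nTSecurityDescriptor constraint error in the post is most likely coming from. Step 5 shows the half-created node the poster saw; its owner and dNSTombstoned flag tell you whether the directory write succeeded while the DNS server then refused to serve it.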

