A Safer nsupdate?

rel at gulbransen.com
Sat Dec 11 04:43:19 UTC 1999


Greetings All,

I've been playing with nsupdate lately (bind 8.2.2p5) on FreeBSD and Solaris.  I've been working on a way
to make it any safer than having the allow-update parameter set to certain IPs.  The following
is a howto-type summary of what I've been playing with.  If you have any suggestions that would be
helpful, please respond.

Also, it seems that there are hooks in place to nsupdate to make it do application layer key pair
authentication, but I've yet to figure out exactly how to use that.

And now for something completely different:
How to set up bind to accept updates via nsupdate:
 
The ability to use nsupdate assumes that you can successfully resolve the
name.domain pair that you're attempting to update. The nsupdate utility talks
directly to the bind server that is the SOA for that zone.
 
Authority to update the name server is segmented on a zone by zone basis.  It
is configured in the named.conf file by specifying an 'allow-update' call in
the zone stanza.
 
The following example would allow host '192.168.43.1' to send nsupdate
requests to the server who is SOA for foo.com:
 
zone "foo.com" {
        type master;
        file "zone.foo";
        allow-update { 192.168.43.1; };
};
 
After the named process is HUP'd, 192.168.43.1 is ready to send update
requests.
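As an added illustration (not part of the original post), here is a small Python check that reads zone stanzas like the one above from a constructed named.conf sample and flags every zone whose allow-update ACL is made only of addresses, so that the server trusts the update on the packet's source address alone. The `key` statement and the `allow-update { key "name"; };` form are BIND's own syntax for TSIG-authenticated updates; the secret in the sample is a placeholder.

```python
import re

# Constructed sample named.conf (not from the post): the post's address-only
# ACL, a TSIG key-based ACL, and a zone that accepts no updates at all.
SAMPLE_NAMED_CONF = '''
key "foo-update" {
        algorithm hmac-md5;
        secret "PLACEHOLDER-BASE64-SECRET==";  // placeholder, generate your own
};
zone "foo.com" {
        type master;
        file "zone.foo";
        allow-update { 192.168.43.1; };
};
zone "bar.com" {
        type master;
        file "zone.bar";
        allow-update { key "foo-update"; };
};
zone "baz.com" {
        type master;
        file "zone.baz";
};
'''

# A zone stanza ends with "};" at the start of a line, as in the post's example.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ACL_RE = re.compile(r'allow-update\s*\{([^}]*)\}')


def audit_allow_update(conf):
    """Map each zone to 'no-updates', 'key' or 'address-only'.

    'address-only' means some ACL element is a bare address, prefix or any,
    so the server trusts the update on the packet's source address alone.
    """
    findings = {}
    for name, body in ZONE_RE.findall(conf):
        m = ACL_RE.search(body)
        raw = '' if m is None else m.group(1)
        elems = [e.strip().lower() for e in raw.split(';') if e.strip()]
        if not elems or elems == ['none']:
            findings[name] = 'no-updates'
        elif all(e.startswith('key ') for e in elems):
            findings[name] = 'key'
        else:
            findings[name] = 'address-only'
    return findings
```

Run it against your own named.conf (read the file into `audit_allow_update`) and treat every 'address-only' zone as one where a spoofed or compromised source address is enough to change records.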
 
Important: Use the nsupdate utility from the SAME distribution as your bind,
e.g. if you downloaded bind 8.2.2p5, use the nsupdate from 8.2.2p5.  Even
though the options available on previous versions of nsupdate look identical to
the newer nsupdate... do not be fooled... it may not work.
 