Authorizing dynamic updates

Name servers can be configured to accept dynamic updates only from specific entities. If a name server that ADNR updates restricts which entities can update it, ADNR must be explicitly permitted to do so. Name servers typically permit dynamic updates either from a predetermined set of source IP addresses, often called an access control list (ACL), or from clients that authenticate with digital signatures, known as transaction signatures (TSIG). Authentication using digital signatures is much more secure than authentication by source IP address, because the latter is subject to address spoofing. Furthermore, the source IP address that ADNR uses might not be entirely predictable unless deliberate steps are taken in the TCP/IP profile to make it predictable, for example through job-specific source IP address specification or another form of SOURCEVIPA configuration. Another way to cope with an unpredictable source address is to place an entire subnet in the name server's ACL; however, that permits updates from any host in the subnet, which weakens security.

Guideline: Digital signatures (TSIG authentication) provide more robust authentication than source IP address permissions (ACL).

For the BIND 9 name server, dynamic updates are allowed by ACL using the allow-update statement, or by digital signatures using the update-policy or the allow-update statement.

When dynamic updates are permitted using digital signatures (TSIG), the name server and ADNR must be configured with the same shared cryptographic key. You can generate the key using the dnssec-keygen utility. Then you define the key to the name server and reference the key from name server zone definitions that want to use it.

You must also define the TSIG key to ADNR using the key configuration statement, and then reference that key from the update_key keyword within the zone keyword of the dns statement. The key file must be protected from unauthorized access, but ADNR itself must have read access to it. Both the .key and the .private key files generated by the dnssec-keygen utility must be present for ADNR to communicate properly with the name server, even though only the .key file name is actually specified on the update_key keyword.
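The following named.conf fragment is an added illustration of the name-server side described above (it is not taken from the ADNR or BIND documentation): an ACL-based allow-update beside a TSIG-based update-policy for the same kind of zone. The zone names, subnet, key name "adnr-key" and the secret are placeholders, and the dnssec-keygen command in the comment is one way to produce the .key/.private pair that ADNR needs.

```conf
// --- ACL form: any host on the listed subnet may update the zone. ---
// Spoofable and over-broad; only here to contrast with the TSIG form.
zone "weak.example.com" {
    type master;
    file "db.weak.example.com";
    allow-update { 10.1.1.0/24; };   // placeholder subnet
};

// --- TSIG form: only an updater that holds the shared key may update. ---
// The secret is the base64 value from the .key file written by, e.g.:
//   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST adnr-key
// The key name must match on both sides: here in named.conf, and in the
// .key/.private pair that ADNR's update_key keyword references.
key "adnr-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";   // placeholder, not a real key
};

zone "example.com" {
    type master;
    file "db.example.com";
    // allow-update { key adnr-key; }; would also work, but update-policy
    // additionally limits the key to specific names and record types.
    update-policy {
        grant adnr-key subdomain example.com A AAAA;
    };
};
```

A zone may use either allow-update or update-policy, not both; if ADNR's signed updates are refused, the most common causes are a key name or secret that differs between named.conf and the key files, or clock skew beyond the TSIG time window.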