A One Host Zone


In some settings the ideal would be to avoid setting up a separate zone for dynamic updates, or to let a specific host or key modify only the records of one specific domain name: finer-grained control over who may change what. In the setting shown previously, anyone with the correct key or access to the right host is able to perform any update on the whole zone. This might not be desirable, and if you find yourself in such a situation, you should consider not implementing dynamic DNS at all. If you can't trust your users at this level, they should perhaps not be able to alter DNS at all.

But there is a "hackish" way to work around it: it is possible to make a "one host" zone. The zone can have its own update ACL, so the holder of the associated key or IP address can update only that zone and nothing outside it, and no one else can alter the zone either. The way to do this is to delegate the zone bearing the hostname to the nameservers you want, as shown previously, and then seed the zone. If the zone is for magellan.penguin.bv,

    $TTL 1m
    ;
    @       1m      SOA     ns.penguin.bv. hostmaster.penguin.bv. (
                            1               ; serial
                            5m              ; refresh
                            2m              ; retry
                            6h              ; expire
                            1m              ; minimum
                            )
            1m      NS      ns.penguin.bv.
            1m      NS      ns.herring.bv.
            1m      A       10.10.10.10

it gives magellan.penguin.bv an A record with the value 10.10.10.10. This record can be deleted and re-added just as described previously for magellan.dyn.penguin.bv. This gives finer update access control and the capability to have dynamic hosts directly under the main domain, but at the cost of configuration overhead and increased key/ACL maintenance. Of course, anyone able to update this zone can add subdomains of magellan.penguin.bv if they want to, so it can't really be called secure or considered very restricted.
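
The named.conf side of this setup, as an added example that is not from the book: it uses BIND 9 syntax, and the key name, secret placeholder and file paths are assumptions. The commented update-policy line at the end is a BIND 9 alternative that narrows the grant to the single A record, which addresses the subdomain caveat above.

```conf
// Added example, not from the book. BIND 9 named.conf syntax.
// Key name, secret placeholder and file paths are assumptions.

key "magellan-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; generate with tsig-keygen
};

// Parent zone: no allow-update, so it stays static. It only carries
// the NS delegation for magellan.penguin.bv.
zone "penguin.bv" {
    type master;
    file "penguin.bv.zone";
};

// The one-host zone. Its update ACL is separate from the parent's, so
// the key holder cannot change any record in penguin.bv itself.
zone "magellan.penguin.bv" {
    type master;
    file "dynamic/magellan.penguin.bv.zone";   // must be writable by named
    allow-update { key "magellan-key"; };
    // allow-update covers every name at or below the zone apex, so this
    // key can also create anything.magellan.penguin.bv.
};

// Stricter alternative: replace allow-update with update-policy (the two
// cannot be used together in one zone) so the key may change only the
// A record at the apex name:
//
//     update-policy { grant magellan-key name magellan.penguin.bv. A; };
```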



The Concise Guide to DNS and BIND
ISBN: 0789722739
EAN: 2147483647
Year: 1999
Pages: 183
