> Now I have a domain in which more than one source must have the rights to
> do dynamic updates via TSIG. Is there a way to avoid collisions? To give
> the right-permissions in a way, that a record that is written by source_A
> not could be deleted by source_B?

no. not in bind, and not in rfc2136. source_A and source_B could choose to
cooperate, by adding a TXT RR or some other marker whose text must match the
creator's identity as a prerequisite of subsequent updates. but DNS UPDATE
has no arbitration mechanism for non-cooperating updators.

i once thought that some rule of the form "a host ought to be allowed to
change the PTR for its own address" would be useful, but ip source address
authorization/authentication is unsafe in an anti-BCP38 world like ours.
perhaps a similar rule involving IPSEC will evolve over time.
Paul Vixie