The recommended solution is to use a TSIG compliant DHCP server on a
Unix/Linux system and have the DHCP server send TSIG signed updates. also provides an open source DHCP server. :-) You also should
limit the updates to a specific sub-domain, so that the ACLs and
directory permissions can be minimal. There's some security
configuration recommendations for signed updates in the Center for
Internet Security BIND 9 benchmark. See for
details. (I was the editor for the benchmark)

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Security Consultant

Steven Brown wrote:
> It seems Secure Dynamic Update on Windows clients violates the standard
> in such a way that the only server that can be used is Microsoft's (gee,
> what a surprise). However, I want to do it anyway. What's the best way
> to do this, ideally with only Open Source software? I could script up
> something to run a win32 build of nsupdate periodically but that seems
> rather hacky and a pain to maintain.