// configuration snippet for bind 9 nameserver (put it into /etc/bind9/named.conf )

key "nsupdate.info." {
    // everyone who has this key may update this zone:
    // must be same algorithm as in the Domain record of the nsupdate.info based service
    algorithm hmac-sha512;
    // the secret is just a shared secret in base64-encoding, you don't need
    // to use a special tool to create it. Some random in base64 encoding should
    // be OK. must be same secret as in the Domain database record of the nsupdate.info based service
    secret "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQ==";
};

zone nsupdate.info {
        type master;
        // bind9 needs write permissions into that directory and into that file:
        file "/etc/bind/zones/nsupdate.info";
        update-policy {
            // these "deny" entries are needed for the service domain,
            // if you add another domain, you may want to check the need
            // for other "deny" entries if the zone is not fully available.
            // we don't allow updates to the infrastructure hosts:
            deny  nsupdate.info.      name      nsupdate.info;
            deny  nsupdate.info.      name  www.nsupdate.info;
            deny  nsupdate.info.      name ipv4.nsupdate.info;
            deny  nsupdate.info.      name ipv6.nsupdate.info;
            // but we allow updates to any other host:
            grant nsupdate.info. subdomain nsupdate.info;
        };
};