What is the issue regarding secure Dynamic DNS updates and Microsoft's and ISC's software?
This is the Frequently Given Answer to that question.
The client authentication mechanism used by Microsoft's DHCP and DNS software and the client authentication mechanism used by ISC's DHCP and DNS software, for Secure Dynamic DNS updates, are different and are mutually incompatible.
The client authentication mechanism for Secure Dynamic DNS updates is a "TSIG" resource record that the client includes in the additional section of the update datagram that it sends to the server. The data of that record contain a message authentication code (an HMAC, not a public-key signature) computed over the datagram contents, some TSIG variables (key name, algorithm name, time signed, fudge), and a secret key that the client and server share. The server recomputes the MAC with its own copy of the key, and only performs the update if the MAC matches and the time signed falls within the fudge window.
Microsoft's DHCP and DNS software use GSS-TSIG (later documented as RFC 3645). The shared secret that the DDNS client and server use is a session key negotiated automatically over a TKEY exchange using Kerberos (the client authenticates to Active Directory and obtains a ticket for the DNS server), without need for the administrator to explicitly inform either the client or the server what it is.
ISC's DHCP and DNS software use HMAC-MD5 TSIG (later versions of BIND also accept the HMAC-SHA family from RFC 4635, but the administrative model is the same). The shared secret that the DDNS client and server use is manually supplied to both by an administrator. (It is generated manually by the administrator running ISC's dnskeygen utility for BIND 8 or dnssec-keygen utility for BIND 9, supplied manually to the DNS server by the administrator entering a key directive containing it into BIND's named.conf configuration file and granting that key update rights in the zone's allow-update or update-policy clause, and supplied manually to the DNS client by the administrator using the -k option to pass a key file to ISC's nsupdate utility, or the key directive in dhcpd.conf for ISC's DHCP server.)
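The HMAC-MD5 TSIG mechanism described in the two paragraphs above (the MAC over message plus TSIG variables, and the manually shared key) is shown here in an added example that is not part of the original page and not ISC's or Microsoft's code: a minimal DNS UPDATE message is built, signed the way an nsupdate client would per RFC 2845, and then verified the way BIND would, including the BADKEY, BADSIG and BADTIME outcomes. The zone, host name, address, key name "ddns-key" and key bytes are constructed for illustration; the parser assumes uncompressed names, which is all this signer emits.

```python
import base64
import hashlib
import hmac
import struct

# RFC 2845 constants: TSIG RR type, the ANY class it is carried in,
# and the HMAC-MD5 algorithm name that BIND and nsupdate use.
TSIG_TYPE = 250
CLASS_ANY = 255
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int"

def encode_name(name):
    """Canonical wire form of a domain name: lowercase, uncompressed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(buf, off):
    """Decode an uncompressed name; returns (dotted lowercase name, next offset).
    Assumption for this example: no compression pointers (the signer never emits them)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0:
            raise ValueError("compression pointers not handled here")
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode("ascii").lower())
        off += length

def build_update(zone, host, ipv4, msg_id):
    """Minimal DNS UPDATE (opcode 5): one zone entry, one 'add A record', no prerequisites."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZO, PR, UP, AD counts
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)     # SOA IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_section = encode_name(host) + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata
    return header + zone_section + update_section

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG variables that RFC 2845 s3.4.2 appends to the message before hashing."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(HMAC_MD5_ALG)
            + struct.pack("!Q", time_signed)[2:]             # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def compute_mac(secret, message, key_name, time_signed, fudge, error=0, other=b""):
    data = message + tsig_variables(key_name, time_signed, fudge, error, other)
    return hmac.new(secret, data, hashlib.md5).digest()

def sign_update(message, key_name, secret, time_signed, fudge=300):
    """Client side: append the TSIG RR to the additional section and bump ARCOUNT."""
    mac = compute_mac(secret, message, key_name, time_signed, fudge)
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(HMAC_MD5_ALG) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr

def verify_update(signed, keyring, now):
    """Server side: find the trailing TSIG RR, recompute the MAC over the message as it
    was before the RR was added, and return the RFC 2845 outcome name."""
    zocount, prcount, upcount, arcount = struct.unpack("!HHHH", signed[4:12])
    if arcount == 0:
        return "NOTSIG"
    off = 12
    for _ in range(zocount):                            # zone entries look like questions
        off = read_name(signed, off)[1] + 4
    for _ in range(prcount + upcount + arcount - 1):    # every RR except the last one
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    key_name, off = read_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return "NOTSIG"
    alg, off = read_name(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keyring.get(key_name)
    if secret is None or alg != HMAC_MD5_ALG:
        return "BADKEY"
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", arcount - 1) + signed[12:tsig_off])
    expected = compute_mac(secret, unsigned, key_name, time_signed, fudge, error, other)
    if not hmac.compare_digest(expected, mac):           # constant-time compare
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

def key_directive(key_name, secret):
    """The named.conf key statement the administrator pastes in (same shape dnssec-keygen emits)."""
    return 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' % (
        key_name, base64.b64encode(secret).decode())
```

The verifier checks the MAC before the time window, which is the order RFC 2845 prescribes, so an attacker cannot use BADTIME replies to probe the clock of a server without already holding the key. In production, keep the key bytes out of dhcpd.conf and named.conf file permissions that other users can read; the whole scheme is only as strong as the secrecy of that one shared string.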
People from ISC and Nominum (among others) documented HMAC-MD5 TSIG in 2000-03, submitting it as an Internet-Draft, which was then published as RFC 2845 two months later in 2000-05. Microsoft's GSS-TSIG variant was later published as RFC 3645 in 2003-09, but publication did not make the two mechanisms interoperable.
Secure Dynamic DNS updates are possible with Microsoft's DHCP client or DHCP server talking to Microsoft's DNS server, or with ISC's DHCP server talking to ISC's DNS server; but are not possible when one mixes Microsoft and ISC software. Each company's software is only capable of performing secure dynamic DNS updates with the DNS server software from that same company. (Mixed deployments fall back to unauthenticated updates, or to no dynamic updates at all, which is why "nonsecure and secure" is so often left enabled on such zones.)
Essentially: If one employs Secure Dynamic DNS updates, both companies lock one into their own software.