To provide fine-grained controls over the ability to use Dynamic DNS (DDNS)
to update records in a zone, BIND 9 provides a feature called
update-policy. Various rules can be configured to limit the types of
updates that can be performed by a client, depending on the key used when
sending the update request. Unfortunately, some rule types were not
initially documented, and when documentation for them was added to the
Administrator Reference Manual (ARM) in change #3112, the language that was
added to the ARM at that time incorrectly described the behavior of two
rule types, krb5-subdomain and ms-subdomain. This incorrect documentation
could mislead operators into believing that policies they had configured
were more restrictive than they actually were. This affects BIND versions
prior to BIND 9.11.5 and BIND 9.12.3.
mdeslaurper the ISC advisory: "At the present time, ISC is not providing
any code changing the behavior of the update-policy feature."
deferring for now to see if the policy will change

documentation changes went into 9.11.5

we will not be changing the documentation in our stable releases
Source: bind9 (LP Ubuntu Debian)
Upstream:released (9.11.5)
Ubuntu 12.04 ESM (Precise Pangolin):ignored
Ubuntu 14.04 ESM (Trusty Tahr):ignored
Ubuntu 16.04 LTS (Xenial Xerus):ignored
Ubuntu 18.04 LTS (Bionic Beaver):ignored
Ubuntu 19.10 (Eoan Ermine):released (1:9.11.5.P1+dfsg-1ubuntu2)
More Information

Updated: 2020-01-29 20:03:32 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)