On Fri, 2008-11-14 at 17:35 -0800, Chris Buxton wrote: > Use a firewall (with deep packet inspection) to restrict by subnet. > Then use the TSIG key in the allow-update statement. > > Unfortunately, to my knowledge, that's the only way to do this. Wouldn't using a BIND view to restrict by subnet work instead of a firewall? /Niall