We currently use CNR 6.1.2 on Solaris. We want to allow out Windows 2003 Domain Namespace to do dynamic updates of the zone. The problem is that we want to make sure that these dynamic updates are secure. In that a client cannot take or change a server IP or name. How do we prevent a client machine from making a update to its record or IP address that would spoof a server IP address or name? Is this possible with TSIG or with Client-access settings?