See https://dnns.no/dynamic-dns-with-bind-and-nsupdate.html

Install the bin directory someplace (ie, /opt/bin) and definitely most
definitely, set ownership and permissions very, very strict.

Now, in ~root/.ssh/authorized_keys, create an entry similar to this:

command="/opt/bin/updatedns", ssh-rsa AAAAB3NzaC.... root@servername

where everything after the comma+space (you MUST have the space) is a key
from the machine allowed to do updates. That ssh key must be able to connect
with no password.

bin/keys/ must contain the rndc keys that allow us to talk to the BIND
server.

Following must be in /etc/bind/named.conf.local. Teh slave_server_1 & 2 are
the IP's of the slaves to be updated when an IP changes. The zone file will
be kept in /etc/bind/DYN/domain.name.dns (replace with your real domain
name)
======================================================
include "/etc/bind/keys.conf";

zone "dyndd.net" {
   type master;
   file "DYN/domain.name.dns";
   allow-update {
      key dyndd.net. ;
   };
   allow-transfer { slave_server_1; slave_server_2;  };
   also-notify { slave_server_2;  };
};
=======================================================

/etc/bind/keys.conf contains
=======================================================
key dyndd.net. {
   algorithm HMAC-MD5;
   secret "a key that was generated==";
};
=======================================================