Subtle problem reported by Bluecat via support ticket:

https://support.isc.org/Ticket/Display.html?id=14222

They found a scenario where dual-stack mode does not work correctly. When both ddns-guard-id-must-match and ddns-other-guard-is-dynamic are enabled, the server does not correctly distinguish between no guard record present and guard record present but does not match the client, when a guard record of the other type is present.

This causes the server to decide a v4 A record with a TXT guard record for a different client, is actually a static entry because the same hostname has a v6 DHCID record. It then precedes to replace the A/PTR records and adds another v4 TXT record for the new client.

What it should have done is recognized the presence of a none-matchingTXT record, and not do the updates.

I created a patch (attached) for them that corrects this be adding the necessaryDNS pre-requisite when both of those knobs are true:

14222_v441.patch