Ruggerfly1
Jul 05, 2017

GTM 12.1.2HF1 Bind Vulnerability CVE-2017-3143 Mitigation

Good Morning,

Reviewing this vulnerability and wanted to see if there are options aside from the ISC posting of: allow-update { !{!10/8;any;}; key update-key; };

Since the DNS Services comes with: allow-update { localhost; };

Could a Zone be updated to only allow updates from the GTMs in the Sync Group? Ex. allow-update { !{GTM1.testdomain.com; GTM2.testdomain.com} };

Would this serve as a mitigation since it restricts to certain Hosts? I'm sure my syntax for the 2 hosts is probably not correct.

Also, 'Key update-key', is this a Key already known to the Sync group members or locally stored and used independently?

Thanks!
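
An added example, not part of the original post and not F5 or ISC code: a simplified Python model of how BIND evaluates the nested list in the ISC form quoted above, showing that `!{ !10/8; any; }; key update-key;` only accepts a request that both comes from 10/8 and carries the key. It generalizes the same pattern to two peer addresses; `192.0.2.10` and `192.0.2.11` are constructed stand-ins for the GTMs, on the assumption that the list is written with IP addresses rather than host names.

```python
import ipaddress

# Simplified, constructed model of BIND address-match-list evaluation.
# An ACL is a list of (negate, element); element is ("any",),
# ("addr", cidr), ("key", name) or ("acl", nested_list).
def match(acl, src, key):
    """First matching element decides: True=allow, False=deny, None=no match."""
    for negate, elem in acl:
        kind = elem[0]
        if kind == "any":
            hit = True
        elif kind == "addr":
            hit = ipaddress.ip_address(src) in ipaddress.ip_network(elem[1])
        elif kind == "key":
            hit = key == elem[1]  # request was accepted as signed with this key
        else:
            # Nested ACL: only a positive inner result counts as a hit; an
            # inner rejection means "this element did not match, keep going".
            hit = match(elem[1], src, key) is True
        if hit:
            return not negate
    return None

def allowed(acl, src, key=None):
    return match(acl, src, key) is True

def addr_and_key(cidrs, key_name):
    """Build  !{ !cidr1; !cidr2; ...; any; }; key key_name;"""
    inner = [(True, ("addr", c)) for c in cidrs] + [(False, ("any",))]
    return [(True, ("acl", inner)), (False, ("key", key_name))]

KEY_ONLY = [(False, ("key", "update-key"))]
ISC_FORM = addr_and_key(["10.0.0.0/8"], "update-key")
# Assumption: 192.0.2.10 and 192.0.2.11 stand in for the two GTM peers.
PEERS_AND_KEY = addr_and_key(["192.0.2.10/32", "192.0.2.11/32"], "update-key")

if __name__ == "__main__":
    for name, acl in [("key only", KEY_ONLY), ("ISC form", ISC_FORM),
                      ("peers + key", PEERS_AND_KEY)]:
        for src, key in [("203.0.113.5", "update-key"), ("10.1.2.3", None),
                         ("10.1.2.3", "update-key"), ("192.0.2.11", "update-key")]:
            print(f"{name:12} src={src:12} key={key}: {allowed(acl, src, key)}")
```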

 
