This Windows command:

dnscmd dcname /config /OpenAclOnProxyUpdates 1

triggers setting the OpenACLOnProxyUpdates flag. This is not implemented in Samba though; the value is currently fixed to "0":

[2022/05/10 09:33:25.513818, 0, pid=2752430, effective(0, 0), real(0, 0)] ../../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1230(dnsserver_operate_server)
  dnsserver: server operation 'ResetDwordProperty' not implemented
     DnssrvOperation2: struct DnssrvOperation2
        in: struct DnssrvOperation2
            dwClientVersion : DNS_CLIENT_VERSION_LONGHORN (458752)
            dwSettingFlags : 0x00000000 (0)
            pwszServerName : *
                pwszServerName : 'dc3'
            pszZone : NULL
            dwContext : 0x00000000 (0)
            pszOperation : *
                pszOperation : 'ResetDwordProperty'
            dwTypeId : DNSSRV_TYPEID_NAME_AND_PARAM (15)
            pData : union DNSSRV_RPC_UNION(case 15)
            NameAndParam : *
                NameAndParam: struct DNS_RPC_NAME_AND_PARAM
                    dwParam : 0x00000001 (1)
                    pszNodeName : *
                        pszNodeName : 'OpenACLOnProxyUpdates'
[2022/05/10 09:33:25.514925, 1, pid=2752430, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:484(ndr_print_function_debug)
     DnssrvOperation2: struct DnssrvOperation2
        out: struct DnssrvOperation2
            result : WERR_CALL_NOT_IMPLEMENTED

The flag is documented here:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/8903e50a-9183-4a7d-9640-53f6f5a91481#Appendix_A_Target_188
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd334715(v=ws.10)
After shedding some more thoughts on this, all this looks like a bad idea. If the DnsUpdateProxy group is allowed to modify all DNS entries, then a client can request any name from the DHCP server and this way modify the DNS indirectly. On the other hand, it would be possible to add an inheritable ACE to the DNS zone for the DnsUpdateProxy group to achieve the same behavior. That being said, I'm closing this as WONTFIX.
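
An audit check for the inheritable-ACE alternative mentioned in the comment above, added here as an example and not part of the original bug report or Samba's code: it parses a zone object's SDDL security descriptor and lists the inheritable allow ACEs that give one trustee write access. The SID and both zone descriptors are constructed placeholders, and conditional ACEs are not handled.

```python
import re

# Constructed placeholder; the real DnsUpdateProxy SID is domain-specific.
DNS_UPDATE_PROXY_SID = "S-1-5-21-1111111111-2222222222-3333333333-1103"

# SDDL rights tokens that permit changing a directory object or
# creating/deleting its children, and the same rights as access-mask bits.
WRITE_TOKENS = {"GA", "GW", "WP", "CC", "DC", "DT", "SD", "WD", "WO"}
WRITE_MASK = 0x500D0063
INHERIT_FLAGS = {"CI", "OI"}  # ACE is propagated to child objects


def tokens(field):
    """Split an SDDL flags/rights field into its two-letter tokens."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def grants_write(rights):
    """True if the rights field (token string or hex mask) allows modification."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool(tokens(rights) & WRITE_TOKENS)


def inheritable_write_aces(sddl, sid):
    """Return DACL allow ACEs for `sid` that grant write and inherit to children."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^()]*\))*)", sddl)
    hits = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, trustee = fields[0], fields[1], fields[2], fields[5]
        if (ace_type in ("A", "OA") and trustee == sid
                and tokens(flags) & INHERIT_FLAGS and grants_write(rights)):
            hits.append("(" + ace + ")")
    return hits


# Constructed zone descriptors, not taken from a real domain.
ZONE_DEFAULT = "O:DAG:DAD:AI(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;CC;;;AU)(A;;RPLCLORC;;;WD)"
ZONE_OPENED = ZONE_DEFAULT + "(A;CI;RPWPCCDCLCSDRC;;;" + DNS_UPDATE_PROXY_SID + ")"

if __name__ == "__main__":
    for name, sd in (("default", ZONE_DEFAULT), ("opened", ZONE_OPENED)):
        print(name, inheritable_write_aces(sd, DNS_UPDATE_PROXY_SID))
```

Any ACE it reports means members of that group can change every record below the zone, which is the indirect-modification exposure the comment describes.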