Just a straw-man proposal, prompted by what we've just seen at DNS-OARC.

I suggest that BIND should default to permitting only TCP transport for dynamic updates that are only controlled by an IP ACL, unless deliberately configured otherwise by the administrator.

Ray
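An added example, not part of the original message and not BIND code: a small audit that finds `allow-update` statements in a `named.conf` whose match list admits a client on source address alone, which are the zones this proposal would affect. The sample configuration is constructed and the function names are hypothetical. It assumes match lists without nested braces and no comment markers inside quoted strings.

```python
import re

# Constructed sample named.conf (not from the original message).
SAMPLE_CONF = '''
acl "internal" { 192.0.2.0/24; };
acl "signed" { key "ddns-key"; };
zone "a.example" { type master; file "a.db"; allow-update { 192.0.2.53; }; };
zone "b.example" { type master; file "b.db"; allow-update { key "ddns-key"; }; };
zone "c.example" { type master; file "c.db"; allow-update { internal; key "ddns-key"; }; };
zone "d.example" { type master; file "d.db"; allow-update { signed; }; };
zone "e.example" { type master; file "e.db"; allow-update { none; }; };
'''

def strip_comments(text):
    # Blank out /* */, // and # comments while keeping line numbers stable.
    text = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group().count('\n'), text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def elements(body):
    return [e.strip() for e in body.split(';') if e.strip()]

def grants_by_address(elem, acls, seen=()):
    """True if a positive match-list element admits a client on address alone."""
    if elem.startswith('!'):
        return False                      # a negated element only denies
    name = elem.strip('"')
    if elem.startswith('key ') or name == 'none':
        return False
    if name in acls and name not in seen: # user-defined ACL: look inside it
        return any(grants_by_address(e, acls, seen + (name,)) for e in acls[name])
    return True                           # IP, prefix, any, localhost, localnets

def audit(conf):
    """Return [(line, [elements])] for allow-update lists that trust an address."""
    text = strip_comments(conf)
    acls = {m.group(1): elements(m.group(2))
            for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}', text)}
    findings = []
    for m in re.finditer(r'\ballow-update\s*\{([^{}]*)\}', text):
        elems = elements(m.group(1))
        if any(grants_by_address(e, acls) for e in elems):
            findings.append((text.count('\n', 0, m.start()) + 1, elems))
    return findings

if __name__ == '__main__':
    for line, elems in audit(SAMPLE_CONF):
        print(f'line {line}: allow-update admits by address: {elems}')
```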