This short guide assumes that you already had DHCP interim updates working before you decided to activate signed DDNS (which is used by Windows workstations). If not, please look on the internet for a guide on setting that up.

Why does DHCP interim have to be deactivated when signed DDNS is used?

Most tutorials about DHCP DDNS use a configuration like this to authorize updates from the DHCP server:

  allow-update { key dhcpupdate; };

But BIND9 does not accept both allow-update and update-policy in the same zone, and signed DDNS is configured through update-policy.

The solution

The solution is to migrate from allow-update to update-policy. To do so, add a rule like this to the update-policy for your DNS zone: grant dhcp.example.org subdomain example.org A AAAA; so that the whole thing looks like:

   update-policy {
        grant dhcp.example.org  subdomain example.org A AAAA;
        grant EXAMPLE.ORG ms-self * A AAAA;
   };

Once that is done, find the definition of the DHCP update key (dhcpupdate in my example) and rename it to dhcp.example.org (where example.org is your DNS domain). Tutorials usually propose either creating a separate file to store the key or adding a key stanza to named.conf. Either way, you have to change it to something like this:

key dhcp.example.org {
  algorithm hmac-md5;
  secret "YOURKEYGOESHERE";
};

The last step is to modify dhcpd.conf and replace every occurrence of the old key name with the new one (i.e. dhcpupdate becomes dhcp.example.org). One last note: if your DHCP server runs on a different machine than the DNS server and the key is stored in a separate file, you need to change the name of the key in that file as well.

Once everything is modified, restart dhcpd and bind9 and everything should work (verify it, as your mileage may vary).
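
One way to check the migration before restarting, as an added example that is not part of the original guide: the script below flags a zone that still carries both allow-update and update-policy, and a key name that was renamed on one side only. The functions blocks and check and the sample configurations are hypothetical, and the script assumes the contents of any separate key file have been appended to the text it is given.

```python
import re

def blocks(conf, keyword):
    """Yield (name, body) for each `keyword name { ... }` stanza in conf."""
    conf = re.sub(r"(?m)(^|\s)(#|//).*$", "", conf)   # drop line comments
    pat = r'\b%s\s+"?([\w.-]+?)\.?"?(?:\s+IN)?\s*\{' % keyword
    for m in re.finditer(pat, conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):                # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).lower(), conf[m.end():i - 1]

def check(named_conf, dhcpd_conf):
    """Return the problems that would break the allow-update -> update-policy move."""
    problems = []
    named_keys = {name for name, _ in blocks(named_conf, "key")}
    for zone, body in blocks(named_conf, "zone"):
        if re.search(r"\ballow-update\s*\{", body) and "update-policy" in body:
            problems.append(f"named zone {zone}: allow-update and update-policy both set")
        # Only 'subdomain' grants name a TSIG key; ms-self names a Kerberos realm.
        for ident in re.findall(r"\bgrant\s+(\S+)\s+subdomain\b", body):
            if ident.lower() not in named_keys:
                problems.append(f"named zone {zone}: grant uses undefined key {ident}")
    dhcp_keys = {name for name, _ in blocks(dhcpd_conf, "key")}
    for zone, body in blocks(dhcpd_conf, "zone"):
        for ref in re.findall(r"\bkey\s+([\w.-]+)\s*;", body):
            if ref.lower() not in dhcp_keys:
                problems.append(f"dhcpd zone {zone}: key {ref} not defined in dhcpd.conf")
            elif ref.lower() not in named_keys:
                problems.append(f"dhcpd zone {zone}: key {ref} unknown to named")
    return problems

KEY = 'key %s { algorithm hmac-md5; secret "YOURKEYGOESHERE"; };\n'
# Constructed sample: key renamed in named.conf only, old allow-update left in place.
HALF_NAMED = KEY % "dhcp.example.org" + """zone "example.org" {
    type master;
    allow-update { key dhcpupdate; };
    update-policy { grant dhcp.example.org subdomain example.org A AAAA; };
};"""
HALF_DHCPD = KEY % "dhcpupdate" + "zone example.org. { primary 127.0.0.1; key dhcpupdate; }"
# Constructed sample: the finished migration as the guide describes it.
DONE_NAMED = HALF_NAMED.replace("    allow-update { key dhcpupdate; };\n", "")
DONE_DHCPD = HALF_DHCPD.replace("dhcpupdate", "dhcp.example.org")

if __name__ == "__main__":
    for label, args in (("half", (HALF_NAMED, HALF_DHCPD)), ("done", (DONE_NAMED, DONE_DHCPD))):
        print(label, check(*args) or "OK")
```

The algorithm and secret also have to be identical on the DHCP and DNS sides; the script only compares key names.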