Not sure in his case, but I keep my dns configuration in git and deploy over ssh git pull followed by a dns server restart. I prefer ssh as I know better how to secure that and it seems like less attack surface.

I use both, ssh <host> "nsupdate -l". That way I don't trust nsupdates security model, yet I can still automate updates from any machine I choose.