Those records have an ACL on them to stop registered records from being hijacked by other hosts.
In addition, Secure Dynamic Update can be required for zones that are Active Directory-integrated (and should be required, per best practices), which allows only members of the Authenticated Users group to register records.
In practice, this means the DHCP server computer account will own certain records in DNS, such as the PTR records and even some A records for older hosts.
(However, it's unlikely that you would have many NT 4.0 hosts in your environment.) This can cause the following two problems: For this reason, DHCP servers could be added to a group called DnsUpdateProxy.
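An added audit example (not from the original page), in PowerShell with the DnsServer and ActiveDirectory modules: it lists AD-integrated zones that do not require Secure Dynamic Update, shows which accounts own the dynamically registered records in one zone, and lists the members of DnsUpdateProxy. The zone name `corp.example.com` and the helper `Get-DnsRecordOwner` are assumptions made for the example.

```powershell
# Added example, not from the original page. Run on a DNS server or an RSAT
# host with the DnsServer and ActiveDirectory modules available.
Import-Module DnsServer, ActiveDirectory

$ZoneName = 'corp.example.com'   # placeholder: replace with your own zone

# 1. AD-integrated primary zones that do NOT require Secure Dynamic Update.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and
                   $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, DynamicUpdate, IsReverseLookupZone |
    Format-Table -AutoSize

# To require Secure Dynamic Update on a zone (review before running):
# Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure

# 2. Hypothetical helper: read the owner from the ACL of each dynamically
#    registered record, so records owned by a DHCP server computer account
#    (rather than by the host itself) stand out.
function Get-DnsRecordOwner {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string[]]$RRType = @('A', 'PTR')
    )
    foreach ($type in $RRType) {
        Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType $type |
            Where-Object { $_.Timestamp } |   # static records carry no timestamp
            ForEach-Object {
                [pscustomobject]@{
                    HostName = $_.HostName
                    Type     = $_.RecordType
                    Owner    = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
                }
            }
    }
}

# Count records per owner; computer accounts end in '$'.
Get-DnsRecordOwner -ZoneName $ZoneName |
    Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Accounts currently in the DnsUpdateProxy group.
Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object Name, objectClass, distinguishedName
```

Run the owner report against the reverse lookup zone as well to see who owns the PTR records.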
This helps create a virtual connection between the endpoint and the source.
To understand this concept better, the IP can be compared to a postal system where a labelled package is dropped into the system, which helps you connect the sender to the receiver.