update-policy wildcard grant

Mark Andrews marka at isc.org
Wed Apr 1 22:27:41 UTC 2020

> On 2 Apr 2020, at 06:53, Jim Popovitch via bind-users <bind-users at lists.isc.org> wrote:
> Hello!
> I started on #bind, moved on to the ARM, and now I am here.
> Here is what I want:
>   update-policy {grant webserver-tsig-key wildcard _acme-challenge.* TXT;};
> This is what I get:
>   ~$ named-checkconf 
>   /etc/bind/named.conf:73: '_acme-challenge.*' is not a wildcard
> What am I doing wrong?

Presumably the webserver is locked done enough that you can just let the TSIG update TXT anywhere.

If you really need to apply tighter rules then use ‘external’ and implement the check outside of named.

This is documented in the BIND 9 Administrators Reference Manual.


This rule allows named to defer the decision of whether to allow a given update to an external daemon.
The method of communicating with the daemon is specified in the identity field, the format of which is "local:path", where path is the location of a UNIX-domain socket. (Currently, "local" is the only supported mechanism.) Requests to the external daemon are sent over the UNIX-domain socket as datagrams with the following format:

Protocol version number (4 bytes, network byte order, currently 1)

Request length (4 bytes, network byte order)

Signer (null-terminated string)
Name (null-terminated string)
TCP source address (null-terminated string)
Rdata type (null-terminated string)
Key (null-terminated string)
TKEY token length (4 bytes, network byte order )
TKEY token (remainder of packet)

The daemon replies with a four-byte value in network byte order, containing either 0 or 1; 0 indicates that the specified update is not permitted, and 1 indicates that it is.


> tia!
> -Jim P.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list