update-policy wildcard grant
Jim Popovitch
jimpop at domainmail.org
Thu Apr 2 00:59:56 UTC 2020
On Thu, 2020-04-02 at 09:27 +1100, Mark Andrews wrote:
> > On 2 Apr 2020, at 06:53, Jim Popovitch via bind-users <
> > bind-users at lists.isc.org> wrote:
> >
> > Hello!
> >
> > I started on #bind, moved on to the ARM, and now I am here.
> >
> > Here is what I want:
> >
> > update-policy {grant webserver-tsig-key wildcard _acme-challenge.*
> > TXT;};
> >
> > This is what I get:
> >
> > ~$ named-checkconf
> > /etc/bind/named.conf:73: '_acme-challenge.*' is not a wildcard
> >
> > What am I doing wrong?
>
> Presumably the webserver is locked down enough that you can just let
> the TSIG update TXT anywhere.
Do you mean like kb.isc.org ? :-)
Honestly, no webserver, worth its salt in 2020, is ever locked down
well enough, imho.
> If you really need to apply tighter rules then use ‘external’ and
> implement the check outside of named.
Thanks for that, it looks exactly like what I need/want.
-Jim P.
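
Added example, not part of the original message and not ISC code: a sketch of the decision logic an `external` helper could apply so that the key from the post may only touch TXT records whose leftmost label is `_acme-challenge`. The request layout (two 4-byte header words, five NUL-terminated strings in the order signer, name, source address, rdata type, key, then a token length and token) and the 4-byte 0/1 reply are assumptions based on the ARM's description of `external`; check them against the ARM for your BIND version. The socket listener is left out, and `build()` only constructs sample input.

```python
import struct

SIGNER = "webserver-tsig-key"   # key name taken from the post
LABEL = "_acme-challenge"       # leftmost label the post wants to allow
FIELDS = ("signer", "name", "addr", "rdtype", "key")  # assumed field order

def parse_request(buf):
    """Decode one request; raise ValueError on anything malformed."""
    if len(buf) < 8:
        raise ValueError("short header")
    version, _length = struct.unpack("!II", buf[:8])  # length is not relied on
    if version != 1:
        raise ValueError("unsupported version")
    req, pos = {}, 8
    for field in FIELDS:
        end = buf.find(b"\0", pos)
        if end < 0:
            raise ValueError("unterminated " + field)
        req[field] = buf[pos:end].decode("ascii")  # decode errors are ValueError
        pos = end + 1
    if len(buf) - pos < 4:
        raise ValueError("missing token length")
    (token_len,) = struct.unpack("!I", buf[pos:pos + 4])
    if token_len > len(buf) - pos - 4:
        raise ValueError("token overruns message")
    return req

def norm(name):
    """Compare names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()

def decide(buf):
    """Return the 4-byte reply: 1 permits the update, 0 refuses. Fails closed."""
    try:
        req = parse_request(buf)
    except ValueError:
        return struct.pack("!I", 0)
    labels = norm(req["name"]).split(".")
    ok = (norm(req["signer"]) == SIGNER
          and req["rdtype"].upper() == "TXT"
          and len(labels) >= 2 and labels[0] == LABEL and all(labels))
    return struct.pack("!I", int(ok))

def build(signer, name, rdtype, addr="192.0.2.10"):
    """Constructed sample request (not captured traffic), empty token."""
    body = b"".join(s.encode() + b"\0" for s in (signer, name, addr, rdtype, ""))
    body += struct.pack("!I", 0)
    return struct.pack("!II", 1, 8 + len(body)) + body
```

Anything that fails to parse is refused, so a malformed or truncated request can never widen what the key is allowed to update.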