update-policy wildcard grant

Mark Andrews marka at isc.org
Thu Apr 2 01:17:58 UTC 2020



> On 2 Apr 2020, at 11:59, Jim Popovitch via bind-users <bind-users at lists.isc.org> wrote:
> 
> On Thu, 2020-04-02 at 09:27 +1100, Mark Andrews wrote:
>>> On 2 Apr 2020, at 06:53, Jim Popovitch via bind-users <
>>> bind-users at lists.isc.org> wrote:
>>> 
>>> Hello!
>>> 
>>> I started on #bind, moved on to the ARM, and now I am here.
>>> 
>>> Here is what I want:
>>> 
>>>  update-policy {grant webserver-tsig-key wildcard _acme-challenge.* 
>>> TXT;};
>>> 
>>> This is what I get:
>>> 
>>>  ~$ named-checkconf 
>>>  /etc/bind/named.conf:73: '_acme-challenge.*' is not a wildcard
>>> 
>>> What am I doing wrong?
>> 
>> Presumably the webserver is locked done enough that you can just let
>> the TSIG update TXT anywhere.
> 
> Do you mean like kb.isc.org ?  :-)
> 
> Honestly, no webserver, worth it's salt in 2020, is ever locked down
> well enough, imho.

The tool updating the acme challenges and certificates can definitely
be locked down enough.

You could use SIG(0) rather than TSIG to authenticate the updates and store KEY
records in the DNS for each site.  That is much easier to manage than TSIG’s for
each site and doesn’t require updating named.conf once it is setup with TSIG only
being used to add the KEY records as each site is establised.

	grant * self . TXT;

>> If you really need to apply tighter rules then use ‘external’ and
>> implement the check outside of named.
> 
> Thanks for that, it looks exactly like what I need/want.
> 
> -Jim P.
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org



More information about the bind-users mailing list