Switching key types for authorizing updates

Tony Finch dot at dotat.at
Thu Aug 12 13:00:43 UTC 2021

John Thurston <john.thurston at alaska.gov> wrote:
> But as far as I can tell, the name of the key needs to match the hostname in
> the update-policy statement. I can define a new aes-256 key, but it can't have
> the name "foo.bar.baz.com" while the current md5 key is defined. Nor can I
> find a way to craft an update-policy statement line to let a new key with a
> different name manipulate the desired TXT records, while letting the current
> key continue to work.

I think you want something like:

	update-policy {
		grant "foo.bar.baz.com_aes256" subdomain "foo.bar.baz.com" TXT;

i.e. using the "subdomain" rule type instead of "selfsub", so the
domain name (second foo...) doesn't need to match the keyname (first

f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
work to the benefit of all

More information about the bind-users mailing list