On 9/2/24 3:47 PM, Daniel Salzman wrote:
> The 'deny' option should apply to every match.
> Please show me the current ACL rule.
Right, it does indeed :/ I feel a tad stupid now for not trying hard
enough, but what really threw me off was the wording in the docs [1]:
    If enabled, instead of allowing, deny the specified
    action, address, key, or combination of these items.
Much more importantly, though, I discovered that 3.3(?) introduced
`update-owner-match: pattern` [2], which provides _exactly_ what I was
asking for (matching "_acme-challenge.*.example.com"). So thanks for that :)
But for anyone playing along at home, this works even without `pattern`:
acl:
  - id: txt_updates_protect
    action: update
    key: tsigkey.example.com
    update-type: [TXT]
    update-owner: name
    update-owner-name: [ _spf, _dmarc ]  # Protect these records
    deny: on
  - id: txt_updates_allow
    action: update
    key: tsigkey.example.com
    update-type: [TXT]
    update-owner: name
    update-owner-name: [ example.com. ]
    update-owner-match: sub

template:
  - id: default
    acl: [txt_updates_protect, txt_updates_allow]
...
So, sorry for the noise, but maybe someone else learned a thing or two,
I know I did. And I might also submit a patch for the documentation :)
Cheers,
Conrad
[1] https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#deny
[2] https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#update-owner-match
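Added example, not code from the thread or from Knot DNS: a small Python model of first-match ACL evaluation (the ordering and "no match means refused" semantics are assumptions about Knot, not taken from its source) run over the two rules in the message, to show why the deny rule has to be listed before the allow rule and that the sub-only match leaves the apex TXT record protected.

```python
# Added example (not code from the thread or from Knot DNS): a simplified
# model of how the two ACL rules above are evaluated, used to check that the
# 'deny' rule must come first. Assumptions: rules are tried in order, the first
# rule whose conditions all match decides, 'deny: on' denies, and no match
# means the update is refused. Owner names are relative to the zone unless
# they end with a dot, mirroring the config in the message.
ZONE = "example.com."

RULES = [  # the two rules from the message, as Python dicts
    {"id": "txt_updates_protect", "key": "tsigkey.example.com",
     "update-type": ["TXT"], "update-owner-name": ["_spf", "_dmarc"],
     "deny": True},
    {"id": "txt_updates_allow", "key": "tsigkey.example.com",
     "update-type": ["TXT"], "update-owner-name": ["example.com."],
     "update-owner-match": "sub"},
]

def to_fqdn(name, zone=ZONE):
    """Expand a relative owner name against the zone."""
    return name if name.endswith(".") else f"{name}.{zone}"

def owner_matches(owner, names, mode):
    """Apply update-owner-match semantics: equal, sub, or sub-or-equal."""
    for name in (to_fqdn(n) for n in names):
        if mode in ("equal", "sub-or-equal") and owner == name:
            return True
        if mode in ("sub", "sub-or-equal") and owner.endswith("." + name):
            return True
    return False

def evaluate(rules, key, rtype, owner):
    """Return ('allow'|'deny', matching rule id or None) for one RR update."""
    for rule in rules:
        if rule["key"] != key or rtype not in rule["update-type"]:
            continue
        mode = rule.get("update-owner-match", "sub-or-equal")
        if not owner_matches(owner, rule["update-owner-name"], mode):
            continue
        return ("deny" if rule.get("deny") else "allow", rule["id"])
    return ("deny", None)  # no rule matched: the update is refused

if __name__ == "__main__":
    for owner in ("_spf.example.com.",
                  "_acme-challenge.www.example.com.", "example.com."):
        print(owner, evaluate(RULES, "tsigkey.example.com", "TXT", owner))
```

Swapping the order of RULES lets the allow rule match `_spf.example.com.` first, which is the failure mode the protect-before-allow ordering avoids.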