Hi all,
we are using dynamic updates for solving ACME challenges. My goal is to
restrict the key used for this as much as possible. However, I find it a
bit difficult to do so while keeping the required flexibility. Maybe
someone has some good recommendations for this?
The key is already restricted to TXT records, so that's good.
In a nutshell, I'd like to allow only "_acme-challenge.example.com" and
"_acme-challenge.*.example.com". However, the latter cannot be expressed
in the current config format.
I would be fine allowing "*.example.com", if I could just deny a select
few names (SPF, DKIM). But AFAICT, the "deny" option only works on
action, key, and address, not owner matching. Is there any other way to
achieve something like this?
Thanks a lot,
Conrad
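As an added example (not part of Conrad's post or of any DNS server's configuration), here is one way to enforce the intended rule set on the client side, in the hook that issues the dynamic update, as a second layer in front of the server ACL: the pre-check accepts TXT changes only, and only for `_acme-challenge.example.com` and `_acme-challenge.<one label>.example.com`, so the SPF and DKIM names are never sent. The zone name and the sample owner names are assumptions.

```python
"""Client-side enforcement of the update policy described in the post:
TXT only, owner either _acme-challenge.<zone> or _acme-challenge.<label>.<zone>.
Meant to run in the ACME DNS hook before the update is sent, in front of
the server ACL. Added example, not from the original post."""
import re

ZONE = "example.com"  # assumption: the zone from the post

# A single hostname label (LDH rule, 1-63 octets); the "*" in the post's
# "_acme-challenge.*.example.com" is read as exactly one label, so names
# with a deeper suffix such as _acme-challenge.a.b.example.com are rejected.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
ALLOWED_OWNER = re.compile(
    rf"^_acme-challenge\.(?:{_LABEL}\.)?{re.escape(ZONE)}$"
)


def normalize_owner(owner: str) -> str:
    """Lower-case and strip the trailing dot so case or FQDN form
    cannot be used to slip past the pattern."""
    return owner.strip().rstrip(".").lower()


def update_allowed(owner: str, rrtype: str) -> bool:
    """True only for TXT changes to a permitted ACME challenge owner."""
    if rrtype.upper() != "TXT":
        return False
    return ALLOWED_OWNER.fullmatch(normalize_owner(owner)) is not None


def rejected_changes(changes):
    """Return the (owner, rrtype) pairs of an update that violate the policy,
    so the hook can refuse the whole update instead of sending it."""
    return [(o, t) for o, t in changes if not update_allowed(o, t)]


if __name__ == "__main__":
    # Constructed sample update, as the hook might receive it.
    sample = [
        ("_acme-challenge.example.com.", "TXT"),
        ("_acme-challenge.www.example.com.", "TXT"),
        ("_ACME-Challenge.Mail.example.com", "txt"),
        ("example.com.", "TXT"),                      # SPF record: must not be touched
        ("sel1._domainkey.example.com.", "TXT"),      # DKIM record: must not be touched
        ("_acme-challenge.a.b.example.com.", "TXT"),  # two labels: not covered
        ("_acme-challenge.example.com.", "A"),        # wrong type
    ]
    for bad in rejected_changes(sample):
        print("refused:", bad)
```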