> On 2 Apr 2020, at 06:53, Jim Popovitch via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> Hello!
> 
> I started on #bind, moved on to the ARM, and now I am here.
> 
> Here is what I want:
> 
>   update-policy {grant webserver-tsig-key wildcard _acme-challenge.* TXT;};
> 
> This is what I get:
> 
>   ~$ named-checkconf 
>   /etc/bind/named.conf:73: '_acme-challenge.*' is not a wildcard
> 
> What am I doing wrong?

Presumably the webserver is locked down enough that you can just let the TSIG 
update TXT anywhere.

If you really need to apply tighter rules then use ‘external’ and implement the 
check outside of named.

This is documented in the BIND 9 Administrators Reference Manual.

external

This rule allows named to defer the decision of whether to allow a given update 
to an external daemon.
The method of communicating with the daemon is specified in the identity field, 
the format of which is "local:path", where path is the location of a 
UNIX-domain socket. (Currently, "local" is the only supported mechanism.) 
Requests to the external daemon are sent over the UNIX-domain socket as 
datagrams with the following format:

Protocol version number (4 bytes, network byte order, currently 1)

Request length (4 bytes, network byte order)

Signer (null-terminated string)
Name (null-terminated string)
TCP source address (null-terminated string)
Rdata type (null-terminated string)
Key (null-terminated string)
TKEY token length (4 bytes, network byte order)
TKEY token (remainder of packet)

The daemon replies with a four-byte value in network byte order, containing 
either 0 or 1; 0 indicates that the specified update is not permitted, and 1 
indicates that it is.

Mark

> tia!
> 
> -Jim P.
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
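The request format quoted from the ARM above is enough to build the external policy daemon Mark suggests. The following is an added example written for this thread, not code from BIND or from either poster: it decodes one request, applies the rule Jim wanted (the named TSIG key may only update `_acme-challenge.*` TXT records inside its own zone) and encodes the four-byte reply. The key name `webserver-tsig-key` and zone `example.com` are constructed; two details are assumptions to check against your BIND version, marked in the comments: that the length field covers the whole request including its header, and that named connects to the socket as a stream client that writes one request and reads one reply. The parser and policy functions do not depend on either.

```python
import os
import socket
import struct

PROTOCOL_VERSION = 1

# Constructed policy table: which signer (TSIG key name) may touch which zone.
ALLOWED_SIGNERS = {"webserver-tsig-key": "example.com"}


def _cstring(buf, pos):
    """Read one null-terminated string starting at pos; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_request(data):
    """Decode a request in the ARM's layout into a dict of its fields."""
    if len(data) < 8:
        raise ValueError("short header")
    version, length = struct.unpack("!II", data[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    # Assumption: the length field is the total request length, header included.
    if length > len(data):
        raise ValueError("truncated request")
    pos = 8
    req = {}
    for field in ("signer", "name", "addr", "rtype", "key"):
        req[field], pos = _cstring(data, pos)
    (toklen,) = struct.unpack("!I", data[pos:pos + 4])
    pos += 4
    req["tkey_token"] = data[pos:pos + toklen]   # empty for plain TSIG keys
    return req


def build_request(signer, name, addr, rtype, key, token=b""):
    """Encode a request the way named would; used here to construct test input."""
    body = b"".join(s.encode("ascii") + b"\x00"
                    for s in (signer, name, addr, rtype, key))
    body += struct.pack("!I", len(token)) + token
    return struct.pack("!II", PROTOCOL_VERSION, 8 + len(body)) + body


def _norm(name):
    """DNS names are case-insensitive; drop any trailing dot for comparison."""
    return name.lower().rstrip(".")


def decide(req):
    """Return 1 if the update is permitted, 0 otherwise (deny by default)."""
    zone = ALLOWED_SIGNERS.get(_norm(req["signer"]))
    if zone is None:
        return 0
    if req["rtype"].upper() != "TXT":
        return 0
    labels = _norm(req["name"]).split(".")
    zone_labels = zone.split(".")
    # Require _acme-challenge.<anything>.<zone> or _acme-challenge.<zone>.
    if len(labels) < len(zone_labels) + 1:
        return 0
    if labels[-len(zone_labels):] != zone_labels:
        return 0
    if labels[0] != "_acme-challenge":
        return 0
    return 1


def handle(data):
    """Map one raw request to the four-byte network-order reply."""
    try:
        req = parse_request(data)
    except (ValueError, struct.error):
        return struct.pack("!I", 0)   # malformed input is never permitted
    return struct.pack("!I", decide(req))


def serve(path):
    """Answer requests on a UNIX-domain socket at path (runs until killed).
    Assumption: named connects as a stream client, writes one request and
    reads one reply; switch to SOCK_DGRAM if your build behaves differently."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)   # only named's user/group should reach the policy socket
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(handle(conn.recv(65536)))


if __name__ == "__main__":
    serve("/path/to/policy.sock")   # placeholder path; use it as local:<path> in the grant rule
```

The socket path you pass to `serve` is what goes in the identity field of the grant rule as `local:path`, per the ARM text quoted above. Everything the daemon allows should be as narrow as the table at the top: unknown signers, non-TXT types and names outside the signer's zone all fall through to 0.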
