> On 2 Apr 2020, at 11:59, Jim Popovitch via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> On Thu, 2020-04-02 at 09:27 +1100, Mark Andrews wrote:
>>> On 2 Apr 2020, at 06:53, Jim Popovitch via bind-users <
>>> bind-users@lists.isc.org> wrote:
>>> 
>>> Hello!
>>> 
>>> I started on #bind, moved on to the ARM, and now I am here.
>>> 
>>> Here is what I want:
>>> 
>>>  update-policy {grant webserver-tsig-key wildcard _acme-challenge.* TXT;};
>>> 
>>> This is what I get:
>>> 
>>>  ~$ named-checkconf 
>>>  /etc/bind/named.conf:73: '_acme-challenge.*' is not a wildcard
>>> 
>>> What am I doing wrong?
>> 
>> Presumably the webserver is locked down enough that you can just let
>> the TSIG update TXT anywhere.
> 
> Do you mean like kb.isc.org ?  :-)
> 
> Honestly, no webserver, worth its salt in 2020, is ever locked down
> well enough, imho.

The tool updating the acme challenges and certificates can definitely
be locked down enough.

You could use SIG(0) rather than TSIG to authenticate the updates and store KEY
records in the DNS for each site.  That is much easier to manage than TSIGs for
each site and doesn't require updating named.conf once it is set up, with TSIG
only being used to add the KEY records as each site is established.

        grant * self . TXT;

>> If you really need to apply tighter rules then use ‘external’ and
>> implement the check outside of named.
> 
> Thanks for that, it looks exactly like what I need/want.
> 
> -Jim P.
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
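As an added illustration of the "use 'external' and implement the check outside of named" suggestion (this is example code written for this thread, not ISC's or BIND's own code): a small policy daemon that answers BIND's external update-policy queries and applies exactly the rule Jim asked for, TXT records only, only at names whose first label is `_acme-challenge`, and only from the named TSIG signer. The datagram layout follows the format documented in the BIND ARM for the `external` rule type (version, request length, then NUL-terminated signer, name, TCP source address, record type and key, then a length-prefixed TKEY token; the reply is a 4-byte 1 for allow or 0 for deny). The socket path, the `allowed_signers` set and the exact form of the `grant ... external` line in the comment are assumptions for the example; `build_request` constructs test datagrams so the policy can be exercised without a running named.

```python
import os
import socket
import struct

# Assumed socket path; it must match the identity in named.conf, e.g.
#   update-policy { grant local:/var/run/named/acme-policy.sock external * TXT; };
# (exact grant syntax assumed here; check the ARM for your BIND version).
SOCKET_PATH = "/var/run/named/acme-policy.sock"
ACME_LABEL = "_acme-challenge"
PROTOCOL_VERSION = 1


def _take_cstring(buf, pos):
    """Return the NUL-terminated ASCII string starting at pos and the next offset."""
    end = buf.index(b"\x00", pos)          # raises ValueError if no terminator
    return buf[pos:end].decode("ascii"), end + 1


def parse_request(datagram):
    """Decode one external-policy request datagram into a dict of its fields."""
    if len(datagram) < 8:
        raise ValueError("short datagram")
    version, _req_len = struct.unpack("!II", datagram[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    pos = 8
    signer, pos = _take_cstring(datagram, pos)
    name, pos = _take_cstring(datagram, pos)
    tcp_addr, pos = _take_cstring(datagram, pos)
    rtype, pos = _take_cstring(datagram, pos)
    key, pos = _take_cstring(datagram, pos)
    (token_len,) = struct.unpack("!I", datagram[pos:pos + 4])
    token = datagram[pos + 4:pos + 4 + token_len]
    return {"signer": signer, "name": name, "tcp_addr": tcp_addr,
            "type": rtype, "key": key, "token": token}


def allow_update(req, allowed_signers):
    """Policy: TXT only, at _acme-challenge.<something> only, from a listed signer only."""
    if req["type"].upper() != "TXT":
        return False
    # Names may arrive with or without a trailing dot; normalise before comparing.
    if req["signer"].rstrip(".").lower() not in allowed_signers:
        return False
    labels = req["name"].rstrip(".").lower().split(".")
    # Require a label below _acme-challenge so the zone apex itself is not covered.
    return len(labels) >= 2 and labels[0] == ACME_LABEL


def build_request(signer, name, tcp_addr, rtype, key, token=b""):
    """Construct a request datagram in the documented layout (test helper, not named's code)."""
    body = b"".join(s.encode("ascii") + b"\x00"
                    for s in (signer, name, tcp_addr, rtype, key))
    body += struct.pack("!I", len(token)) + token
    return struct.pack("!II", PROTOCOL_VERSION, 8 + len(body)) + body


def serve(path=SOCKET_PATH, allowed_signers=frozenset({"webserver-tsig-key"})):
    """Answer named's queries on a Unix datagram socket; deny anything malformed."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o660)                  # the named user needs write access
    while True:
        datagram, peer = sock.recvfrom(65535)
        try:
            verdict = allow_update(parse_request(datagram), allowed_signers)
        except (ValueError, struct.error):
            verdict = False                # unparseable request: fail closed
        sock.sendto(struct.pack("!I", 1 if verdict else 0), peer)


if __name__ == "__main__":
    serve()
```

Because the daemon fails closed on anything it cannot parse and never consults the key material, a bug in it can only deny legitimate ACME updates, not widen what the webserver's key may change; the `allowed_signers` check is what keeps a second key granted to the same socket from inheriting the ACME permission by accident.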
