Conrad,

We are happy that you found a solution. I agree that the documentation should 
be improved. It's never perfect.

Daniel

On 9/2/24 21:24, Conrad Hoffmann wrote:
On 9/2/24 3:47 PM, Daniel Salzman wrote:
The 'deny' option should apply to every match. Please show me the current ACL 
rule.

Right, it does indeed :/ I feel a tad stupid now for not trying hard enough, 
but what really threw me off was the wording in the docs [1]:

If enabled, instead of allowing, deny the specified action, address, key, or 
combination of these items.

Much more importantly, though, I discovered that 3.3(?) introduced `update-owner-match: pattern` [2], which provides _exactly_ what I was asking for (matching "_acme-challenge.*.example.com"). So thanks for that :)

But for anyone playing along at home, this works even without `pattern`:

     acl:
       - id: txt_updates_protect
         action: update
         key: tsigkey.example.com
         update-type: [TXT]
         update-owner: name
         update-owner-name: [ _spf, _dmarc ] # Protect these records
         deny: on
       - id: txt_updates_allow
         action: update
         key: tsigkey.example.com
         update-type: [TXT]
         update-owner: name
         update-owner-name: [ example.com. ]
         update-owner-match: sub

     template:
       - id: default
         acl: [txt_updates_protect, txt_updates_allow]
         ...

So, sorry for the noise, but maybe someone else learned a thing or two, I know 
I did. And I might also submit a patch for the documentation :)

Cheers,
Conrad

[1] https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#deny
[2] https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#update-owner-match
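As an added illustration (not code from this mail or from Knot itself), a small Python model of the two-rule ACL above. It assumes the rules are tried in the order listed in the template's `acl:` list, that the first rule whose criteria all match decides (with `deny: on` refusing), that relative owner names are taken relative to `example.com.`, and that `sub` means the name itself or any name below it.

```python
from dataclasses import dataclass

ZONE = "example.com."          # zone origin for relative owner names (assumed)

def fqdn(name: str, origin: str = ZONE) -> str:
    """Return an absolute, lowercase owner name."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def owner_matches(owner: str, names: list[str], match: str) -> bool:
    """equal: identical name; sub: identical or a subdomain (assumed meaning)."""
    owner = fqdn(owner)
    for n in map(fqdn, names):
        if owner == n or (match == "sub" and owner.endswith("." + n)):
            return True
    return False

@dataclass
class Rule:
    id: str
    key: str                       # TSIG key the update must be signed with
    update_types: list[str]
    owner_names: list[str]
    owner_match: str = "sub"       # assumed default of update-owner-match
    deny: bool = False

    def matches(self, key: str, rtype: str, owner: str) -> bool:
        return (key == self.key and rtype in self.update_types
                and owner_matches(owner, self.owner_names, self.owner_match))

def update_allowed(rules: list[Rule], key: str, rtype: str, owner: str) -> bool:
    """First rule whose criteria all match decides; deny wins on that match."""
    for r in rules:
        if r.matches(key, rtype, owner):
            return not r.deny
    return False                   # nothing matched: the update is refused

# Constructed from the two-rule ACL in the mail, in template order.
ACL = [
    Rule("txt_updates_protect", "tsigkey.example.com", ["TXT"], ["_spf", "_dmarc"], deny=True),
    Rule("txt_updates_allow", "tsigkey.example.com", ["TXT"], ["example.com."]),
]

if __name__ == "__main__":
    k = "tsigkey.example.com"
    for owner in ["_spf.example.com.", "_acme-challenge.www.example.com."]:
        print(f"{owner:40} TXT -> {'allow' if update_allowed(ACL, k, 'TXT', owner) else 'deny'}")
    # With the allow rule listed first, the deny rule would never be reached.
    print("reversed order, _spf ->", update_allowed(list(reversed(ACL)), k, "TXT", "_spf.example.com."))
```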