Hi,

The 'deny' option should apply to every match. Please show me the current ACL 
rule.

Daniel

On 9/2/24 12:52, Conrad Hoffmann via knot-dns-users wrote:
Hi all,

We are using dynamic updates for solving ACME challenges. My goal is to restrict the key used for this as much as possible. However, I find it a bit difficult to do so while keeping the required flexibility. Maybe someone has some good recommendations for this?

The key is already restricted to TXT records, so that's good.

In a nutshell, I'd like to allow only "_acme-challenge.example.com" and 
"_acme-challenge.*.example.com". However, the latter cannot be expressed in the current 
config format.

I would be fine allowing "*.example.com", if I could just deny a select few names (SPF, DKIM). But AFAICT, the "deny" option only works on action, key, and address, not owner matching. Is there any other way to achieve something like this?

Thanks a lot,
Conrad
--
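A configuration along the lines Daniel describes (deny rules that match on owner name, listed before the allow rule), as an added example that is not taken from the thread. It assumes a key named `acme-key`, the zone `example.com`, fully qualified owner names, and that Knot applies the first ACL in the zone's list that matches the request.

```yaml
# Added example, not from the thread. Assumed key id "acme-key" and zone "example.com";
# the secret is a placeholder. Knot evaluates the zone's acl list in order and applies
# the first matching rule, so the deny rules must come before the allow rule.
key:
  - id: acme-key
    algorithm: hmac-sha256
    secret: <base64-secret-placeholder>

acl:
  # Refuse TXT updates to the apex (SPF lives there) and to the DMARC record.
  - id: acme-deny-exact
    key: acme-key
    action: update
    deny: on
    update-type: [TXT]
    update-owner: name
    update-owner-match: equal
    update-owner-name: [example.com., _dmarc.example.com.]

  # Refuse TXT updates to the whole DKIM subtree (selector._domainkey.example.com).
  - id: acme-deny-dkim
    key: acme-key
    action: update
    deny: on
    update-type: [TXT]
    update-owner: name
    update-owner-match: sub-or-equal
    update-owner-name: [_domainkey.example.com.]

  # Everything else under the zone: TXT updates only, signed with the ACME key.
  - id: acme-allow
    key: acme-key
    action: update
    update-type: [TXT]
    update-owner: name
    update-owner-match: sub-or-equal
    update-owner-name: [example.com.]

zone:
  - domain: example.com
    acl: [acme-deny-exact, acme-deny-dkim, acme-allow]
```

After reloading, a signed update to `_acme-challenge.www.example.com` is accepted while one to `default._domainkey.example.com` is refused; check `knotc conf-check` and the update log lines to confirm the intended rule is the one that matches.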