Conrad,
We are happy that you found a solution. I agree that the documentation should be improved.
It's never perfect.
Daniel
On 9/2/24 21:24, Conrad Hoffmann wrote:
On 9/2/24 3:47 PM, Daniel Salzman wrote:
The 'deny' option should apply to every
match. Please show me the current ACL rule.
Right, it does indeed :/ I feel a tad stupid now for not trying hard enough, but what
really threw me off was the wording in the docs [1]:
If enabled, instead of allowing, deny the
specified action, address, key, or combination if these items.
Much more importantly, though, I discovered that 3.3(?) introduced `update-owner-match: pattern` [2], which provides _exactly_ what I was asking for (matching "_acme-challenge.*.example.com"). So thanks for that :)
But for anyone playing along at home, this works even without `pattern`:
acl:
  - id: txt_updates_protect
    action: update
    key: tsigkey.example.com
    update-type: [TXT]
    update-owner: name
    update-owner-name: [ _spf, _dmarc ] # Protect these records
    deny: on
  - id: txt_updates_allow
    action: update
    key: tsigkey.example.com
    update-type: [TXT]
    update-owner: name
    update-owner-name: [ example.com. ]
    update-owner-match: sub

template:
  - id: default
    acl: [txt_updates_protect, txt_updates_allow]
...
So, sorry for the noise, but maybe someone else learned a thing or two, I know I did. And
I might also submit a patch for the documentation :)
Cheers,
Conrad
[1]
https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#deny
[2]
https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#update-owner-match
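The following is an added illustration, not part of the thread and not Knot's own code: a small Python model of how the two ACL rules above decide a dynamic update. It assumes the documented behaviour as I read it (rules are tried in the listed order and the first matching rule decides, `deny: on` refuses, no match refuses, names in `update-owner-name` without a trailing dot are relative to the zone, and in `pattern` mode a `*` label matches exactly one label); the matching helpers are a simplification for illustration. It goes slightly beyond the thread by also modelling the `pattern` rule Conrad mentions, and by showing that swapping the two rules would let the protected `_spf` record be overwritten.

```python
"""Simplified model of Knot DNS ACL evaluation for DDNS updates (added example).

Not Knot's code. Assumed semantics: rules are evaluated in order, the first
rule whose conditions all match decides (deny -> refused, otherwise allowed),
and an update matching no rule is refused. Sample update requests are
constructed inline.
"""

from dataclasses import dataclass, field

ZONE = "example.com."


def labels(name: str) -> list[str]:
    """Split a domain name into lower-cased labels, root label dropped."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def absolute(name: str, zone: str) -> str:
    """Names without a trailing dot are taken as relative to the zone (assumption)."""
    return name.lower() if name.endswith(".") else f"{name}.{zone}".lower()


def owner_matches(owner: str, name: str, mode: str) -> bool:
    """Compare an update's owner against one update-owner-name entry."""
    o, n = labels(owner), labels(name)
    if mode == "equal":
        return o == n
    if mode == "sub":                      # strict subdomain
        return len(o) > len(n) and o[-len(n):] == n
    if mode == "sub-or-equal":             # Knot's documented default
        return len(o) >= len(n) and o[-len(n):] == n
    if mode == "pattern":                  # '*' matches exactly one label (assumption)
        return len(o) == len(n) and all(p == "*" or p == l for l, p in zip(o, n))
    raise ValueError(f"unknown update-owner-match: {mode}")


@dataclass
class Rule:
    id: str
    key: str
    update_type: set[str] = field(default_factory=set)    # empty set = any type
    update_owner_name: list[str] = field(default_factory=list)
    update_owner_match: str = "sub-or-equal"
    deny: bool = False

    def matches(self, key: str, rtype: str, owner: str, zone: str) -> bool:
        if self.key != key:
            return False
        if self.update_type and rtype not in self.update_type:
            return False
        names = [absolute(n, zone) for n in self.update_owner_name]
        return any(owner_matches(owner, n, self.update_owner_match) for n in names)


def evaluate(rules: list[Rule], key: str, rtype: str, owner: str, zone: str = ZONE) -> bool:
    """True if the update is allowed; the first matching rule decides."""
    for r in rules:
        if r.matches(key, rtype, owner, zone):
            return not r.deny
    return False  # nothing matched: refused


# The two rules from the thread, in the order they are referenced by the template.
RULES = [
    Rule("txt_updates_protect", "tsigkey.example.com", {"TXT"}, ["_spf", "_dmarc"], deny=True),
    Rule("txt_updates_allow", "tsigkey.example.com", {"TXT"}, ["example.com."], "sub"),
]

# The alternative Conrad points at: a single pattern rule (hypothetical id).
RULES_PATTERN = [
    Rule("acme_only", "tsigkey.example.com", {"TXT"}, ["_acme-challenge.*.example.com."], "pattern"),
]

if __name__ == "__main__":
    # Constructed sample updates: (key, rtype, owner)
    samples = [
        ("tsigkey.example.com", "TXT", "_acme-challenge.www.example.com."),
        ("tsigkey.example.com", "TXT", "_spf.example.com."),
        ("tsigkey.example.com", "TXT", "foo._dmarc.example.com."),
        ("tsigkey.example.com", "TXT", "example.com."),
        ("tsigkey.example.com", "A", "www.example.com."),
    ]
    for key, rtype, owner in samples:
        print(f"{owner:40} {rtype:4} -> {'allowed' if evaluate(RULES, key, rtype, owner) else 'refused'}")
    print("swapped order, _spf:",
          "allowed" if evaluate(list(reversed(RULES)), *samples[1]) else "refused")
```

The swapped-order case is the one worth keeping in mind: because the first matching rule decides, the `deny: on` rule only protects `_spf`/`_dmarc` when it is listed before the allow rule in the template's `acl` list.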