Switching key types for authorizing updates
Tony Finch
dot at dotat.at
Thu Aug 12 13:00:43 UTC 2021
John Thurston <john.thurston at alaska.gov> wrote:
>
> But as far as I can tell, the name of the key needs to match the hostname in
> the update-policy statement. I can define a new aes-256 key, but it can't have
> the name "foo.bar.baz.com" while the current md5 key is defined. Nor can I
> find a way to craft an update-policy statement line to let a new key with a
> different name manipulate the desired TXT records, while letting the current
> key continue to work.
I think you want something like:
update-policy {
grant "foo.bar.baz.com_aes256" subdomain "foo.bar.baz.com" TXT;
};
i.e. using the "subdomain" rule type instead of "selfsub", so the
domain name (second foo...) doesn't need to match the keyname (first
foo...)
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
work to the benefit of all
More information about the bind-users
mailing list