diff --git a/doc/configuration.rst b/doc/configuration.rst index c9b0179d4fab756a4722ea3e7018e71480372735..19f233ce9df9c7f91dfc18314513ccd22b16d89c 100644 --- a/doc/configuration.rst +++ b/doc/configuration.rst @@ -138,16 +138,8 @@ the given request is applied and the remaining rules are ignored. Some examples: - domain: acl2.example.com acl: [deny_all, key_rule] # Allow with the TSIG except for the subnet -For dynamic DNS updates, additional conditions may be specified for more granular -filtering. Example:: - - acl: - - id: owner_type_rule - action: update - update-type: [A, AAAA, MX] # Updated records must match one of the specified types - update-owner: name # Updated record owners are restricted by the next conditions - update-owner-match: equal # The record owner must exactly match one name from the next list - update-owner-name: [a, b.example.com.] # Note that non-FQDN names are relative to the effective zone name +In the case of dynamic DNS updates, some additional conditions may be specified +for more granular filtering. See more in the section :ref:`Restricting dynamic updates`. .. NOTE:: If more conditions (address ranges and/or a key) 
@@ -289,61 +281,85 @@ processed:: - domain: example.com acl: update_acl +.. _Restricting dynamic updates: + Restricting dynamic updates --------------------------- -The :ref:`update-owner<acl_update_owner>` ACL option allows not only to -compare the updated record's name ("owner") with a list in -:ref:`update-owner-name<acl_update_owner_name>` as introduced above, but also -to compare against the name of the zone being updated:: +There are several additional ACL options for dynamic DNS updates which affect +the request classification based on the update contents. - key: - - id: ddns-key - ... +Updates can be restricted to specific resource record types:: acl: - - id: zone_update_acl - key: ddns-key - update-owner: zone - action: zone_update_acl + - id: type_rule + action: update + update-type: [A, AAAA, MX] # Updated records must match one of the specified types - zone: - - domain: example.com. - acl: zone_acl - - domain: example.net. - acl: zone_acl +Another possibility is restriction on the owner name of updated records. The option +:ref:`acl_update-owner` is used to select the source of domain +names which are used for the comparison. And the option :ref:`acl_update-owner-match` +specifies the required relation between the record owner and the reference domain +names. Example:: -This permits update requests signed by the TSIG key `ddns-key` to update -records at the zone apex of the two zones. Updates to the whole zone can be -permitted by setting :ref:`update-owner-match<acl_update_owner_match>` to -`sub-or-equal` additionally. + acl: + - id: owner_rule1 + action: update + update-owner: name # Updated record owners are restricted by the next conditions + update-owner-match: equal # The record owner must exactly match one name from the next list + update-owner-name: [foo, bar.] # Reference domain names -Furthermore update ACLs can match the record owner against an incoming -request's TSIG key id. 
The key id is defined by the :ref:`id<key_id>` field -in the :ref:`key<key>` section. We do this as follows:: +.. NOTE:: + If the specified owner name is non-FQDN (e.g. ``foo``), it's considered relatively + to the effective zone name. So it can apply to more zones + (e.g. ``foo.example.com.`` or ``foo.example.net.``). Alternatively, if the + name is FQDN (e.g. ``bar.``), the rule only applies to this name. + +If the reference domain name is the zone name, the following variant can be used:: + + acl: + - id: owner_rule2 + action: update + update-owner: zone # The reference name is the zone name + update-owner-match: sub # Any record owner matches except for the zone name itself + + template: + - id: default + acl: owner_rule2 + + zone: + - domain: example.com. + - domain: example.net. + +The last variant is for the cases where the reference domain name is a TSIG key name, +which must be used for the transaction security:: key: - - id: example.com. - ... - - id: example.net. - ... + - id: example.com # Key names are always considered FQDN + ... + - id: steve.example.net + ... + - id: jane.example.net + ... acl: - - id: ddns_acl - update-owner: key - key: [example.com., example.net.] - action: update + - id: owner_rule3_com + action: update + update-owner: key # The reference name is the TSIG key name + update-owner-match: sub # The record owner must be a subdomain of the key name + key: [example.com] # One common key for updating all non-apex records + + - id: owner_rule3_net + action: update + update-owner: key # The reference name is the TSIG key name + update-owner-match: equal # The record owner must exactly match the used key name + key: [steve.example.net, jane.example.net] # Keys for updating specific zone nodes zone: - domain: example.com. - acl: ddns_acl + acl: owner_rule3_com - domain: example.net. - acl: ddns_acl - -This way each key can only change records in the domain corresponding to it's -name. 
Here we only allow updates at the zone apex but we can use -:ref:`update-owner-match<acl_update_owner_match>` again to allow updates to -the whole zone if desired. + acl: owner_rule3_net .. _dnssec: diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in index ccac6b3a565d7bb09e4d7a5cd5718dcd17c5e3b8..5ead63830aad5f55b3229f7a8e7d3573db297f1b 100644 --- a/doc/man/knot.conf.5in +++ b/doc/man/knot.conf.5in @@ -1256,14 +1256,14 @@ set by the \fI\%update\-owner\fP option. Possible values: .INDENT 0.0 .IP \(bu 2 -\fBsub\-or\-equal\fP — The owner of each Resource Record in an update must either be equal to -or be a subdomain of at least one domain set by \fI\%update\-owner\fP\&. +\fBsub\-or\-equal\fP — The owner of each RR in an update must either be equal to +or be a subdomain of at least one domain name set by \fI\%update\-owner\fP\&. .IP \(bu 2 -\fBequal\fP — The owner of each updated RR must be equal to at least one domain set by -\fI\%update\-owner\fP\&. +\fBequal\fP — The owner of each updated RR must be equal to at least one domain +name set by \fI\%update\-owner\fP\&. .IP \(bu 2 -\fBsub\fP — The owner of each updated RR must be a subdomain of, but MUST NOT be equal to at least -one domain set by \fI\%update\-owner\fP\&. +\fBsub\fP — The owner of each updated RR must be a subdomain of, but MUST NOT +be equal to at least one domain name set by \fI\%update\-owner\fP\&. .UNINDENT .sp \fIDefault:\fP sub\-or\-equal diff --git a/doc/migration.rst b/doc/migration.rst index 2b0e9e78a08133a3cee136464865f0720f52e173..f417fe3fbfd87ef1b27288f34e0395efce34af98 100644 --- a/doc/migration.rst +++ b/doc/migration.rst @@ -190,7 +190,7 @@ exceptions. ACL --- -Configuration option :ref:`acl_update_owner_name` is newly FQDN-sensitive. +Configuration option :ref:`acl_update-owner-name` is newly FQDN-sensitive. It means that values ``a.example.com`` and ``a.example.com.`` are not equivalent. Module synthrecord 
diff --git a/doc/reference.rst b/doc/reference.rst index 908e3f5f87f4bb444652cf3ea3bd466a768484f7..f20fc6f07a1da27f2b7f1a913c69f8eed7983830 100644 --- a/doc/reference.rst +++ b/doc/reference.rst @@ -1336,7 +1336,7 @@ items. If no action is specified, deny all actions. *Default:* off -.. _acl_update_type: +.. _acl_update-type: update-type ----------- 
@@ -1346,50 +1346,50 @@ must match one of the specified types. *Default:* not set -.. _acl_update_owner: +.. _acl_update-owner: update-owner ------------ This option restricts possible owners of Resource Records in a zone update by comparing them to either the :ref:`TSIG key<acl_key>` identity, the current zone name, or to a list of -domain names given by the :ref:`update-owner-name<acl_update_owner_name>` option. -The comparison method is given by the :ref:`update-owner-match<acl_update_owner_match>` option. +domain names given by the :ref:`acl_update-owner-name` option. +The comparison method is given by the :ref:`acl_update-owner-match` option. Possible values: - ``key`` — The owner of each updated RR must match the identity of the TSIG key if used. - ``name`` — The owner of each updated RR must match at least one name in the - :ref:`update-owner-name<acl_update_owner_name>` list. + :ref:`acl_update-owner-name` list. - ``zone`` — The owner of each updated RR must match the current zone name. *Default:* not set -.. _acl_update_owner_match: +.. _acl_update-owner-match: update-owner-match ------------------ This option defines how the owners of Resource Records in an update are matched to the domain name(s) -set by the :ref:`update-owner<acl_update_owner>` option. +set by the :ref:`acl_update-owner` option. Possible values: -- ``sub-or-equal`` — The owner of each Resource Record in an update must either be equal to - or be a subdomain of at least one domain set by :ref:`update-owner<acl_update_owner>`. -- ``equal`` — The owner of each updated RR must be equal to at least one domain set by - :ref:`update-owner<acl_update_owner>`. -- ``sub`` — The owner of each updated RR must be a subdomain of, but MUST NOT be equal to at least - one domain set by :ref:`update-owner<acl_update_owner>`. +- ``sub-or-equal`` — The owner of each RR in an update must either be equal to + or be a subdomain of at least one domain name set by :ref:`acl_update-owner`. 
+- ``equal`` — The owner of each updated RR must be equal to at least one domain + name set by :ref:`acl_update-owner`. +- ``sub`` — The owner of each updated RR must be a subdomain of, but MUST NOT + be equal to at least one domain name set by :ref:`acl_update-owner`. *Default:* sub-or-equal -.. _acl_update_owner_name: +.. _acl_update-owner-name: update-owner-name ----------------- -A list of allowed owners of RRs in a zone update used with :ref:`update-owner<acl_update_owner>` +A list of allowed owners of RRs in a zone update used with :ref:`acl_update-owner` set to ``name``. Every listed owner name which is not FQDN (i.e. it doesn't end in a dot) is considered as if it was appended with the target zone name. Such a relative owner name specification allows better ACL rule reusability across
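Review bot: in the configuration.rst @@ -138 hunk, the new `:ref:`Restricting dynamic updates`` targets a label with spaces and capitals (`.. _Restricting dynamic updates:` in the following hunk); the other labels in these docs are short lowercase identifiers (`.. _dnssec:`, and the renamed `.. _acl_update-owner:`), so `.. _restricting_dynamic_updates:` with `:ref:`restricting_dynamic_updates`` would keep the convention while still rendering the section title. The dropped inline example also carried the only mention that non-FQDN `update-owner-name` entries are relative to the zone; that fact now lives in the NOTE of the new section, so the forward reference is the right replacement as long as the label resolves.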
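Review bot: in the configuration.rst @@ -289 hunk, the `owner_rule1` example uses `update-owner-name: [foo, bar.]`, and the NOTE says the FQDN `bar.` "only applies to this name"; since an owner `bar.` can never occur inside `example.com.` or `example.net.`, the example reads as if the rule could never match, so an in-zone FQDN such as `bar.example.com.` (as in the removed example) would illustrate the point better. The NOTE also needs "it's considered relative to the effective zone name" rather than "relatively to", and "which must be used for the transaction security" would read better as "which must be used to sign the transaction". Finally, the removed text stated the intent of the key-based variant ("each key can only change records in the domain corresponding to its name"); a sentence like that, plus one noting that `update-owner-match: sub` in `owner_rule2` and `owner_rule3_com` keeps apex records (SOA, NS and similar) out of reach of the key, would make the security purpose of each variant explicit instead of leaving it to the inline comments.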
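Review bot: the reference.rst hunks delete the labels `acl_update_type`, `acl_update_owner`, `acl_update_owner_match` and `acl_update_owner_name` in favour of the hyphenated `acl_update-type`, `acl_update-owner`, `acl_update-owner-match` and `acl_update-owner-name`; the migration.rst hunk updates one reference and configuration.rst drops the others, but any `:ref:` to the old names left anywhere else under `doc/` will now fail the Sphinx build, so please grep the tree for `acl_update_` before merging. The unchanged `:ref:`TSIG key<acl_key>`` is fine, since `acl_key` already follows the `acl_<option-name>` scheme the rename introduces.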