I’ve looked through some existing threads on this and some of the info appears to be out of date. I apologize if I should have found the info already.
I’m trying to replicate what I had on Google Domains, where each dynamic DNS subdomain had its own credentials.
I’ve created a token, created a default policy, and created a policy restricted to a specific subdomain. All appears to be correct, but using said restricted token won’t update the subdomain where an unrestricted token will. Here are the policies I set. Does everything look right? Token and IDs redacted of course, and in this example the domain would be dynamic.example.net.
curl -X POST https://desec.io/api/v1/auth/tokens/{id}/policies/rrsets/ \
    --header "Authorization: Token {auth token}" \
    --header "Content-Type: application/json" --data @- <<< \
    '{"domain": null, "subname": null, "type": null}'
curl -X POST https://desec.io/api/v1/auth/tokens/{id}/policies/rrsets/ \
    --header "Authorization: Token {auth token}" \
    --header "Content-Type: application/json" --data @- <<< \
    '{"domain": "example.net", "subname": "dynamic", "type": "A", "perm_write": true}'