Token restricted to custom subdomain dynamic DNS

I've looked through some existing threads on this and some of the info appears to be out of date. I apologize if I should have found the info already.

I'm trying to replicate what I had on Google Domains, where each dynamic DNS subdomain had its own credentials.

I've created a token, created a default policy, and created a policy restricted to a specific subdomain. All appears to be correct, but using said restricted token won't update the subdomain where an unrestricted token will. Here are the policies I set. Does everything look right? Token and IDs redacted of course, and in this example the domain would be dynamic.example.net.

```
curl -X POST https://desec.io/api/v1/auth/tokens/{id}/policies/rrsets/ \
  --header "Authorization: Token {auth token}" \
  --header "Content-Type: application/json" --data @- <<< \
  '{"domain": null, "subname": null, "type": null}'

curl -X POST https://desec.io/api/v1/auth/tokens/{id}/policies/rrsets/ \
  --header "Authorization: Token {auth token}" \
  --header "Content-Type: application/json" --data @- <<< \
  '{"domain": "example.net", "subname": "dynamic", "type": "A", "perm_write": true}'
```

Hi edgeintegrated,

Thanks for your message, and welcome to deSEC! :slight_smile:

As a dynDNS update request will potentially also add, modify or remove the AAAA RRset, the token needs permission for both A and AAAA record types. So, if you create the additional policy for AAAA, it should work.

Stay secure,
Peter

It worked! Thanks so much.
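
The policy set this thread arrives at, as an added example that is not part of the original posts and not deSEC's own code: a default policy followed by one write policy per address type for a single hostname. The endpoint and JSON bodies are the ones from the question; `DESEC_TOKEN`, the function names and the name check are assumptions, and the token is assumed to have no policies yet.

```shell
#!/bin/sh
# Added example (not from the thread): scope a token to dynDNS updates of one hostname.
# DESEC_TOKEN is a placeholder for a token that is allowed to manage tokens.
API="https://desec.io/api/v1"

# A dynDNS update can touch both address RRsets, so both need a write policy.
DYNDNS_TYPES="A AAAA"

# Print the JSON body of a write policy for <domain> <subname> <type>.
# Names are restricted to hostname characters so they cannot break out of the JSON string.
policy_body() {
  case "$1$2" in
    *[!A-Za-z0-9._-]*) echo "invalid name" >&2; return 2 ;;
  esac
  printf '{"domain": "%s", "subname": "%s", "type": "%s", "perm_write": true}' \
    "$1" "$2" "$3"
}

# POST one policy body ($2) to the policy list of the token with id $1.
post_policy() {
  curl -sS --fail -X POST "$API/auth/tokens/$1/policies/rrsets/" \
    --header "Authorization: Token $DESEC_TOKEN" \
    --header "Content-Type: application/json" \
    --data "$2"
}

# create_dyndns_policies <token id> <domain> <subname>
create_dyndns_policies() {
  # Default policy first, with the same body as in the question.
  post_policy "$1" '{"domain": null, "subname": null, "type": null}' || return 1
  for rrtype in $DYNDNS_TYPES; do
    body=$(policy_body "$2" "$3" "$rrtype") || return 2
    post_policy "$1" "$body" || return 1
  done
}

# Usage: DESEC_TOKEN=... create_dyndns_policies "<token id>" example.net dynamic
```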