dnsprivacy / dnsprivacy.org_issues


XoT Bind9 configuration xot-acl syntax #5

Open onlime opened 1 year ago

onlime commented 1 year ago

On https://dnsprivacy.org/encrypted-zone-transfer (BTW great documentation! had it implemented easily thanks to this nice overview) you recommend the following acl for Bind9 configuration:

acl xot-acl { !{ !xot-secondaries; any; }; key xot-key ;};

Can you please explain that double negation? Could that acl be simplified to the following?:

acl xot-acl { xot-secondaries; key xot-key ;};

I would like to achieve that only secondaries (listed in acl xot-secondaries) are allowed to transfer zones, and only if those are providing the same shared secret xot-key.

Also, I would like to point out that the hmac-sha256 algorithm should be preferred over hmac-md5 in your documentation. Please also document how to generate the xot-key, e.g. with the TSIG key generation tool tsig-keygen (which defaults to hmac-sha256, at least in Debian Bookworm's bind9 9.18.19):

$ tsig-keygen xot-key
key "xot-key" {
    algorithm hmac-sha256;
    secret "YhycIolcQy4Xy/X16RZ0dBktbgbAD+x1yzw5Xxfh8+A=";
};

Thanks, Philip
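To make the difference between the two ACLs concrete, here is an added example that is not part of the issue, the dnsprivacy.org page, or BIND itself: a small Python model of how BIND evaluates an address match list (first match wins; a non-negated match allows, a negated match or no match denies; a negative match produced inside a nested list counts as "no match" for the nested element, so it falls through to the next element of the outer list). The secondary prefixes, the key name and the client addresses are constructed for the illustration. Run against the same requests, the documented `!{ !xot-secondaries; any; }; key xot-key;` form behaves as "listed secondary AND valid key", whereas the proposed `xot-secondaries; key xot-key;` form behaves as "listed secondary OR valid key".

```python
import ipaddress

# Element encoding used by this model (an assumption of this example, not BIND syntax):
#   ("net", "203.0.113.0/24")  address prefix
#   ("key", "xot-key")         request signed with this TSIG key
#   ("acl", "xot-secondaries") reference to a named ACL
#   ("any",)                   matches every address
#   ("not", element)           negated element, i.e. "!element"
#   ("list", [elements])       nested address match list, i.e. "{ ... }"

ACLS = {
    # constructed list of secondaries
    "xot-secondaries": [("net", "203.0.113.0/24"), ("net", "2001:db8:1::/48")],
    # acl xot-acl { !{ !xot-secondaries; any; }; key xot-key; };   (documented form)
    "xot-acl": [
        ("not", ("list", [("not", ("acl", "xot-secondaries")), ("any",)])),
        ("key", "xot-key"),
    ],
    # acl xot-acl { xot-secondaries; key xot-key; };                (proposed simplification)
    "xot-acl-simple": [("acl", "xot-secondaries"), ("key", "xot-key")],
}


def match_element(elem, addr, signer):
    """Return +1 for a positive match, -1 for a negated match, 0 for no match."""
    kind = elem[0]
    if kind == "any":
        return 1
    if kind == "net":
        return 1 if addr in ipaddress.ip_network(elem[1]) else 0
    if kind == "key":
        return 1 if signer == elem[1] else 0
    if kind == "not":
        # "!" flips the sign of a match; "no match" stays "no match"
        return -match_element(elem[1], addr, signer)
    if kind in ("acl", "list"):
        elems = ACLS[elem[1]] if kind == "acl" else elem[1]
        inner = match_list(elems, addr, signer)
        # A negative match inside a nested list is treated as "no match" for the
        # nested element, so evaluation continues with the next outer element
        # instead of the negation becoming a surprise positive match.
        return 1 if inner > 0 else 0
    raise ValueError(f"unknown element kind {kind!r}")


def match_list(elems, addr, signer):
    """First-match evaluation of an address match list."""
    for elem in elems:
        result = match_element(elem, addr, signer)
        if result != 0:
            return result
    return 0


def allowed(acl_name, src_ip, signer=None):
    """Access-control reading of the list: only a positive match grants access."""
    return match_list(ACLS[acl_name], ipaddress.ip_address(src_ip), signer) > 0


def compare(acl_names=("xot-acl", "xot-acl-simple")):
    """Evaluate both ACLs for the constructed request matrix."""
    requests = [
        ("203.0.113.5", "xot-key"),   # listed secondary, correct key
        ("203.0.113.5", None),        # listed secondary, unsigned
        ("2001:db8:1::10", "xot-key"),  # listed IPv6 secondary, correct key
        ("198.51.100.7", "xot-key"),  # unlisted host that somehow has the key
        ("198.51.100.7", None),       # unlisted, unsigned
    ]
    return {
        name: [(ip, signer, allowed(name, ip, signer)) for ip, signer in requests]
        for name in acl_names
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(name)
        for ip, signer, ok in rows:
            print(f"  {ip:>16} signer={str(signer):8} -> {'allow' if ok else 'deny'}")
```

The evaluator is a model, so confirm the real behaviour with `named-checkconf` and a test AXFR from an unlisted address before relying on it. Note also that neither ACL says anything about the transport: restricting zone transfers to TLS is a separate setting from the address/key match.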

saradickinson commented 11 months ago

So sorry for the late follow up - I didn't get an email notification of this issue for some reason and just spotted it when reviewing the site...

I've updated the page to explain the need for double negation (good question!) and updated to sha256 too. Many thanks!