[Pdns-users] Disabling DNSUPDATE for *some* zones?

[Kevin P. Fleming]

I've got PowerDNS Auth happily running and serving a number of domains
(primary and two secondaries, NOTIFY/AXFR, IPv6, etc.).

I've enabled DNSUPDATE so that I can do Let's Encrypt DNS-01
challenges for certificate issuance, and I use a TSIG key for the
update requests. When setting up a cert for a new domain recently, I
failed to set the domain metadata to indicate that the TSIG key would
be required, and PowerDNS accepted the DNSUPDATE anyway (and emitted a
log message to that effect).

I don't want this behavior, I want to disable DNSUPDATE for all
domains which don't have a TSIG key set in their metadata. The only
way I can see to do this would be to set ALLOW-DNSUPDATE-FROM at the
domain level to an invalid address, so that all requests will fail,
but I also have this set in the main configuration which might not be
overridden by the domain metadata.

Is there another way to disable DNSUPDATE at the domain level?