Customer Access to Modify DNS

Steve Senator sts+bind-users at senator.colospgs.co.us
Fri Feb 4 04:48:48 UTC 2000


lilith at paxumbrae.com writes:
 > I am interested in collecting fact-based reasons as to why it would be a
 > bad idea to allow customers to modify their own DNS zones through a
 > webpage or dynamic updates.

The Public DNS Service (http://soa.granitecanyon.com) sees
approximately 100 new zone registrations per day. Of these,
about 10% are in error for the first two weeks. These are
all self-managed DNS zones. In some cases, users specify dependencies
within their zone data that make a zone unworkable. That is, they
shoot themselves in the body part.

 > I am interested in doing what is best to preserve data integrity and
 > security,

Generate a number of standard template zone files for a small number
of business needs. For example:
 - creating a "parked" domain name (an inactive, but reserved zone)
 - creating a zone that maps onto another machine with all standard
   services directed there (ex. home-based DSL machine)
 - creating a zone that maps a number of different conventional names
   (ex. "ftp.yourzone.com", "mail.yourzone.com") onto separate
   machines. Use a standard template to set the actual IP addresses.
 - etc.

 > and it seems to me that allowing customers who may not know what
 > they are doing the opportunity to access such sensitive data is asking for
 > a lot of support calls, especially in allowing them to modify in-addr
 > zones which they may only own a handful of addresses in.

This is consistent with the history of the Public DNS. Almost no one
reads the FAQ first. They just try various combinations. In most
cases, they don't shoot themselves. But administering a distributed
database is not simple if you haven't a well-designed schema - and
that is exactly the problem.

0.02,
-Steve Senator
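The three template zones described in the post, rendered from a fixed structure in which the customer supplies only values (zone name and addresses) and each value is validated before it reaches the zone file. This is an added example, not code from the post or from the Public DNS Service; the provider name servers, hostmaster address and the allowed label set are assumptions.

```python
import ipaddress
import re

# Provider-side constants are assumed for this example, not taken from the post.
PROVIDER_NS = ("ns1.provider.example.", "ns2.provider.example.")
HOSTMASTER = "hostmaster.provider.example."
CONVENTIONAL = ("www", "ftp", "mail")          # only these labels may be set
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def validate_zone_name(zone):
    """Accept only a plain hostname of two or more labels; reject anything else."""
    labels = zone.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        raise ValueError(f"invalid zone name: {zone!r}")
    return ".".join(labels)

def address_rr(ip):
    """Return (RR type, canonical address) for a customer-supplied address, or raise."""
    addr = ipaddress.ip_address(ip)          # ValueError on anything that is not an IP
    return ("A" if addr.version == 4 else "AAAA"), str(addr)

def zone_header(zone, serial):
    """SOA and NS records are fixed by the provider; the customer never edits them."""
    return [f"$ORIGIN {zone}.", "$TTL 3600",
            f"@ IN SOA {PROVIDER_NS[0]} {HOSTMASTER} ( {serial} 3600 900 1209600 3600 )",
            *[f"@ IN NS {ns}" for ns in PROVIDER_NS]]

def parked_zone(zone, serial):
    """Template 1: reserved but inactive zone, SOA and NS only."""
    return "\n".join(zone_header(validate_zone_name(zone), serial))

def single_host_zone(zone, serial, ip):
    """Template 2: the apex and every conventional name point at one machine."""
    zone = validate_zone_name(zone)
    rrtype, addr = address_rr(ip)
    lines = zone_header(zone, serial) + [f"@ IN {rrtype} {addr}"]
    lines += [f"{name} IN {rrtype} {addr}" for name in CONVENTIONAL]
    lines.append("@ IN MX 10 mail")          # safe: 'mail' always has an address here
    return "\n".join(lines)

def multi_host_zone(zone, serial, hosts):
    """Template 3: conventional names on separate machines. hosts maps label -> address;
    labels outside CONVENTIONAL are refused, and the MX is only emitted when 'mail'
    really has an address, so the template cannot produce a dangling dependency."""
    zone = validate_zone_name(zone)
    bad = set(hosts) - set(CONVENTIONAL)
    if bad:
        raise ValueError(f"labels not allowed in this template: {sorted(bad)}")
    lines = zone_header(zone, serial)
    for name in CONVENTIONAL:
        if name in hosts:
            rrtype, addr = address_rr(hosts[name])
            lines.append(f"{name} IN {rrtype} {addr}")
    if "mail" in hosts:
        lines.append("@ IN MX 10 mail")
    return "\n".join(lines)
```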


