I have a pool of authoritative DNS servers that have to host zones for 5 users each of which have between 2 and 10 zones.
Each user can ssh to the servers using public key authentication. The requirements I am facing say that as long as the user is able to connect to the ssh port on the server, they must also be able to update their own zones without relying on any other network communication.
What I have done so far is to configure each zone to be loaded from the home directory of the user owning the zone as in this example:
    zone "example.com" {
        type master;
        file "/home/example/zones/example.com";
    };
I don't know if there exist any recommendations about loading zone files directly from a user's home directory. I tried a few searches and found no recommendations for or against this practice.
It appears to work, but changes only take effect after I have either restarted or reloaded bind, which I currently have to do as root.
The distribution I am using provides BIND 9.8 with security patches. So I downloaded the 9.8 version of "BIND 9 Administrator Reference Manual" to look for ways for a user to instruct bind to reload a zone.
I found the rndc command; however, it appears the access controls on BIND are not fine-grained enough to allow a secret to be used only to reload a specific zone. I can specify combinations of IP addresses and HMAC-MD5 secrets permitted access, but any such combination permitted access will be permitted to invoke all commands through rndc.
How do I allow a user to reload their zone files without granting them other administrative rights?
At this point I am thinking I could use either sudo or the command option in .ssh/authorized_keys to give a user access to invoke a specific rndc command.
Is this an advisable approach or should I be doing something else?
I have also considered using zone transfers. But my understanding of how zone transfers work is that the receiving DNS server acts as the client in the zone transfer and the sending DNS server acts as the server. If my understanding is correct, it means having a client provide a new version of the zone to the server isn't possible. So it seems if I were to take this approach I would have to use a hidden master setup with that hidden master running on a VPN client, which for reasons I cannot fully formulate feels wrong.
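The forced-command approach from the question, as an added example that is not from the question or any of the answers: a wrapper installed via the command option in .ssh/authorized_keys that accepts exactly "reload <zone>" for zones an administrator has listed for the user, syntax-checks the zone file, and only then asks named to reload that one zone. Assumptions made here: the allowlist lives in a root-owned file /etc/zone-allow/<user>, zone files sit in $HOME/zones/<zone> (matching the file statement in named.conf), and a separate sudoers rule lets the user run only rndc reload, so the rndc key itself never has to be readable by the user (the rule is not shown). The ZONE_ALLOWLIST, ZONEDIR, NAMED_CHECKZONE and RNDC_CMD overrides exist so the script can be dry-run.

```shell
#!/bin/sh
# Forced-command wrapper for a user's SSH key (added example, not from the thread).
# Install by prefixing the user's key in ~/.ssh/authorized_keys with
#   command="/usr/local/bin/zone-reload",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding
# sshd then ignores whatever the client asked to run, executes this script, and
# hands the original request over in SSH_ORIGINAL_COMMAND.
#
# Assumed layout (placeholders for this example):
#   /etc/zone-allow/<user>   root-owned, one zone name per line
#   $HOME/zones/<zone>       the file named in the zone's file "..." statement
#   sudoers                  lets this user run only "/usr/sbin/rndc reload <zone>"

# Return 0 only if $1 is a plain DNS zone name: alphanumeric labels (internal
# hyphens allowed) joined by single dots. Rejects "", "..", leading/trailing
# dots and slashes, so it can never name a path outside the zone directory.
valid_zone_name() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Parse the client's request ($1). Accept exactly two words, "reload <zone>",
# print the zone and return 0; anything else (extra words, "stop", shell
# metacharacters glued to the name) returns 1.
parse_request() {
    set -f            # no pathname expansion while splitting into words
    set -- $1
    set +f
    [ "$#" -eq 2 ] && [ "$1" = reload ] && valid_zone_name "$2" || return 1
    printf '%s\n' "$2"
}

# Validate the request, check the zone is on this user's allowlist, run
# named-checkzone on the file, then reload just that zone.
handle_request() {
    allow=${ZONE_ALLOWLIST:-/etc/zone-allow/$(id -un)}
    zonedir=${ZONEDIR:-$HOME/zones}
    checkzone=${NAMED_CHECKZONE:-/usr/sbin/named-checkzone}
    rndc_cmd=${RNDC_CMD:-sudo -n /usr/sbin/rndc}   # expanded unquoted below on purpose

    zone=$(parse_request "$1") || { echo "refused: expected 'reload <zone>'" >&2; return 1; }
    grep -Fxq -- "$zone" "$allow" 2>/dev/null \
        || { echo "refused: $zone is not assigned to this user" >&2; return 1; }
    "$checkzone" -q "$zone" "$zonedir/$zone" \
        || { echo "refused: $zone fails named-checkzone, not reloading" >&2; return 1; }
    $rndc_cmd reload "$zone"
}

# Under sshd the request arrives in SSH_ORIGINAL_COMMAND; a bare "ssh host"
# with no command leaves it unset and nothing happens (no-pty blocks a shell).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    handle_request "$SSH_ORIGINAL_COMMAND"
fi
```

Because the check happens before the reload, a user who pushes a syntactically broken file is told so instead of having named refuse the zone, and because the script only ever builds the command itself, nothing in the request is executed as a shell.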
I'd make it via sudo.
You could ask your clients to use an RCS tool like git to update their zone files and push them to their homedirs. There, create a git repository with a post-receive hook that runs those commands using the sudo rules user1700494 indicates (I would add named-checkzone and named-checkconf as well).
For completeness' sake, here are the sudo rules user1700494 suggested
That way you keep everything in version control so you can easily go back if necessary, and your users do not need to log in and modify files on the server; everything can be done in their own environment. Additionally, you only reload the server after having verified the files are correct.
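A post-receive hook of the kind described in this answer, as an added example that is not the answer's own code and does not reproduce the sudo rules referred to above: after a push it exports the new tree to a scratch directory, deploys only those files whose names appear on the user's allowlist, runs named-checkzone on each candidate before it replaces the live file, and reloads each zone that passed. Assumed paths are $HOME/zones.git for the bare repository, $HOME/zones for the live files, and $HOME/.zone-allowlist (written by the administrator) for the list; a sudoers rule permitting only rndc reload is assumed and not shown.

```shell
#!/bin/sh
# post-receive hook for a user's bare zone repository (added example, not from the thread).
# Install as $HOME/zones.git/hooks/post-receive and make it executable. Git runs
# it after every push with one "oldrev newrev refname" line per updated ref on stdin.
#
# Assumed layout (placeholders for this example):
#   $HOME/zones.git          bare repository the user pushes to
#   $HOME/zones/<zone>       live files, matching the file "..." statements in named.conf
#   $HOME/.zone-allowlist    one zone name per line, maintained by the admin
# Assumed privilege: a sudoers rule allowing only "/usr/sbin/rndc reload <zone>".

# Validate and deploy one zone. $1 = candidate file, $2 = zone name, $3 = live directory.
# Returns 0 and reloads the zone only if the name is allowed and named-checkzone passes;
# a rejected file never reaches the live directory.
deploy_zone() {
    src=$1; zone=$2; livedir=$3
    allow=${ZONE_ALLOWLIST:-$HOME/.zone-allowlist}
    checkzone=${NAMED_CHECKZONE:-/usr/sbin/named-checkzone}
    rndc_cmd=${RNDC_CMD:-sudo -n /usr/sbin/rndc}   # expanded unquoted below on purpose

    if ! grep -Fxq -- "$zone" "$allow" 2>/dev/null; then
        echo "skip $zone: not on the allowlist" >&2
        return 1
    fi
    if ! "$checkzone" -q "$zone" "$src"; then
        echo "reject $zone: named-checkzone failed, live file left untouched" >&2
        return 1
    fi
    # Copy then rename so named never sees a half-written file on reload.
    cp -- "$src" "$livedir/$zone.tmp" && mv -- "$livedir/$zone.tmp" "$livedir/$zone" || return 1
    $rndc_cmd reload "$zone"
}

# Deploy every regular file in $1 into $2, treating the file name as the zone name.
# Prints the number of zones that were actually reloaded.
deploy_tree() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        deploy_zone "$f" "${f##*/}" "$2" && n=$((n + 1))
    done
    echo "$n"
}

# Hook entry point: for each push to master, export the new commit's tree
# (no working copy is needed in a bare repository) and deploy it.
post_receive() {
    while read -r oldrev newrev refname; do
        [ "$refname" = "refs/heads/master" ] || continue
        tmp=$(mktemp -d) || exit 1
        git archive "$newrev" | tar -x -C "$tmp"
        echo "reloaded $(deploy_tree "$tmp" "${ZONEDIR:-$HOME/zones}") zone(s)"
        rm -rf "$tmp"
    done
}

# Git sets GIT_DIR when it invokes the hook; when sourced elsewhere, do nothing.
if [ -n "${GIT_DIR:-}" ]; then
    post_receive
fi
```

Keeping the allowlist outside the repository matters: the user controls everything they push, so the set of zones they may overwrite has to come from a file they cannot edit.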
I would advise running each BIND instance in an LXC container, each user having their own BIND instance. Supply them with the credentials of their respective instances.