I have a relatively simple BIND/DNS configuration, and would like to allow some of my users to be able to add their own configurations (e.g. A records and CNAMEs). Even though I trust my users, I want to restrict access to all configuration files to only myself and other admins. I also do not want my users to (have to) log in to a shell session on the DNS server.
Solutions I have considered:
- Delegating zones: this won't work for me, because it adds significant complexity and overhead (each user would need to maintain a DNS server for their own zone). Also, a firewall that is outside of my control prevents me from setting up additional reachable DNS servers within my network.
- User-editable "include" files: this is what I am aiming for now, but I am unable to find any existing solutions to allow authenticated/restricted access to a subset of configuration files. Thus I would have to create my own. I am not sure how I would approach this: git with hooks? A web application?
Have other admins encountered this problem, and if so, how was it solved?
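
A sketch of the check a git hook or web front end could run on a user-submitted include file before an admin-owned process copies it into the zone. This is an added example, not part of the original question; the function name, the per-user label scheme (user `alice` may only own names at or below `alice` in the zone) and the strictness rules are assumptions.

```python
import ipaddress
import re

ALLOWED_TYPES = {"A", "CNAME"}   # the record types the question wants users to manage
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
NAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*\.?$")

def validate_include(text, user_label):
    """Return a list of 'line N: reason' strings; an empty list means accept."""
    errors = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()       # drop zone-file comments
        if not line.strip():
            continue
        if line.lstrip().startswith("$"):          # $INCLUDE, $ORIGIN, $GENERATE, $TTL
            errors.append(f"line {n}: directives are not allowed")
            continue
        if line[0].isspace() or "(" in line or ")" in line:
            errors.append(f"line {n}: inherited owner or multi-line record")
            continue
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():             # optional numeric TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":       # optional class
            rest = rest[1:]
        if len(rest) != 2 or rest[0].upper() not in ALLOWED_TYPES:
            errors.append(f"line {n}: only single-value A and CNAME records are allowed")
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        # Owner must be relative (no trailing dot, '@' or wildcard) and sit at
        # or below the user's own label, e.g. "www.alice" for user "alice".
        own = owner.lower()
        if not NAME_RE.match(owner) or owner.endswith(".") or not (
                own == user_label or own.endswith("." + user_label)):
            errors.append(f"line {n}: owner {owner!r} is outside {user_label!r}")
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata)
            except ValueError:
                errors.append(f"line {n}: {rdata!r} is not an IPv4 address")
        elif not NAME_RE.match(rdata):
            errors.append(f"line {n}: {rdata!r} is not a valid CNAME target")
    return errors
```

Running `named-checkzone` on the assembled zone before reloading remains a useful second check, since this validator only judges the user's fragment in isolation.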