Letting users make their own dns changes? Any software available to manage this tricky situation?

Question

I currently waste a lot of time making dns changes for my organization. DDNS of course helps for workstations, but we still have a few thousand unique servers with still more applications needing cname records that DHCP/DDNS alone will not support, so someone needs to make updates, but I'd like to see sysadmins make their own dns updates for their machines.

I'm currently working on extending our asset database to support this functionality, but I hold out hope that there are COTS solutions available.

score 3 · Answer 1 · answered Dec 08 '12 at 16:26

3

You didn't mention what DNS server is in use and you didn't mention whether or not this was in a Windows AD domain, but if this is in relation to Windows DNS, I've used the following to grant limited access to our DNS zones:

http://www.quest.com/activeroles-server/dnsm.aspx

answered Dec 08 '12 at 16:26

joeqwerty

108,377
6
80
171

I was trying to keep this as general as possible in order to not drive anyone away. I could change our dns infrastructure if I had to. Our organization does use Active Directory heavily, and this article is speaking my language. If it geniunely allows delegation to AD groups and proper self-provisioning, I may have an answer. Much thanks. – Jaredk Dec 08 '12 at 17:47
I use it to allow a group of junior admins to manage CNAME records in a subdomain of our AD DNS zone, so it sounds like it's up your alley. – joeqwerty Dec 08 '12 at 18:19

score 2 · Answer 2 · answered Dec 08 '12 at 15:33

2

In past organizations, we've kept our zone files in version control, and allowed the sysadmin team(s) to edit, commit, and push their changes directly to the central git repo and post-commit hooks took care of sanity checking the syntax of the new commit, deploying to the production name servers, and kicking bind to pull in the new configs.

In our case, anyone could have edited any dns record, but fortunately we had enough trust among the staff that people wouldn't touch records that weren't theirs.

If you need more separation than that, you can keep different zones in different repos, with different permissions.

answered Dec 08 '12 at 15:33

EEAA

108,414
18
172
242

1

Thanks. I wish I could trust my System administrators that much. – Jaredk Dec 08 '12 at 17:55
3

If you can't trust your System administrators that much, what are they doing administering your systems. – BillThor Dec 09 '12 at 01:10
@BillThor - My thoughts exactly. – EEAA Dec 09 '12 at 01:31

Letting users make their own dns changes? Any software available to manage this tricky situation?

2 Answers2