Large named.conf, untrusted zone file access

Kevin Darcy kcd at daimlerchrysler.com
Tue Oct 30 21:55:19 UTC 2001


Sean Hamilton wrote:

> 1. Is there a better way to manage my large list of domain names in
> named.conf than having a large list of zone definitions and their
> corresponding files?

You could break that list down into several "include" files if you want.
If you wish to get more sophisticated than that, you could always build
the named.conf from some sort of database, put a web frontend on the
database, yadda yadda yadda...

> 2. Is it 'safe' to give untrusted users access to their zone files? Or
> should I insist on maintaining them myself?

Generally speaking, if one zone gets messed up it doesn't affect other
zones hosted by the same nameserver. So *technically* there is no reason
why you couldn't "delegate" maintenance authority to anyone and everyone
on a zone-by-zone basis. However, in practice, novice users seem to be
very good at mucking up zone files, and if you're the guy on the hook to
keep DNS running properly, you may find that you create even *more* work
for yourself by letting them run amok with zone files, and then having
to constantly go back and clean up their messes. It would probably be
better to put a maintenance system in place, with a fairly simplistic
frontend and *lots* of sanity checking, and make everyone use that
maintenance system to update their DNS.


- Kevin
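An added example, not code from the original post or from BIND, of the two things suggested above: generating the zone stanzas for named.conf from a simple list (which can then be pulled in with a single `include` statement), and a "lots of sanity checking" pre-check for zone files handed in by untrusted users. The zone list, the zone file, the `/var/named/zones` directory and the `example.*` names are all constructed for the example. The checks are the ones a frontend most needs before it touches named.conf or installs a file: the zone name is validated before it is placed inside the quoted strings of a `zone` stanza (so a `"` or `;` in a user-supplied name cannot terminate the stanza and append statements to named.conf), `$INCLUDE` is refused because named will read any file it can open, the SOA serial must be numeric and must increase, and absolute names without a trailing dot, the classic novice mistake, are flagged.

```python
"""Added example: generate a named.conf include from a zone list and
sanity-check user-supplied zone files before they are installed."""
import re

# Constructed sample input, one hosted zone per line (a stand-in for the
# database the post suggests); the names are assumptions, not real zones.
ZONE_LIST = """\
example.com
example.net
# example.org   (commented out, not generated)
"""
ZONE_DIR = "/var/named/zones"    # hypothetical directory for zone files

# Hostname-style labels only; anything else is refused before it reaches
# the quoted strings in named.conf.
_ZONE_NAME = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+")
_TYPES = {"SOA", "NS", "MX", "CNAME", "PTR", "A", "AAAA", "TXT", "SRV"}
_NAME_TYPES = {"NS", "MX", "CNAME", "PTR"}   # rdata ends in a domain name


def build_include(zone_list):
    """Return the text of a named.conf include file, one stanza per zone."""
    stanzas = []
    for raw in zone_list.splitlines():
        zone = raw.split("#", 1)[0].strip().rstrip(".").lower()
        if not zone:
            continue
        if not _ZONE_NAME.fullmatch(zone):
            # A '"', ';' or '{' here would let a user end the stanza early
            # and append statements of their own to named.conf.
            raise ValueError(f"refusing zone name {zone!r}")
        stanzas.append(f'zone "{zone}" {{\n    type master;\n'
                       f'    file "{ZONE_DIR}/{zone}.db";\n}};\n')
    return "".join(stanzas)


def _records(text):
    """Yield (line_no, owner_omitted, fields) per logical record, with ';'
    comments stripped and '( ... )' continuations joined.  Quoted strings
    are not parsed: this is a pre-check, not a full zone-file parser."""
    buf, depth, start, omitted = [], 0, 0, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]
        if not buf:
            start, omitted = lineno, raw[:1].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
            if fields:
                yield start, omitted, fields
            buf, depth = [], 0


def check_zone_file(text, previous_serial=None):
    """Return a list of problems; an empty list means the file may go in."""
    problems, soa_seen, ns_seen = [], 0, 0
    for lineno, omitted, f in _records(text):
        if f[0].upper() == "$INCLUDE":
            # $INCLUDE makes named read any file it can open, so it must
            # never be accepted from an untrusted user.
            problems.append(f"line {lineno}: $INCLUDE directive is not allowed")
            continue
        if f[0].startswith("$"):          # $TTL, $ORIGIN: leave to named
            continue
        first = 0 if omitted else 1       # skip the owner name if present
        idx = next((i for i in range(first, len(f)) if f[i].upper() in _TYPES), None)
        if idx is None or idx + 1 >= len(f):
            problems.append(f"line {lineno}: unrecognised record {' '.join(f)!r}")
            continue
        rtype, rdata = f[idx].upper(), f[idx + 1:]
        targets = []
        if rtype == "SOA":
            soa_seen += 1
            if len(rdata) < 3 or not rdata[2].isdigit():
                problems.append(f"line {lineno}: SOA serial missing or not numeric")
            elif previous_serial is not None and int(rdata[2]) <= previous_serial:
                problems.append(f"line {lineno}: serial {rdata[2]} is not greater "
                                f"than the installed serial {previous_serial}")
            targets = rdata[:2]
        elif rtype in _NAME_TYPES:
            if rtype == "NS":
                ns_seen += 1
            targets = rdata[-1:]
        for t in targets:
            # ns2.example.com without a trailing dot is really
            # ns2.example.com.example.com once named appends the origin.
            if "." in t and not t.endswith("."):
                problems.append(f"line {lineno}: {t!r} lacks a trailing dot")
    if soa_seen != 1:
        problems.append(f"expected exactly one SOA record, found {soa_seen}")
    if ns_seen == 0:
        problems.append("no NS records")
    return problems


# Constructed sample zone file with one deliberate mistake on line 9.
SAMPLE_ZONE = """\
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2001103001 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
    IN NS  ns1.example.com.
    IN NS  ns2.example.com
www IN A   192.0.2.10
"""

if __name__ == "__main__":
    print(build_include(ZONE_LIST))
    for p in check_zone_file(SAMPLE_ZONE):
        print("problem:", p)
```

The generated text is meant to be written to one file that named.conf pulls in with `include "/etc/named.zones.conf";` (path assumed), so the hand-maintained part of named.conf never changes when zones come and go. The pre-check is deliberately strict rather than complete: a submitted file should be written to a staging path, run through this check and then through BIND's own `named-checkzone`, and only moved into the live zone directory when both pass.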
