DNS Clustering without sharing root access key.
As a Hosting Provider, I want DNS Clustering without sharing root access key, so that I have better security between servers on the DNS Cluster.
One thing someone has brought to me recently is an issue around DNS clustering. We run our own cluster of DNS only installs for our shared hosting all the shared hosting servers push their DNS to this cluster.
What we'd also like to do for smaller VPS/Server customers is use our cluster for secondary DNS - but at the moment we can't do so because we'd have to give them the main remote access key for their server to be able to push zones to us. If we could setup multiple remote keys (and lock them to IPs) then that would be brilliant.
This is a feature that has been migrated over from the cPanel Forums. All previous comments and discussions concerning this feature can be located at:
http://forums.cpanel.net/f145/ability-control-zone-access-dns-only-server-case-33628-a-159697.html
I like this idea 
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.
With the additional privileges, we added in cPanel & WHM Version 68, this request is resolved.
https://documentation.cpanel.net/display/68Docs/68+Release+Notes#id-68ReleaseNotes-NewACLsNewaccessprivileges
The 'Manage DNS Records' privilege should be the only one the token needs.
With the additional privileges, we added in cPanel & WHM Version 68, this request is resolved.
https://documentation.cpanel.net/display/68Docs/68+Release+Notes#id-68ReleaseNotes-NewACLsNewaccessprivileges
The 'Manage DNS Records' privilege should be the only one the token needs.
Please check forum topic http://forums.cpanel.net/f185/all-root-owned-dns-zones-available-all-resellers-307992.html as well...
It's a security flaw to be honest :(
Please check forum topic http://forums.cpanel.net/f185/all-root-owned-dns-zones-available-all-resellers-307992.html as well...
It's a security flaw to be honest :(
This would be nice for dedicated server customers who do not want to run their own DNS. Without this requested feature, the customer has to wait for me to add a DNS entry. It's also manual work for me to do. Meanwhile, it's too much of a security risk to put my root key in the customer's WHM installation.
This would be nice for dedicated server customers who do not want to run their own DNS. Without this requested feature, the customer has to wait for me to add a DNS entry. It's also manual work for me to do. Meanwhile, it's too much of a security risk to put my root key in the customer's WHM installation.
This feature request has my support. We too want to use our DNS cluster for resellers and dedicated servers, but won't do so until using a shared DNS is secure.
This feature request has my support. We too want to use our DNS cluster for resellers and dedicated servers, but won't do so until using a shared DNS is secure.
This should be combined with
http://features.cpanel.net/responses/as-a-data-center-i-want-security-functionality-in-dns-clustering-so-that-my-root-users-cannot-overwrite-one-anothers-dns-zones
This should be combined with
http://features.cpanel.net/responses/as-a-data-center-i-want-security-functionality-in-dns-clustering-so-that-my-root-users-cannot-overwrite-one-anothers-dns-zones
+1 for this feature.
+1 for this feature.
Very appreciated...
What do you think cPanel? When can we get it?
Very appreciated...
What do you think cPanel? When can we get it?
DNSOnly seems to be not as used by many cpanel resellers. To move away from root ssh key to an api seems to be an import move. Is there any thread in the forum with an statement from Cpanel?
DNSOnly seems to be not as used by many cpanel resellers. To move away from root ssh key to an api seems to be an import move. Is there any thread in the forum with an statement from Cpanel?
This is a very important change that needs to happen. We have the same problem as OP, still over 3 years ago...
This is a very important change that needs to happen. We have the same problem as OP, still over 3 years ago...
Don't forget IP spoofing! ;)
Don't forget IP spoofing! ;)
This would open so many possibilities for hosting providers... Branding of reseller name servers, additional service offerings and so many other...
AND it's not difficult to do, cPanel!!!
This would open so many possibilities for hosting providers... Branding of reseller name servers, additional service offerings and so many other...
AND it's not difficult to do, cPanel!!!
I believe that this is the part that cPanel should look into:
"setup multiple remote keys"
I don't see how you could create a secure connection without handing over a password or some other sensitive root authentication method but, using multiple remote keys could be handled in the same way as SSH keys, so you could create as many as you need.
Having said this, it might be needed to implement some kind of restrictions for this keys, so that the are only authorised to do what you specify (e.g.: access WHM and/or SSH, modify/view DNS settings/zones), and this could be changed via some options panel whenever you like it or simply set at the moment of creation without possibility to change said options (of course the first one is more convenient, but I don't know if it is not too complicated to achieve or even possible). At this moment, DNS clustering does not work with 2FA, so maybe you could allow this authentication to be bypassed if some particular key, with the respective option turned on, is used for the connection (other option to add to the menu when creating/editing the access key).
Other thing that could be done is to hand over (or share) DNS administration from root to other new user (named something like dns or dnsmgr, and you would connect as said user if the key was generated to manage DNS, so some options may not be able to be set in the same key, which is not really a problem). With this, you can restrict the access because the user would only be able to modify the things that he owns, so you limit (not prevent) the possibility of some client going rogue. You can prevent this if something like a read-only connection is possible to establish.
I'm just throwing some rough ideas here, maybe you can mold them a make something useful ;)
Thanks for the attention!
I believe that this is the part that cPanel should look into:
"setup multiple remote keys"
I don't see how you could create a secure connection without handing over a password or some other sensitive root authentication method but, using multiple remote keys could be handled in the same way as SSH keys, so you could create as many as you need.
Having said this, it might be needed to implement some kind of restrictions for this keys, so that the are only authorised to do what you specify (e.g.: access WHM and/or SSH, modify/view DNS settings/zones), and this could be changed via some options panel whenever you like it or simply set at the moment of creation without possibility to change said options (of course the first one is more convenient, but I don't know if it is not too complicated to achieve or even possible). At this moment, DNS clustering does not work with 2FA, so maybe you could allow this authentication to be bypassed if some particular key, with the respective option turned on, is used for the connection (other option to add to the menu when creating/editing the access key).
Other thing that could be done is to hand over (or share) DNS administration from root to other new user (named something like dns or dnsmgr, and you would connect as said user if the key was generated to manage DNS, so some options may not be able to be set in the same key, which is not really a problem). With this, you can restrict the access because the user would only be able to modify the things that he owns, so you limit (not prevent) the possibility of some client going rogue. You can prevent this if something like a read-only connection is possible to establish.
I'm just throwing some rough ideas here, maybe you can mold them a make something useful ;)
Thanks for the attention!
This hits us every time a dedicated or VPS customer wants root access to WHM. It would make life so much easier if we could give them access to read/write their own DNS records and sync them back to our cluster but without them seeing everybody else's DNS records in the cluster.
At the moment we have to tell them if they want root access to the server, they have to manage their own DNS and can't use our cluster.
This hits us every time a dedicated or VPS customer wants root access to WHM. It would make life so much easier if we could give them access to read/write their own DNS records and sync them back to our cluster but without them seeing everybody else's DNS records in the cluster.
At the moment we have to tell them if they want root access to the server, they have to manage their own DNS and can't use our cluster.
As of v64, cPanel now supports API Tokens for the DNS Cluster — this resolves the part about being able to have multiple remote keys. A comment made in another feature request (which I'm unable to find right now) suggested that ACL support may be added to API Tokens in future, which seems like it would resolve this request once done.
As of v64, cPanel now supports API Tokens for the DNS Cluster — this resolves the part about being able to have multiple remote keys. A comment made in another feature request (which I'm unable to find right now) suggested that ACL support may be added to API Tokens in future, which seems like it would resolve this request once done.
With the additional privileges, we added in cPanel & WHM Version 68, this request is resolved.
https://documentation.cpanel.net/display/68Docs/68+Release+Notes#id-68ReleaseNotes-NewACLsNewaccessprivileges
The 'Manage DNS Records' privilege should be the only one the token needs.
With the additional privileges, we added in cPanel & WHM Version 68, this request is resolved.
https://documentation.cpanel.net/display/68Docs/68+Release+Notes#id-68ReleaseNotes-NewACLsNewaccessprivileges
The 'Manage DNS Records' privilege should be the only one the token needs.
Replies have been locked on this page!