Ownership and access control of zones in the DNS server.
As a Data Center, I want security functionality in DNS clustering so that my root users cannot overwrite one another's DNS zones.
Also, can I just echo here the absolute importance of the DNS clustering security fix we discussed. This is our biggest wish for 2012: the ability for servers to use the DNS cluster but only see their own zones locally on the server. Currently we cannot sell a dedicated server, give a customer root, and also use the DNS cluster, because as root you can see every zone on the cluster, including those from other servers. BIG wish from us is to fix this, as we want to use the cPanel DNS cluster for ALL our servers, which we currently cannot.
This is a feature that has been migrated over from the cPanel Forums. All previous comments and discussions concerning this feature can be located at:
http://forums.cpanel.net/f5/dns-clustering-security-flaw-112653.html
I agree with this function; it's very important to save IPs and keep the infrastructure organized.
This is definitely a required function for cPanel DNS clustering.
While the zones come up as non-existent on the slave servers, it still shows the users which zones do actually exist, and limits the usability to servers on which customers do not have higher-level access.
Oh my god - I've been talking to cPanel about this very feature for 2+ years now.
They actually fixed it in 11.28 (I confirmed it was working), but UNDID the fix afterwards; now they are refusing to cooperate on this matter.
Please check thread http://forums.cpanel.net/f185/all-root-owned-dns-zones-available-all-resellers-307992.html for more information.
This is NOT a feature request: this is a BUG that needs attention right away.
I cannot believe that cPanel believes that publishing root-owned data to a reseller account is acceptable, or even - to quote cPanel's support - "expected behaviour".
PLEASE FIX THIS! We're paying a LOT of money for our cPanel licenses on all our servers, and this is simply NOT acceptable at all.
I also agree that this should NOT be treated as a functionality request - this is a major grade-A BUG, and we believe that it needs urgent attention and a solution released ASAP.
This is seriously important to hosts who would like to offer VPS and nameserver functionality. Why has this been overlooked for so long?
Any news on this?
It should be pretty easy to record ownership info together with zones.
That would allow providing DNS redundancy to the wider masses.
This is impossible now since all cluster members can see and edit all zones!
Please fix this!
Thanks
I've been asked to migrate my comments about my own experiences creating a secure DNS infrastructure replacement from its own feature request to this one. Below is the original post:
For those of us using dnsadmin to connect to a custom remote module (Softlayer, VPS.net, etc.), the ability to have multiple non-root resellers use their own individual cluster configurations is vital for security of the DNS infrastructure. Additionally (for non-resellers) the owner of a zone can be determined in dnsadmin during request handling and their reseller hierarchy traversed to find the most applicable cluster configuration. This allows even non-reseller accounts with a valid cluster config file to have individual secure authentication to the cluster, or even different cluster systems.
From a complexity point of view, Cpanel::DNSLib::PeerConfig::getdnspeers and Cpanel::DNSLib::Config::get_cluster_member_config already accept user parameters, making the overall implementation relatively straightforward. The ideal implementation would add a "CPANEL_USER" header to dnsadmin requests via Cpanel::DnsUtils::AskDnsAdmin::askdnsadmin and when it exists, traverse the OWNER tree via repeated Cpanel::AcctUtils::Owner::getowner calls until Cpanel::DNSLib::PeerConfig::getdnspeers returns one or more peers or the user owns itself/is owned by root, at which point you'd fall through to the code as it is today (default to REMOTE_USER or root). The user name can be cached exactly as $fetched_dns_peers is in the current code to prevent unnecessary slow-downs.
An alternative to using a custom header in Cpanel::DnsUtils::AskDnsAdmin::askdnsadmin is to parse keys in %$rform to find all zones related to the request and determine user via Cpanel::AcctUtils::DomainOwner::getdomainowner calls, though this has the downside of not working for dnsadmin calls that do not require input and should be avoided.
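The owner-tree walk proposed in the comment above, as an added example that is not cPanel's code and not part of the original post. It stands in for Cpanel::AcctUtils::Owner::getowner and Cpanel::DNSLib::PeerConfig::getdnspeers with two constructed in-memory maps, reads a CPANEL_USER header (a hypothetical name taken from the comment) with the existing REMOTE_USER / root fallback, and caches the resolved user the way the comment suggests caching $fetched_dns_peers:

```perl
#!/usr/bin/perl
# Added example, not cPanel code: pick the cluster configuration that applies
# to a dnsadmin request by walking the reseller/owner tree upward until a
# user with its own cluster config is found, otherwise fall back to root.
# The owner map, the per-user peer lists and the CPANEL_USER header name are
# constructed for this example; cPanel's real modules are not loaded here.
use strict;
use warnings;

# Constructed account ownership: user => owner. Root owns itself and the
# top-level resellers; resellers own their users (and sub-resellers).
my %OWNER = (
    root      => 'root',
    resellerA => 'root',
    resellerB => 'root',
    subres    => 'resellerA',   # a reseller owned by another reseller
    alice     => 'subres',
    bob       => 'resellerB',
    carol     => 'root',        # account created directly by root
);

# Constructed cluster configurations: user => DNS peers. Only users that
# have their own cluster config appear here.
my %PEERS = (
    root      => ['ns1.example.test', 'ns2.example.test'],
    resellerA => ['ns1.resellera.test'],
);

# Stand-ins for Cpanel::AcctUtils::Owner::getowner and
# Cpanel::DNSLib::PeerConfig::getdnspeers, backed by the maps above.
sub getowner    { my ($u) = @_; return $OWNER{$u} // 'root'; }
sub getdnspeers { my ($u) = @_; return @{ $PEERS{$u} || [] }; }

# Cache of resolved users so the tree is walked once per user per process.
my %RESOLVED_USER;

# Walk up from $user until a user with peers is found, or the chain reaches
# root / a self-owned user. Returns the user whose cluster config applies.
sub resolve_cluster_user {
    my ($user) = @_;
    return $RESOLVED_USER{$user} if exists $RESOLVED_USER{$user};

    my $current = $user;
    my %seen;                    # guard against cycles in a corrupt owner map
    while (1) {
        last if getdnspeers($current);            # found a cluster config
        my $owner = getowner($current);
        last if $owner eq 'root' || $owner eq $current || $seen{$owner}++;
        $current = $owner;
    }
    # Fall through to today's behaviour (root's config) unless we stopped on
    # a user that has one.
    $current = 'root' unless getdnspeers($current);
    return $RESOLVED_USER{$user} = $current;
}

# Choose the user for a request: the CPANEL_USER header when present,
# otherwise the existing REMOTE_USER / root fallback.
sub cluster_user_for_request {
    my ($headers) = @_;
    my $user = $headers->{CPANEL_USER} || $headers->{REMOTE_USER} || 'root';
    return resolve_cluster_user($user);
}

if (!caller) {
    # alice -> resellerA (via subres), bob -> root, carol -> root,
    # resellerA -> resellerA
    for my $u (qw(alice bob carol resellerA)) {
        my $cfg = cluster_user_for_request({ CPANEL_USER => $u });
        printf "%-10s -> cluster config of %-10s peers: %s\n",
            $u, $cfg, join(', ', getdnspeers($cfg));
    }
}
```

The cycle guard and the "unknown zone / unknown owner defaults to root" choices are the points a practitioner should keep when wiring this into a real dnsadmin handler: an owner map that is corrupt or incomplete must never leave the request with more privilege than root's own configuration would give it.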
We definitely need this ASAP. Thanks. Clients on VPS servers especially need this to save costs and make things easier. We need it for security.
I sell plans with cPanel VPS and dedicated servers, and all DNS zones are on a DNS cluster (DNSONLY).
The need is for the DNS zones not to be visible from the Edit DNS Zone menu in WHM on the VPS and dedicated servers,
since the DNS zones of the other VPS and dedicated servers belong to different clients.
Still no answer?
We have 3 brands in our company and we need to at least separate these because there are 3 support teams.
Also VPS and dedicated server clients are screaming for cluster access.
This is absolutely a bug and not a feature request. I'm really getting tired of seeing thousands of zones from my other servers on each new box I connect to my cluster.
This feature should be added to cPanel; a lot of users and datacenters need this.
This still isn't fixed. Currently servers can see all zones but cannot edit them, which is better than it used to be - but I don't want my dedicated customers being able to see all zones in our cluster, if they decide to use our nameservers.
We had issues recently because this feature doesn't exist yet, both with setting TTL records and with migrating an old server to a new one.
We need a way to edit which server owns which records: when you copy an account to another server using the same DNS cluster, in most cases you want the ownership of the zone moved across, but in some cases you might want to move it back to the previous server.
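The ownership record that the feature request (servers seeing and editing only their own zones) and the comment above (moving ownership across when an account is copied) both ask for, as an added example that is not cPanel's code and not part of the thread. The registry, the member names (ws0001, ws0002), the zones and the privileged cluster-admin identity are constructed for this example:

```perl
#!/usr/bin/perl
# Added example, not cPanel code: an ownership registry for zones in a DNS
# cluster. It records which cluster member owns each zone, shows a member
# only its own zones, refuses writes to zones it does not own, and moves
# ownership explicitly when an account is migrated. Member names, zones and
# the privileged 'cluster-admin' identity are constructed for this example.
use strict;
use warnings;

package ZoneRegistry;

use constant ADMIN => 'cluster-admin';   # the cluster's own privileged identity

sub new { my ($class) = @_; return bless { owner_of => {} }, $class; }

# Record ownership the first time a zone is synced from a member. A second
# member claiming an already-owned zone is refused: this is the overwrite
# the feature request wants to prevent.
sub register {
    my ($self, $zone, $member) = @_;
    $zone = lc $zone;
    my $owner = $self->{owner_of}{$zone};
    return 0 if defined $owner && $owner ne $member;
    $self->{owner_of}{$zone} = $member;
    return 1;
}

sub owner_of { my ($self, $zone) = @_; return $self->{owner_of}{ lc $zone }; }

# A member (and therefore its root user) sees only zones it owns; the
# cluster admin sees everything.
sub visible_zones {
    my ($self, $member) = @_;
    my @zones = sort keys %{ $self->{owner_of} };
    return @zones if $member eq ADMIN;
    return grep { $self->{owner_of}{$_} eq $member } @zones;
}

# Authorize a write (save, delete, transfer) on a zone. Unknown zones are
# denied rather than guessed.
sub may_write {
    my ($self, $member, $zone) = @_;
    return 1 if $member eq ADMIN;
    my $owner = $self->owner_of($zone);
    return defined $owner && $owner eq $member ? 1 : 0;
}

# Hand a zone to another member, e.g. after copying the account to a new
# server. Only the current owner or the cluster admin may do this.
sub transfer {
    my ($self, $zone, $from, $to) = @_;
    return 0 unless $self->may_write($from, $zone);
    $self->{owner_of}{ lc $zone } = $to;
    return 1;
}

package main;

# Walk through the scenario from the thread: two web servers sharing one
# cluster, then an account copied from ws0001 to ws0002.
sub demo {
    my $reg = ZoneRegistry->new;
    $reg->register('alpha.example.test', 'ws0001') or die;
    $reg->register('beta.example.test',  'ws0001') or die;
    $reg->register('gamma.example.test', 'ws0002') or die;

    # ws0002 cannot take over a zone ws0001 already owns
    my $overwrite_refused = !$reg->register('alpha.example.test', 'ws0002');

    # each server lists only its own zones
    my @seen_by_ws0002 = $reg->visible_zones('ws0002');                  # gamma only

    # ws0002 cannot write alpha until ownership is moved across
    my $write_before = $reg->may_write('ws0002', 'alpha.example.test');   # 0
    $reg->transfer('alpha.example.test', 'ws0001', 'ws0002') or die;
    my $write_after  = $reg->may_write('ws0002', 'alpha.example.test');   # 1

    return {
        overwrite_refused => $overwrite_refused ? 1 : 0,
        seen_by_ws0002    => \@seen_by_ws0002,
        write_before      => $write_before,
        write_after       => $write_after,
        owner_now         => $reg->owner_of('alpha.example.test'),
    };
}

if (!caller) {
    my $r = demo();
    printf "overwrite refused: %d\n", $r->{overwrite_refused};
    printf "ws0002 sees: %s\n", join(', ', @{ $r->{seen_by_ws0002} });
    printf "ws0002 may write alpha before/after transfer: %d/%d (owner now %s)\n",
        $r->{write_before}, $r->{write_after}, $r->{owner_now};
}
```

The design point is that the ownership record, not the presence of a zone file in /var/named, is what decides visibility and write access, and that ownership only changes through an explicit transfer by the current owner or the cluster admin; a member that merely syncs a copy of a zone never silently becomes its owner.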
Yes, I wholeheartedly agree.
I have two web servers (more to be added soon) and 8 DNSONLY servers. I have configured them using the direct links method.
On web servers, I have set the DNS role of the DNSONLY servers to Write Only, while on DNSONLY servers, I have set the DNS role of the web servers to Standalone.
However, the DNS zones of both the web servers are syncing with each other. I tried deleting the DNS zones of the web server 1 in web server 2, and the web server 1 one along with all the 8 DNSONLY servers went down. I had a hard time bringing them back online again.
I briefed cPanel support on this, and they told me:
For example if you look at ws0001* in /var/named you will only see the DNS zones for domains that are hosted on ws0001*. You will not find the actual zone files for the other domains.
While I agree with cPanel support, I still think it makes no sense to display the DNS zones of all the web servers on each web server.
Any update on this?
We need this feature.