Skip to content

Specification: DNS permissions and validation

Jump to bottom Edit New page
drkitty edited this page Oct 16, 2014 · 3 revisions

Domain names are managed centrally by Information Services at OSU. This includes domain name registration, renewals, authoritative DNS servers and delegation of DNS zones, and management access control. As our central DNS management interface, Cyder provides the latter.

The inventory and delegation of management permissions to DCAs is handled by IS. As such, Cyder will only permit accounts with cyder-admin or super-admin permissions levels to manipulate Domains, NS records, and SOA records.

Containers can be given access to utilize zero or more Domains. If a Container is allowed to use a Domain, the accounts with access to said Container have the ability to create DNS records within that Domain. Domains and sub-Domains as Cyder concepts can only be created by cyder-admin/super-admin. Container users/admins cannot create sub-Domains. In other words, if the Domain foo.com is allowed in a container, the admins of that container can create an A record for foo.com, bob.foo.com, but not wazoo.bob.foo.com, etc. If a Container user/admin requires a sub-Domain of a Domain they already have access to, they must request it from a cyder-admin/super-admin. The requirement to have a Domain assigned to a Container does not extend to Dynamic Interfaces, as the Domain for the auto-generated A/PTR records is taken from the Interface's Range.

If a Domain is assigned to multiple Containers, there is the potential for name/record conflicts. In this case, names and records are available to be created on a first-come, first-served basis. In the case where multiple identical names are valid (A record, and CNAME record round-robins), these are not allowed to span multiple Containers. Detailed restrictions on each record type are listed below, including non-permissions related validation specifications.

PTR

  • Validate IP (reverse Domain) is in range/network allowed in current container.
  • Don't validate that the target exists or that the Container has permissions for use of the target Domain.
  • Make sure target is not an IPv4/6 address.
  • Don't allow if IP is already in use on a static interface – even if DNS is disabled!
  • Don't allow if IP in dynamic range.

A

  • Validate name uses Domain allowed in current container.
  • If name already exists in another container don't allow it to be created again in different container.
  • If name exists in the current container, notify user existing A exists, allow them to ignore if they're attempting to create a round-robin. Give user option to see existing matching object(s). Include objects with DNS disabled!
  • Validate target syntax – must be an IPv4/6 address.
  • Don't validate target IP is in any specific range/network we control.

CNAME

  • Validate Domain is allowed in this container
  • If name already exists in another container don't allow it to be created again in different container.
  • If name already exists in the current container, notify user existing CNAME exists, allow them to ignore if they're attempting to create a round-robin. Give user option to see existing matching object(s). Include objects with DNS disabled!
  • Don't allow if name already exists as an A, MX or SOA – CNAME cannot be at the same level as these record types. Give user option to see existing matching object(s). Include objects with DNS disabled!
  • Do not verify that the Domain/fqdn of the target is in Cyder or that it exists. Only validate that it is a valid hostname (fully qualified or short name are both ok!) and is not an IPv4/6 address.
Add a custom footer
Add a custom sidebar
Clone this wiki locally