
Delegating DNS record write permissions

With application owners having an increased closeness to infrastructure teams, delegating permissions to certain objects becomes natural. IT guru Rick Vanover highlights one trend to take the burden off of a network team.

For many environments, using Active Directory-integrated DNS zones is the way to go. Further, I’m a big fan of using the DNS CNAME record to configure application-related topics such as making ODBC database connections. One of the hitching points in the Windows DNS world is that DNS permissions are tied to Active Directory permissions. In larger organizations, your Windows Active Directory administrator may not be your application administrator.

A practice that I’m moving forward with is assigning permissions on an individual DNS record. This effectively allows an application owner or an IT service owner to change that record themselves. Let me explain this so you can get some perspective on the controls in place. This practice would be for the following situations only:

  • A CNAME or Alias record, and only for static entries. This would exclude dynamic entries such as a computer account.
  • Only in DNS zones for non-Active Directory domains.
  • Have a firm policy governing how DNS records are changed in delegated configurations. For example, prohibit application owners from running the DNS console to change the delegated domain records. Instead, provide a script running DNSCMD or another command that changes the DNS record and sends an email to management and others as a record of the activity.
An example of this type of DNS object is shown below in Figure A.

Figure A

Notice how the delegated.rwvdev.intra domain has a single record, DB-Application-Prod.delegated.rwvdev.intra. This record’s security configuration is shown in the image. Here, Windows Active Directory accounts can be granted the Write permission needed to change the record. The next question is how to determine when a DNS record changed; look no further than the DNS timestamp field.
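As an added example (not the author's own script), here is a PowerShell wrapper of the kind the third condition calls for: it rewrites one delegated CNAME with DNSCMD, refuses anything that is not an existing alias record, and mails a before/after audit record to management. The DNS server name, mail relay and addresses are assumed placeholders; the zone name is the one shown in Figure A.

```powershell
# Hypothetical change wrapper, not from the article. Server, SMTP host and addresses are placeholders;
# the zone name is the one shown in Figure A.
param(
    [Parameter(Mandatory)][string]$Name,             # record name, e.g. DB-Application-Prod
    [Parameter(Mandatory)][string]$Target,           # new canonical name the alias should point to
    [string]$Zone       = "delegated.rwvdev.intra",
    [string]$Server     = "dns01.rwvdev.intra",      # placeholder DNS server
    [string]$SmtpServer = "smtp.rwvdev.intra",       # placeholder mail relay
    [string[]]$Notify   = @("dns-changes@rwvdev.intra")
)
$fqdn = "$Name.$Zone"

# Guard: the delegation covers existing static CNAMEs only, never A records or dynamic computer
# entries, so refuse to touch anything that is not already a CNAME in the delegated zone.
$before = (& dnscmd $Server /EnumRecords $Zone $Name /Type CNAME 2>&1) -join "`n"
if ($LASTEXITCODE -ne 0 -or $before -notmatch '\bCNAME\b') {
    throw "No existing CNAME '$fqdn'; this wrapper only rewrites delegated alias records."
}

# Replace the alias. dnscmd runs as the caller, so it succeeds only if that AD account holds
# Write permission on this record object (the ACL shown in Figure A).
& dnscmd $Server /RecordDelete $Zone $Name CNAME /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "RecordDelete failed for $fqdn (exit $LASTEXITCODE); check record permissions." }
& dnscmd $Server /RecordAdd $Zone $Name CNAME $Target | Out-Null
if ($LASTEXITCODE -ne 0) { throw "RecordAdd failed for $fqdn (exit $LASTEXITCODE)." }
$after = (& dnscmd $Server /EnumRecords $Zone $Name /Type CNAME 2>&1) -join "`n"

# Audit record: who changed what, from where, with before/after state, mailed to management.
$body = @"
DNS CNAME change on $Server
Record : $fqdn
By     : $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME at $(Get-Date -Format o)
Before :
$before
After  :
$after
"@
Send-MailMessage -SmtpServer $SmtpServer -From "dns-delegation@rwvdev.intra" -To $Notify `
    -Subject "DNS change: $fqdn -> $Target" -Body $body
```

Because the wrapper deletes and re-adds the record, there is a brief window in which the alias does not resolve, so run it in a maintenance window or keep the record's TTL low.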

What is your take on adding permissions for DNS domains under specific requirements such as this? Why engage network administrators for application changes? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

5 comments
lpoehlitz

Anything one can do to empower a given owner of an area of responsibility to do the whole job while maintaining control is goodness. The described process has a good balance between empowering and control. Lou

svig

How about some info for BIND users? Not every IT department runs Microsoft services everywhere. Thanks -S

DomBenson

It is possible to delegate write permissions on a per-zone basis by specifying public keys in the BIND config, and including { allow-update ; } within the relevant zone(s). The keypairs can be generated with dnskeygen. Running nsupdate -k starts an nsupdate session that will have access to edit the zones with a matching allow-update reference. The allow-update can also include hosts/networks, although this is typically less useful/secure. DHCP-initiated DDNS signs individual records with corresponding TXT records, to ensure that it only updates/removes records originally generated by itself. I don't know of an implementation of this to allow per-record delegation, but it would be fairly simple to put together some shell scripts that would achieve it.

b4real

SVIG: Good point that you raise. My professional experience has been almost entirely with Active Directory-Integrated DNS. But, I'll see if I can fold this into my future content. CHEERS!

karanox

BIND information would indeed be nice. I would be surprised to see an ISP anywhere in the world that uses M$ products, and I've seen some pretty hairy BIND/DNS setups in various ISPs and Telcos around the world... Having some good advice would speed up a lot of BIND implementations, instead of forcing new DNS admins to trawl the web. Menandmice are a life saver though for BIND info...