From: Frank A. <fa...@en...> - 2002-01-23 13:16:17
Hello!

I'm planning to use the BIND8 module for giving away access to customers to their own zone files. There are a lot of very good features configurable in that module, but currently I'm still missing some to make the above secure.

- The option "Restrict zone files to directory" doesn't seem to have any effect if defined.
- It would be nice if one could disable editing of name server (NS) entries and SOA settings. These are things that a customer shouldn't change for himself.

And, as a global request... is it possible to set the module configuration for newly created users to the minimum possible rights (e.g. all to "no")? I don't see any reason why a new user should have "can edit module configuration" on "yes" after creation - it could cause security problems if one creates a new user and forgets to edit the user-specific module configuration.

And, as the last feature request for today, one question: Is it possible that a user can be configured to be able to edit all zone files that are located in one directory?

For example, I have a DNS server with about 40000 domains in it. So I managed the zone files in different directories depending on the customer name. So, I have /named/primary/tchibo as the directory where the files for tchibo.de, tchibo.at, tchibo.ch etc. are located. Now I want to create a user 'tchibo' that should be able to edit all zone files located in the mentioned directory, even if there will be more domains added in the future, but with no access to any other files in any other directory, neither read nor write access.

Currently I thought that "Restrict zone files to directory" was the desired option, but as mentioned above, that doesn't seem to work.

Well, awaiting a lot of useful discussion on that :))

With kind regards,
Frank Altpeter

--
Fry: "Maybe he has a parasite."
Hermes: "Maybe he is a parasite."