  1. #1
    Member Silent Ninja's Avatar
    Join Date
    Apr 2006
    Location
    Buenos Aires, Argentina
    Posts
    173

    Subdomain DNS collision detection

    There should be something to avoid collisions between DNS's from the same subdomain.

    Example:

    1. I create a main site called mysite.com
    This will create a dns zone for mysite.com

    2. I create a secondary site (separate from it) called site1.mysite.com
    This will create a dns zone for site1.mysite.com

    Now, I can edit the zone for mysite.com and create a CNAME or A record for a subdomain called site1 (just like the 2nd site), and that would create trouble with the DNS zone of the secondary site, thus disabling it or disabling the CNAME / A record I wanted to add, without notifying any of those users why that happened.

    I'm thinking of this using the cPanel DNS Only cluster, and it could happen that both accounts are on the same server or on different ones; depending on which zone gets loaded first, one will override the other.

    It would be great if the cPanel / WHM DNS zone editor checked for this type of collision to avoid these hard-to-find DNS overlapping issues.
    Silent Ninja
    "Practice Makes Perfect"

  2. #2
    Member beddo's Avatar
    Join Date
    Jan 2007
    Location
    England
    Posts
    145
    cPanel/Enkompass Access Level

    DataCenter Provider

    Re: Subdomain DNS collision detection

    This would be good, I actually had a problem with the nameserver records for a WHM server. WHM set up the main domain zone and the nameserver zone. In the domain zone, ns01.domain.tld had the right primary IP and ns02.domain.tld had the secondary IP.

    WHM created a separate zone for each nameserver and set both of them to point to the primary IP. I didn't even notice anything wrong until I tried to connect to something that was configured to only listen on the secondary IP. It seems that the nameserver zones won over the domain zone in this case.

    Maybe the zone editor should list any additional zones that are set up as subdomains of the zone you are looking at as their own line which you cannot change. A link next to it to go and edit that zone instead would resolve the problems.

  3. #3
    Member Silent Ninja's Avatar
    Join Date
    Apr 2006
    Location
    Buenos Aires, Argentina
    Posts
    173

    Re: Subdomain DNS collision detection

    It would be easy (I think) to merge all the zones with the same domain.tld suffix as some sort of sub-zone, and then if a cPanel account only has access to a subdomain, just hide everything that doesn't have the subdomain.domain.tld format as a restriction.

    Example:

    - website.tld is created by root (or some other user) and thus a new DNS zone is added (website.tld)

    - first.website.tld is created for root or another user with access to website.tld (e.g. the same user or some user from the same reseller as website.tld), then the subdomain's DNS zone gets merged as a sub-zone of the main zone (website.tld now has zones for first.website.tld)

    If the user who owns "first.website.tld" wants to edit the domain zone, he'll only be able to see and edit everything that has "first.website.tld" as a suffix, unless it's the same user who owns website.tld, in which case the whole zone will be shown.

    If the owner of website.tld wants to see or edit the main DNS zone, he will be able to see and edit everything (including first.website.tld), and thus he would know that he can't use "first" as a subdomain for something, since it's already created, and he would be able to edit or delete sub-zones created based on his domain.

    This would also fix what beddo was saying, since editing the zone for his domain.tld will show both DNS records, without having to check for duplicates or separate sub-zones.
    Silent Ninja
    "Practice Makes Perfect"

  4. #4
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Subdomain DNS collision detection

    Let's say we have 2 users:

    User A has a primary domain of website.tld
    User B has a primary domain of first.website.tld

    Given that there cannot be 2 primary domains for a cPanel account, User A and User B must be different users, even if they reside under the same reseller user (e.g. root).

    To maintain user isolation, it would make more sense to not permit User A to create or modify anything ending in first.website.tld since that belongs to User B. It would seem the best behavior would be to error out to prevent one user from manipulating another user's records.

  5. #5
    Member
    Join Date
    Mar 2007
    Posts
    123

    Re: Subdomain DNS collision detection

    David, I think that you've hit the nail on the head:

    It would seem the best behavior would be to error out to prevent one user from manipulating another user's records.
    That IMO is the best solution to this problem, which we come across surprisingly often with our reseller clients.

  6. #6
    Member Silent Ninja's Avatar
    Join Date
    Apr 2006
    Location
    Buenos Aires, Argentina
    Posts
    173

    Re: Subdomain DNS collision detection

    Ok, it would work too as texo says that users who own a big domain, which has other uses on the subdomains, won't be able to overwrite or change those subdomains, to avoid them being able to take control of a different domain or mistakenly change a DNS zone by creating a subdomain pointing elsewhere on a different DNS zone.

    Root should however be able to see all the zones and sub-zones (subdomains' zones) for a specific domain, all together as one (or with some warnings), and still not be able to overwrite a subdomain's zone by editing the main domain's one.
    Silent Ninja
    "Practice Makes Perfect"

  7. #7
    Member beddo's Avatar
    Join Date
    Jan 2007
    Location
    England
    Posts
    145
    cPanel/Enkompass Access Level

    DataCenter Provider

    Re: Subdomain DNS collision detection

    Ahh, I was thinking of the zone editor for root when I suggested being able to follow into subdomains. In theory root should be able to access everything. The user zone editors would of course need to be restricted to their own zones and error on something that already exists. Resellers would be limited so that they couldn't stray into other resellers' zones.

    Things are always a little more complicated when you start thinking about them!
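
An added example, not part of the thread and not cPanel's code, of the check the posts above converge on: refuse a record in a parent zone when its name sits at or below the apex of another hosted zone, for root as well, and list those child zones for display. The zone-to-owner map, the user names and all function names are hypothetical, and record names are assumed to be fully qualified.

```python
# Constructed sample data: zone apex -> owning account (hypothetical users).
ZONES = {
    "mysite.com": "usera",
    "site1.mysite.com": "userb",
    "domain.tld": "root",
    "ns01.domain.tld": "root",
}

def normalize(name):
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.strip().rstrip(".").lower()

def is_at_or_below(name, apex):
    """True if name equals apex or is a subdomain of it.

    Compares whole labels, so notsite1.mysite.com is NOT under site1.mysite.com.
    """
    n, a = normalize(name).split("."), normalize(apex).split(".")
    return len(n) >= len(a) and n[-len(a):] == a

def child_zones(zone, zones):
    """Hosted zones strictly below `zone`, e.g. to show as read-only rows."""
    zone = normalize(zone)
    return sorted(z for z in zones if z != zone and is_at_or_below(z, zone))

def check_record(zone, record_name, user, zones):
    """Decide whether `user` may add `record_name` to `zone`: (allowed, reason)."""
    zone = normalize(zone)
    if zone not in zones:
        return False, "unknown zone"
    if user != "root" and zones[zone] != user:
        return False, "not zone owner"
    if not is_at_or_below(record_name, zone):
        return False, "out of zone"
    # Applies to root too: the separate child zone is where the edit belongs.
    for child in child_zones(zone, zones):
        if is_at_or_below(record_name, child):
            return False, f"collides with hosted zone {child} (owner {zones[child]})"
    return True, "ok"

if __name__ == "__main__":
    for name in ("site1.mysite.com.", "www.site1.mysite.com", "notsite1.mysite.com"):
        print(name, check_record("mysite.com", name, "usera", ZONES))
    print(child_zones("domain.tld", ZONES))
```
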
