Add Reseller Account to DNS Cluster?

[mikelegg]

Is it possible to add a reseller account into a cPanel DNS Cluster so that it's zones can be pushed to the cluster?

[mikelegg]

From what I can see ...

1. You don't have to use the user "root" when adding a server to a cluster, so I could use the reseller username and the reseller WHM key to add the reseller server to the cluster.

2. There is a Reseller ACL option called "Clustering".

So it seems it would be possible, but I'm just wondering if it would actually work the way I think it would.

[mikelegg]

Well, I gave it a go and everything was OK until I tried to configure the roles of the DNS servers within the reseller account to "Synchronise Changes".

The message it gave me was "For security reasons, the root user must add this server into the cluster before it can be made to synchronize dns records. To accomplish this you or the server administrator must login as root and add xxx.xxx.xxx.xxx to the cluster."

[cPanelTristan]

The issue with a reseller having this access would be they can see all zones in the cluster upon being added to it, so they can edit DNS zones or remove those that they don't even own at that point. I wouldn't allow a reseller to have cluster access personally to your nameservers. Now, if you wanted to give them access to their own nameservers and only cluster those nameservers, then I could see doing that option.

[mikelegg]

Thanks Tristan

I don't quite understand the purpose of giving resellers the "Clustering" privilege in their ACL.

In order for them to synchronise their zones to remote servers, the remote servers have to be added by someone with root privileges.

So while a reseller can add servers to his cluster he doesn't appear to be able to actually do anything useful with them.

[learning]

So while a reseller can add servers to his cluster he doesn't appear to be able to actually do anything useful with them.

Is this final assumption correct? I´ve been looking for a reseller with this figured out. Any official response?

[cPanelTristan]

The remote servers must be added by someone with root privileges to the DNS only servers. You do not want your resellers able to cluster to your existing nameservers, since anyone clustered to those nameservers can remove or edit all zones in the cluster even those they do not own.