02-04-2013 03:56 PM
We currently use Infoblox to manage a complex DNS system with administration delegated to many different groups and administrators. We are increasingly having issues whereby write permissions have been given to the forward lookup zone, i.e. company.com.au, but permissions to the reverse lookup zone have not been assigned. This reverse zone is not always a 1 to 1 mapping, so auditing this is difficult.
I was considering whether it is sensible to give the ALL USERS group write access to PTR records, such that forward lookup zones are restricted, but reverse zones are not. This would greatly simplify our permissions management, but I am concerned about the security implications. Does anyone have any thoughts on this? Know of obvious security problems with doing this? Any ideas would be greatly appreciated.