Kay-Michael Voit wrote:
> did you consider just to block other mac-addresses through iptables?

Yes, but the MAC should just be checked for one specific user.

> but... i don't know, what you are doing there, but are you sure you want to grant every user ssh access?

No, just one user with limited rights. That user executes a C-script that becomes root and reloads bind. Only this user's key is trusted.

> i would suggest to use a webinterface, for example with php, which puts commands into a database, or something similar (perhaps a text file could do it, too) and then run a cronjob, let's say, every 10 mins with a script that restarts bind.

But isn't ssh more secure than a web interface (even when using SSL)? Using your method, anybody who hacks the webapp has total root access...

We thought about the cron option, but as soon as a domain is registered, the Dutch TLD organisation checks if there is a valid DNS record. Therefore bind needs to be reloaded as soon as the mail is sent to the TLD organisation. We could queue all mail and send it through a cronjob as well, but this seems a bit complicated for the task.
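One way to let that single trusted key reload bind without a setuid C wrapper, as an added example that is not from either participant in this thread: pin the key to a forced command in authorized_keys, and have the forced command accept only the literal request "reload". The wrapper path /usr/local/bin/bind-reload is a placeholder, and it assumes the account owning the key is allowed to run rndc reload (e.g. via the bind rndc.key).

```shell
#!/bin/sh
# Added example (not from the thread). Restrict the one trusted ssh key to a
# forced command that can do nothing except reload bind.
# Assumption: rndc is configured for the account that owns this key.

RNDC="${RNDC:-/usr/sbin/rndc}"

# Build the authorized_keys line for the trusted key. The forced command runs
# no matter what the client asks for; the key also gets no pty and no
# forwarding, so a leaked key cannot be turned into a shell or a tunnel.
build_forced_key_line() {
    pubkey="$1"
    printf 'command="/usr/local/bin/bind-reload",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$pubkey"
}

# The forced command itself (installed as /usr/local/bin/bind-reload).
# sshd puts the client's requested command into SSH_ORIGINAL_COMMAND; only the
# exact word "reload" is honoured, anything else is logged and refused.
bind_reload() {
    case "${SSH_ORIGINAL_COMMAND-}" in
        reload)
            "$RNDC" reload
            ;;
        *)
            echo "bind-reload: refusing request: ${SSH_ORIGINAL_COMMAND-<none>}" >&2
            return 1
            ;;
    esac
}
```

The web application then needs nothing more than `ssh -i keyfile reloaduser@dnshost reload`; a compromise of the web host yields a key that can only trigger a reload.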