Since I couldn’t find an appropriate tool, I wrote it myself (to be put somewhere soon): a web frontend to update a bind nameserver without needing to go through the hassle of parsing zonefiles, reloading the nameserver and such.

How it works: it just uses the nsupdate functionality included with BIND. It’s public key crypto, and all the code is already in BIND and probably audited quite well. And the web frontend can run on the admin web box, properly firewalled off.

With that tool I can easily change the DNS zones on my SELinux boxes, without having to fight with allowing a web server on that box to read and write BIND files and reloading the BIND service. IMHO this solution is a lot cleaner: just tell the changes via UDP port 53 to the name server and let it do the actual job itself.

The “dynamic” zonefiles - those BIND may write to - live in a separate dir (and separate SELinux file context), and with the extra SELinux protection, privilege escalation of BIND is really unlikely.

(The web interface is really basic though - it doesn’t do many syntax checks. So you should have sufficient DNS knowledge before using it, but that’s a good idea anyway. There are a couple of things you can break with DNS, you know?)
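For anyone who wants to see the mechanism without the web frontend, here is an added example (my own, not the tool from this post) of the same signed update sent through nsupdate, with the one check the post admits the frontend lacks: it refuses names outside the zone. The key file path, server address and zone are assumptions.

```shell
#!/bin/sh
# Added example, not the post's web frontend: a minimal wrapper around
# nsupdate that sends a signed dynamic update to the nameserver on port 53
# instead of editing zonefiles. Assumed values (placeholders, not from the
# post): the TSIG key file, the server address and the zone name.

KEYFILE="${KEYFILE:-/etc/named/keys/webfront.key}"   # readable only by the web box user
SERVER="${SERVER:-127.0.0.1}"

# build_update ZONE NAME TTL TYPE RDATA
# Prints an nsupdate batch that replaces every TYPE record at NAME with RDATA.
# Names outside ZONE and non-numeric TTLs are rejected before anything is
# sent, so a typo in the frontend cannot turn into an update for another zone.
build_update() {
    zone=$1; name=$2; ttl=$3; type=$4; rdata=$5
    case "$name" in
        "$zone"|*."$zone") ;;
        *) echo "build_update: $name is not inside $zone" >&2; return 1 ;;
    esac
    case "$ttl" in
        ''|*[!0-9]*) echo "build_update: bad TTL '$ttl'" >&2; return 1 ;;
    esac
    # "update delete" then "update add" makes the change a replacement;
    # "send" ships the whole batch as one signed UPDATE message.
    printf 'server %s\nzone %s.\nupdate delete %s. %s\nupdate add %s. %s %s %s\nsend\n' \
        "$SERVER" "$zone" "$name" "$type" "$name" "$ttl" "$type" "$rdata"
}

# push_update ZONE NAME TTL TYPE RDATA: sign the batch with the key and send it.
# The server side must grant that key update rights on the zone (allow-update
# or update-policy in named.conf) or the update is refused.
push_update() {
    build_update "$@" | nsupdate -k "$KEYFILE"
}
```

Run as `push_update example.org www.example.org 300 A 192.0.2.10`; the nameserver writes the change into its dynamic zonefile itself, so no reload or file permission on the zone directory is needed.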