DNS Management Authorization Levels

Hello,

I am seeking to accomplish the following and am wondering if this can be done using Cloudflare’s API or any other mechanism?

  1. Three users involved: Domain Owner, Domain User, My Company
  2. My Company will manage access control to DNS servers/management
  3. Domain Owner will keep their domain at their registrar of choice, but point the domain to My Company’s DNS management tool (using nameservers?)
  4. From here, My Company will allow the final Domain User to control the DNS management as a ‘secondary’ level of control. Ultimately, My Company (using My Company’s system) and the Domain Owner (using the Domain Owner’s Registrar’s system) can both withdraw the Domain User’s access at any time.
  5. While the Domain User has access to the DNS records through My Company’s system, they can point the DNS records to any targets that they wish. The execution will likely happen due to the Domain Owner’s Registrar forwarding DNS requests to My Company, which would then forward the DNS requests to the Domain User’s targets, using the Cloudflare system.
  6. This should all be done securely, avoiding malicious hijacking, man in the middle or any other form of security breach.
  7. My Company wants to do this for multiple domains owned by multiple Domain Owners and multiple Domain Users.

Is this possible? If so, how?

I didn’t see anything in your list regarding a Cloudflare account, so I’ll take some guesses: You want all of this within your single Cloudflare account, housing many different zones (domains).

As for the API, the API is just a command line version of the dashboard. But with API Tokens, you can set permissions such as which zone (domain) the token applies to, and which settings they can change.

Give this a look:
https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys

1 Like
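As an added example (not part of the original thread and not Cloudflare's own code), the per-zone token scoping described in the reply above can be expressed as a request body for `POST /client/v4/user/tokens`, with a check that flags a token reaching beyond its one delegated zone. The zone ids, token names and the permission-group id placeholder are assumptions; real group ids come from `GET /user/tokens/permission_groups`.

```python
ZONE_PREFIX = "com.cloudflare.api.account.zone."
# Placeholder id (assumption): look up the real one via GET /user/tokens/permission_groups.
DNS_WRITE = {"id": "<DNS_WRITE_PERMISSION_GROUP_ID>", "name": "DNS Write"}
ALLOWED_GROUPS = {"DNS Read", "DNS Write"}


def build_zone_token(name, zone_id, expires_on=None):
    """Body for POST /client/v4/user/tokens: DNS edit rights on one zone only."""
    body = {"name": name, "policies": [{
        "effect": "allow",
        "resources": {ZONE_PREFIX + zone_id: "*"},
        "permission_groups": [DNS_WRITE],
    }]}
    if expires_on:
        body["expires_on"] = expires_on  # RFC 3339 timestamp
    return body


def audit_token(token, expected_zone_id):
    """Return findings; an empty list means the token is scoped as intended."""
    findings = []
    for policy in token.get("policies", []):
        if policy.get("effect") != "allow":
            continue
        for resource in policy.get("resources", {}):
            if resource != ZONE_PREFIX + expected_zone_id:
                findings.append(f"resource outside delegated zone: {resource}")
        for group in policy.get("permission_groups", []):
            if group.get("name") not in ALLOWED_GROUPS:
                findings.append(f"non-DNS permission: {group.get('name')}")
    if not token.get("expires_on"):
        findings.append("no expiry set")
    return findings


# Constructed sample data: a zone id and two token definitions.
ZONE_A = "0123456789abcdef0123456789abcdef"
GOOD = build_zone_token("domain-user-1", ZONE_A, "2030-01-01T00:00:00Z")
BROAD = {"name": "domain-user-2", "policies": [{
    "effect": "allow",
    "resources": {ZONE_PREFIX + "*": "*"},  # every zone in the account
    "permission_groups": [DNS_WRITE, {"id": "<PLACEHOLDER>", "name": "Zone Settings Write"}],
}]}

if __name__ == "__main__":
    for tok in (GOOD, BROAD):
        print(tok["name"], audit_token(tok, ZONE_A) or "OK")
```

Withdrawing a Domain User's access then amounts to deleting or rolling that one token, which leaves the other zones' tokens untouched.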

Hi. This looks good, though I see a limit of 50 API tokens. This is fine for our launch, but if successful, I want to be sure that we can enter into an enterprise agreement where we can manage more than 50 API tokens. We will need a new zone for each domain name, as each will have a unique user. It is possible that we will need thousands or tens of thousands of zones (domains / unique users of the domains).

The account is {redacted}
Best regards,

Sean

That’s interesting that the support document tells you about a 50 token limit, yet my API Tokens page says nothing about that, or how many tokens I have left beyond the ten I’m using.

Maybe @cloonan knows the scoop about token limits on various plans. It would seem to me that on an Enterprise plan, they’ll gladly sell you as much of anything they can that’s not already included in copious amounts.

1 Like

Will @cloonan see this message?

1 Like

I’m sure @cloonan will, but the more we ping @cloonan, the more likely @cloonan will ignore us. There’s a slight chance I’m kidding.

2 Likes

I’d say odds are really good!

I am researching the details, but @HenryM may be able to give us a shortcut answer… I can only see the 50-tokens-per-user limit, but I don’t see information by plan type. Still digging.

1 Like

Thank you @cloonan!

1 Like

Sounds like this model:

Which comes directly from the Partner Platform blog post. Fuller docs here, and @erictung might know more.

3 Likes

Yes. This is good. I like what I am seeing here. Thank you @michael.

1 Like

This model only works if you are registered as a Cloudflare Partner, and it depends on your region - not everyone can access the Partner API. For instance, APAC partners currently do not have access to the Partner API.

So this might be a better option.

2 Likes

I only just realized that. I just counted the API tokens I’ve created and there are 38. Wow.

Update: just verified that the restriction is there:

image

1 Like

Just confirmed with Cloudflare Support, Enterprise customers may increase the limit with valid reasons/use cases.

1 Like
