Sharing zones between views to conserve memory

Jan Gutter jang at lucidview.net
Wed Jan 9 12:37:29 UTC 2013


Hi

I've come across an interesting scalability issue with regard to how
our organization uses BIND. I'm putting the question up here, but I
have a sneaky suspicion that I'll have to solve this problem in the
source code. The way we use BIND seems to be slightly non-obvious, and
I'm really after any creative or bright ideas that would help me in
reducing memory use, but still keeping the functionality there.

The use case:

We have one BIND server (running 9.9) that serves a number of
subdivisions within our company. Each subdivision has a response
policy that refers to a few "category" zones (of which there are about
90). The issue is that these zones are LARGE and almost impossible to
clean up. There's a huge commonality between subdivisions and zones,
however (many subdivisions use the largest zone file with 1.7m entries
or so).

The current setup:

I've set up BIND to do something like this:

view "subdivision-01" {
  match-clients { 10.0.1.0/24; };
  zone "category-01" { type master; file "/etc/bind/cat01.rpz"; allow-query { none; }; };
...
  zone "category-90" { type master; file "/etc/bind/cat90.rpz"; allow-query { none; }; };
  zone "whitelist" { type master; file "/etc/bind/whitelist.rpz"; allow-query { none; }; };
  response-policy {
    zone "whitelist" policy no-op;
    zone "category-01" policy CNAME policy.example.com;
...
    zone "category-90" policy CNAME policy.example.com;
  };
  include "/etc/bind/named.conf.default-zones";
  include "/etc/bind/zones.rfc1918";
};

I normally make a copy of that setup for each subdivision, omitting
the categories that aren't used in the subdivision.

The problem:

Each subdivision added in this way increases BIND's memory use by
almost a gigabyte! Most subdivisions use the category with 1.7m
entries, and that's a big culprit. It looks a lot like BIND makes a
new copy of the zone per view. Making the memory requirements an order
of magnitude less for the zone, or making it independent of the number
of views would both solve the problem.

So, here's my question: is there a way to share zones between views to
conserve memory? The hypothetical way would be to put the policy zones
in a "common" view, and just set response-policy uniquely for each
view. Like I said, I have a sneaky suspicion that it's not possible
with 9.9...

Any other bright ideas, suggestions or general flames would be
welcome! I'm not married to this specific setup in the least: any tool
that does the job is valid.

As an off-topic aside, it seems that the policy no-op statement only
works in BIND 9.9, and not 9.8. I'm running Ubuntu 12.04 (pity me!)
and 9.8 seems to have slight issues with a response-policy

Thanks for reading this far, I feel I've succeeded in my goal if I've
caused at least one sysadmin or developer to overheat for a couple of
minutes.

Jan Gutter
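The per-subdivision copy-and-prune step described in the post above, as an added example (not code from the original post or from BIND): a small Python generator that emits one view per subdivision in the shape shown, and tallies how many RPZ entries get loaded when every view carries its own copy of each zone versus when each zone would be loaded once. The subdivision table (SUBDIVISIONS), the per-zone record counts (ZONE_ENTRIES) and the three sample networks are constructed for this example; only the 1.7m figure, the file naming and the policy target come from the post.

```python
"""Generate per-subdivision BIND views with their own RPZ zones and
account for the duplicated zone data.

SUBDIVISIONS and ZONE_ENTRIES are constructed sample data for this
example; they are not taken from the original post.
"""

ZONE_DIR = "/etc/bind"            # directory used in the original config
POLICY_TARGET = "policy.example.com"

# Constructed sample: three subdivisions using a subset of the categories.
SUBDIVISIONS = {
    "subdivision-01": {"clients": ["10.0.1.0/24"],
                       "categories": ["category-01", "category-02"]},
    "subdivision-02": {"clients": ["10.0.2.0/24"],
                       "categories": ["category-01", "category-03"]},
    "subdivision-03": {"clients": ["10.0.3.0/24"],
                       "categories": ["category-01"]},
}

# Assumed record counts per zone file; the post cites ~1.7m for the largest.
ZONE_ENTRIES = {
    "category-01": 1_700_000,
    "category-02": 20_000,
    "category-03": 5_000,
    "whitelist": 100,
}


def zone_stmt(name, filename):
    """Master zone declaration that clients cannot query directly: the
    data is only consulted through response-policy."""
    return (f'  zone "{name}" {{ type master; file "{ZONE_DIR}/{filename}"; '
            f'allow-query {{ none; }}; }};')


def view_block(name, clients, categories):
    """One view in the layout of the original configuration."""
    lines = [
        f'view "{name}" {{',
        f'  match-clients {{ {" ".join(c + ";" for c in clients)} }};',
        zone_stmt("whitelist", "whitelist.rpz"),
    ]
    for cat in categories:
        num = cat.split("-")[1]               # "category-01" -> "cat01.rpz"
        lines.append(zone_stmt(cat, f"cat{num}.rpz"))
    lines.append("  response-policy {")
    # Whitelist goes first: RPZ zones are consulted in the listed order and
    # the first matching zone decides, so a no-op here overrides the blocks.
    lines.append('    zone "whitelist" policy no-op;')
    for cat in categories:
        lines.append(f'    zone "{cat}" policy CNAME {POLICY_TARGET};')
    lines.append("  };")
    lines.append(f'  include "{ZONE_DIR}/named.conf.default-zones";')
    lines.append(f'  include "{ZONE_DIR}/zones.rfc1918";')
    lines.append("};")
    return "\n".join(lines)


def named_conf(subdivisions):
    """All views, each pruned to the categories that subdivision uses."""
    return "\n\n".join(view_block(n, s["clients"], s["categories"])
                       for n, s in subdivisions.items())


def loaded_entries(subdivisions, entries):
    """Return (per_view, shared): entries loaded when every view holds its
    own copy of each zone it names, versus entries if each distinct zone
    were loaded once and shared across views."""
    per_view = 0
    used = set()
    for s in subdivisions.values():
        zones = ["whitelist"] + list(s["categories"])
        per_view += sum(entries[z] for z in zones)
        used.update(zones)
    shared = sum(entries[z] for z in used)
    return per_view, shared


if __name__ == "__main__":
    print(named_conf(SUBDIVISIONS))
    dup, once = loaded_entries(SUBDIVISIONS, ZONE_ENTRIES)
    print(f"# entries loaded per-view: {dup:,}  if shared: {once:,}")
```

With the sample table, per-view loading adds up to 5,125,300 entries while the distinct zones hold 1,725,100, which is the shape of the growth the post describes: the 1.7m zone is counted once per view that names it.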
