Database driven ACL

Darcy Kevin (FCA) kevin.darcy at
Mon Feb 29 22:01:23 UTC 2016

As the Perl folks say: TMTOWTDI (There's More Than One Way To Do It)

Those who are familiar and/or conversant with structured-database technologies tend to gravitate towards a structured-database-centric approach.

Those who, conversely, think structured databases are overkill, or for whatever reason eschew that approach, will use other methods, such as storing meta-data in the DNS itself.

There are pros and cons. One particular "pro" of an "in-DNS" approach is that one already has a robust replication mechanism built into the protocol. Another "pro" is that the data can be accessed casually using the same tools (e.g. "dig") that the same people (typically) use for troubleshooting run-of-the-mill DNS issues. One "pro" of a structured-database approach, on the other hand, is that it is extensible, so if one wants to "hang" other types of data on DNS Records (e.g. asset info, location info, links to ITIL-oriented repositories such as a CMDB, etc.) it's not that hard to extend the schema to accommodate such things. Another "pro" of a structured-database approach is the wealth of APIs that can be used to access and possibly to manipulate the (meta-)data.

Don't overlook the information-security aspect. If your ACLs are stored in DNS itself, then hopefully you have everything DNSSEC-signed and validated. Otherwise, you might be one forged packet (or, in the case of TCP, a few well-placed forged packets) away from having your ACLs compromised...

												- Kevin

-----Original Message-----
From: bind-users-bounces at [mailto:bind-users-bounces at] On Behalf Of Alan Clegg
Sent: Monday, February 29, 2016 4:11 PM
To: bind-users at
Subject: Re: Database driven ACL

On 2/29/16, 4:04 PM, "/dev/rob0" <bind-users-bounces at on behalf of rob0 at> wrote:

>On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote:
>> Is there a mature/tested method of loading ACLs through a DB query 
>> instead of editing the config file or reading/writing into a text 
>> file ?
>I like this idea.  I'd further suggest using either:
>  1. An abstraction layer such that any DB backend might be used; or
>  2. sqlite3

Would also be cool to have a meta-zone or type (overlay similar to RPZ
perhaps?) that could be used to configure DNS options.

Then your existing DNS tools could act as your management interface.
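The thread's original question (loading ACLs through a DB query instead of editing the config file), rob0's sqlite3 suggestion and Kevin's point about not trusting unvalidated data as an ACL source come together in the following added example. It is not code from the thread, from BIND or from any project the posters mention: it keeps ACL entries in a SQLite table, validates every row with the standard `ipaddress` module before it reaches the config, and renders a BIND `acl` fragment that named.conf can `include`. The table name `acl_entry`, its columns, the sample rows and the output path are all assumptions made for the example.

```python
"""Generate a BIND acl fragment from a SQLite table, validating every entry.

Added example; assumes a table acl_entry(acl_name TEXT, network TEXT).
The sample rows below are constructed for the example and include one
deliberately malformed row to show that it is rejected rather than
written into the generated config.
"""
import ipaddress
import os
import re
import sqlite3
import tempfile

# Constructed sample data (not from the thread). The fourth row is a
# config-injection attempt: it must never reach the rendered fragment.
SAMPLE_ROWS = [
    ("trusted", "192.0.2.0/24"),
    ("trusted", "2001:db8::/32"),
    ("trusted", "203.0.113.7"),
    ("trusted", "10.0.0.0/8; }; options { recursion yes"),
    ("blocked", "198.51.100.0/24"),
]

# BIND acl names are quoted strings; restricting them here keeps an odd
# name in the table from breaking or altering the generated syntax.
ACL_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE acl_entry (acl_name TEXT NOT NULL, network TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO acl_entry VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def load_acls(conn: sqlite3.Connection):
    """Read acl_entry and return ({acl_name: [ip_network, ...]}, rejected_rows).

    Each network string is parsed with ipaddress.ip_network in strict mode,
    so anything that is not a clean prefix (host bits set, trailing garbage,
    embedded config syntax) is reported in rejected_rows instead of emitted.
    """
    acls: dict = {}
    rejected: list = []
    query = "SELECT acl_name, network FROM acl_entry ORDER BY acl_name, network"
    for name, net in conn.execute(query):
        try:
            parsed = ipaddress.ip_network(net)  # strict=True by default
        except ValueError:
            rejected.append((name, net))
            continue
        if not ACL_NAME_RE.fullmatch(name):
            rejected.append((name, net))
            continue
        acls.setdefault(name, []).append(parsed)
    return acls, rejected


def render_named_acls(acls: dict) -> str:
    """Render validated ACLs as BIND acl statements, one block per name."""
    lines = []
    for name in sorted(acls):
        lines.append(f'acl "{name}" {{')
        for net in acls[name]:
            # with_prefixlen always yields "addr/len", e.g. 203.0.113.7/32
            lines.append(f"    {net.with_prefixlen};")
        lines.append("};")
    return "\n".join(lines) + "\n"


def write_fragment(text: str, path: str) -> None:
    """Write the fragment atomically so named never includes a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".acl-db.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    acl_map, bad_rows = load_acls(build_sample_db())
    for row in bad_rows:
        print(f"rejected row: {row!r}")
    fragment = render_named_acls(acl_map)
    print(fragment)
    # Assumed include path; named.conf would carry: include "/etc/named/acl-db.conf";
    # followed by `rndc reconfig` after each regeneration.
    write_fragment(fragment, "acl-db.conf")
```

The rejection path is the security-relevant part: a row that would have injected `options { recursion yes` into the config is dropped and reported, and a malformed acl name is treated the same way, so the database never becomes a second route into named.conf syntax. Strict prefix parsing also catches typos such as a host address with a /24 mask before they silently widen an ACL.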

