Database driven ACL
Darcy Kevin (FCA)
kevin.darcy at fcagroup.com
Mon Feb 29 22:01:23 UTC 2016
As the Perl folks say: TMTOWTDI (There's More Than One Way To Do It)
Those who are familiar and/or conversant with structured-database technologies tend to gravitate towards a structured-database-centric approach.
Those who, conversely, think structured databases are overkill, or for whatever reason eschew that approach, will use other methods, such as storing meta-data in the DNS itself.
There are pros and cons. One particular "pro" of an "in-DNS" approach is that one already has a robust replication mechanism built into the protocol. Another "pro" is that the data can be accessed casually using the same tools (e.g. "dig") that the same people (typically) use for troubleshooting run-of-the-mill DNS issues. One "pro" of a structured-database approach, on the other hand, is that it is extensible, so if one wants to "hang" other types of data on DNS Records (e.g. asset info, location info, links to ITIL-oriented repositories such as a CMDB, etc.) it's not that hard to extend the schema to accommodate such things. Another "pro" of a structured-database approach is the wealth of APIs that can be used to access and possibly to manipulate the (meta-)data.
Don't overlook the information-security aspect. If your ACLs are stored in DNS itself, then hopefully you have everything DNSSEC-signed and validated. Otherwise, you might be one forged packet (or, in the case of TCP, a few well-placed forged packets) away from having your ACLs compromised...
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Alan Clegg
Sent: Monday, February 29, 2016 4:11 PM
To: bind-users at lists.isc.org
Subject: Re: Database driven ACL
On 2/29/16, 4:04 PM, "/dev/rob0" <bind-users-bounces at lists.isc.org on behalf of rob0 at gmx.co.uk> wrote:
>On Mon, Feb 29, 2016 at 11:18:33AM +0200, Ali Jawad wrote:
>> Is there a mature/tested method of loading ACLs through a DB query
>> instead of editing the config file or reading/writing into a text
>> file ?
>I like this idea. I'd further suggest using either:
> 1. An abstraction layer such that any DB backend might be used; or
> 2. sqlite3
Would also be cool to have a meta-zone or type (overlay similar to RPZ
perhaps?) that could be used to configure DNS options.
Then your existing DNS tools could act as your management interface.
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
More information about the bind-users