views-based RPZ

Carlos Horowicz carlos at planisys.com
Mon Aug 26 09:59:16 UTC 2024 

Hi Petr,

great that you mention where to look into the code, I'm not familiar 
with it yet. This is certainly what I'm looking for, the search 
algorithm for a client IP to find its view. The lab test depends on an 
investment in a Supernic (and the appropriate chassis/Motherboard/PCI 
architecture for it) , thus I prefer to look into the code first and see 
if it deserves hardware-based acceleration.

@Greg we have a bunch of rpz resolvers for ISPs ranging from 4 to 
15MQueries/5 min. But bigger ISPs with 10 fold more traffic have 
manifested the rpz policies should be as flexible as possible for 
individual corporate customers. Nowadays loading zones with millions of 
rpz domains with ixfr takes a long time on platinum-xeon on a single 
view where bind 9.18* is not very responsive. Yes this deserves a single 
lab test for e.g. 2 or 3 views and see if loading time varies.

Thank you all for your insights,

Carlos

On 26/08/2024 10:20, Petr Špaček wrote:
> On 25. 08. 24 9:20, Greg Choules via bind-users wrote:
>> Regarding view selection, I don't know exactly how the code works or 
>> how efficient it is. But certainly I have seen some configs with a 
>> lot of views and they seem to function OK.
>
> Views are matched one by one, you can have a look at function 
> get_matching_view() in file bin/named/server.c.
>
> Having said that, the matching can be fast enough or not depending on 
> the configuration. Typically it's better to do a test in lab than 
> theorize.
>
> Petr Špaček
> Internet Systems Consortium
>
>
>> What sort of QPS are each of your servers handling?
>>
>> Cheers, Greg
>>
>> On Sun, 25 Aug 2024 at 05:27, Grant Taylor via bind-users 
>> <bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>> wrote:
>>
>>     On 8/24/24 07:37, Carlos Horowicz via bind-users wrote:
>>      > 2. if RPZ records are held in memory, why would an RPZ zone need
>>     to be
>>      > stored n times if there are n orthogonal views ? That is, why the
>>     more
>>      > views the more memory needed. Maybe you meant the qpcache, to 
>> store
>>      > different answers, though I don't understand how that works.
>>
>>     I believe that some newer versions of BIND can share zone 
>> information
>>     across multiple views.  Check out the "in-view" statement that goes
>>     in a
>>     zone {...} clause.
>>
>>     Link - Chapter 7 BIND zone clause
>>        - https://www.zytrax.com/books/dns/ch7/zone.html#in-view
>> <https://www.zytrax.com/books/dns/ch7/zone.html#in-view>

More information about the bind-users mailing list