Many views and many zones...

Marco Schumann schumann at strato-rz.de
Fri Aug 10 14:58:04 UTC 2007


Hello,

we want to offer our customers a view configuration for their zones.
ACLs and views will overlap if customers use their IP ranges. Thus we
would have to create a huge number of effective views defined by the
intersections of the customer ACLs.

With some 100.000 zones and more than one or two views we would need
current memory multiplied by number of effective views to keep the
service up. Therefore we would like to minimize memory consumption and
reconfig time as well as configuration efforts.

Our idea was to set up the ACLs and views as requested by the customer
(no more effective views for the named) and to not use the first view
the requesting IP matches but to run through all matching views if a
zone is not found in the current matching view, e.g.:

acl customer1 {
  192.168.0.0/24;
  192.168.1.0/24;
};

acl customer2 {
  192.168.1.0/24;
  192.168.2.0/24;
};

view customer1 {
  match-clients { customer1; };
  zone "domain1.com" {
    ...
  };
};
view customer2 {
  match-clients { customer2; };
  zone "domain2.net" {
    ...
  };
};
view world {
  match-clients { any; };
  zone "..." {
    ...
  };
};

If IP 192.168.1.10 asks for domain1.com, it gets a response from view
customer1; if it asks for domain2.net, it gets a response from view
customer2; if 192.168.0.5 asks for domain2.net, it may receive a
response from view world (the last configured matching view) or NXDOMAIN
if it is not configured there.

This cannot be configured with the current version, as all zones would
have to be in all views. So we created a first patch (named-9.4.1-P1,
NOT functional, named stops answering) to make bind continue running
through the next matching view if it would return NXDOMAIN until it
reaches the last matching view.

Would you consider this way a good idea? Are there any attempts to make
it a feature, maybe with bind-10?

Kind regards
-- 
Marco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: view.patch
Type: text/x-patch
Size: 6327 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-workers/attachments/20070810/f3b0b631/attachment.bin>
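
Added example, not part of the original post or of the attached patch: a small Python model of the configuration above that compares first-match view selection with the fall-through lookup the post proposes, and counts the effective views a first-match setup would need. The zone name "example.org" in the world view and the sample client addresses are assumptions, since the post elides them.

```python
import ipaddress

# Constructed model of the configuration in the post; the zone in the
# "world" view is an assumption, since the post elides it.
ACLS = {
    "customer1": ["192.168.0.0/24", "192.168.1.0/24"],
    "customer2": ["192.168.1.0/24", "192.168.2.0/24"],
    "any": ["0.0.0.0/0"],
}
# Ordered as in named.conf: (view name, match-clients ACL, zones in the view)
VIEWS = [
    ("customer1", "customer1", {"domain1.com"}),
    ("customer2", "customer2", {"domain2.net"}),
    ("world", "any", {"example.org"}),
]

def matching_views(client):
    """Views whose match-clients ACL contains the client, in config order."""
    ip = ipaddress.ip_address(client)
    return [(name, zones) for name, acl, zones in VIEWS
            if any(ip in ipaddress.ip_network(net) for net in ACLS[acl])]

def first_match(client, zone):
    """First-match selection: only the first matching view is consulted."""
    name, zones = matching_views(client)[0]
    return name if zone in zones else None

def fall_through(client, zone):
    """Proposed selection: try each matching view until one holds the zone."""
    for name, zones in matching_views(client):
        if zone in zones:
            return name
    return None  # no matching view serves the zone

def effective_views(sample_clients):
    """Distinct sets of matching views: each set is one 'effective view'
    that a first-match configuration would have to define explicitly."""
    return {tuple(n for n, _ in matching_views(c)) for c in sample_clients}

if __name__ == "__main__":
    for client, zone in [("192.168.1.10", "domain1.com"),
                         ("192.168.1.10", "domain2.net"),
                         ("192.168.0.5", "domain2.net")]:
        print(client, zone, first_match(client, zone), fall_through(client, zone))
    print(len(effective_views(["192.168.0.5", "192.168.1.10",
                               "192.168.2.7", "10.0.0.1"])))
```

Under fall-through, a client in an overlapping range is answered from every view whose ACL includes it, so view order no longer isolates one customer's zones from another customer's clients; only the ACLs do.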

