[bind10-dev] BIND 10 administrator interface sessions

Shane Kerr shane at isc.org
Thu Oct 22 10:58:41 UTC 2009


All,

We have some ideas about the administrator interface in BIND 10. At
the RIPE 59 meeting in Lisbon, I talked to some BIND users about
these, in order to see what users think about administrator interfaces
for BIND 10.

There were two sessions. The first was on Monday evening, and the
second was on Thursday after the 1st DNS working group session (before
lunch). Larissa was present at the second and took notes; I managed
the first one on my own.

Notes from First Session
------------------------
At the first session we had:
- Peter Koch (DENIC)
- Stephane Bortzmeyer (AFNIC)
- Ondrej Sury (NIC.CZ)
- (Some gentleman whose name I did not get) (SIDN)
- Antoin Verschuren (SIDN)
- David Knight (ICANN)
- Joao Damas (Bondis)

I explained the basic idea of operating more like a router than a
standard Unix daemon with a config file holding the configuration.

The immediate reaction was that nobody likes the way configuration
works in Cisco routers, and we should not try to duplicate them.
Ciscos allow you to have a running configuration which does not match
the configuration file, for example.

REQUIREMENT: Use the same configuration on multiple servers. (This is
easy with file-based configuration.)

Peter: Need to be able to dump, check into RCS, and so on. Need to be
able to attach reasoning/notes to configurations. ITIL needs change
management, configuration management, and so on.

REQUIREMENT: Must work with configuration/change management software &
systems.

Stephane: Need to be able to export configuration. Need to be able to
send snippets to bind-users for example.

REQUIREMENT: Must be able to export configuration.

(SIDN gentleman): We never touch configuration files - everything is
in an SQL database.

Joao: Granularity of the configuration is important. Versioning,
transactions, etc. all very nice.

Peter: Should be something that fits into cfengine (for example).
Stephane: Yes, needs to work with other software.

Ondrej: Zone management and configuration management are different
things.

Dave: Changes to zones must not impact the server.

Stephane: Need to appeal to non-experts!
Dave: Much of this stuff, like version control, is *more* important
for non-experts.

Shane: In pre-BIND 10 there was some confusion about what
configuration is and what program data is. So, zones configuration is
really different from server configuration.
Joao: This separation also includes views, TSIG keys, and more. 

REQUIREMENT: Need a way of the name server dumping what it thinks the
current configuration is.

Stephane: How does Apache solve this with 1000s of domains? What about
Postfix?

REQUIREMENT: All representations of configuration must be in sync.

Ondrej: Do we need interaction? Maybe we just need fast reload?

Dave: JunOS is very good. Change, commit, rollback, XML API. Maybe
look at Juniper tutorials.

Ondrej: Firefox about:config is a good start.


Notes from Second Session (thanks to Larissa)
---------------------------------------------
Present:
Suzanne, Shane, Larissa ISC
Johan Ihren             Autonomica      johani at autonomica.se
Sara Monteiro           FCCN            sara.monteiro at fccn.pt  
Pedro Ribeiro           FCCN            pedro.ribeiro at fccn.pt
Joao Afonso             FCCN            joao.afonso at fccn.pt
Eduardo Duarte          FCCN            eduardo.duarte at fccn.pt
Stephane Bortzmeyer     Afnic           bortzmeyer at afnic.fr
Anand Buddhdev          RIPE            anandb at ripe.net


Thoughts:
Anand Buddhdev – likes Juniper, likes to be able to test and to rollback
config. Easy to solve outdated config by having a tool that writes out
the current config at frequent intervals with date stamps.


Johan Ihren – it's clear that BIND 9 isn't optimal, however as much as
he likes the command channel and it does make sense he doubts that
this would be his primary interface. He has a provisioning system and
generates all the config variants and then ships them all at once. The
consequence of this from his point of view is that we must remember
that there is no fit everyone solution. Keep this in mind. That said
he can already see ways to leverage this new command channel interface
to batch changes through the command channel. Somewhere we must
accommodate the very large scale users. (and what about enterprise
users?)


Shane – what is config? Right now zone files are data and everything
else is config but this is not the truth,

tools

command line vs web gui vs....

concern from Johan: custom tools – in all honesty I will not only have
BIND 10 name servers he has a mix. So what he is really looking for is
a generic control interface with vendor specific
plugins/hooks/extensions.  He realizes BIND 10 is aiming for lots of
components and he will select a subset but his concern is that the
core part he would like to see as an open protocol which could be used
across platforms and everything vendor specific in a specific corner.
The open protocol would not change over different versions.


Versioning


need to serialize – store configs in a database and somehow get in
and out


Johan – netnod/autonomica has moved away from versioning because in
the whole picture the actual version loses relevance. They chop their
config into sections (provisioning, keys, customer, infrastructure,
etc)


could a BIND10 sql database do that?


Anand – RIPE does something similar – they have bits they stitch
together as necessary and each is versioned separately


Eduardo from FCCN – we're doing two things at once – good to separate
bind10 and this command and control management stuff into two
products.
Johan agrees. Would need to be really clear that the command and
control interface might be separate and might also support other DNS
implementations.



