[bind10-dev] Multiple nsec3 chains in db

Jelte Jansen jelte at isc.org
Fri Mar 16 13:51:40 UTC 2012




I know we decided to start out with just the one NSEC3 chain, and then
later extend things to support multiple chains, but with an eye on the
future for this I just voiced a comment in ticket #1758 that resulted
in a short discussion on jabber, ending with the notion that this
should be discussed on-list :)

The thing is, if there is data about several NSEC3 chains, there are
(at least) two ways to handle this in the db abstraction layer;

Assuming we have a getNSEC3Records(hash, zone) and a
getNSEC3PreviousName(hash, zone) for the purpose of this discussion.

IIUC, the current thinking was that for getNSEC3Records, we can just
let it match everything based on the name, and filter out the
results that do not match the active chain (i.e. make the caller
verify the values and drop out any accidental collisions from another
chain). If no correct matches are left then we should be looking for
the covering NSEC3.

For getPreviousName(), if the resulting NSEC3 has the wrong
parameters, we can ask again, until it returns one that does match.


However, IMO this is a bit of a roundabout and inefficient way to do
it, and it seems cleaner and more efficient to me that both methods
should only ever return data from the actual active chain (esp. in the
case of the second). Since we obviously don't want the actual querying
layer to do rdata parsing, this would however mean that we'll need to
store the hash parameters in separate columns in the database. (and
then we can fight over whether the 'active chain' should be stored in
state or passed as method parameters ;))

Of course, if in the majority of cases there is only one chain (it
really only got added for rolling your nsec3 settings), the original
way would just be a single check before adding the data to a response,
so maybe I'm the only one that is even considering the latter approach.

Any thoughts?

Jelte
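The two lookup strategies from the message side by side, as an added example (this is
not BIND 10 code and the schema is made up for the illustration): an in-memory SQLite
table with one row per NSEC3 RR, the RFC 5155 hash routine, and a constructed zone
"example." carrying two chains, the active one (1 0 12 aabbccdd) and the one being
retired (1 0 0 -). get_nsec3_records/get_nsec3_previous_name match on the hashed
owner only and leave the chain check to the caller, which has to loop on "previous
name" until the parameters match; the *_for_chain variants assume the hash_alg,
iterations and salt columns proposed above and never return an RR from another chain.

```python
"""Selecting the active NSEC3 chain from a database holding several chains.

Added example, not BIND 10 code: the table layout, the column names and the
sample zone are assumptions made for the illustration.
"""
import base64
import hashlib
import sqlite3

# base32 -> base32hex alphabet map (RFC 5155 uses base32hex for hashed owners)
B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# chain parameters as (hash algorithm, iterations, salt); constructed sample values
ACTIVE = (1, 12, bytes.fromhex("aabbccdd"))   # chain we are rolling to
OLD = (1, 0, b"")                             # chain being retired
NAMES = ["example.", "a.example.", "ns1.example.", "ns2.example.", "x.y.w.example."]


def name_to_wire(name):
    """Canonical (lowercase) wire form of a dotted name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5, hash algorithm 1 (SHA-1); returns base32hex text."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32_TO_B32HEX).decode()


def rdata_params(rdata):
    """Parse (alg, iterations, salt) out of presentation-format NSEC3 rdata."""
    alg, _flags, iters, salt = rdata.split()[:4]
    return int(alg), int(iters), b"" if salt == "-" else bytes.fromhex(salt)


def build_db():
    """Hypothetical schema: the chain parameters get their own columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nsec3 (zone TEXT, hashed_name TEXT, hash_alg INTEGER,"
               " iterations INTEGER, salt BLOB, rdata TEXT)")
    for alg, iters, salt in (ACTIVE, OLD):
        hashes = sorted(nsec3_hash(n, salt, iters) for n in NAMES)
        for i, h in enumerate(hashes):          # link each RR to its successor
            nxt = hashes[(i + 1) % len(hashes)]
            rdata = f"{alg} 0 {iters} {salt.hex() or '-'} {nxt} A RRSIG"
            db.execute("INSERT INTO nsec3 VALUES (?,?,?,?,?,?)",
                       ("example.", h, alg, iters, salt, rdata))
    return db


# --- approach 1: match on the hashed owner only, caller filters ---------------

def get_nsec3_records(db, zone, h):
    return [r[0] for r in db.execute(
        "SELECT rdata FROM nsec3 WHERE zone=? AND hashed_name=?", (zone, h))]


def get_nsec3_previous_name(db, zone, h):
    """Largest hash below h from ANY chain, wrapping to the top of the table."""
    row = db.execute("SELECT hashed_name FROM nsec3 WHERE zone=? AND hashed_name<?"
                     " ORDER BY hashed_name DESC LIMIT 1", (zone, h)).fetchone()
    if row is None:
        row = db.execute("SELECT hashed_name FROM nsec3 WHERE zone=?"
                         " ORDER BY hashed_name DESC LIMIT 1", (zone,)).fetchone()
    return row[0]


def covering_nsec3_filtered(db, zone, name, params):
    """Keep asking for the previous name until an RR of the active chain turns up."""
    _alg, iters, salt = params
    h = nsec3_hash(name, salt, iters)
    exact = [r for r in get_nsec3_records(db, zone, h) if rdata_params(r) == params]
    if exact:
        return h, exact[0]
    total = db.execute("SELECT COUNT(*) FROM nsec3 WHERE zone=?", (zone,)).fetchone()[0]
    cur = h
    for _ in range(total):   # bounded: a zone with no active chain must not spin forever
        cur = get_nsec3_previous_name(db, zone, cur)
        for r in get_nsec3_records(db, zone, cur):
            if rdata_params(r) == params:
                return cur, r
    return None


# --- approach 2: chain parameters are columns, the query does the filtering ---

CHAIN_WHERE = " AND hash_alg=? AND iterations=? AND salt=?"


def get_nsec3_records_for_chain(db, zone, h, params):
    return [r[0] for r in db.execute(
        "SELECT rdata FROM nsec3 WHERE zone=? AND hashed_name=?" + CHAIN_WHERE,
        (zone, h) + params)]


def get_nsec3_previous_name_for_chain(db, zone, h, params):
    row = db.execute("SELECT hashed_name FROM nsec3 WHERE zone=? AND hashed_name<?"
                     + CHAIN_WHERE + " ORDER BY hashed_name DESC LIMIT 1",
                     (zone, h) + params).fetchone()
    if row is None:          # wrap around to the last RR of this chain only
        row = db.execute("SELECT hashed_name FROM nsec3 WHERE zone=?" + CHAIN_WHERE
                         + " ORDER BY hashed_name DESC LIMIT 1", (zone,) + params).fetchone()
    return row[0] if row else None


def covering_nsec3_by_column(db, zone, name, params):
    _alg, iters, salt = params
    h = nsec3_hash(name, salt, iters)
    exact = get_nsec3_records_for_chain(db, zone, h, params)
    if exact:
        return h, exact[0]
    prev = get_nsec3_previous_name_for_chain(db, zone, h, params)
    return (prev, get_nsec3_records_for_chain(db, zone, prev, params)[0]) if prev else None
```

Both strategies return the same covering RR for a name that does not exist, but the
caller-side version has to parse rdata and may walk past several RRs of the retired chain
before it lands on one with the right parameters, which is the round trip the second
approach avoids by pushing the parameters into the WHERE clause.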

