[bind10-dev] Reply: Re: How to load ACLs from database

Michal 'vorner' Vaner michal.vaner at nic.cz
Wed Sep 19 19:06:31 UTC 2012


Hello

(Returning the list back to the recipients, so others can see the discussion
too.)

On Tue, Sep 18, 2012 at 11:07:35PM +0000, Tony Xue wrote:
> If implemented by script, it cannot be a realtime update, which means users need to wait maybe hours for a refresh; also, using a script makes me feel quite unsafe.

Well, no, the script would not be in realtime. But querying the database every
time any packet comes, extracting all the ACLs and rebuilding it would be quite
slow (probably slower than answering queries directly from DB, which has quite
low performance already and needs some kind of caching to get somewhere).

However, the update would not be that slow, so you could run the script
every 5 seconds instead of hours. Or, you could come up with a way to trigger
the update whenever someone modifies the database (and have the database just as
synchronization between bind10 and your frontend).

I don't understand the thing about unsafe. You mean unsafe like with some kind
of security issue? I don't see any, can you point me to some?

Anyway, I proposed it not as a very clean solution, more like a way to get
something close to what you asked for with very little effort.

> What about doing the same thing as resolver DNS queries from the database? The implementation is quite the same, isn't it?

Resolver? Like the recursive resolver? That one has no database, only in-memory
cache. But if you mean answering the authoritative answers from database, as I
mentioned above, it is slow and needs special care. It would look impractical to
me. But that aside, yes, the implementation could look similar in some way. But
the database backend has several developer-weeks of work in it and it still
needs more work. I think we don't have time to spend a similar amount of time on
implementing ACL database backend now (but I'm not a manager, so I can't
guarantee we don't have the time).

We plan to have some kind of hooks infrastructure which could be used to plug in
some code that'd check it against the DB. But that is not implemented yet
either.

Of course, if you could come up with a working solution and send us a patch/git
branch, and it meets the quality standards we try to keep and such, I think the
feature could be included.

With regards

-- 
Q:	Why was Stonehenge abandoned?
A:	It wasn't IBM compatible.

Michal 'vorner' Vaner
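The approach sketched in the message above (rebuild the compiled ACL from the database on a timer or on a change notification, rather than querying the database for every packet) can be illustrated with a small, self-contained Python example. This is added here and is not code from the thread or from BIND 10; the SQLite schema (acl_rules, acl_meta, version-bumping triggers), the sample rules and the first-match ACL semantics are assumptions constructed for the example. The version counter in acl_meta is what lets the database act as the synchronisation point between a frontend and the server: a refresh call is cheap when nothing changed and only rebuilds the compiled rule list when a trigger has bumped the counter.

```python
import ipaddress
import sqlite3

# Constructed schema for this example (an assumption, not a BIND 10 schema).
# Every write to acl_rules bumps acl_meta.version, so a reader can detect
# changes with one cheap SELECT instead of re-reading all rules.
SCHEMA = """
CREATE TABLE acl_rules (
    id     INTEGER PRIMARY KEY,
    action TEXT NOT NULL,
    prefix TEXT NOT NULL
);
CREATE TABLE acl_meta (key TEXT PRIMARY KEY, value INTEGER NOT NULL);
INSERT INTO acl_meta VALUES ('version', 1);
CREATE TRIGGER acl_bump_ins AFTER INSERT ON acl_rules
    BEGIN UPDATE acl_meta SET value = value + 1 WHERE key = 'version'; END;
CREATE TRIGGER acl_bump_upd AFTER UPDATE ON acl_rules
    BEGIN UPDATE acl_meta SET value = value + 1 WHERE key = 'version'; END;
CREATE TRIGGER acl_bump_del AFTER DELETE ON acl_rules
    BEGIN UPDATE acl_meta SET value = value + 1 WHERE key = 'version'; END;
"""

VALID_ACTIONS = ("ACCEPT", "REJECT", "DROP")


def open_db():
    """In-memory database with constructed sample rules (first match wins,
    so the narrower REJECT is listed before the covering ACCEPT)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO acl_rules (action, prefix) VALUES (?, ?)",
        [("REJECT", "192.0.2.7/32"), ("ACCEPT", "192.0.2.0/24")],
    )
    conn.commit()
    return conn


class CachedAcl:
    """Compiled ACL that is rebuilt from the database only when the
    database-side version counter has changed."""

    def __init__(self, conn, default="REJECT"):
        self.conn = conn
        self.default = default
        self.version = None
        self.rules = []
        self.rebuilds = 0
        self.refresh()

    def db_version(self):
        row = self.conn.execute(
            "SELECT value FROM acl_meta WHERE key = 'version'").fetchone()
        return row[0]

    def refresh(self):
        """Return True if the ACL was rebuilt, False if it was already current.
        Safe to call on a timer or from every query: the unchanged path is a
        single indexed SELECT."""
        version = self.db_version()
        if version == self.version:
            return False
        rows = self.conn.execute(
            "SELECT action, prefix FROM acl_rules ORDER BY id").fetchall()
        compiled = []
        for action, prefix in rows:
            if action not in VALID_ACTIONS:
                # Reject bad data at load time rather than failing per packet.
                raise ValueError("unknown ACL action %r" % action)
            compiled.append((action, ipaddress.ip_network(prefix, strict=False)))
        # Swap in atomically only after the whole list compiled cleanly.
        self.rules = compiled
        self.version = version
        self.rebuilds += 1
        return True

    def check(self, addr):
        """First matching rule decides; fall back to the default action."""
        ip = ipaddress.ip_address(addr)
        for action, net in self.rules:
            if ip.version == net.version and ip in net:
                return action
        return self.default


def demo():
    conn = open_db()
    acl = CachedAcl(conn)
    before = (acl.check("192.0.2.7"), acl.check("192.0.2.8"),
              acl.check("198.51.100.1"))
    unchanged = acl.refresh()          # nothing written: no rebuild
    # A frontend adds a rule; the trigger bumps the version.
    conn.execute("INSERT INTO acl_rules (action, prefix) VALUES (?, ?)",
                 ("ACCEPT", "198.51.100.0/24"))
    conn.commit()
    changed = acl.refresh()            # version moved: rebuild once
    after = acl.check("198.51.100.1")
    return before, unchanged, changed, after, acl.rebuilds


if __name__ == "__main__":
    print(demo())
```

In a real deployment the refresh would run from a periodic timer (the "every 5 seconds" variant) or from a notification sent by the frontend after it commits; either way the per-query cost stays at one small SELECT, and the expensive rule compilation happens only when the version has actually moved.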