[bind10-dev] Reply: Re: Reply: Re: How to load ACLs from database

Tony Xue xuezxbb at gmail.com
Wed Sep 19 23:22:44 UTC 2012


Hello,

My last email was sent in a hurry, so I didn't explain it very well; also, I forgot to send it to the mailing list.

What I mean by unsafe is that it makes me feel it is quite unreliable, but the script is OK now.

By resolver I mean that when the DNS software resolves auth domains, it can read records from the database, so if I simply do the same thing in the code for reading ACLs, maybe it's a better choice.

So if it's not so simple to do it in the source code, I will think about finding a better way to implement this.

Thank you very much.


-----Original Message-----
From: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Wed, 19 Sep 2012 21:06:31 
To: Tony Xue<xuezxbb at gmail.com>; Bind 10<bind10-dev at lists.isc.org>
Subject: Re: Reply: Re: [bind10-dev] How to load ACLs from database

Hello

(Returning the list back to the recipients, so others can see the discussion
too.)

On Tue, Sep 18, 2012 at 11:07:35PM +0000, Tony Xue wrote:
> If implemented by script, it can't be updated in real time, which means users need to wait maybe hours for a refresh; also, using a script makes me feel quite unsafe.

Well, no, the script would not be in real time. But querying the database every
time any packet comes, extracting all the ACLs and rebuilding it would be quite
slow (probably slower than answering queries directly from DB, which has quite
low performance already and needs some kind of caching to get somewhere).

However, the update would not be that slow, so you could run the script
every 5 seconds instead of hours. Or, you could come up with a way to trigger
the update whenever someone modifies the database (and have the database just as
synchronization between bind10 and your frontend).

I don't understand the thing about unsafe. You mean unsafe like with some kind
of security issue? I don't see any, can you point me to some?

Anyway, I proposed it not as a very clean solution, more like a way to get
something close to what you asked for with very little effort.

> What about doing the same thing as the resolver does for DNS queries from the database? The implementation is quite the same, isn't it?

Resolver? Like the recursive resolver? That one has no database, only in-memory
cache. But if you mean answering the authoritative answers from database, as I
mentioned above, it is slow and needs special care. It would look impractical to
me. But that aside, yes, the implementation could look similar in some way. But
the database backend has several developer-weeks of work in it and it still
needs more work. I think we don't have time to spend a similar amount of time on
implementing ACL database backend now (but I'm not a manager, so I can't
guarantee we don't have the time).

We plan to have some kind of hooks infrastructure which could be used to plug in
some code that'd check it against the DB. But that is not implemented yet
either.

Of course, if you could come up with a working solution and send us a patch/git
branch, and it meets the quality standards we try to keep and such, I think the
feature could be included.

With regards

-- 
Q:	Why was Stonehenge abandoned?
A:	It wasn't IBM compatible.

Michal 'vorner' Vaner
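As an added illustration of the periodic-script approach Michal describes (not code from BIND 10 or from either poster): the script pulls all ACL rows from the database once per cycle, rebuilds the ACL list, and only pushes it to the server when the rule set actually changed, so a 5-second poll stays cheap. The SQLite table, the sample rows and the {"from": ..., "action": ...} rule shape are assumptions; the `apply` callback stands in for whatever mechanism actually loads the ACL into the server.

```python
import hashlib
import json
import sqlite3

# Constructed sample: the frontend's ACL table, one row per rule, ordered by priority.
SAMPLE_ROWS = [
    (10, "192.0.2.0/24", "ACCEPT"),
    (20, "2001:db8::/32", "ACCEPT"),
    (99, "0.0.0.0/0", "REJECT"),
]


def make_db(rows=SAMPLE_ROWS):
    """Build an in-memory SQLite table standing in for the frontend's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acl (priority INTEGER, prefix TEXT, action TEXT)")
    conn.executemany("INSERT INTO acl VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def build_acl(conn):
    """Extract all rules in one query and render them as an ordered ACL list.
    The {"from": ..., "action": ...} shape is an assumed placeholder for the
    server's real ACL syntax; unknown actions are rejected rather than guessed."""
    cur = conn.execute("SELECT prefix, action FROM acl ORDER BY priority")
    rules = []
    for prefix, action in cur:
        if action not in ("ACCEPT", "REJECT", "DROP"):
            raise ValueError(f"refusing unknown action {action!r} for {prefix}")
        rules.append({"from": prefix, "action": action})
    return rules


class AclSyncer:
    """One poll cycle: rebuild from the DB, push only if the rule set changed."""

    def __init__(self, apply):
        self.apply = apply          # hypothetical callback that loads the ACL into the server
        self.last_digest = None     # digest of the rule set we pushed last time

    def sync(self, conn):
        rules = build_acl(conn)
        blob = json.dumps(rules, sort_keys=True)
        digest = hashlib.sha256(blob.encode()).hexdigest()
        if digest == self.last_digest:
            return False            # unchanged since last cycle: nothing to push
        self.apply(rules)
        self.last_digest = digest
        return True
```

Run `AclSyncer(...).sync(conn)` from a cron-style loop or from a trigger fired when the frontend writes the table; either way the server only sees a new ACL when a row was actually added, removed or changed.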


