Re: views-based RPZ

Mon, 26 Aug 2024 07:04:24 -0700 

Hi Petr,
great that you mention where to look into the code, I'm not familiar with it yet. This is certainly what I'm looking for, the search algorithm for a client IP to find its view. The lab test depends on an investment in a Supernic (and the appropriate chassis/Motherboard/PCI architecture for it) , thus I prefer to look into the code first and see if it deserves hardware-based acceleration. 


@Greg we have a bunch of rpz resolvers for ISPs ranging from 4 to 
15MQueries/5 min. But bigger ISPs with 10 fold more traffic have 
manifested the rpz policies should be as flexible as possible for 
individual corporate customers. Nowadays loading zones with millions of 
rpz domains with ixfr takes a long time on platinum-xeon on a single 
view where bind 9.18* is not very responsive. Yes this deserves a single 
lab test for e.g. 2 or 3 views and see if loading time varies.


Thank you all for your insights,

Carlos

On 26/08/2024 10:20, Petr Špaček wrote:

On 25. 08. 24 9:20, Greg Choules via bind-users wrote:

Regarding view selection, I don't know exactly how the code works or 
how efficient it is. But certainly I have seen some configs with a 
lot of views and they seem to function OK.



Views are matched one by one, you can have a look at function 
get_matching_view() in file bin/named/server.c.



Having said that, the matching can be fast enough or not depending on 
the configuration. Typically it's better to do a test in lab than 
theorize.


Petr Špaček
Internet Systems Consortium



What sort of QPS are each of your servers handling?

Cheers, Greg


On Sun, 25 Aug 2024 at 05:27, Grant Taylor via bind-users 
<bind-users@lists.isc.org <mailto:bind-users@lists.isc.org>> wrote:


    On 8/24/24 07:37, Carlos Horowicz via bind-users wrote:
     > 2. if RPZ records are held in memory, why would an RPZ zone need
    to be
     > stored n times if there are n orthogonal views ? That is, why the
    more

     > views the more memory needed. Maybe you meant the qpcache, to 
store

     > different answers, though I don't understand how that works.


    I believe that some newer versions of BIND can share zone 
information

    across multiple views.  Check out the "in-view" statement that goes
    in a
    zone {...} clause.

    Link - Chapter 7 BIND zone clause
       - https://www.zytrax.com/books/dns/ch7/zone.html#in-view
<https://www.zytrax.com/books/dns/ch7/zone.html#in-view>

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to