mirror/bind9
1
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9.git synced 2025-12-20 00:55:29 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity
Page: BIND 9.19 Planning: DB notes
Pages
"main" branch partial history rewrite in August 2022 A few thoughts on Rust in BIND BIND 9 Achievements BIND 9 F2F Meeting in Warsaw, October 2019 BIND 9 Memory Explained BIND 9 PKCS11 BIND 9 Packaging BIND 9 Style Guide BIND 9.11 ESV Soft Code Freeze BIND 9.15 Plan BIND 9.17 Plan BIND 9.19 Plan BIND 9.19 Planning: CHANGES BIND 9.19 Planning: Configuration Backend BIND 9.19 Planning: DB notes BIND 9.19 Planning: Discuss new features BIND 9.19 Planning: Incident Manager Rotation BIND 9.19 Planning: Netmgr evaluation BIND 9.19 Planning: Refactor RBTDB BIND 9.19 Planning: Refactoring XFR BIND 9.19 Planning: Refactoring zone.c BIND 9.19 Planning: Refactoring BIND 9.19 Planning: Statistics System Overhaul BIND 9.19 Planning: Testing BIND 9.19 Planning: Things to do before BIND 9.18 cutoff BIND 9.21 Plan BIND Development and Release Process 2019 BIND development workflow BIND9 Databases CGroups v2 limiting resource consumption for testing CPU profiling using perf Config system requirements DNS Shotgun integration into Gitlab CI DNSSEC Key and Signing Policy (KASP) Data structure survey Debian Packages Escalation Engineer Duties Git Of Theseus Gitlab how to How to setup Docker image with core file Integration tests wish list Internal objects and their relations Known Issues in BIND 9.18 Known Issues in BIND 9.20 Known Issues in BIND 9.21 LLM based tools thoughts Planning Policy for removing named.conf options Preparing Useful Merge Requests QP‑trie in NSD Requirements and Designs Server side Git hooks Serving stale data Stable Release Update Statistics Requirements SystemTap on 4326 remove locking from copy_namehook_lists SystemTap on main Team Meetings Testing by configuration options Updating resolver algorithm, or "who knows best, the parent or the child?" User space Probing in BIND 9 _sidebar benchmarks best practices caches dashboard home october2018meeting pytest howto stdatomic usage in master
Clone
BIND 9.19 Planning: DB notes
Tony Finch edited this page 2022-04-11 17:10:44 +01:00
Table of Contents

See also the refactoring RBTDB discussion

What are the requirements for DNS data structures (what BIND calls a database), if they are tuned for particular purposes? Thinking in the abstract, without worrying about the constraints of RBTDB.

There's a basic distinction between authoritative data and cached data; it is likely that a cache will benefit from splitting the bulk read-mostly data from active and recently-completed queries.

alternatives

If we want the cache to share code with auth zones, that pushes the design towards transactional updates and ordered lookups, as assumed by the points below.

Or the cache could be built from a big hash table. This would need the separate authority cache suggested under active queries below, and it would push NSEC NXDOMAIN synthesis to another separate data structure. But then it might support more fine-grained locking so it would not need a separate active queries table.

In any case, it's desirable to separate the lookup index structures (trees or hash tables, however they are implemented) from the tricky DNS details, so we have freedom to pick and choose data structures.

common issues

  • additional and authority sections

    a glue cache helps root zone performance; what about fast lookups for additional data too? is it useful in a cache as well as an auth server?

  • case preservation

authoritative

  • read-mostly

  • longest-match lookups to find enclosing zone

  • NSEC denial requires ordered lookups

  • NSEC3 denial requires another data structure

  • transactional updates

  • multi-version concurrency between updates and zone transfers

  • scheduler for signing

tricky details

  • occluded data (under DNAME or zone cut)

  • wildcards

  • zone cuts and DS

  • EDNS client subnet - in the main database or as a stunt extension?

bulk cache

  • read-mostly

  • updated from active queries table

  • scheduler for TTL cleaning

  • memory usage limit

    (perhaps TTL cleaning and folding in results from recursion can be done with a transactional update so the fast read path can have simpler locking)

  • NSEC NXDOMAIN synthesis requires ordered lookups

    (NSEC3 synthesis does not seem worth worrying about, because NSEC3 is mostly useful for opt-out which does not provide NXDOMAIN proofs)

tricky details

  • query time, to handle TTLs after expiry before cleaning

  • RFC 2181 trust levels

  • unvalidated records, +CD queries

  • prefetch

  • serve stale

  • EDNS client subnet

  • records present on both sides of a zone cut: NSEC, NS and their signatures (#3031)

negative cache

  • mostly the same issues as the positive cache, but no need for ordered lookups

    (Note NSEC NXDOMAIN synthesis uses the positive cache, because the necessary NSEC records exist).

  • is it useful for the negative and positive caches to be the same data structure or separate?

active queries

  • supports frequent small updates

  • only needs exact-match lookups

  • query coalescing

  • NSEC3PARAM database

Is it worth having an authority database separate from the main cache, that is just for infrastructure records? SOA, NS, DS, DNSKEY, NSEC3PARAM (as well as the ADB for nameserver addresses)

BIND contains a separate rbt instance used for DNSSEC validation trust anchors, called a keytable. Should it be part of a more general authority database? But there are some parts of the keytable that are special (RFC 5011 processing and saving trust anchor updates).