Discussion:
Does bind9 support adding acl and view through commands, not by updating config file?
Zhengyu Pan
2021-04-15 07:35:38 UTC
Hi,

I want to implement intelligent DNS through bind9. I need to add a custom line (IP address ranges) to bind9 using acl and view when adding a user, because when adding a tenant I need to define a new acl and view. I don't want to update the named.conf config file frequently.

Does bind9 support adding acl and view through commands or an API, not by updating the config file?

Like the command "rndc addacl" or "rndc addview".

Thanks

Zhengyu
Matus UHLAR - fantomas
2021-04-15 08:08:26 UTC
Post by Zhengyu Pan
I want to implement intelligent DNS through bind9.
I need to add a custom line (IP address ranges) to bind9 using acl and view
when adding a user, because when adding a tenant I need to define a new acl
and view. I don't want to update the named.conf config file frequently.

What is supposed to be intelligent there?

I mean, why? Are you going to provide recursive service to someone who pays
for that?

Post by Zhengyu Pan
Does bind9 support adding acl and view through commands or an API, not by updating the config file?
Like the command "rndc addacl" or "rndc addview".

I don't think so, looks a bit too complicated.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Zhengyu Pan
2021-04-15 12:53:15 UTC
"Intelligent" means that the DNS server returns the corresponding A record IP address according to the source IP address of the tenant.
My DNS server is an authoritative DNS server. It hosts the zones of different tenants.

I need to update the config file named.conf frequently because views and ACLs are added frequently.
So I want to know whether there are commands or an API to add acl and view, like the command "rndc addacl" or "rndc addview".
Updating the config file frequently may affect other zones on this DNS server.
Matus UHLAR - fantomas
2021-04-15 16:28:15 UTC
Post by Zhengyu Pan
"Intelligent" means that the DNS server returns the corresponding A record IP address according to the source IP address of the tenant.
My DNS server is an authoritative DNS server. It hosts the zones of different tenants.

Do you mean the same domains with different content, depending on clients'
IPs? That's a common multiple-view setup
(nothing special or intelligent).

Post by Zhengyu Pan
I need to update the config file named.conf frequently because views and ACLs are added frequently.

Why? Do you have that many clients with constantly changing IPs?

Maybe they could use a local DNS server talking to your DNS server using TSIG,
and instead of IPs you'd define TSIG keys.

Post by Zhengyu Pan
So I want to know whether there are commands or an API to add acl and view, like the command "rndc addacl" or "rndc addview".

I'm afraid for now there's no way to do this via rndc.
You'll have to generate named config per-client.

Post by Zhengyu Pan
Updating the config file frequently may affect other zones on this DNS server.

I don't understand how/why it should affect other zones.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Zhengyu Pan
2021-04-16 04:16:20 UTC
Post by Matus UHLAR - fantomas
Do you mean the same domains with different content, depending on clients'
IPs? That's a common multiple-view setup
(nothing special or intelligent).

Yes, I will create a view and acl for every client, because every client has a unique IP address.

Post by Matus UHLAR - fantomas
Why? Do you have that many clients with constantly changing IPs?
Maybe they could use a local DNS server talking to your DNS server using TSIG,
and instead of IPs you'd define TSIG keys.

My client VMs connect directly to the DNS server. There are no local servers along the way.
Different clients may create the same domain, so I must use IP to limit who uses which view. The client view can't use a TSIG key.

Post by Matus UHLAR - fantomas
I'm afraid for now there's no way to do this via rndc.
You'll have to generate named config per-client.

I want to know whether each client can have its own config file that contains the view and acl, instead of putting the view and acl in named.conf.

Post by Matus UHLAR - fantomas
Post by Zhengyu Pan
Updating the config file frequently may affect other zones on this DNS server.
I don't understand how/why it should affect other zones.

Yes, updating the config file doesn't affect other zones.

--

Thanks.
Zhengyu
Evan Hunt
2021-04-16 23:47:02 UTC
Post by Zhengyu Pan
I want to implement intelligent DNS through bind9. I need to add a custom
line (IP address ranges) to bind9 using acl and view when adding a user,
because when adding a tenant I need to define a new acl and view. I don't
want to update the named.conf config file frequently.
Does bind9 support adding acl and view through commands or an API, not by
updating the config file?
Like the command "rndc addacl" or "rndc addview".

No, and I wouldn't recommend doing this via "reconfig" either. Views
don't scale well. Finding the correct view for a query is a linear search,
so your performance will decline quite badly if you have more than a few
views to search through.
--
Evan Hunt -- ***@isc.org
Internet Systems Consortium, Inc.
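
Added example, not part of any post in this thread and not ISC code: a Python sketch of the "generate named config per-client" approach discussed above, rendering one acl and view per tenant for its own include file. It validates tenant-supplied names and CIDRs before they reach the config and reports address ranges that overlap between tenants. The tenant naming policy, the `tenant-<name>` labels, the `/etc/bind/tenants` path and the sample tenants are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed naming policy for this sketch; anything else is rejected, never quoted.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,30}")
ZONE_RE = re.compile(r"(?=.{1,253}\Z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# Constructed sample data (documentation address ranges, made-up tenants).
SAMPLE_TENANTS = {
    "alpha": {"cidrs": ["192.0.2.0/25"], "zones": ["example.com"]},
    "beta": {"cidrs": ["198.51.100.0/24"], "zones": ["example.com"]},
    "gamma": {"cidrs": ["192.0.2.64/26"], "zones": ["example.net"]},
}

def parse_nets(cidrs):
    """Strict parse: junk or a prefix with host bits set raises ValueError."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def find_overlaps(tenants):
    """List (first_tenant, later_tenant, net, net) for cross-tenant overlaps; named
    picks the first matching view, so the later tenant would get the earlier view."""
    seen, clashes = [], []
    for name, spec in tenants.items():
        for net in parse_nets(spec["cidrs"]):
            for other, onet in seen:
                if other != name and net.version == onet.version and net.overlaps(onet):
                    clashes.append((other, name, str(onet), str(net)))
            seen.append((name, net))
    return clashes

def render_tenant(name, spec, zone_dir="/etc/bind/tenants"):
    """Return the acl + view text for one tenant's own include file."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"bad tenant name: {name!r}")
    lines = [f'acl "tenant-{name}" {{']
    lines += [f"    {net};" for net in parse_nets(spec["cidrs"])]
    lines += ["};", f'view "tenant-{name}" {{',
              f'    match-clients {{ "tenant-{name}"; }};', "    recursion no;"]
    for zone in spec["zones"]:
        if not ZONE_RE.fullmatch(zone):
            raise ValueError(f"bad zone name: {zone!r}")
        lines += [f'    zone "{zone}" {{', "        type master;",
                  f'        file "{zone_dir}/{name}/{zone}.db";', "    };"]
    lines.append("};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(find_overlaps(SAMPLE_TENANTS))
    print(render_tenant("alpha", SAMPLE_TENANTS["alpha"]))
```

Each rendered file would be pulled into named.conf with an `include` statement and checked with `named-checkconf` before `rndc reconfig`. The generated views are still searched in order, so the scaling concern raised in the last reply applies to this layout as well.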