Architecture Questions

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 13 00:41:54 UTC 2000


Jack Wenzinger wrote:

> Kevin;
>
> Thanks for the response.  I'll try to flag the questions as best I can.
>
> >From: Kevin Darcy <kcd at daimlerchrysler.com>
> >To: bind-users at isc.org
> >Subject: Re: Architecture Questions
> >Date: Wed, 12 Jan 2000 17:39:02 -0500
> >
> >Jack Wenzinger wrote:
> >
> > > Just fishing for some opinions from the experts...
> > >
> > > I'm building a DNS platform with over a thousand tertiary subdomains.
> > > Each subdomain will have its own DNS server that will act as secondary
> > > for its own subdomain.
> > >
> > > They will be receiving their zone transfers from two main DNS servers
> > > that will be geographically dispersed.
> > >
> > > Each tertiary subdomain needs to be able to handle up to 1000 addresses
> > > (although initial rollout will be more like 10 at each site), and around
> > > 10 reverse zones.
> >
> >Okay, I'm a little confused here. What do you mean by a subdomain having
> >reverse zones? Reverse zones are the in-addr.arpa part of the hierarchy,
> >which is almost certainly not where your forward zones are. I assume what
> >you really mean is there is 1 forward subdomain per "entity" (location,
> >network, organizational subdivision, whatever), and around 10 reverse zones
> >also associated with that "entity", so in effect they belong together, even
> >though located in different parts of the DNS namespace.
>
> Ok, this could be that I have my terminology mixed up. By reverse I mean the
> in-addr.arpa files that typically contain the PTR records to the main
> db.domain file.  These files are usually comprised of the network number.

It's just the term "subdomain" that I have a problem with. You seem to be using
it generically, whereas to me it has a specific denotation within DNS.

> >Also, why would you need more than 4 reverse zones for 1000 addresses? The
> >reverse namespace is structured on octet boundaries, so each reverse zone
> >can "naturally" accommodate 256 addresses. Are you planning on implementing
> >RFC 2317 classless in-addr.arpa delegation? That would seem overkill if all
> >of your reverse zones are centrally-managed anyway -- you'd just be
> >classlessly delegating the zones back to the same servers. What am I missing?
> >
>
> Actually this is a question that I've been meaning to test in-house.  We
> have 8 25-bit contiguous networks assigned to each subdomain.  Theoretically,
> I should be able to put them all into one file if a mask of 255.255.252.0 is
> supported.

You'd only be able to group them like that if you generated a whole bunch of
RFC 2317-style CNAMEs at each /16 level -- up to 65,536 CNAMEs apiece --
pointing to PTRs in the various 8000 zones. It seems rather silly to me to have
a CNAME and a PTR for every address when all of your reverse zones are being
mastered on the same two servers. Classless delegation is normally used for
situations where one organization wants to control part of a reverse namespace
that's smaller than /24.

> Instead of combining them, I'd like to keep them broken out into
> separate files.  One of the requirements that I have is to be able to allow
> managers at each of these locations to provision their own devices.  In
> order to keep from creating a massive star trek naming scheme, we are
> building a device provisioning front end that will have set naming
> conventions for various devices.  They want this system to allow only
> certain devices on specific subnets.  It makes my job easier on the front
> end development if I can group the subnets separately by filename or zone.

Because you're splitting on non-octet boundaries, I actually think it'd be more
trouble than it's worth. It can't be that hard to incorporate netmasking code
into your ACL mechanism, can it? (Admittedly, my ACL mechanism is based only on
string matches and cannot handle netmasks). Seems like it would be less hassle
overall than maintaining thousands of unnecessary CNAMEs...

> Sounds like I need to read the RFC you mentioned above.

Not if you just put the netmask-aware ACL logic in the frontend. In that case,
use regular octet-boundary delegation. Each "subdomain" would get 4 /24
networks, as far as DNS was concerned. You could always break those /24 reverse
zone files into 2 include files apiece, if you really wanted to have separate
files. But in that case your management system would have to be include-file
aware; in particular, it would have to know to increment the serial number when
something changes in *either* include file.

By the way, it looks like you're going to need a /8 or 16 /16's for all of
this. Are you going to use fake ones, or do you just happen to have that many
real ones laying around? :-) IPv6?

> > > Each subdomain will consist of approximately 12-13 zone files, creating
> > > about 12000-13000 DB files on the two main servers.
> >
> >I'm getting even more confused. When you say the subdomain consists of
> >12-13 zone files, do you mean each subdomain has subdomains, i.e. quaternary
> >subdomains? That seems a little extreme. Or do you mean include files? What
> >would be the purpose of breaking up the zone file data into so many include
> >files? It can't be a requirement of your management system, since as you
> >point out below, you haven't decided on one yet. Or, are you including all
> >of the reverse zones mentioned above into that file count, and, if so, how
> >did "around 10" reverse zones per subdomain now become "approximately 12-13"
> >zone files? Where did the extra zone files come from?
>
> The numbers may be a bit off but I count at least:
> 8 subnet PTR files
> 1 db.subdomain.domain file
> 1 db.internalhost.domain file
> 1 cache file
> 1 hint file
> 1 127 file
>
> Some of these files are static but that's how I arrived at the numbers

"Cache" and "hints" are synonymous, are they not? The main servers would only
have one copy each of the hints file, since it is universal. The 127 (loopback)
is local; you'd only need one copy on each main server. You only need 4 reverse
files per "subdomain", as far as I can see (unless you get into include files).
And I'm not sure what "db.internalhost.domain" is supposed to represent.
Regardless, I count at most 6 files per "subdomain".

[snip]

> > > What management front ends do people recommend?  I've looked at QIP (WAY
> > > TOO PRICEY) and MetaIP (NOT a good fit).
> >
> >We have a homegrown frontend system, but we're evaluating commercial
> >offerings. Have you looked at NetID?
> >
> >By the way, I'm curious why you would consider QIP "WAY TOO PRICEY". You're
> >setting up an architecture to support as many as 13,000 zones (I think),
> >and who knows how many queries per day, do you really expect to do this on a
> >shoestring budget?
>
> Not shoestring but if you're going to pay $500,000 for a product, it had
> better meet at least 80% of your requirements.

You have a point there. I wasn't aware QIP was so expensive. I normally don't
get involved in money matters (that's what we have the hard-nosed folks in
Purchasing for :-).


- Kevin
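Added illustration of the trade-off Kevin describes above (plain octet-boundary reverse zones plus netmask-aware ACL logic in the provisioning frontend, versus one RFC 2317 CNAME per address when splitting at /25). This script is not from the thread or from BIND; the addresses are constructed documentation-space values and the ACL layout (device type to allowed CIDRs) is an assumption.

```python
import ipaddress

# Constructed example: one "entity" holds eight contiguous /25s (one /22).
# Documentation-space addresses; not taken from the thread.
ENTITY_BLOCK = "198.51.100.0/22"


def reverse_name(ip):
    """in-addr.arpa owner name for one IPv4 address."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def octet_boundary_reverse_zones(block):
    """/24 reverse zones covering a block with plain octet-boundary
    delegation; a block narrower than /24 still lives in its enclosing /24."""
    net = ipaddress.ip_network(block)
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    zones = []
    for sub in net.subnets(new_prefix=24):
        a, b, c, _ = str(sub.network_address).split(".")
        zones.append(f"{c}.{b}.{a}.in-addr.arpa.")
    return zones


def rfc2317_cnames(subnet):
    """CNAMEs the parent /24 zone must carry to delegate one sub-/24
    classlessly (RFC 2317 'first/prefixlen' child label), one per address."""
    net = ipaddress.ip_network(subnet)
    if not 24 < net.prefixlen <= 32:
        raise ValueError("RFC 2317 applies only to blocks longer than /24")
    a, b, c, first = str(net.network_address).split(".")
    child = f"{first}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa."
    return [f"{reverse_name(str(ip))} CNAME {ip.packed[3]}.{child}" for ip in net]


def subnet_acl_allows(device_ip, device_type, acl):
    """Netmask-aware check the provisioning frontend can apply instead of
    splitting zone files per /25: acl maps a device type to allowed CIDRs
    (hypothetical layout)."""
    ip = ipaddress.ip_address(device_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in acl.get(device_type, ()))


if __name__ == "__main__":
    print(octet_boundary_reverse_zones(ENTITY_BLOCK))  # four /24 zones
    print(len(rfc2317_cnames("198.51.100.128/25")), "CNAMEs for one /25")
    print(subnet_acl_allows("198.51.100.130", "printer",
                            {"printer": ["198.51.100.128/25"]}))
```

For the whole /22 the classless route means 1024 CNAMEs on the central servers in addition to the PTRs, while the octet-boundary route needs only four /24 zones and a CIDR check in the frontend.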




