BIND - sorting of reverse domain.

Kevin Darcy kcd at daimlerchrysler.com
Tue Jul 9 21:03:10 UTC 2002 

"D. Stussy" wrote:

> On 8 Jul 2002, Andris Kalnozols wrote:
> >Since this thread has gotten rather large (22 replies at last count),
> >I'll insert a few quotes before making my point.
> >
> >Original post:
> >
> >> D. Stussy <kd6lvw at bde-arc.ampr.org> wrote:
> >> It appears that BIND (I have version 9.2.1) sorts all its domain
> >> entries in the files it stores alphabetically ("machine sort order").
> >> That's fine for the forward domain file where domain/hostnames are
> >> usually alphabetic.  However, for the reverse domain file, it makes
> >> more sense to sort it in NUMERICAL value order, thus keeping adjacent
> >> IP addresses nearer to each other.  (Of course, I don't care what
> >> named does internally with the zone as a memory image ....)
> >
> >Selected replies:
> >
> >> Mark Andrews <mark_andrews at isc.org> replied:
> >> The order is DNSSEC order.  To support returning signed NXDOMAIN
> >> responses the namserver needs to know the node that appears
> >> immediately before the name in the query.  To do this it sorts the
> >> zone when it loads it into DNSSEC order.  When named writes out the
> >> zone it just walks the zone which results in records being emitted
> >> in DNSSEC order.
> >
> >> > Mark Andrews <mark_andrews at isc.org> replied:
> >> > BIND 9 sorts in DNSSEC order because it *needs* the zone to be
> >> > sorted this way to able to find the correct NXT record to be
> >> > returned with a NXDOMAIN response.
> >>
> >> D. Stussy <kd6lvw at bde-arc.ampr.org> wrote:
> >> Perhaps in the current implementation, but such need not be the case.
> >
> >> D. Stussy <kd6lvw at bde-arc.ampr.org> wrote:
> >> If true, then it must actively sort the zone file in order for
> >> it to be written out in alphabetical order (which is occuring
> >> with this version).  It is obviously bothering to take the time
> >> to do this, so while we're at it, why not write out the reverse
> >> domain files in numerical order where possible?  [We're back to
> >> my original question!]
> >
> >> D. Stussy <kd6lvw at bde-arc.ampr.org> wrote:
> >> ...How the RR records are ordered for a zone name is of no
> >> consequence whatsoever when determining whether or not the
> >> name EXISTS or not.  I couldn't care less about that - it is
> >> not relevent to the original question.
> >>
> >> My question was not one of how it IS coded - but one of how
> >> it MAY be coded.  How the current source code is actually
> >> written isn't of consequence because if the preference I asked
> >> about were to be accepted, the source program would have to be
> >> changed anyway.
> >>
> >> You all are too worried about the actual implementation while
> >> I'm talking about conceptual design - a separate step.
> >
> >After reading your comments, I get the distinct impression that
> >when DNSSEC is mentioned, you are not making the connection to
> >RFC-2535, the specification that implements it.  Here's what it
> >requires as a sort order:
> >
> >  8.2 Canonical DNS Name Order
> >
> >    For purposes of DNS security, the canonical ordering of owner names
> >    is to sort individual labels as unsigned left justified octet strings
> >    where the absence of a octet sorts before a zero value octet and
> >    upper case letters are treated as lower case letters.  Names in a
> >    zone are sorted by sorting on the highest level label and then,
> >    within those names with the same highest level label by the next
> >    lower label, etc. down to leaf node labels.  Within a zone, the zone
> >    name itself always exists and all other names are the zone name with
> >    some prefix of lower level labels.  Thus the zone name itself always
> >    sorts first.
> >
> >    Example:
> >          foo.example
> >          a.foo.example
> >          yljkjljk.a.foo.example
> >          Z.a.foo.example
> >          zABC.a.FOO.EXAMPLE
> >          z.foo.example
> >          *.z.foo.example
> >          \200.z.foo.example
> >
> >Since BIND 9 strives for strict compliance with IETF standards,
> >changing the internal sort order when a zone is loaded is not
> >an option if DNSSEC is to be implemented efficiently.
> >
> >To implement what you are asking means that the code for writing
> >out a zone to disk must first traverse the red-black tree to see
> >if the relative domain names consist solely of digits and, if so,
> >traverse the tree once again and resort the data numerically before
> >writing the disk file.  With all the essential work that name servers
> >(and BIND maintainers) have to do, do you still think that your idea
> >would be a good use of resources?
>
> Incorrect.  I have made that connection.  Note that this only talks about the
> name component, which is what I limited my query to.  DNSSEC order also takes
> into account the RR-set (a secondary sort key) order for a zone, and that falls
> OUTSIDE my query (by going beyond it).  Furthermore, the RFC requires an order
> for the MEMORY IMAGE, but again, that isn't relevent to the FILE image I queried
> about.
>
> Since others said that a zone ISN'T stored in alphabetical/machine order, but is
> written out as such, I properly concluded that before writing, an additional
> sort of the zone names was occuring so as to make the file listing of the zone
> appear in a human readable pattern.  It wasn't until later that they finally
> admitted that it was a side-effect of their tree-traversal (which
> coincidentally, did traverse the tree in machine order to write the file) -
> which means that it IS in fact sorted in machine order to begin with.  Beyond my
> query, my assertions were as a result of their false statements.
>
> However, there was also the contradiction.  At least one said that when
> searching for a zone by name, the search terminates when one hits a value
> greater (in machine order) than the target.  That only happens with a certain
> structure (a list) and is complete nonsense to others (e.g. a tree).  They then
> accuse me of misunderstanding.  That statement was clear but false once again.
>
> Had these responders to my query had not made these false statements, my
> question would have been mooted at the first response.  Their incorrect
> statements implied actions such as an additional sort before exportation to a
> file of the data.  I simply asked, if that's what you're doing (presumedly to
> make the file human readable), then why not make this adjustment (where both
> text values are completely numerical, compare on the numerical values) while
> performing this sort (which now I know doesn't exist).
>
> My follow-up question, once I overcame their falsehoods, then was:  Why was it
> chosen to save the file in machine order when that requires a tree-rebalance
> performance penalty when reading it back in (upon restart)?  If it is saved in
> this other tree traversal order, the rebalance penalty is completely avoided (as
> long as the zone file hadn't been tampered with in the meantime).  I still await
> an answer to that one.

No-one really cares about squeezing an ounce of performance out of the zone-loading
process, especially if it has the potential to harm the human-readability of zone
files. There are much bigger fish to fry in the DNS world.

If you want to send a patch to ISC, send a patch. Or subscribe yourself to
bind9-workers. bind-users is for *users* of BIND, and this discussion is off-topic
here. I intend this to be my last message in the thread.


- Kevin

More information about the bind-users mailing list