BIND Based Appliances.

Larry Fahnoe fahnoe at FahnoeTech.com
Sun Oct 5 17:55:49 UTC 2008


On Sun, Oct 05, 2008 at 08:55:14AM -0400, Jeff A. Earickson wrote:
> On Sat, 4 Oct 2008, Larry Fahnoe wrote:
> >The fundamental reasons that I chose to use Infoblox in this
> >application were the need for a bullet proof GUI with logging and fine
> >grained access control for less experienced admins to use when making
> >DNS and DHCP changes, and the integrated database underneath BOTH bind
> >and dhcpd.  The need for the bullet proof GUI and appliance style
> >deployment seems to be the original question that sparked this
> >conversation, but to me the fact that Infoblox has implemented these
> >features on top of an integrated, distributed database with a
> >full-featured API to talk to it is the key differentiator between
> 
> How much do you use the API?   Someone else noted that their perl API 
> was not so hot.

I've used it enough to get my data imported and then layered some of
the customizations that we wanted done.  One of the areas that was
important to me was to be able to provide my bind secondaries with
updated config files as zones are added, deleted or modified.  I did
this via the API.  I also implement a different security model and
found it easier to do via the API than the GUI.  Is the API good?  I
think that's a matter of opinion, but since their GUI uses the same
API, you can do pretty much anything you want to the data using it.

> >Infoblox and other bind integrators.  This in my opinion represents an
> >architectural enhancement to bind and dhcpd.  A significant side
> >benefit of the integrated database is the IP network and address
> >management that comes along for the ride.
> 
> In the course of evaluating a demo Infoblox box, I've also wondered
> how difficult it would be to get one's data *out* of their appliance
> if one wished to change to another product.  Integrated database may
> translate to "hidden data" on an appliance.

Understood, but since the API is used by their GUI, you can indeed get
the data out in any form that you'd like (of course you'd have to
write the code to do it).

I think you hit the nail on the head on one of the implications of
using something other than the text files we're all used to: you'd
better make sure you have access to either tools or a functional API
to have full control of the data.  As I commented to another poster
off-list: the database is a blessing and a curse, just understand the
good bits of it and what they cost to achieve.  Speaking for myself, I
rather like text based data files, but at some point my personal
preference has to yield in order to give control to other folks who
are not as mindful of syntax and to gain access to the data via other
more advanced means.  Translating back and forth between native text
files and other tools just didn't seem like the way I wanted to go.

> >For all the good that I see in the Infoblox way of doing things, they
> >are far from perfect.  For those who see that it is an ISC bind/dhcpd
> >based appliance and therefore expect to simply import the config and
> >data files without a hitch, well, you're in for a bit of a hurdle.
> 
> Yup, I found that out right away.  It totally choked on my DHCP conf
> file.  Their data import wizard did point out a few mistakes and typos
> in our DNS setup that I had to fix (thank you), but it also had major
> problems importing my data and could not do it.  An Infoblox engineer
> called up to "help out", i.e. take my DNS and DHCP files and massage them
> so that the wizard can import them.  I will be interested to see what
> changes get made to them.

They offered to do that for me too, but I just rolled my own stuff to
get the job done.

> I did notice that their wizard did not recognize the LOC DNS directive,
> which we use to denote latitude, longitude, altitude of our ntp server.
> 
> The engineer said that they do not integrate their import wizard with
> their gui manager because it changes so rapidly.  Hmmm.  Still in 
> development?

And bind/dhcpd are not?  ;-}  I would expect any integrator writing
import/export tools to be constantly updating these tools.

One of the challenges I observe in writing code that imports data from
bind and dhcpd is that as the file syntax changes, the import tools
will also need to track that.  How many different syntaxes have there
been?  I know that most are backwards compatible, but I also know that
each of us makes use of our favorite subset of the syntax, and that
sometimes different versions have slight differences in what the
syntax actually does (some statements being ignored etc.).

As far as Infoblox is concerned, it is worth noting that from a
development standpoint, they group some things (for example the
schema, the GUI and the API) together and have coordinated releases.
Other components (for example the import tool) have different release
cycles.  Disclaimer: I know only what I've observed from using the
appliances for a few years now, and conversations with their support
folk.

--Larry

-- 
Larry Fahnoe, Fahnoe Technology Consulting, fahnoe at FahnoeTech.com
952/925-0744      Minneapolis, Minnesota       www.FahnoeTech.com 

