logo       
Google Custom Search
    AddThis Social Bookmark Button
<prev   next>
-->

Re: Secure Bind Template: msg#00324

Subject: Re: Secure Bind Template 
On Sun, 22 Dec 2002, Rob Payne wrote:

> On Sat, Dec 21, 2002 at 08:43:22PM +0100, Ketil Froyn wrote:
>
> > 1) What is the performance impact of having large acl's like the "bogon"
> >    acl? Are there any measurements around?
>
> What type of query load is your server handling?  What is your threat
> model?  Recursive server or authoritative?

I was asking from a theoretical point of view, actually, and if there is a
significant difference, I'm sure others would like to know too. If there
isn't, I bet some people would like to know that too.

> In terms of performance, what is going to be worse in the long run,
> checking ACL's and denying access to bogus queries, or a DoS
> perpetrated by having your name server attempt to answer all of those
> queries?

I agree, but if bind has a significant performance overhead checking
these, you might be better off putting these rules in your firewall (which
I'm sure you have if you are pushing loads so large that it matters).

> I wonder if the (debug level) logging that that template includes
> isn't more of a bottleneck than the ACL checking..

Probably.

> To the point of setting a low polling interval, that is the stated
> purpose of NOTIFY in RFC 1996.  It is a good idea to keep the polling
> interval low (to cut down on unnecessary traffic) and allow alerts to
           ^^^
> be sent out when the zone actually changes.

Do you mean high?

RFC 1996 says:

   1.1. Slow propagation of new and changed data in a DNS zone can be
   due to a zone's relatively long refresh times.  Longer refresh times
   are beneficial in that they reduce load on the master servers, but
   that benefit comes at the cost of long intervals of incoherence among
   authority servers whenever the zone is updated.

Is the load on the masters still an issue? If a master is serving some
slaves with IXFR, frequent SOA queries and corresponding IXFRs if
something has changed probably isn't problematic.  Anyway, I'd imagine the
load on the master is higher if all the slaves query at the same time
because of a notify, rather than spreading them out in time.

So with IXFR, switching off notify and and setting a low polling interval
seems to me to be as good a solution as high poll and notify.

Feel free to point out any mistakes I have made, though :)

Ketil
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  ICMP in firewall log from root-servers, J.D. Bronson
Next by Date:  Re: ICMP in firewall log from root-servers, Mark_Andrews
Previous by Thread:  Re: ICMP in firewall log from root-servers, Mark_Andrews
Next by Thread:  Re: Secure Bind Template, Rob Payne
Indexes:  [Date] [Thread] [Top] [All Lists]

    ^^^ ADDITIONAL NAVIGATION ^^^

  
Google Custom Search

Recently Viewed:
handhelds.pocke...    colinux.general...    apache.maven.no...    kde.freebsd/200...    emacs.devel/200...    qnx.openqnx.dev...    lib.fox-toolkit...    genealogy.gramp...    bug-tracking.gn...    yellowdog.gener...    network.zebra.b...    recreation.radi...    mathematics.aba...    internationaliz...    freebsd.devel.n...    xfree86.cvs/200...    security.cyrus....    desktop.xfce.de...    text.xml.french...    video.gimp.deve...    windows.devel.d...    politics.activi...    user-groups.lin...    java.ejb.middle...   
Home | blog view | USPTO Patent Archive (NEW!) | advertise | OSDir is an inevitable website. super tiny logo