[nsd-users] Global setting of zone ACL options
Martin Svec
martin.svec at zoner.cz
Fri Apr 2 13:03:55 UTC 2010
Hi,
for a large number of zones, it is very uncomfortable to specify
provide-xfr/request-xfr/notify/allow-notify settings individually for
every zone. I would like to add these options to the server section of
the config. Such global ACL settings would then be appended to the ACLs
of every zone.
Example:
server:
    provide-xfr: 10.1.2.3 NOKEY
    provide-xfr: 10.1.2.4 NOKEY
....
zone:
    name: "domain1.com"
zone:
    name: "domain2.com"
    provide-xfr: 10.6.6.6 NOKEY
...would be equivalent to:
zone:
    name: "domain1.com"
    provide-xfr: 10.1.2.3 NOKEY
    provide-xfr: 10.1.2.4 NOKEY
zone:
    name: "domain2.com"
    provide-xfr: 10.6.6.6 NOKEY
    provide-xfr: 10.1.2.3 NOKEY
    provide-xfr: 10.1.2.4 NOKEY
I already have a sketch of the patch, but I want to ask two questions first:
(a) Are you (NSD maintainers and users) interested in this patch? I hope
so ;-)
(b) There are two ways it can be implemented. I can either make private
copies of the global ACL entries for every zone, or share the global ACL
entries across all zones. I prefer the second way but my question to NSD
maintainers is: is it safe/reasonable to share the acl_options_t objects
across multiple ACLs? ACL objects are organized in single-linked lists,
so it is very easy to append a shared list to the end of them. But it
requires the lists to be accessed in a read-only manner everywhere!! Is
that true? I've found no code that writes to the ACLs yet but I can be
wrong.
I welcome any comments.
Martin
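
Added example, not part of the original post and not NSD code: a minimal C model of option (b), in which every zone's singly-linked ACL list ends in the same shared global list. The struct acl_entry type and the function names are hypothetical stand-ins for acl_options_t, and 10.9.9.9 is a constructed address. It shows why the lists must be read-only after linking: a tail append on one zone becomes visible in every other zone.

```c
#include <string.h>

/* Simplified stand-in for one ACL entry; not NSD's acl_options_t. */
struct acl_entry {
    const char *addr;
    struct acl_entry *next;
};

/* Link the shared global list behind a zone's own entries; returns the head. */
static struct acl_entry *acl_append_shared(struct acl_entry *zone, struct acl_entry *global)
{
    struct acl_entry *e = zone;
    if (!zone) return global;    /* zone without own entries uses the global list */
    while (e->next)
        e = e->next;
    e->next = global;
    return zone;
}

/* Read-only lookup: the const pointer makes the compiler reject writes. */
static int acl_allows(const struct acl_entry *head, const char *addr)
{
    for (; head; head = head->next)
        if (strcmp(head->addr, addr) == 0)
            return 1;
    return 0;
}

/* A writer that appends at the tail: with shared tails it edits every zone. */
static void acl_add_tail(struct acl_entry *head, struct acl_entry *extra)
{
    while (head->next)
        head = head->next;
    head->next = extra;
}

/* Returns 1 if an entry added to domain2.com's list also appears in domain1.com's. */
static int shared_tail_leaks(void)
{
    struct acl_entry g2 = {"10.1.2.4", NULL}, g1 = {"10.1.2.3", &g2};
    struct acl_entry z2 = {"10.6.6.6", NULL};
    struct acl_entry extra = {"10.9.9.9", NULL};   /* constructed address */
    struct acl_entry *zone1 = acl_append_shared(NULL, &g1);  /* domain1.com */
    struct acl_entry *zone2 = acl_append_shared(&z2, &g1);   /* domain2.com */
    acl_add_tail(zone2, &extra);   /* intended for domain2.com only */
    return acl_allows(zone1, "10.9.9.9");
}

int main(void) { return shared_tail_leaks() ? 0 : 1; }
```

The same aliasing applies to cleanup: freeing each zone's list to its end would free the shared entries once per zone, so a shared tail also needs a single owner.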