Hi, I've come across an interesting scalability issue with regard to how our organization uses BIND. I'm putting the question up here, but I have a sneaky suspicion that I'll have to solve this problem in the source code. The way we use BIND seems to be slightly non-obvious, and I'm really after any creative or bright ideas that would help me reduce memory use while still keeping the functionality.
The use case: We have one BIND server (running 9.9) that serves a number of subdivisions within our company. Each subdivision has a response policy that refers to a few "category" zones (of which there are about 90). The issue is that these zones are LARGE and almost impossible to clean up. There's a huge commonality between subdivisions and zones, however (many subdivisions use the largest zone file, with 1.7m entries or so).

The current setup: I've set up BIND to do something like this:

    view "subdivision-01" {
        match-clients { 10.0.1.0/24; };
        zone "category-01" { type master; file "/etc/bind/cat01.rpz"; allow-query { none; }; };
        ...
        zone "category-90" { type master; file "/etc/bind/cat90.rpz"; allow-query { none; }; };
        zone "whitelist" { type master; file "/etc/bind/whitelist.rpz"; allow-query { none; }; };
        response-policy {
            zone "whitelist" policy no-op;
            zone "category-01" policy CNAME policy.example.com;
            ...
            zone "category-90" policy CNAME policy.example.com;
        };
        include "/etc/bind/named.conf.default-zones";
        include "/etc/bind/zones.rfc1918";
    };

I normally make a copy of that setup for each subdivision, omitting the categories that aren't used in the subdivision.

The problem: Each subdivision added in this way increases BIND's memory use by almost a gigabyte! Most subdivisions use the category with 1.7m entries, and that's a big culprit. It looks a lot like BIND makes a new copy of the zone per view. Making the memory requirements an order of magnitude less for the zone, or making them independent of the number of views, would both solve the problem.

So, here's my question: is there a way to share zones between views to conserve memory? The hypothetical way would be to put the policy zones in a "common" view and just set response-policy uniquely for each view. Like I said, I have a sneaky suspicion that it's not possible with 9.9... Any other bright ideas, suggestions or general flames would be welcome!
I'm not married to this specific setup in the least: any tool that does the job is valid. As an off-topic aside, it seems that the policy no-op statement only works in BIND 9.9, and not 9.8. I'm running Ubuntu 12.04 (pity me!) and 9.8 seems to have slight issues with a response-policy. Thanks for reading this far; I feel I've succeeded in my goal if I've caused at least one sysadmin or developer to overheat for a couple of minutes.

Jan Gutter

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
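As an added example (not part of the original post, and not something BIND 9.9 supports): the zone-sharing the question asks for was added in BIND 9.10 as the in-view zone option, which makes a zone declaration in one view a reference to the zone already loaded in another view instead of a second copy. The sketch below assumes a hypothetical holder view "common" that matches no clients, two subdivision views, and the file names and policy target from the post; the "subdivision-02" view and its prefix are invented to show a view that uses only a subset of the categories. Treat whether in-view zones are accepted in a response-policy statement on your exact version as something to confirm against the ARM and named-checkconf, and measure RSS before and after rather than assuming the saving.

```conf
// Added example, not from the original post: sharing RPZ zones between views
// with the in-view zone option (BIND 9.10 and later; not available in 9.9).
// View names, the 10.0.2.0/24 prefix and "subdivision-02" are assumptions.

// Holder view that loads each category zone exactly once. match-clients
// { none; } means no client is ever matched to it; it exists only to own the
// zone objects. It must appear before any view that references it.
view "common" {
    match-clients { none; };
    recursion no;
    zone "category-01" { type master; file "/etc/bind/cat01.rpz"; allow-query { none; }; };
    zone "category-90" { type master; file "/etc/bind/cat90.rpz"; allow-query { none; }; };
    zone "whitelist"   { type master; file "/etc/bind/whitelist.rpz"; allow-query { none; }; };
};

// Each subdivision view references the zones already loaded in "common".
// An in-view zone carries no other options: type, file and allow-query stay
// with the original declaration. The response-policy statement remains per
// view, so each subdivision still selects its own subset of categories.
view "subdivision-01" {
    match-clients { 10.0.1.0/24; };
    zone "category-01" { in-view "common"; };
    zone "category-90" { in-view "common"; };
    zone "whitelist"   { in-view "common"; };
    response-policy {
        zone "whitelist"   policy passthru;   // passthru is the current name of the no-op action
        zone "category-01" policy cname policy.example.com;
        zone "category-90" policy cname policy.example.com;
    };
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/zones.rfc1918";
};

view "subdivision-02" {
    match-clients { 10.0.2.0/24; };               // assumed prefix
    zone "category-90" { in-view "common"; };     // this subdivision uses only the large category
    zone "whitelist"   { in-view "common"; };
    response-policy {
        zone "whitelist"   policy passthru;
        zone "category-90" policy cname policy.example.com;
    };
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/zones.rfc1918";
};
```

Run named-checkconf on the result before reloading; it rejects an in-view zone that names a view defined later in the file or that carries extra options. The two include files are still loaded once per view, but the default and RFC 1918 zones they define are tiny compared with a 1.7m-entry category zone, so sharing them is optional.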