wiki:WeeklyMinutes20110607

BIND 10 Conference Call

2011-06-07 @ 15:00 UTC

Attendees

Aharen
Fujiwara
Kambe
Larissa
Jelte
Jinmei
Michal
Stephen

Agenda

  • ACL Design
  • Data source refactoring
  • Security procedures status update
  • Ticket #337 (expired zone should not be served)

ACL Design

Proposal at http://bind10.isc.org/wiki/AclSyntax
Discussion at https://lists.isc.org/pipermail/bind10-dev/2011-June/002321.html and https://lists.isc.org/pipermail/bind10-dev/2011-June/002324.html

Stephen: Where are we with ACLs?

Michal: Original boolean design rejected - people seem to want to go with first match.

Jinmei: Do we want discuss detailed design or check current status?

Michal: Need to decide design now to have something to do for rest of sprint.

Stephen: Need to have some design to which to start working.

Michal: Don't want optimisations at this stage.

Stephen: Worry about needing to do a lot of rework.

Michal: A lot of work is implementation independent. Perhaps the only part we would need to rework is the short check for IP address.

(Michal talked through the design at http://bind10.isc.org/wiki/AclDesign)

Stephen: ACL comprises set of ACE (Access Control Entries). Each ACE comprises a match condition and an action.

Jinmei: BIND 9 has allow, deny and blackhole

Michal: Had proposal for ACL that included only allow or deny. Perhaps want more (e.g. deny and send back this error condition).

Michal: Need some way to store it in the configuration. Also need nesting of the lists.

Stephen: Are we in the position that we can go forward with these tickets?

Jinmei: Not sure.

Michal: If this is syntax we want to use - would still have problem of dependencies. Have done base class but may need rework. Problems with parallel tasks though.

Jinmei: Reckon we can start on the ACL tasks.

Jelte: Did not really feel like there was a consensus.

Larissa: There wasn't really a consensus.

Jinmei: Agree - but impression that many users wanted traditional order-dependent syntax.

Stephen: Agree with Jinmei.

Jinmei: JSON is unfriendly - don't think we have consensus of how to handle this. However, don't have time to rework, suggest we move forward beginning with JSON. Think we can begin work.

Jelte: Agree. Can refine way you type it in later.

Stephen: Agree.

Jinmei: Do not know whether the tickets are specific enough or of the right size. Think Michal can suggest specific task items.

Stephen: We are going with order-dependent syntax. Need to update documents with this.

Michal: Syntax document needs reworking, design document is OK. Syntax can be done by person who writes the loader. Whole ACL will not be based on base class, but will only use base classes for matching part.

Stephen: we currently have in "new" state:

  • #766 ACLS: define properties ACLs should check
  • #768 ACLS: configuration
  • #769 ACLS: C++ access library
  • #978 Generic simplified ACL loader
  • #979 Logic operator ACLs
  • #980 Abbreviated form for the ACL loader.

Stephen: is that a complete set of tasks?

Michal: #768 does not need doing (just a composite of other tasks). More work should be split off access library (#769). Logic operators (#979) not really urgent now. #980 also not urgent now. Have implemented base class but have not define data structure needing to be validated. Want to implemented code in a way that we can use ACL library elsewhere.

Stephen: Need to define tasks for next week.

Jinmei: Need a specific goal for ACLs in the next release. Need to define a specific set of tasks to do that so that we can be more focused.

Stephen: have three weeks until next release, what is realistic goal?

Jinmei: Able to provide simple access check for the resolver (don't need Python for it).

Michal: We will need to implement plugin if we have ACLs in separate modules. Or we can put ACL configuration inside program configuration?

Stephen: Suggest we do the latter (for now at least) - simpler. In summary then, the goal is that for next release, resolver will be able to do simple access check based on source address. The configuration will be held with resolver configuration.

Michal: Need ACL class holding list of conditions and actions. Feeds data one by one into conditions.

(Discussion about tasks.)

Stephen: So the task list for the next week is:

  • <new task> Create ACL class holding list of conditions and actions.
  • Base class for conditions already exists. (template)
  • <new task> Create concrete class to handle IP address check (both IPV4 and IPV6). (This needs to create the structure to hold the IP address and message.)
  • #978 Generic loader - load ACLs from JSON into ACL class holding list of conditions/actions (template)
  • <new task> Integration into resolver

Michal: suggests that this can only support two people.

Stephen: We'll go with what we've decided. If anyone is short of work, take a bug from the general backlog and add it to the current sprint.

Data source refactoring

Proposal at http://bind10.isc.org/wiki/DataSourceDesign
Discussion at https://lists.isc.org/pipermail/bind10-dev/2011-June/002314.html

(There were only five minutes of the meeting left at this point, so Jinmei gave a brief overview of the document in the time remaining.)

Jinmei: Wants more feedback. After feedback, will be able to create development tasks.

Stephen: will there always be a database for persistent storage?

Jinmei: Previous F2F apparently agreed this.

Security procedures status update

Not discussed.

Ticket #337 (expired zone should not be served)

Jelte agrees with Jinmei that this could be postponed.

Stephen: will move to the backlog

AOB

Not discussed.

Last modified 6 years ago Last modified on Jun 7, 2011, 4:53:17 PM