PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

Faster search for zones in API #8841

Open jonathaneen opened 4 years ago

jonathaneen commented 4 years ago

Short description

Currently the only way to search for a zone based on (partial) zone name using the PowerDNS API seems to be the '/search' endpoint. We noticed in our production environment that searching for zones using this endpoint costs about 30 seconds, mainly because we have a lot of zones and the search implementation loops through all the zones in the database for filtering.

Use case

Each time a zone gets updated, we want to copy NS records from zones of (possible) subdomains to the zone of the main domain, to ensure a correctly functioning DNSSEC chain. We need a way to efficiently search for subdomain zones, so that we can ensure zone updates are executed in a timely manner.

Description

It seems the '/search' is not very well suited for our use case. A possible improvement could be to speed up the endpoint by filtering more at a database level. Another approach would be to add a new endpoint, specifically for a fast zone search, while keeping the existing extensive search untouched.

jonathaneen commented 4 years ago

I am happy to add a pull request for this issue, but I'm not sure if I should add another endpoint for my use case or if I should try to improve performance of the existing search endpoint.

Habbie commented 4 years ago

@zeha any thoughts on what would make sense HTTP API wise?

zeha commented 4 years ago

If I understand this right, you have a sub-zone, and need to find the parent zones, right?

For this case you can call `/api/v1/servers/localhost/zones?zone=zonename` - where zonename would be the sub-zone name with one "level of dot" stripped - to find the immediate parent zone. You'll need to repeat this stripping until you end up with an empty zone name.

If you start with the parent zone, you already "know" from the zone records which sub-zones could exist.

If we want to do this as part of the API, maybe add a new `/api/v1/servers/localhost/zones/<id>/parent-zones` endpoint which can return a map of parent zone names and their API-zone-ids?
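Added example, not part of the thread and not PowerDNS project code: a client-side sketch of the label-stripping lookup described in the comment above, using the `zones?zone=` query it mentions. The base URL, port, API key placeholder and the helper names (`parent_candidates`, `api_lookup`, `find_parent_zone`, `fake_lookup`) are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

API_BASE = "http://127.0.0.1:8081/api/v1/servers/localhost"  # assumed address
API_KEY = "REPLACE_ME"  # placeholder, not a real key


def parent_candidates(zone):
    """Yield ancestor names of `zone`, nearest first, one label stripped per step.

    Stops before the name becomes empty. Assumes labels contain no escaped dots.
    """
    labels = zone.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:]) + "."


def api_lookup(name):
    """GET zones?zone=<name>; returns the (possibly empty) list of zone objects."""
    url = f"{API_BASE}/zones?zone={urllib.parse.quote(name)}"
    req = urllib.request.Request(url, headers={"X-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def find_parent_zone(zone, lookup=api_lookup):
    """Return (name, id) of the closest hosted ancestor zone, or None."""
    for candidate in parent_candidates(zone):
        hits = lookup(candidate)
        if hits:
            return hits[0]["name"], hits[0]["id"]
    return None


def fake_lookup(hosted):
    """Constructed stand-in for the API so the example runs offline."""
    return lambda name: [{"name": name, "id": name}] if name in hosted else []


if __name__ == "__main__":
    hosted = {"example.com.", "sub.example.com."}  # constructed sample data
    print(find_parent_zone("a.b.sub.example.com.", fake_lookup(hosted)))
```

Each lookup is a single exact-name query, so the cost grows with the number of labels in the name rather than with the number of zones on the server.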

Habbie commented 4 years ago

> If I understand this right, you have a sub-zone, and need to find the parent zones, right?

No - the request is the opposite. For any zone, list all subdomains. But indeed, now I'm wondering what's wrong with listing the zone contents and filtering the delegations from it?

peterthomassen commented 4 years ago

I think the request is the following: The user has the zone example.com, and another zone sub.example.com is created or its NS records are changed. Now the user wants to be able to detect using the API that the new zone sub.example.com has been provisioned, so that he can go ahead and add/update the (DNSSEC) delegation in the parent.

(Contrary to the original poster, I think this does not really affect NS as only the child is authoritative for that RRset, i.e. the parent won't even get asked if hosted on the same nameserver instance...)

zeha commented 4 years ago

But then one can do this as part of submitting sub.example.com and then iterating upwards until such a zone is found?

@jonathaneen could you describe your use case with a few more words?

Habbie commented 4 years ago

> (Contrary to the original poster, I think this does not really affect NS as only the child is authoritative for that RRset, i.e. the parent won't even get asked if hosted on the same nameserver instance...)

This is correct, but if the parent is signed and the child is not, the -presence- (but not the content) of the parent-side NS records is required for correct signaling of the insecure '''delegation'''.

jonathaneen commented 4 years ago

Quite often we have a customer that starts with a subdomain zone with us, sub.example.com, while the main domain example.com is still registered at his old provider. When he trusts the performance of our platform and decides to move his complete website including the main domain to us, we want to be able to automatically fix the delegation for him (on creation of the main domain zone). For that use case, we need some way to determine the subdomain zones while not depending on the main domain zone contents.