RPZ in dns views

Rama Krishna Prasad Chunduru rkpchunduru at gmail.com
Sat Jan 23 01:30:04 UTC 2016


Hi All,
   I am trying to use RPZ ( Response Policy Zone) in DNS views (BIND 9.8.2)
but i am getting the below error

service named restart

Stopping named:                                            [  OK  ]

Starting named:

Error in named configuration:

/etc/named.conf:92: when using 'view' statements, all zones must be in views

                                                           [FAILED]

I am pasting the named.conf file and "dummy-block" which has the zone info
below


*named.conf*


options {

// DNS tables are located in the /var/named directory

directory "/var/named";


// Forward any unresolved requests to our ISP's name server

forwarders {

4.2.2.1;

};


/*

* If there is a firewall between you and nameservers you want

* to talk to, you might need to uncomment the query-source

* directive below.  Previous versions of BIND always asked

* questions using port 53, but BIND 8.1 uses an unprivileged

* port by default.

*/

query-source address * port 53;



          listen-on port 53 { 127.0.0.1; any; };

          allow-query     { localhost; any; };

          allow-query-cache       { localhost; any; };

          recursion yes;

          /*

           * Added the below lines to make DNS + TSIG

           */


          dnssec-enable    yes;

          dnssec-validation yes;

          dnssec-lookaside auto;


        /* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";


};


key "secret-key" {

    algorithm "hmac-md5";

    secret
"PUp7RAfTglybAoctQR3aUW+cLpNDyjlMWUvCoHPxiWr9e0budWUQ6jp9MmrhaINa1DFZgvtuxxkOw7oCnU4qzQ==";

};


key "second-secret-key" {

      algorithm "hmac-md5";

      secret
"sjz+sH4PGPPKPXLeTM7oG3WbmCIwxxcWLA+qaGaazmvLY0TvbPZ9xZi+B5JuYWMA8rpzUYi26kFiBODIOw9Rdg==";

};



key "third-secret-key" {

      algorithm "hmac-md5";

      secret
"cQiZnv+4GZb0rEFkagYw8cFowSeC2Yj6dXXT7pvdllJoMW0Gt7Nhv07Y5EyZUTcS2hX5Ngbu7syyZ6IGUkCvqA==";

};



acl "first-key-acl" {

  key secret-key;

};


acl "second-key-acl"{

   key second-secret-key;

};


acl "third-key-acl"{

   key third-secret-key;

};


view  "second-key-view" {

    match-clients{

           second-key-acl;

            //key secret-key;

     };




   zone "bbc.com"

   {

     type master;

     file "views/firstkey";

     allow-query  {none;};

   };





   response-policy {

         zone "youtube.com";

   };

};


zone "youtube.com"

 {

   type master;

    file "dummy-block";

   allow-query  {none;};

 };


view  "secret-key-vew"  {

    match-clients{

           first-key-acl;

            //key secret-key;

     };


    zone "abc.com"

    {

      type master;

      file "views/secondkey";

     allow-query  {none;};

    };

};



view default {

        match-clients      { any; };

        match-destinations { any; };

        include "/etc/named.rfc1912.zones";

};





*dummy-block*


youtube.com. 14400 IN SOA ns.youtube.com. root.ns.youtube.com. (

2004123001;

86000;

7200;

1209600;

600)


youtube.com. 14400 IN NS ns.youtube.com.


ns.youtube.com. 14400 IN A 10.255.246.110


I appreciate your help on this.


Thanks,

Rama
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160122/084fe6b8/attachment-0001.html>


More information about the bind-users mailing list