Reuse RPZ zones between views
Mark Andrews
marka at isc.org
Wed Jun 12 19:46:07 UTC 2024
Have you read the fine documentation on BIND where it is stated this is not (currently) possible?
If you want to extend named to support this we would be happy to review a change request. It is complicated, however, which is why it has not been done.
--
Mark Andrews
> On 13 Jun 2024, at 02:38, Jesus Cea <jcea at jcea.es> wrote:
>
> My RPZ zones are quite big, and I would like to be able to reuse them in several views sharing the memory instead of independent data structures.
>
> I thought that zone "in-view" would work, but it doesn't.
>
> I am doing something like:
>
> """
> view honeypot {
>     match-clients { honeypot; };
>     allow-recursion { honeypot; };
>
>     zone "rpz" {
>         type slave;
>         [...];
>     };
>     response-policy {
>         zone "rpz" policy disabled; //cname prueba.xx.xx;
>     } break-dnssec yes;
> };
>
> view default {
>     match-clients { any; };
>     allow-recursion { any; };
>     zone "rpz" { in-view "honeypot"; };
>     response-policy {
>         zone "rpz";
>     } break-dnssec yes;
> };
> """
>
> Trying to activate that configuration produces an error:
>
> """
> response-policy zone 'rpz' for view default is not a primary or secondary zone
> """
>
> But "rpz" is secondary (slave) in "honeypot".
> I would think this is a bug in bind? I am using version 9.18.25.
>
> Any suggestion besides loading the "rpz" zone separately in each view? That would explode my memory usage (I have quite a few views).
>
> --
> Jesús Cea Avión
> jcea at jcea.es - https://www.jcea.es/
> Twitter: @jcea
> jabber / xmpp:jcea at jabber.org
> "Things are not so easy"
> "My name is Dump, Core Dump"
> "Love is placing your happiness in the happiness of another" - Leibniz
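
The per-view form that the thread names as the remaining option, shown as an added example that is not part of either message: each view declares "rpz" as its own secondary zone instead of pointing at another view with in-view. The ACL range, the primary's address and the file names are constructed placeholders; every view holds its own copy of the zone in memory, which is the cost the original post wanted to avoid.

```conf
// Added example; ACL range, primary address and file names are constructed.
acl honeypot { 198.51.100.0/24; };

view honeypot {
    match-clients { honeypot; };
    allow-recursion { honeypot; };

    zone "rpz" {
        type secondary;               // "slave" in the original post; same meaning
        primaries { 192.0.2.1; };     // constructed address of the RPZ primary
        file "rpz.honeypot.db";       // one file per view; zones must not share a writable file
    };
    response-policy {
        zone "rpz" policy disabled;
    } break-dnssec yes;
};

view default {
    match-clients { any; };
    allow-recursion { any; };

    // A full zone definition replaces the in-view reference, so the
    // response-policy statement in this view finds a secondary zone of its own.
    zone "rpz" {
        type secondary;
        primaries { 192.0.2.1; };
        file "rpz.default.db";
    };
    response-policy {
        zone "rpz";
    } break-dnssec yes;
};
```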