<div dir="ltr">Hi Kenneth<div><br></div><div>I'm also struggling with the in-view clause and RPZ zones at this moment, documentation says that the in-view clause can't be used in policy zones, and I really don't know why is that programmed that way, it shouldn't matter if it t's a regular zone or a rpz zone.</div><div><br></div><div>I'm using the 9.10.3 version, which it's the latest version, maybe can anyone give us a hint on how to change this directly on source code ?</div><div><br></div><div>Regards</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 5, 2015 at 5:00 PM, Kenneth Lakin <span dir="ltr"><<a href="mailto:kennethlakin@gmail.com" target="_blank">kennethlakin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Why doesn't BIND accept the in-view option for RPZ zone definitions?<br>
named-checkconf has no problem with it, but BIND chokes on startup.<br>
<br>
I'm running BIND 9.10.2-P4 from Gentoo Linux's net-dns/bind-9.10.2_p4<br>
package. Has this been fixed in a later version? Am I doing something<br>
really silly?<br>
<br>
Details follow:<br>
<br>
Consider the following partial config file:<br>
<br>
acl "v1" { <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a>; };<br>
acl "v2" { <a href="http://10.0.1.0/24" rel="noreferrer" target="_blank">10.0.1.0/24</a>; };<br>
acl "slave" { 192.168.1.1; };<br>
masters "slave" { slave; };<br>
<br>
#Forward definitions<br>
view "zone-defs" IN {<br>
match-clients { slave; };<br>
zone "<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>" IN {<br>
type master;<br>
file "pri/example.com.zone";<br>
notify yes;<br>
also-notify { slave; };<br>
allow-transfer { slave; };<br>
};<br>
};<br>
<br>
view "v1" IN {<br>
match-clients { v1; };<br>
zone "<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>" IN { in-view "zone-defs"; };<br>
};<br>
<br>
view "v2" IN {<br>
match-clients { v2; };<br>
zone "<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>" IN { in-view "zone-defs"; };<br>
};<br>
<br>
Clients in views v1 and v2 can each query <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> data, and updates<br>
to the zone work as expected.<br>
<br>
If I add<br>
<br>
response-policy { zone "rpz"; };<br>
zone "rpz" IN {<br>
type master;<br>
file "pri/rpz.zone";<br>
notify yes;<br>
also-notify { slave; };<br>
allow-transfer { slave; };<br>
};<br>
<br>
to view v1, RPZ works as it should. If I add the same statements to view<br>
v2 (Notice that we now have master zones in *two* views sharing the same<br>
writeable file! I'll come back to this in a minute.), RPZ still works as<br>
expected. named-checkconf is happy, and BIND loads and uses the config<br>
without issue.<br>
<br>
So, if I attempt to forward-declare the RPZ zone by moving the "rpz"<br>
zone definition into the "zone-defs" view, then change the "rpz" zone in<br>
v1 and v2 like so:<br>
<br>
zone "rpz" IN { in-view "zone-defs"; };<br>
<br>
I can *reload* the configuration without problem and RPZ *seems* to work<br>
as expected. named-checkconf is *also* totally okay with the config<br>
file. However, if I *restart* BIND, BIND fails to start and emits the<br>
following error:<br>
<br>
/etc/bind/named.conf:$LINE: 'rpz' is not a master or slave zone<br>
<br>
If I leave the zone definition that now contains "in-view" in v1 and v2,<br>
but remove the response-policy block from v1 and v2 and move it into<br>
zone-defs, named-checkconf and BIND both accept the config file, but<br>
-naturally- RPZ does not work for the v1 and v2 views.<br>
<br>
Unrelated to all that, remember how we can have RPZ master zones in<br>
different views that share the same writeable file? You *can't* do that<br>
with RPZ slave zones. named-checkconf complains that the "writeable file<br>
... [is] already in use". (*PLEASE*(!!!) don't fix this until we can<br>
forward-define RPZ zones, just like we can for regular zones.)<br>
<br>
Anyway. As I asked above: Is this fixed in a later version, or am I<br>
-perhaps- doing something rather silly?<br>
<br>
<br>_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><span></span><span></span><a href="http:///" target="_blank"></a><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:12.8000001907349px"><b style="color:rgb(136,136,136);font-size:12.8000001907349px"><font size="4" color="#444444">José Alonso Hernández</font></b><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><font color="#444444" size="2"><i>CEO</i></font></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><font color="#444444" size="2"><i><br></i></font></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><i style="font-size:12.8000001907349px"><font size="2" color="#444444"><img src="https://docs.google.com/uc?export=download&id=0B0NZsRPs-VSHbWtQZktPcDFIM1E&revid=0B0NZsRPs-VSHQzNCczBBazZkTTJaUCtUanVYZXkxS1UrQzdRPQ" width="96" height="41"></font></i></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><i style="font-size:12.8000001907349px"><font size="2" color="#444444"><br></font></i></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"> </span><a href="https://www.facebook.com/IgnisSoftware" style="color:rgb(17,85,204)" target="_blank"><img src="https://docs.google.com/uc?export=download&id=0B0NZsRPs-VSHb3hta0k3S012eDg&revid=0B0NZsRPs-VSHbUtFcjZ4REVFVFB0U1M4bkdhajE3V1FTMlA0PQ" style="font-size:12.8000001907349px"></a><span style="font-size:12.8000001907349px"> </span><a href="https://twitter.com/IgnisSoftware" target="_blank"><img src="https://docs.google.com/uc?export=download&id=0B0NZsRPs-VSHRU1GVDJSZkFQZlU&revid=0B0NZsRPs-VSHSFJMeFpJUDE3YUNMeXdUWFE1VzJmUWM5QW1zPQ" style="font-size:12.8000001907349px"></a> <img src="https://docs.google.com/uc?export=download&id=0B0NZsRPs-VSHb0VnOTAxWjFYQm8&revid=0B0NZsRPs-VSHbTVncmRtM1VjSEpjclBGTG91YzZESCtrdWVjPQ" style="font-size:12.8000001907349px;color:rgb(34,34,34)"><span style="font-size:12.8000001907349px;color:rgb(34,34,34)"> </span><img src="https://docs.google.com/uc?export=download&id=0B0NZsRPs-VSHVWRWbksycHV2TFU&revid=0B0NZsRPs-VSHVVJ0VmMzWmZZY3A2dEpEQWhyakZybHJXbVdVPQ" style="font-size:12.8000001907349px;color:rgb(34,34,34)"><i style="font-size:12.8000001907349px"><font size="2" color="#444444"><br></font></i></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><br></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"> </span><br></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><font color="#444444" size="2"><i>+52 656 135 3846 </i></font><i style="color:rgb(68,68,68);font-size:small">| </i><span style="color:rgb(68,68,68);font-size:small"> jah@ignis.software | </span><i style="color:rgb(68,68,68);font-size:small"> </i><span style="color:rgb(68,68,68);font-size:small">Ciudad Juárez, Chihuahua, México | </span></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><span style="color:rgb(68,68,68);font-size:small"><br></span></div><div style="color:rgb(136,136,136);font-size:12.8000001907349px"><span style="color:rgb(153,153,153);font-family:Helvetica,Arial,sans-serif;font-size:9px;line-height:11px">This e-mail message may contain confidential or legally privileged information and is intended only for the use of the intended recipient(s). Any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is prohibited. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, or contain viruses. Anyone who communicates with us by e-mail is deemed to have accepted these risks. Company Name is not responsible for errors or omissions in this message and denies any responsibility for any damage arising from the use of e-mail. Any opinion and other statement contained in this message and any attachment are solely those of the author and do not necessarily represent those of the company.</span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>