Re: Reuse RPZ zones between views

Wed, 12 Jun 2024 12:46:47 -0700 

Have you read the fine documentation on BIND where it is stated this is not 
(currently) possible?

If you want to extend named to support this we would be happy to review a 
change request.  It is complicated however which is why it has not been done. 

-- 
Mark Andrews

> On 13 Jun 2024, at 02:38, Jesus Cea <j...@jcea.es> wrote:
> 
> My RPZ zones are quite big, and I would like to be able to reuse them in 
> several views sharing the memory instead of independent data structures.
> 
> I thought that zone "in-view" would work, but it doesn't.
> 
> I am doing something like:
> 
> """
> view honeypot {
>    match-clients { honeypot; };
>    allow-recursion { honeypot; };
> 
>    zone "rpz" {
>      type slave;
>      [...];
>    };
>    response-policy {
>        zone "rpz" policy disabled; //cname prueba.xx.xx;
>      } break-dnssec yes;
> };
> 
> view default {
>    match-clients { any; };
>    allow-recursion { any; };
>    zone "rpz" { in-view "honeypot"; };
>    response-policy {
>      zone "rpz";
>    } break-dnssec yes;
> };
> """
> 
> Trying to activate that configuration produce an error:
> 
> """
> response-policy zone 'rpz' for view default is not a primary or secondary zone
> """
> 
> But "rpz" is secondary (slave) in "honeypot"
> I would think this a bug in bind?. I am using version 9.18.25.
> 
> Any suggestion beside loading the "rpz" zone separately in each view?. That 
> would explode my memory usage (I have quite a few views).
> 
> -- 
> Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
> j...@jcea.es - https://www.jcea.es/    _/_/    _/_/  _/_/    _/_/  _/_/
> Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
> jabber / xmpp:j...@jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
> "Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
> "My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
> "El amor es poner tu felicidad en la felicidad de otro" - Leibniz
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to