RPZ in dns views

RPZ in dns views

Rama Krishna Prasad Chunduru
Hi All,
   I am trying to use RPZ (Response Policy Zone) in DNS views (BIND 9.8.2), but I am getting the error below:

service named restart

Stopping named:                                            [  OK  ]
Starting named:
Error in named configuration:
/etc/named.conf:92: when using 'view' statements, all zones must be in views
                                                           [FAILED]

I am pasting the named.conf file and "dummy-block", which has the zone info, below.


named.conf

options {
        // DNS tables are located in the /var/named directory
        directory "/var/named";

        // Forward any unresolved requests to our ISP's name server
        forwarders {
                4.2.2.1;
        };

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        query-source address * port 53;

        listen-on port 53 { 127.0.0.1; any; };
        allow-query       { localhost; any; };
        allow-query-cache { localhost; any; };
        recursion yes;

        /*
         * Added the below lines to make DNS + TSIG
         */
        dnssec-enable     yes;
        dnssec-validation yes;
        dnssec-lookaside  auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

key "secret-key" {
        algorithm "hmac-md5";
        secret "PUp7RAfTglybAoctQR3aUW+cLpNDyjlMWUvCoHPxiWr9e0budWUQ6jp9MmrhaINa1DFZgvtuxxkOw7oCnU4qzQ==";
};

key "second-secret-key" {
        algorithm "hmac-md5";
        secret "sjz+sH4PGPPKPXLeTM7oG3WbmCIwxxcWLA+qaGaazmvLY0TvbPZ9xZi+B5JuYWMA8rpzUYi26kFiBODIOw9Rdg==";
};

key "third-secret-key" {
        algorithm "hmac-md5";
        secret "cQiZnv+4GZb0rEFkagYw8cFowSeC2Yj6dXXT7pvdllJoMW0Gt7Nhv07Y5EyZUTcS2hX5Ngbu7syyZ6IGUkCvqA==";
};

acl "first-key-acl" {
        key secret-key;
};

acl "second-key-acl" {
        key second-secret-key;
};

acl "third-key-acl" {
        key third-secret-key;
};

view "second-key-view" {
        match-clients {
                second-key-acl;
                //key secret-key;
        };

        zone "bbc.com" {
                type master;
                file "views/firstkey";
                allow-query { none; };
        };

        response-policy {
                zone "youtube.com";
        };
};

zone "youtube.com" {
        type master;
        file "dummy-block";
        allow-query { none; };
};

view "secret-key-vew" {
        match-clients {
                first-key-acl;
                //key secret-key;
        };

        zone "abc.com" {
                type master;
                file "views/secondkey";
                allow-query { none; };
        };
};

view default {
        match-clients      { any; };
        match-destinations { any; };
        include "/etc/named.rfc1912.zones";
};





dummy-block

youtube.com.    14400 IN SOA ns.youtube.com. root.ns.youtube.com. (
                        2004123001      ; serial
                        86000           ; refresh
                        7200            ; retry
                        1209600         ; expire
                        600 )           ; minimum (negative-cache TTL)

youtube.com.    14400 IN NS ns.youtube.com.

ns.youtube.com. 14400 IN A  10.255.246.110



I appreciate your help on this.


Thanks,

Rama


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: RPZ in dns views

Doug Barton
On 01/22/2016 05:30 PM, Rama Krishna Prasad Chunduru wrote:

> Hi All,
>     I am trying to use RPZ ( Response Policy Zone) in DNS views (BIND
> 9.8.2) but I am getting the below error
>
> service named restart
>
> Stopping named:                                            [  OK ]
> Starting named:
> Error in named configuration:
> /etc/named.conf:92: when using 'view' statements, all zones must be in views
>                                                             [FAILED]

That error message is pretty clear. :)

Whenever you edit named.conf, especially if you're doing it by hand, you
should run named-checkconf and make sure you don't get any errors.
That's what the service script is doing for you, and it's even telling
you exactly which line to look at (92).



> view  "second-key-view" {
>      match-clients{
>             second-key-acl;
>              //key secret-key;
>       };
>
>     zone "bbc.com <http://bbc.com>"
>     {
>       type master;
>       file "views/firstkey";
>       allow-query  {none;};
>     };
>
>     response-policy {
>           zone "youtube.com <http://youtube.com>";
>     };
> };

You ended the view with the close-curly-bracket immediately above. You
probably want to comment out (or completely remove) the zone declaration
below.

> zone "youtube.com <http://youtube.com>"
>   {
>     type master;
>      file "dummy-block";
>     allow-query  {none;};
>   };
>
> view  ...

hope this helps,

Doug
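Doug's advice is to run named-checkconf before restarting. The script below is an added example, not code from this thread or from ISC, for catching the same layout mistake offline (for instance in a CI job, before the file ever reaches a server). It re-implements the rule behind the error message ("when using 'view' statements, all zones must be in views") and the related RPZ rule that a response-policy zone has to be declared inside the view that references it, and runs both over two constructed configs: the thread's layout, with the youtube.com zone sitting after the view, and the same config with that zone moved into the view. The brace-aware scanner is deliberately minimal (comments and quoted strings only; include files are not followed), and the sample configs are mine, not the poster's full named.conf.

```python
"""Offline structural check for named.conf, run before restarting named.

Added example, not BIND code.  A small brace-aware scanner (handles //, #
and /* */ comments and quoted strings); `include` files are not expanded.
"""
import re

TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    """Blank out comments but keep every newline so line numbers survive."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                          # quoted string, copy verbatim
            j = text.find('"', i + 1)
            j = n if j < 0 else j + 1
            out.append(text[i:j]); i = j
        elif text.startswith('/*', i):              # block comment, may span lines
            j = text.find('*/', i + 2)
            j = n if j < 0 else j + 2
            out.append('\n' * text[i:j].count('\n')); i = j
        elif text.startswith('//', i) or text[i] == '#':
            j = text.find('\n', i)                  # line comment, drop to end of line
            i = n if j < 0 else j
        else:
            out.append(text[i]); i += 1
    return ''.join(out)


def parse(text):
    """Return nested statements as (keyword, args, children, line) tuples."""
    toks = [(m.group(0), ln)
            for ln, line in enumerate(strip_comments(text).splitlines(), 1)
            for m in TOKEN_RE.finditer(line)]
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(toks) and toks[pos][0] != '}':
            words, line, children = [], toks[pos][1], []
            while pos < len(toks) and toks[pos][0] not in ('{', '}', ';'):
                words.append(toks[pos][0].strip('"')); pos += 1
            if pos < len(toks) and toks[pos][0] == '{':
                pos += 1
                children = block()
                if pos >= len(toks) or toks[pos][0] != '}':
                    raise SyntaxError(f'line {line}: block is never closed')
                pos += 1
            if pos >= len(toks) or toks[pos][0] != ';':
                raise SyntaxError(f'line {line}: missing ";" after statement')
            pos += 1
            if words:
                stmts.append((words[0], words[1:], children, line))
        return stmts

    stmts = block()
    if pos != len(toks):
        raise SyntaxError(f'line {toks[pos][1]}: unexpected "}}"')
    return stmts


def check_config(text):
    """List the problems found (empty list when the view/zone layout is consistent)."""
    problems, stmts = [], parse(text)
    views = [s for s in stmts if s[0] == 'view']
    for kw, args, _, line in stmts:             # named's rule: with views, no bare zones
        if views and kw == 'zone':
            name = args[0] if args else '?'
            problems.append(f'line {line}: zone "{name}" is declared outside every view')
    for _, vargs, vkids, _ in views:            # an RPZ zone must live in the view using it
        declared = {a[0] for k, a, _, _ in vkids if k == 'zone' and a}
        for k, _, kids, _ in vkids:
            if k == 'response-policy':
                for ck, ca, _, cl in kids:
                    if ck == 'zone' and ca and ca[0] not in declared:
                        problems.append(f'line {cl}: response-policy zone "{ca[0]}" '
                                        f'is not declared inside view "{vargs[0]}"')
    return problems


# Constructed sample configs (not the poster's file) mirroring the thread's layout.
VIEW_HEAD = [
    'options { directory "/var/named"; recursion yes; };',
    'acl "second-key-acl" { key second-secret-key; };',
    'view "second-key-view" {',
    '    match-clients { second-key-acl; };',
    '    zone "bbc.com" { type master; file "views/firstkey"; };',
]
RPZ_ZONE = 'zone "youtube.com" { type master; file "dummy-block"; allow-query { none; }; };'
VIEW_TAIL = ['    response-policy { zone "youtube.com"; };', '};',
             'view default { match-clients { any; }; include "/etc/named.rfc1912.zones"; };']
# BROKEN: the RPZ zone sits after the view's closing brace, i.e. outside every view.
BROKEN = '\n'.join(VIEW_HEAD + VIEW_TAIL[:2] + [RPZ_ZONE] + VIEW_TAIL[2:])
# FIXED: the same zone moved inside the view whose response-policy refers to it.
FIXED = '\n'.join(VIEW_HEAD + ['    ' + RPZ_ZONE] + VIEW_TAIL)

if __name__ == '__main__':
    for label, cfg in (('broken', BROKEN), ('fixed', FIXED)):
        print(label, check_config(cfg) or 'OK')
```

On a real server the authoritative check remains named-checkconf (with `-z` to also test-load the zone files), which is what the service script ran for the poster; the script above only catches the two layout mistakes it was written for, and it reports the offending line number the same way named does.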



Re: RPZ in dns views

Rama Krishna Prasad Chunduru
Hi Doug,
 Thanks for the immediate reply. The problem is solved.
Regards,
Rama

On Fri, Jan 22, 2016 at 11:40 PM, Doug Barton <[hidden email]> wrote: