maxminddb support in 9.16

maxminddb support in 9.16

Denis
Hi,
I'm struggling to get geo access-lists working with actual libmaxminddb support but can't do it right. Bind is compiled with the following options:

named -V
BIND 9.16.3 (Stable Release) <id:5ea41c1>
running on Linux x86_64 5.6.3-1.el7.elrepo.x86_64 #1 SMP Wed Apr 8 07:13:05 EDT 2020
built by make with defaults
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
linked to maxminddb version: 1.2.0
threads support is enabled

default paths:
  named configuration:  /usr/local/etc/named.conf
  rndc configuration:   /usr/local/etc/rndc.conf
  DNSSEC root key:      /usr/local/etc/bind.keys
  nsupdate session key: /usr/local/var/run/named/session.key
  named PID file:       /usr/local/var/run/named/named.pid
  named lock file:      /usr/local/var/run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

The geoip-directory contains Geolite2 databases:
ls /usr/share/GeoIP
GeoLite2-ASN.mmdb  GeoLite2-City.mmdb  GeoLite2-Country.mmdb

But when I try to generate acls the same way it was done with legacy Maxmind databases:
acl us {
      geoip country us;
}

I'm getting "no GeoIP database installed which can answer queries of type 'country'".
The documentation now shows that "BIND 9.16 supports v2 of the API but these instructions have not been updated accordingly".
Can you share the instructions that should be used now?

Thank you,


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: maxminddb support in 9.16

Evan Hunt
On Thu, May 21, 2020 at 10:38:41AM +0300, Denis wrote:
> But when I try to generate acls the same way it was done with legacy
> Maxmind databases:
> acl us {
>       geoip country us;
> }
>
> I'm getting "no GeoIP database installed which can answer queries of type
> 'country'".

Can you check whether the "geoip2" system test is passing?

- build BIND
- cd bin/tests/system
- sudo sh ifconfig.sh up
- sh run.sh geoip2

If the system test (which uses its own built-in database files) passes,
then I would guess the systemwide GeoIP database files either aren't where
named is looking for them, or are not readable.

If you check the named log, within the first few lines after the server
starts up there should be something like this:

21-May-2020 11:56:34.303 looking for GeoIP2 databases in '/usr/share/GeoIP'
21-May-2020 11:56:34.303 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-Country.mmdb'
21-May-2020 11:56:34.307 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-City.mmdb'
21-May-2020 11:56:34.307 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-ASN.mmdb'

> The documentation now shows that  "BIND 9.16 supports v2 of the API but
> these instructions have not been updated accordingly"
> Can you share the instructions that should be used now?

Which documentation says that? I don't remember it from the BIND doc...

Setting up ACLs should be largely unchanged, with the exception that a
couple of very infrequently used keywords like "areacode" and "netspeed"
became unavailable in the new API, and three-letter country codes are
now obsolete. "Country" is definitely still supported, and since you used
"us" rather than "usa" in your example, it should've worked.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.
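
[Added example, not part of the original thread and not ISC code: a small shell helper that applies the two checks discussed above to the `named -V` output and the startup log. The function names and result strings are hypothetical; the sample inputs are constructed from the output quoted in this thread.]

```shell
#!/bin/sh
# Triage for "no GeoIP database installed which can answer queries of
# type 'country'": is this binary linked to libmaxminddb, and did it
# open a Country database at startup?

# Print the geoip-directory reported in `named -V` output ($1).
geoip_dir() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*geoip-directory:[[:space:]]*//p'
}

# Succeed if the `named -V` output ($1) shows a libmaxminddb-linked binary.
has_maxminddb() {
    printf '%s\n' "$1" | grep -q '^linked to maxminddb version:'
}

# Print the file name of every database the named log ($1) reports opened.
opened_dbs() {
    printf '%s\n' "$1" |
        sed -n "s|.*opened GeoIP2 database '.*/\([^/']*\)'.*|\1|p"
}

# Diagnose from two texts: $1 = `named -V` output, $2 = startup log.
diagnose() {
    if ! has_maxminddb "$1"; then
        echo "binary-not-linked-to-maxminddb"
    elif ! opened_dbs "$2" | grep -q 'Country\.mmdb$'; then
        echo "country-db-not-opened-in:$(geoip_dir "$1")"
    else
        echo "ok"
    fi
}

# Constructed sample input, abbreviated from the output quoted in the thread.
SAMPLE_V='BIND 9.16.3 (Stable Release) <id:5ea41c1>
linked to maxminddb version: 1.2.0
  geoip-directory:      /usr/share/GeoIP'

SAMPLE_LOG="21-May-2020 11:56:34.303 looking for GeoIP2 databases in '/usr/share/GeoIP'
21-May-2020 11:56:34.303 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-Country.mmdb'"

diagnose "$SAMPLE_V" "$SAMPLE_LOG"
```

For real use, pass the `named -V` output of the binary that the service unit actually starts, and the first lines of that process's log after startup.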
Re: maxminddb support in 9.16

Denis
Thank you so much, a silly mistake as it always happens - I was injecting the wrong binary via the systemd-unit.
Everything's fine now.

By "documentation" I meant the ISC's article - https://kb.isc.org/docs/aa-01149


Re: maxminddb support in 9.16

Evan Hunt
On Thu, May 21, 2020 at 10:52:36PM +0300, Denis wrote:
> Thank you so much, a silly mistake as it always happens - I was injecting
> the wrong binary via the systemd-unit.
> Everything's fine now.
>
> By "documentation" I meant the ISC's article -
> https://kb.isc.org/docs/aa-01149

Ah, thank you, I hadn't seen that.

The only thing I see in that article that's out of date is that
the "--with-geoip" option is no longer needed, or valid; it's
"--with-maxminddb" now, and it's enabled by default.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.