BIND-9.10.2-P4: Cannot use in-view to refer to RPZ zone definitions: "'$RPZ_ZONE' is not a master or slave zone"

Lannar Dean ldd at rgnets.com
Fri Nov 10 19:09:12 UTC 2023


I know this is an incredibly old thread, but I was wondering if there has been any progress on this topic within the last 8 years. 

I am attempting to use views to offer different configurations of RPZ filtering to different subsets of the user population.  My original approach was having multiple named processes running on different ports, with PF redirecting port 53 to the appropriate port based on the user's source IP. 

Some of my RPZ zones are quite large, and if the same zone records exist for multiple configurations, this means loading a lot of the same data into multiple processes, resulting in long startup times and very high memory utilization.  So I wanted to use views to reduce named to a single process, and define RPZ zones that can be shared among multiple views using the "in-view" config.

I'm using a config like the following:

view Child {
  match-clients { Child; };
  allow-recursion { any; };
  response-policy { zone "cf1"; zone "cf2"; };
  zone "cf1" {
    type master;
    file "cf1";
  };
  zone "cf2" {
    type master;
    file "cf2";
  };
};

view Teen {
  match-clients { Teen; };
  allow-recursion { any; };
  response-policy { zone "cf1"; };
  zone "cf1" {
    in-view Child;
  };
};

Since the RPZ for cf1 is large, I want to only have to load/keep a single copy of it in memory and reference it from both the Child and Teen views.  However, the above configuration gives me the error:
response-policy zone 'cf1' for view B is not a master or slave zone

If I add "type master;" to the cf1 zone in view B, I get
zone 'cf1': 'in-view' used with incompatible zone options

So it appears my goal is still not achievable, unless I'm missing something.  Is there some other mechanism to achieve this end result (sharing zones between different user populations without loading multiple copies of the zone into memory)?

I am currently running BIND 9.16.44, by the way.

Thanks for any advice!

