in-view RPZ definitions

Lannar Dean ldd at rgnets.com
Fri Nov 10 22:24:59 UTC 2023


This is a continuation of a very old thread from this mailing list found
here:
https://groups.google.com/g/comp.protocols.dns.bind/c/nAHtXSDcDl4?pli=1

It appears that what I'm attempting to do did not work at the time of this
thread 8 years ago, but I'm wondering if anything has changed by now.

I am attempting to use views to offer different configurations of RPZ
filtering to different subsets of my user population.  My original approach
was having multiple named processes running on different ports, with PF
redirecting port 53 to the appropriate port based on the user's source IP.

Some of my RPZ zones are quite large, and if the same zone records exist
for multiple configurations, this means loading a lot of the same data into
multiple processes, resulting in long startup times and very high memory
utilization.  So I wanted to use views to reduce named to a single process,
and define RPZ zones that can be shared among multiple views using the
"in-view" config.

I'm attempting to use a config like the following:

view Child {
  match-clients { Child; };
  allow-recursion { any; };
  response-policy { zone "cf1"; zone "cf2"; };
  zone "cf1" {
      type master;
      file "cf1";
  };
  zone "cf2" {
      type master;
      file "cf2";
  };
};

view Teen {
  match-clients { Teen; };
  allow-recursion { any; };
  response-policy { zone "cf1"; };
  zone "cf1" {
    in-view Child;
  };
};

Since the rpz for cf1 is large, I want to only have to load/keep a single
copy of it in memory and reference it from both the Child and Teen views.
However, the above configuration gives me the error:
response-policy zone 'cf1' for view B is not a master or slave zone

If I add "type master;" to the cf1 zone in view B, I get
zone 'cf1': 'in-view' used with incompatible zone options

So it appears my goal is still not achievable, unless I'm missing
something.  Is there some other mechanism to achieve this end result
(sharing some zones between different user populations without loading
multiple copies of the zone into memory)?

I am currently running BIND 9.16.44 by the way.

Thanks for any advice!
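A pre-flight check for the configuration pattern in this post, added here as an example and not part of the original message or of BIND: it parses a simplified named.conf fragment and reports response-policy zones that a view does not itself define as master/slave (the condition named rejects with "not a master or slave zone"). The sample fragment and the regex-based parser are constructed for this example and assume the one-view-per-`view` block layout shown above, not full named.conf grammar.

```python
import re

# Constructed sample: the two-view fragment from the post, used only as
# checker input (it is the configuration named rejects, not a working one).
SAMPLE_CONF = """
view Child {
  match-clients { Child; };
  response-policy { zone "cf1"; zone "cf2"; };
  zone "cf1" { type master; file "cf1"; };
  zone "cf2" { type master; file "cf2"; };
};
view Teen {
  match-clients { Teen; };
  response-policy { zone "cf1"; };
  zone "cf1" { in-view Child; };
};
"""

# Simplified grammar: a view block ends at a line starting with "};".
VIEW_RE = re.compile(r'view\s+"?(\w+)"?\s*\{(.*?)\n\};', re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
RPZ_RE = re.compile(r'response-policy\s*\{([^}]*)\}', re.S)
TYPE_RE = re.compile(r'\btype\s+(master|slave|primary|secondary)\b')

def parse_views(conf):
    """Return {view: {"rpz": [zone names], "zones": {name: zone body}}}."""
    views = {}
    for name, body in VIEW_RE.findall(conf):
        rpz = []
        m = RPZ_RE.search(body)
        if m:
            rpz = re.findall(r'zone\s+"([^"]+)"', m.group(1))
        zones = {z: zbody for z, zbody in ZONE_RE.findall(body)}
        views[name] = {"rpz": rpz, "zones": zones}
    return views

def find_rpz_problems(conf):
    """List (view, zone, reason) for every response-policy zone that the
    view does not define locally as master/slave, e.g. an in-view reference."""
    problems = []
    for view, info in parse_views(conf).items():
        for z in info["rpz"]:
            body = info["zones"].get(z, "")
            if TYPE_RE.search(body):
                continue
            reason = "defined via in-view" if "in-view" in body else "not defined in view"
            problems.append((view, z, reason))
    return problems

if __name__ == "__main__":
    for view, zone, reason in find_rpz_problems(SAMPLE_CONF):
        print(f"view {view}: response-policy zone '{zone}' {reason}")
```

Running the check on the fragment flags only the Teen view's cf1 reference, matching the error the post reports.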