• maxminddb support in 9.16

    From Denis@mixair@gmail.com to bind-users on Thu May 21 10:38:41 2020
    From Newsgroup: comp.protocols.dns.bind

    Hi,
    I'm struggling to get geo access-lists working with actual libmaxminddb
    support but can't do it right. Bind is compiled with the following options:

    named -V
    BIND 9.16.3 (Stable Release) <id:5ea41c1>
    running on Linux x86_64 5.6.3-1.el7.elrepo.x86_64 #1 SMP Wed Apr 8 07:13:05
    EDT 2020
    built by make with defaults
    compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
    compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
    linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
    compiled with libxml2 version: 2.9.1
    linked to libxml2 version: 20901
    compiled with json-c version: 0.11
    linked to json-c version: 0.11
    compiled with zlib version: 1.2.7
    linked to zlib version: 1.2.7
    *linked to maxminddb version: 1.2.0*
    threads support is enabled

    default paths:
    named configuration: /usr/local/etc/named.conf
    rndc configuration: /usr/local/etc/rndc.conf
    DNSSEC root key: /usr/local/etc/bind.keys
    nsupdate session key: /usr/local/var/run/named/session.key
    named PID file: /usr/local/var/run/named/named.pid
    named lock file: /usr/local/var/run/named/named.lock
    *geoip-directory: /usr/share/GeoIP*

    The geoip-directory contains Geolite2 databases:
    ls /usr/share/GeoIP
    GeoLite2-ASN.mmdb GeoLite2-City.mmdb GeoLite2-Country.mmdb

    But when I try to generate acls the same way it was done with legacy
    Maxmind databases:
    acl us {
    geoip country us;
    }

    I'm getting "no GeoIP database installed which can answer queries of type 'country'".
    The documentation now shows that "BIND 9.16 supports v2 of the API but
    these instructions have not been updated accordingly"
    Can you share the instructions that should be used now?

    Thank you,

    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Evan Hunt@each@isc.org to Denis on Thu May 21 19:01:12 2020
    From Newsgroup: comp.protocols.dns.bind

    On Thu, May 21, 2020 at 10:38:41AM +0300, Denis wrote:
    > But when I try to generate acls the same way it was done with legacy
    > Maxmind databases:
    > acl us {
    > geoip country us;
    > }
    >
    > I'm getting "no GeoIP database installed which can answer queries of type 'country'".

    Can you check whether the "geoip2" system test is passing?

    - build BIND
    - cd bin/tests/system
    - sudo sh ifconfig.sh up
    - sh run.sh geoip2

    If the system test (which uses its own built-in database files) passes,
    then I would guess the systemwide GeoIP database files either aren't where named is looking for them, or are not readable.

    If you check the named log, within the first few lines after the server
    starts up there should be something like this:

    21-May-2020 11:56:34.303 looking for GeoIP2 databases in '/usr/share/GeoIP'
    21-May-2020 11:56:34.303 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-Country.mmdb'
    21-May-2020 11:56:34.307 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-City.mmdb'
    21-May-2020 11:56:34.307 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-ASN.mmdb'

    > The documentation now shows that "BIND 9.16 supports v2 of the API but
    > these instructions have not been updated accordingly"
    > Can you share the instructions that should be used now?

    Which documentation says that? I don't remember it from the BIND doc...

    Setting up ACLs should be largely unchanged, with the exception that a
    couple of very infrequently used keywords like "areacode" and "netspeed"
    became unavailable in the new API, and three-letter country codes are
    now obsolete. "Country" is definitely still supported, and since you used
    "us" rather than "usa" in your example, it should've worked.

    --
    Evan Hunt -- each@isc.org
    Internet Systems Consortium, Inc.
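
The two checks suggested in the reply above (are the database files present and readable, and did named log that it opened them), as an added example that is not part of the original thread. The database names and log wording are the ones quoted in the thread; the function names and status words are made up for this sketch.

```shell
#!/bin/sh
# Added example: cross-check a geoip-directory against named's startup log.
# Run it as the account named runs under, because "-r" tests readability
# for the current user only.

# check_geoip_db DIR LOGFILE DBNAME -> prints one status word:
#   missing | unreadable | not-opened | ok
check_geoip_db() {
    dir=$1 log=$2 db=$3
    path="$dir/$db"
    if [ ! -e "$path" ]; then
        echo missing
    elif [ ! -r "$path" ]; then
        echo unreadable
    elif ! grep -F -q "opened GeoIP2 database '$path'" "$log" 2>/dev/null; then
        # File is fine on disk but this named process never opened it,
        # e.g. a different binary or a different geoip-directory is in use.
        echo not-opened
    else
        echo ok
    fi
}

# geoip_report DIR LOGFILE -> one "db: status" line per database;
# returns non-zero if any database is not "ok".
geoip_report() {
    rc=0
    for db in GeoLite2-Country.mmdb GeoLite2-City.mmdb GeoLite2-ASN.mmdb; do
        status=$(check_geoip_db "$1" "$2" "$db")
        echo "$db: $status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# named_searched_dir LOGFILE -> directory named last reported searching.
named_searched_dir() {
    sed -n "s/.*looking for GeoIP2 databases in '\(.*\)'.*/\1/p" "$1" | tail -n 1
}

# Usage: sh thisfile /usr/share/GeoIP /path/to/named.log
if [ "$#" -eq 2 ]; then
    echo "named searched: $(named_searched_dir "$2")"
    geoip_report "$1" "$2"
fi
```

A `not-opened` result with files that are present and readable points away from the databases and toward which named binary or configuration actually started.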
  • From Denis@mixair@gmail.com to Evan Hunt on Thu May 21 22:52:36 2020
    From Newsgroup: comp.protocols.dns.bind

    Thank you so much, a silly mistake as it always happens - I was injecting
    the wrong binary via the systemd-unit.
    Everything's fine now.

    By "documentation" I meant the ISC's article -
    https://kb.isc.org/docs/aa-01149


    On Thu, May 21, 2020 at 10:01 PM Evan Hunt <each@isc.org> wrote:

    > On Thu, May 21, 2020 at 10:38:41AM +0300, Denis wrote:
    > > But when I try to generate acls the same way it was done with legacy Maxmind databases:
    > > acl us {
    > > geoip country us;
    > > }
    > >
    > > I'm getting "no GeoIP database installed which can answer queries of type 'country'".
    >
    > Can you check whether the "geoip2" system test is passing?
    >
    > - build BIND
    > - cd bin/tests/system
    > - sudo sh ifconfig.sh up
    > - sh run.sh geoip2
    >
    > If the system test (which uses its own built-in database files) passes,
    > then I would guess the systemwide GeoIP database files either aren't where named is looking for them, or are not readable.
    >
    > If you check the named log, within the first few lines after the server starts up there should be something like this:
    >
    > 21-May-2020 11:56:34.303 looking for GeoIP2 databases in '/usr/share/GeoIP'
    > 21-May-2020 11:56:34.303 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-Country.mmdb'
    > 21-May-2020 11:56:34.307 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-City.mmdb'
    > 21-May-2020 11:56:34.307 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-ASN.mmdb'
    >
    > > The documentation now shows that "BIND 9.16 supports v2 of the API but these instructions have not been updated accordingly"
    > > Can you share the instructions that should be used now?
    >
    > Which documentation says that? I don't remember it from the BIND doc...
    >
    > Setting up ACLs should be largely unchanged, with the exception that a
    > couple of very infrequently used keywords like "areacode" and "netspeed" became unavailable in the new API, and three-letter country codes are
    > now obsolete. "Country" is definitely still supported, and since you used "us" rather than "usa" in your example, it should've worked.
    >
    > --
    > Evan Hunt -- each@isc.org
    > Internet Systems Consortium, Inc.


  • From Evan Hunt@each@isc.org to Denis on Thu May 21 21:08:16 2020
    From Newsgroup: comp.protocols.dns.bind

    On Thu, May 21, 2020 at 10:52:36PM +0300, Denis wrote:
    > Thank you so much, a silly mistake as it always happens - I was injecting
    > the wrong binary via the systemd-unit.
    > Everything's fine now.
    >
    > By "documentation" I meant the ISC's article - https://kb.isc.org/docs/aa-01149

    Ah, thank you, I hadn't seen that.

    The only thing I see in that article that's out of date is that
    the "--with-geoip" option is no longer needed, or valid; it's "--with-maxminddb" now, and it's enabled by default.

    --
    Evan Hunt -- each@isc.org
    Internet Systems Consortium, Inc.