Discussion:
maxminddb support in 9.16
(too old to reply)
Denis
2020-05-21 07:38:41 UTC
Permalink
Hi,
I'm struggling go get geo access-lists working with actual libmaxminddb
support but can't do it right. Bind is compiled with the following options:

named -V
BIND 9.16.3 (Stable Release) <id:5ea41c1>
running on Linux x86_64 5.6.3-1.el7.elrepo.x86_64 #1 SMP Wed Apr 8 07:13:05
EDT 2020
built by make with defaults
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
*linked to maxminddb version: 1.2.0*
threads support is enabled

default paths:
named configuration: /usr/local/etc/named.conf
rndc configuration: /usr/local/etc/rndc.conf
DNSSEC root key: /usr/local/etc/bind.keys
nsupdate session key: /usr/local/var/run/named/session.key
named PID file: /usr/local/var/run/named/named.pid
named lock file: /usr/local/var/run/named/named.lock
*geoip-directory: /usr/share/GeoIP*

The geoip-directory contains Geolite2 databases:
ls /usr/share/GeoIP
GeoLite2-ASN.mmdb GeoLite2-City.mmdb GeoLite2-Country.mmdb

But when I try to generate acls the same way it was done with legacy
Maxmind databases:
acl us {
geoip country us;
}

I'm getting "no GeoIP database installed which can answer queries of type
'country'".
The documentation now shows that "BIND 9.16 supports v2 of the API but
these instructions have not been updated accordingly"
Can you share the instructions that should be used now?

Thank you,
Evan Hunt
2020-05-21 19:01:12 UTC
Permalink
Post by Denis
But when I try to generate acls the same way it was done with legacy
acl us {
geoip country us;
}
I'm getting "no GeoIP database installed which can answer queries of type
'country'".
Can you check whether the "geoip2" system test is passing?

- build BIND
- cd bin/tests/system
- sudo sh ifconfig.sh up
- sh run.sh geoip2

If the system test (which uses its own built-in database files) passes,
then I would guess the systemwide GeoIP database files either aren't where
named is looking for them, or are not readable.

If you check the named log, within the first few lines after the server
starts up there should be something like this:

21-May-2020 11:56:34.303 looking for GeoIP2 databases in '/usr/share/GeoIP'
21-May-2020 11:56:34.303 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-Country.mmdb'
21-May-2020 11:56:34.307 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-City.mmdb'
21-May-2020 11:56:34.307 opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-ASN.mmdb'
Post by Denis
The documentation now shows that "BIND 9.16 supports v2 of the API but
these instructions have not been updated accordingly"
Can you share the instructions that should be used now?
Which documentation says that? I don't remember it from the BIND doc...

Setting up ACLs should be largely unchanged, with the exception that a
couple of very infrequently used keywords like "areacode" and "netspeed"
became unavailable in the new API, and three-letter country codes are
now obsolete. "Country" is definitely still supported, and since you used
"us" rather than "usa" in your example, it should've worked.
--
Evan Hunt -- ***@isc.org
Internet Systems Consortium, Inc.
Denis
2020-05-21 19:52:36 UTC
Permalink
Thank you so much, a silly mistake as it always happens - I was injecting
the wrong binary via the systemd-unit.
Everything's fine now.

By "documentation" I meant the ISC's article -
https://kb.isc.org/docs/aa-01149
Post by Evan Hunt
Post by Denis
But when I try to generate acls the same way it was done with legacy
acl us {
geoip country us;
}
I'm getting "no GeoIP database installed which can answer queries of type
'country'".
Can you check whether the "geoip2" system test is passing?
- build BIND
- cd bin/tests/system
- sudo sh ifconfig.sh up
- sh run.sh geoip2
If the system test (which uses its own built-in database files) passes,
then I would guess the systemwide GeoIP database files either aren't where
named is looking for them, or are not readable.
If you check the named log, within the first few lines after the server
21-May-2020 11:56:34.303 looking for GeoIP2 databases in '/usr/share/GeoIP'
21-May-2020 11:56:34.303 opened GeoIP2 database
'/usr/share/GeoIP/GeoLite2-Country.mmdb'
21-May-2020 11:56:34.307 opened GeoIP2 database
'/usr/share/GeoIP/GeoLite2-City.mmdb'
21-May-2020 11:56:34.307 opened GeoIP2 database
'/usr/share/GeoIP/GeoLite2-ASN.mmdb'
Post by Denis
The documentation now shows that "BIND 9.16 supports v2 of the API but
these instructions have not been updated accordingly"
Can you share the instructions that should be used now?
Which documentation says that? I don't remember it from the BIND doc...
Setting up ACLs should be largely unchanged, with the exception that a
couple of very infrequently used keywords like "areacode" and "netspeed"
became unavailable in the new API, and three-letter country codes are
now obsolete. "Country" is definitely still supported, and since you used
"us" rather than "usa" in your example, it should've worked.
--
Internet Systems Consortium, Inc.
Evan Hunt
2020-05-21 21:08:16 UTC
Permalink
Post by Denis
Thank you so much, a silly mistake as it always happens - I was injecting
the wrong binary via the systemd-unit.
Everything's fine now.
By "documentation" I meant the ISC's article -
https://kb.isc.org/docs/aa-01149
Ah, thank you, I hadn't seen that.

The only thing I see in that article that's out of date is that
the "--with-geoip" option is no longer needed, or valid; it's
"--with-maxminddb" now, and it's enabled by default.
--
Evan Hunt -- ***@isc.org
Internet Systems Consortium, Inc.
Loading...