[rbldnsd] dsbl dump to bind config

Michael Tokarev rbldnsd@corpit.ru
Fri, 31 Oct 2003 19:01:24 +0300


nathan r. hruby wrote:
> Hi!
> 
> We're planning to use list.dsbl.org on one of our primary mail systems.  
> To help speed it up we were hoping to locally cache the blacklist in our 
> existing nameserver setup.  The last time we looked at dsbl there was a 
> bind-style config file, which was great because we could just load it into 
> our existing name servers.  Now they use rbldnsd format zone files.  I'm 

Yeah.  BIND zone files were too large, and require quite some time to
generate and quite some bandwidth and processing power to rsync...

Note that you can't "just use" bind-style datafile on your own nameserver:
the data should contain *your* list of nameservers, not DSBL's.

> trying to use the -d option to rbldnsd to dump the zone into something 
> bind can understand.  The command I'm using is this:
> 
> rbldnsd -d list.dsbl.org:ip4set:list.dsbl.org-rbldnsd > dsbl-bind
> 
> What gets output looks correct, but when I load it into bind-9 it seems to 
> reject the zone with the following error:
> 	named[28411]: zone list.dsbl.org/IN: has no NS records

Yes.  BIND requires NS records to be present.  Since there are no NS
records in rbldns-*dsbl.org files, rbldnsd can't generate them.  In
principle, I may modify rbldnsd to issue a warning message in such
incomplete-bind-zone cases.

The workaround using *this* method is to create a small file with
NS records - *your* NS records in it and combine two files - your
one and the one retrieved from DSBL:

File "ns" contains the following:
---cut---
$NS 2d ns1.example.com
$NS 2d ns2.example.com
...
---cut---
(use your nameserver(s) there), and the command line is:

  rbldnsd -d list.dsbl.org:ip4set:rbldns-list.dsbl.org,ns > dsbl-bind

This way, rbldnsd will get list of nameservers from your data,
and the rest from dsbl file (note the file is rbldns-list.dsbl.org,
not list.dsbl.org-rbldnsd).

But you don't need rbldnsd or whatever to do this conversion.
The format of file as published by DSBL.org is *trivial*, and
a one-line perl, awk or even sed script will do the work just
fine, and faster.

  perl -e 'print "@ SOA ...\n\tNS...\n";
   while(<>) {
    print "$4.$3.$2.$1 A 127.0.0.2\n\tTXT \"http://dsbl.org/listing?ip=$1.$2.$3.$4\"\n"
     if /^(\d+)\.(\d+)\.(\d+)\.(\d+)/;
   }'  rbldns-list.dsbl.org > dsbl-bind

See http://dsbl.org/cgi-bin/ezmlm-browse.cgi?command=showmsg&list=dsbl-discussion&month=200310&msgnum=1118&threadid=cpdpnmebgpnnedcbjhgp
for more examples.

[]
> Queries to the zone just result in SERVFAIL responses :(  I'm not really 

Sure: BIND will refuse to serve an incomplete (from its point of view) zone.

> sure if I'm doing this right, does that command look ok?  Shouldn't this 
> work?  Our old reference bind style dsbl list works just happily on other 
> DNS servers and the setup is exactly the same, so I'm leaning toward the 
> newly dumped zonefile as a culprit.

..and BIND already told you the reason.

> I know that the recommendation would be to use rbldnsd on localhost:5353
> and have a forward entry for bind to point at the local rbldnsd.  I'd like

Why port 5353? ;)

> to not have to do that for simplicity's sake (the other admins would get
> confused easily :) and the fact that our other blacklist (spamhaus's SBL)
> is currently living in bind and is bind formatted (if there's a way/script
> to stick the SBL into rbldnsd, I'd probably be happier to use it then :)  

Well.. I don't know whether SBL published their data in other formats.

> Also our DNS servers have plenty of horsepower (dual 1.2GHz p3's w/2GB
> RAM), just for this sort of thing, so I'm not really worried about wasting
> CPU/memory - these machines just run DNS and NTP.

Hey, gimme one of those machines, and I'll set another machine for you,
say, 100MHz i486 with 64Mb RAM, that will be faster than your current
setup... ;)

/mjt
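The conversion described in the reply above, written out as an added Python example (it is not part of the list post and not rbldnsd's own code). It reads a constructed ip4set-style file, supplies the NS records that BIND insists on from the caller's side (the nameservers, SOA contact and serial are assumed placeholders, as in the "ns" file of the reply), reverses the octets for the owner names, and emits A and TXT records, replacing `$` in the TXT template with the listed address. It understands only a small subset of the ip4set grammar: `#` comments, a `:value:text` default line, a per-entry `:value:text` override, and CIDR prefixes of /24 or longer; refusing shorter prefixes is this example's choice to keep the zone bounded, not a property of rbldnsd.

```python
"""Convert an rbldnsd ip4set file into a BIND-loadable zone (added example)."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample input in rbldnsd ip4set style; not real DSBL data.
SAMPLE_IP4SET = """\
# constructed sample, not real DSBL data
:2:http://dsbl.org/listing?ip=$
192.0.2.1
198.51.100.7 :4:constructed per-entry override for $
203.0.113.0/30
"""

# Assumed nameservers and SOA contact; replace with your own, as the reply says.
NAMESERVERS = ["ns1.example.com.", "ns2.example.com."]
SOA_CONTACT = "hostmaster.example.com."

# address, optionally followed by whitespace and a ":value:text" override
ENTRY_RE = re.compile(r"^(\S+)(?:\s+:([^:]*):(.*))?$")


def a_value(value: str) -> str:
    """A bare last octet such as '2' is short for 127.0.0.2; full quads pass through."""
    return value if "." in value else f"127.0.0.{value}"


def reverse_octets(ip: str) -> str:
    """192.0.2.1 -> 1.2.0.192, the owner name a DNSBL zone uses for that address."""
    return ".".join(reversed(ip.split(".")))


def expand(entry: str) -> List[str]:
    """Expand a.b.c.d or a.b.c.d/N into individual addresses.

    Prefixes shorter than /24 are refused so a stray /8 cannot turn into
    sixteen million records; this limit is the example's, not rbldnsd's.
    """
    net = ipaddress.ip_network(entry, strict=False)
    if net.prefixlen < 24:
        raise ValueError(f"refusing to expand {entry}: prefix shorter than /24")
    return [str(addr) for addr in net]


def parse_ip4set(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, a_value, txt) triples.

    A ':value:text' line sets the default for the entries that follow it;
    an entry may carry its own ':value:text' override after the address.
    """
    default_a, default_txt = "127.0.0.2", ""
    out: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            _, value, txt = line.split(":", 2)  # keep colons inside the URL intact
            default_a, default_txt = a_value(value), txt
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsable ip4set line: {raw!r}")
        entry, value, txt = m.groups()
        a = a_value(value) if value is not None else default_a
        t = txt if txt is not None else default_txt
        for ip in expand(entry):
            out.append((ip, a, t.replace("$", ip)))
    return out


def build_zone(text: str, nameservers: Iterable[str], serial: str,
               contact: str = SOA_CONTACT, ttl: str = "2d") -> str:
    """Emit a BIND master zone for the ip4set data.

    The NS records are exactly what the DSBL file lacks and what BIND
    refuses to serve without, so they always come from the caller.
    """
    ns = list(nameservers)
    if not ns:
        raise ValueError("a BIND zone needs at least one NS record")
    lines = [f"$TTL {ttl}",
             f"@ IN SOA {ns[0]} {contact} {serial} 3600 900 604800 {ttl}"]
    lines += [f"@ IN NS {n}" for n in ns]
    for ip, a, txt in parse_ip4set(text):
        owner = reverse_octets(ip)
        lines.append(f"{owner} IN A {a}")
        if txt:
            lines.append(f'{owner} IN TXT "{txt.replace(chr(34), chr(92) + chr(34))}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed serial; in practice derive it from the date of the DSBL snapshot.
    print(build_zone(SAMPLE_IP4SET, NAMESERVERS, "2003103101"), end="")
```

The output loads as an ordinary master zone for list.dsbl.org. Because the NS names are a required argument and an empty list is rejected before any record is written, the "has no NS records" error that started the thread cannot be produced by this path.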