[rbldnsd] dsbl dump to bind config

nathan r. hruby rbldnsd@corpit.ru
Fri, 31 Oct 2003 12:26:04 -0500 (EST)

On Fri, 31 Oct 2003, Michael Tokarev wrote:

> nathan r. hruby wrote:
> Note that you can't "just use" bind-style datafile on your own nameserver:
> the data should contain *your* list of nameservers, not DSBL's.

Ahhh!  Enlightenment!

> > trying to use the -d option to rbldnsd to dump the zone into something 
> > bind can understand.  The command I'm using is this:
> > 
> > rbldnsd -d list.dsbl.org:ip4set:list.dsbl.org-rbldnsd > dsbl-bind
> > 
> > What gets output looks correct, but when I load it into bind-9 it seems to 
> > reject the zone with the following error:
> > 	named[28411]: zone list.dsbl.org/IN: has no NS records
> Yes.  BIND requires NS records to be present.  Since there's no NS
> records in rbldns-*dsbl.org files, rbldnsd can't generate them.  In
> principle, i may modify rbldnsd to issue a warning message in such
> incomplete-bind-zone cases.

That'd be nice for the braindead like myself ;-)

> The workaround using *this* method is to create a small file with
> NS records - *your* NS records in it and combine two files - your
> one and the one retrieved from DSBL:
> File "ns" contains the following:
> ---cut---
> $NS 2d ns1.example.com
> $NS 2d ns2.example.com
> ...
> ---cut---
> (use your nameserver(s) there), and the command line is:
>   rbldnsd -d list.dsbl.org:ip4set:rbldns-list.dsbl.org,ns > dsbl-bind
> This way, rbldnsd will get list of nameservers from your data,
> and the rest from dsbl file (note the file is rbldns-list.dsbl.org,
> not list.dsbl.org-rbldnsd).

Ha!  Wonderful!  On our system, we call it list.dsbl.org-rbldnsd to denote 
the format so people don't get confused, which is easy to do at 3AM when 
something has gone "Horribly Wrong" <TM> and you haven't played with the 
dns box in a month and a half :)

> But you don't need rbldnsd or whatever to do this conversion.
> The format of file as published by DSBL.org is *trivial*, and
> a one-line perl, awk or even sed script will do the work just
> fine, and faster.
>   perl -e 'print "@ SOA ...\n\tNS...\n";
>    while(<>) {
>     print "$4.$3.$2.$1 A\n\tTXT \"http://dsbl.org/listing?ip=$1.$2.$3.$4\"\n"
>      if /^(\d+)\.(\d+)\.(\d+)\.(\d+)/;
>    }'  rbldns-list.dsbl.org > dsbl-bind
> See http://dsbl.org/cgi-bin/ezmlm-browse.cgi?command=showmsg&list=dsbl-discussion&month=200310&msgnum=1118&threadid=cpdpnmebgpnnedcbjhgp
> for more examples.

Hmm.. Nifty.  I think I'll keep dumping with rbldnsd for a while just to 
get it installed and when / if the SBL becomes available we'll fire it 

> > to not have to do that for simplicity's sake (the other admins would get
> > confused easily :) and the fact that our other blacklist (spamhaus's SBL)
> > is currently living in bind and is bind formatted (if there's a way/script
> > to stick the SBL into rbldnsd, I'd probably be happier to use it then :)  
> Well.. i don't know whenever SBL published their data in other formats.

I was hoping someone may have a conversion script.  The goal is to keep 
everything consistent.


nathan hruby <nhruby@uga.edu>
uga enterprise information technology services
production systems support
metaphysically wrinkle-free