[master] add geoip support

3504. [func] Add support for ACLs based on geographic location, using MaxMind GeoIP databases. Based on code contributed by Ken Brownfield <kb@slide.com>. [RT #30681]

[master] add geoip support
3504. [func] Add support for ACLs based on geographic location, using MaxMind GeoIP databases. Based on code contributed by Ken Brownfield <kb@slide.com>. [RT #30681]
501941f0 · Evan Hunt · dad65f7c · 501941f0 · 501941f0 · 501941f0
Commit 501941f0 authored Feb 27, 2013 by Evan Hunt
66 changed files
--- a/CHANGES
+++ b/CHANGES
+3504.	[func]		Add support for ACLs based on geographic location,
+			using MaxMind GeoIP databases. Based on code
+			contributed by Ken Brownfield <kb@slide.com>.
+			[RT #30681]
+			
 3503.	[doc]		Clarify size_spec syntax. [RT #32449]

 3502.	[func]		zone-statistics: "no" is now a synonym for "none",

--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -82,7 +82,7 @@ SUBDIRS =	unix
 TARGETS =	named@EXEEXT@ lwresd@EXEEXT@

 OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
-		controlconf.@O@ interfacemgr.@O@ \
+		controlconf.@O@ geoip.@O@ interfacemgr.@O@ \
 		listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
 		query.@O@ server.@O@ sortlist.@O@ statschannel.@O@ \
 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
@@ -96,7 +96,7 @@ UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
 SYMOBJS =	symtbl.@O@

 SRCS =		builtin.c client.c config.c control.c \
-		controlconf.c interfacemgr.c \
+		controlconf.c geoip.c interfacemgr.c \
 		listenlist.c log.c logconf.c main.c notify.c \
 		query.c server.c sortlist.c statschannel.c symtbl.c symtbl-empty.c \
 		tkeyconf.c tsigconf.c update.c xfrout.c \

--- a/bin/named/geoip.c
+++ b/bin/named/geoip.c
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#ifdef HAVE_GEOIP
+#include <named/log.h>
+#include <named/geoip.h>
+
+#include <dns/geoip.h>
+
+#include <GeoIP.h>
+
+static dns_geoip_databases_t geoip_table = {
+	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+};
+
+static void
+init_geoip_db(GeoIP **dbp, GeoIPDBTypes edition,
+	      GeoIPOptions method, const char *name)
+{
+	char *info;
+	GeoIP *db;
+
+	REQUIRE(dbp != NULL);
+
+	db = *dbp;
+
+	if (db != NULL) {
+		GeoIP_delete(db);
+		db = *dbp = NULL;
+	}
+
+	if (! GeoIP_db_avail(edition)) {
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			"GeoIP %s DB not available", name);
+		return;
+	}
+
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+		"initializing GeoIP %s DB", name);
+
+	db = GeoIP_open_type(edition, method);
+	if (db == NULL) {
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			"failed to initialize GeoIP %s DB; "
+			"geoip matches using this database will fail",
+			name);
+		return;
+	}
+
+	info = GeoIP_database_info(db);
+	if (info != NULL)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "%s", info);
+
+	*dbp = db;
+}
+
+static GeoIPDBTypes
+choose_rev(GeoIPDBTypes primary, GeoIPDBTypes secondary, const char *name) {
+	if (GeoIP_db_avail(primary))
+		return (primary);
+	if (GeoIP_db_avail(secondary))
+		return (secondary);
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+		"GeoIP %s DB: neither revision available", name);
+	return (0);
+}
+#endif /* HAVE_GEOIP */
+
+void
+ns_geoip_init(void) {
+#ifndef HAVE_GEOIP
+	return;
+#else
+	if (ns_g_geoip == NULL)
+		ns_g_geoip = &geoip_table;
+#endif
+}
+
+void
+ns_geoip_load(char *dir) {
+#ifndef HAVE_GEOIP
+	return;
+#else
+	GeoIPOptions method;
+	GeoIPDBTypes edition;
+
+#ifdef _WIN32
+	method = GEOIP_STANDARD;
+#else
+	method = GEOIP_MMAP_CACHE;
+#endif
+
+	ns_geoip_init();
+	if (dir != NULL) {
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "using \"%s\" as GeoIP directory", dir);
+		GeoIP_setup_custom_directory(dir);
+	}
+
+	init_geoip_db(&ns_g_geoip->country_v4, GEOIP_COUNTRY_EDITION,
+		      method, "Country (IPv4)");
+#ifdef HAVE_GEOIP_V6
+	init_geoip_db(&ns_g_geoip->country_v6, GEOIP_COUNTRY_EDITION_V6,
+		      method, "Country (IPv6)");
+#endif
+
+	edition = choose_rev(GEOIP_CITY_EDITION_REV0,
+			     GEOIP_CITY_EDITION_REV1, "City (IPv4)");
+	if (edition != 0)
+		init_geoip_db(&ns_g_geoip->city_v4, edition,
+			      method, "City (IPv4)");
+#if defined(HAVE_GEOIP_V6) && defined(HAVE_GEOIP_CITY_V6)
+	edition = choose_rev(GEOIP_CITY_EDITION_REV0_V6,
+			     GEOIP_CITY_EDITION_REV1_V6, "City (IPv6)");
+	if (edition != 0)
+		init_geoip_db(&ns_g_geoip->city_v6, edition,
+			      method, "City (IPv6)");
+#endif
+
+
+	edition = choose_rev(GEOIP_REGION_EDITION_REV0,
+			     GEOIP_REGION_EDITION_REV1, "Region");
+	if (edition != 0)
+		init_geoip_db(&ns_g_geoip->region, edition, method, "Region");
+
+	init_geoip_db(&ns_g_geoip->isp, GEOIP_ISP_EDITION,
+		      method, "ISP");
+	init_geoip_db(&ns_g_geoip->org, GEOIP_ORG_EDITION,
+		      method, "Org");
+	init_geoip_db(&ns_g_geoip->as, GEOIP_ASNUM_EDITION,
+		      method, "AS");
+	init_geoip_db(&ns_g_geoip->domain, GEOIP_DOMAIN_EDITION,
+		      method, "Domain");
+	init_geoip_db(&ns_g_geoip->netspeed, GEOIP_NETSPEED_EDITION,
+		      method, "NetSpeed");
+#endif /* HAVE_GEOIP */
+}
--- a/bin/named/include/named/geoip.h
+++ b/bin/named/include/named/geoip.h
+#ifndef _GEOIP_H
+#define _GEOIP_H
+
+#ifdef HAVE_GEOIP
+#include <GeoIP.h>
+#include <GeoIPCity.h>
+
+void ns_geoip_init(void);
+void ns_geoip_load(char *dir);
+
+extern dns_geoip_databases_t *ns_g_geoip;
+
+#endif /* HAVE_GEOIP */
+#endif
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -29,6 +29,7 @@
 #include <isccfg/aclconf.h>
 #include <isccfg/cfg.h>

+#include <dns/acl.h>
 #include <dns/zone.h>

 #include <dst/dst.h>
@@ -161,6 +162,10 @@ EXTERN isc_boolean_t		ns_g_noaa		INIT(ISC_FALSE);
 EXTERN unsigned int		ns_g_delay		INIT(0);
 EXTERN isc_boolean_t		ns_g_nonearest		INIT(ISC_FALSE);

+#ifdef HAVE_GEOIP
+EXTERN dns_geoip_databases_t	*ns_g_geoip		INIT(NULL);
+#endif
+
 #undef EXTERN
 #undef INIT


--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -106,6 +106,9 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	result = dns_aclenv_init(mctx, &mgr->aclenv);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_listenon;
+#ifdef HAVE_GEOIP
+	mgr->aclenv.geoip = ns_g_geoip;
+#endif

 	mgr->references = 1;
 	mgr->magic = IFMGR_MAGIC;

--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -95,6 +95,7 @@
 #include <named/client.h>
 #include <named/config.h>
 #include <named/control.h>
+#include <named/geoip.h>
 #include <named/interfacemgr.h>
 #include <named/log.h>
 #include <named/logconf.h>
@@ -110,6 +111,9 @@
 #include <named/ns_smf_globals.h>
 #include <stdlib.h>
 #endif
+#ifdef HAVE_GEOIP
+#include <named/geoip.h>
+#endif /* HAVE_GEOIP */

 #ifndef PATH_MAX
 #define PATH_MAX 1024
@@ -3762,6 +3766,10 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
 	if (result != ISC_R_SUCCESS)
 		return (result);

+#ifdef HAVE_GEOIP
+	view->aclenv.geoip = ns_g_geoip;
+#endif
+
 	ISC_LIST_APPEND(*viewlist, view, link);
 	dns_view_attach(view, viewp);
 	return (ISC_R_SUCCESS);
@@ -5083,6 +5091,24 @@ load_configuration(const char *filename, ns_server_t *server,
 	}
 	isc__socketmgr_setreserved(ns_g_socketmgr, reserved);

+#ifdef HAVE_GEOIP
+	/*
+	 * Initialize GeoIP databases from the configured location.
+	 * This should happen before configuring any ACLs, so that we
+	 * know what databases are available and can reject any GeoIP
+	 * ACLs that can't work.
+	 */
+	obj = NULL;
+	result = ns_config_get(maps, "geoip-directory", &obj);
+	if (result == ISC_R_SUCCESS && cfg_obj_isstring(obj)) {
+		char *dir;
+		DE_CONST(cfg_obj_asstring(obj), dir);
+		ns_geoip_load(dir);
+	} else
+		ns_geoip_load(NULL);
+	ns_g_aclconfctx->geoip = ns_g_geoip;
+#endif /* HAVE_GEOIP */
+
 	/*
 	 * Configure various server options.
 	 */
@@ -6069,6 +6095,10 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 	if (server->blackholeacl != NULL)
 		dns_acl_detach(&server->blackholeacl);

+#ifdef HAVE_GEOIP
+	dns_geoip_shutdown();
+#endif
+
 	dns_db_detach(&server->in_roothints);

 	isc_task_endexclusive(server->task);
@@ -6090,7 +6120,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->task = NULL;

 	/* Initialize configuration data with default values. */
-
 	result = isc_quota_init(&server->xfroutquota, 10);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	result = isc_quota_init(&server->tcpquota, 10);
@@ -6098,9 +6127,16 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	result = isc_quota_init(&server->recursionquota, 100);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);

+
 	result = dns_aclenv_init(mctx, &server->aclenv);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);

+#ifdef HAVE_GEOIP
+	/* Initialize GeoIP before using ACL environment */
+	ns_geoip_init();
+	server->aclenv.geoip = ns_g_geoip;
+#endif
+
 	/* Initialize server data structures. */
 	server->zonemgr = NULL;
 	server->interfacemgr = NULL;

--- a/bin/tests/system/Makefile.in
+++ b/bin/tests/system/Makefile.in
@@ -21,7 +21,7 @@ top_srcdir =	@top_srcdir@

 @BIND9_MAKE_INCLUDES@

-SUBDIRS =	dlzexternal filter-aaaa lwresd rpz rsabigexponent tkey tsiggss
+SUBDIRS =	dlzexternal filter-aaaa geoip lwresd rpz rsabigexponent tkey tsiggss
 TARGETS =

 @BIND9_MAKE_RULES@

--- a/bin/tests/system/geoip/.gitignore
+++ b/bin/tests/system/geoip/.gitignore
+geoip
--- a/bin/tests/system/geoip/Makefile.in
+++ b/bin/tests/system/geoip/Makefile.in
+# Copyright (C) 2010-2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4 2011/07/28 23:47:58 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	
+ISCLIBS =	.
+
+DNSDEPLIBS =
+ISCDEPLIBS =
+
+DEPLIBS =
+
+LIBS =		@LIBS@
+
+TARGETS =	geoip@EXEEXT@
+
+FILTEROBJS =	geoip.@O@
+
+SRCS =		geoip.c
+
+@BIND9_MAKE_RULES@
+
+all: geoip@EXEEXT@
+
+geoip@EXEEXT@: ${FILTEROBJS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${FILTEROBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
--- a/bin/tests/system/geoip/clean.sh
+++ b/bin/tests/system/geoip/clean.sh
+#!/bin/sh
+#
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+rm -f ns2/named.conf
+rm -f ns2/example[1234567].db
+rm -f dig.out.*
--- a/bin/tests/system/geoip/data/GeoIP.csv
+++ b/bin/tests/system/geoip/data/GeoIP.csv
+10.53.0.1/32 AU
+10.53.0.2/32 US
+10.53.0.3/32 GB
+10.53.0.4/32 CA
+10.53.0.5/32 CL
+10.53.0.6/32 DE
+10.53.0.7/32 EH
--- a/bin/tests/system/geoip/data/GeoIP.dat
+++ b/bin/tests/system/geoip/data/GeoIP.dat
--- a/bin/tests/system/geoip/data/GeoIPASNum.csv
+++ b/bin/tests/system/geoip/data/GeoIPASNum.csv
+10.53.0.1/32 AS100001 One Systems, Inc.
+10.53.0.2/32 AS100002 Two Technology Ltd.
+10.53.0.3/32 AS100003 Three Network Labs
+10.53.0.4/32 AS100004 Four University
+10.53.0.5/32 AS100005 Five Telecom
+10.53.0.6/32 AS100006 Six Company
+10.53.0.7/32 AS100007 Seven Communications
--- a/bin/tests/system/geoip/data/GeoIPASNum.dat
+++ b/bin/tests/system/geoip/data/GeoIPASNum.dat
--- a/bin/tests/system/geoip/data/GeoIPASNumv6.csv
+++ b/bin/tests/system/geoip/data/GeoIPASNumv6.csv
+fd92:7065:b8e:ffff::1/128,AS100001 One Systems, Inc.
+fd92:7065:b8e:ffff::2/128,AS100002 Two Technology Ltd.
+fd92:7065:b8e:ffff::3/128,AS100003 Three Network Labs
+fd92:7065:b8e:ffff::4/128,AS100004 Four University
+fd92:7065:b8e:ffff::5/128,AS100005 Five Telecom
+fd92:7065:b8e:ffff::6/128,AS100006 Six Company
+fd92:7065:b8e:ffff::7/128,AS100007 Seven Communications
--- a/bin/tests/system/geoip/data/GeoIPASNumv6.dat
+++ b/bin/tests/system/geoip/data/GeoIPASNumv6.dat
--- a/bin/tests/system/geoip/data/GeoIPCity.csv
+++ b/bin/tests/system/geoip/data/GeoIPCity.csv
+10.53.0.1/32,US,CA,"Redwood City",94063,37.4914,-122.2110,807,650
+10.53.0.2/32,US,CA,"Santa Cruz",95060,37.0448,-122.1021,828,831
+10.53.0.3/32,US,OK,"Oklahoma City",73120,35.5798,-97.5731,650,405
+10.53.0.4/32,US,VA,Ashland,23005,37.7563,-77.4888,556,804
+10.53.0.5/32,US,GA,Atlanta,30345,33.8477,-84.2814,524,404
+10.53.0.6/32,US,CO,Morrison,80465,39.6081,-105.2072,751,303
+10.53.0.7/32,US,AK,Ketchikan,99901,55.6153,-131.5848,747,907
--- a/bin/tests/system/geoip/data/GeoIPCity.dat
+++ b/bin/tests/system/geoip/data/GeoIPCity.dat
--- a/bin/tests/system/geoip/data/GeoIPCityv6.csv
+++ b/bin/tests/system/geoip/data/GeoIPCityv6.csv
+"fd92:7065:b8e:ffff::1","fd92:7065:b8e:ffff::1","US","CA","Redwood City","94063",37.4914,-122.2110,807,650
+"fd92:7065:b8e:ffff::2","fd92:7065:b8e:ffff::2","US","CA","Santa Cruz","95060",37.0448,-122.1021,828,831
+"fd92:7065:b8e:ffff::3","fd92:7065:b8e:ffff::3","US","OK","Oklahoma City","73120",35.5798,-97.5731,650,405
+"fd92:7065:b8e:ffff::4","fd92:7065:b8e:ffff::4","DE","07","Lotte","",52.2833,7.9167,0,0
+"fd92:7065:b8e:ffff::5","fd92:7065:b8e:ffff::5","US","GA","Atlanta","30345",33.8477,-84.2814,524,404
+"fd92:7065:b8e:ffff::6","fd92:7065:b8e:ffff::6","US","CO","Morrison","80465",39.6081,-105.2072,751,303
+"fd92:7065:b8e:ffff::7","fd92:7065:b8e:ffff::7","US","AK","Ketchikan","99901",55.6153,-131.5848,747,907
--- a/bin/tests/system/geoip/data/GeoIPCityv6.dat
+++ b/bin/tests/system/geoip/data/GeoIPCityv6.dat
--- a/bin/tests/system/geoip/data/GeoIPDomain.csv
+++ b/bin/tests/system/geoip/data/GeoIPDomain.csv
+10.53.0.1/32 one.de
+10.53.0.2/32 two.com
+10.53.0.3/32 three.com
+10.53.0.4/32 four.com
+10.53.0.5/32 five.es
+10.53.0.6/32 six.it
+10.53.0.7/32 seven.org
--- a/bin/tests/system/geoip/data/GeoIPDomain.dat
+++ b/bin/tests/system/geoip/data/GeoIPDomain.dat
--- a/bin/tests/system/geoip/data/GeoIPISP.csv
+++ b/bin/tests/system/geoip/data/GeoIPISP.csv
+10.53.0.1/32 One Systems, Inc.
+10.53.0.2/32 Two Technology Ltd.
+10.53.0.3/32 Three Network Labs
+10.53.0.4/32 Four University
+10.53.0.5/32 Five Telecom
+10.53.0.6/32 Six Company
+10.53.0.7/32 Seven Communications
--- a/bin/tests/system/geoip/data/GeoIPISP.dat
+++ b/bin/tests/system/geoip/data/GeoIPISP.dat
--- a/bin/tests/system/geoip/data/GeoIPNetSpeed.csv
+++ b/bin/tests/system/geoip/data/GeoIPNetSpeed.csv
+10.53.0.1/32 0
+10.53.0.2/32 1
+10.53.0.3/32 2
+10.53.0.4/32 3
+10.53.0.5/32 0
+10.53.0.6/32 1
+10.53.0.7/32 2
--- a/bin/tests/system/geoip/data/GeoIPNetSpeed.dat
+++ b/bin/tests/system/geoip/data/GeoIPNetSpeed.dat
--- a/bin/tests/system/geoip/data/GeoIPOrg.csv
+++ b/bin/tests/system/geoip/data/GeoIPOrg.csv
+10.53.0.1/32 One Systems, Inc.
+10.53.0.2/32 Two Technology Ltd.
+10.53.0.3/32 Three Network Labs
+10.53.0.4/32 Four University
+10.53.0.5/32 Five Telecom
+10.53.0.6/32 Six Company
+10.53.0.7/32 Seven Communications
--- a/bin/tests/system/geoip/data/GeoIPOrg.dat
+++ b/bin/tests/system/geoip/data/GeoIPOrg.dat
--- a/bin/tests/system/geoip/data/GeoIPRegion.csv
+++ b/bin/tests/system/geoip/data/GeoIPRegion.csv
+10.53.0.1/32 US CA
+10.53.0.2/32 CA BC
+10.53.0.3/32 US OK
+10.53.0.4/32 AU
+10.53.0.5/32 US CO
+10.53.0.6/32 CA ON
+10.53.0.7/32 NL
--- a/bin/tests/system/geoip/data/GeoIPRegion.dat
+++ b/bin/tests/system/geoip/data/GeoIPRegion.dat
--- a/bin/tests/system/geoip/data/GeoIPv6.csv
+++ b/bin/tests/system/geoip/data/GeoIPv6.csv
+"fd92:7065:b8e:ffff::1/128",AU
+"fd92:7065:b8e:ffff::2/128",US
+"fd92:7065:b8e:ffff::3/128",GB
+"fd92:7065:b8e:ffff::4/128",CA
+"fd92:7065:b8e:ffff::5/128",CL
+"fd92:7065:b8e:ffff::6/128",DE
+"fd92:7065:b8e:ffff::7/128",EH
--- a/bin/tests/system/geoip/data/GeoIPv6.dat
+++ b/bin/tests/system/geoip/data/GeoIPv6.dat
--- a/bin/tests/system/geoip/data/README
+++ b/bin/tests/system/geoip/data/README
+The data data files in this directory are sample GeoIP databases,
+generated from the corresponding CSV files.  Thanks to MaxMind, Inc.
+for assitance with producing these files.
+
+Unless otherwise noted, the databases only support IPv4:
+
+GeoIP.dat: Country (IPv4)
+GeoIPv6.dat: Country (IPv6)
+GeoIPCity.dat: City (IPv4)
+GeoIPCityv6.dat: City (IPv6)
+GeoIPRegion.dat: Region
+GeoIPISP.dat: ISP
+GeoIPOrg.dat: Organization
+GeoIPDoain.dat: Domain Name
+GeoIPASNum.dat: AS Number
+GeoIPNetSpeed.dat: Net Speed
+
+GeoIP.dat can also be egenerated using the open source 'geoip-csv-to-dat'
+utility:
+
+$ geoip-csv-to-dat -i "BIND9 geoip test data v1" -o GeoIP.dat << EOF
+"10.53.0.1","10.53.0.1","171245569","171245569","AU","Australia"
+"10.53.0.2","10.53.0.2","171245570","171245570","US","United States"
+"10.53.0.3","10.53.0.3","171245571","171245571","GB","United Kingdom"
+"10.53.0.4","10.53.0.4","171245572","171245572","CA","Canada"
+"10.53.0.5","10.53.0.5","171245573","171245573","CL","Chile"
+"10.53.0.6","10.53.0.6","171245574","171245574","DE","Germany"
+"10.53.0.7","10.53.0.7","171245575","171245575","EH","Western Sahara"
+EOF
--- a/bin/tests/system/geoip/geoip.c
+++ b/bin/tests/system/geoip/geoip.c
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+#include <isc/util.h>
+
+int
+main(int argc, char **argv) {
+
+	UNUSED(argc);
+	UNUSED(argv);
+
+#ifdef HAVE_GEOIP
+	return (0);
+#else
+	return (1);
+#endif
+}
--- a/bin/tests/system/geoip/ns2/example.db.in
+++ b/bin/tests/system/geoip/ns2/example.db.in
+; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
--- a/bin/tests/system/geoip/ns2/named1.conf
+++ b/bin/tests/system/geoip/ns2/named1.conf
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;