diff -Nrup bind-9.4.3-P1/lib/dns/acl.c bind-9.4.3-P1-geodns/lib/dns/acl.c
--- bind-9.4.3-P1/lib/dns/acl.c 2006-03-01 16:37:21.000000000 -0800
+++ bind-9.4.3-P1-geodns/lib/dns/acl.c 2009-01-14 19:12:11.000000000 -0800
@@ -21,12 +21,16 @@
 #include
+#include
+#include
 #include
 #include
 #include
 #include
+static GeoIP *geoip = NULL;
+
 isc_result_t dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 isc_result_t result;
@@ -208,6 +212,27 @@ dns_aclelement_match(const isc_netaddr_t
 e->u.ip_prefix.prefixlen))
 goto matched;
 break;
+
+ case dns_aclelementtype_ipregion:
+ /* We only match V4 addresses */
+ if (reqaddr->family == AF_INET) {
+ /* Region match */
+
+ if (NULL == geoip) {
+ geoip = GeoIP_new(GEOIP_MEMORY_CACHE);
+ }
+ if (NULL != geoip) {
+ GeoIPRecord * value;
+
+ value = GeoIP_record_by_addr(geoip,inet_ntoa(reqaddr->type.in));
+ if ((NULL != value) && (NULL != value->region) && (2 == strlen(value->region))) {
+ if ((e->u.region[0] == value->region[0]) && (e->u.region[1] == value->region[1])) {
+ goto matched;
+ }
+ }
+ }
+ }
+ break;
 case dns_aclelementtype_keyname:
 if (reqsigner != NULL &&
diff -Nrup bind-9.4.3-P1/lib/dns/include/dns/acl.h bind-9.4.3-P1-geodns/lib/dns/include/dns/acl.h
--- bind-9.4.3-P1/lib/dns/include/dns/acl.h 2006-03-01 16:37:21.000000000 -0800
+++ bind-9.4.3-P1-geodns/lib/dns/include/dns/acl.h 2009-01-14 19:12:24.000000000 -0800
@@ -47,6 +47,7 @@
 typedef enum {
 dns_aclelementtype_ipprefix,
+ dns_aclelementtype_ipregion,
 dns_aclelementtype_keyname,
 dns_aclelementtype_nestedacl,
 dns_aclelementtype_localhost,
@@ -55,6 +56,7 @@ typedef enum {
 } dns_aclelemettype_t;
 typedef struct dns_aclipprefix dns_aclipprefix_t;
+typedef char dns_aclipregion[3];
 struct dns_aclipprefix {
 isc_netaddr_t address; /* IP4/IP6 */
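Review bot: In the `dns_aclelementtype_ipregion` case added to lib/dns/acl.c, the `GeoIPRecord` returned by `GeoIP_record_by_addr()` is never released, so each evaluation of a region element leaks one record, and because the lookup is keyed on the client address the growth is driven by remote traffic. Free it with `GeoIPRecord_delete(value)` on both the match and the no-match path, which means deciding the result before the `goto matched`. The same lines call `inet_ntoa()`, which formats into a static buffer, and assign the file-scope `geoip` pointer lazily with no lock; if this function can run on more than one worker thread (not visible in the hunk) both are races, so format into a local buffer and open the database once during startup instead. When `GeoIP_new()` fails the case quietly reports no match and retries the open on every query, so a negated region element stops excluding anyone without any log message. The body of dns_aclelement_match starts and ends outside the hunk.

```c
	/* … unchanged: AF_INET check and GeoIP_new() lazy open … */
			if (NULL != geoip) {
				GeoIPRecord *value;
				char addrbuf[INET_ADDRSTRLEN];
				isc_boolean_t hit = ISC_FALSE;

				/* inet_ntop() fills a caller-owned buffer, unlike inet_ntoa(). */
				if (inet_ntop(AF_INET, &reqaddr->type.in,
					      addrbuf, sizeof(addrbuf)) == NULL)
					break;
				value = GeoIP_record_by_addr(geoip, addrbuf);
				if (NULL != value) {
					if ((NULL != value->region) &&
					    (2 == strlen(value->region)) &&
					    (e->u.region[0] == value->region[0]) &&
					    (e->u.region[1] == value->region[1]))
						hit = ISC_TRUE;
					/* The record is allocated by the library; release it on every path. */
					GeoIPRecord_delete(value);
				}
				if (hit)
					goto matched;
			}
```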
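Review bot: Inserting `dns_aclelementtype_ipregion` in the middle of the enum in lib/dns/include/dns/acl.h (hunk at line 47) renumbers every later element type, and any other `switch` on the element type has to learn the new value. This patch only updates dns_aclelement_match; code that compares, copies or dumps ACL elements is not shown here, so please confirm none of it reaches a default or assertion branch when it meets a region element. A short comment on the enumerator, `/* two-character GeoIP region code, matched for IPv4 only */`, would also record the restriction that acl.c enforces.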
@@ -66,6 +68,7 @@ struct dns_aclelement {
 isc_boolean_t negative;
 union {
 dns_aclipprefix_t ip_prefix;
+ dns_aclipregion region;
 dns_name_t keyname;
 dns_acl_t *nestedacl;
 } u;
diff -Nrup bind-9.4.3-P1/lib/isccfg/aclconf.c bind-9.4.3-P1-geodns/lib/isccfg/aclconf.c
--- bind-9.4.3-P1/lib/isccfg/aclconf.c 2006-03-01 16:37:22.000000000 -0800
+++ bind-9.4.3-P1-geodns/lib/isccfg/aclconf.c 2009-01-14 19:12:40.000000000 -0800
@@ -228,6 +228,12 @@ cfg_acl_fromconfig(const cfg_obj_t *caml
 } else if (strcasecmp(name, "none") == 0) {
 de->type = dns_aclelementtype_any;
 de->negative = ISC_TF(! de->negative);
+ } else if ((0 == (strncmp("region_", name, 7))) && (9 == strlen(name))) {
+ /* It is a region code */
+ de->type = dns_aclelementtype_ipregion;
+ de->u.region[0] = name[7];
+ de->u.region[1] = name[8];
+ de->u.region[2] = '\0';
 } else {
 de->type = dns_aclelementtype_nestedacl;
 result = convert_named_acl(ce, cctx, lctx,
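Review bot: The `region_` branch added to lib/isccfg/aclconf.c accepts any two bytes after the prefix and stores them unchanged, while the matcher in acl.c compares them byte-for-byte against the region string from the database. If the database returns upper-case codes, a lower-case or mistyped name such as `region_ca` (constructed example) loads cleanly and then never matches, which for a negated element means the exclusion silently does nothing. Reject anything that is not two alphanumerics, e.g. `if (!isalnum((unsigned char)name[7]) || !isalnum((unsigned char)name[8]))` followed by the function's usual error return, and consider normalising with `toupper()`. The branch also sits ahead of the named-ACL fallback, so an operator-defined ACL whose name is `region_` plus two characters would change meaning without warning; that precedence should be documented or checked for a clash. cfg_acl_fromconfig starts and ends outside the hunk.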