diff -Naur bind-9.2.4/bin/named/aclconf.c bind-9.2.4-patch/bin/named/aclconf.c
--- bin/named/aclconf.c 2004-03-09 03:09:17.000000000 -0300
+++ bind-9.2.4-patch/bin/named/aclconf.c 2005-01-25 01:13:20.178253820 -0300
@@ -204,6 +204,12 @@
 } else if (strcasecmp(name, "none") == 0) {
 de->type = dns_aclelementtype_any;
 de->negative = ISC_TF(! de->negative);
+ } else if ((0 == (strncmp("country_", name, 8))) && (10 == strlen(name))) {
+ /* It is a country code */
+ de->type = dns_aclelementtype_ipcountry;
+ de->u.country[0] = name[8];
+ de->u.country[1] = name[9];
+ de->u.country[2] = '\0';
 } else {
 de->type = dns_aclelementtype_nestedacl;
 result = convert_named_acl(ce, cctx, ctx, mctx,
diff -Naur bind-9.2.4/lib/dns/acl.c bind-9.2.4-patch/lib/dns/acl.c
--- lib/dns/acl.c 2004-03-09 03:10:59.000000000 -0300
+++ bind-9.2.4-patch/lib/dns/acl.c 2005-01-24 23:38:55.659802724 -0300
@@ -19,12 +19,15 @@
 #include
+#include
 #include
 #include
 #include
 #include
+static GeoIP *geoip = NULL;
+
 isc_result_t
 dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 isc_result_t result;
@@ -164,9 +167,7 @@
 switch (e->type) {
 case dns_aclelementtype_ipprefix:
- if (env == NULL ||
- env->match_mapped == ISC_FALSE ||
- reqaddr->family != AF_INET6 ||
+ if (env == NULL || env->match_mapped == ISC_FALSE || reqaddr->family != AF_INET6 ||
 !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
 addr = reqaddr;
 else {
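Review bot: The two characters after `country_` are copied into `de->u.country` exactly as typed, with no check that they are letters and no case folding, although the neighbouring keywords are compared with `strcasecmp`. If the lookup library reports codes in upper case (not visible here), an entry such as `country_br` would load without error and never match, which leaves a negated or deny-style element silently ineffective. Fold and validate at parse time, e.g. `de->u.country[0] = toupper((unsigned char)name[8]);` after an `isalpha` check on both bytes, and return a configuration error otherwise. The new branch also takes precedence over `convert_named_acl`, so a user-defined ACL whose name has this shape can no longer be referenced, which deserves a comment. The enclosing function starts and ends outside the hunk.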
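Review bot: `static GeoIP *geoip` in the `@@ -19,12 +19,15 @@` hunk is file-scope mutable state with no comment on ownership, and nothing visible in this patch guards or releases it. The only writer shown is the lazy `GeoIP_new` call in the match path (the `@@ -179,6 +180,26 @@` hunk), which can run concurrently if ACL matching is reached from more than one worker thread. Suggest a comment such as `/* Process-wide GeoIP handle; created once at startup, read-only afterwards */` and moving the creation out of the match path, for example to configuration load, so that the comment holds.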
@@ -179,6 +180,26 @@
 e->u.ip_prefix.prefixlen))
 goto matched;
 break;
+ case dns_aclelementtype_ipcountry:
+ /* We only match V4 addresses */
+ if (reqaddr->family == AF_INET) {
+ /* Country match */
+
+ if (NULL == geoip) {
+ geoip = GeoIP_new(GEOIP_MEMORY_CACHE);
+ }
+ if (NULL != geoip) {
+ const char *value;
+
+ value = GeoIP_country_code_by_addr(geoip,inet_ntoa(reqaddr->type.in));
+ if ((NULL != value) && (2 == strlen(value))) {
+ if ((e->u.country[0] == value[0]) && (e->u.country[1] == value[1])) {
+ goto matched;
+ }
+ }
+ }
+ }
+ break;
 case dns_aclelementtype_keyname:
 if (reqsigner != NULL &&
diff -Naur bind-9.2.4/lib/dns/include/dns/acl.h bind-9.2.4-patch/lib/dns/include/dns/acl.h
--- lib/dns/include/dns/acl.h 2004-03-09 03:11:12.000000000 -0300
+++ bind-9.2.4-patch/lib/dns/include/dns/acl.h 2005-01-24 23:39:04.550363049 -0300
@@ -46,6 +46,7 @@
 typedef enum {
 dns_aclelementtype_ipprefix,
+ dns_aclelementtype_ipcountry,
 dns_aclelementtype_keyname,
 dns_aclelementtype_nestedacl,
 dns_aclelementtype_localhost,
@@ -54,6 +55,7 @@
 } dns_aclelemettype_t;
 typedef struct dns_aclipprefix dns_aclipprefix_t;
+typedef char dns_aclipcountry[3];
 struct dns_aclipprefix {
 isc_netaddr_t address; /* IP4/IP6 */
@@ -65,6 +67,7 @@
 isc_boolean_t negative;
 union {
 dns_aclipprefix_t ip_prefix;
+ dns_aclipcountry country;
 dns_name_t keyname;
 dns_acl_t *nestedacl;
 } u;
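Review bot: Every failure path in the new `dns_aclelementtype_ipcountry` case falls through to `break`, meaning "no match": a client that is not `AF_INET`, a failed `GeoIP_new`, or a NULL lookup result. For an element used to refuse clients (a negated `country_XX` or a deny list) that is fail-open and silent, and IPv4-mapped IPv6 clients, which the `ipprefix` case just above handles through `env->match_mapped`, skip the country check entirely. At minimum log once when the database cannot be opened and state the IPv4-only limit in a comment such as `/* Non-IPv4 and unresolvable addresses never match a country element */`. Separately, `inet_ntoa` returns a shared static buffer; if the installed GeoIP version provides it, `value = GeoIP_country_code_by_ipnum(geoip, ntohl(reqaddr->type.in.s_addr));` avoids the string round-trip. The enclosing function starts and ends outside the hunk.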
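Review bot: `dns_aclelementtype_ipcountry` is inserted in the middle of the enum in the `@@ -46,6 +46,7 @@` hunk, which renumbers every later enumerator; appending it after the last existing value would keep the numbers stable for anything built against the old header. Any other `switch` over `dns_aclelemettype_t` that this patch does not touch (none is visible here) needs a case for the new value, otherwise a country element lands in whatever default those switches have. In the `@@ -54,6 +55,7 @@` hunk, `dns_aclipcountry` lacks the `_t` suffix used by `dns_aclipprefix_t` and would benefit from a comment such as `/* two-letter country code plus terminating NUL */`.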