RPZ zone defined in a view
Tomas Hozza
thozza at redhat.com
Wed Jan 7 12:19:57 UTC 2015
Hello.
The BIND ARM documentation in section 6.2.16.20 says that
"Response policy zones are named in the response-policy
option for the view or among the global options if there
is no response-policy option for the view."
However, named with the following configuration fails to start:
--------------------------------------------------------------
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;

    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    response-policy { zone "rpz"; };
};

logging {
    channel default_debug {
        file "data/named.run" versions 3 size 50M;
        severity dynamic;
    };
};

view "trusted" {
    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "rpz" {
        type master;
        file "rpz.zone";
    };
};

view "untrusted" {
    match-clients { any; };

    zone "." IN {
        type hint;
        file "named.ca";
    };
};
--------------------------------------------------------------
It ends with:
...
07-Jan-2015 13:12:58.641 /etc/named.conf:18: 'rpz' is not a master or slave zone
07-Jan-2015 13:12:58.642 loading configuration: not found
07-Jan-2015 13:12:58.642 exiting (due to fatal error)
I think the problem is that if the response-policy statement
is used within the options statement, then named looks for
the zone only in the _default view. However, if you use view
statements, then all zones have to be defined in some view,
thus making the RPZ zone "non-existing" for the global
response-policy statement.
If I move the response-policy statement to the "trusted" view
it starts to work.
However, based on the documentation it should also work in the
first case.
Is the documentation wrong or is it a bug in the RPZ implementation?
Thanks!
Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
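The working variant the post describes (response-policy moved into the view that defines the RPZ zone), as an added example and not the poster's own configuration. It keeps only the options relevant to the problem; the match-clients list on the "trusted" view is a constructed assumption so that the "untrusted" view can actually be reached, since a view without match-clients matches every client.

```conf
options {
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    // No response-policy here: with views in use, every zone belongs to
    // a view, so a global response-policy statement cannot resolve "rpz".
};

view "trusted" {
    // Constructed example client range; adjust to the real trusted network.
    match-clients { 10.0.0.0/8; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    // RPZ zone and the response-policy statement that references it
    // are declared in the same view.
    zone "rpz" {
        type master;
        file "rpz.zone";
    };

    response-policy { zone "rpz"; };
};

view "untrusted" {
    match-clients { any; };

    zone "." IN {
        type hint;
        file "named.ca";
    };
};
```

Before restarting named, `named-checkconf /etc/named.conf` (add `-z` to also load the zone files) reports the same "'rpz' is not a master or slave zone" error for the original layout and accepts this one, which makes it a cheap way to catch a view/RPZ mismatch without a service outage.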