RPZ zone defined in a view

Tomas Hozza thozza at redhat.com
Wed Jan 7 12:19:57 UTC 2015


Hello.

The BIND ARM documentation in section 6.2.16.20 says that
"Response policy zones are named in the response-policy
option for the view or among the global options if there
is no response-policy option for the view."

However, named with the following configuration fails to start:
--------------------------------------------------------------
options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        response-policy { zone "rpz"; };
};

logging {
        channel default_debug {
                file "data/named.run" versions 3 size 50M;
                severity dynamic;
        };
};

view "trusted" {

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "rpz" {
                type master;
                file "rpz.zone";
        };
};

view "untrusted" {

        match-clients { any; };

        zone "." IN {
                type hint;
                file "named.ca";
        };
};
--------------------------------------------------------------
It ends with:
...
07-Jan-2015 13:12:58.641 /etc/named.conf:18: 'rpz' is not a master or slave zone
07-Jan-2015 13:12:58.642 loading configuration: not found
07-Jan-2015 13:12:58.642 exiting (due to fatal error)

I think the problem is that if the response-policy statement
is used within the options statement, then named looks for
the zone only in the _default view. However, if you use view
statements, then all zones have to be defined in some view,
thus making the RPZ zone "non-existing" for the global
response-policy statement.

If I move the response-policy statement to the "trusted" view
it starts to work.

However, based on the documentation, it should work also in the
first case.

Is the documentation wrong or is it a bug in the RPZ implementation?

Thanks!

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com
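The view-scoped placement the poster reports as working, written out as an added example (this is not the configuration from the original post, and not ISC's own example): the response-policy statement sits in the same view as the RPZ master zone it names, so named can resolve the zone reference when views are in use. The match-clients for "trusted" (localnets) and the allow-query restriction on the policy zone are assumptions added here; unrelated options from the original (dnssec, logging, statistics paths) are left out.

```conf
// Added example, not from the original post: response-policy moved into
// the view that holds the RPZ master zone. Unrelated options from the
// poster's configuration are omitted.
options {
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
        // No response-policy here. Once view statements are used, every
        // zone belongs to some view, and a global response-policy has no
        // view-level zone it can refer to.
};

view "trusted" {
        // ASSUMPTION: apply the policy only to local clients. Views are
        // matched in order, so clients outside localnets fall through to
        // "untrusted" below. The original post has no match-clients here.
        match-clients { localnets; };

        // The response-policy statement and the zone it names must live
        // in the same view.
        response-policy { zone "rpz"; };

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "rpz" {
                type master;
                file "rpz.zone";
                // ASSUMPTION (hardening choice): the policy zone is used
                // internally for rewriting and need not be queryable.
                allow-query { none; };
        };
};

view "untrusted" {
        match-clients { any; };

        zone "." IN {
                type hint;
                file "named.ca";
        };
};
```

The `rpz.zone` file is an ordinary master zone, so it needs an SOA and an NS record like any other, followed by policy records such as `malware.example CNAME .` (a constructed placeholder name; `CNAME .` makes the answer NXDOMAIN). Before restarting the server, `named-checkconf -z /etc/named.conf` parses the configuration and loads the zones it references, which catches a misplaced response-policy or a missing zone file without taking the resolver down.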

