Significant memory usage
Doug Freed
dwfreed at isc.org
Wed Jul 2 06:46:14 UTC 2025
On 7/1/25 23:55, Lee wrote:
> On Tue, Jul 1, 2025 at 11:14 PM Matthias Fechner wrote:
>>
>> On 01.07.2025 at 22:23, Lee wrote:
>>> response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; }
>>> break-dnssec yes
>>> recursive-only no
>>> qname-wait-recurse no;
>>
>> should these 3 lines (break-dnssec, ...) not be inside the response-policy
>> block?
>
> It seems like no
> https://bind9.readthedocs.io/en/latest/reference.html#configuration-file-named-conf
> has break-dnssec and qname-wait-recurse outside the { zone ... ; } block.
>
> Grammar: response-policy { zone <string> [ add-soa <boolean> ] [ log
> <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
> <duration> ] [ policy ( cname | disabled | drop | given | no-op |
> nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
> recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable
> <boolean> ] [ ede <string> ]; ... }
> [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl
> <duration> ] [ min-update-interval <duration> ] [ min-ns-dots
> <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse
> <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only
> <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
> dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
>
> but I struggle with the bind documentation, so I could be misinterpreting it :(
>
>> Otherwise it is applied to the options block which is then seen as a
>> global setting?
>
> Even if it was possible to have them be per-zone policy options, I
> want them all to be global.
>
> Regards,
> Lee

You are correct; the syntax of response-policy is very unique.

    response-policy {
        zone "foo" <some per-zone settings *before* the semicolon>;
    } <some non-per-zone settings *before* the semicolon>;

It is the semicolon which ends a statement, not the closing curly
bracket of a block, which is why all blocks have to end in a semicolon too.

-Doug
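
Added example, not part of the original message and not ISC code: Python that splits one response-policy statement at its semicolons, as described above, and reports options placed in the wrong scope. The option sets are copied from the grammar quoted in the thread; the function names, the one-value-per-option simplification (so policy tcp-only, dnsrps-options and comments are not handled) and the sample strings are assumptions made for the example.

```python
import re

# Option names copied from the grammar quoted in the thread.
PER_ZONE = {"add-soa", "log", "max-policy-ttl", "min-update-interval", "policy",
            "recursive-only", "nsip-enable", "nsdname-enable", "ede"}
GLOBAL = {"add-soa", "break-dnssec", "max-policy-ttl", "min-update-interval",
          "min-ns-dots", "nsip-wait-recurse", "nsdname-wait-recurse",
          "qname-wait-recurse", "recursive-only", "nsip-enable",
          "nsdname-enable", "dnsrps-enable", "dnsrps-options"}
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def pairs(tokens):
    """Pair up 'name value' tokens (assumption: every option takes one value)."""
    if len(tokens) % 2:
        raise ValueError(f"option without a value in: {' '.join(tokens)}")
    return dict(zip(tokens[::2], tokens[1::2]))

def parse_response_policy(text):
    """Return (zones, global_opts, misplaced) for one response-policy statement."""
    toks = TOKEN.findall(text)
    i = toks.index("response-policy") + 1
    if toks[i] != "{":
        raise ValueError("expected '{' after response-policy")
    i += 1
    zones, misplaced = {}, []
    while toks[i] != "}":
        end = toks.index(";", i)            # each zone entry ends at its own ';'
        if toks[i] != "zone":
            raise ValueError(f"expected 'zone', got {toks[i]!r}")
        name, opts = toks[i + 1].strip('"'), pairs(toks[i + 2:end])
        misplaced += [f"{o}: not a per-zone option (zone {name})"
                      for o in opts if o not in PER_ZONE]
        zones[name] = opts
        i = end + 1
    end = toks.index(";", i)                # the statement ends here, not at '}'
    global_opts = pairs(toks[i + 1:end])
    misplaced += [f"{o}: not a global option" for o in global_opts if o not in GLOBAL]
    return zones, global_opts, misplaced

# Constructed samples: Lee's statement from the thread, and two variants.
LEE = '''response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; }
break-dnssec yes
recursive-only no
qname-wait-recurse no;'''
PER_ZONE_MIX = 'response-policy { zone "rpz.foo" log no break-dnssec yes; } recursive-only no;'
EARLY_SEMI = 'response-policy { zone "rpz.foo"; }; break-dnssec yes;'
```

In EARLY_SEMI the semicolon directly after the closing bracket ends the statement, so break-dnssec is no longer part of response-policy and the parser returns no global options for it.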