RPZ zone defined in a view
Mark Andrews
marka at isc.org
Wed Jan 7 13:31:37 UTC 2015
In message <54AD246D.7080106 at redhat.com>, Tomas Hozza writes:
> Hello.
>
> The BIND ARM documentation in section 6.2.16.20 says that
> "Response policy zones are named in the response-policy
> option for the view or among the global options if there
> is no response-policy option for the view."
>
> However named with the following configuration fails to start:
> --------------------------------------------------------------
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     allow-query { any; };
>     recursion yes;
>
>     dnssec-enable no;
>     dnssec-validation no;
>     dnssec-lookaside auto;
>
>     /* Path to ISC DLV key */
>     bindkeys-file "/etc/named.iscdlv.key";
>
>     managed-keys-directory "/var/named/dynamic";
>
>     response-policy { zone "rpz"; };
> };
>
> logging {
>     channel default_debug {
>         file "data/named.run" versions 3 size 50M;
>         severity dynamic;
>     };
> };
>
> view "trusted" {
>
>     zone "." IN {
>         type hint;
>         file "named.ca";
>     };
>
>     zone "rpz" {
>         type master;
>         file "rpz.zone";
>     };
> };
>
> view "untrusted" {
>
>     match-clients { any; };
>
>     zone "." IN {
>         type hint;
>         file "named.ca";
>     };
> };
> --------------------------------------------------------------
> It ends with:
> ...
> 07-Jan-2015 13:12:58.641 /etc/named.conf:18: 'rpz' is not a master or slave zone
> 07-Jan-2015 13:12:58.642 loading configuration: not found
> 07-Jan-2015 13:12:58.642 exiting (due to fatal error)
>
> I think the problem is that if the response-policy statement
> is used within the options statement, then named looks for
> the zone only in the _default view. However if you use view
> statements, then all zones have to be defined in some view,
> thus making the RPZ zone "non-existing" for the global
> response-policy statement.
By adding it to options you are saying that all views have an rpz zone,
but that is not the case: "untrusted" does not have an rpz zone.
> If I move the response-policy statement to the "trusted" view
> it starts to work.
>
> However based on the documentation it should work also in the
> first case.
>
> Is the documentation wrong or is it a bug in the RPZ implementation?
>
> Thanks!
>
> Regards,
> --
> Tomas Hozza
> Software Engineer - EMEA ENG Developer Experience
>
> PGP: 1D9F3C2D
> Red Hat Inc. http://cz.redhat.com
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
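Following the rule Mark states (a global response-policy applies to every view that has no response-policy of its own, so each such view must define the zone), here is an added Python lint that reports this misconfiguration before named refuses to start. It is not code from the thread or from BIND; it assumes a simplified named.conf grammar (no include files), and the sample configurations are constructed from the one quoted above.

```python
import re

def parse_named_conf(text):
    """Simplified named.conf walk (assumed grammar, not BIND's parser). Returns
    (zones named in a global response-policy, {view: {"zones": ..., "rpz": ...}})."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # strip /* ... */ comments
    text = re.sub(r"(//|#)[^\n]*", "", text)             # strip // and # comments
    toks = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    stack, words, global_rpz = [], [], []   # enclosing statement heads; current words
    views = {"_default": {"zones": set(), "rpz": []}}   # zones outside any view
    def view_of():   # nearest enclosing view, or the implicit default view
        return next((h[1] for h in reversed(stack) if h[:1] == ["view"]), "_default")
    for tok in toks:
        if tok == "{":
            if words[:1] == ["view"]:
                views.setdefault(words[1], {"zones": set(), "rpz": []})
            elif words[:1] == ["zone"]:   # block form = a real zone definition
                views[view_of()]["zones"].add(words[1])
            stack.append(words)
            words = []
        elif tok == "}":
            if stack: stack.pop()
            words = []
        elif tok == ";":
            head = stack[-1] if stack else []
            if head[:1] == ["response-policy"] and words[:1] == ["zone"]:
                in_options = len(stack) > 1 and stack[-2][:1] == ["options"]
                (global_rpz if in_options else views[view_of()]["rpz"]).append(words[1])
            words = []
        else:
            words.append(tok.strip('"'))
    return global_rpz, views

def check_rpz(text):
    """Flag response-policy zones not defined in the view they apply to: a global
    policy covers every view that lacks its own, so each such view needs the zone."""
    global_rpz, views = parse_named_conf(text)
    named = {k: v for k, v in views.items() if k != "_default"} or views
    return [f"view '{n}': response-policy zone '{z}' is not defined in this view"
            for n, v in named.items() for z in (v["rpz"] or global_rpz) if z not in v["zones"]]

# Constructed sample, abridged from the configuration quoted in the thread.
BROKEN_CONF = """options { directory "/var/named"; /* other options omitted */
    response-policy { zone "rpz"; }; };
view "trusted" { zone "." IN { type hint; file "named.ca"; };
    zone "rpz" { type master; file "rpz.zone"; }; };
view "untrusted" { match-clients { any; }; zone "." IN { type hint; file "named.ca"; }; };"""
# The fix from the thread: the statement moves into the view that defines the zone.
FIXED_CONF = BROKEN_CONF.replace('response-policy { zone "rpz"; };', "").replace(
    'file "rpz.zone"; };', 'file "rpz.zone"; }; response-policy { zone "rpz"; };')
```

On the quoted configuration it reports the "untrusted" view and nothing for the fixed one; named-checkconf remains the authoritative check, since this walk ignores include files and other grammar.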