RPZ zone defined in a view

Mark Andrews marka at isc.org
Wed Jan 7 13:31:37 UTC 2015


In message <54AD246D.7080106 at redhat.com>, Tomas Hozza writes:
> Hello.
> 
> The BIND ARM documentation in section 6.2.16.20 says that
> "Response policy zones are named in the response-policy
> option for the view or among the global options if there
> is no response-policy option for the view."
> 
> However named with the following configuration fails to start:
> --------------------------------------------------------------
> options {
>         directory       "/var/named";
>         dump-file       "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query     { any; };
>         recursion yes;
> 
>         dnssec-enable no;
>         dnssec-validation no;
>         dnssec-lookaside auto;
> 
>         /* Path to ISC DLV key */
>         bindkeys-file "/etc/named.iscdlv.key";
> 
>         managed-keys-directory "/var/named/dynamic";
> 
>         response-policy { zone "rpz"; };
> };
> 
> logging {
>         channel default_debug {
>                 file "data/named.run" versions 3 size 50M;
>                 severity dynamic;
>         };
> };
> 
> view "trusted" {
> 
>         zone "." IN {
>                 type hint;
>                 file "named.ca";
>         };
> 
>         zone "rpz" {
>                 type master;
>                 file "rpz.zone";
>         };
> };
> 
> view "untrusted" {
> 
>         match-clients { any; };
> 
>         zone "." IN {
>                 type hint;
>                 file "named.ca";
>         };
> };
> --------------------------------------------------------------
> It ends with:
> ...
> 07-Jan-2015 13:12:58.641 /etc/named.conf:18: 'rpz' is not a master or slave zone
> 07-Jan-2015 13:12:58.642 loading configuration: not found
> 07-Jan-2015 13:12:58.642 exiting (due to fatal error)
> 
> I think the problem is that if the response-policy statement
> is used within the options statement, then named looks for
> the zone only in the _default view. However if you use view
> statements, then all zones have to be defined in some view,
> thus making the RPZ zone "non-existing" for the global
> response-policy statement.

By adding it to options you are saying that all views have a rpz zone
but that is not the case.  "untrusted" does not have a rpz zone.

> If I move the response-policy statement to the "trusted" view
> it starts to work.
> 
> However based on the documentation it should work also in the
> first case.
> 
> Is the documentation wrong or is it a bug in the RPZ implementation?
> 
> Thanks!
> 
> Regards,
> -- 
> Tomas Hozza
> Software Engineer - EMEA ENG Developer Experience
> 
> PGP: 1D9F3C2D
> Red Hat Inc.                               http://cz.redhat.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
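The two ways of making the configuration consistent with Mark's point, as an added example that is not part of either message above: either the response-policy statement moves into the view that defines the zone, or every view defines the zone the global statement names. The two alternatives are shown back to back and are not meant to be one file. The client range 192.0.2.0/24 and the trimmed-down options are assumptions made for the example; the file names are the ones from the original config.

```conf
// Added example, not from the original thread. Two alternative named.conf
// layouts; choose one. 192.0.2.0/24 is an assumed "trusted" client range.

// (a) Per-view RPZ: the response-policy statement and the zone it names
//     live in the same view. Clients matched by "untrusted" get no
//     RPZ filtering at all.
options {
        directory "/var/named";
        recursion yes;
};

view "trusted" {
        // Views are matched in order, and a view without match-clients
        // matches every client; without this line "untrusted" would
        // never be reached.
        match-clients { 192.0.2.0/24; };
        response-policy { zone "rpz"; };
        zone "." IN { type hint; file "named.ca"; };
        zone "rpz" { type master; file "rpz.zone"; };
};

view "untrusted" {
        match-clients { any; };
        zone "." IN { type hint; file "named.ca"; };
};

// (b) Global RPZ: response-policy stays in options, so every view must
//     define a zone with that name. Both views load the same master file
//     and the policy is applied to clients of both views.
options {
        directory "/var/named";
        recursion yes;
        response-policy { zone "rpz"; };
};

view "trusted" {
        match-clients { 192.0.2.0/24; };
        zone "." IN { type hint; file "named.ca"; };
        zone "rpz" { type master; file "rpz.zone"; };
};

view "untrusted" {
        match-clients { any; };
        zone "." IN { type hint; file "named.ca"; };
        zone "rpz" { type master; file "rpz.zone"; };
};
```

Layout (a) is the one the original poster found to work. Layout (b) is the one the global statement implies: if a policy is meant to apply to all views, each view must be able to load the zone, and the untrusted clients are then filtered by the same rules as the trusted ones, which is usually the intent when the statement is global and a surprise when it is not. Running named-checkconf on the file before restarting named catches syntax mistakes in either layout.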

