RPZ zone defined in a view

Tomas Hozza thozza at redhat.com
Wed Jan 7 15:13:27 UTC 2015


On 01/07/2015 02:31 PM, Mark Andrews wrote:
> In message <54AD246D.7080106 at redhat.com>, Tomas Hozza writes:
> > Hello.
> >
> > The BIND ARM documentation in section 6.2.16.20 says that
> > "Response policy zones are named in the response-policy
> > option for the view or among the global options if there
> > is no response-policy option for the view."
> >
> > However named with the following configuration fails to start:
> > --------------------------------------------------------------
> > options {
> >         directory       "/var/named";
> >         dump-file       "/var/named/data/cache_dump.db";
> >         statistics-file "/var/named/data/named_stats.txt";
> >         memstatistics-file "/var/named/data/named_mem_stats.txt";
> >         allow-query     { any; };
> >         recursion yes;
> >
> >         dnssec-enable no;
> >         dnssec-validation no;
> >         dnssec-lookaside auto;
> >
> >         /* Path to ISC DLV key */
> >         bindkeys-file "/etc/named.iscdlv.key";
> >
> >         managed-keys-directory "/var/named/dynamic";
> >
> >         response-policy { zone "rpz"; };
> > };
> >
> > logging {
> >         channel default_debug {
> >                 file "data/named.run" versions 3 size 50M;
> >                 severity dynamic;
> >         };
> > };
> >
> > view "trusted" {
> >
> >         zone "." IN {
> >                 type hint;
> >                 file "named.ca";
> >         };
> >
> >         zone "rpz" {
> >                 type master;
> >                 file "rpz.zone";
> >         };
> > };
> >
> > view "untrusted" {
> >
> >         match-clients { any; };
> >
> >         zone "." IN {
> >                 type hint;
> >                 file "named.ca";
> >         };
> > };
> > --------------------------------------------------------------
> > It ends with:
> > ...
> > 07-Jan-2015 13:12:58.641 /etc/named.conf:18: 'rpz' is not a master or slave zone
> > 07-Jan-2015 13:12:58.642 loading configuration: not found
> > 07-Jan-2015 13:12:58.642 exiting (due to fatal error)
> >
> > I think the problem is that if the response-policy statement
> > is used within the options statement, then named looks for
> > the zone only in the _default view. However if you use view
> > statements, then all zones have to be defined in some view,
> > thus making the RPZ zone "non-existing" for the global
> > response-policy statement.
>
> By adding it to options you are saying that all views have a rpz zone
> but that is not the case.  "untrusted" does not have a rpz zone.
Ahh, that is the case. It wasn't clear to me from the documentation. It works
with the rpz zone in both views.

Thank you for the answer.
>
> > If I move the response-policy statement to the "trusted" view
> > it starts to work.
> >
> > However based on the documentation it should work also in the
> > first case.
> >
> > Is the documentation wrong or is it a bug in the RPZ implementation?
> >
> > Thanks!
> >
> > Regards,
> > --
> > Tomas Hozza
> > Software Engineer - EMEA ENG Developer Experience
> >
> > PGP: 1D9F3C2D
> > Red Hat Inc.                               http://cz.redhat.com


-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
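The layout Mark's reply calls for, written out as an added example (not a configuration from the thread above): a global response-policy statement names "rpz", so every view that the statement applies to carries its own copy of that zone. Paths, the 192.0.2.0/24 client range and the allow-query restriction on the policy zone are assumptions made for illustration; rpz.zone is an ordinary master zone file holding the policy records.

```conf
// Added example, not from the original thread. A response-policy statement
// in "options" applies to every view, so each view must define the "rpz"
// zone it refers to; a view without it is what produces
// "'rpz' is not a master or slave zone" at startup.
// Assumed for illustration: file paths, the 192.0.2.0/24 client range.

options {
        directory       "/var/named";
        recursion       yes;
        allow-query     { any; };

        // Global: every view below must therefore define zone "rpz".
        response-policy { zone "rpz"; };
};

view "trusted" {
        match-clients { 192.0.2.0/24; };    // assumed client range

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "rpz" {
                type master;
                file "rpz.zone";
                // Policy data is consulted internally by RPZ; restricting
                // ordinary queries keeps the blocklist from being enumerated.
                allow-query { localhost; };
        };
};

view "untrusted" {
        match-clients { any; };

        zone "." IN {
                type hint;
                file "named.ca";
        };

        // Same zone again: each view loads its own copy of rpz.zone.
        zone "rpz" {
                type master;
                file "rpz.zone";
                allow-query { localhost; };
        };
};
```

If only one view should apply the policy, the alternative the thread already mentions is to place response-policy inside that view (beside its "rpz" zone) and leave it out of options. Either way, running named-checkconf -z against the file before restarting named reports the missing-zone error at check time instead of at startup.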