[master] disallow map zones in response-policy

4269. [bug] Zones using "map" format master files currently don't work as policy zones. This limitation has now been documented; attempting to use such zones in "response-policy" statements is now a configuration error. [RT #38321]
2026-05-28 04:34:54 -04:00 · 2015-12-02 21:10:09 -08:00 · 2015-12-02 21:10:09 -08:00 · 4071efbec0
commit 4071efbec0
parent 7bde79b32a
4 changed files with 21 additions and 0 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+4269.	[bug]		Zones using "map" format master files currently
+			don't work as policy zones.  This limitation has
+			now been documented; attempting to use such zones
+			in "response-policy" statements is now a
+			configuration error.  [RT #38321]
+
 4268.	[func]		"rndc status" now reports the path to the
 			configuration file. [RT #36470]

--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -9924,6 +9924,8 @@ deny-answer-aliases { "example.net"; };
 	    that can be queried normally if allowed.
 	    It is usually best to restrict those queries with something like
 	    <command>allow-query { localhost; };</command>.
+	    Note that zones using <command>masterfile-format map</command>
+	    cannot be used as policy zones.
 	  </para>

 	  <para>
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -907,6 +907,17 @@
 	      when the server was reloaded or reconfigured. [RT #41058]
 	    </para>
 	  </listitem>
+	  <listitem>
+	    <para>
+	      Zones configured to use <command>map</command> format
+	      master files can't be used as policy zones because RPZ
+	      summary data isn't compiled when such zones are mapped into
+	      memory.  This limitation may be fixed in a future release,
+	      but in the meantime it has been documented, and attempting
+	      to use such zones in <command>response-policy</command>
+	      statements is now a configuration error.  [RT #38321]
+	    </para>
+	  </listitem>
 	</itemizedlist>
      </listitem>
    </itemizedlist>
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -1710,6 +1710,8 @@ dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
 	if (strcmp(zone->db_argv[0], "rbt") != 0 &&
 	    strcmp(zone->db_argv[0], "rbt64") != 0)
 		return (ISC_R_NOTIMPLEMENTED);
+	if (zone->masterformat == dns_masterformat_map)
+		return (ISC_R_NOTIMPLEMENTED);

 	/*
 	 * This must happen only once or be redundant.