diff --git a/CHANGES b/CHANGES
index febce4882d..fb1abaee58 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+4269. [bug] Zones using "map" format master files currently
+ don't work as policy zones. This limitation has
+ now been documented; attempting to use such zones
+ in "response-policy" statements is now a
+ configuration error. [RT #38321]
+
4268. [func] "rndc status" now reports the path to the
configuration file. [RT #36470]
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index e22f54f3e0..1748d7ccfb 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -9924,6 +9924,8 @@ deny-answer-aliases { "example.net"; };
that can be queried normally if allowed.
It is usually best to restrict those queries with something like
allow-query { localhost; };.
+ Note that zones using masterfile-format map
+ cannot be used as policy zones.
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 3bd6690ccb..9c23f72120 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -907,6 +907,17 @@
when the server was reloaded or reconfigured. [RT #41058]
+
+
+ Zones configured to use map format
+ master files can't be used as policy zones because RPZ
+ summary data isn't compiled when such zones are mapped into
+ memory. This limitation may be fixed in a future release,
+ but in the meantime it has been documented, and attempting
+ to use such zones in response-policy
+ statements is now a configuration error. [RT #38321]
+
+
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 0f971add29..34610402e5 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1710,6 +1710,8 @@ dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
if (strcmp(zone->db_argv[0], "rbt") != 0 &&
strcmp(zone->db_argv[0], "rbt64") != 0)
return (ISC_R_NOTIMPLEMENTED);
+ if (zone->masterformat == dns_masterformat_map)
+ return (ISC_R_NOTIMPLEMENTED);
/*
* This must happen only once or be redundant.
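Review bot: The added `zone->masterformat == dns_masterformat_map` test only rejects the zone if the master-file format has already been stored on the zone object when dns_zone_rpz_enable() runs, and nothing in this hunk shows that ordering. If the format were applied later in configuration, a map-format zone would pass this check and presumably be used as a policy zone with no RPZ summary data, so the policy would silently not be enforced. Please confirm the call order in the configuration path (outside this hunk) and record the dependency next to the check, e.g. `/* Map-format zones are mapped into memory and never build RPZ summary data; masterformat must be set before this call. */`. Both rejections return ISC_R_NOTIMPLEMENTED, so the caller cannot tell from the result which one fired when it reports the configuration error. The function body starts and ends outside the hunk.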