[v9_10] disallow map zones in response-policy

4269. [bug] Zones using "map" format master files currently don't work as policy zones. This limitation has now been documented; attempting to use such zones in "response-policy" statements is now a configuration error. [RT #38321]
2026-06-13 16:59:59 -04:00 · 2015-12-02 21:10:43 -08:00 · 2015-12-02 21:10:43 -08:00 · 4db36f766e
commit 4db36f766e
parent 19cce81c83
4 changed files with 21 additions and 0 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+4269.	[bug]		Zones using "map" format master files currently
+			don't work as policy zones.  This limitation has
+			now been documented; attempting to use such zones
+			in "response-policy" statements is now a
+			configuration error.  [RT #38321]
+
 4267.	[test]		Check sdlz error handling. [RT #41142]

 4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@ -9463,6 +9463,8 @@ deny-answer-aliases { "example.net"; };
 	    that can be queried normally if allowed.
 	    It is usually best to restrict those queries with something like
 	    <command>allow-query { localhost; };</command>.
+	    Note that zones using <command>masterfile-format map</command>
+	    cannot be used as policy zones.
 	  </para>

 	  <para>
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -362,6 +362,17 @@
 	      if wildcard records were present. [RT #40357]
 	    </para>
 	  </listitem>
+	  <listitem>
+	    <para>
+	      Zones configured to use <command>map</command> format
+	      master files can't be used as policy zones because RPZ
+	      summary data isn't compiled when such zones are mapped into
+	      memory.  This limitation may be fixed in a future release,
+	      but in the meantime it has been documented, and attempting
+	      to use such zones in <command>response-policy</command>
+	      statements is now a configuration error.  [RT #38321]
+	    </para>
+	  </listitem>
 	</itemizedlist>
      </listitem>
    </itemizedlist>
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -1678,6 +1678,8 @@ dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
 	if (strcmp(zone->db_argv[0], "rbt") != 0 &&
 	    strcmp(zone->db_argv[0], "rbt64") != 0)
 		return (ISC_R_NOTIMPLEMENTED);
+	if (zone->masterformat == dns_masterformat_map)
+		return (ISC_R_NOTIMPLEMENTED);

 	/*
 	 * This must happen only once or be redundant.