diff --git a/CHANGES b/CHANGES
index 6ab88ae075..b622c835cf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+4269. [bug] Zones using "map" format master files currently
+ don't work as policy zones. This limitation has
+ now been documented; attempting to use such zones
+ in "response-policy" statements is now a
+ configuration error. [RT #38321]
+
4267. [test] Check sdlz error handling. [RT #41142]
4265. [bug] Address unchecked isc_mem_get calls. [RT #41187]
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index ec8a08ccaa..8728eb9eca 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -9463,6 +9463,8 @@ deny-answer-aliases { "example.net"; };
that can be queried normally if allowed.
It is usually best to restrict those queries with something like
allow-query { localhost; };.
+ Note that zones using masterfile-format map
+ cannot be used as policy zones.
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index e952543b2d..1334ad56e6 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -362,6 +362,17 @@
if wildcard records were present. [RT #40357]
+
+
+ Zones configured to use map format
+ master files can't be used as policy zones because RPZ
+ summary data isn't compiled when such zones are mapped into
+ memory. This limitation may be fixed in a future release,
+ but in the meantime it has been documented, and attempting
+ to use such zones in response-policy
+ statements is now a configuration error. [RT #38321]
+
+
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 0340240f2d..22759b07bc 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1678,6 +1678,8 @@ dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
if (strcmp(zone->db_argv[0], "rbt") != 0 &&
strcmp(zone->db_argv[0], "rbt64") != 0)
return (ISC_R_NOTIMPLEMENTED);
+ if (zone->masterformat == dns_masterformat_map)
+ return (ISC_R_NOTIMPLEMENTED);
/*
* This must happen only once or be redundant.
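Review bot: The added `zone->masterformat == dns_masterformat_map` test in `dns_zone_rpz_enable()` carries no comment and returns the same `ISC_R_NOTIMPLEMENTED` as the database-type check directly above it, so neither a reader nor a caller can tell from the result which restriction fired. I would put the reason from the release note next to the code, for example `/* map-format zones are mapped into memory without RPZ summary data, so they cannot enforce policy */`. The guard matters because a policy zone that loads but never matches leaves the response policy silently unenforced. The test reads `masterformat` as it stands when this function is called, so it only holds if the zone's file format is set before RPZ is enabled. That ordering, and the configuration error that CHANGES describes, live in code outside this diff and should be confirmed there. The function body starts and ends outside the hunk.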