From 4db36f766e4ed4cc33ab1359813111ec08a4103c Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 2 Dec 2015 21:10:43 -0800
Subject: [PATCH] [v9_10] disallow map zones in response-policy

4269.	[bug]		Zones using "map" format master files currently
			don't work as policy zones.  This limitation has
			now been documented; attempting to use such zones
			in "response-policy" statements is now a
			configuration error.  [RT #38321]
---
 CHANGES                 |  6 ++++++
 doc/arm/Bv9ARM-book.xml |  2 ++
 doc/arm/notes.xml       | 11 +++++++++++
 lib/dns/zone.c          |  2 ++
 4 files changed, 21 insertions(+)

diff --git a/CHANGES b/CHANGES
index 6ab88ae075..b622c835cf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+4269.	[bug]		Zones using "map" format master files currently
+			don't work as policy zones.  This limitation has
+			now been documented; attempting to use such zones
+			in "response-policy" statements is now a
+			configuration error.  [RT #38321]
+
 4267.	[test]		Check sdlz error handling. [RT #41142]
 
 4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index ec8a08ccaa..8728eb9eca 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -9463,6 +9463,8 @@ deny-answer-aliases { "example.net"; };
 	    that can be queried normally if allowed.
 	    It is usually best to restrict those queries with something like
 	    <command>allow-query { localhost; };</command>.
+	    Note that zones using <command>masterfile-format map</command>
+	    cannot be used as policy zones.
 	  </para>
 
 	  <para>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index e952543b2d..1334ad56e6 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -362,6 +362,17 @@
 	      if wildcard records were present. [RT #40357]
 	    </para>
 	  </listitem>
+	  <listitem>
+	    <para>
+	      Zones configured to use <command>map</command> format
+	      master files can't be used as policy zones because RPZ
+	      summary data isn't compiled when such zones are mapped into
+	      memory.  This limitation may be fixed in a future release,
+	      but in the meantime it has been documented, and attempting
+	      to use such zones in <command>response-policy</command>
+	      statements is now a configuration error.  [RT #38321]
+	    </para>
+	  </listitem>
 	</itemizedlist>
       </listitem>
     </itemizedlist>
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 0340240f2d..22759b07bc 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1678,6 +1678,8 @@ dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
 	if (strcmp(zone->db_argv[0], "rbt") != 0 &&
 	    strcmp(zone->db_argv[0], "rbt64") != 0)
 		return (ISC_R_NOTIMPLEMENTED);
+	if (zone->masterformat == dns_masterformat_map)
+		return (ISC_R_NOTIMPLEMENTED);
 
 	/*
 	 * This must happen only once or be redundant.