On 01/07/2015 02:31 PM, Mark Andrews wrote:
> In message <54ad246d.7080...@redhat.com>, Tomas Hozza writes:
> > Hello.
> >
> > The BIND ARM documentation in section 6.2.16.20 says that
> > "Response policy zones are named in the response-policy
> > option for the view or among the global options if there
> > is no response-policy option for the view."
> >
> > However named with the following configuration fails to start:
> > --------------------------------------------------------------
> > options {
> >     directory "/var/named";
> >     dump-file "/var/named/data/cache_dump.db";
> >     statistics-file "/var/named/data/named_stats.txt";
> >     memstatistics-file "/var/named/data/named_mem_stats.txt";
> >     allow-query { any; };
> >     recursion yes;
> >
> >     dnssec-enable no;
> >     dnssec-validation no;
> >     dnssec-lookaside auto;
> >
> >     /* Path to ISC DLV key */
> >     bindkeys-file "/etc/named.iscdlv.key";
> >
> >     managed-keys-directory "/var/named/dynamic";
> >
> >     response-policy { zone "rpz"; };
> > };
> >
> > logging {
> >     channel default_debug {
> >         file "data/named.run" versions 3 size 50M;
> >         severity dynamic;
> >     };
> > };
> >
> > view "trusted" {
> >
> >     zone "." IN {
> >         type hint;
> >         file "named.ca";
> >     };
> >
> >     zone "rpz" {
> >         type master;
> >         file "rpz.zone";
> >     };
> > };
> >
> > view "untrusted" {
> >
> >     match-clients { any; };
> >
> >     zone "." IN {
> >         type hint;
> >         file "named.ca";
> >     };
> > };
> > --------------------------------------------------------------
> > It ends with:
> > ...
> > 07-Jan-2015 13:12:58.641 /etc/named.conf:18: 'rpz' is not a master or slave zone
> > 07-Jan-2015 13:12:58.642 loading configuration: not found
> > 07-Jan-2015 13:12:58.642 exiting (due to fatal error)
> >
> > I think the problem is that if the response-policy statement
> > is used within the options statement, then named looks for
> > the zone only in the _default view. However if you use view
> > statements, then all zones have to be defined in some view,
> > thus making the RPZ zone "non-existing" for the global
> > response-policy statement.
>
> By adding it to options you are saying that all views have a rpz zone
> but that is not the case. "untrusted" does not have a rpz zone.

Ahh, that is the case. It wasn't clear to me from the documentation.
It works with the rpz zone in both views.

Thank you for the answer.

> > If I move the response-policy statement to the "trusted" view
> > it starts to work.
> >
> > However based on the documentation it should work also in the
> > first case.
> >
> > Is the documentation wrong or is it a bug in the RPZ implementation?
> >
> > Thanks!
> >
> > Regards,
> > --
> > Tomas Hozza
> > Software Engineer - EMEA ENG Developer Experience
> >
> > PGP: 1D9F3C2D
> > Red Hat Inc. http://cz.redhat.com
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users

-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
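A named.conf layout that satisfies the rule Mark Andrews states above, added here as an example and not taken from the thread or from ISC: a response-policy in the global options asserts that every view has a zone named "rpz", so the zone is declared in both views. The 192.0.2.0/24 prefix is an assumed placeholder for an internal client range, and the two views are assumed to share one rpz.zone file. Two things a practitioner would also want from the posted configuration are reflected here: the "trusted" view has no match-clients, and a view without match-clients matches every client, so with views tried in order the "untrusted" view would never be selected; and a view reachable by any client with recursion yes is an open resolver, so recursion is limited to the trusted clients.

```conf
// Added example, not the poster's configuration or ISC's.
// Rule being demonstrated: a response-policy under "options" applies to
// every view, so every view must define zone "rpz" or named refuses to
// load the configuration ("'rpz' is not a master or slave zone").
// Assumptions: 192.0.2.0/24 stands in for the internal client prefix and
// both views may serve the same rpz.zone file.

options {
    directory "/var/named";
    recursion yes;
    // Global policy: each view below must carry zone "rpz".
    response-policy { zone "rpz"; };
};

view "trusted" {
    // A view without match-clients matches everyone and views are matched
    // in order, so the first view needs an explicit client list.
    match-clients { 192.0.2.0/24; };      // assumed internal prefix
    allow-recursion { 192.0.2.0/24; };    // recurse only for these clients

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "rpz" {
        type master;
        file "rpz.zone";                  // policy data, shared by both views
    };
};

view "untrusted" {
    match-clients { any; };
    // Anything else reaching this server: no recursion, so it is not an
    // open resolver even though allow-query is left open.
    recursion no;

    zone "." IN {
        type hint;
        file "named.ca";
    };

    // Required only because the global response-policy names it; the view
    // does not recurse, so the policy never fires here.
    zone "rpz" {
        type master;
        file "rpz.zone";
    };
};
```

The untrusted view shows why the per-view form the original poster ended up with is often cleaner: drop the global statement and put `response-policy { zone "rpz"; };` only inside the views that both define the zone and actually recurse. After editing, restart or reload named and confirm the log no longer reports the "not a master or slave zone" error before relying on the policy.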