On Tue, Jul 1, 2025 at 11:14 PM Matthias Fechner wrote:
>
> On 01.07.2025 at 22:23, Lee wrote:
> > response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; }
> > break-dnssec yes
> > recursive-only no
> > qname-wait-recurse no;
>
> Should these 3 lines (break-dnssec, ...) not be inside the response-policy
> block?

It seems like no
  https://bind9.readthedocs.io/en/latest/reference.html#configuration-file-named-conf
has break-dnssec and qname-wait-recurse outside the { zone ... ; } block.

Grammar:

    response-policy {
        zone <string>
            [ add-soa <boolean> ]
            [ log <boolean> ]
            [ max-policy-ttl <duration> ]
            [ min-update-interval <duration> ]
            [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ]
            [ recursive-only <boolean> ]
            [ nsip-enable <boolean> ]
            [ nsdname-enable <boolean> ]
            [ ede <string> ];
        ...
    } [ add-soa <boolean> ]
      [ break-dnssec <boolean> ]
      [ max-policy-ttl <duration> ]
      [ min-update-interval <duration> ]
      [ min-ns-dots <integer> ]
      [ nsip-wait-recurse <boolean> ]
      [ nsdname-wait-recurse <boolean> ]
      [ qname-wait-recurse <boolean> ]
      [ recursive-only <boolean> ]
      [ nsip-enable <boolean> ]
      [ nsdname-enable <boolean> ]
      [ dnsrps-enable <boolean> ]
      [ dnsrps-options { <unspecified-text> } ];

but I struggle with the bind documentation, so I could be misinterpreting it :(

> Otherwise it is applied to the options block which is then seen as a
> global setting?

Even if it was possible to have them be per-zone policy options, I want
them all to be global.

Regards,
Lee
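
An added example, not part of the message above and not BIND code: a small Python checker that encodes the option scopes from the quoted grammar and reports, for one response-policy statement, which options apply per zone, which apply globally, and which sit in a place the grammar does not allow. The function names and the second sample statement are constructed for illustration, and dnsrps-options { ... } blocks are not handled.

```python
import re

# Option scopes, copied from the response-policy grammar quoted in the message.
ZONE_ONLY = {"log", "policy", "ede"}
GLOBAL_ONLY = {"break-dnssec", "min-ns-dots", "nsip-wait-recurse", "dnsrps-enable",
               "nsdname-wait-recurse", "qname-wait-recurse", "dnsrps-options"}
BOTH = {"add-soa", "max-policy-ttl", "min-update-interval", "recursive-only",
        "nsip-enable", "nsdname-enable"}
KNOWN = ZONE_ONLY | GLOBAL_ONLY | BOTH

def tokenize(text):
    # Drop //, # and /* */ comments, then split into strings, braces, ';', words.
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", " ", text, flags=re.S)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def read_options(toks, i, allowed, where, errors):
    """Collect 'name value...' pairs up to ';' and return (options, next index)."""
    opts = {}
    while i < len(toks) and toks[i] not in (";", "}"):
        name, value, i = toks[i], [], i + 1
        while i < len(toks) and toks[i] not in KNOWN | {";", "}"}:
            value.append(toks[i])
            i += 1
        if name not in allowed:
            errors.append(f"{name}: not valid in {where}")
        opts[name] = " ".join(value)
    return opts, i + (toks[i:i + 1] == [";"])  # step past the ';' if present

def parse_response_policy(statement):
    """Return (per_zone_options, global_options, errors) for one statement."""
    toks = tokenize(statement)
    if toks[:2] != ["response-policy", "{"]:
        raise ValueError("not a response-policy statement")
    zones, errors, i = {}, [], 2
    while i < len(toks) and toks[i] != "}":
        if toks[i] == "zone" and i + 1 < len(toks):
            name = toks[i + 1].strip('"')
            zones[name], i = read_options(toks, i + 2, ZONE_ONLY | BOTH,
                                          f'zone "{name}"', errors)
        else:  # anything else inside the braces is misplaced; skip to its ';'
            errors.append(f"{toks[i]}: only zone clauses go inside the braces")
            _, i = read_options(toks, i, KNOWN, "", [])
    global_opts, _ = read_options(toks, i + 1, GLOBAL_ONLY | BOTH,
                                  "the global part", errors)
    return zones, global_opts, errors

# The statement from the thread, and a constructed variant with options moved.
FROM_THREAD = ('response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; } '
               'break-dnssec yes recursive-only no qname-wait-recurse no;')
CONSTRUCTED = 'response-policy { zone "rpz.foo" recursive-only yes; break-dnssec yes; } qname-wait-recurse no;'
```

For FROM_THREAD all three options come back as global with no errors; for CONSTRUCTED, recursive-only is reported as a per-zone setting and break-dnssec is flagged. `named-checkconf` remains the authoritative check for a real configuration file.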