On 7/1/25 23:55, Lee wrote:
> On Tue, Jul 1, 2025 at 11:14 PM Matthias Fechner wrote:
>>
>> On 01.07.2025 at 22:23, Lee wrote:
>>>     response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; }
>>>        break-dnssec yes
>>>        recursive-only no
>>>        qname-wait-recurse no;
>>
>> Should these 3 lines (break-dnssec, ...) not be inside the response-policy
>> block?
>
> It seems like no
>
> https://bind9.readthedocs.io/en/latest/reference.html#configuration-file-named-conf
> has break-dnssec and qname-wait-recurse outside the { zone ... ; } block.
>
> Grammar: response-policy { zone <string> [ add-soa <boolean> ] [ log
> <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
> <duration> ] [ policy ( cname | disabled | drop | given | no-op |
> nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
> recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable
> <boolean> ] [ ede <string> ]; ... }
>   [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl
> <duration> ] [ min-update-interval <duration> ] [ min-ns-dots
> <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse
> <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only
> <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
> dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
>
> but I struggle with the bind documentation, so I could be misinterpreting it :(
>
>> Otherwise it is applied to the options block which is then seen as a
>> global setting?
>
> Even if it was possible to have them be per-zone policy options, I
> want them all to be global.
>
> Regards,
> Lee

You are correct; the syntax of response-policy is very unique.

response-policy {
  zone "foo" <some per-zone settings *before* the semicolon>;
} <some non-per-zone settings *before* the semicolon>;

It is the semicolon which ends a statement, not the closing curly bracket of a block, which is why all blocks have to end in a semicolon too.

-Doug
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
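
Added example, not part of the thread and not BIND's own code: a small Python checker for the statement layout described above, using the option names from the grammar quoted in the thread. It handles only plain name/value options (not `policy tcp-only <quoted_string>` or `dnsrps-options { ... }`), and the function names are made up for this sketch.

```python
import re

# Option names copied from the response-policy grammar quoted in the thread.
PER_ZONE = {"add-soa", "log", "max-policy-ttl", "min-update-interval", "policy",
            "recursive-only", "nsip-enable", "nsdname-enable", "ede"}
GLOBAL = {"add-soa", "break-dnssec", "max-policy-ttl", "min-update-interval",
          "min-ns-dots", "nsip-wait-recurse", "nsdname-wait-recurse",
          "qname-wait-recurse", "recursive-only", "nsip-enable",
          "nsdname-enable", "dnsrps-enable"}
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, punctuation, word

def read_options(toks, i, allowed, scope):
    """Read name/value pairs up to the next ';'. Returns (options, next index)."""
    opts = {}
    while i < len(toks) and toks[i] != ";":
        name = toks[i]
        if name not in allowed:
            raise ValueError(f"{name!r} is not a {scope} option")
        if i + 1 >= len(toks) or toks[i + 1] in ("{", "}", ";"):
            raise ValueError(f"{name!r} has no value")
        opts[name] = toks[i + 1]
        i += 2
    if i >= len(toks):
        raise ValueError(f"missing ';' after {scope} options")
    return opts, i + 1

def parse_response_policy(text):
    """Split one response-policy statement into ({zone: opts}, global opts)."""
    toks = TOKEN.findall(text)
    if toks[:2] != ["response-policy", "{"]:
        raise ValueError("expected 'response-policy {'")
    i, zones = 2, {}
    while i < len(toks) and toks[i] != "}":
        if toks[i] != "zone" or i + 1 >= len(toks):
            raise ValueError("expected 'zone <name>'")
        name = toks[i + 1].strip('"')
        zones[name], i = read_options(toks, i + 2, PER_ZONE, "per-zone")
    if i >= len(toks):
        raise ValueError("missing '}'")
    # Global options sit after '}' and before the one ';' that ends the statement.
    global_opts, i = read_options(toks, i + 1, GLOBAL, "global")
    if i != len(toks):
        raise ValueError(f"statement already ended; {toks[i]!r} starts a new one")
    return zones, global_opts

# The statement Lee posted in the thread.
LEE = ('response-policy { zone "rpz.foo"; zone "rpz.bar"; zone "rpz.pgl"; } '
       'break-dnssec yes recursive-only no qname-wait-recurse no;')
print(parse_response_policy(LEE))
```

For a real configuration, `named-checkconf` remains the authoritative syntax check.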

