Commit 62cce60a authored by Evan Hunt

[master] better error message when exceeding RPZ zone limit

3726.	[cleanup]	Clarified the error message when attempting
			to configure more than 32 response-policy zones.
			[RT #35283]
parent e2d635d6
3726. [cleanup] Clarified the error message when attempting
to configure more than 32 response-policy zones.
[RT #35283]
3725. [contrib] Updated zkt and nslint to newest versions,
cleaned up and rearranged the contrib
directory, and added a README.
......@@ -1628,8 +1628,12 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
rpz_obj = cfg_listelt_value(element);
if (view->rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES)
return (ISC_R_NOMEMORY);
if (view->rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES) {
cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
"limit of %d response policy zones exceeded",
DNS_RPZ_MAX_ZONES);
return (ISC_R_FAILURE);
}
new = isc_mem_get(view->rpzs->mctx, sizeof(*new));
if (new == NULL) {
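Review bot: the return value changes from ISC_R_NOMEMORY to ISC_R_FAILURE alongside the new cfg_obj_log() call, but the CHANGES entry (3726) describes the change only as clarifying the error message; callers of configure_rpz_zone() that check the result code will now see ISC_R_FAILURE instead of a spurious out-of-memory result, so the entry should mention that too. The message itself is an improvement: cfg_obj_log() is passed rpz_obj, so the log line will carry the file and line of the offending zone, and printing DNS_RPZ_MAX_ZONES keeps the text in sync with the actual limit.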
......@@ -9364,6 +9364,16 @@ deny-answer-aliases { "example.net"; };
<command>allow-query { localhost; };</command>.
</para>
<para>
A <command>response-policy</command> option can support
multiple policy zones. To maximize performance, a radix
tree is used to quickly identify response policy zones
containing triggers that match the current query. This
imposes an upper limit of 32 on the number of policy zones
in a single <command>response-policy</option> option; more
than that is a configuration error.
</para>
<para>
Five policy triggers can be encoded in RPZ records.
<variablelist>
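Review bot: the added line `in a single <command>response-policy</option> option; more` closes a `<command>` element with `</option>`, which is malformed DocBook and will fail validation when the ARM is built; it should read `<command>response-policy</command> option`. The hard-coded "32" in this paragraph also duplicates DNS_RPZ_MAX_ZONES from the code hunk, so the two will need to be kept in step if the limit ever changes.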