Greg: I looked for ecs-forward in the ARM in 9.12.3, 9.18.21, and in
https://bind9.readthedocs.io/en/latest/# and did not find it. If such a
jackalope appears, it will probably be welcomed; however, it won't be the
end of this issue.

Sami: DNS is both a wire protocol and an application protocol. By
analogy, an HTTP proxy server is an application protocol. What happens
if you chain several HTTP proxies together, and try to set headers? It's
a mess. There is no fundamental requirement that an application server
honor what some other application server requests ("forward my
headers"); in fact, there are a lot of counterarguments that it
shouldn't. Should your little server be able to dictate what BIND
advertises (via EDNS) to its upstream as PMTU? Should it be able to
force TCP or UDP?

Proper network design has segmentation, and part of segmentation is
actual DNS at the edge. Always has been, switches and servers all the
way down. But you do what you need to do, of course. I've just heard of
so many sightings of this beast, usually with a whiff of FOMO to maybe
get me to do / commit to something without giving it proper diligence.
Heffalumps.

--
Fred Morris, internet plumber

On 3/3/26 5:02 AM, Greg Choules via bind-users wrote:
> Hi Sami.
> Have you tried `ecs-forward` in your BIND configuration? It will be
> described in the -S ARM.
>
> Cheers, Greg
>
> On Tue, 3 Mar 2026 at 12:54, <[email protected]> wrote:
>
> Hello,
>
> I am reaching out regarding the use of EDNS Client Subnet (ECS) in
> BIND.
>
> Context:
> I am testing an environment where:
>
> * A dnsdist server receives client queries and injects a
> specific ECS (e.g., 41.226.22.0/24).
> * These queries are then forwarded to a BIND 9.18-S1 server
> configured as the final resolver.
>
> Issue:
> BIND does not forward the ECS to upstream servers and does not
> preserve this information in responses.
>
> Questions:
>
> * Can BIND 9.18-S1 be configured to rewrite or forward an ECS
> injected by dnsdist?
> * If not, which version or configuration would you recommend for
> BIND to meet this requirement?
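
To check on the wire whether the ECS option discussed in this thread actually arrives at, or leaves, a given server, the following Python sketch parses a raw DNS message and returns the Client Subnet option (EDNS option code 8, RFC 7871) from its OPT record. It is an added example, not part of the original messages and not ISC or dnsdist code; the function names and the sample query built by `build_query` are constructed for illustration.

```python
import ipaddress
import struct

ECS, OPT = 8, 41  # EDNS option code for Client Subnet (RFC 7871); OPT RR type

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def extract_ecs(msg):
    """Return the ECS source subnet in a DNS message as 'addr/len', else None."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        pos, end = off, off + rdlen
        while rtype == OPT and pos + 4 <= end:
            code, olen = struct.unpack_from("!HH", msg, pos)
            pos += 4
            if code == ECS and olen >= 4:
                family, src_len, _scope = struct.unpack_from("!HBB", msg, pos)
                size = {1: 4, 2: 16}.get(family)   # 1 = IPv4, 2 = IPv6
                if size is None:
                    return None          # unknown address family
                addr = msg[pos + 4:pos + olen][:size].ljust(size, b"\0")
                return f"{ipaddress.ip_address(addr)}/{src_len}"
            pos += olen
        off = end
    return None

def build_query(ecs_addr=None, prefix=0):
    """Constructed sample: A query for example.com, optionally carrying IPv4 ECS."""
    rdata = b""
    if ecs_addr is not None:
        addr = ipaddress.ip_address(ecs_addr).packed[:(prefix + 7) // 8]
        body = struct.pack("!HBB", 1, prefix, 0) + addr
        rdata = struct.pack("!HH", ECS, len(body)) + body
    return (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
            + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
            + b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata)
```

Feeding it the UDP payload of a query captured on each hop shows at which server the option disappears.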