Re: Bind 9.11 question (ACL ecs)

You use the "ecs" keyword like this.

    acl example { ecs 10.0.0.0/8; };
    view ecs-net-10-only { match-clients { example; }; };

Also, using colour or fonts is not a good way to highlight what the issue is. Not everyone reads email on a display which supports different colours or fonts.

Also, ACLs are *first* *match*, so

    match-clients { area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; };

and

    match-clients { area02; ecs-area02; };

are the *same*, as all "ecs-area02;" addresses have already been matched by the time you get to looking at "!{ !ecs-area02; any; };".

Bob, "!{ !ecs-area01; any; };" rejects anything which isn't in ecs-area01.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
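As an added illustration (not from the thread or from ISC's code), a small Python model of BIND's first-match ACL evaluation with the rules quoted in this thread: plain prefixes match the source address, "ecs" prefixes are ignored when the query carries no ECS option, "!" flips a match, and a negated match inside a nested "{ ... }" counts as no match for the enclosing element (that last rule is my reading of named's ACL handling, stated here as an assumption). The AREA02/ECS_AREA02 prefixes and the queries are constructed; the check shows that the long match-clients list and the short one decide every query identically, so the trailing key element is never reached.

```python
import ipaddress
# Constructed prefixes standing in for the thread's "area02"/"ecs-area02" ACLs (hypothetical).
AREA02 = [ipaddress.ip_network("192.0.2.0/24")]
ECS_AREA02 = [ipaddress.ip_network("198.51.100.0/24")]

def match_element(elem, src, ecs, key):
    """Return +1 (match), -1 (negated match) or 0 (no match) for one ACL element."""
    kind = elem[0]
    if kind == "any":
        return 1
    if kind == "addr":      # plain prefix: compared with the source address only
        return 1 if any(src in n for n in elem[1]) else 0
    if kind == "ecs":       # "ecs prefix": ignored when the query has no ECS option
        if ecs is None:
            return 0
        return 1 if any(ecs in n for n in elem[1]) else 0
    if kind == "key":       # query signed with this TSIG key
        return 1 if key == elem[1] else 0
    if kind == "not":       # "!element" flips the sign of the match
        return -match_element(elem[1], src, ecs, key)
    if kind == "nested":    # "{ ... }": assumption: a negated match inside a nested
        return 1 if match_acl(elem[1], src, ecs, key) > 0 else 0  # ACL is "no match"
    raise ValueError(kind)

def match_acl(acl, src, ecs, key):
    """First match wins: the first element with a non-zero result decides."""
    for elem in acl:
        r = match_element(elem, src, ecs, key)
        if r != 0:
            return r
    return 0

def allowed(acl, src, ecs=None, key=None):
    # Only a positive match permits; a negated match or no match at all both deny.
    src = ipaddress.ip_address(src)
    ecs = None if ecs is None else ipaddress.ip_address(ecs)
    return match_acl(acl, src, ecs, key) > 0

# The two match-clients lists compared in the reply above.
LONG = [("addr", AREA02), ("ecs", ECS_AREA02),
        ("not", ("nested", [("not", ("ecs", ECS_AREA02)), ("any",)])),
        ("key", "Area02.mydomain.idv.")]
SHORT = [("addr", AREA02), ("ecs", ECS_AREA02)]
# Constructed queries: (source address, ECS address or None, TSIG key name or None).
QUERIES = [("192.0.2.10", None, None), ("203.0.113.5", "198.51.100.7", None),
           ("203.0.113.5", "203.0.113.9", "Area02.mydomain.idv."),
           ("203.0.113.5", None, "Area02.mydomain.idv.")]

def same_decisions():
    # True when LONG and SHORT agree on every query, i.e. LONG's key element is dead.
    return all(allowed(LONG, *q) == allowed(SHORT, *q) for q in QUERIES)
```

The last query (outside source, no ECS option, signed with the view's key) is still denied by LONG, which is why a plain dig without +subnet falls through every area view to the default one.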
Re: Bind 9.11 question (ACL ecs)

On Tue, Oct 25, 2016 at 2:04 AM, wrote:
> [quoted text of the original message]
Bind 9.11 question (ACL ecs)

From the 9.1 ARM, chapter 7, which mentions:

The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform an authoritative name server of the network address block from which the original query was received, enabling authoritative servers to give different answers to the same resolver for different resolver clients. An ACL containing an element of the form ecs prefix will match if a request arrives in containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address.

Now I have migrated DNS BIND from 9.10 to 9.11 and use the ECS prefix in my allow-query entry, but when I run a dig test (not including +subnet) it does not respond, while when I remove that ecs keyword everything is OK.

I used BIND 9.11 to set up three DNS servers: one for mydomain.idv and two for sub.mydomain.idv. My sub.mydomain.idv has multiple views but the same zone.

When I use dig to query a sub.mydomain.idv entry it always returns the last matching view; it does not respond by client subnet. The following is my partial named.conf content.

sub.mydomain.idv (Primary server - ip: a.b.c.d)
================================================

acl "slave-ips" { a.b.c.d; };

server a.b.c.d {
    provide-ixfr yes;
    request-nsid yes;
    send-cookie yes;
    edns-udp-size 4096;
    max-udp-size 4096;
    transfer-format many-answers;
};

server a1.b1.c1.d1 { // mydomain.idv primary server
    request-nsid yes;
    send-cookie yes;
    edns-udp-size 4096;
    max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
    directory "d:\isc bind 9\var\named";
    allow-update { none; };
    notify explicit;
    allow-transfer { none; };
    allow-query { none; };
};
// End Options

view "area01" {
    match-clients { area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type master;
        allow-query { area01; ecs-area01; };
        file "sub/area01.mydomain.idv.txt";
        also-notify { a.b.c1.d key Area01.mydomain.idv.; };
        allow-transfer { key Area01.mydomain.idv.; };
    };
}; // End View

view "area02" {
    match-clients { area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type master;
        allow-query { area02; ecs-area02; };
        file "sub/area02.mydomain.idv.txt";
        also-notify { a.b.c1.d key Area02.mydomain.idv.; };
        allow-transfer { key Area02.mydomain.idv.; };
    };
}; // End View

view "area03" {
    match-clients { area03; ecs-area03; !{ !ecs-area03; any; }; key Area03.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type master;
        allow-query { area03; ecs-area03; };
        file "sub/area03.mydomain.idv.txt";
        also-notify { a.b.c1.d key Area03.mydomain.idv.; };
        allow-transfer { key Area03.mydomain.idv.; };
    };
}; // End View

view "deafult" { // Default
    match-clients { any; };
    zone "sub.mydomain.idv" in {
        type master;
        allow-query { any; };
        file "sub/default.mydomain.idv.txt";
        also-notify { a.b.c1.d key Default.mydomain.idv.; };
        allow-transfer { key Default.mydomain.idv.; };
    };
}; // End View

sub.mydomain.idv (Slave server - ip: a.b.c1.d)
===============================================

server a.b.c.d {
    provide-ixfr yes;
    request-nsid yes;
    send-cookie yes;
    edns-udp-size 4096;
    max-udp-size 4096;
    transfer-format many-answers;
};

server a1.b1.c1.d1 { // mydomain.idv primary server
    request-nsid yes;
    send-cookie yes;
    edns-udp-size 4096;
    max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
    directory "d:\isc bind 9\var\named";
    allow-update { none; };
    notify explicit;
    allow-transfer { none; };
    allow-query { none; };
};
// End Options

view "area01" {
    match-clients { area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type slave;
        allow-query { area01; ecs-area01; };
        file "sub/area01.mydomain.idv.ca";
        masters { a.b.c.d key Area01.mydomain.idv.; };
    };
}; // End View

view "area02" {
    match-clients { area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type slave;
        allow-query { area02; ecs-area02; };
        file "sub/area02.mydomain.idv.ca";
        masters { a.b.c.d key Area02.mydomain.idv.; };
    };
//