Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Mark Andrews 

You use the "ecs" key word like this.

acl example { ecs 10.0.0.0/8; };

view ecs-net-10-only {
match-clients { example; };
};

Also using colour or fonts is not a good way to highlight
what the issue is.  Not everyone reads email on a display
which supports different colours or fonts.

Also acls are *first* *match* so

match-clients {
 area02; ecs-area02;
 !{!ecs-area02; any; };
 key Area02.mydomain.idv.;
};

and

match-clients { area02; ecs-area02; };

are the *same* as all "ecs-area02;" addresses have already
been matched by the time you get to looking at "!{!ecs-area02;
any; };".

Bob,
!{!ecs-area01; any; }; is reject anything which
isn't in ecs-area01.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Bob Harold 
On Tue, Oct 25, 2016 at 2:04 AM,  wrote:

> From 9.1 ARM chapter 7 that mention
>
> The EDNS Client Subnet (ECS) option is used by a recursive resolver to
> inform an authoritative
> name server of the network address block from which the original query was
> received, enabling
> authoritative servers to give different answers to the same resolver for
> different resolver clients.
>
>
>
> *An ACL containing an element of the form ecs prefix will match if a
> request arrives in containing*
> *an ECS option encoding an address within that prefix. If the request has
> no ECS option,*
> *then "ecs" elements are simply ignored*. Addresses in ACLs that are not
> prefixed with "ecs" are
> matched only against the source address.
>
>
>
> Now i was migrate DNS bint fro 9.10 to 9.11 and use ECS prefix on my
> allow-query entry but when i use dig
>
> test (not include +subnet) it not response but when i remvoe that ecs
> keyword every thing was OK.
>
>
>
> I was use bind 9.11 setup three dns server one for mydomain.idv and two
> are sub.mydomain.idv.
>
> my sub.mydomain.idv has multi view but has same zone.
>
> when i use dig query sub.mydomain.idv entry it always return last match
> view, it will not reponse by client subnet
>
> following was my partial named.conf content
>
>
>
> sub.mydomain.idv (Primary server -ip:a.b.c.d)
> =
>
> acl "slave-ips" { a.b.c.d; };
>
> server  a.b.c.d {
> provide-ixfr yes;
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> transfer-format many-answers;
> };
>
> server  a1.b1.c1.d1 {  // mydomain.idv primary server
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>   directory   "d:\isc bind 9\var\named";
> allow-update {none;};
> notify explicit;
> allow-transfer { none; };
> allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
> match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key
> Area01.mydomain.idv.;};
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { area01; ecs-area01; };
>   file "sub/area01.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Area01.mydomain.idv.; };
>  allow-transfer { key Area01.mydomain.idv.; };
>  };
> }; // End View
>
> view "area02" {
> match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key
> Area02.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { area02; ecs-area02; };
>   file "sub/area02.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Area02.mydomain.idv.; };
>  allow-transfer { key Area02.mydomain.idv.; };
>  };
> }; // End View
>
> view "area03" {
> match-clients {  area03; ecs-area03; !{!ecs-area03; any; } ; key
> Area03.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query {  area03; ecs-area03; };
>   file "sub/area03.mydomain.idv.txt";
>   also-notify { a.b.c1.d key Area03.mydomain.idv.;};
>   allow-transfer { key Area03.mydomain.idv.; };
>  };
> }; // End View
>
> view "deafult" {  // Default
> match-clients {any; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { any; };
>   file "sub/default.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Default.mydomain.idv.;};
>  allow-transfer { key Default.mydomain.idv.; };
>  };
> }; // End View
>
> sub.mydomain.idv (Slave server -ip:a.b.c1.d)
> =
>
> server  a.b.c.d {
> provide-ixfr yes;
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> transfer-format many-answers;
> };
>
> server  a1.b1.c1.d1 {  // mydomain.idv primary server
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>   directory   "d:\isc bind 9\var\named";
> allow-update {none;};
> notify explicit;
> allow-transfer { none; };
> allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
> match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key
> Area01.mydomain.idv.;};
> zone "sub.mydomain.idv" in {
>  type slave;
>  allow-query { area01; ecs-area01; };
>   file "sub/area01.mydomain.idv.ca";
>  masters { a.b.c.d key

Bind 9.11 question (ACL ecs )

2016-10-25 Thread HsuLiPing 
From 9.1 ARM chapter 7 that mention

The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform 
an authoritative
name server of the network address block from which the original query was 
received, enabling
authoritative servers to give different answers to the same resolver for 
different resolver clients.



An ACL containing an element of the form ecs prefix will match if a request 
arrives in containing
an ECS option encoding an address within that prefix. If the request has no ECS 
option,
then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed 
with "ecs" are
matched only against the source address.



Now i was migrate DNS bint fro 9.10 to 9.11 and use ECS prefix on my 
allow-query entry but when i use dig

test (not include +subnet) it not response but when i remvoe that ecs keyword 
every thing was OK.



I was use bind 9.11 setup three dns server one for mydomain.idv and two are 
sub.mydomain.idv.

my sub.mydomain.idv has multi view but has same zone.

when i use dig query sub.mydomain.idv entry it always return last match view, 
it will not reponse by client subnet

following was my partial named.conf content



sub.mydomain.idv (Primary server -ip:a.b.c.d) 
=

acl "slave-ips" { a.b.c.d; };

server  a.b.c.d {
provide-ixfr yes;
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
transfer-format many-answers;
};

server  a1.b1.c1.d1 {  // mydomain.idv primary server
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
  directory   "d:\isc bind 9\var\named";
allow-update {none;};
notify explicit;
allow-transfer { none; };
allow-query { none; };
};

// End Options

view "area01" {
match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key 
Area01.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type master;
 allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.txt";
 also-notify { a.b.c1.d key Area01.mydomain.idv.; };
 allow-transfer { key Area01.mydomain.idv.; };
 };
}; // End View

view "area02" {
match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key 
Area02.mydomain.idv.; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query { area02; ecs-area02; };
  file "sub/area02.mydomain.idv.txt";
 also-notify { a.b.c1.d key Area02.mydomain.idv.; };
 allow-transfer { key Area02.mydomain.idv.; };
 };
}; // End View

view "area03" {
match-clients {  area03; ecs-area03; !{!ecs-area03; any; } ; key 
Area03.mydomain.idv.; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query {  area03; ecs-area03; };
  file "sub/area03.mydomain.idv.txt";
  also-notify { a.b.c1.d key Area03.mydomain.idv.;};
  allow-transfer { key Area03.mydomain.idv.; };
 };
}; // End View

view "deafult" {  // Default
match-clients {any; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query { any; };
  file "sub/default.mydomain.idv.txt";
 also-notify { a.b.c1.d key Default.mydomain.idv.;};
 allow-transfer { key Default.mydomain.idv.; };
 };
}; // End View

sub.mydomain.idv (Slave server -ip:a.b.c1.d) 
=

server  a.b.c.d {
provide-ixfr yes;
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
transfer-format many-answers;
};

server  a1.b1.c1.d1 {  // mydomain.idv primary server
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
  directory   "d:\isc bind 9\var\named";
allow-update {none;};
notify explicit;
allow-transfer { none; };
allow-query { none; };
};

// End Options

view "area01" {
match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key 
Area01.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type slave;
 allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.ca";
 masters { a.b.c.d key Area01.mydomain.idv.; };
 };
}; // End View

view "area02" {
match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key 
Area02.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type slave;
 allow-query { area02; ecs-area02; };
  file "sub/area02.mydomain.idv.ca";
 masters { a.b.c.d key Area02.mydomain.idv.; };
}; //