Syntax for ECS ACL Entry
Ryan McGuire
rmcguire at libretechconsulting.com
Thu Sep 2 16:24:56 UTC 2021
I did compile 9.16.20 from source since the latest in Debian repos is
9.16.15 but the result is the same. The doc snippet in my original email
was from 9.11 docs -- could this feature not have been brought forward
into 9.16 at all? The only related documented removed feature is
geoip-use-ecs.
-Ryan
On 9/2/21 10:06 AM, Ryan McGuire wrote:
>
> I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a
> view. The views are working well, and the ECS is read by bind9 (see
> log below), but I can't seem to find a syntax for adding an ecs entry
> into an acl. Here is what I've tried:
>
> acl "filtered" {
>     192.168.0.90;
>     192.168.0.91;
>     192.168.0.92;
>     192.168.0.93;
>     ecs 192.168.99.0/24;
> };
>
> view filtered-view {
>     match-clients { filtered; };
>     {...}
>
> When I try to start bind with this config, I get the following error:
> /etc/bind/named.conf.local:6: missing ';' before '192.168.99.0'
>
> Everything works as it should if I remove the ecs entry from the acl.
>
> I can see the ECS is being set by dnsdist when I enable query logging:
> client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) [ECS 192.168.99.0/24/0]
>
> From the docs:
>
> "An ACL containing an element of the form ecs prefix will match if a
> request arrives in containing an ECS option encoding an address within
> that prefix. If the request has no ECS option, then "ecs" elements are
> simply ignored. Addresses in ACLs that are not prefixed with "ecs" are
> matched only against the source address."
>
> I am running bind9 version 9.16.15.
>
> Regards,
>
> Ryan McGuire
> p. 260.202.0500 m. 978.501.3620
> f. 260.202.0420
> w. www.libretechconsulting.com <https://libretechconsulting.com>
>
> Libre Tech Consulting <https://libretechconsulting.com>
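The matching rule quoted from the 9.11 documentation in the message above, modelled in Python as an added example (not part of the original thread and not BIND code). The ACL tuple representation and the function names are assumptions; the first sample line is the log line from the post, the other two are constructed.

```python
import ipaddress
import re

# Assumed representation of the ACL from the post: ("src", prefix) entries are
# compared with the packet source only, ("ecs", prefix) with the ECS option only.
ACL_FILTERED = [("src", f"192.168.0.{n}/32") for n in (90, 91, 92, 93)]
ACL_FILTERED.append(("ecs", "192.168.99.0/24"))

SRC_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f.:]+)#\d+")
ECS_RE = re.compile(r"\[ECS ([0-9A-Fa-f.:]+)/(\d+)/(\d+)\]")

def parse_query_log(line):
    """Return (source address, ECS address or None) from a query-log line."""
    src = SRC_RE.search(line)
    if src is None:
        raise ValueError("no client address in line")
    ecs = ECS_RE.search(line)
    ecs_addr = ipaddress.ip_address(ecs.group(1)) if ecs else None
    return ipaddress.ip_address(src.group(1)), ecs_addr

def acl_matches(acl, source, ecs):
    """Apply the quoted rule: "ecs" elements are ignored when the request
    carries no ECS option; all other elements see only the source address."""
    for kind, prefix in acl:
        net = ipaddress.ip_network(prefix)
        if kind == "ecs":
            if ecs is not None and ecs in net:
                return True
        elif source in net:
            return True
    return False

SAMPLE_LINES = [
    # Log line from the post: resolver source address plus ECS set by dnsdist.
    "client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view "
    "filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) "
    "[ECS 192.168.99.0/24/0]",
    # Constructed: source inside the ECS prefix, but no ECS option present.
    "client 192.168.99.7#5353 (a.example): query: a.example IN A + (192.168.0.5)",
    # Constructed: listed source address, no ECS option.
    "client 192.168.0.90#5353 (a.example): query: a.example IN A + (192.168.0.5)",
]

def evaluate(lines, acl=ACL_FILTERED):
    """Return one ACL decision per log line."""
    return [acl_matches(acl, *parse_query_log(line)) for line in lines]

if __name__ == "__main__":
    for line, hit in zip(SAMPLE_LINES, evaluate(SAMPLE_LINES)):
        print(hit, line[:60])
```

The second line shows the consequence for view selection: a source address inside 192.168.99.0/24 does not satisfy the `ecs` element unless the request actually carries the option.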